import of dnsmasq-2.38.tar.gz

CHANGELOG

@@ -1785,3 +1785,370 @@ version 2.28
             ignored, since this may be unreliable. This means that a DHCP 
             client must use the standard port to do full configuration.
  
+version 2.29
+	    Fixed compilation on OpenBSD (thanks to Tom Hensel for the
+	    report). 
+
+	    Fixed false "no interface" errors when --bind-interfaces is
+	    set along with --interface=lo or --listen-address. Thanks
+	    to Paul Wise for the report.
+
+	    Updated patch for SuSE rpm. Thanks to Steven Springl.
+
+	    It turns out that there are some Linux kernel
+	    configurations which make using the capability system
+	    impossible. If this situation occurs then continue, running
+	    as root, and log a warning. Thanks to Scott Wehrenberg
+	    for help tracking this down.
+
+version 2.30
+            Fixed crash when a DHCP client requested a broadcast
+            reply. This problem was introduced in version 2.28.
+	    Thanks to Sandra Dekkers for the bug report.
+
+version 2.31
+	    Added --dhcp-script option. There have been calls for this
+	    for a long time from many good people. Fabio Muzzi gets
+	    the prize for finally convincing me.
+
+	    Added example dbus config file and moved dbus stuff into
+	    its own directory.
+
+	    Removed horribly outdated Redhat RPM build files. These
+	    are obsolete now that dnsmasq in in Fedora extras. Thanks
+	    to Patrick "Jima" Laughton, the Fedora package
+	    maintainer.
+
+	    Added workaround for Linux kernel bug. This manifests
+	    itself as failure of DHCP on kernels with "support for
+	    classical IP over ATM" configured. That includes most
+	    Debian kernel packages. Many thanks to A. Costa and
+	    Benjamin Kudria for their huge efforts in chasing this
+	    down.
+
+	    Force-kill child processes when dnsmasq is sent a sigterm,
+	    otherwise an unclosed TCP connection could keep dnsmasq
+	    hanging round for a few minutes.
+
+	    Tweaked config.h logic for uclibc build. It will now pick
+	    up MMU and IPV6 status correctly on every system I tested.
+
+version 2.32 
+	    Attempt a better job of replacing previous configuration
+	    when re-reading /etc/hosts and /etc/ethers. SIGHUP is
+	    still not identical to a restart under all circumstances,
+	    but it is for the common case of name->MAC address in
+	    /etc/ethers and name->IP address in /etc/hosts.
+
+	    Fall back to broadcast for DHCP to an unconfigured client
+	    when the MAC address size is greater than 14 bytes.
+
+	    Fix problem in 2.28-onwards releases which breaks DNS on
+	    Mac OS X. Thanks to Doug Fields for the bug report and
+	    testing.
+
+	    Added fix to allow compilation on c89-only compilers.
+	    Thanks to John Mastwijk for the patch.
+	   
+	    Tweak resolv file polling code to work better if there is
+	    a race between updating the mtime and file contents. This
+	    is not normally a problem, but it can be on systems which
+	    replace nameservers whilst active. The code now continues
+	    to read resolv.conf until it gets at least one usable
+	    server. Thanks to Holger Mauermann for help with this.
+
+	    If a client DECLINEs an address which is allocated to it
+	    via dhcp-host or /etc/hosts, lock that address out of use
+	    for ten minutes, instead of forever, and log when it's not
+	    being used because of the lock-out. This should provide
+	    less surprising behaviour when a configured address can't be
+	    used. Thanks to Peter Surda and Heinz Deinhart for input
+	    on this.
+
+	    Fixed *BSD DHCP breakage with only some
+	    arches/compilers, depending on structure padding rules.
+	    Thanks to Jeb Campbell and Tom Hensel for help with this.
+
+	    Added --conf-dir option. Suggestion from Aaron Tygart.
+
+	    Applied patch from Brent Cook which allows netids in
+	    dhcp-option configuration lines to be prefixed by
+	    "net:". This is not required by the syntax, but it is
+	    consistent with other configuration items.
+
+	    Added --log-facility option. Suggestion from Fabio Muzzi.
+
+	    Major update to Spanish translation. Many thanks to Chris
+	    Chatham. 
+
+	    Fixed gcc-4.1 strict-alias compilation warning.
+
+version 2.33
+            Remove bash-specific shellcode from the Makefile.
+
+	    Fix breakage with some DHCP relay implementations which
+	    was introduced in 2.28. Believing the source port in
+	    DHCP requests and sending the reply there is sometimes a
+	    bad thing to do, so I've reverted to always sending to
+	    the relay on port 68. Thanks to Daniel Hamlin and Alex
+	    (alde) for bug reports on this.
+
+	    Moved the SuSe packaging files to contrib. I will no
+	    longer attempt to maintain this in the source tarball. It
+	    will be done externally, in the same way as packaging for
+	    other distros. Suse packages are available from 
+	    ftp://ftp.suse.com/pub/people/ug/
+	    
+	    Merged patch from Gentoo to honour $LDFLAGS environment.
+
+	    Fix bug in resolv.conf processing when more than one file
+	    is being checked.
+
+	    Add --dns-forward-max option.
+
+	    Warn if --resolv-file flags are ignored because of
+	    --no-resolv. Thanks to Martin F Krafft for spotting this
+	    one.
+
+            Add --leasefile-ro option which allows the use of an 
+            external lease database. Many thanks to Steve Horbachuk 
+	    for assistance developing this feature.
+
+	    Provide extra information to lease-change script via its
+	    environment. If the host has a client-id, then
+	    DNSMASQ_CLIENT_ID will be set. Either the lease length (in
+	    DNSMASQ_LEASE_LENGTH) or lease expiry time (in
+	    DNSMASQ_LEASE_EXPIRES) will be set, depending on the
+	    HAVE_BROKEN_RTC compile-time option. This extra
+	    information should make it possible to maintain the lease
+	    database in external storage such as LDAP or a relational
+	    database. Note that while leasefile-ro is set, the script
+            will be called with "old"  events more often, since 
+	    changes to the client-id and lease length
+	    (HAVE_BROKEN_RTC) or lease expiry time (otherwise) 
+	    are now flagged. 
+
+	    Add contrib/wrt/* which is an example implementation of an
+	    external persistent lease database for *WRT distros with 
+	    the nvram command.
+
+	    Add contrib/wrt/dhcp_release.c which is a small utility 
+	    which removes DHCP leases using DHCPRELEASE operation in
+	    the DHCP protocol.
+
+version 2.34
+	    Tweak network-determination code for another corner case:
+	    in this case a host forced to move between dhcp-ranges on
+	    the same physical interface. Thanks to Matthias Andree.
+	    
+	    Improve handling of high DNS loads by throttling acceptance of
+	    new queries when resources are tight. This should be a
+	    better response than the "forwarding table full..."
+	    message which was logged before.
+
+	    Fixed intermittent infinite loop when re-reading
+	    /etc/ethers after SIGHUP. Thanks to Eldon Ziegler for the
+	    bug report.
+
+	    Provide extra information to the lease-change script: when
+	    a lease loses its hostname (because a new lease comes
+	    along and claims the same new), the "old" action is called 
+	    with the current state of the lease, ie no name. The
+	    change is to provide the former name which the lease had
+	    in the environment variable DNSMASQ_OLD_HOSTNAME. This
+	    helps scripts which do stuff based on hostname, rather
+	    than IP address. Also provide vendor-class and user-class
+	    information to the lease-change script when a new lease is
+	    created in the DNSMASQ_VENDOR_CLASS and
+	    DNSMASQ_USER_CLASS<n> environment variables. Suggestion 
+            from Francois-Xavier Le Bail.
+
+	    Run the lease change script as root, even when dnsmasq is
+	    configured to change UID to an unprivileged user. Since
+	    most uses of the lease change script need root, this
+	    allows its use whilst keeping the security advantages of
+	    running the daemon without privs. The script is invoked
+	    via a small helper process which keeps root UID, and
+	    validates all data received from the main process. To get
+	    root, an attacker would have to break dnsmasq and then
+	    break the helper through the restricted comms channel 
+	    linking the two.
+	    
+	    Add contrib/port-forward/* which is a script to set up 
+	    port-forwards using the DHCP lease-change script. It's
+	    possible to add a host to a config file by name, and when
+	    that host gets a DHCP lease, the script will use iptables
+	    to set up port-forwards to configured ports at the address
+	    which the host is allocated. The script also handles
+	    setting up the port-forward iptables entries after reboot,
+	    using the persistent lease database, and removing them
+	    when a host leaves and its DHCP lease expires.
+
+	    Fix unaligned access problem which caused wrong log
+	    messages with some clients on some architectures. Thanks
+	    to Francois-Xavier Le Bail for the bugreport.
+
+	    Fixed problem with DHCPRELEASE and multi-address
+	    interfaces. Enhanced contrib/wrt/dhcp_release to cope
+	    under these circumstances too. Thanks to Eldon Ziegler for
+	    input on this.
+
+	    Updated French translation: thanks to Gildas Le Nadan.
+
+	    Upgraded the name hash function in the DNS cache. Thanks
+	    to Oleg Khovayko for good work on this.
+
+	    Added --clear-on-reload flag.  Suggestion from Johannes
+	    Stezenbach.
+
+	    Treat a nameserver address of 0.0.0.0 as "nothing". Erwin 
+            Cabrera spotted that specifying a nameserver as 0.0.0.0 
+	    breaks things badly; this is because the network stack
+	    treats is as "this host" and an endless loop ensues.
+		   
+            Added Webmin module in contrib/webmin. Thanks to Neil
+            Fisher for that.
+
+version 2.35
+	    Generate an "old" script event when a client does a DHCPREQUEST
+	    in INIT-REBOOT or SELECTING state and the lease already
+	    exists. Supply vendor and user class information to these
+	    script calls.
+
+	    Added support for Dragonfly BSD to src/config.h
+
+	    Removed "Upgrading to 2.0" document, which is ancient
+	    history now.
+
+	    Tweak DHCP networking code for BSD, esp OpenBSD. Added a 
+	    workaround for a bug in OpenBSD 4.0: there should finally
+            be support for multiple interfaces under OpenBSD now.
+	    Note that no version of dnsmasq before 2.35 will work for 
+	    DHCP under OpenBSD 4.0 because of a kernel bug.
+	    Thanks to Claudio Jeker, Jeb Campbell and Cristobal 
+	    Palmer for help with this.
+
+	    Optimised the cache code for the case of large
+	    /etc/hosts. This is mainly to remove the O(n-squared)
+	    algorithm which made reading large (50000 lines) files 
+	    slow, but it also takes into account the size of 
+	    /etc/hosts when building hash tables, so overall 
+	    performance should be better. Thanks to "koko" for 
+	    pointing out the problem.
+
+version 2.36
+	    Added --dhcp-ignore-names flag which tells dnsmasq not to
+	    use names provided by DHCP clients. Suggestion from 
+	    Thomas M Steenholdt.
+
+	    Send netmask and broadcast address DHCP options always,
+	    even if the client doesn't request them. This makes a few
+	    odd clients work better.
+
+	    Added simple TFTP function, optimised for net-boot. It is
+	    now possible to net boot hosts using only dnsmasq. The
+	    TFTP server is read-only, binary-mode only, and designed to be
+	    secure; it adds about 4K to the dnsmasq binary. 
+ 
+	    Support DHCP option 120, SIP servers, (RFC 3361). Both
+            encodings are supported, so both --dhcp-option=120,192.168.2.3
+            and	--dhcp-option=120,sip.example.net will work. Brian
+            Candler pointed out the need for this.
+
+	    Allow spaces in domain names, to support DNS-SD.
+
+	    Add --ptr-record flag, again for DNS-SD. Thanks to Stephan 
+	    Sokolow for the suggestion.
+	    
+	    Tolerate leading space on lines in the config file. Thanks
+	    to Luigi Rizzo for pointing this out.
+
+	    Fixed netlink.c to cope with headers from the Linux 2.6.19
+	    kernel. Thanks to Philip Wall for the bug report.
+
+	    Added --dhcp-bridge option, but only to the FreeBSD
+	    build. This fixes an oddity with a a particular bridged
+	    network configuration on FreeBSD. Thanks to Luigi Rizzo
+	    for the patch.
+
+	    Added FAQ entry about running dnsmasq in a Linux
+	    vserver. Thanks to Gildas le Nadan for the information.  
+
+	    Fixed problem with option parsing which interpreted "/" as
+	    an address and not a string. Thanks to Luigi Rizzo
+	    for the patch.
+
+	    Ignore the --domain-needed flag when forwarding NS
+	    and SOA queries, since NS queries of TLDs are always legit.
+	    Marcus Better pointed out this problem.
+
+	    Take care to forward signed DNS requests bit-perfect, so
+	    as not to affect the validity of the signature. This
+	    should allow DDNS updates to be forwarded.
+
+version 2.37
+            Add better support for RFC-2855 DHCP-over-firewire and RFC
+           -4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec.
+
+	    Some efficiency tweaks to the cache code for very large
+	    /etc/hosts files. Should improve reverse (address->name)
+	    lookups and garbage collection. Thanks to Jan 'RedBully'
+	    Seiffert for input on this.
+
+	    Fix regression in 2.36 which made bogus-nxdomain
+	    and DNS caching unreliable. Thanks to Dennis DeDonatis
+	    and Jan Seiffert for bug reports.
+
+	    Make DHCP encapsulated vendor-class	options sane. Be
+	    warned that some conceivable existing configurations 
+	    using these may break, but they work in a much 
+	    simpler and more logical way now. Prepending
+	    "vendor:<client-id>" to an option encapsulates it 
+	    in option 43, and the option is sent only if the 
+	    client-supplied vendor-class substring-matches with 
+	    the given client-id. Thanks to Dennis DeDonatis for 
+	    help with this.
+
+	    Apply patch from Jan Seiffert to tidy up tftp.c
+
+	    Add support for overloading the filename and servername 
+	    fields in DHCP packet. This gives extra option-space when
+	    these fields are not being used or with a modern client
+	    which supports moving them into options.
+
+	    Added a LIMITS section to the man-page, with guidance on
+	    maximum numbers of clients, file sizes and tuning.
+
+release 2.38
+	    Fix compilation on *BSD. Thanks to Tom Hensel.
+
+	    Don't send length zero DHCP option 43 and cope with 
+	    encapsulated options whose total length exceeds 255 octets
+	    by splitting them into multiple option 43 pieces.
+
+	    Avoid queries being retried forever when --strict-order is
+	    set and an upstream server returns a SERVFAIL
+	    error. Thanks to Johannes Stezenbach for spotting this.
+
+	    Fix BOOTP support, broken in version 2.37.
+
+	    Add example dhcp-options for Etherboot.
+
+	    Add \e (for ASCII ESCape) to the set of valid escapes
+	    in config-file strings.
+
+	    Added --dhcp-option-force flag and examples in the
+	    configuration file which use this to control PXELinux.
+
+	    Added --tftp-no-blocksize option.
+
+	    Set netid tag "bootp" when BOOTP (rather than DHCP) is in
+	    use. This makes it easy to customise which options are
+	    sent to BOOTP clients. (BOOTP allows only 64 octets for
+	    options, so it can be necessary to trim things.)
+
+	    Fix rare hang in cache code, a 2.37 regression. This
+	    probably needs an infinite DHCP lease and some bad luck to
+	    trigger. Thanks to Detlef Reichelt for bug reports and testing.
+
+	    

FAQ

@@ -42,10 +42,12 @@ Q: Will dnsmasq compile/run on non-Linux systems?
 A: Yes, there is explicit support for *BSD and MacOS X. There are
    start-up scripts for MacOS X Tiger and Panther in /contrib. Earlier
    dnsmasq releases ran under Solaris, but that capability has
-   probably rotted. Dnsmasq will link with uclibc to provide small
+   rotted. Dnsmasq will link with uclibc to provide small
    binaries suitable for use in embedded systems such as
    routers. (There's special code to support machines with flash
    filesystems and no battery-backed RTC.)
+   If you encounter make errors with *BSD, try installing gmake from
+   ports and building dnsmasq with "make MAKE=gmake" 
    For other systems, try altering the settings in config.h.
  
 Q: My companies' nameserver knows about some names which aren't in the
@@ -309,7 +311,7 @@ A: Because when a Gentoo box shuts down, it releases its lease with
 
 Q: My laptop has two network interfaces, a wired one and a wireless
    one. I never use both interfaces at the same time, and I'd like the
-   same IP and configuration to be used irrespcetive of which
+   same IP and configuration to be used irrespective of which
    interface is in use. How can I do that?
 
 A: By default, the identity of a machine is determined by using the
@@ -369,6 +371,7 @@ A: Yes, dynmaically allocated IP addresses are checked by sending an
    other DHCP requests during this time. To avoid dropping requests,
    the address probe may be skipped when dnsmasq is under heavy load.
 
+
 Q: I'm using dnsmasq on a machine with the Firestarter firewall, and
    DHCP doesn't work. What's the problem?
 
@@ -376,7 +379,45 @@ A: This a variant on the iptables problem. Explicit details on how to
    proceed can be found at 
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html
  
-  
+
+Q: Dnsmasq logs "running as root because setting capabilities failed"
+   when it starts up. Why did that happen and what can do to fix it?
+
+A: Change your kernel configuration: either deselect CONFIG_SECURITY
+   _or_ select CONFIG_SECURITY_CAPABILITIES.
+
+
+Q: Where can I get .rpms Suitable for Suse?
+
+A: Dnsmasq is in Suse itself, and the latest releases are also
+   available at ftp://ftp.suse.com/pub/people/ug/
+
+
+Q: Can I run dnsmasq in a Linux vserver?
+
+A: Yes, as a DNS server, dnsmasq will just work in a vserver.
+   To use dnsmasq's DHCP function you need to give the vserver
+   extra system capabilities. Please note that doing so will lesser 
+   the overall security of your system. The capabilities 
+   required are NET_ADMIN and NET_RAW. NET_ADMIN is essential, NET_RAW
+   is required to do an ICMP "ping" check on newly allocated
+   addresses. If you don't need this check, you can disable it with
+   --no-ping and omit the NET_RAW capability. 
+   Adding the capabilities is done by adding them, one per line, to
+   either /etc/vservers/<vservername>/ccapabilities for a 2.4 kernel or
+   /etc/vservers/<vservername>/bcapabilities for a 2.6 kernel (please
+   refer to the vserver documentation for more information).
+
+
+
+
+
+
+
+
+
+
+ 
 
 
 

Makefile

@@ -9,12 +9,14 @@ MAN = man
 
 CFLAGS?= -O2
 
-all : 
+all :   dnsmasq
+
+dnsmasq :
 	$(MAKE) I18N=-DNO_GETTEXT -f ../bld/Makefile -C $(SRC) dnsmasq 
 
 clean :
 	rm -f *~ $(SRC)/*.mo contrib/*/*~ */*~ $(SRC)/*.pot 
-	rm -f $(SRC)/*.o $(SRC)/dnsmasq core */core
+	rm -f $(SRC)/*.o $(SRC)/dnsmasq.a $(SRC)/dnsmasq core */core
 
 install : all install-common
 
@@ -26,7 +28,7 @@ install-common :
 all-i18n :
 	$(MAKE) I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' -f ../bld/Makefile -C $(SRC) dnsmasq
 	cd $(PO); for f in *.po; do \
-		$(MAKE) -f ../bld/Makefile -C ../$(SRC) $${f/.po/.mo}; \
+		$(MAKE) -f ../bld/Makefile -C ../$(SRC) $${f%.po}.mo; \
 	done
 
 install-i18n : all-i18n install-common

UPGRADING_to_2.0

@@ -1,68 +0,0 @@
-
-
-	Upgrading to dnsmasq V2
-        -----------------------
-
-Version 1.x of dnsmasq includes a facility for reading the dhcp.leases
-file written by ISC dhcpd. This allows the names of machines which
-have addresses allocated by DHCP to be included in the DNS.
-
-Version 2.x of dnsmasq replaces the ISC dhcpd integration with a DHCP 
-server integrated into dnsmasq. Versions 2.0-2.5 removed the ISC 
-integration completely, but in version 2.6 it was re-enabled for 
-backwards compatibility purposes. The change to an integrated DHCP 
-server has the following advantages:
-
-* Small. ISC dhcpd is a large and comprehensive DHCP solution. The
-  dnsmasq DHCP server adds about 15k to DNS-only dnsmasq and provides
-  all the facilities likely to be needed in the sort of networks
-  which are targeted by dnsmasq.
-
-* Easy to configure. All configuration is in one file and there are
-  sensible defaults for common settings. Many applications will need
-  just one extra line in /etc/dnsmasq.conf which tells it the range of
-  addresses to allocate to DHCP.
-
-* Support for static leases. When static leases are used with ISC DHCP
-  they don't appear in the dhcp.leases file (since that file is used
-  for storage of dynamic leases which aren't pre-configured.) Hence
-  static leases cannot be used with dnsmasq unless each machine with a
-  static lease is also inserted into /etc/hosts. This is not required
-  with the dnsmasq DHCP server.
-
-
-       DHCP configuration
-       ------------------
-
-To convert an installation which is currently using ISC dhcpd, remove
-the ISC DHCP daemon. Unless you want dnsmasq to use the same file
-to store its leases it is necessary to remove the configuration line in
-/etc/dnsmasq.conf which specifies the dhcp.leases file.
-
-To enable DHCP, simply add a line like this to /etc/dnsmasq.conf
-
-dhcp-range=192.168.0.100,192.168.0.200,12h
-
-which tells dnsmasq to us the addresses 192.168.0.100 to 192.168.0.200
-for dynamic IP addresses, and to issue twelve hour leases.
-
-Each host will have its default route and DNS server set to be the
-address of the host running dnsmasq, and its netmask and broadcast 
-address set correctly, so nothing else at all is required for a
-minimal system. Hosts which include a hostname in their DHCP request 
-will have that name and their allocated address inserted into the DNS,
-in the same way as before.
-
-Having started dnsmasq, tell any hosts on the network to renew their
-DHCP lease, so that dnsmasq's  DHCP server becomes aware of them. For
-Linux, this is best done by killing-and-restarting the DHCP client
-daemon or taking the network interface down and then back up. For 
-Windows 9x/Me, use the graphical tool "winipcfg". For Windows
-NT/2000/XP, use the command-line "ipconfig /renew"
-
-For more complex DHCP configuration, refer to the doc/setup.html, the
-dnsmasq manpage and the annotated example configuration file. Also
-note that for some ISC dhcpd to dnsmasq DHCP upgrades there may be
-firewall issues: see the FAQ for details of this.
-
-

bld/Makefile

@@ -3,14 +3,14 @@ PKG_CONFIG ?= pkg-config
 
 
 OBJS = cache.o rfc1035.o util.o option.o forward.o isc.o network.o \
-       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o
+       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o tftp.o
 
 .c.o:
-	$(CC) $(CFLAGS) $(I18N) `../bld/pkg-wrapper $(PKG_CONFIG) --cflags dbus-1` $(RPM_OPT_FLAGS) -Wall -W -c $<
+	$(CC) $(CFLAGS) $(COPTS) $(I18N) `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --cflags dbus-1` $(RPM_OPT_FLAGS) -Wall -W -c $<
 
 dnsmasq : $(OBJS)
-	$(CC) -o $@  $(OBJS) `../bld/pkg-wrapper $(PKG_CONFIG) --libs dbus-1` $(LIBS) 
-
+	$(CC) $(LDFLAGS) -o $@  $(OBJS) `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --libs dbus-1` $(LIBS) 
+ 
 dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
 	xgettext -d dnsmasq --foreign-user --keyword=_ -o dnsmasq.pot -i $(OBJS:.o=.c)
 

bld/install-mo

@@ -1,9 +1,9 @@
 #!/bin/sh
 
 for f in *.mo; do
-  install -d $1/${f/.mo/}/LC_MESSAGES
-  install -m 644 $f $1/${f/.mo/}/LC_MESSAGES/dnsmasq.mo
-  echo installing $1/${f/.mo/}/LC_MESSAGES/dnsmasq.mo
+  install -d $1/${f%.mo}/LC_MESSAGES
+  install -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
+  echo installing $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
 done
 
 

bld/pkg-wrapper

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-if grep -q "^\#.*define.*HAVE_DBUS" config.h ; then
+if grep -q "^\#.*define.*HAVE_DBUS" config.h || grep -q HAVE_DBUS ; then
   exec $*
 fi
 

contrib/Suse/README

@@ -0,0 +1,6 @@
+This packaging is now unmaintained in the dnsmasq source: dnsmasq is
+included in Suse proper, and up-to-date packages are now available
+from 
+
+ftp://ftp.suse.com/pub/people/ug/
+

contrib/Suse/dnsmasq-SuSE.patch

@@ -17,7 +17,7 @@
  #define CHUSER "nobody"
 -#define CHGRP "dip"
 +#define CHGRP "dialout"
- #define IP6INTERFACES "/proc/net/if_inet6"
- #define UPTIME "/proc/uptime"
  #define DHCP_SERVER_PORT 67
+ #define DHCP_CLIENT_PORT 68
+ 
 

contrib/Suse/dnsmasq-suse.spec

@@ -5,7 +5,7 @@
 ###############################################################################
 
 Name: dnsmasq
-Version: 2.28
+Version: 2.33
 Release: 1
 Copyright: GPL
 Group: Productivity/Networking/DNS/Servers
@@ -106,6 +106,6 @@ rm -rf $RPM_BUILD_ROOT
 /usr/sbin/dnsmasq
 /usr/share/locale/*/LC_MESSAGES/*
 %doc %{_mandir}/man8/dnsmasq.8.gz
-
+%doc %{_mandir}/*/man8/dnsmasq.8.gz
 
 

contrib/port-forward/dnsmasq-portforward

@@ -0,0 +1,68 @@
+#!/bin/bash
+# 
+# /usr/sbin/dnsmasq-portforward
+#
+# A script which gets run when the dnsmasq DHCP lease database changes.
+# It logs to $LOGFILE, if it exists, and maintains port-forwards using
+# IP-tables so that they always point to the correct host. See
+# $PORTSFILE for details on configuring this. dnsmasq must be version 2.34 
+# or later.
+#
+# To enable this script, add 
+#    dhcp-script=/usr/sbin/dnsmasq-portforward
+# to /etc/dnsmasq.conf
+#
+# To enable logging, touch $LOGFILE
+#
+
+PORTSFILE=/etc/portforward
+LOGFILE=/var/log/dhcp.log
+IPTABLES=/sbin/iptables
+
+action=${1:-0}
+hostname=${4}
+
+# log what's going on.
+if [ -f ${LOGFILE} ] ; then
+    date +"%D %T $*" >>${LOGFILE}
+fi
+
+# If a lease gets stripped of a name, we see that as an "old" action
+# with DNSMASQ_OLD_HOSTNAME set, convert it into a "del" 
+if [ ${DNSMASQ_OLD_HOSTNAME} ] && [ ${action} = old ] ; then
+    action=del
+    hostname=${DNSMASQ_OLD_HOSTNAME}
+fi
+
+# action init is not relevant, and will only be seen when leasefile-ro is set.
+if [ ${action} = init ] ; then
+    exit 0
+fi
+
+if [ ${hostname} ]; then
+    ports=$(sed -n -e "/^${hostname}\ .*/ s/^.* //p" ${PORTSFILE})
+
+    for port in $ports; do
+	verb=removed
+	protocol=tcp
+	if [ ${port:0:1} = u ] ; then
+	    protocol=udp 
+	    port=${port/u/}
+	fi
+	src=${port/:*/}
+	dst=${port/*:/}
+# delete first, to avoid multiple copies of rules.
+	${IPTABLES} -t nat -D PREROUTING -p $protocol --destination-port $src -j DNAT --to-destination ${3}:$dst
+        if [ ${action} != del ] ; then
+	    ${IPTABLES} -t nat -A PREROUTING -p $protocol --destination-port $src -j DNAT --to-destination ${3}:$dst
+	    verb=added
+	fi
+	if [ -f ${LOGFILE} ] ; then
+	    echo "     DNAT $protocol $src to ${3}:$dst ${verb}." >>${LOGFILE}
+	fi
+    done
+fi
+    
+exit 0
+
+

contrib/port-forward/portforward

@@ -0,0 +1,28 @@
+# This file is read by /usr/sbin/dnsmasq-portforward and used to set up port 
+# forwarding to hostnames. If the dnsmasq-determined hostname matches the
+# first column of this file, then a DNAT port-forward will be set up 
+# to the address which has just been allocated by DHCP . The second field 
+# is port number(s). If there is only one, then the port-forward goes to 
+# the same port on the DHCP-client, if there are two seperated with a 
+# colon, then the second number is the port to which the connection 
+# is forwarded on the DHCP-client. By default, forwarding is set up 
+# for TCP, but it can done for UDP instead by prefixing the port to "u". 
+# To forward both TCP and UDP, two lines are required. 
+#
+# eg.
+# wwwserver 80
+# will set up a port forward from port 80 on this host to port 80 
+# at the address allocated to wwwserver whenever wwwserver gets a DHCP lease.
+#
+# wwwserver 8080:80
+# will set up a port forward from port 8080 on this host to port 80
+# on the DHCP-client.
+#
+# dnsserver 53
+# dnsserver u53
+# will port forward port 53 UDP and TCP from this host to port 53 on dnsserver.
+#
+# Port forwards will recreated when dnsmasq restarts after a reboot, and
+# removed when DHCP leases expire. After editing this file, restart dnsmasq 
+# to install new iptables entries in the kernel.
+

contrib/try-all-ns/README

@@ -0,0 +1,19 @@
+Date: Thu, 07 Dec 2006 00:41:43 -0500
+From: Bob Carroll <bob.carroll@rit.edu>
+Subject: dnsmasq suggestion
+To: simon@thekelleys.org.uk
+
+
+Hello,
+
+I recently needed a feature in dnsmasq for a very bizarre situation. I 
+placed a list of name servers in a special resolve file and told dnsmasq 
+to use that. But I wanted it to try requests in order and treat NXDOMAIN 
+requests as a failed tcp connection. I wrote the feature into dnsmasq 
+and it seems to work. I prepared a patch in the event that others might 
+find it useful as well.
+
+Thanks and keep up the good work.
+
+--Bob
+

contrib/try-all-ns/dnsmasq-2.35-try-all-ns.patch

@@ -0,0 +1,61 @@
+diff -Nau dnsmasq-2.35/src/dnsmasq.h dnsmasq/src/dnsmasq.h
+--- dnsmasq-2.35/src/dnsmasq.h	2006-10-18 16:24:50.000000000 -0400
++++ dnsmasq/src/dnsmasq.h	2006-11-16 22:06:31.000000000 -0500
+@@ -112,6 +112,7 @@
+ #define OPT_NO_PING        2097152
+ #define OPT_LEASE_RO       4194304
+ #define OPT_RELOAD         8388608
++#define OPT_TRY_ALL_NS     16777216
+ 
+ struct all_addr {
+   union {
+diff -Nau dnsmasq-2.35/src/forward.c dnsmasq/src/forward.c
+--- dnsmasq-2.35/src/forward.c	2006-10-18 16:24:50.000000000 -0400
++++ dnsmasq/src/forward.c	2006-11-16 22:08:19.000000000 -0500
+@@ -445,6 +445,10 @@
+     {
+        struct server *server = forward->sentto;
+        
++       // If strict-order and try-all-ns are set, treat NXDOMAIN as a failed request
++       if( (daemon->options & OPT_ORDER) && (daemon->options && OPT_TRY_ALL_NS)
++           && header->rcode == NXDOMAIN ) header->rcode = SERVFAIL;
++
+        if ((header->rcode == SERVFAIL || header->rcode == REFUSED) && forward->forwardall == 0)
+ 	 /* for broken servers, attempt to send to another one. */
+ 	 {
+diff -Nau dnsmasq-2.35/src/option.c dnsmasq/src/option.c
+--- dnsmasq-2.35/src/option.c	2006-10-18 16:24:50.000000000 -0400
++++ dnsmasq/src/option.c	2006-11-16 22:10:36.000000000 -0500
+@@ -28,7 +28,7 @@
+ 
+ /* options which don't have a one-char version */
+ #define LOPT_RELOAD 256
+-
++#define LOPT_TRY_ALL_NS 257
+ 
+ #ifdef HAVE_GETOPT_LONG
+ static const struct option opts[] =  
+@@ -102,6 +102,7 @@
+     {"leasefile-ro", 0, 0, '9'},
+     {"dns-forward-max", 1, 0, '0'},
+     {"clear-on-reload", 0, 0, LOPT_RELOAD },
++    {"try-all-ns", 0, 0, LOPT_TRY_ALL_NS },
+     { NULL, 0, 0, 0 }
+   };
+ 
+@@ -134,6 +135,7 @@
+   { '5',            OPT_NO_PING },
+   { '9',            OPT_LEASE_RO },
+   { LOPT_RELOAD,    OPT_RELOAD },
++  { LOPT_TRY_ALL_NS,OPT_TRY_ALL_NS },
+   { 'v',            0},
+   { 'w',            0},
+   { 0, 0 }
+@@ -208,6 +210,7 @@
+   { "-9, --leasefile-ro", gettext_noop("Read leases at startup, but never write the lease file."), NULL },
+   { "-0, --dns-forward-max=<queries>", gettext_noop("Maximum number of concurrent DNS queries. (defaults to %s)"), "!" }, 
+   { "    --clear-on-reload", gettext_noop("Clear DNS cache when reloading %s."), RESOLVFILE },
++  { "    --try-all-ns", gettext_noop("Try all name servers in tandem on NXDOMAIN replies (use with strict-order)."), NULL },
+   { NULL, NULL, NULL }
+ }; 
+ 

contrib/webmin/README

@@ -0,0 +1,54 @@
+
+This is the README for the DNSmasq webmin module.
+
+Problems:
+
+1) There's only basic error checking - if you enter some bad
+addresses or names, they will go straight into the config file
+although we do check for things like IP addresses being of
+the correct form (no letters, 4 groups of up to 3 digits
+separated by dots etc). One thing that ISN'T CHECKED FOR is
+that IP dotted quads are all numbers < 256. Another is that
+netmasks are logical (you could enter a netmask of 255.0.255.0 
+for example). Essentially, if it'll pass the config file
+regex scanner (and the above examples will), it won't be 
+flagged as "bad" even if it is a big no-no for dnsmasq itself. 
+
+2) Code is ugly and a kludge - I ain't a programmer! There are probably 
+a lot of things that could be done to tidy up the code - eg, 
+it probably wouldn't hurt to move some common stuff into the lib file.
+
+3) I've used the %text hash and written an english lang file, but
+I am mono-lingual so no other language support as yet.
+
+4) for reasons unknown to me, the icon does not appear properly
+on the servers page of webmin (at least it doesn't for me!)
+
+5) icons have been shamelessly stolen from the ipfilter module,
+specifically the up and down arrows.
+
+6) if you delete an item, the config file will contain
+an otherwise empty, but commented line. This means that if
+you add some new stuff, then delete it, the config file
+will have a number of lines at the end that are just comments.
+Therefore, the config file could possibly grow quite large.
+
+7) NO INCLUDE FILES!
+if you use an include file, it'll be flagged as an error. 
+OK if the include file line is commented out though.
+
+8) deprecated lines not supported (eg user and group) - they
+may produce an error! (user and group don't, but you can't change
+them)
+
+IOW, it works, it's just not very elegant and not very robust.
+
+Hope you find it useful though - I do, as I prevents me having to ever
+wade through the config file and man pages again.
+
+If you modify it, or add a language file, and you have a spare moment,
+please e-mail me - I won't be upset at all if you fix my poor coding!
+(rather the opposite - I'd be pleased someone found it usefull)
+
+Cheers,
+	Neil Fisher <neil@magnecor.com.au>

contrib/wrt/Makefile

@@ -0,0 +1,7 @@
+CFLAGS?= -O2
+
+all: dhcp_release.c
+	$(CC) $(CFLAGS) $(RPM_OPT_FLAGS) -Wall -W dhcp_release.c -o dhcp_release
+
+clean:
+	rm -f *~ *.o core dhcp_release

contrib/wrt/README

@@ -0,0 +1,81 @@
+This script can be used to implement persistent leases on openWRT, DD-WRT
+etc. Persistent leases are good: if the lease database is lost on a
+reboot, then it will eventually be restored as hosts renew their
+leases. Until a host renews (which may take hours/days) it will
+not exist in the DNS if dnsmasq's DDNS function is in use.
+
+*WRT systems remount all non-volatile fileystems read-only after boot,
+so the normal leasefile will not work. They do, however have NV
+storage, accessed with the nvram command:
+
+/usr/lib #  nvram
+usage: nvram [get name] [set name=value] [unset name] [show]
+
+The principle is that leases are kept in NV variable with data
+corresponding to the line in a leasefile:
+
+dnsmasq_lease_192.168.1.56=3600 00:41:4a:05:80:74 192.168.1.56 * *
+
+By giving dnsmasq the leasefile-ro command, it no longer creates or writes a
+leasefile; responsibility for maintaining the lease database transfers
+to the lease change script. At startup, in leasefile-ro mode,
+dnsmasq will run
+
+"<lease_change_script> init" 
+
+and read whatever that command spits out, expecting it to
+be in dnsmasq leasefile format.
+
+So the lease change script, given "init" as argv[1] will 
+suck existing leases out of the NVRAM and emit them from
+stdout in the correct format.
+
+The second part of the problem is keeping the NVRAM up-to-date: this
+is done by the lease-change script which dnsmasq runs when a lease is
+updated. When it is called with argv[1] as "old", "add", or "del"
+it updates the relevant nvram entry.
+
+So, dnsmasq should be run as :
+
+dnsmasq --leasefile-ro --dhcp-script=/path/to/lease_update.sh
+
+or the same flags added to /etc/dnsmasq.conf
+
+
+
+Notes: 
+
+This needs dnsmasq-2.33 or later to work.
+
+This technique will work with, or without, compilation with
+HAVE_BROKEN_RTC. Compiling with HAVE_BROKEN_RTC is
+_highly_recommended_ for this application since is avoids problems
+with the system clock being warped by NTP, and it vastly reduces the
+number of writes to the NVRAM. With HAVE_BROKEN_RTC, NVRAM is updated
+only when a lease is created or destroyed; without it, a write occurs
+every time a lease is renewed.
+
+It probably makes sense to restrict the number of active DHCP leases
+to an appropriate number using dhcp-lease-max. On a new DD_WRT system,
+there are about 10K bytes free in the NVRAM. Each lease record is
+about 100 bytes, so restricting the number of leases to 50 will limit
+use to half that. (The default limit in the distributed source is 150)
+
+Any UI script which reads the dnsmasq leasefile will have to be
+ammended, probably by changing it to read the output of 
+`lease_update init` instead.
+ 
+
+Thanks:
+
+To Steve Horbachuk for checks on the script and debugging beyond the 
+call of duty.
+
+
+Simon Kelley
+Fri Jul 28 11:51:13 BST 2006
+
+
+
+
+

contrib/wrt/dhcp_release.c

@@ -0,0 +1,331 @@
+/* Copyright (c) 2006 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+*/
+
+/* dhcp_release <interface> <address> <MAC address> <client_id>
+   MUST be run as root - will fail otherwise. */
+
+/* Send a DHCPRELEASE message via the specified interface 
+   to tell the local DHCP server to delete a particular lease. 
+   
+   The interface argument is the interface in which a DHCP
+   request _would_ be received if it was coming from the client, 
+   rather than being faked up here.
+   
+   The address argument is a dotted-quad IP addresses and mandatory. 
+   
+   The MAC address is colon separated hex, and is mandatory. It may be 
+   prefixed by an address-type byte followed by -, eg
+
+   10-11:22:33:44:55:66
+
+   but if the address-type byte is missing it is assumed to be 1, the type 
+   for ethernet. This encoding is the one used in dnsmasq lease files.
+
+   The client-id is optional. If it is "*" then it treated as being missing.
+*/
+
+#include <sys/types.h> 
+#include <netinet/in.h>
+#include <net/if.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <net/if_arp.h>
+#include <sys/ioctl.h>
+#include <linux/types.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <errno.h>
+
+#define DHCP_CHADDR_MAX          16
+#define BOOTREQUEST              1
+#define DHCP_COOKIE              0x63825363
+#define OPTION_SERVER_IDENTIFIER 54
+#define OPTION_CLIENT_ID         61
+#define OPTION_MESSAGE_TYPE      53
+#define OPTION_END               255
+#define DHCPRELEASE              7
+#define DHCP_SERVER_PORT         67
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+struct dhcp_packet {
+  u8 op, htype, hlen, hops;
+  u32 xid;
+  u16 secs, flags;
+  struct in_addr ciaddr, yiaddr, siaddr, giaddr;
+  u8 chaddr[DHCP_CHADDR_MAX], sname[64], file[128];
+  u32 cookie;
+  unsigned char options[308];
+};
+
+static struct iovec iov;
+
+static int expand_buf(struct iovec *iov, size_t size)
+{
+  void *new;
+
+  if (size <= iov->iov_len)
+    return 1;
+
+  if (!(new = malloc(size)))
+    {
+      errno = ENOMEM;
+      return 0;
+    }
+
+  if (iov->iov_base)
+    {
+      memcpy(new, iov->iov_base, iov->iov_len);
+      free(iov->iov_base);
+    }
+
+  iov->iov_base = new;
+  iov->iov_len = size;
+
+  return 1;
+}
+
+static ssize_t netlink_recv(int fd)
+{
+  struct msghdr msg;
+  ssize_t rc;
+
+  msg.msg_control = NULL;
+  msg.msg_controllen = 0;
+  msg.msg_name = NULL;
+  msg.msg_namelen = 0;
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+    
+  while (1)
+    {
+      msg.msg_flags = 0;
+      while ((rc = recvmsg(fd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
+      
+      /* 2.2.x doesn't suport MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
+         big buffer and pray in that case. */
+      if (rc == -1 && errno == EOPNOTSUPP)
+        {
+          if (!expand_buf(&iov, 2000))
+            return -1;
+          break;
+        }
+      
+      if (rc == -1 || !(msg.msg_flags & MSG_TRUNC))
+        break;
+            
+      if (!expand_buf(&iov, iov.iov_len + 100))
+        return -1;
+    }
+
+  /* finally, read it for real */
+  while ((rc = recvmsg(fd, &msg, 0)) == -1 && errno == EINTR);
+  
+  return rc;
+}
+
+static int parse_hex(char *in, unsigned char *out, int maxlen, int *mac_type)
+{
+  int i = 0;
+  char *r;
+    
+  if (mac_type)
+    *mac_type = 0;
+  
+  while (maxlen == -1 || i < maxlen)
+    {
+      for (r = in; *r != 0 && *r != ':' && *r != '-'; r++);
+      if (*r == 0)
+        maxlen = i;
+      
+      if (r != in )
+        {
+          if (*r == '-' && i == 0 && mac_type)
+           {
+              *r = 0;
+              *mac_type = strtol(in, NULL, 16);
+              mac_type = NULL;
+           }
+          else
+            {
+              *r = 0;
+	      out[i] = strtol(in, NULL, 16);
+              i++;
+            }
+        }
+      in = r+1;
+    }
+    return i;
+}
+
+static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
+{
+  return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
+}
+
+static struct in_addr find_interface(struct in_addr client, int fd, int index)
+{
+  struct sockaddr_nl addr;
+  struct nlmsghdr *h;
+  ssize_t len;
+ 
+  struct {
+    struct nlmsghdr nlh;
+    struct rtgenmsg g; 
+  } req;
+
+  addr.nl_family = AF_NETLINK;
+  addr.nl_pad = 0;
+  addr.nl_groups = 0;
+  addr.nl_pid = 0; /* address to kernel */
+
+  req.nlh.nlmsg_len = sizeof(req);
+  req.nlh.nlmsg_type = RTM_GETADDR;
+  req.nlh.nlmsg_flags = NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST | NLM_F_ACK; 
+  req.nlh.nlmsg_pid = 0;
+  req.nlh.nlmsg_seq = 1;
+  req.g.rtgen_family = AF_INET; 
+
+  if (sendto(fd, (void *)&req, sizeof(req), 0, 
+	     (struct sockaddr *)&addr, sizeof(addr)) == -1)
+    {
+      perror("sendto failed");
+      exit(1);
+    }
+  
+  while (1)
+    {
+      if ((len = netlink_recv(fd)) == -1)
+	{
+	  perror("netlink");
+	  exit(1);
+	}
+
+      for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
+	if (h->nlmsg_type == NLMSG_DONE)
+	  exit(0);
+	else if (h->nlmsg_type == RTM_NEWADDR)
+          {
+            struct ifaddrmsg *ifa = NLMSG_DATA(h);  
+            struct rtattr *rta;
+            unsigned int len1 = h->nlmsg_len - NLMSG_LENGTH(sizeof(*ifa));
+            
+            if (ifa->ifa_index == index && ifa->ifa_family == AF_INET)
+              {
+                struct in_addr netmask, addr;
+                
+                netmask.s_addr = htonl(0xffffffff << (32 - ifa->ifa_prefixlen));
+                addr.s_addr = 0;
+                
+                for (rta = IFA_RTA(ifa); RTA_OK(rta, len1); rta = RTA_NEXT(rta, len1))
+		  if (rta->rta_type == IFA_LOCAL)
+		    addr = *((struct in_addr *)(rta+1));
+		
+                if (addr.s_addr && is_same_net(addr, client, netmask))
+		  return addr;
+	      }
+	  }
+    }
+ 
+  exit(0);
+}
+
+int main(int argc, char **argv)
+{ 
+  struct in_addr server, lease;
+  int mac_type;
+  struct dhcp_packet packet;
+  unsigned char *p = packet.options;
+  struct sockaddr_in dest;
+  struct ifreq ifr;
+  int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+  int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+  struct iovec iov;
+ 
+  iov.iov_len = 200;
+  iov.iov_base = malloc(iov.iov_len);
+
+  if (argc < 4 || argc > 5)
+    { 
+      fprintf(stderr, "usage: dhcp_release <interface> <addr> <mac> [<client_id>]\n");
+      exit(1);
+    }
+
+  if (fd == -1 || nl == -1)
+    {
+      perror("cannot create socket");
+      exit(1);
+    }
+  
+  /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
+     a DHCP server */
+  strcpy(ifr.ifr_name, argv[1]);
+  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
+    {
+      perror("cannot setup interface");
+      exit(1);
+    }
+  
+  
+  lease.s_addr = inet_addr(argv[2]);
+  server = find_interface(lease, nl, if_nametoindex(argv[1]));
+  
+  memset(&packet, 0, sizeof(packet));
+ 
+  packet.hlen = parse_hex(argv[3], packet.chaddr, DHCP_CHADDR_MAX, &mac_type);
+  if (mac_type == 0)
+    packet.htype = ARPHRD_ETHER;
+  else
+    packet.htype = mac_type;
+
+  packet.op = BOOTREQUEST;
+  packet.ciaddr = lease;
+  packet.cookie = htonl(DHCP_COOKIE);
+
+  *(p++) = OPTION_MESSAGE_TYPE;
+  *(p++) = 1;
+  *(p++) = DHCPRELEASE;
+
+  *(p++) = OPTION_SERVER_IDENTIFIER;
+  *(p++) = sizeof(server);
+  memcpy(p, &server, sizeof(server));
+  p += sizeof(server);
+
+  if (argc == 5 && strcmp(argv[4], "*") != 0)
+    {
+      unsigned int clid_len = parse_hex(argv[4], p+2, 255, NULL);
+      *(p++) = OPTION_CLIENT_ID;
+      *(p++) = clid_len;
+      p += clid_len;
+    }
+  
+  *(p++) = OPTION_END;
+ 
+  dest.sin_family = AF_INET;
+  dest.sin_port = ntohs(DHCP_SERVER_PORT);
+  dest.sin_addr = server;
+
+  if (sendto(fd, &packet, sizeof(packet), 0, 
+	     (struct sockaddr *)&dest, sizeof(dest)) == -1)
+    {
+      perror("sendto failed");
+      exit(1);
+    }
+
+  return 0;
+}

contrib/wrt/lease_update.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# Copyright (c) 2006 Simon Kelley
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; version 2 dated June, 1991.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+
+
+# if $1 is add del or old, this is a dnsmasq-called lease-change
+# script, update the nvram database. if $1 is init, emit a 
+# dnsmasq-format lease file to stdout representing the current state of the 
+# database, this is called by dnsmasq at startup.
+
+NVRAM=/usr/sbin/nvram
+PREFIX=dnsmasq_lease_
+
+# Arguments.
+# $1 is action (add, del, old)
+# $2 is MAC 
+# $3 is address
+# $4 is hostname (optional, may be unset)
+
+# env.
+# DNSMASQ_LEASE_LENGTH or DNSMASQ_LEASE_EXPIRES (which depends on HAVE_BROKEN_RTC)
+# DNSMASQ_CLIENT_ID (optional, may be unset)
+
+# File.
+# length|expires MAC addr hostname|* CLID|* 
+
+# Primary key is address.
+
+if [ ${1} = init ] ; then
+     ${NVRAM} show | sed -n -e "/^${PREFIX}.*/ s/^.*=//p"
+else
+     if [ ${1} = del ] ; then
+          ${NVRAM} unset ${PREFIX}${3}
+     fi
+
+     if [ ${1} = old ] || [ ${1} = add ] ; then
+          ${NVRAM} set ${PREFIX}${3}="${DNSMASQ_LEASE_LENGTH:-}${DNSMASQ_LEASE_EXPIRES:-} ${2} ${3} ${4:-*} ${DNSMASQ_CLIENT_ID:-*}"
+     fi
+     ${NVRAM} commit
+fi
+
+
+
+
+ 

dbus/dnsmasq.conf

@@ -0,0 +1,16 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own="uk.org.thekelleys.dnsmasq"/>
+		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
+                <allow send_interface="uk.org.thekelleys.dnsmasq"/>
+	</policy>
+	<policy context="default">
+                <deny own="uk.org.thekelleys.dnsmasq"/>
+                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
+                <deny send_interface="uk.org.thekelleys.dnsmasq"/>
+        </policy>
+</busconfig>
+

dnsmasq-rh.spec

@@ -1,133 +0,0 @@
-###############################################################################
-#
-# General mumbojumbo
-#
-###############################################################################
-
-Name: dnsmasq
-Version: 2.28
-Release: 1
-License: GPL
-Group: System Environment/Daemons
-Vendor: Simon Kelley
-Packager: Simon Kelley
-Distribution: Red Hat Linux
-URL: http://www.thekelleys.org.uk/dnsmasq
-Source0: %{name}-%{version}.tar.gz
-Requires: chkconfig
-BuildRoot: /var/tmp/%{name}-%{version}
-Summary: A lightweight caching nameserver
-
-%description
-Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It 
-is designed to provide DNS and, optionally, DHCP, to a small network. It can
-serve the names of local machines which are not in the global DNS. The DHCP 
-server integrates with the DNS server and allows machines with DHCP-allocated
-addresses to appear in the DNS with names configured either in each host or 
-in a central configuration file. Dnsmasq supports static and dynamic DHCP 
-leases and BOOTP for network booting of diskless machines.
-
-
-
-###############################################################################
-#
-# Build
-#
-###############################################################################
-
-%prep
-%setup -q
-%build
-make all-i18n PREFIX=/usr
-
-
-###############################################################################
-#
-# Install
-#
-###############################################################################
-
-%install
-rm -rf $RPM_BUILD_ROOT
-
-mkdir -p -m 755 $RPM_BUILD_ROOT/usr/sbin
-mkdir -p -m 755 $RPM_BUILD_ROOT/etc/rc.d/init.d
-mkdir -p -m 755 $RPM_BUILD_ROOT/usr/share/man/man8
-
-cp rpm/dnsmasq.rh $RPM_BUILD_ROOT/etc/rc.d/init.d/dnsmasq
-make install-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-strip $RPM_BUILD_ROOT/usr/sbin/dnsmasq
-cp src/dnsmasq $RPM_BUILD_ROOT/usr/sbin
-cp dnsmasq.conf.example $RPM_BUILD_ROOT/etc/dnsmasq.conf
-
-###############################################################################
-#
-# Clean up
-#
-###############################################################################
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-
-###############################################################################
-#
-# Post-install scriptlet
-#
-###############################################################################
-
-%post
-/sbin/chkconfig --add dnsmasq
-
-
-###############################################################################
-#
-# Pre-uninstall scriptlet
-#
-# If there's a time when your package needs to have one last look around before
-# the user erases it, the place to do it is in the %preun script. Anything that
-# a package needs to do immediately prior to RPM taking any action to erase the
-# package, can be done here.
-#
-###############################################################################
-
-%preun
-if [ $1 = 0 ]; then     # execute this only if we are NOT doing an upgrade
-    service dnsmasq stop >/dev/null 2>&1
-    /sbin/chkconfig --del dnsmasq
-fi
-
-
-###############################################################################
-#
-# Post-uninstall scriptlet
-#
-# The %postun script executes after the package has been removed. It is the
-# last chance for a package to clean up after itself.
-#
-###############################################################################
-
-%postun
-if [ "$1" -ge "1" ]; then
-    service dnsmasq restart >/dev/null 2>&1
-fi
-
-
-###############################################################################
-#
-# File list
-#
-###############################################################################
-
-%files
-%defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html UPGRADING_to_2.0
-%config /etc/rc.d/init.d/dnsmasq 
-%config /etc/dnsmasq.conf
-%attr(0755,root,root) /etc/rc.d/init.d/dnsmasq
-%attr(0664,root,root) /etc/dnsmasq.conf
-%attr(0755,root,root) /usr/sbin/dnsmasq
-#%attr(0644,root,root) /usr/share/man/*/man8/dnsmasq*
-%attr(0644,root,root) /usr/share/man/man8/dnsmasq*
-%attr(0644,root,root) /usr/share/locale/*/LC_MESSAGES/*
-

dnsmasq.conf.example

@@ -11,9 +11,9 @@
 # these requests from bringing up the link uneccessarily.
 
 # Never forward plain names (without a dot or domain part)
-domain-needed
+#domain-needed
 # Never forward addresses in the non-routed address spaces.
-bogus-priv
+#bogus-priv
 
 
 # Uncomment this to filter useless windows-originated DNS requests
@@ -37,7 +37,7 @@ bogus-priv
 
 # If you don't want dnsmasq to read /etc/resolv.conf or any other
 # file, getting its servers from this file instead (see below), then
-# uncomment this
+# uncomment this.
 #no-resolv
 
 # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
@@ -206,12 +206,19 @@ bogus-priv
 # subnet mask - 1
 # default router - 3
 # DNS server - 6
+# hostname - 12
 # broadcast address - 28
 
 # Override the default route supplied by dnsmasq, which assumes the
 # router is the same machine as the one running dnsmasq.
 #dhcp-option=3,1.2.3.4
 
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option 
+# for all other option numbers.
+#dhcp-option=3
+
 # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
 #dhcp-option=42,192.168.0.4,10.10.0.5
 
@@ -255,16 +262,58 @@ bogus-priv
 # Send RFC-3442 classless static routes (note the netmask encoding)
 #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
 
-# Send encapsulated vendor-class specific options. The vendor-class
-# is sent as DHCP option 60, and all the options marked with the
-# vendor class are send encapsulated in DHCP option 43. The meaning of
-# the options is defined by the vendor-class. This example sets the
-# mtftp address to 0.0.0.0 for PXEClients
+# Send vendor-class specific options encapsulated in DHCP option 43. 
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT" 
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
 #dhcp-option=vendor:PXEClient,1,0.0.0.0
 
-# Set the boot filename and tftpd server name and address
-# for BOOTP. You will only need this is you want to
-# boot machines over the network.
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here. 
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for BOOTP. You will only need 
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files availble via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=net:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external server: the name and IP
+# address of the server are given after the filename.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
 
 # Set the limit on DHCP leases, the default is 150
@@ -285,6 +334,12 @@ bogus-priv
 # http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
 #dhcp-authoritative
 
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del", 
+# then the MAC address, the IP address and finally the hostname
+# if there is one. 
+#dhcp-script=/bin/echo
+
 # Set the cachesize here.
 #cache-size=150
 
@@ -357,6 +412,11 @@ bogus-priv
 # example.com
 #srv-host=_ldap._tcp.example.com
 
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
 
 # Change the following lines to enable dnsmasq to serve TXT records.
 # These are used for things like SPF and zeroconf. (Note that the
@@ -364,7 +424,7 @@ bogus-priv
 # occur for TXT records.)
 
 #Example SPF.
-#txt-record=example.com,v=spf1 a -all
+#txt-record=example.com,"v=spf1 a -all"
 
 #Example zeroconf
 #txt-record=_http._tcp.example.com,name=value,paper=A4
@@ -376,3 +436,4 @@ bogus-priv
 
 # Include a another lot of configuration options.
 #conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d

doc.html

@@ -11,20 +11,22 @@ Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
  server and allows machines with DHCP-allocated addresses
  to appear in the DNS with names configured either in each host or
  in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP for network booting of diskless machines.
+ DHCP leases and BOOTP/TFTP for network booting of diskless machines.
 <P>
  Dnsmasq is targeted at home networks using NAT and 
 connected to the internet via a modem, cable-modem or ADSL
-connection but would be a good choice for any small network where low
+connection but would be a good choice for any smallish network (up to
+1000 clients is known to work) where low
 resource use and ease of configuration are important. 
 <P>
 Supported platforms include Linux (with glibc and uclibc), *BSD and
 Mac OS X.
 Dnsmasq is included in at least the following Linux distributions:
-Gentoo, Debian, Slackware, Suse, 
-Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l, CoyoteLinux and
-Clarkconnect. It is also available as a FreeBSD port and is used in
-Linksys wireless routers and the m0n0wall project.
+Gentoo, Debian, Slackware, Suse, Fedora,
+Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l,
+CoyoteLinux, Endian Firewall and
+Clarkconnect. It is also available as FreeBSD, OpenBSD and NetBSD ports and is used in
+Linksys wireless routers (dd-wrt, openwrt and the stock firmware) and the m0n0wall project.
 <P>
 Dnsmasq provides the following features:
 <DIR>
@@ -73,7 +75,7 @@ upstream servers handling only those domains. This makes integration
 with private DNS systems easy.
 </LI>
 <LI>
-Dnsmasq supports MX records and can be configured to return MX records
+Dnsmasq supports MX and SRV records and can be configured to return MX records
 for any or all local machines.
 </LI>
 </DIR>
@@ -81,27 +83,11 @@ for any or all local machines.
 <H2>Download.</H2>
 
 <A HREF="http://www.thekelleys.org.uk/dnsmasq/"> Download</A> dnsmasq here. 
-The tarball includes this documentation, source, manpage and control files for building .rpms.
-There are also pre-built i386 .rpms, and a 
-<A HREF="CHANGELOG"> CHANGELOG</A>.
+The tarball includes this documentation, source, and manpage.
+There is also a <A HREF="CHANGELOG"> CHANGELOG</A> and a <A HREF="FAQ">FAQ</A>.
 Dnsmasq is part of the Debian distribution, it can be downloaded from 
 <A HREF="http://ftp.debian.org/debian/pool/main/d/dnsmasq/"> here</A> or installed using <TT>apt</TT>.
 
-
-<H2>Building rpms.</H2>
-Assuming you have the relevant tools installed, you can rebuild .rpms simply by running (as root)
-
-<PRE>
-rpmbuild -ta dnsmasq-xxx.tar.gz
-</PRE>
-
-Note for Suse users: you will need to re-compress the tar file as
-bzip2 before building using the commands
-<PRE>
-gunzip dnsmasq-xxx.tar.gz
-bzip2 dnsmasq-zzz.tar
-</PRE>
-
 <H2>Links.</H2>
 There is an article in German on dnsmasq at <A
 HREF="http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html">http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html</A>

man/dnsmasq.8

@@ -6,7 +6,7 @@ dnsmasq \- A lightweight DHCP and caching DNS server.
 .I [OPTION]...
 .SH "DESCRIPTION"
 .BR dnsmasq
-is a lightweight DNS and DHCP server. It is intended to provide coupled DNS and DHCP service to a
+is a lightweight DNS, TFTP and DHCP server. It is intended to provide coupled DNS and DHCP service to a
 LAN.
 .PP
 Dnsmasq accepts DNS queries and either answers them from a small, local,
@@ -18,13 +18,15 @@ DNS queries for DHCP configured hosts.
 The dnsmasq DHCP server supports static address assignments, multiple
 networks, DHCP-relay and RFC3011 subnet specifiers. It automatically
 sends a sensible default set of DHCP options, and can be configured to
-send any desired set of DHCP options. It also supports BOOTP.
+send any desired set of DHCP options, inlcuding vendor-encapsulated
+options. It includes a secure, read-only,
+TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.
 .PP
 Dnsmasq 
-supports IPv6.
+supports IPv6 for DNS, but not DHCP.
 .SH OPTIONS
 Note that in general missing parameters are allowed and switch off
-functions, for instance "--pid-file=" disables writing a PID file. On
+functions, for instance "--pid-file" disables writing a PID file. On
 BSD, unless the GNU getopt library is linked, the long form of the
 options does not work on the command line; it is still recognised in
 the configuration file.
@@ -37,6 +39,10 @@ Additional hosts file. Read the specified file as well as /etc/hosts. If -h is g
 only the specified file. This option may be repeated for more than one
 additional hosts file.
 .TP
+.B \-E, --expand-hosts
+Add the domain to simple names (without a period) in /etc/hosts
+in the same way as for DHCP-derived names.
+.TP
 .B \-T, --local-ttl=<time>
 When replying with information from /etc/hosts or the DHCP leases
 file dnsmasq by default sets the time-to-live field to zero, meaning
@@ -60,6 +66,10 @@ to handle TCP queries.
 .B \-q, --log-queries
 Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1.
 .TP
+.B \-8, --log-facility=<facility>
+Set the facility to which dnsmasq will send syslog entries, this
+defaults to DAEMON, and to LOCAL0 when debug mode is in operation.
+.TP
 .B \-x, --pid-file=<path>
 Specify an alternate path for dnsmasq to record its process-id in. Normally /var/run/dnsmasq.pid.
 .TP
@@ -102,14 +112,11 @@ or
 options are given dnsmasq listens on all available interfaces except any
 given in
 .B \--except-interface
-options. If IP alias interfaces (eg "eth1:0") are used with
+options. IP alias interfaces (eg "eth1:0") cannot be used with
 .B --interface
 or
 .B --except-interface
-options, then the 
-.B --bind-interfaces 
-option will be automatically set. This is required for deeply boring
-sockets-API reasons. 
+options, use --listen-address instead. 
 .TP
 .B \-I, --except-interface=<interface name>
 Do not listen on the specified interface. Note that the order of
@@ -122,7 +129,7 @@ options does not matter and that
 options always override the others.
 .TP 
 .B \-2, --no-dhcp-interface=<interface name>
-Do not provide DHCP on the specified interface, but do provide DNS service.
+Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
 .TP
 .B \-a, --listen-address=<ipaddr>
 Listen on the given IP address(es). Both 
@@ -148,9 +155,7 @@ working even when interfaces come and go and change address. This
 option forces dnsmasq to really bind only the interfaces it is
 listening on. About the only time when this is useful is when 
 running another nameserver (or another instance of dnsmasq) on the
-same machine or when using IP
-alias. Specifying interfaces with IP alias automatically turns this
-option on. Setting this option also enables multiple instances of
+same machine. Setting this option also enables multiple instances of
 dnsmasq which provide DHCP service to run in the same machine.
 .TP
 .B \-y, --localise-queries
@@ -220,12 +225,17 @@ server strictly in the order they appear in /etc/resolv.conf
 .B \-n, --no-poll
 Don't poll /etc/resolv.conf for changes.
 .TP
+.B --clear-on-reload
+Whenever /etc/resolv.conf is re-read, clear the DNS cache.
+This is useful when new nameservers may have different
+data than that held in cache.
+.TP
 .B \-D, --domain-needed
 Tells dnsmasq to never forward queries for plain names, without dots
 or domain parts, to upstream nameservers. If the name is not known
 from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
-.B \-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
 Specify IP address of upstream severs directly. Setting this flag does
 not suppress reading of /etc/resolv.conf, use -R to do that. If one or
 more 
@@ -318,6 +328,9 @@ all that match are returned.
 Return a TXT DNS record. The value of TXT record is a set of strings,
 so  any number may be included, split by commas.
 .TP
+.B --ptr-record=<name>[,<target>]
+Return a PTR DNS record.
+.TP
 .B \-c, --cache-size=<cachesize>
 Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
 .TP
@@ -327,6 +340,12 @@ Disable negative caching. Negative caching allows dnsmasq to remember
 identical queries without forwarding them again. This flag disables
 negative caching.
 .TP
+.B \-0, --dns-forward-max=<queries>
+Set the maximum number of concurrent DNS queries. The default value is
+150, which should be fine for most setups. The only known situation
+where this needs to be increased is when using web-server log file
+resolvers, which can generate large numbers of concurrent queries.
+.TP
 .B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
 Enable the DHCP server. Addresses will be given out from the range
 <start-addr> to <end-addr> and from statically defined addresses given
@@ -344,7 +363,7 @@ always optional. On some broken systems, dnsmasq can listen on only
 one interface when using DHCP, and the name of that interface must be
 given using the
 .B interface
-option. This limitation currently affects OpenBSD. It is always
+option. This limitation currently affects OpenBSD before version 4.0. It is always
 allowed to have more than one dhcp-range in a single subnet. The optional
 network-id is a alphanumeric label which marks this network so that
 dhcp options may be specified on a per-network basis. 
@@ -358,7 +377,7 @@ addresses given via
 .B dhcp-host
 or from /etc/ethers will be served.
 .TP
-.B \-G, --dhcp-host=[[<hwaddr>]|[id:[<client_id>][*]]][net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
 with a particular hardware address to be always allocated the same
 hostname, IP address and lease time. A hostname specified like this
@@ -419,7 +438,7 @@ have exactly the same effect as
 .B --dhcp-host
 options containing the same information.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:<vendor-class>]<opt>,[<value>[,<value>]]
+.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 Specify different or extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
@@ -439,9 +458,10 @@ and a text string. If the optional network-ids are given then
 this option is only sent when all the network-ids are matched.
 
 Special processing is done on a text argument for option 119, to
-conform with RFC 3397, and dotted-quad IP addresses which are followed
-by a slash and then a netmask size are encoded as described in RFC
-3442.
+conform with RFC 3397. Text or dotted-quad IP addresses as arguments
+to option 120 are handled as per RFC 3361. Dotted-quad IP addresses 
+which are followed by a slash and then a netmask size are encoded as
+described in RFC 3442.
 
 Be careful: no checking is done that the correct type of data for the
 option number is sent, it is quite possible to
@@ -460,12 +480,27 @@ a literal IP address as TFTP server name, it is necessary to do
 
 Encapsulated Vendor-class options may also be specified using
 --dhcp-option: for instance 
-.B --dhcp-option=vendor:PXEClient,1,0.0.0.0
-sends the vendor class "PXEClient" and the encapsulated vendor class-specific option "mftp-address=0.0.0.0" Only one vendor class is allowed for any
-host, but multiple options are allowed, provided they all have
-the same vendor class. The address 0.0.0.0 is not treated specially in
+.B --dhcp-option=vendor:PXEClient,1,0.0.0.0 
+sends the encapsulated vendor
+class-specific option "mftp-address=0.0.0.0" to any client whose
+vendor-class matches "PXEClient". The vendor-class matching is
+substring based (see --dhcp-vendorclass for details). If a
+vendor-class option (number 60) is sent by dnsmasq, then that is used 
+for selecting encapsulated options in preference to any sent by the
+client. It is
+possible to omit the vendorclass completely;
+.B --dhcp-option=vendor:,1,0.0.0.0
+in which case the encapsulated option is always sent.
+The address 0.0.0.0 is not treated specially in
 encapsulated vendor class options.
 .TP
+.B --dhcp-option-force=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+This works in exactly the same way as
+.B --dhcp-otion
+except that the option will always be sent, even of the client does
+not ask for it in the parameter request list. This is sometimes
+needed, for example when sending options to PXELinux.
+.TP
 .B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
 Map from a vendor-class string to a network id. Most DHCP clients provide a 
 "vendor class" which represents, in some sense, the type of host. This option 
@@ -498,10 +533,23 @@ When all the given network-ids match the set of network-ids derived
 from the net, host, vendor and user classes, ignore the host and do
 not allocate it a DHCP lease.
 .TP
+.B --dhcp-ignore-name[=<network-id>[,<network-id>]]
+When all the given network-ids match the set of network-ids derived
+from the net, host, vendor and user classes, ignore any hostname
+provided by the host. Note that, unlike dhcp-ignore, it is permissable
+to supply no netid tags, in which case DHCP-client supplied hostnames
+are always ignored, and DHCP hosts are added to the DNS using only
+dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
+/etc/ethers.
+.TP
 .B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
-Set BOOTP options to be returned by the DHCP server. These are needed
-for machines which network boot, and tell the machine where to collect
-its initial configuration. If the optional network-id(s) are given,
+Set BOOTP options to be returned by the DHCP server. Server name and
+address are optional: if not provided, the name is left empty, and the
+address set to the address of the machine running dnsmasq. If dnsmasq
+is providing a TFTP service (see 
+.B --enable-tftp
+) then only the filename is required here to enable network booting.
+If the optional network-id(s) are given,
 they must match for this configuration to be sent. Note that
 network-ids are prefixed by "net:" to distinguish them.
 .TP  
@@ -538,13 +586,79 @@ is given but no dhcp-range option is given then dnsmasq version 1
 behaviour is activated. The file given is assumed to be an ISC dhcpd
 lease file and parsed for leases which are then added to the DNS
 system if they have a hostname. This functionality may have been
-excluded from dnsmasq at compile time, in which case an error will occur.
+excluded from dnsmasq at compile time, in which case an error will
+occur. In any case note that ISC leasefile integration is a deprecated
+feature. It should not be used in new installations, and will be
+removed in a future release.
+.TP 
+.B \-6 --dhcp-script=<path>
+Whenever a new DHCP lease is created, or an old one destroyed, the
+binary specified by this option is run. The arguments to the process
+are "add", "old" or "del", the MAC
+address of the host (or "<null>"), the IP address, and the hostname,
+if known. "add" means a lease has been created, "del" means it has
+been destroyed, "old" is a notification of an existing lease when
+dnsmasq starts or a change to MAC address or hostname of an existing
+lease (also, lease length or expiry and client-id, if leasefile-ro is set).
+The process is run as root (assuming that dnsmasq was originally run as
+root) even if dnsmasq is configured to change UID to an unprivileged user.
+The environment is inherited from the invoker of dnsmasq, and if the
+host provided a client-id, this is stored in the environment variable
+DNSMASQ_CLIENT_ID. If the client provides vendor-class or user-class 
+information, these are provided in DNSMASQ_VENDOR_CLASS and 
+DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for
+"add" actions or "old" actions when a host resumes an existing lease,
+since these data are not held in dnsmasq's lease
+database. If dnsmasq was compiled with HAVE_BROKEN_RTC, then
+the length of the lease (in seconds) is stored in
+DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
+DNSMASQ_LEASE_EXPIRES. If a lease used to have a hostname, which is
+removed, an "old" event is generated with the new state of the lease, 
+ie no name, and the former name is provided in the environment 
+variable DNSMASQ_OLD_HOSTNAME.
+All file decriptors are
+closed except stdin, stdout and stderr which are open to /dev/null
+(except in debug mode).
+The script is not invoked concurrently: if subsequent lease 
+changes occur, the script is not invoked again until any existing 
+invokation exits. At dnsmasq startup, the script will be invoked for
+all existing leases as they are read from the lease file. Expired
+leases will be called with "del" and others with "old". <path>
+must be an absolute pathname, no PATH search occurs.
+.TP 
+.B \-9, --leasefile-ro
+Completely suppress use of the lease database file. The file will not
+be created, read, or written. Change the way the lease-change
+script (if one is provided) is called, so that the lease database may
+be maintained in external storage by the script. In addition to the
+invokations  given in 
+.B  --dhcp-script
+the lease-change script is called once, at dnsmasq startup, with the
+single argument "init". When called like this the script should write
+the saved state of the lease database, in dnsmasq leasefile format, to
+stdout and exit with zero exit code. Setting this
+option also forces the leasechange script to be called on changes
+to the client-id and lease length and expiry time.
+.TP
+.B --bridge-interface=<interface>,<alias>[,<alias>]
+Treat DHCP request packets arriving at any of the <alias> interfaces
+as if they had arrived at <interface>. This option is only available
+on FreeBSD and Dragonfly BSD, and is necessary when using "old style" bridging, since
+packets arrive at tap interfaces which don't have an IP address.
 .TP
 .B \-s, --domain=<domain>
 Specifies the domain for the DHCP server. This has two effects;
 firstly it causes the DHCP server to return the domain to any hosts
 which request it, and secondly it sets the domain which it is legal
-for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise it's name via dhcp as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set 
+for DHCP-configured hosts to claim. The intention is to constrain
+hostnames so that an untrusted host on the LAN cannot advertise 
+its name via dhcp as e.g. "microsoft.com" and capture traffic not 
+meant for it. If no domain suffix is specified, then any DHCP
+hostname with a domain part (ie with a period) will be disallowed 
+and logged. If suffix is specified, then hostnames with a domain 
+part are allowed, provided the domain part matches the suffix. In
+addition, when a suffix is set then hostnames without a domain
+part have the suffix added as an optional domain part. Eg on my network I can set 
 .B --domain=thekelleys.org.uk
 and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from 
 .B dnsmasq
@@ -552,14 +666,51 @@ both as "laptop" and "laptop.thekelleys.org.uk". If the domain is
 given as "#" then the domain is read from the first "search" directive
 in /etc/resolv.conf (or equivalent). 
 .TP
-.B \-E, --expand-hosts
-Add the domain to simple names (without a period) in /etc/hosts
-in the same way as for DHCP-derived names.
+.B --enable-tftp
+Enable the TFTP server function. This is deliberately limited to that
+needed to net-boot a client: Only reading is allowed, and only in
+binary/octet mode. The tsize and blksize extensions are supported.
 .TP
+.B --tftp-root=<directory>
+Look for files to transfer using TFTP relative to the given
+directory. When this is set, TFTP paths which include ".." are
+rejected, to stop clients getting outside the specified root.
+.TP
+.B --tftp-secure
+Enable TFTP secure mode: without this, any file which is readble by
+the dnsmasq process under normal unix access-control rules is
+available via TFTP. When the --tftp-secure flag is given, only files
+owned by the user running the dnsmasq process are accessible. If
+dnsmasq is being run as root, different rules apply: --tftp-secure
+has no effect, but only files which have the world-readable bit set
+are accessible. It is not recommended to run dnsmasq as root with TFTP
+enabled, and certainly not without specifying --tftp-root. Doing so
+can expose any world-readable file on the server to any host on the net. 
+.TP
+.B --tftp-max=<connections>
+Set the maximum number of concurrent TFTP connections allowed. This
+defaults to 50. When serving a large number of TFTP connections,
+per-process file descriptor limits may be encountered. Dnsmasq needs
+one file descriptor for each concurrent TFTP connection and one
+file descriptor per unique file (plus a few others). So serving the
+same file simultaneously to n clients will use require about n + 10 file
+descriptors, serving different files simultaneously to n clients will
+require about (2*n) + 10 descriptors.
+.TP
+.B --tftp-no-blocksize
+Stop the TFTP server from negotiating the "blocksize" option with a
+client. Some buggy clients request this option but then behave badly
+when it is granted.
+.TP  
 .B \-C, --conf-file=<file>
 Specify a different configuration file. The conf-file option is also allowed in
-configuration files, to include multiple configuration files. Only one
-level of nesting is allowed.
+configuration files, to include multiple configuration files.
+.TP
+.B \-7, --conf-dir=<directory>
+Read all the files in the given directory as configuration
+files. Files whose names end in ~ or start with . or start and end
+with # are skipped. This flag may be given on the command
+line or in a configuration file.
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
@@ -568,7 +719,9 @@ FreeBSD, the file is
 .I /usr/local/etc/dnsmasq.conf
 ) (but see the 
 .B \-C
-option.) The format of this
+and
+.B \-7
+options.) The format of this
 file consists of one option per line, exactly as the long options detailed 
 in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
 options which may only be specified once, the configuration file overrides 
@@ -697,9 +850,53 @@ on a particular network. (Setting --bootp-dynamic removes the need for
 static address mappings.) The filename
 parameter in a BOOTP request is matched against netids in
 .B  dhcp-option 
-configurations, allowing some control over the options returned to
+configurations, as is the tag "bootp", allowing some control over the options returned to
 different classes of hosts.
 
+.SH LIMITS
+The default values for resource limits in dnsmasq are generally
+conservative, and appropriate for embedded router type devices with
+slow processors and limited memory. On more capable hardware, it is
+possible to increase the limits, and handle many more clients. The
+following applies to dnsmasq-2.37: earlier versions did not scale as well.
+ 
+.PP
+Dnsmasq is capable of handling DNS and DHCP for at least a thousand
+clients. Clearly to do this the value of 
+.B --dhcp-max
+must be increased,
+and lease times should not be very short (less than one hour). The
+value of 
+.B --dns-forward-max 
+can be increased: start with it equal to
+the number of clients and increase if DNS seems slow. Note that DNS
+performance depends too on the performance of the upstream
+nameservers. The size of the DNS cache may be increased: the hard
+limit is 10000 names and the default (150) is very low. Sending
+SIGUSR1 to dnsmasq makes it log information which is useful for tuning
+the cache size. See the 
+.B NOTES
+section for details.
+
+.PP
+The built-in TFTP server is capable of many simultaneous file
+transfers: the absolute limit is related to the number of file-handles
+allowed to a process and the ability of the select() system call to
+cope with large numbers of file handles. If the limit is set too high
+using 
+.B --tftp-max
+it will be scaled down and the actual limit logged at
+start-up. Note that more transfers are possible when the same file is
+being sent than when each transfer sends a different file.
+
+.PP
+It is possible to use dnsmasq to block Web advertising by using a list
+of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
+.B /etc/hosts 
+or an additional hosts file. The list can be very long, 
+dnsmasq has been tested successfully with one million names. That size
+file needs a 1GHz processor and about 60Mb of RAM.
+
 .SH FILES
 .IR /etc/dnsmasq.conf 
 

man/es/dnsmasq.8

@@ -0,0 +1,812 @@
+.TH DNSMASQ 8
+.SH NOMBRE
+dnsmasq \- Un ligero servidor DHCP y DNS con caché.
+.SH SINOPSIS
+.B dnsmasq
+.I [OPCION]...
+.SH "DESCRIPCION"
+.BR dnsmasq
+es un ligero servidor DNS y DHCP. Su propósito es proveer servicios DNS
+y DHCP a una red de área local.
+.PP
+Dnsmasq acepta búsquedas DNS y las responde desde un pequeño
+caché local, o las reenvía hacia un servidor DNS real recursivo.
+Carga el contenido de /etc/hosts, de tal forma que nombres de
+hosts locales los cuales no aparecen en el DNS mundial puedan ser
+resueltos. También responde a búsquedas DNS para hosts configurados
+vía DHCP.
+.PP
+El servidor DHCP dnsmasq incluye soporte para assignación de direcciones
+estáticas, redes múltiples, DHCP-relay y especificadores de subredes
+RFC3011. Automáticamente envía un predeterminado sensible de opciones
+DHCP, y puede ser configurado para enviar cualquier opciones DHCP
+deseadas. Tambíen incluye soporte para BOOTP.
+.PP
+Dnsmasq 
+incluye soporte para IPv6.
+.SH OPCIONES
+Nótese que en general parámetros ausentes son permitidos y deshabilitan
+funciones, por ejemplo "--pid-file=" deshabilita la escritura de un
+archivo PID. En BSD, a menos que la librería GNU getopt esté enlazada,
+la forma larga de las opciones no funciona en la línea de comandos,
+pero todavía es reconocida en el archivo de configuración.
+.TP
+.B \-h, --no-hosts
+No leer los nombres de hosts en /etc/hosts.
+.TP
+.B \-H, --addn-hosts=<archivo>
+Archivo de hosts adicional. Leer el archivo especificado adicionalmente
+a /etc/hosts. Si se brinda -h, leer solo el archivo especificado. Esta
+opción puede ser repetida para más de un archivo de hosts adicional.
+.TP
+.B \-T, --local-ttl=<tiempo>
+Al responder con información desde /etc/hosts o desde el archivo
+de arriendos DHCP, dnsmasq fija el tiempo de vida a cero por
+predeterminado, significando que el remitente no debrá cachear
+la información por sí mismo. Esto es lo correcto a hacer en casi
+todas las situaciones. Esta opción permite que se especifique
+cierto tiempo de vida (en segundos) para estas respuestas. Esto
+reduce la carga sobre el servidor al costo de que los clientes
+usaran datos añejos bajo algunas circunstancias.
+.TP
+.B \-k, --keep-in-foreground
+No ir hacia el fondo al iniciar, pero aparte de eso correr como
+normal. La intención de esto es para cuando dnsmasq es corrido
+bajo daemontools o launchd.
+.TP
+.B \-d, --no-daemon
+Modo debug: no hacer un fork hacia el fondo, no crear un archivo PID,
+no cambiar el ID del usuario, generar un cache dump completo al
+recibir un SIGUSR1, bitacorear a stderr al igual que a syslog, no
+hacerle fork a procesos nuevos para manejar búsquedas TCP.
+.TP
+.B \-q, --log-queries
+Bitacorear los resultados de búsquedas DNS manejadas por dnsmasq.
+Habilitar un dump de caché completo al recibir un SIGUSR1.
+.TP
+.B \-8, --log-facility=<facilidad>
+Fijar la facilidad a la cual dnsmasq deberá enviar mensajes syslog,
+esto es DAEMON por predeterminado, y LOCAL0 cuando en modo debug.
+.TP
+.B \-x, --pid-file=<path>
+Especificar un path alterno donde dnsmasq debe guardar su PID.
+Normalmente es /var/run/dnsmasq.pid.
+.TP
+.B \-u, --user=<usuario>
+Especificar el userid al cual dnsmasq debe cambiarse despues de iniciar.
+Dnsmasq normalmente debe ser iniciado como root, pero soltará los
+privilegios root despues del inicio, cambiando a otro usuario.
+Normalmente este usuario es "nobody", pero eso se puede cambiar
+con esta opción.
+.TP
+.B \-g, --group=<grupo> 
+Especificar el grupo como el cual dnsmasq correrá. El predeterminado
+es "dip", si está disponible, para facilitar el acceso a
+/etc/ppp/resolv.conf el cuál normalmente no es globalmente leíble.
+.TP
+.B \-v, --version
+Mostrar el número de versión.
+.TP
+.B \-p, --port=<puerto>
+Escuchar en el puerto <puerto> en vez del puerto estándar DNS (53).
+Principalmente útil para debugging.
+.TP
+.B \-P, --edns-packet-max=<tamaño>
+Especificar el paquete UDP EDNS.0 más grande que es soportado por
+el reenviador DNS. Por predeterminado es 1280, lo cual es el
+máximo recomendado en RFC2671 para ethernet.
+.TP
+.B \-Q, --query-port=<puerto>
+Enviar búsquedas outbound desde, y escuchar por respuestas en,
+el puerto UDP <puerto> en vez de usar uno escojido a la hora
+de inicio. Esto es útil para simplificar las reglas del firewall;
+sin esto, su firewall tendría que permitir conecciones desde
+servidores DNS foráneos hacia un rango de puertos UDP, o
+adaptarse dinámicamente al puerto siendo usado por la actual
+instancia de dnsmasq.
+.TP
+.B \-i, --interface=<interface>
+Escuchar solo en las interfaces especificadas. Dnsmasq automaticamente
+agrega la interface loopback a la lista de interfaces para usar cuando
+la opción
+.B \--interface
+es usada. Si ninguna opcion
+.B \--interface
+o
+.B \--listen-address
+es brindada, dnsmasq escucha en todas las interfaces disponibles excepto
+cualquiera fijada con la opcion
+.B \--except-interface
+Interfaces IP alias (eg "eth1:0") no pueden ser utilizadas con
+.B --interface
+o
+.B --except-interface
+, usar --listen-address en vez.
+.TP
+.B \-I, --except-interface=<interface>
+No escuchar en la interface especificada. Nótese que el orden de
+las opciones
+.B \--listen-address
+.B --interface
+y
+.B --except-interface
+no importa y la opcion
+.B --except-interface
+siempre invalida a las otras.
+.TP 
+.B \-2, --no-dhcp-interface=<interface>
+No proveer DHCP en la interface especificada, pero sí
+proveer servicio DNS.
+.TP
+.B \-a, --listen-address=<dirección IP>
+Escuchar en la(s) dirección(es) IP especificada(s). Las opciones
+.B \--interface
+y
+.B \--listen-address
+ambas pueden ser brindadas, y en tal caso el juego de ambas
+direcciones IP y interfaces es usada. Nótese que si ninguna opción
+.B \--interface
+es brindada, pero sí se brinda la opción
+.B \--listen-address
+entonces dnsmasq no escuchará automáticamente en la interface
+loopback. Para obtener esto, la dirección IP 127.0.0.1 debe ser
+explícitamente dada como una opción
+.B \--listen-address
+.TP
+.B \-z, --bind-interfaces
+En sistemas que inluyen el soporte, dnsmasq acopla la dirección
+de comodín, aún cuando está escuchando solamente en algunas
+interfaces. Entonces descarta búsquedas a las cuales no debe
+responder. Esto tiene la ventaja de funcionar aún cuando
+interfaces van y vienen y cambian direcciones. Esta opción forza
+a dnsmasq a acoplarse realmente solo a las interfaces en
+las cuales está escuchando. Casi la única vez que esto es útil
+es cuando se está corriendo otro servidor DNS (o otra instancia
+de dnsmasq) en la misma máquina. Fijar esta opción tambien
+habilita multiples instancias de dnsmasq, las cuales proveen
+servicio DHCP en la misma máquina.
+.TP
+.B \-y, --localise-queries
+Retornar respuestas a búsquedas DNS desde /etc/hosts las cuales dependen
+de la interface donde entró la búsqueda. Si un nombre en /etc/hosts tiene
+mas de una dirección asociada con el, y por lo menos una de esas direcciones
+está en la misma subred de la interface donde fue enviada, entónces
+retornar solo las direcciones en esa subred. Esto permite a un servidor
+tener direcciones múltiples en /etc/hosts correspondientes a cada una de
+sus interfaces y cada host recibirá la respuesta adecuada
+dependiendo de cual red tengan adjunta. Por el momento, esta facilidad
+está limitada a IPv4.
+.TP
+.B \-b, --bogus-priv
+Búsquedas privadas reversas raras. Toda búsqueda para rangos de IP
+privados (192.168.x.x, etc.) los cuales no se encuentren en
+/etc/hosts o en el archivo de arriendos DHCP es respondida con
+"dominio no existente" en vez de ser reenviada upstream.
+.TP
+.B \-V, --alias=<IP vieja>,<IP nueva>[,<máscara>]
+Modificar direcciones IPv4 retornadas desde servidores DNS upstream;
+<IP vieja> es remplazada con <IP nueva>. Si la máscara opcional
+es brindada, entonces cualquier dirección que coincida con la
+<IP vieja> enmascarada será re-escrita. Así que, por ejemplo,
+.B --alias=1.2.3.0,6.7.8.0,255.255.255.0
+mapeará 1.2.3.56 a 6.7.8.56 y 1.2.3.67 a 6.7.8.67. Esto es lo que
+ruteadores Cisco PIX llaman "DNS doctoring".
+.TP 
+.B \-B, --bogus-nxdomain=<dirección IP>
+Transformar respuestas que contienen la dirección IP brindada en
+respuestas tipo "Dominio no existe". La intención de esto es actuar
+en contra de una movida desviada hecha por Verisign en septiembre
+del 2003, cuando comenzaron a retornar la dirección de un servidor
+de publicidad en respuesta a búsquedas por nombres no registrados,
+en vez de la correcta respuesta NXDOMAIN. Esta opción le dice a dnsmasq
+que debe forjear la respuesta correcta cuando ve este comportamiento.
+Desde septiembre 2003 la dirección IP siendo retornada por Verisign
+es 64.94.110.11
+.TP
+.B \-f, --filterwin2k
+Algunas versiones de Windows hacen búsquedas DNS periódicas las cuales no
+reciben respuestas sensibles desde el DNS público y pueden causar problemas
+activando enlaces marcación-en-demanda. Esta opción filtra dichas búsquedas.
+Las búsquedas filtradas son para registros tipo SOA y SRV, al igual que
+tipo ANY donde el nombre pedido contiene _, para atrapar búsquedas LDAP.
+.TP
+.B \-r, --resolv-file=<archivo>
+Leer las direcciones IP de servidores DNS upstream desde <archivo>,
+en vez de /etc/resolv.conf. Para el formato de este archivo, ver
+.BR resolv.conf (5)
+Las únicas líneas relevantes a dnsmasq son las de servidores DNS. A
+dnsmasq se le puede decir que revise más de un archivo resolv.conf,
+el primer archivo especificado remplaza al predeterminado, y los
+subsiguientes archivos son agregados a la lista. Esto es solo
+permitido cuando haciendo polling; el archivo con la actual fecha
+de modificación más nueva es el que es usado.
+.TP
+.B \-R, --no-resolv
+No leer /etc/resolv.conf. Obtener los servidores DNS upstream solo
+desde la línea de comandos o desde el archivo de configuración de
+dnsmasq.
+.TP
+.B \-1, --enable-dbus
+Permitir que la configuración de dnsmasq sea actualizada vía llamadas
+de método DBus. La configuración que puede ser cambiada es servidores
+DNS upstream (y dominios correspondientes) y limpieza de caché. Esta
+opción requiere que dnsmasq haya sido compilado con soporte para DBus.
+.TP 
+.B \-o, --strict-order
+Por predeterminado, dnsmasq enviará búsquedas a cualquiera de los
+servidores upstream que conoce, y trata de favorecer servidores los
+cuales sabe que están activos. Fijar esta opcion forza a dnsmasq a
+probar cada búsqueda con cada servidor estrictamente en el orden
+que aparecen en /etc/resolv.conf
+.TP
+.B \-n, --no-poll
+No revisar periodicamente a /etc/resolv.conf en busca de cambios.
+.TP
+.B \-D, --domain-needed
+Le dice a dnsmasq que no debe reenviar búsquedas para nombres sencillos,
+sin puntos o partes de dominios, a servidores upstream. Si el nombre
+no se conoce desde /etc/hosts o desde DHCP entonces una respuesta
+"no encontrado" es devuelta.
+.TP
+.B \-S, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
+Especificar la dirección IP de servidores upstream directamente. Fijar
+esta opción no suprime la lectura de /etc/resolv.conf, use -R para
+hacer eso. Si uno a más dominios opcionales son brindados, ese servidor
+es usado solo para esos dominios y las búsquedas son hechas usando
+el servidor especificado solamente. La intención de esto es para el
+uso con servidores DNS privados: si usted tiene un servidor DNS en su
+red el cual lidea con nombres de la forma
+xxx.internal.thekelleys.org.uk en 192.168.1.1 entonces brindar la
+opción
+.B -S /internal.thekelleys.org.uk/192.168.1.1
+enviará todas las búsquedas de máquinas internas a ese servidor DNS,
+todas las demás búsquedas serán enviadas a los servidores en
+/etc/resolv.conf. Una especificación de dominio en blanco
+.B //
+tiene el significado especial de "solo nombres no calificados", o
+sea nombres sin ningun punto en ellos. Un puerto no-estándar puede
+ser especificado como parte de la dirección IP usando el caracter
+#. Más de una opción -S es permitida, con partes de dominio o
+dirección IP repetidas como sea necesario.
+
+También se permite una opción -S la cual brinda un dominio pero
+ninguna dirección IP; esto le dice a dnsmasq que un dominio es local
+y puede responder a búsquedas desde /etc/hosts o DHCP pero nunca
+deberá reenviar búsquedas en ese dominio a ningún servidor upstream.
+.B local
+es un sinónimo de
+.B server
+para hacer los archivos de configuración mas claros en este caso.
+
+La segunda dirección IP opcional después del carácter @ le dice
+a dnsmasq como fijar la dirección de remitente de las búsquedas
+hacia este servidor DNS. Debe ser una dirección perteneciente a
+la máquina en la cual corre dnsmasq, o de forma contraria esta
+línea de servidor será bitacoreada y después ignorada. La opción
+query-port es ignorada para cualquier servidores que tengan una
+dirección remitente especificada, pero el puerto puede ser
+especificado directamente como parte de la dirección remitente.
+.TP
+.B \-A, --address=/<domain>/[domain/]<ipaddr>
+Especificar una dirección IP para retornar por cualquier host en
+los dominios brindados. Búsquedas en estos dominios nunca son
+reenviadas, y siempre son respondidas con la dirección IP
+especificada, la cual puede ser IPv4 o IPv6. Para brindar ambas
+direcciones IPv4 y IPv6 para un dominio, usar opciones -A repetidas.
+Nótese que /etc/hosts y arriendos DHCP invalidan esto para nombres
+individuales. Un uso común para esto es redireccionar el dominio
+doubleclick.net entero a algún servidor web local amigable para
+evitar banners de publicidad. La especificación funciona de la misma
+forma que con --server, con la facilidad adicional que /#/ coincide
+con cualquier dominio. De tal forma, --address=/#/1.2.3.4 siempre
+retornará 1.2.3.4 para cualquier búsqueda no respondida desde
+/etc/hosts o DHCP y que no haya sido enviada a un servidor DNS
+upstream por una directiva --server mas especifica.
+.TP
+.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
+Retornar un record llamado <nombre MX> apuntando hacia un nombre de
+host brindado (opcionalmente), o el host especificado en la opción
+--mx-target, o si esa opción no es brindada, el host en el cual
+dnsmasq está corriendo. El predeterminado es útil para redireccionar
+correo de sistemas en la red local hacia un servidor central. La
+opción de preferencia es opcional, y su predeterminado es 1 si no
+es brindada. Más de un record MX puede ser brindado para un host.
+.TP 
+.B \-t, --mx-target=<hostname>
+Especificar el target predeterminado para el record MX devuelto
+por dnsmasq. Ver --mx-host. Si --mx-target es brindado, pero no
+--mx-host, entonces dnsmasq devuelve un record MX conteniendo
+el target MX para búsquedas MX en el hostname de la máquina donde
+dnsmasq está corriendo.
+.TP
+.B \-e, --selfmx
+Retornar un record MX apuntándose a sí mismo para cada máquina local.
+Máquinas locales son aquellas en /etc/hosts o con arriendos DHCP.
+.TP 
+.B \-L, --localmx
+Retornar un record MX apuntando al host brindado por mx-target (o
+la máquina donde dnsmasq está corriendo) para cada máquina local.
+Máquinas locales son aquellas en /etc/hosts o con arriendos DHCP.
+.TP
+.B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
+Retornar un record SRV DNS. Ver RFC2782 para detalles. Si no es
+brindada, el dominio se predetermina a el brindado por
+.B --domain.
+El predeterminado para el dominio target está vacío, y el predeterminado
+para puerto es uno y los predeterminados para peso y prioridad son cero.
+Tener cuidado al transponer data desde archivos de zona BIND: los
+números de puerto, peso, y prioridad están en un orden diferente. Más
+de un record SRV para un servicio/dominio es permitido, todos los que
+coincidan son retornados.
+.TP
+.B \-Y, --txt-record=<name>[[,<text>],<text>]
+Retornar un récord DNS TXT. El valor del récord TXT es una serie de
+strings, así que cualquier número puede ser incluido, dividido por
+comas.
+.TP
+.B \-c, --cache-size=<cachesize>
+Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
+Fijar el tamaño a cero deshabilita el caché.
+.TP
+.B \-N, --no-negcache
+Deshabilitar caché negativo. El caché negativo le permite a dnsmasq
+recordar resultados tipo "dominio no existe" desde servidores DNS
+upstream y responder búsquedas idénticas sin reenviarlas nuevamente.
+Esta opción deshabilita el caché negativo.
+.TP
+.B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
+Habilitar el servidor DHCP. Direcciones serán distribuidas desde el
+rango <start-addr> hasta <end-addr> y desde direcciones definidas
+estáticamente en opciones
+.B dhcp-host
+Si el tiempo de arriendo es brindado, entonces arriendos serán
+dados por esa cantidad de tiempo. El tiempo de arriendo es en
+segundos, o minutos (ej. 45m), o horas (ej. 1h), o el literal
+"infinite". Esta opción puede ser repetida, con diferentes
+direcciones para habilitar servicio DHCP en más de una red. Para
+redes conectadas diréctamente (en otras palabras, redes en las
+cuales la máquina corriendo dnsmasq tiene una interface) la
+máscara de subred es opcional. Es requerida para redes que
+reciben servicio DHCP vía un agente de relay. La dirección de
+broadcast siempre es opcional. En algunos sistemas rotos, dnsmasq
+solo puede escuchar en una interface cuando se usa DHCP, y el
+nombre de esa interface debe ser brindado usando la opcion
+.B interface
+Esta limitación actualmente afecta a OpenBSD. Siempre se permite
+tener más de un rango dhcp (dhcp-range) en una subred. El
+parametro opcional network-id es una etiqueta alfanumerica la
+cual marca esta red de tal forma que opciones dhcp puedan ser
+especificadas en base a cada red.
+Cuando es prefijada con 'net:' entonces el significado cambia
+de "fijar etiqueta" a "coincidir con etiqueta".
+La dirección final puede ser remplazada por la palabra
+.B static
+la cual le dice a dnsmasq que debe habilitar DHCP para la red
+especificada, pero no alocar dinámicamente direcciones IP.
+Solo hosts que tienen direcciones estáticas brindadas vía
+.B dhcp-host
+o desde /etc/ethers serán servidas.
+.TP
+.B \-G, --dhcp-host=[[<hwaddr>]|[id:[<client_id>][*]]][net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+Especificar parámetros por host para el servidor DHCP. Esto permite
+que una máquina con una dirección de hardware particular sea siempre
+alocada el mismo nombre de host, dirección IP, y tiempo de arriendo.
+Un nombre de host especificado de esta manera toma presedencia
+sobre cualquiera suministrado por el cliente DHCP en la máquina.
+También se permite omitir la direccion de hardware y incluir el
+nombre host; en tal caso la dirección IP y los tiempos de arriendo
+serán aplicables a cualquier máquina que reclame ese nombre.
+Por ejemplo:
+.B --dhcp-host=00:20:e0:3b:13:af,wap,infinite
+le dice a dnsmasq que debe darle a la máquina con dirección
+ethernet 00:20:e0:3b:13:af el nombre wap, y un arriendo DHCP infinito.
+.B --dhcp-host=lap,192.168.0.199
+le dice a dnsmasq que siempre debe alocarle a la maquina lap
+la dirección IP 192.168.0.199. Direcciones alocadas de esta manera
+no tienen que estar dentro del rango dado con la opción --dhcp-range,
+pero deben estar en la red siendo servida por el servidor DHCP. Se
+permite usar identificadores de clientes en vez de direcciones de
+hardware para identificar hosts prefijando 'id:'. O sea que:
+.B --dhcp-host=id:01:02:03:04,.....
+se refiere al host con identificador de cliente 01:02:03:04.
+También se permite especificar el ID de cliente como texto, así:
+.B --dhcp-host=id:clientidastext,.....
+La opción especial id:* significa "ignorar cualquier ID de cliente
+y usar solamente direcciones MAC." Esto es útil cuando un cliente
+presenta un ID de cliente algunas veces pero otras no.
+Si un nombre aparece en /etc/hosts, la dirección asociada puede
+ser alocada a un arriendo DHCP, pero solo si existe una opción
+.B --dhcp-host
+la cual especifica el nombre también. La palabra clave "ignore"
+le dice a dnsmasq que no debe ofrecer jamás un arriendo DHCP a
+una máquina. La máquina puede ser especificada por dirección de
+hardware, ID de cliente, o nombre de host, por ejemplo:
+.B --dhcp-host=00:20:e0:3b:13:af,ignore
+Esto es útil cuando hay otro servidor DHCP en la red para ser
+usado por algúnas máquinas. net:<network-id> fija la etiqueta
+network-id cuando sea que esta directiva dhcp-host está en uso.
+Esto puede ser usado para enviar selectivamente opciones DHCP
+a este host.
+Direcciones ethernet (pero no client-ids) pueden tener bytes
+comodínes, así que por ejemplo
+.B --dhcp-host=00:20:e0:3b:13:*,ignore
+causará que dnsmasq ignore un rango de direcciones ethernet. Nótese
+que el "*" necesitará ser escapado o escrito entre comillas en la
+línea de comandos, pero no en el archivo de configuración.
+Direcciones de hardware normalmente coinciden con cualquier
+tipo de red (ARP), pero es posible restringirlas a un tipo ARP
+singular precediendolo con el tipo ARP (en HEX) y "-". Así que
+.B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4
+solo coincidaría una dirección de hardware Token-Ring, dado que
+el tipo ARP para Token-Ring es 6.
+.TP 
+.B \-Z, --read-ethers
+Leer /etc/ethers en busca de información sobre hosts para el servidor
+DHCP. El formato de /etc/ethers es una dirección de hardware, seguida
+por ya sea un nombre de host o una dirección IP. Al ser leidas por
+dnsmasq, estas líneas tienen exáctamente el mismo efecto que opciones
+.B --dhcp-host
+que contienen la misma información.
+.TP
+.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:<vendor-class>]<opt>,[<value>[,<value>]]
+Especificar opciones diferentes o extra a clientes DHCP. Por
+predeterminado, dnsmasq envía algunas opciones estándar a clientes
+DHCP. La máscara de subred y dirección broadcast son fijadas igual
+a las del host que corre dnsmasq, y el servidor DNS y ruteador
+a la dirección de la máquina que corre dnsmasq. Si la opción de
+nombre de dominio ha sido fijada, es enviada. Esta opción permite
+que esos predeterminados sean sobrescritos, o que sean especificadas
+otras opciones. <opt> es el numero de la opción, como especificado
+en RFC2132. Por ejemplo, para fijar a ruta predeterminada a
+192.168.4.4, hágase un
+.B --dhcp-option=3,192.168.4.4
+y para fijar la dirección de servidor de tiempo a 192.168.0.4,
+hágase un
+.B --dhcp-option=42,192.168.0.4
+La dirección especial 0.0.0.0 es entendida que significa "la
+dirección de la máquina que corre dnsmasq". Tipos de data permitidos
+son direcciones IP de cuatro puntos, un número decimal, dígitos hex
+separados por colones, y un string de texto. Si las network-ids
+opcionales son brindadas, entonces esta opcion es solo enviada cuando
+todas las network-ids coinciden.
+
+Tener cuidado: niguna verificación es hecha sobre si el número de tipo
+correcto es enviado, y es muy posible persuadir a dnsmasq para que
+genere paquetes DHCP ilegales mediante uso inadecuado de esta opción.
+Cuando el valor es un número decimal, dnsmasq debe determinar qué tan
+grande es el objeto de data. Esto es hecho mediante una examinación del
+número de opción, y/o el valor, pero puede ser invalidado agregándole
+una opción de una sola letra de esta forma: b = un byte, s = dos bytes,
+i = cuatro bytes. Esto es principalmente útil con opciones encapsuladas
+tipo vendedor (ver abajo) donde dnsmasq no puede determinar el tamaño
+de data usando el número de opción. Data de opción la cual consiste
+solo de puntos y dígitos será interpretada por dnsmasq como una
+dirección IP, y será insertada dentro de una opción de esa manera.
+Para forzar un string literal, usar comillas. Por ejemplo, cuando se
+usa la opción 66 para enviar una IP literal como un nombre de servidor
+TFTP, es necesario hacer:
+.B --dhcp-option=66,"1.2.3.4"
+Opciones encapsuladas vendor-class también pueden ser especificadas
+usando
+--dhcp-option: por ejemplo
+.B --dhcp-option=vendor:PXEClient,1,0.0.0.0
+envía la clase de vendedor "PXEClient" y la clase encapsulada de vendedor
+especifica "mftp-address=0.0.0.0". Solo se permite una clase para cualquier
+host, pero opciones múltiples son permitidas, con tal que tengan la misma
+clase de vendedor. La dirección 0.0.0.0 no es tratada de forma especial
+en opciones de clase encapsuladas.
+.TP
+.B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
+Mapear desde un string vendor-class a un network id. La mayoría de los
+clientes DHCP proveen una "vendor class" la cual representa, en cierto
+sentido, el tipo de host. Esta opción mapea clases de vendedor a network
+ids, de tal forma que opciones DHCP pueden ser selectivamente entregadas
+a diferentes clases de hosts. Por ejemplo
+.B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
+peritiría que opciones sean fijadas solo para impresoras HP así:
+.B --dhcp-option=printers,3,192.168.4.4 
+El string vendor-class es coordinado con el vendor-class proveido por
+el cliente, para permitir coincidencias borrosas.
+.TP
+.B \-j, --dhcp-userclass=<network-id>,<user-class>
+Mapear desde un string user-class a un network id (con coordinación
+substring, como con vendor-class). La mayoría de los clientes DHCP
+proveen un "user class" el cual es configurable. Esta opción mapea
+clases user a network ids, de tal manera que opciones DHCP puedan
+ser selectivamente enviadas a diferentes tipos de hosts. Es posible,
+por ejemplo, usar esto para especificar una impresora diferente para
+hosts en la clase "accounts" que para los de la clase "engineering".
+.TP
+.B \-4, --dhcp-mac=<network-id>,<MAC address>
+Mapear desde una dirección MAC a una network id. La dirección MAC
+puede incluir comodínes. Por ejemplo:
+.B --dhcp-mac=3com,01:34:23:*:*:*
+fijaría el tag "3com" a cualquier host el cual su MAC coincida con
+el patrón.
+.TP
+.B \-J, --dhcp-ignore=<network-id>[,<network-id>]
+Cuando todos los network ids brindados coincidan con el juego de
+network ids derivados de las clases net, host, y vendor, ignorar
+el host y no brindarle un arriendo DHCP.
+.TP
+.B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
+Fijar opciones BOOTP que han de ser devueltas por el servidor DHCP.
+Estas se necesitan para máquinas que bootean desde la red, y decirle
+a la máquina donde conseguir su configuración inicial. Si las network
+id opcionales son brindadas, deben coincidir con esta opción para ser
+enviadas. Nótese que network ids son prefijadas con "net:" para
+distinguirlas.
+.TP  
+.B \-X, --dhcp-lease-max=<number>
+Limita a dnsmasq a el número especificado de arriendos DHCP. El
+predeterminado es 150. El limite es para prevenir ataques DoS desde
+hosts que crean cientos de arriendos y usan mucha de la memoria del
+proceso dnsmasq.
+.TP
+.B \-K, --dhcp-authoritative
+Esta opción debe ser fijada cuando dnsmasq es definitivamente el único
+servidor DHCP en la red. Cambia el comportamiento de RFC de tal manera
+que pedidos desde hosts no conocidos no serán ignorados. Esto permite que
+hosts nuevos puedan conseguir un arriendo sin sin un timeout bajo toda
+circunstancia. También permite que dnsmasq reconstruya su base de datos
+de arriendos sin que cada cliente requiera un arriendo, si la base de datos
+es perdida.
+.TP
+.B \-3, --bootp-dynamic
+Habilitar alocación dinámica de direcciones IP a clientes BOOTP. Usar
+esto con cuidado, ya que cada cirección alocada a un cliente BOOTP
+es arrendada para siempre, y consecuentemente queda no-disponible
+para uso por otros hosts.
+.TP
+.B \-5, --no-ping
+Por predetermindado, el servidor DHCP tratará de asegurarse que una
+dirección no esté en uso antes de alocarsela a un host. Hace esto
+enviando un echo ICMP (ping) a la dirección referente. Si recibe una
+respuesta, entonces la dirección debe estar siendo usada, y se repite
+la prueba con otra. Esta opcion deshabilita esta prueba. Usar con
+cuidado.
+.TP
+.B \-l, --dhcp-leasefile=<path>
+Usar el archivo especificado para almacenar informacion de arriendos
+DHCP. Si esta opcion es brindada, pero ninguna opcion dhcp-range es
+brindada, entonces se activa comportamiento tipo dnsmasq versión 1.
+El archivo brindado se asume es un archivo de arriendos dhcpd ISC y
+es analizado en busca de arriendos los cuales son agregados al sistema
+DNS si tienen un nombre de host. Esta funcionalidad pudo haber sido
+excluida de dnsmasq a la hora de compilación, y en tal caso ocurrirá
+un error. En todo caso, nótese que la integración de archivos de
+arriendo ISC es una caracterísctica depreciada. No debería ser usada
+en instalaciones nuevas, y será eliminada en versiones futuras.
+.TP
+.B \-6 --dhcp-script=<path>
+Cuando sea que un arriendo DHCP nuevo es creado, o uno viejo es
+destruido, el binario especificado por esta opción es ejecutado.
+Los argumentos para el binario son "add", "old", o "del", la dirección
+MAC del host (o "<null>"), la dirección IP, y el hostname, si es
+conocido. "add" significa que un arriendo ha sido creado, "del" que
+ha sido destruido, y "old" es una notificación de un arriendo existente
+cuando dnsmasq inicia o un cambio a una MAC o nombre host de un arriendo
+existente. Este proceso es ejecutado como el usuario sin privilegios
+como corre dnsmasq, así que puede ser necesario inhibir el dejar el
+usuario root, usando la directiva
+.B -u
+si el ejecutable necesita privilegios root.
+El ambiente es heredado del usuario que ha invocado a dnsmasq, y todos
+los descriptores están cerrados excepto stdin, stdout y stderr los cuales
+están abiertos a /dev/null (excepto en modo debug).
+Este guión no es invocado concurrentemente: si cambios de arriendos
+subsiguientes ocurren, el guión no es invocado otra vez hasta que
+cualquier invocación existennte haga exit. Al inicio de dnsmasq, el guión
+será invocado para todos los arriendos existenetes mientras van siendo
+leidos desde el archivo de arriendos. Arriendos vencidos serán llamados
+con "del" y otros con "old". <path> debe ser un path absoluto, ninguna
+búsqueda PATH ocurre.
+.TP
+.B \-s, --domain=<domain>
+Especifica el dominio para el servidor DHCP. Esto tiene dos efectos:
+Primeramente, causa que el servidor DHCP le devuelva el dominio a
+cualquier host que lo pida. Segundamente, fija el dominio para el cual
+es legal para hosts configurados mediante DHCP reclamar. La intención es
+restringir nombres de host para que un host no-confiado en la LAN no
+pueda proclamar su nombre vía DHCP, como por ejemplo "microsoft.com" y
+capturar tráfico no destinado a ella. Si ningún sufijo de dominio es
+especificado, entonces cualquier nombre de host con una parte de dominio
+(o sea con un punto) será negada y logeada. Si un sufijo es especificado,
+entonces nombres de host con una parte de dominio son permitidos, con tal
+que la parte de dominio coincida con el sufijo. Adicionalmente, cuando
+un sufijo es fijado, entonces nombres de host sin parte de dominio tienen
+el sufijo agregado como una parte de dominio opcional. Por ejemplo, en
+mi red puedo fijar
+.B --domain=thekelleys.org.uk
+y tener una maquina cuyo nombre host DHCP es "laptop". La dirección IP
+de esa máquina es disponible desde
+.B dnsmasq
+como "laptop" y "laptop.thekelleys.org.uk". Si el dominio es brindado
+como "#" entonces el dominio es leido desde la primera directiva de
+búsqueda en /etc/resolv.conf (o equivalente).
+.TP
+.B \-E, --expand-hosts
+Agregar el dominio a nombres simples (sin un punto) en /etc/hosts de
+la misma manera que con nombres derivados de DHCP.
+.TP
+.B \-C, --conf-file=<archivo>
+Especificar un archivo de configuración diferente. La opción conf-file
+también es permitida en archivos de configuración, para incluir múltiples
+archivos de configuración.
+.TP
+.B \-7, --conf-dir=<directorio>
+Leer todos los archivos dentro del directorio brindado como archivos
+de configuración. Archivos cuyos nombres terminen con ~ o comienzen
+con . o comienzen y terminen con # son ignorados. Esta opción puede
+ser brindada en la línea de comandos o en un archivo de configuración.
+.SH ARCHIVO DE CONFIGURACION
+Al inicio, dnsmasq lee
+.I /etc/dnsmasq.conf,
+si existe. (En FreeBSD, el archivo es
+.I /usr/local/etc/dnsmasq.conf
+) (ver las opciónes
+.B \-C
+y
+.B \-7
+porfavor.) El formato de este archivo consiste de una opción por línea,
+exáctamente como las opciones largas detalladas en la sección OPCIONES
+pero sin el "--" al frente. Líneas que comienzan con # son comentarios
+y son ignoradas. Para opciones que solo pueden ser especificadas una
+sola vez, la línea de comandos invalida el archivo de configuración.
+La comillas son permitidas en el archivo de configuración: entre comillas
+tipo " los significados especiales de ,:. y # son eliminados y los
+siguientes escapes son permitidos: \\\\ \\" \\t \\a \\b \\r y \\n. El
+último corresponde a tab, bell, backspace, return y newline.
+.SH NOTAS
+Al recibir un SIGHUP
+.B dnsmasq 
+libera su cache y entonces recarga
+.I /etc/hosts.
+Si
+.B
+--no-poll
+está fijado entnces SIGHUP también re-lee
+.I /etc/resolv.conf.
+SIGHUP
+NO re-lee el archivo de configuración.
+.PP
+Al recibir un SIGUSR1,
+.B dnsmasq 
+escribe estadisticas de caché al log del sistema. Escribe el tamaño
+del caché, el numero de nombres que han tenido que ser removidos del
+caché antes de que vencieran para hacer espacio para nombres nuevos
+y el número total de nombres que han sido insertados en el caché. En
+modo
+.B --no-daemon
+o cuando logeo completo está habilitado (-q), una descarga completa de
+el contenido del caché es hecha.
+.PP
+Dnsmasq es un reenviador de búsquedas DNS: no puede responder búsquedas
+arbitrarias comenzando desde los servidores root pero reenvía dichas
+búsquedas a un servidor DNS recursivo, el cual es típicamente proveído
+por el proveedor de Internet. Por predeterminado, dnsmasq lee
+.I /etc/resolv.conf
+para descubir las direcciones IP de los servidores DNS upstream que
+debe usar, dado a que esta información es normalmente almacenada allí.
+Amenos que
+.B --no-poll
+sea usado,
+.B dnsmasq
+revisa el tiempo de modificación de
+.I /etc/resolv.conf
+(o equivalente si
+.B \--resolv-file 
+es usado)  y lo re-lee si ha cambiado. Esto permite que servidores DNS séan
+fijados dinámicamente vía PPP o DHCP ya que ambos protocolos brindan esta
+información.
+La ausencia de
+.I /etc/resolv.conf
+no es un error ya que pudo haber sido creada antes de que una conexión PPP
+haya existido. Dnsmasq simplemente sigue revisando en caso de que
+.I /etc/resolv.conf 
+sea creado en algún momento. A dnsmasq se le puede decir que revise más
+de un archivo resolv.conf. Esto es útil en una laptp, donde ambos PPP y
+DHCP podrían estar siendo usados: dnsmasq puede ser fijado para revisar
+ambos:
+.I /etc/ppp/resolv.conf 
+y
+.I /etc/dhcpc/resolv.conf 
+y usará el contenido de cualquiera que haya cambiado mas recientemente,
+brindando así la habilidad de cambio automático entre servidores DNS.
+.PP
+Servidores upstream también pueden ser especificados en la línea de
+comandos o en el archivo de configuración. Estas especificaciones de
+servidor ocpionalmente llevan un nombre de dominio el cual le dice a
+dnsmasq que debe usar ese servidor solo para encontrar nombres en ese
+dominio en particular.
+.PP
+Para configurar dnsmasq para que actúe como caché para el host donde está
+corriendo, poner un "nameserver 127.0.0.1" en
+.I /etc/resolv.conf
+para así forzar procesos locales a enviar búsquedas a dnsmasq. Entonces
+o espesificar los servidores upstream diréctamente a dnsmasq usando
+opciones
+.B \--server
+o poniendo sus direcciones reales en otro archivo, digamos
+.I /etc/resolv.dnsmasq
+y correr dnsmasq con la opcion
+.B \-r /etc/resolv.dnsmasq
+Esta segunda técnica permite la actualización dinámica de las direcciones
+de servidores mediante PPP o DHCP.
+.PP
+Direcciones en /etc/hosts harán "sombra" a diferentes direcciones para
+los mismos nombres en servidores DNS upstream, así que
+"miempresa.com 1.2.3.4" en /etc/hosts se asegurará que las búsquedas
+por "miempresa.com" siempre retornarán 1.2.3.4 aún si búsquedas en el
+servidor DNS upstream devolverían una dirección diferente. Hay una
+excepción a esto: si el servidor DNS upstream contiene un CNAME que
+apunta a un nombre sombreado, entonces buscando el CNAME a travéz de
+dnsmasq resultará en que la dirección no-sombreada será asociada con
+el destino del CNAME. Para circumventar esto, agregar en CNAME a
+/etc/hosts de tal manera que el CNAME es sombreado también.
+.PP
+El sistema network-id funciona de la siguiente manera: Para cada pedido
+DHCP, dnsmasq colecciona un juego de etiquetas network-id válidas,
+una del
+.B dhcp-range
+usado para alocar la dirección, una de cualquier
+.B dhcp-host
+que coincida, y posiblemente muchas de clases de vendedor y usuario
+que coinicdan que hayan sido enviadas por el cliente DHCP.
+Cualquier opcion
+.B dhcp-option 
+que tenga etiquetas network-id será usada en preferencia de una opción
+.B dhcp-option,
+sin etiqueta, con tal que _todas_ las etiquetas coincidan en alguna
+parte del juego coleccionado describido arriba. El prefijo "#" en una
+etiqueta significa "no" así que --dhcp=option=#purple,3,1.2.3.4 envía
+la opción cuando la etiqueta network-id "purple" no está en el juego
+de etiquetas válidas.
+.PP
+Si el network-id en un
+.B dhcp-range 
+es prefijado con "net:", entonces su significado cambia de "fijar
+etiqueta" a "coincidir con etiqueta". O sea que si hay más de un
+dhcp-range en enu subred, y una tiene una etiqueta network-id la
+cual está fijada (por ejemplo una opcion de clase de vendedor) entonces
+hosts que fijen la etiqueta network-id serán alocados direcciones en
+el rango etiquetado.
+.PP 
+El servidor DHCP de dnsmasq funcionará como servidor BOOTP tambien,
+con tal que las direcciones MAC y IP de los clientes sean brindadas,
+ya sea usando configuraciones
+.B dhcp-host 
+o en
+.I /etc/ethers
+, y una configuración
+.B dhcp-range 
+esté presente para activar el servidor DHCP en una red particular.
+(Fijar --bootp-dynamic elimina la necesidad de mapeos estáticos.) El
+Parámetro de nombre de archivos en un pedido BOOTP es revisado para
+ver si coincide con algún network-id en configuraciónes
+.B  dhcp-option 
+permitiendo algún control sobre las opciones devueltas a diferentes
+clases de hosts.
+.SH ARCHIVOS
+.IR /etc/dnsmasq.conf 
+
+.IR /usr/local/etc/dnsmasq.conf
+
+.IR /etc/resolv.conf
+
+.IR /etc/hosts
+
+.IR /etc/ethers
+
+.IR /var/lib/misc/dnsmasq.leases 
+
+.IR /var/db/dnsmasq.leases
+
+.IR /var/run/dnsmasq.pid
+.SH VER TAMBIEN
+.BR hosts (5), 
+.BR resolver (5)
+.SH AUTOR
+Este manual fue escrito por Simon Kelley <simon@thekelleys.org.uk>.
+
+Traducido a español por Christopher Chatham <chrislinux@gmail.com>.

rpm/dnsmasq.rh

@@ -1,93 +0,0 @@
-#!/bin/sh
-#
-# Startup script for the DNS caching server
-#
-# chkconfig: 2345 99 01
-# description: This script starts your DNS caching server
-# processname: dnsmasq
-# pidfile: /var/run/dnsmasq.pid
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-# Source networking configuration.
-. /etc/sysconfig/network
-
-# Check that networking is up.
-[ ${NETWORKING} = "no" ] && exit 0
-
-dnsmasq=/usr/sbin/dnsmasq
-[ -f $dnsmasq ] || exit 0
-
-# change this line if you want dnsmasq to serve an MX record for 
-# the host it is running on. 
-MAILHOSTNAME=""
-# change this line if you want dns to get its upstream servers from
-# somewhere other that /etc/resolv.conf 
-RESOLV_CONF=""
-# change this if you want dnsmasq to cache any "hostname" or "client-hostname" from
-# a dhcpd's lease file
-DHCP_LEASE="/var/lib/dhcp/dhcpd.leases"
-DOMAIN_SUFFIX=`dnsdomainname`
-
-OPTIONS=""
-
-if [ ! -z "${MAILHOSTNAME}" ]; then
-  OPTIONS="$OPTIONS -m $MAILHOSTNAME"
-fi
-
-if [ ! -z "${RESOLV_CONF}" ]; then
-  OPTIONS="$OPTIONS -r $RESOLV_CONF"
-fi
-
-if [ ! -z "${DHCP_LEASE}" ]; then
-  OPTIONS="$OPTIONS -l $DHCP_LEASE"
-fi
-
-if [ ! -z "${DOMAIN_SUFFIX}" ]; then
-  OPTIONS="$OPTIONS -s $DOMAIN_SUFFIX"
-fi
-
-RETVAL=0
-
-# See how we were called.
-case "$1" in
-  start)
-        echo -n "Starting dnsmasq: "
-        daemon $dnsmasq $OPTIONS
-	RETVAL=$?
-        echo
-        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dnsmasq
-        ;;
-  stop)
-        if test "x`pidof dnsmasq`" != x; then
-            echo -n "Shutting down dnsmasq: "
-            killproc dnsmasq
-        fi
-	RETVAL=$?
-        echo
-        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/dnsmasq /var/run/dnsmasq.pid
-        ;;
-  status)
-	status dnsmasq
-	RETVAL=$?
-	;;
-  restart|reload)
-	$0 stop
-	$0 start
-	RETVAL=$?
-	;;
-  condrestart)
-	    if test "x`/sbin/pidof dnsmasq`" != x; then
-		$0 stop
-		$0 start
-		RETVAL=$?
-	    fi
-	    ;;
-  *)
-        echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
-        exit 1
-esac
-
-exit $RETVAL
-

src/bpf.c

@@ -26,17 +26,6 @@ static struct iovec ifreq = {
   .iov_len = 0
 };
 
-struct header {
-  struct ether_header ether; 
-  struct ip ip;
-  struct udphdr {
-    u16 uh_sport;               /* source port */
-    u16 uh_dport;               /* destination port */
-    u16 uh_ulen;                /* udp length */
-    u16 uh_sum;                 /* udp checksum */
-  } udp;
-};
-
 void init_bpf(struct daemon *daemon)
 {
   int i = 0;
@@ -48,7 +37,12 @@ void init_bpf(struct daemon *daemon)
 	{
 	  sprintf(ifreq.iov_base, "/dev/bpf%d", i++);
 	  if ((daemon->dhcp_raw_fd = open(ifreq.iov_base, O_RDWR, 0)) != -1)
-	    return;
+	    {
+	      int flags = fcntl(daemon->dhcp_raw_fd, F_GETFD);
+	      if (flags != -1)
+		fcntl(daemon->dhcp_raw_fd, F_SETFD, flags | FD_CLOEXEC); 
+	      return;
+	    }
 	}
       if (errno != EBUSY)
 	die(_("cannot create DHCP BPF socket: %s"), NULL);
@@ -64,9 +58,17 @@ void send_via_bpf(struct daemon *daemon, struct dhcp_packet *mess, size_t len,
       Build the packet by steam, and send directly, bypassing
       the kernel IP stack */
   
-  struct header header;
+  struct ether_header ether; 
+  struct ip ip;
+  struct udphdr {
+    u16 uh_sport;               /* source port */
+    u16 uh_dport;               /* destination port */
+    u16 uh_ulen;                /* udp length */
+    u16 uh_sum;                 /* udp checksum */
+  } udp;
+  
   u32 i, sum;
-  struct iovec iov[2];
+  struct iovec iov[4];
 
   /* Only know how to do ethernet on *BSD */
   if (mess->htype != ARPHRD_ETHER || mess->hlen != ETHER_ADDR_LEN)
@@ -80,96 +82,103 @@ void send_via_bpf(struct daemon *daemon, struct dhcp_packet *mess, size_t len,
   if (ioctl(daemon->dhcpfd, SIOCGIFADDR, ifr) < 0)
     return;
   
-  memcpy(header.ether.ether_shost, LLADDR((struct sockaddr_dl *)&ifr->ifr_addr), ETHER_ADDR_LEN);
-  header.ether.ether_type = htons(ETHERTYPE_IP);
+  memcpy(ether.ether_shost, LLADDR((struct sockaddr_dl *)&ifr->ifr_addr), ETHER_ADDR_LEN);
+  ether.ether_type = htons(ETHERTYPE_IP);
   
   if (ntohs(mess->flags) & 0x8000)
     {
-      memset(header.ether.ether_dhost, 255,  ETHER_ADDR_LEN);
-      header.ip.ip_dst.s_addr = INADDR_BROADCAST;
+      memset(ether.ether_dhost, 255,  ETHER_ADDR_LEN);
+      ip.ip_dst.s_addr = INADDR_BROADCAST;
     }
   else
     {
-      memcpy(header.ether.ether_dhost, mess->chaddr, ETHER_ADDR_LEN); 
-      header.ip.ip_dst.s_addr = mess->yiaddr.s_addr;
+      memcpy(ether.ether_dhost, mess->chaddr, ETHER_ADDR_LEN); 
+      ip.ip_dst.s_addr = mess->yiaddr.s_addr;
     }
   
-  header.ip.ip_p = IPPROTO_UDP;
-  header.ip.ip_src.s_addr = iface_addr.s_addr;
-  header.ip.ip_len = htons(sizeof(struct ip) + 
-			   sizeof(struct udphdr) +
-			   len) ;
-  header.ip.ip_hl = sizeof(struct ip) / 4;
-  header.ip.ip_v = IPVERSION;
-  header.ip.ip_tos = 0;
-  header.ip.ip_id = htons(0);
-  header.ip.ip_off = htons(0x4000); /* don't fragment */
-  header.ip.ip_ttl = IPDEFTTL;
-  header.ip.ip_sum = 0;
+  ip.ip_p = IPPROTO_UDP;
+  ip.ip_src.s_addr = iface_addr.s_addr;
+  ip.ip_len = htons(sizeof(struct ip) + 
+		    sizeof(struct udphdr) +
+		    len) ;
+  ip.ip_hl = sizeof(struct ip) / 4;
+  ip.ip_v = IPVERSION;
+  ip.ip_tos = 0;
+  ip.ip_id = htons(0);
+  ip.ip_off = htons(0x4000); /* don't fragment */
+  ip.ip_ttl = IPDEFTTL;
+  ip.ip_sum = 0;
   for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
-    sum += ((u16 *)&header.ip)[i];
+    sum += ((u16 *)&ip)[i];
   while (sum>>16)
     sum = (sum & 0xffff) + (sum >> 16);  
-  header.ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
+  ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
   
-  header.udp.uh_sport = htons(DHCP_SERVER_PORT);
-  header.udp.uh_dport = htons(DHCP_CLIENT_PORT);
+  udp.uh_sport = htons(DHCP_SERVER_PORT);
+  udp.uh_dport = htons(DHCP_CLIENT_PORT);
   if (len & 1)
     ((char *)mess)[len] = 0; /* for checksum, in case length is odd. */
-  header.udp.uh_sum = 0;
-  header.udp.uh_ulen = sum = htons(sizeof(struct udphdr) + len);
+  udp.uh_sum = 0;
+  udp.uh_ulen = sum = htons(sizeof(struct udphdr) + len);
   sum += htons(IPPROTO_UDP);
   for (i = 0; i < 4; i++)
-    sum += ((u16 *)&header.ip.ip_src)[i];
+    sum += ((u16 *)&ip.ip_src)[i];
   for (i = 0; i < sizeof(struct udphdr)/2; i++)
-    sum += ((u16 *)&header.udp)[i];
+    sum += ((u16 *)&udp)[i];
   for (i = 0; i < (len + 1) / 2; i++)
     sum += ((u16 *)mess)[i];
   while (sum>>16)
     sum = (sum & 0xffff) + (sum >> 16);
-  header.udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
+  udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
   
   ioctl(daemon->dhcp_raw_fd, BIOCSETIF, ifr);
   
-  iov[0].iov_base = &header;
-  iov[0].iov_len = sizeof(struct header);
-  iov[1].iov_base = mess;
-  iov[1].iov_len = len;
-  while (writev(daemon->dhcp_raw_fd, iov, 2) == -1 && retry_send());
+  iov[0].iov_base = &ether;
+  iov[0].iov_len = sizeof(ether);
+  iov[1].iov_base = &ip;
+  iov[1].iov_len = sizeof(ip);
+  iov[2].iov_base = &udp;
+  iov[2].iov_len = sizeof(udp);
+  iov[3].iov_base = mess;
+  iov[3].iov_len = len;
+
+  while (writev(daemon->dhcp_raw_fd, iov, 4) == -1 && retry_send());
 }
 
 int iface_enumerate(struct daemon *daemon, void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 {
   char *ptr;
-  struct ifreq *ifr, ifaux;
+  struct ifreq *ifr;
   struct ifconf ifc;
   int fd, errsav, ret = 0;
   int lastlen = 0;
-  size_t len;
+  size_t len = 0;
   
   if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
     return 0;
-        
-  for (len = 0; ; len += 10*sizeof(struct ifreq))
+  
+  while(1)
     {
-       if (!expand_buf(&ifconf, len))
-	 goto err;
-
-       ifc.ifc_len = len;
-       ifc.ifc_buf = ifconf.iov_base;
-
-       if (ioctl(fd, SIOCGIFCONF, &ifc) == -1)
-	 {
-	   if (errno != EINVAL || lastlen != 0)
-	     goto err;
-	 }
-       else
-	 {
-	   if (ifc.ifc_len == lastlen)
-	     break; /* got a big enough buffer now */
-	   lastlen = ifc.ifc_len;
-	 }
-     }
+      len += 10*sizeof(struct ifreq);
+      
+      if (!expand_buf(&ifconf, len))
+	goto err;
+      
+      ifc.ifc_len = len;
+      ifc.ifc_buf = ifconf.iov_base;
+      
+      if (ioctl(fd, SIOCGIFCONF, &ifc) == -1)
+	{
+	  if (errno != EINVAL || lastlen != 0)
+	    goto err;
+	}
+      else
+	{
+	  if (ifc.ifc_len == lastlen)
+	    break; /* got a big enough buffer now */
+	  lastlen = ifc.ifc_len;
+	}
+    }
   
   for (ptr = ifc.ifc_buf; ptr < ifc.ifc_buf + ifc.ifc_len; ptr += len )
     {
@@ -186,14 +195,10 @@ int iface_enumerate(struct daemon *daemon, void *parm, int (*ipv4_callback)(), i
 
       ifr = ifreq.iov_base;
       memcpy(ifr, ptr, len);
-      
-      strncpy(ifaux.ifr_name, ifr->ifr_name, IF_NAMESIZE);
            
       if (ifr->ifr_addr.sa_family == AF_INET && ipv4_callback)
 	{
 	  struct in_addr addr, netmask, broadcast;
-	  if (ioctl(fd, SIOCGIFINDEX, &ifaux) == -1)
-	    continue;
 	  broadcast.s_addr = 0;
 	  addr = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
 	  if (ioctl(fd, SIOCGIFNETMASK, ifr) == -1)
@@ -201,7 +206,10 @@ int iface_enumerate(struct daemon *daemon, void *parm, int (*ipv4_callback)(), i
 	  netmask = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
 	  if (ioctl(fd, SIOCGIFBRDADDR, ifr) != -1)
 	    broadcast = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr; 
-	  if (!((*ipv4_callback)(daemon, addr, (int)ifaux.ifr_index, netmask, broadcast, parm)))
+	  if (!((*ipv4_callback)(daemon, addr, 
+				 (int)if_nametoindex(ifr->ifr_name),
+				 netmask, broadcast, 
+				 parm)))
 	    goto err;
 	}
 #ifdef HAVE_IPV6
@@ -214,11 +222,9 @@ int iface_enumerate(struct daemon *daemon, void *parm, int (*ipv4_callback)(), i
 	      addr->s6_addr[2] = 0;
 	      addr->s6_addr[3] = 0;
 	    }
-	  if (ioctl(fd, SIOCGIFINDEX, &ifaux) == -1)
-	    continue;
 	  if (!((*ipv6_callback)(daemon, addr,
 				 (int)((struct sockaddr_in6 *)&ifr->ifr_addr)->sin6_scope_id,
-				 (int)ifaux.ifr_index,
+				 (int)if_nametoindex(ifr->ifr_name),
 				 parm)))
 	    goto err;
 	}

src/cache.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -13,17 +13,55 @@
 #include "dnsmasq.h"
 
 static struct crec *cache_head, *cache_tail, **hash_table;
-static struct crec *dhcp_inuse, *dhcp_spare, *new_chain;
+static struct crec *dhcp_spare, *new_chain;
 static int cache_inserted, cache_live_freed, insert_error;
 static union bigname *big_free;
 static int bignames_left, log_queries, cache_size, hash_size;
 static int uid;
 static char *addrbuff;
 
+/* type->string mapping: this is also used by the name-hash function as a mixing table. */
+static const struct {
+  unsigned int type;
+  const char * const name;
+} typestr[] = {
+  { 1,   "A" },
+  { 2,   "NS" },
+  { 5,   "CNAME" },
+  { 6,   "SOA" },
+  { 10,  "NULL" },
+  { 11,  "WKS" },
+  { 12,  "PTR" },
+  { 13,  "HINFO" },	
+  { 15,  "MX" },
+  { 16,  "TXT" },
+  { 22,  "NSAP" },
+  { 23,  "NSAP_PTR" },
+  { 24,  "SIG" },
+  { 25,  "KEY" },
+  { 28,  "AAAA" },
+  { 33,  "SRV" },
+  { 36,  "KX" },
+  { 37,  "CERT" },
+  { 38,  "A6" },
+  { 39,  "DNAME" },
+  { 41,  "OPT" },
+  { 48,  "DNSKEY" },
+  { 249, "TKEY" },
+  { 250, "TSIG" },
+  { 251, "IXFR" },
+  { 252, "AXFR" },
+  { 253, "MAILB" },
+  { 254, "MAILA" },
+  { 255, "ANY" }
+};
+
 static void cache_free(struct crec *crecp);
 static void cache_unlink(struct crec *crecp);
 static void cache_link(struct crec *crecp);
 static char *record_source(struct hostsfile *add_hosts, int index);
+static void rehash(int size);
+static void cache_hash(struct crec *crecp);
 
 void cache_init(int size, int logq)
 {
@@ -36,8 +74,9 @@ void cache_init(int size, int logq)
     addrbuff = NULL;
       
   cache_head = cache_tail = NULL;
-  dhcp_inuse = dhcp_spare = NULL;
+  dhcp_spare = NULL;
   new_chain = NULL;
+  hash_table = NULL;
   cache_size = size;
   big_free = NULL;
   bignames_left = size/10;
@@ -57,33 +96,85 @@ void cache_init(int size, int logq)
 	}
     }
   
-  /* hash_size is a power of two. */
-  for (hash_size = 64; hash_size < cache_size/10; hash_size = hash_size << 1);
-  hash_table = safe_malloc(hash_size*sizeof(struct crec *));
-  for(i=0; i < hash_size; i++)
-    hash_table[i] = NULL;
+  /* create initial hash table*/
+  rehash(cache_size);
 }
 
+/* In most cases, we create the hash table once here by calling this with (hash_table == NULL)
+   but if the hosts file(s) are big (some people have 50000 ad-block entries), the table
+   will be much too small, so the hosts reading code calls rehash every 1000 addresses, to
+   expand the table. */
+static void rehash(int size)
+{
+  struct crec **new, **old, *p, *tmp;
+  int i, new_size, old_size;
+
+  /* hash_size is a power of two. */
+  for (new_size = 64; new_size < size/10; new_size = new_size << 1);
+  
+  /* must succeed in getting first instance, failure later is non-fatal */
+  if (!hash_table)
+    new = safe_malloc(new_size * sizeof(struct crec *));
+  else if (new_size <= hash_size || !(new = malloc(new_size * sizeof(struct crec *))))
+    return;
+
+  for(i = 0; i < new_size; i++)
+    new[i] = NULL;
+
+  old = hash_table;
+  old_size = hash_size;
+  hash_table = new;
+  hash_size = new_size;
+  
+  if (old)
+    {
+      for (i = 0; i < old_size; i++)
+	for (p = old[i]; p ; p = tmp)
+	  {
+	    tmp = p->hash_next;
+	    cache_hash(p);
+	  }
+      free(old);
+    }
+}
+  
 static struct crec **hash_bucket(char *name)
 {
-  unsigned int c, val = 0;
-  
-  /* don't use tolower and friends here - they may be messed up by LOCALE */
+  unsigned int c, val = 017465; /* Barker code - minimum self-correlation in cyclic shift */
+  const unsigned char *mix_tab = (const unsigned char*)typestr; 
+
   while((c = (unsigned char) *name++))
-    if (c >= 'A' && c <= 'Z')
-      val += c + 'a' - 'A';
-    else
-      val += c;
+    {
+      /* don't use tolower and friends here - they may be messed up by LOCALE */
+      if (c >= 'A' && c <= 'Z')
+	c += 'a' - 'A';
+      val = ((val << 7) | (val >> (32 - 7))) + (mix_tab[(val + c) & 0x3F] ^ c);
+    } 
   
   /* hash_size is a power of two */
-  return hash_table + (val & (hash_size - 1));
+  return hash_table + ((val ^ (val >> 16)) & (hash_size - 1));
 }
 
 static void cache_hash(struct crec *crecp)
 {
-  struct crec **bucket = hash_bucket(cache_get_name(crecp));
-  crecp->hash_next = *bucket;
-  *bucket = crecp;
+  /* maintain an invariant that all entries with F_REVERSE set
+     are at the start of the hash-chain  and all non-reverse
+     immortal entries are at the end of the hash-chain.
+     This allows reverse searches and garbage collection to be optimised */
+
+  struct crec **up = hash_bucket(cache_get_name(crecp));
+
+  if (!(crecp->flags & F_REVERSE))
+    {
+      while (*up && ((*up)->flags & F_REVERSE))
+	up = &((*up)->hash_next); 
+      
+      if (crecp->flags & F_IMMORTAL)
+	while (*up && !((*up)->flags & F_IMMORTAL))
+	  up = &((*up)->hash_next);
+    }
+  crecp->hash_next = *up;
+  *up = crecp;
 }
  
 static void cache_free(struct crec *crecp)
@@ -168,7 +259,7 @@ static int is_expired(time_t now, struct crec *crecp)
 
   if (difftime(now, crecp->ttd) < 0)
     return 0;
-
+  
   return 1;
 }
 
@@ -182,10 +273,13 @@ static int cache_scan_free(char *name, struct all_addr *addr, time_t now, unsign
      If (flags == 0) remove any expired entries in the whole cache. 
 
      In the flags & F_FORWARD case, the return code is valid, and returns zero if the
-     name exists in the cache as a HOSTS or DHCP entry (these are never deleted) */
-  
-  struct crec *crecp, **up;
+     name exists in the cache as a HOSTS or DHCP entry (these are never deleted)
 
+     We take advantage of the fact that hash chains have stuff in the order <reverse>,<other>,<immortal>
+     so that when we hit an entry which isn't reverse and is immortal, we're done. */
+ 
+  struct crec *crecp, **up;
+  
   if (flags & F_FORWARD)
     {
       for (up = hash_bucket(name), crecp = *up; crecp; crecp = crecp->hash_next)
@@ -220,7 +314,9 @@ static int cache_scan_free(char *name, struct all_addr *addr, time_t now, unsign
       int addrlen = INADDRSZ;
 #endif 
       for (i = 0; i < hash_size; i++)
-	for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
+	for (crecp = hash_table[i], up = &hash_table[i]; 
+	     crecp && ((crecp->flags & F_REVERSE) || !(crecp->flags & F_IMMORTAL));
+	     crecp = crecp->hash_next)
 	  if (is_expired(now, crecp))
 	    {
 	      *up = crecp->hash_next;
@@ -491,16 +587,19 @@ struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr,
   else
     {  
       /* first search, look for relevant entries and push to top of list
-	 also free anything which has expired */
+	 also free anything which has expired. All the reverse entries are at the
+	 start of the hash chain, so we can give up when we find the first 
+	 non-REVERSE one.  */
        int i;
        struct crec **up, **chainp = &ans;
        
-       for(i=0; i<hash_size; i++)
-	 for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
+       for (i=0; i<hash_size; i++)
+	 for (crecp = hash_table[i], up = &hash_table[i]; 
+	      crecp && (crecp->flags & F_REVERSE);
+	      crecp = crecp->hash_next)
 	   if (!is_expired(now, crecp))
 	     {      
-	       if ((crecp->flags & F_REVERSE) && 
-		   (crecp->flags & prot) &&
+	       if ((crecp->flags & prot) &&
 		   memcmp(&crecp->addr.addr, addr, addrlen) == 0)
 		 {	    
 		   if (crecp->flags & (F_HOSTS | F_DHCP))
@@ -539,19 +638,42 @@ struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr,
 }
 
 static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrlen, 
-			    unsigned short flags, int index)
+			    unsigned short flags, int index, int addr_dup)
 {
   struct crec *lookup = cache_find_by_name(NULL, cache->name.sname, 0, flags & (F_IPV4 | F_IPV6));
-
+  int i;
+  
   /* Remove duplicates in hosts files. */
   if (lookup && (lookup->flags & F_HOSTS) &&
       memcmp(&lookup->addr.addr, addr, addrlen) == 0)
     free(cache);
   else
     {
-      /* Ensure there is only one address -> name mapping (first one trumps) */
-      if (cache_find_by_addr(NULL, addr, 0, flags & (F_IPV4 | F_IPV6)))
+      /* Ensure there is only one address -> name mapping (first one trumps) 
+	 We do this by steam here, first we see if the address is the same as
+	 the last one we saw, which eliminates most in the case of an ad-block 
+	 file with thousands of entries for the same address.
+	 Then we search and bail at the first matching address that came from
+	 a HOSTS file. Since the first host entry gets reverse, we know 
+	 then that it must exist without searching exhaustively for it. */
+     
+      if (addr_dup)
 	flags &= ~F_REVERSE;
+      else
+	for (i=0; i<hash_size; i++)
+	  {
+	    for (lookup = hash_table[i]; lookup; lookup = lookup->hash_next)
+	      if ((lookup->flags & F_HOSTS) && 
+		  (lookup->flags & flags & (F_IPV4 | F_IPV6)) &&
+		  memcmp(&lookup->addr.addr, addr, addrlen) == 0)
+		{
+		  flags &= ~F_REVERSE;
+		  break;
+		}
+	    if (lookup)
+	      break;
+	  }
+      
       cache->flags = flags;
       cache->uid = index;
       memcpy(&cache->addr.addr, addr, addrlen);
@@ -559,25 +681,25 @@ static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrl
     }
 }
 
-static void read_hostsfile(char *filename, int opts, char *buff, char *domain_suffix, int index)
+static int read_hostsfile(char *filename, int opts, char *buff, char *domain_suffix, int index, int cache_size)
 {  
   FILE *f = fopen(filename, "r");
   char *line;
-  int count = 0, lineno = 0;
-  
+  int addr_count = 0, name_count = cache_size, lineno = 0;
+  unsigned short flags, saved_flags = 0;
+  struct all_addr addr, saved_addr;
+
   if (!f)
     {
       syslog(LOG_ERR, _("failed to load names from %s: %m"), filename);
-      return;
+      return 0;
     }
     
   while ((line = fgets(buff, MAXDNAME, f)))
     {
-      struct all_addr addr;
       char *token = strtok(line, " \t\n\r");
-      int addrlen;
-      unsigned short flags;
-          
+      int addrlen, addr_dup = 0;
+              
       lineno++;
 
       if (!token || (*token == '#')) 
@@ -607,12 +729,28 @@ static void read_hostsfile(char *filename, int opts, char *buff, char *domain_su
 	  continue;
 	}
 
+     if (saved_flags == flags && memcmp(&addr, &saved_addr, addrlen) == 0)
+       addr_dup = 1;
+     else
+       {
+	 saved_flags = flags;
+	 saved_addr = addr;
+       }
+     
+     addr_count++;
+     
+     /* rehash every 1000 names. */
+     if ((name_count - cache_size) > 1000)
+       {
+	 rehash(name_count);
+	 cache_size = name_count;
+       }
+     
      while ((token = strtok(NULL, " \t\n\r")) && (*token != '#'))
        {
 	 struct crec *cache;
 	 if (canonicalise(token))
 	   {
-	     count++;
 	     /* If set, add a version of the name with a default domain appended */
 	     if ((opts & OPT_EXPAND) && domain_suffix && !strchr(token, '.') && 
 		 (cache = malloc(sizeof(struct crec) + 
@@ -621,12 +759,15 @@ static void read_hostsfile(char *filename, int opts, char *buff, char *domain_su
 		 strcpy(cache->name.sname, token);
 		 strcat(cache->name.sname, ".");
 		 strcat(cache->name.sname, domain_suffix);
-		 add_hosts_entry(cache, &addr, addrlen, flags, index);
+		 add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
+		 addr_dup = 1;
+		 name_count++;
 	       }
 	     if ((cache = malloc(sizeof(struct crec) + strlen(token)+1-SMALLDNAME)))
 	       {
 		 strcpy(cache->name.sname, token);
-		 add_hosts_entry(cache, &addr, addrlen, flags, index);
+		 add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
+		 name_count++;
 	       }
 	   }
 	 else
@@ -635,14 +776,17 @@ static void read_hostsfile(char *filename, int opts, char *buff, char *domain_su
     }
   
   fclose(f);
+  rehash(name_count);
 
-  syslog(LOG_INFO, _("read %s - %d addresses"), filename, count);
+  syslog(LOG_INFO, _("read %s - %d addresses"), filename, addr_count);
+
+  return name_count;
 }
 	    
 void cache_reload(int opts, char *buff, char *domain_suffix, struct hostsfile *addn_hosts)
 {
   struct crec *cache, **up, *tmp;
-  int i;
+  int i, total_size = cache_size;
 
   cache_inserted = cache_live_freed = 0;
   
@@ -677,35 +821,29 @@ void cache_reload(int opts, char *buff, char *domain_suffix, struct hostsfile *a
     }
 
   if (!(opts & OPT_NO_HOSTS))
-    read_hostsfile(HOSTSFILE, opts, buff, domain_suffix, 0);
+    total_size = read_hostsfile(HOSTSFILE, opts, buff, domain_suffix, 0, total_size);
   while (addn_hosts)
     {
-      read_hostsfile(addn_hosts->fname, opts, buff, domain_suffix, addn_hosts->index);
+      total_size = read_hostsfile(addn_hosts->fname, opts, buff, domain_suffix, addn_hosts->index, total_size);
       addn_hosts = addn_hosts->next;
     }  
 } 
 
 void cache_unhash_dhcp(void)
 {
-  struct crec *tmp, *cache, **up;
+  struct crec *cache, **up;
   int i;
 
   for (i=0; i<hash_size; i++)
     for (cache = hash_table[i], up = &hash_table[i]; cache; cache = cache->hash_next)
       if (cache->flags & F_DHCP)
-	*up = cache->hash_next;
+	{
+	  *up = cache->hash_next;
+	  cache->next = dhcp_spare;
+	  dhcp_spare = cache;
+	}
       else
 	up = &cache->hash_next;
-
-  /* prev field links all dhcp entries */
-  for (cache = dhcp_inuse; cache; cache = tmp)
-    {
-      tmp = cache->prev;
-      cache->prev = dhcp_spare;
-      dhcp_spare = cache;
-    }
-    
-  dhcp_inuse = NULL;
 }
 
 void cache_add_dhcp_entry(struct daemon *daemon, char *host_name, 
@@ -746,7 +884,7 @@ void cache_add_dhcp_entry(struct daemon *daemon, char *host_name,
     }
 
   if ((crec = dhcp_spare))
-    dhcp_spare = dhcp_spare->prev;
+    dhcp_spare = dhcp_spare->next;
   else /* need new one */
     crec = malloc(sizeof(struct crec));
   
@@ -759,14 +897,10 @@ void cache_add_dhcp_entry(struct daemon *daemon, char *host_name,
 	crec->ttd = ttd;
       crec->addr.addr.addr.addr4 = *host_address;
       crec->name.namep = host_name;
-      crec->prev = dhcp_inuse;
-      dhcp_inuse = crec;
       cache_hash(crec);
     }
 }
 
-
-
 void dump_cache(struct daemon *daemon, time_t now)
 {
   syslog(LOG_INFO, _("time %lu, cache size %d, %d/%d cache insertions re-used unexpired cache entries."), 
@@ -882,6 +1016,8 @@ void log_query(unsigned short flags, char *name, struct all_addr *addr,
 	strcpy(addrbuff, "<SRV>");
       else if (flags & F_NXDOMAIN)
 	strcpy(addrbuff, "<TXT>");
+      else if (flags & F_BIGNAME)
+	strcpy(addrbuff, "<PTR>");
       else
 	strcpy(addrbuff, "<CNAME>");
     }
@@ -909,38 +1045,6 @@ void log_query(unsigned short flags, char *name, struct all_addr *addr,
   else if (flags & F_QUERY)
     {
       unsigned int i;
-      static const struct {
-	unsigned int type;
-	const char * const name;
-      } typestr[] = {
-	{ 1,   "A" },
-	{ 2,   "NS" },
-	{ 5,   "CNAME" },
-	{ 6,   "SOA" },
-	{ 10,  "NULL" },
-	{ 11,  "WKS" },
-	{ 12,  "PTR" },
-	{ 13,  "HINFO" },	
-        { 15,  "MX" },
-	{ 16,  "TXT" },
-	{ 22,  "NSAP" },
-	{ 23,  "NSAP_PTR" },
-	{ 24,  "SIG" },
-	{ 25,  "KEY" },
-	{ 28,  "AAAA" },
- 	{ 33,  "SRV" },
-        { 36,  "KX" },
-        { 37,  "CERT" },
-        { 38,  "A6" },
-        { 39,  "DNAME" },
-	{ 41,  "OPT" },
-	{ 250, "TSIG" },
-	{ 251, "IXFR" },
-	{ 252, "AXFR" },
-        { 253, "MAILB" },
-	{ 254, "MAILA" },
-	{ 255, "ANY" }
-      };
       
       if (type != 0)
         {

src/config.h

@@ -10,19 +10,19 @@
    GNU General Public License for more details.
 */
 
-#define VERSION "2.28"
+#define VERSION "2.38"
 
-#define FTABSIZ 150 /* max number of outstanding requests */
+#define FTABSIZ 150 /* max number of outstanding requests (default) */
 #define MAX_PROCS 20 /* max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define EDNS_PKTSZ 1280 /* default max EDNS.0 UDP packet from RFC2671 */
-#define TIMEOUT 20 /* drop UDP queries after TIMEOUT seconds */
+#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
-#define LOGRATE 120 /* log table overflows every LOGRATE seconds */
 #define CACHESIZ 150 /* default cache size */
 #define MAXLEASES 150 /* maximum number of DHCP leases */
 #define PING_WAIT 3 /* wait for ping address-in-use test */
 #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */
+#define DECLINE_BACKOFF 600 /* disable DECLINEd static addresses for this long */
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 40 /* most domain names are smaller than this */
 #define HOSTSFILE "/etc/hosts"
@@ -33,7 +33,7 @@
 #  define RESOLVFILE "/etc/resolv.conf"
 #endif
 #define RUNFILE "/var/run/dnsmasq.pid"
-#if defined(__FreeBSD__) || defined (__OpenBSD__)
+#if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__)
 #   define LEASEFILE "/var/db/dnsmasq.leases"
 #else
 #   define LEASEFILE "/var/lib/misc/dnsmasq.leases"
@@ -48,27 +48,19 @@
 #define CHGRP "dip"
 #define DHCP_SERVER_PORT 67
 #define DHCP_CLIENT_PORT 68
+#define TFTP_PORT 69
+#define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
 
 /* DBUS interface specifics */
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq"
 #define DNSMASQ_PATH "/uk/org/thekelleys/dnsmasq"
 
-/* Logfile stuff - change this to change the options and facility */
-/* debug is true if the --no-daemon flag is given */
-#ifdef LOG_PERROR
-#  define DNSMASQ_LOG_OPT(debug)  (debug) ? LOG_PERROR : LOG_PID
-#else
-#  define DNSMASQ_LOG_OPT(debug)  (debug) ? 0 : LOG_PID
-#endif
-
-#ifdef LOG_LOCAL0
-#  define DNSMASQ_LOG_FAC(debug)  (debug) ? LOG_LOCAL0 : LOG_DAEMON
-#else
-#  define DNSMASQ_LOG_FAC(debug)  LOG_DAEMON
-#endif
-
 /* A small collection of RR-types which are missing on some platforms */
 
+#ifndef T_SIG
+#  define T_SIG 24
+#endif
+
 #ifndef T_SRV
 #  define T_SRV 33
 #endif
@@ -77,9 +69,19 @@
 #  define T_OPT 41
 #endif
 
+#ifndef T_TKEY
+#  define T_TKEY 249
+#endif
+
+#ifndef T_TSIG
+#  define T_TSIG 250
+#endif
+
+
 /* Get linux C library versions. */
 #if defined(__linux__) && !defined(__UCLIBC__) && !defined(__uClinux__)
-#  include <libio.h> 
+/*#  include <libio.h> */
+#  include <features.h> 
 #endif
 
 
@@ -111,6 +113,9 @@ HAVE_ISC_READER
    define this to include the old ISC dhcpcd integration. Note that you cannot
    set both HAVE_ISC_READER and HAVE_BROKEN_RTC.
 
+HAVE_TFTP
+   define this to get dnsmasq's built-in TFTP server.
+
 HAVE_GETOPT_LONG
    define this if you have GNU libc or GNU getopt. 
 
@@ -165,15 +170,21 @@ NOTES:
 
 */
 
-/* platform independent options. */
-#undef HAVE_BROKEN_RTC
-#undef HAVE_ISC_READER
-#undef HAVE_DBUS
+/* platform independent options- uncomment to enable */
+#define HAVE_TFTP
+/* #define HAVE_BROKEN_RTC */
+/* #define HAVE_ISC_READER */
+/* #define HAVE_DBUS */
 
 #if defined(HAVE_BROKEN_RTC) && defined(HAVE_ISC_READER)
 #  error HAVE_ISC_READER is not compatible with HAVE_BROKEN_RTC
 #endif
 
+/* Allow TFTP to be disabled with COPT=-DNO_TFTP */
+#ifdef NO_TFTP
+#undef HAVE_TFTP
+#endif
+
 /* platform dependent options. */
 
 /* Must preceed __linux__ since uClinux defines __linux__ too. */
@@ -203,11 +214,13 @@ NOTES:
 #define HAVE_DEV_URANDOM
 #define HAVE_DEV_RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
-#if !defined(__UCLIBC_HAS_MMU__)
+#if !defined(__ARCH_HAS_MMU__) && !defined(__UCLIBC_HAS_MMU__)
 #  define NO_FORK
 #endif
-#if !defined(__UCLIBC_HAS_IPV6__)
-#  define NO_IPV6
+#if defined(__UCLIBC_HAS_IPV6__)
+#  ifndef IPV6_V6ONLY
+#    define IPV6_V6ONLY 26
+#  endif
 #endif
 
 /* This is for glibc 2.x */
@@ -227,7 +240,7 @@ typedef unsigned long in_addr_t;
 #   define HAVE_BROKEN_SOCKADDR_IN6
 #endif
 
-#elif defined(__FreeBSD__) || defined(__OpenBSD__)
+#elif defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
 #undef HAVE_LINUX_NETWORK
 /* Later verions of FreeBSD have getopt_long() */
 #if defined(optional_argument) && defined(required_argument)
@@ -263,6 +276,7 @@ typedef unsigned long in_addr_t;
  
 #endif
 /* Decide if we're going to support IPv6 */
+/* IPv6 can be forced off with "make COPTS=-DNO_IPV6" */
 /* We assume that systems which don't have IPv6
    headers don't have ntop and pton either */
 
@@ -282,4 +296,3 @@ typedef unsigned long in_addr_t;
 #  define ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
 #endif
 
-

src/dbus.c

@@ -240,7 +240,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
       check_servers(daemon);
     }
   else if (strcmp(method, "ClearCache") == 0)
-    clear_cache_and_reload(daemon);
+    clear_cache_and_reload(daemon, dnsmasq_time());
   else
     return (DBUS_HANDLER_RESULT_NOT_YET_HANDLED);
   
@@ -260,7 +260,7 @@ char *dbus_init(struct daemon *daemon)
   dbus_error_init (&dbus_error);
   if (!(connection = dbus_bus_get (DBUS_BUS_SYSTEM, &dbus_error)))
     return NULL;
-
+    
   dbus_connection_set_exit_on_disconnect(connection, FALSE);
   dbus_connection_set_watch_functions(connection, add_watch, remove_watch, 
 				      NULL, (void *)daemon, NULL);
@@ -282,8 +282,8 @@ char *dbus_init(struct daemon *daemon)
 }
  
 
-int set_dbus_listeners(struct daemon *daemon, int maxfd,
-		       fd_set *rset, fd_set *wset, fd_set *eset)
+void set_dbus_listeners(struct daemon *daemon, int *maxfdp,
+			fd_set *rset, fd_set *wset, fd_set *eset)
 {
   struct watch *w;
   
@@ -293,8 +293,7 @@ int set_dbus_listeners(struct daemon *daemon, int maxfd,
 	unsigned int flags = dbus_watch_get_flags(w->watch);
 	int fd = dbus_watch_get_fd(w->watch);
 	
-	if (fd > maxfd)
-	  maxfd = fd;
+	bump_maxfd(fd, maxfdp);
 	
 	if (flags & DBUS_WATCH_READABLE)
 	  FD_SET(fd, rset);
@@ -304,7 +303,6 @@ int set_dbus_listeners(struct daemon *daemon, int maxfd,
 	
 	FD_SET(fd, eset);
       }
-  return maxfd;
 }
 
 void check_dbus_listeners(struct daemon *daemon,

src/dhcp.c

@@ -25,14 +25,13 @@ void dhcp_init(struct daemon *daemon)
 {
   int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
   struct sockaddr_in saddr;
-  int flags, oneopt = 1;
+  int oneopt = 1;
   struct dhcp_config *configs, *cp;
 
   if (fd == -1)
     die (_("cannot create DHCP socket : %s"), NULL);
   
-  if ((flags = fcntl(fd, F_GETFL, 0)) == -1 ||
-      fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ||
+  if (!fix_fd(fd) || 
 #if defined(HAVE_LINUX_NETWORK)
       setsockopt(fd, SOL_IP, IP_PKTINFO, &oneopt, sizeof(oneopt)) == -1 ||
 #elif defined(IP_RECVIF)
@@ -42,12 +41,26 @@ void dhcp_init(struct daemon *daemon)
     die(_("failed to set options on DHCP socket: %s"), NULL);
   
   /* When bind-interfaces is set, there might be more than one dnmsasq
-     instance binding port 67. That's Ok if they serve different networks.
-     Need to set REUSEADDR to make this posible. */
-  if ((daemon->options & OPT_NOWILD) &&
-      setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt)) == -1)
-    die(_("failed to set SO_REUSEADDR on DHCP socket: %s"), NULL);
+     instance binding port 67. That's OK if they serve different networks.
+     Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD.
+     OpenBSD <= 4.0 screws up IP_RECVIF when SO_REUSEPORT is set, but
+     OpenBSD <= 3.9 doesn't have IP_RECVIF anyway, so we just have to elide
+     this for OpenBSD 4.0, if you want more than one instance on oBSD4.0, tough. */
+
+#ifndef OpenBSD4_0
+  if (daemon->options & OPT_NOWILD)
+    {
+#ifdef SO_REUSEPORT
+      int rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &oneopt, sizeof(oneopt));
+#else
+      int rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt));
+#endif
+      if (rc == -1)
+	die(_("failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s"), NULL);
+    }
+#endif
   
+  memset(&saddr, 0, sizeof(saddr));
   saddr.sin_family = AF_INET;
   saddr.sin_port = htons(DHCP_SERVER_PORT);
   saddr.sin_addr.s_addr = INADDR_ANY;
@@ -104,7 +117,7 @@ void dhcp_packet(struct daemon *daemon, time_t now)
   struct iovec iov;
   ssize_t sz; 
   int iface_index = 0, unicast_dest = 0;
-  struct in_addr iface_addr;
+  struct in_addr iface_addr, *addrp = NULL;
   struct iface_param parm;
 
   union {
@@ -116,8 +129,8 @@ void dhcp_packet(struct daemon *daemon, time_t now)
 #endif
   } control_u;
   
-  msg.msg_control = control_u.control;
-  msg.msg_controllen = sizeof(control_u);
+  msg.msg_control = NULL;
+  msg.msg_controllen = 0;
   msg.msg_name = NULL;
   msg.msg_namelen = 0;
   msg.msg_iov = &daemon->dhcp_packet;
@@ -134,42 +147,48 @@ void dhcp_packet(struct daemon *daemon, time_t now)
   /* expand_buf may have moved buffer */
   mess = daemon->dhcp_packet.iov_base;
   msg.msg_controllen = sizeof(control_u);
+  msg.msg_control = control_u.control;
   msg.msg_flags = 0;
   msg.msg_name = &dest;
   msg.msg_namelen = sizeof(dest);
 
-  while ((sz = recvmsg(daemon->dhcpfd, &msg, 0)) && errno == EINTR);
+  while ((sz = recvmsg(daemon->dhcpfd, &msg, 0)) == -1 && errno == EINTR);
  
-  if ((msg.msg_flags & MSG_TRUNC) ||
-      sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
+  if (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
     return;
   
 #if defined (HAVE_LINUX_NETWORK)
-  if (msg.msg_controllen < sizeof(struct cmsghdr))
-    return;
-  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-    if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
-      {
-	iface_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
-	if (((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_addr.s_addr != INADDR_BROADCAST)
-	  unicast_dest = 1;
-      }
-
+  if (msg.msg_controllen >= sizeof(struct cmsghdr))
+    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+      if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
+	{
+	  iface_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
+	  if (((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_addr.s_addr != INADDR_BROADCAST)
+	    unicast_dest = 1;
+	}
+  
   if (!(ifr.ifr_ifindex = iface_index) || 
       ioctl(daemon->dhcpfd, SIOCGIFNAME, &ifr) == -1)
     return;
   
 #elif defined(IP_RECVIF)
-  if (msg.msg_controllen < sizeof(struct cmsghdr))
-    return;
-  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-    if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
-      iface_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
-
+  if (msg.msg_controllen >= sizeof(struct cmsghdr))
+    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	iface_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+  
   if (!iface_index || !if_indextoname(iface_index, ifr.ifr_name))
     return;
+  
+#ifdef MSG_BCAST
+  /* OpenBSD tells us when a packet was broadcast */
+  if (!(msg.msg_flags & MSG_BCAST))
+    unicast_dest = 1;
+#endif
 
 #else
+  /* fallback for systems without IP_RECVIF - allow only one interface
+     and assume packets arrive from it - yuk. */
   {
     struct iname *name;
     for (name = daemon->if_names; name->isloop; name = name->next);
@@ -179,16 +198,30 @@ void dhcp_packet(struct daemon *daemon, time_t now)
 #endif
 
   ifr.ifr_addr.sa_family = AF_INET;
-  if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) < 0 )
-    return;
-  iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+  if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
+    {
+      addrp = &iface_addr;
+      iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+    }
 
+  if (!iface_check(daemon, AF_INET, (struct all_addr *)addrp, &ifr, &iface_index))
+    return;
+  
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
     if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
       return;
   
-  if (!iface_check(daemon, AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name))
-    return;
+  /* interface may have been changed by alias in iface_check */
+  if (!addrp)
+    {
+      if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1)
+	{
+	  syslog(LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
+	  return;
+	}
+      else
+	iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+    }
   
   /* unlinked contexts are marked by context->current == context */
   for (context = daemon->dhcp; context; context = context->next)
@@ -203,9 +236,9 @@ void dhcp_packet(struct daemon *daemon, time_t now)
     return;
   lease_prune(NULL, now); /* lose any expired leases */
   iov.iov_len = dhcp_reply(daemon, parm.current, ifr.ifr_name, (size_t)sz, now, unicast_dest);
-  lease_update_file(daemon);
+  lease_update_file(daemon, now);
   lease_update_dns(daemon);
-  
+    
   if (iov.iov_len == 0)
     return;
   
@@ -226,21 +259,27 @@ void dhcp_packet(struct daemon *daemon, time_t now)
   if (mess->giaddr.s_addr)
     {
       /* Send to BOOTP relay  */
-      if (!dest.sin_port)
-	dest.sin_port = htons(DHCP_SERVER_PORT);
+      dest.sin_port = htons(DHCP_SERVER_PORT);
       dest.sin_addr = mess->giaddr; 
     }
   else if (mess->ciaddr.s_addr)
     {
-      dest.sin_addr = mess->ciaddr;
-      if (!dest.sin_port)
-	dest.sin_port = htons(DHCP_CLIENT_PORT);
+      /* If the client's idea of its own address tallys with
+	 the source address in the request packet, we believe the
+	 source port too, and send back to that. */
+      if (dest.sin_addr.s_addr != mess->ciaddr.s_addr || !dest.sin_port)
+	{
+	  dest.sin_port = htons(DHCP_CLIENT_PORT); 
+	  dest.sin_addr = mess->ciaddr;
+	}
     } 
 #ifdef HAVE_LINUX_NETWORK
-  else if (ntohs(mess->flags) & 0x8000)
+  else if ((ntohs(mess->flags) & 0x8000) || mess->hlen == 0 ||
+	   mess->hlen > sizeof(ifr.ifr_addr.sa_data) || mess->htype == 0)
     {
-      /* broadcast to 255.255.255.255 */
+      /* broadcast to 255.255.255.255 (or mac address invalid) */
       struct in_pktinfo *pkt;
+      msg.msg_control = control_u.control;
       msg.msg_controllen = sizeof(control_u);
       cmptr = CMSG_FIRSTHDR(&msg);
       dest.sin_addr.s_addr = INADDR_BROADCAST;
@@ -254,12 +293,17 @@ void dhcp_packet(struct daemon *daemon, time_t now)
     }
   else
     {
-      /* unicast to unconfigured client */
+      /* unicast to unconfigured client. Inject mac address direct into ARP cache. 
+	 struct sockaddr limits size to 14 bytes. */
+      struct arpreq req;
       dest.sin_addr = mess->yiaddr;
       dest.sin_port = htons(DHCP_CLIENT_PORT);
-      if (mess->hlen != 0 && mess->htype != 0)
-	arp_inject(daemon->netlinkfd, mess->yiaddr, iface_index,
-		   mess->chaddr, mess->hlen);
+      *((struct sockaddr_in *)&req.arp_pa) = dest;
+      req.arp_ha.sa_family = mess->htype;
+      memcpy(req.arp_ha.sa_data, mess->chaddr, mess->hlen);
+      strncpy(req.arp_dev, ifr.ifr_name, 16);
+      req.arp_flags = ATF_COM;
+      ioctl(daemon->dhcpfd, SIOCSARP, &req);
     }
 #else
   else 
@@ -356,7 +400,7 @@ struct dhcp_context *address_available(struct dhcp_context *context, struct in_a
   struct dhcp_context *tmp;
 
   for (tmp = context; tmp; tmp = tmp->current)
-    if (taddr.s_addr == context->local.s_addr)
+    if (taddr.s_addr == context->router.s_addr)
       return NULL;
   
   for (tmp = context; tmp; tmp = tmp->current)
@@ -471,7 +515,7 @@ int address_allocate(struct dhcp_context *context, struct daemon *daemon,
 	  do {
 	    /* eliminate addresses in use by the server. */
 	    for (d = context; d; d = d->current)
-	      if (addr.s_addr == d->local.s_addr)
+	      if (addr.s_addr == d->router.s_addr)
 		break;
 
 	    if (!d &&
@@ -612,7 +656,8 @@ void dhcp_read_ethers(struct daemon *daemon)
   char *ip, *cp;
   struct in_addr addr;
   unsigned char hwaddr[ETHER_ADDR_LEN];
-  struct dhcp_config *config, *configs = daemon->dhcp_conf;
+  struct dhcp_config **up, *tmp;
+  struct dhcp_config *config;
   int count = 0, lineno = 0;
 
   addr.s_addr = 0; /* eliminate warning */
@@ -623,6 +668,22 @@ void dhcp_read_ethers(struct daemon *daemon)
       return;
     }
 
+  /* This can be called again on SIGHUP, so remove entries created last time round. */
+  for (up = &daemon->dhcp_conf, config = daemon->dhcp_conf; config; config = tmp)
+    {
+      tmp = config->next;
+      if (config->flags & CONFIG_FROM_ETHERS)
+	{
+	  *up = tmp;
+	  /* cannot have a clid */
+	  if (config->flags & CONFIG_NAME)
+	    free(config->hostname);
+	  free(config);
+	}
+      else
+	up = &config->next;
+    }
+
   while (fgets(buff, MAXDNAME, f))
     {
       lineno++;
@@ -657,7 +718,7 @@ void dhcp_read_ethers(struct daemon *daemon)
 
 	  flags = CONFIG_ADDR;
 	  
-	  for (config = configs; config; config = config->next)
+	  for (config = daemon->dhcp_conf; config; config = config->next)
 	    if ((config->flags & CONFIG_ADDR) && config->addr.s_addr == addr.s_addr)
 	      break;
 	}
@@ -671,14 +732,14 @@ void dhcp_read_ethers(struct daemon *daemon)
 
 	  flags = CONFIG_NAME;
 
-	  for (config = configs; config; config = config->next)
+	  for (config = daemon->dhcp_conf; config; config = config->next)
 	    if ((config->flags & CONFIG_NAME) && hostname_isequal(config->hostname, ip))
 	      break;
 	}
       
       if (!config)
 	{ 
-	  for (config = configs; config; config = config->next)
+	  for (config = daemon->dhcp_conf; config; config = config->next)
 	    if ((config->flags & CONFIG_HWADDR) && 
 		config->wildcard_mask == 0 &&
 		config->hwaddr_len == ETHER_ADDR_LEN &&
@@ -690,10 +751,10 @@ void dhcp_read_ethers(struct daemon *daemon)
 	    {
 	      if (!(config = malloc(sizeof(struct dhcp_config))))
 		continue;
-	      config->flags = 0;
+	      config->flags = CONFIG_FROM_ETHERS;
 	      config->wildcard_mask = 0;
-	      config->next = configs;
-	      configs = config;
+	      config->next = daemon->dhcp_conf;
+	      daemon->dhcp_conf = config;
 	    }
 	  
 	  config->flags |= flags;
@@ -720,8 +781,6 @@ void dhcp_read_ethers(struct daemon *daemon)
   fclose(f);
 
   syslog(LOG_INFO, _("read %s - %d addresses"), ETHERSFILE, count);
-  
-  daemon->dhcp_conf =  configs;
 }
 
 void dhcp_update_configs(struct dhcp_config *configs)
@@ -730,10 +789,15 @@ void dhcp_update_configs(struct dhcp_config *configs)
      This goes through /etc/hosts and sets static addresses for any DHCP config
      records which don't have an address and whose name matches. 
      We take care to maintain the invariant that any IP address can appear
-     in at most one dhcp-host. */
+     in at most one dhcp-host. Since /etc/hosts can be re-read by SIGHUP, 
+     restore the status-quo ante first. */
   
   struct dhcp_config *config;
   struct crec *crec;
+
+  for (config = configs; config; config = config->next)
+    if (config->flags & CONFIG_ADDR_HOSTS)
+      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
   
   for (config = configs; config; config = config->next)
     if (!(config->flags & CONFIG_ADDR) &&
@@ -747,7 +811,7 @@ void dhcp_update_configs(struct dhcp_config *configs)
 	else
 	  {
 	    config->addr = crec->addr.addr.addr.addr4;
-	    config->flags |= CONFIG_ADDR;
+	    config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
 	  }
       }
 }

src/dnsmasq.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,14 +10,12 @@
    GNU General Public License for more details.
 */
 
-#define COPYRIGHT "Copyright (C) 2000-2006 Simon Kelley" 
+#define COPYRIGHT "Copyright (C) 2000-2007 Simon Kelley" 
 
 /* get these before config.h  for IPv6 stuff... */
 #include <sys/types.h> 
 #include <netinet/in.h>
 
-/* get this before config.h too. */
-#include <syslog.h>
 #ifdef __APPLE__
 /* need this before arpa/nameser.h */
 #  define BIND_8_COMPAT
@@ -69,6 +67,8 @@
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <sys/uio.h>
+#include <syslog.h>
+#include <dirent.h>
 #ifndef HAVE_LINUX_NETWORK
 #  include <net/if_dl.h>
 #endif
@@ -88,28 +88,33 @@ extern int capset(cap_user_header_t header, cap_user_data_t data);
 */
 #define DNSMASQ_PACKETSZ PACKETSZ+MAXDNAME+RRFIXEDSZ
 
-#define OPT_BOGUSPRIV      1
-#define OPT_FILTER         2
-#define OPT_LOG            4
-#define OPT_SELFMX         8
-#define OPT_NO_HOSTS       16
-#define OPT_NO_POLL        32
-#define OPT_DEBUG          64
-#define OPT_ORDER          128
-#define OPT_NO_RESOLV      256
-#define OPT_EXPAND         512
-#define OPT_LOCALMX        1024
-#define OPT_NO_NEG         2048
-#define OPT_NODOTS_LOCAL   4096
-#define OPT_NOWILD         8192
-#define OPT_ETHERS         16384
-#define OPT_RESOLV_DOMAIN  32768
-#define OPT_NO_FORK        65536
-#define OPT_AUTHORITATIVE  131072
-#define OPT_LOCALISE       262144
-#define OPT_DBUS           524288
-#define OPT_BOOTP_DYNAMIC  1048576
-#define OPT_NO_PING        2097152
+#define OPT_BOGUSPRIV      (1<<0)
+#define OPT_FILTER         (1<<1)
+#define OPT_LOG            (1<<2)
+#define OPT_SELFMX         (1<<3)
+#define OPT_NO_HOSTS       (1<<4)
+#define OPT_NO_POLL        (1<<5)
+#define OPT_DEBUG          (1<<6)
+#define OPT_ORDER          (1<<7)
+#define OPT_NO_RESOLV      (1<<8)
+#define OPT_EXPAND         (1<<9)
+#define OPT_LOCALMX        (1<<10)
+#define OPT_NO_NEG         (1<<11)
+#define OPT_NODOTS_LOCAL   (1<<12)
+#define OPT_NOWILD         (1<<13)
+#define OPT_ETHERS         (1<<14)
+#define OPT_RESOLV_DOMAIN  (1<<15)
+#define OPT_NO_FORK        (1<<16)
+#define OPT_AUTHORITATIVE  (1<<17)
+#define OPT_LOCALISE       (1<<18)
+#define OPT_DBUS           (1<<19)
+#define OPT_BOOTP_DYNAMIC  (1<<20)
+#define OPT_NO_PING        (1<<21)
+#define OPT_LEASE_RO       (1<<22)
+#define OPT_RELOAD         (1<<24)
+#define OPT_TFTP           (1<<25)
+#define OPT_TFTP_SECURE    (1<<26)
+#define OPT_TFTP_NOBLOCK   (1<<27)
 
 struct all_addr {
   union {
@@ -144,6 +149,11 @@ struct txt_record {
   struct txt_record *next;
 };
 
+struct ptr_record {
+  char *name, *ptr;
+  struct ptr_record *next;
+};
+
 union bigname {
   char name[MAXDNAME];
   union bigname *next; /* freelist */
@@ -228,8 +238,7 @@ struct serverfd {
 
 struct server {
   union mysockaddr addr, source_addr;
-  struct serverfd *sfd; /* non-NULL if this server has its own fd bound to
-			   a source port */
+  struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
   int flags, tcpfd;
   struct server *next; 
@@ -238,11 +247,12 @@ struct server {
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
+  int dhcp_ok;
   struct irec *next;
 };
 
 struct listener {
-  int fd, tcpfd, family;
+  int fd, tcpfd, tftpfd, family;
   struct irec *iface; /* only valid for non-wildcard */
   struct listener *next;
 };
@@ -273,7 +283,7 @@ struct hostsfile {
 struct frec {
   union mysockaddr source;
   struct all_addr dest;
-  struct server *sentto;
+  struct server *sentto; /* NULL means free */
   unsigned int iface;
   unsigned short orig_id, new_id;
   int fd, forwardall;
@@ -282,13 +292,23 @@ struct frec {
   struct frec *next;
 };
 
+/* actions in the daemon->helper RPC */
+#define ACTION_DEL           1
+#define ACTION_OLD_HOSTNAME  2
+#define ACTION_OLD           3
+#define ACTION_ADD           4
+
 #define DHCP_CHADDR_MAX 16
 
 struct dhcp_lease {
   int clid_len;          /* length of client identifier */
   unsigned char *clid;   /* clientid */
   char *hostname, *fqdn; /* name from client-hostname option or config */
-  int auth_name;         /* hostname came from config, not from client */
+  char *old_hostname;    /* hostname before it moved to another lease */
+  char auth_name;        /* hostname came from config, not from client */
+  char new;              /* newly created */
+  char changed;          /* modified */
+  char aux_changed;      /* CLID or expiry changed */
   time_t expires;        /* lease expiry */
 #ifdef HAVE_BROKEN_RTC
   unsigned int length;
@@ -296,6 +316,8 @@ struct dhcp_lease {
   int hwaddr_len, hwaddr_type;
   unsigned char hwaddr[DHCP_CHADDR_MAX]; 
   struct in_addr addr;
+  unsigned char *vendorclass, *userclass;
+  unsigned int vendorclass_len, userclass_len;
   struct dhcp_lease *next;
 };
 
@@ -308,6 +330,7 @@ struct dhcp_netid_list {
   struct dhcp_netid *list;
   struct dhcp_netid_list *next;
 };
+
 struct dhcp_config {
   unsigned int flags;
   int clid_len;          /* length of client identifier */
@@ -317,6 +340,7 @@ struct dhcp_config {
   char *hostname;
   struct dhcp_netid netid;
   struct in_addr addr;
+  time_t decline_time;
   unsigned int lease_time, wildcard_mask;
   struct dhcp_config *next;
 };
@@ -329,6 +353,9 @@ struct dhcp_config {
 #define CONFIG_ADDR             32
 #define CONFIG_NETID            64
 #define CONFIG_NOCLID          128
+#define CONFIG_FROM_ETHERS     256    /* entry created by /etc/ethers */
+#define CONFIG_ADDR_HOSTS      512    /* address added by from /etc/hosts */
+#define CONFIG_DECLINED       1024    /* address declined by client */
 
 struct dhcp_opt {
   int opt, len, flags;
@@ -339,6 +366,9 @@ struct dhcp_opt {
 
 #define DHOPT_ADDR               1
 #define DHOPT_STRING             2
+#define DHOPT_ENCAPSULATE        4
+#define DHOPT_VENDOR_MATCH       8
+#define DHOPT_FORCE             16
 
 struct dhcp_boot {
   char *file, *sname;
@@ -362,6 +392,13 @@ struct dhcp_mac {
   struct dhcp_mac *next;
 };
 
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+struct dhcp_bridge {
+  char iface[IF_NAMESIZE];
+  struct dhcp_bridge *alias, *next;
+};
+#endif
+
 struct dhcp_context {
   unsigned int lease_time, addr_epoch;
   struct in_addr netmask, broadcast;
@@ -397,6 +434,23 @@ struct ping_result {
   struct ping_result *next;
 };
 
+struct tftp_file {
+  int refcount, fd;
+  off_t size;
+  char filename[];
+};
+
+struct tftp_transfer {
+  int sockfd;
+  time_t timeout;
+  int backoff;
+  unsigned int block, blocksize;
+  struct sockaddr_in peer;
+  char opt_blocksize, opt_transize;
+  struct tftp_file *file;
+  struct tftp_transfer *next;
+};
+
 struct daemon {
   /* datastuctures representing the command-line and 
      config file arguments. All set (including defaults)
@@ -406,26 +460,29 @@ struct daemon {
   struct resolvc default_resolv, *resolv_files;
   struct mx_srv_record *mxnames;
   struct txt_record *txt;
+  struct ptr_record *ptr;
   char *mxtarget;
   char *lease_file; 
   char *username, *groupname;
   char *domain_suffix;
   char *runfile; 
+  char *lease_change_command;
   struct iname *if_names, *if_addrs, *if_except, *dhcp_except;
   struct bogus_addr *bogus_addr;
   struct server *servers;
-  int cachesize;
+  int log_fac; /* log facility */
+  int cachesize, ftabsize;
   int port, query_port;
   unsigned long local_ttl;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp;
   struct dhcp_config *dhcp_conf;
-  struct dhcp_opt *dhcp_opts, *vendor_opts;
+  struct dhcp_opt *dhcp_opts;
   struct dhcp_vendor *dhcp_vendors;
   struct dhcp_mac *dhcp_macs;
   struct dhcp_boot *boot_config;
-  struct dhcp_netid_list *dhcp_ignore;
-  int dhcp_max; 
+  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names;
+  int dhcp_max, tftp_max; 
   unsigned int min_leasetime;
   struct doctor *doctors;
   unsigned short edns_pktsz;
@@ -440,10 +497,10 @@ struct daemon {
   struct server *last_server;
   struct server *srv_save; /* Used for resend on DoD */
   size_t packet_len;       /*      "        "        */
-  int num_kids;
-  
+  pid_t tcp_pids[MAX_PROCS];
+ 
   /* DHCP state */
-  int dhcpfd; 
+  int dhcpfd, helperfd; 
 #ifdef HAVE_LINUX_NETWORK
   int netlinkfd;
 #else
@@ -453,14 +510,20 @@ struct daemon {
   char *dhcp_buff, *dhcp_buff2;
   struct ping_result *ping_results;
   FILE *lease_stream;
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+  struct dhcp_bridge *bridges;
+#endif
 
   /* DBus stuff */
-#ifdef HAVE_DBUS
   /* void * here to avoid depending on dbus headers outside dbus.c */
   void *dbus;
+#ifdef HAVE_DBUS
   struct watch *watches;
 #endif
 
+  /* TFTP stuff */
+  struct tftp_transfer *tftp_trans;
+  char *tftp_prefix; 
 };
 
 /* cache.c */
@@ -495,7 +558,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
 int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name, 
 			     struct bogus_addr *addr, time_t now);
 unsigned char *find_pseudoheader(HEADER *header, size_t plen,
-				 size_t *len, unsigned char **p);
+				 size_t *len, unsigned char **p, int *is_sign);
 int check_for_local_domain(char *name, time_t now, struct daemon *daemon);
 unsigned int questions_crc(HEADER *header, size_t plen, char *buff);
 size_t resize_packet(HEADER *header, size_t plen, 
@@ -522,25 +585,32 @@ int parse_hex(char *in, unsigned char *out, int maxlen,
 int memcmp_masked(unsigned char *a, unsigned char *b, int len, 
 		  unsigned int mask);
 int expand_buf(struct iovec *iov, size_t size);
+char *print_mac(struct daemon *daemon, unsigned char *mac, int len);
+void bump_maxfd(int fd, int *max);
+void log_start(struct daemon *daemon);
+int read_write(int fd, unsigned char *packet, int size, int rw);
+
 /* option.c */
 struct daemon *read_opts (int argc, char **argv, char *compile_opts);
 
 /* forward.c */
-void forward_init(int first);
 void reply_query(struct serverfd *sfd, struct daemon *daemon, time_t now);
 void receive_query(struct listener *listen, struct daemon *daemon, time_t now);
 unsigned char *tcp_request(struct daemon *daemon, int confd, time_t now,
 			   struct in_addr local_addr, struct in_addr netmask);
+void server_gone(struct daemon *daemon, struct server *server);
+struct frec *get_new_frec(struct daemon *daemon, time_t now, int *wait);
 
 /* network.c */
 struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds);
-void reload_servers(char *fname, struct daemon *daemon);
+int reload_servers(char *fname, struct daemon *daemon);
 void check_servers(struct daemon *daemon);
 int enumerate_interfaces(struct daemon *daemon);
-struct listener *create_wildcard_listeners(int port);
+struct listener *create_wildcard_listeners(int port, int have_tftp);
 struct listener *create_bound_listeners(struct daemon *daemon);
-int iface_check(struct daemon *daemon, int family, 
-		struct all_addr *addr, char *name);
+int iface_check(struct daemon *daemon, int family, struct all_addr *addr, 
+		struct ifreq *ifr, int *indexp);
+int fix_fd(int fd);
 
 /* dhcp.c */
 void dhcp_init(struct daemon *daemon);
@@ -564,12 +634,11 @@ char *strip_hostname(struct daemon *daemon, char *hostname);
 char *host_from_dns(struct daemon *daemon, struct in_addr addr);
 
 /* lease.c */
-void lease_update_file(struct daemon *daemon);
+void lease_update_file(struct daemon *daemon, time_t now);
 void lease_update_dns(struct daemon *daemon);
 void lease_init(struct daemon *daemon, time_t now);
-struct dhcp_lease *lease_allocate(unsigned char *hwaddr, unsigned char *clid,
-				  int hw_len, int hw_type, int clid_len, struct in_addr addr);
-int lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
+struct dhcp_lease *lease_allocate(struct in_addr addr);
+void lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
 		      unsigned char *clid, int hw_len, int hw_type, int clid_len);
 void lease_set_hostname(struct dhcp_lease *lease, char *name, 
 			char *suffix, int auth);
@@ -579,6 +648,7 @@ struct dhcp_lease *lease_find_by_client(unsigned char *hwaddr, int hw_len, int h
 struct dhcp_lease *lease_find_by_addr(struct in_addr addr);
 void lease_prune(struct dhcp_lease *target, time_t now);
 void lease_update_from_configs(struct daemon *daemon);
+int do_script_run(struct daemon *daemon);
 
 /* rfc2131.c */
 size_t dhcp_reply(struct daemon *daemon, struct dhcp_context *context, char *iface_name, size_t sz, time_t now, int unicast_dest);
@@ -586,7 +656,7 @@ size_t dhcp_reply(struct daemon *daemon, struct dhcp_context *context, char *ifa
 /* dnsmasq.c */
 int make_icmp_sock(void);
 int icmp_ping(struct daemon *daemon, struct in_addr addr);
-void clear_cache_and_reload(struct daemon *daemon);
+void clear_cache_and_reload(struct daemon *daemon, time_t now);
 
 /* isc.c */
 #ifdef HAVE_ISC_READER
@@ -599,8 +669,6 @@ void netlink_init(struct daemon *daemon);
 int iface_enumerate(struct daemon *daemon, void *parm,
 		    int (*ipv4_callback)(), int (*ipv6_callback)());
 void netlink_multicast(struct daemon *daemon);
-void arp_inject(int fd, struct in_addr addr, 
-		int iface, unsigned char *mac, unsigned int mac_len);
 #endif
 
 /* bpf.c */
@@ -617,6 +685,19 @@ int iface_enumerate(struct daemon *daemon, void *parm,
 char *dbus_init(struct daemon *daemon);
 void check_dbus_listeners(struct daemon *daemon,
 			  fd_set *rset, fd_set *wset, fd_set *eset);
-int set_dbus_listeners(struct daemon *daemon, int maxfd, 
-		       fd_set *rset, fd_set *wset, fd_set *eset);
+void set_dbus_listeners(struct daemon *daemon, int *maxfdp, 
+			fd_set *rset, fd_set *wset, fd_set *eset);
+#endif
+
+/* helper.c */
+int create_helper(struct daemon *daemon);
+void helper_write(struct daemon *daemon);
+void queue_script(struct daemon *daemon, int action, 
+		  struct dhcp_lease *lease, char *hostname);
+int helper_buf_empty(void);
+
+/* tftp.c */
+#ifdef HAVE_TFTP
+void tftp_request(struct listener *listen, struct daemon *daemon, time_t now);
+void check_tftp_listeners(struct daemon *daemon, fd_set *rset, time_t now);
 #endif

src/forward.c

@@ -12,25 +12,14 @@
 
 #include "dnsmasq.h"
 
-static struct frec *frec_list;
+static struct frec *frec_list = NULL;
 
-static struct frec *get_new_frec(time_t now);
-static struct frec *lookup_frec(unsigned short id);
+static struct frec *lookup_frec(unsigned short id, unsigned int crc);
 static struct frec *lookup_frec_by_sender(unsigned short id,
 					  union mysockaddr *addr,
 					  unsigned int crc);
-static unsigned short get_id(void);
+static unsigned short get_id(int force, unsigned short force_id, unsigned int crc);
 
-/* May be called more than once. */
-void forward_init(int first)
-{
-  struct frec *f;
-  
-  if (first)
-    frec_list = NULL;
-  for (f = frec_list; f; f = f->next)
-    f->new_id = 0;
-}
 
 /* Send a UDP packet with it's source address set as "source" 
    unless nowild is true, when we just send it with the kernel default */
@@ -174,7 +163,7 @@ static unsigned short search_servers(struct daemon *daemon, time_t now, struct a
 	      {
 		if ((sflag | F_QUERY ) & qtype)
 		  {
-		    flags = qtype;
+		    flags = qtype & ~F_BIGNAME;
 		    if (serv->addr.sa.sa_family == AF_INET) 
 		      *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
 #ifdef HAVE_IPV6
@@ -195,7 +184,9 @@ static unsigned short search_servers(struct daemon *daemon, time_t now, struct a
       else
 	log_query(F_CONFIG | F_FORWARD | flags, qdomain, *addrpp, 0, NULL, 0);
     }
-  else if (qtype && (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
+  else if (qtype && !(qtype & F_BIGNAME) && 
+	   (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
+    /* don't forward simple names, make exception from NS queries and empty name. */
     flags = F_NXDOMAIN;
     
   if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now, daemon))
@@ -242,18 +233,22 @@ static void forward_query(struct daemon *daemon, int udpfd, union mysockaddr *ud
       if (gotname)
 	flags = search_servers(daemon, now, &addrp, gotname, daemon->namebuff, &type, &domain);
       
-      if (!flags && !(forward = get_new_frec(now)))
+      if (!flags && !(forward = get_new_frec(daemon, now, NULL)))
 	/* table full - server failure. */
 	flags = F_NEG;
       
       if (forward)
 	{
+	  /* force unchanging id for signed packets */
+	  int is_sign;
+	  find_pseudoheader(header, plen, NULL, NULL, &is_sign);
+	  
 	  forward->source = *udpaddr;
 	  forward->dest = *dst_addr;
 	  forward->iface = dst_iface;
-	  forward->new_id = get_id();
-	  forward->fd = udpfd;
 	  forward->orig_id = ntohs(header->id);
+	  forward->new_id = get_id(is_sign, forward->orig_id, crc);
+	  forward->fd = udpfd;
 	  forward->crc = crc;
 	  forward->forwardall = 0;
 	  header->id = htons(forward->new_id);
@@ -336,7 +331,7 @@ static void forward_query(struct daemon *daemon, int udpfd, union mysockaddr *ud
       
       /* could not send on, prepare to return */ 
       header->id = htons(forward->orig_id);
-      forward->new_id = 0; /* cancel */
+      forward->sentto = NULL; /* cancel */
     }	  
   
   /* could not send on, return empty answer or address if known for whole domain */
@@ -350,17 +345,17 @@ static void forward_query(struct daemon *daemon, int udpfd, union mysockaddr *ud
 }
 
 static size_t process_reply(struct daemon *daemon, HEADER *header, time_t now, 
-			    unsigned int query_crc, struct server *server, size_t n)
+			    struct server *server, size_t n)
 {
   unsigned char *pheader, *sizep;
-  int munged = 0;
+  int munged = 0, is_sign;
   size_t plen; 
 
   /* If upstream is advertising a larger UDP packet size
 	 than we allow, trim it so that we don't get overlarge
-	 requests for the client. */
+	 requests for the client. We can't do this for signed packets. */
 
-  if ((pheader = find_pseudoheader(header, n, &plen, &sizep)))
+  if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
     {
       unsigned short udpsz;
       unsigned char *psave = sizep;
@@ -403,12 +398,8 @@ static size_t process_reply(struct daemon *daemon, HEADER *header, time_t now,
 	  header->aa = 1;
 	  header->rcode = NOERROR;
 	}
-  
-      /* If the crc of the question section doesn't match the crc we sent, then
-	 someone might be attempting to insert bogus values into the cache by 
-	 sending replies containing questions and bogus answers. */
-      if (query_crc == questions_crc(header, n, daemon->namebuff))
-	extract_addresses(header, n, daemon->namebuff, now, daemon);
+      
+      extract_addresses(header, n, daemon->namebuff, now, daemon);
     }
   
   /* do this after extract_addresses. Ensure NODATA reply and remove
@@ -432,16 +423,16 @@ void reply_query(struct serverfd *sfd, struct daemon *daemon, time_t now)
 {
   /* packet from peer server, extract data for cache, and send to
      original requester */
-  struct frec *forward;
   HEADER *header;
   union mysockaddr serveraddr;
+  struct frec *forward;
   socklen_t addrlen = sizeof(serveraddr);
   ssize_t n = recvfrom(sfd->fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
   size_t nn;
 
   /* packet buffer overwritten */
   daemon->srv_save = NULL;
-
+  
   /* Determine the address of the server replying  so that we can mark that as good */
   serveraddr.sa.sa_family = sfd->source_addr.sa.sa_family;
 #ifdef HAVE_IPV6
@@ -450,52 +441,57 @@ void reply_query(struct serverfd *sfd, struct daemon *daemon, time_t now)
 #endif
   
   header = (HEADER *)daemon->packet;
-  forward = lookup_frec(ntohs(header->id));
   
-  if (n >= (int)sizeof(HEADER) && header->qr && forward)
+  if (n >= (int)sizeof(HEADER) && header->qr && 
+      (forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
     {
-       struct server *server = forward->sentto;
-       
-       if ((header->rcode == SERVFAIL || header->rcode == REFUSED) && forward->forwardall == 0)
-	 /* for broken servers, attempt to send to another one. */
-	 {
-	   unsigned char *pheader;
-	   size_t plen;
-	   
-	   /* recreate query from reply */
-	   pheader = find_pseudoheader(header, (size_t)n, &plen, NULL);
-	   header->ancount = htons(0);
-	   header->nscount = htons(0);
-	   header->arcount = htons(0);
-	   if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
-	     {
-	       forward->forwardall = 1;
-	       header->qr = 0;
-	       header->tc = 0;
-	       forward_query(daemon, -1, NULL, NULL, 0, header, nn, now, forward);
-	       return;
-	     }
-	 }   
-
-       if ((forward->sentto->flags & SERV_TYPE) == 0)
-	 {
-	   if (header->rcode == SERVFAIL || header->rcode == REFUSED)
-	     server = NULL;
-	   else
-	     {
-	       struct server *last_server;
-	       /* find good server by address if possible, otherwise assume the last one we sent to */ 
-	       for (last_server = daemon->servers; last_server; last_server = last_server->next)
-		 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
-		     sockaddr_isequal(&last_server->addr, &serveraddr))
-		   {
-		     server = last_server;
-		     break;
-		   }
-	     } 
-	   daemon->last_server = server;
-	 }
-	         
+      struct server *server = forward->sentto;
+      
+      if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
+	  !(daemon->options & OPT_ORDER) &&
+	  forward->forwardall == 0)
+	/* for broken servers, attempt to send to another one. */
+	{
+	  unsigned char *pheader;
+	  size_t plen;
+	  int is_sign;
+	  
+	  /* recreate query from reply */
+	  pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
+	  if (!is_sign)
+	    {
+	      header->ancount = htons(0);
+	      header->nscount = htons(0);
+	      header->arcount = htons(0);
+	      if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
+		{
+		  header->qr = 0;
+		  header->tc = 0;
+		  forward_query(daemon, -1, NULL, NULL, 0, header, nn, now, forward);
+		  return;
+		}
+	    }
+	}   
+      
+      if ((forward->sentto->flags & SERV_TYPE) == 0)
+	{
+	  if (header->rcode == SERVFAIL || header->rcode == REFUSED)
+	    server = NULL;
+	  else
+	    {
+	      struct server *last_server;
+	      /* find good server by address if possible, otherwise assume the last one we sent to */ 
+	      for (last_server = daemon->servers; last_server; last_server = last_server->next)
+		if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
+		    sockaddr_isequal(&last_server->addr, &serveraddr))
+		  {
+		    server = last_server;
+		    break;
+		  }
+	    } 
+	  daemon->last_server = server;
+	}
+      
       /* If the answer is an error, keep the forward record in place in case
 	 we get a good reply from another server. Kill it when we've
 	 had replies from all to avoid filling the forwarding table when
@@ -503,14 +499,14 @@ void reply_query(struct serverfd *sfd, struct daemon *daemon, time_t now)
       if (forward->forwardall == 0 || --forward->forwardall == 1 || 
 	  (header->rcode != REFUSED && header->rcode != SERVFAIL))
 	{
-	  if ((nn = process_reply(daemon, header, now, forward->crc, server, (size_t)n)))
+	  if ((nn = process_reply(daemon, header, now, server, (size_t)n)))
 	    {
 	      header->id = htons(forward->orig_id);
 	      header->ra = 1; /* recursion if available */
 	      send_from(forward->fd, daemon->options & OPT_NOWILD, daemon->packet, nn, 
 			&forward->source, &forward->dest, forward->iface);
 	    }
-	  forward->new_id = 0; /* cancel */
+	  forward->sentto = NULL; /* cancel */
 	}
     }
 }
@@ -623,27 +619,24 @@ void receive_query(struct listener *listen, struct daemon *daemon, time_t now)
       if (if_index == 0)
 	return;
       
-      if (daemon->if_except || daemon->if_names || (daemon->options & OPT_LOCALISE))
-	{
 #ifdef SIOCGIFNAME
-	  ifr.ifr_ifindex = if_index;
-	  if (ioctl(listen->fd, SIOCGIFNAME, &ifr) == -1)
-	    return;
-#else
-	  if (!if_indextoname(if_index, ifr.ifr_name))
-	    return;
-#endif
-
-	  if (listen->family == AF_INET &&
-	      (daemon->options & OPT_LOCALISE) &&
-	      ioctl(listen->fd, SIOCGIFNETMASK, &ifr) == -1)
-	    return;
-
-	  netmask = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-	}
-
-      if (!iface_check(daemon, listen->family, &dst_addr, ifr.ifr_name))
+      ifr.ifr_ifindex = if_index;
+      if (ioctl(listen->fd, SIOCGIFNAME, &ifr) == -1)
 	return;
+#else
+      if (!if_indextoname(if_index, ifr.ifr_name))
+	return;
+#endif
+      
+      if (!iface_check(daemon, listen->family, &dst_addr, &ifr, &if_index))
+	return;
+      
+      if (listen->family == AF_INET &&
+	  (daemon->options & OPT_LOCALISE) &&
+	  ioctl(listen->fd, SIOCGIFNETMASK, &ifr) == -1)
+	return;
+      
+      netmask = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
     }
   
   if (extract_request(header, (size_t)n, daemon->namebuff, &type))
@@ -667,31 +660,6 @@ void receive_query(struct listener *listen, struct daemon *daemon, time_t now)
 		  header, (size_t)n, now, NULL);
 }
 
-static int read_write(int fd, unsigned char *packet, int size, int rw)
-{
-  ssize_t n, done;
-  
-  for (done = 0; done < size; done += n)
-    {
-    retry:
-      if (rw)
-	n = read(fd, &packet[done], (size_t)(size - done));
-      else
-	n = write(fd, &packet[done], (size_t)(size - done));
-
-      if (n == 0)
-	return 0;
-      else if (n == -1)
-	{
-	  if (errno == EINTR)
-	    goto retry;
-	  else
-	    return 0;
-	}
-    }
-  return 1;
-}
-  
 /* The daemon forks before calling this: it should deal with one connection,
    blocking as neccessary, and then return. Note, need to be a bit careful
    about resources for debug mode, when the fork is suppressed: that's
@@ -825,9 +793,13 @@ unsigned char *tcp_request(struct daemon *daemon, int confd, time_t now,
 #endif 
 		  
 		  /* There's no point in updating the cache, since this process will exit and
-		     lose the information after one query. We make this call for the alias and 
+		     lose the information after a few queries. We make this call for the alias and 
 		     bogus-nxdomain side-effects. */
-		  m = process_reply(daemon, header, now, crc, last_server, (unsigned int)m);
+		  /* If the crc of the question section doesn't match the crc we sent, then
+		     someone might be attempting to insert bogus values into the cache by 
+		     sending replies containing questions and bogus answers. */
+		  if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
+		    m = process_reply(daemon, header, now, last_server, (unsigned int)m);
 		  
 		  break;
 		}
@@ -847,65 +819,83 @@ unsigned char *tcp_request(struct daemon *daemon, int confd, time_t now,
     }
 }
 
-static struct frec *get_new_frec(time_t now)
+static struct frec *allocate_frec(time_t now)
 {
-  struct frec *f = frec_list, *oldest = NULL;
-  time_t oldtime = now;
-  int count = 0;
-  static time_t warntime = 0;
-
-  while (f)
-    {
-      if (f->new_id == 0)
-	{
-	  f->time = now;
-	  return f;
-	}
-
-      if (difftime(f->time, oldtime) <= 0)
-	{
-	  oldtime = f->time;
-	  oldest = f;
-	}
-
-      count++;
-      f = f->next;
-    }
+  struct frec *f;
   
-  /* can't find empty one, use oldest if there is one
-     and it's older than timeout */
-  if (oldest && difftime(now, oldtime)  > TIMEOUT)
-    { 
-      oldest->time = now;
-      return oldest;
-    }
-  
-  if (count > FTABSIZ)
-    { /* limit logging rate so syslog isn't DOSed either */
-      if (!warntime || difftime(now, warntime) > LOGRATE)
-	{
-	  warntime = now;
-	  syslog(LOG_WARNING, _("forwarding table overflow: check for server loops."));
-	}
-      return NULL;
-    }
-
   if ((f = (struct frec *)malloc(sizeof(struct frec))))
     {
       f->next = frec_list;
       f->time = now;
-      f->new_id = 0;
+      f->sentto = NULL;
       frec_list = f;
     }
+
+  return f;
+}
+
+/* if wait==NULL return a free or older than TIMEOUT record.
+   else return *wait zero if one available, or *wait is delay to
+   when the oldest in-use record will expire. */
+struct frec *get_new_frec(struct daemon *daemon, time_t now, int *wait)
+{
+  struct frec *f, *oldest;
+  int count;
+  
+  if (wait)
+    *wait = 0;
+
+  for (f = frec_list, oldest = NULL, count = 0; f; f = f->next, count++)
+    if (!f->sentto)
+      {
+	f->time = now;
+	return f;
+      }
+    else if (!oldest || difftime(f->time, oldest->time) <= 0)
+      oldest = f;
+  
+  /* can't find empty one, use oldest if there is one
+     and it's older than timeout */
+  if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
+    { 
+      /* keep stuff for twice timeout if we can by allocating a new
+	 record instead */
+      if (difftime(now, oldest->time) < 2*TIMEOUT && 
+	  count <= daemon->ftabsize &&
+	  (f = allocate_frec(now)))
+	return f;
+
+      if (!wait)
+	{
+	  oldest->sentto = 0;
+	  oldest->time = now;
+	}
+      return oldest;
+    }
+  
+  /* none available, calculate time 'till oldest record expires */
+  if (count > daemon->ftabsize)
+    {
+      if (oldest && wait)
+	*wait = oldest->time + (time_t)TIMEOUT - now;
+      return NULL;
+    }
+  
+  if (!(f = allocate_frec(now)) && wait)
+    /* wait one second on malloc failure */
+    *wait = 1;
+
   return f; /* OK if malloc fails and this is NULL */
 }
  
-static struct frec *lookup_frec(unsigned short id)
+/* crc is all-ones if not known. */
+static struct frec *lookup_frec(unsigned short id, unsigned int crc)
 {
   struct frec *f;
 
   for(f = frec_list; f; f = f->next)
-    if (f->new_id == id)
+    if (f->sentto && f->new_id == id && 
+	(f->crc == crc || crc == 0xffffffff))
       return f;
       
   return NULL;
@@ -918,7 +908,7 @@ static struct frec *lookup_frec_by_sender(unsigned short id,
   struct frec *f;
   
   for(f = frec_list; f; f = f->next)
-    if (f->new_id &&
+    if (f->sentto &&
 	f->orig_id == id && 
 	f->crc == crc &&
 	sockaddr_isequal(&f->source, addr))
@@ -927,21 +917,41 @@ static struct frec *lookup_frec_by_sender(unsigned short id,
   return NULL;
 }
 
+/* A server record is going away, remove references to it */
+void server_gone(struct daemon *daemon, struct server *server)
+{
+  struct frec *f;
+  
+  for (f = frec_list; f; f = f->next)
+    if (f->sentto && f->sentto == server)
+      f->sentto = NULL;
+  
+  if (daemon->last_server == server)
+    daemon->last_server = NULL;
 
-/* return unique random ids between 1 and 65535 */
-static unsigned short get_id(void)
+  if (daemon->srv_save == server)
+    daemon->srv_save = NULL;
+}
+
+/* return unique random ids.
+   For signed packets we can't change the ID without breaking the
+   signing, so we keep the same one. In this case force is set, and this
+   routine degenerates into killing any conflicting forward record. */
+static unsigned short get_id(int force, unsigned short force_id, unsigned int crc)
 {
   unsigned short ret = 0;
-
-  while (ret == 0)
+  
+  if (force)
     {
-      ret = rand16();
-      
-      /* scrap ids already in use */
-      if ((ret != 0) && lookup_frec(ret))
-	ret = 0;
+      struct frec *f = lookup_frec(force_id, crc);
+      if (f)
+	f->sentto = NULL; /* free */
+      ret = force_id;
     }
-
+  else do 
+    ret = rand16();
+  while (lookup_frec(ret, crc));
+  
   return ret;
 }
 

src/helper.c

@@ -0,0 +1,327 @@
+/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+*/
+
+#include "dnsmasq.h"
+
+/* This file has code to fork a helper process which recieves data via a pipe 
+   shared with the main process and which is responsible for calling a script when
+   DHCP leases change.
+
+   The helper process is forked before the main process drops root, so it retains root 
+   privs to pass on to the script. For this reason it tries to be paranoid about 
+   data received from the main process, in case that has been compromised. We don't
+   want the helper to give an attacker root. In particular, the script to be run is
+   not settable via the pipe, once the fork has taken place it is not alterable by the 
+   main process.
+*/
+
+struct script_data
+{
+  unsigned char action, hwaddr_len, hwaddr_type;
+  unsigned char clid_len, hostname_len, uclass_len, vclass_len;
+  struct in_addr addr;
+#ifdef HAVE_BROKEN_RTC
+  unsigned int length;
+#else
+  time_t expires;
+#endif
+  unsigned char hwaddr[DHCP_CHADDR_MAX];
+};
+
+static struct script_data *buf;
+static size_t bytes_in_buf, buf_size;
+
+int create_helper(struct daemon *daemon)
+{
+  pid_t pid;
+  int i, pipefd[2];
+  struct sigaction sigact;
+
+  buf = NULL;
+  buf_size = bytes_in_buf = 0;
+
+  if (!daemon->dhcp || !daemon->lease_change_command)
+    return -1;
+
+  /* create the pipe through which the main program sends us commands,
+   then fork our process. */
+  if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
+    return -1;
+  
+  if (pid != 0)
+    {
+      close(pipefd[0]); /* close reader side */
+      return pipefd[1];
+    }
+
+  /* ignore SIGTERM, so that we can clean up when the main process gets hit */
+  sigact.sa_handler = SIG_IGN;
+  sigact.sa_flags = 0;
+  sigemptyset(&sigact.sa_mask);
+  sigaction(SIGTERM, &sigact, NULL);
+
+  /* close all the sockets etc, we don't need them here */
+  for (i = 0; i < 64; i++)
+    if (i != STDOUT_FILENO && i != STDERR_FILENO && 
+	i != STDIN_FILENO && i != pipefd[0])
+      close(i);
+
+  /* we open our own log connection. */
+  log_start(daemon);
+  
+  /* don't give our end of the pipe to our children */
+  if ((i = fcntl(pipefd[0], F_GETFD)) != -1)
+    fcntl(pipefd[0], F_SETFD, i | FD_CLOEXEC); 
+      
+  /* loop here */
+  while(1)
+    {
+      struct script_data data;
+      char *p, *action_str, *hostname = NULL;
+      unsigned char *buf = (unsigned char *)daemon->namebuff;
+
+      /* we read zero bytes when pipe closed: this is our signal to exit */ 
+      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
+	_exit(0);
+      
+      if (data.action == ACTION_DEL)
+	action_str = "del";
+      else if (data.action == ACTION_ADD)
+	action_str = "add";
+      else if (data.action == ACTION_OLD || data.action == ACTION_OLD_HOSTNAME)
+	action_str = "old";
+      else
+	continue;
+	
+      /* stringify MAC into dhcp_buff */
+      p = daemon->dhcp_buff;
+      if (data.hwaddr_type != ARPHRD_ETHER || data.hwaddr_len == 0) 
+	p += sprintf(p, "%.2x-", data.hwaddr_type);
+      for (i = 0; (i < data.hwaddr_len) && (i < DHCP_CHADDR_MAX); i++)
+	{
+	  p += sprintf(p, "%.2x", data.hwaddr[i]);
+	  if (i != data.hwaddr_len - 1)
+	    p += sprintf(p, ":");
+	}
+      
+      /* and CLID into packet */
+      if (!read_write(pipefd[0], buf, data.clid_len, 1))
+	continue;
+      for (p = daemon->packet, i = 0; i < data.clid_len; i++)
+	{
+	  p += sprintf(p, "%.2x", buf[i]);
+	  if (i != data.clid_len - 1) 
+	    p += sprintf(p, ":");
+	}
+      
+      /* and expiry or length into dhcp_buff2 */
+#ifdef HAVE_BROKEN_RTC
+      sprintf(daemon->dhcp_buff2, "%u ", data.length);
+#else
+      sprintf(daemon->dhcp_buff2, "%lu ", (unsigned long)data.expires);
+#endif
+      
+      if (!read_write(pipefd[0], buf, data.hostname_len + data.uclass_len + data.vclass_len, 1))
+	continue;
+      
+      if ((pid = fork()) == -1)
+	continue;
+      
+      /* wait for child to complete */
+      if (pid != 0)
+	{
+	  int status;
+	  waitpid(pid, &status, 0);
+	  if (WIFSIGNALED(status))
+	    syslog(LOG_WARNING, _("child process killed by signal %d"), WTERMSIG(status));
+	  else if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+	    syslog(LOG_WARNING, _("child process exited with status %d"), WEXITSTATUS(status));
+	  continue;
+	}
+      
+      if (data.clid_len != 0)
+	setenv("DNSMASQ_CLIENT_ID", daemon->packet, 1);
+      else
+	unsetenv("DNSMASQ_CLIENT_ID");
+      
+#ifdef HAVE_BROKEN_RTC
+      setenv("DNSMASQ_LEASE_LENGTH", daemon->dhcp_buff2, 1);
+      unsetenv("DNSMASQ_LEASE_EXPIRES");
+#else
+      setenv("DNSMASQ_LEASE_EXPIRES", daemon->dhcp_buff2, 1); 
+      unsetenv("DNSMASQ_LEASE_LENGTH");
+#endif
+      
+      if (data.vclass_len != 0)
+	{
+	  buf[data.vclass_len - 1] = 0; /* don't trust zero-term */
+	  /* cannot have = chars in env - truncate if found . */
+	  if ((p = strchr((char *)buf, '=')))
+	    *p = 0;
+	  setenv("DNSMASQ_VENDOR_CLASS", (char *)buf, 1);
+	  buf += data.vclass_len;
+	}
+      else 
+	unsetenv("DNSMASQ_VENDOR_CLASS");
+      
+      if (data.uclass_len != 0)
+	{
+	  unsigned char *end = buf + data.uclass_len;
+	  buf[data.uclass_len - 1] = 0; /* don't trust zero-term */
+	  
+	  for (i = 0; buf < end;)
+	    {
+	      size_t len = strlen((char *)buf) + 1;
+	      if ((p = strchr((char *)buf, '=')))
+		*p = 0;
+	      if (strlen((char *)buf) != 0)
+		{
+		  sprintf(daemon->dhcp_buff2, "DNSMASQ_USER_CLASS%i", i++);
+		  setenv(daemon->dhcp_buff2, (char *)buf, 1);
+		}
+	      buf += len;
+	    }
+	}
+      
+      if (data.hostname_len != 0)
+	{
+	  hostname = (char *)buf;
+	  hostname[data.hostname_len - 1] = 0;
+	  canonicalise(hostname);
+	}
+      
+      if (data.action == ACTION_OLD_HOSTNAME && hostname)
+	{
+	  setenv("DNSMASQ_OLD_HOSTNAME", hostname, 1);
+	  hostname = NULL;
+	}
+      else
+	unsetenv("DNSMASQ_OLD_HOSTNAME");
+      
+      p =  strrchr(daemon->lease_change_command, '/');
+      execl(daemon->lease_change_command, 
+	    p ? p+1 : daemon->lease_change_command,
+	    action_str, daemon->dhcp_buff, inet_ntoa(data.addr), hostname, (char*)NULL);
+      
+      /* log socket should still be open, right? */
+      syslog(LOG_ERR, _("failed to execute %s: %m"), 
+	     daemon->lease_change_command);
+      _exit(0); 
+    }
+}
+
+/* pack up lease data into a buffer */    
+void queue_script(struct daemon *daemon, int action, struct dhcp_lease *lease, char *hostname)
+{
+  unsigned char *p;
+  size_t size;
+  unsigned int hostname_len = 0, clid_len = 0, vclass_len = 0, uclass_len = 0;
+
+  /* no script */
+  if (daemon->helperfd == -1)
+    return;
+
+  if (lease->vendorclass)
+    vclass_len = lease->vendorclass_len;
+  if (lease->userclass)
+    uclass_len = lease->userclass_len;
+  if (lease->clid)
+    clid_len = lease->clid_len;
+  if (hostname)
+    hostname_len = strlen(hostname) + 1;
+
+  size = sizeof(struct script_data) +  clid_len + vclass_len + uclass_len + hostname_len;
+
+  if (size > buf_size)
+    {
+      struct script_data *new;
+      
+      /* start with resonable size, will almost never need extending. */
+      if (size < sizeof(struct script_data) + 200)
+	size = sizeof(struct script_data) + 200;
+
+      if (!(new = malloc(size)))
+	return;
+      if (buf)
+	free(buf);
+      buf = new;
+      buf_size = size;
+    }
+
+  buf->action = action;
+  buf->hwaddr_len = lease->hwaddr_len;
+  buf->hwaddr_type = lease->hwaddr_type;
+  buf->clid_len = clid_len;
+  buf->vclass_len = vclass_len;
+  buf->uclass_len = uclass_len;
+  buf->hostname_len = hostname_len;
+  buf->addr = lease->addr;
+  memcpy(buf->hwaddr, lease->hwaddr, lease->hwaddr_len);
+#ifdef HAVE_BROKEN_RTC 
+  buf->length = lease->length;
+#else
+  buf->expires = lease->expires;
+#endif
+ 
+  p = (unsigned char *)(buf+1);
+  if (buf->clid_len != 0)
+    {
+      memcpy(p, lease->clid, clid_len);
+      p += clid_len;
+    }
+  if (buf->vclass_len != 0)
+    {
+      memcpy(p, lease->vendorclass, vclass_len);
+      p += vclass_len;
+    }
+  if (buf->uclass_len != 0)
+    {
+      memcpy(p, lease->userclass, uclass_len);
+      p += uclass_len;
+    }
+  if (buf->hostname_len != 0)
+    {
+      memcpy(p, hostname, hostname_len);
+      p += hostname_len;
+    }
+
+  bytes_in_buf = p - (unsigned char *)buf;
+}
+
+int helper_buf_empty(void)
+{
+  return bytes_in_buf == 0;
+}
+
+void helper_write(struct daemon *daemon)
+{
+  ssize_t rc;
+
+  if (bytes_in_buf == 0)
+    return;
+  
+  if ((rc = write(daemon->helperfd, buf, bytes_in_buf)) != -1)
+    {
+      if (bytes_in_buf != (size_t)rc)
+	memmove(buf, buf + rc, bytes_in_buf - rc); 
+      bytes_in_buf -= rc;
+    }
+  else
+    {
+      if (errno == EAGAIN || errno == EINTR)
+	return;
+      bytes_in_buf = 0;
+    }
+}
+
+
+

src/lease.c

@@ -12,77 +12,118 @@
 
 #include "dnsmasq.h"
 
-static struct dhcp_lease *leases;
+static struct dhcp_lease *leases, *old_leases;
 static int dns_dirty, file_dirty, leases_left;
 
 void lease_init(struct daemon *daemon, time_t now)
 {
-  unsigned int a0, a1, a2, a3;
   unsigned long ei;
-  unsigned char hwaddr[DHCP_CHADDR_MAX];
   struct in_addr addr;
   struct dhcp_lease *lease;
-  int clid_len = 0, hw_len, hw_type;
+  int flags, clid_len, hw_len, hw_type;
+  FILE *leasestream;
   
-  dns_dirty = 1;
-  file_dirty = 0;
-  leases = NULL;
+  leases = old_leases = NULL;
   leases_left = daemon->dhcp_max;
 
-  /* NOTE: need a+ mode to create file if it doesn't exist */
-  if (!(daemon->lease_stream = fopen(daemon->lease_file, "a+")))
-    die(_("cannot open or create leases file: %s"), NULL);
-    
-  /* a+ mode lease pointer at end. */
-  rewind(daemon->lease_stream);
-
+  if (daemon->options & OPT_LEASE_RO)
+    {
+      /* run "<lease_change_script> init" once to get the
+	 initial state of the database. If leasefile-ro is
+	 set without a script, we just do without any 
+	 lease database. */
+      if (!daemon->lease_change_command)
+	{
+	  file_dirty = dns_dirty = 0;
+	  return;
+	}
+      strcpy(daemon->dhcp_buff, daemon->lease_change_command);
+      strcat(daemon->dhcp_buff, " init");
+      leasestream = popen(daemon->dhcp_buff, "r");
+    }
+  else
+    {
+      /* NOTE: need a+ mode to create file if it doesn't exist */
+      leasestream = daemon->lease_stream = fopen(daemon->lease_file, "a+");
+      
+      if (!leasestream)
+	die(_("cannot open or create lease file %s: %s"), daemon->lease_file);
+      
+      flags = fcntl(fileno(leasestream), F_GETFD);
+      if (flags != -1)
+	fcntl(fileno(leasestream), F_SETFD, flags | FD_CLOEXEC); 
+      
+      /* a+ mode lease pointer at end. */
+      rewind(leasestream);
+    }
+  
   /* client-id max length is 255 which is 255*2 digits + 254 colons 
      borrow DNS packet buffer which is always larger than 1000 bytes */
-  while (fscanf(daemon->lease_stream, "%lu %255s %d.%d.%d.%d %255s %764s",
-		&ei, daemon->dhcp_buff2, &a0, &a1, &a2, &a3, 
-		daemon->dhcp_buff, daemon->packet) == 8)
-    {
-#ifndef HAVE_BROKEN_RTC
-      /* strictly time_t is opaque, but this hack should work on all sane systems,
-	 even when sizeof(time_t) == 8 */
-      time_t expires = (time_t)ei;
-      
-      if (ei != 0  && difftime(now, expires) > 0)
-	{
-	  file_dirty = 1;
-	  continue; /* expired */
-	}
-#endif
-
-      hw_len = parse_hex(daemon->dhcp_buff2, hwaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
-      /* For backwards compatibility, no explict MAC address type means ether. */
-      if (hw_type == 0 && hw_len != 0)
-	hw_type = ARPHRD_ETHER;
-
-      addr.s_addr = htonl((a0<<24) + (a1<<16) + (a2<<8) + a3);
-
-      /* decode hex in place */
-      if (strcmp(daemon->packet, "*") == 0)
+  if (leasestream)
+    while (fscanf(leasestream, "%lu %255s %16s %255s %764s",
+		  &ei, daemon->dhcp_buff2, daemon->namebuff, 
+		  daemon->dhcp_buff, daemon->packet) == 5)
+      {
+	hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
+	/* For backwards compatibility, no explict MAC address type means ether. */
+	if (hw_type == 0 && hw_len != 0)
+	  hw_type = ARPHRD_ETHER;
+	
+	addr.s_addr = inet_addr(daemon->namebuff);
+	
+	/* decode hex in place */
 	clid_len = 0;
-      else
-	clid_len = parse_hex(daemon->packet, (unsigned char *)daemon->packet, 255, NULL, NULL);
-      
-      if (!(lease = lease_allocate(hwaddr, (unsigned char *)daemon->packet, hw_len, hw_type, clid_len, addr)))
-	die (_("too many stored leases"), NULL);
-      
+	if (strcmp(daemon->packet, "*") != 0)
+	  clid_len = parse_hex(daemon->packet, (unsigned char *)daemon->packet, 255, NULL, NULL);
+	
+	if (!(lease = lease_allocate(addr)))
+	  die (_("too many stored leases"), NULL);
+	/* not actually new */
+	lease->new = 0;
+	
 #ifdef HAVE_BROKEN_RTC
-      if (ei != 0)
-	lease->expires = (time_t)ei + now;
-      else
-	lease->expires = (time_t)0;
-      lease->length = ei;
+	if (ei != 0)
+	  lease->expires = (time_t)ei + now;
+	else
+	  lease->expires = (time_t)0;
+	lease->length = ei;
 #else
-      lease->expires = expires;
+	/* strictly time_t is opaque, but this hack should work on all sane systems,
+	   even when sizeof(time_t) == 8 */
+	lease->expires = (time_t)ei;
 #endif
+	
+	lease_set_hwaddr(lease, (unsigned char *)daemon->dhcp_buff2, (unsigned char *)daemon->packet, hw_len, hw_type, clid_len);
+	
+	if (strcmp(daemon->dhcp_buff, "*") !=  0)
+	  lease_set_hostname(lease, daemon->dhcp_buff, daemon->domain_suffix, 0);
+      }
+  
+  if (!daemon->lease_stream)
+    {
+      int rc = 0;
 
-      if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	lease_set_hostname(lease, daemon->dhcp_buff, daemon->domain_suffix, 0);
+      /* shell returns 127 for "command not found", 126 for bad permissions. */
+      if (!leasestream || (rc = pclose(leasestream)) == -1 || WEXITSTATUS(rc) == 127 || WEXITSTATUS(rc) == 126)
+	{
+	  if (WEXITSTATUS(rc) == 127)
+	    errno = ENOENT;
+	  else if (WEXITSTATUS(rc) == 126)
+	    errno = EACCES;
+	  die(_("cannot run lease-init script %s: %s"), daemon->lease_change_command);
+	}
+      
+      if (WEXITSTATUS(rc) != 0)
+	{
+	  sprintf(daemon->dhcp_buff, "%d", WEXITSTATUS(rc));
+	  die(_("lease-init script returned exit code %s"), daemon->dhcp_buff);
+	}
     }
+
+  /* Some leases may have expired */
+  file_dirty = 0;
+  lease_prune(NULL, now);
+  dns_dirty = 1;
 }
 
 void lease_update_from_configs(struct daemon *daemon)
@@ -103,67 +144,83 @@ void lease_update_from_configs(struct daemon *daemon)
       lease_set_hostname(lease, name, daemon->domain_suffix, 1); /* updates auth flag only */
 }
 
-void lease_update_file(struct daemon *daemon)
+static void ourprintf(struct daemon *daemon, int *errp, char *format, ...)
+{
+  va_list ap;
+  
+  va_start(ap, format);
+  if (!(*errp) && vfprintf(daemon->lease_stream, format, ap) < 0)
+    *errp = errno;
+  va_end(ap);
+}
+
+void lease_update_file(struct daemon *daemon, time_t now)
 {
   struct dhcp_lease *lease;
-  int i;
-  
-  if (file_dirty != 0)
+  time_t next_event;
+  int i, err = 0;
+
+  if (file_dirty != 0 && daemon->lease_stream)
     {
       errno = 0;
       rewind(daemon->lease_stream);
       if (errno != 0 || ftruncate(fileno(daemon->lease_stream), 0) != 0)
-	{
-	write_err:
-	  syslog(LOG_ERR, _("failed to write %s: %m (retry in %ds)"), daemon->lease_file, LEASE_RETRY);
-	  alarm(LEASE_RETRY);
-	  return;
-	}
+	err = errno;
       
       for (lease = leases; lease; lease = lease->next)
 	{
 #ifdef HAVE_BROKEN_RTC
-	  if (fprintf(daemon->lease_stream, "%u ", lease->length) < 0)
-	    goto write_err;
+	  ourprintf(daemon, &err, "%u ", lease->length);
 #else
-	  if (fprintf(daemon->lease_stream, "%lu ", (unsigned long)lease->expires) < 0)
-	    goto write_err;
+	  ourprintf(daemon, &err, "%lu ", (unsigned long)lease->expires);
 #endif
-	  if ((lease->hwaddr_type != ARPHRD_ETHER || lease->hwaddr_len == 0) && 
-	      fprintf(daemon->lease_stream, "%.2x-", lease->hwaddr_type) < 0)
-	    goto write_err;
+	  if (lease->hwaddr_type != ARPHRD_ETHER || lease->hwaddr_len == 0) 
+	    ourprintf(daemon, &err, "%.2x-", lease->hwaddr_type);
 	  for (i = 0; i < lease->hwaddr_len; i++)
 	    {
-	      if (fprintf(daemon->lease_stream, "%.2x", lease->hwaddr[i]) < 0)
-		goto write_err;
-	      if (i != lease->hwaddr_len - 1 &&
-		  fprintf(daemon->lease_stream, ":") < 0)
-		goto write_err;
+	      ourprintf(daemon, &err, "%.2x", lease->hwaddr[i]);
+	      if (i != lease->hwaddr_len - 1)
+		ourprintf(daemon, &err, ":");
 	    }
-	  if (fprintf(daemon->lease_stream, " %s %s ", inet_ntoa(lease->addr),
-		      lease->hostname && strlen(lease->hostname) != 0 ? lease->hostname : "*") < 0)
-	    goto write_err;
+	  ourprintf(daemon, &err, " %s %s ", inet_ntoa(lease->addr),
+		    lease->hostname && strlen(lease->hostname) != 0 ? lease->hostname : "*");
 	  
 	  if (lease->clid && lease->clid_len != 0)
 	    {
 	      for (i = 0; i < lease->clid_len - 1; i++)
-		if (fprintf(daemon->lease_stream, "%.2x:", lease->clid[i]) < 0)
-		  goto write_err;
-	      if (fprintf(daemon->lease_stream, "%.2x\n", lease->clid[i]) < 0)
-		goto write_err;
+		ourprintf(daemon, &err, "%.2x:", lease->clid[i]);
+	      ourprintf(daemon, &err, "%.2x\n", lease->clid[i]);
 	    }
 	  else
-	    if (fprintf(daemon->lease_stream, "*\n") < 0)
-	      goto write_err;
-	  
+	    ourprintf(daemon, &err, "*\n");	  
 	}
-
-      if (fflush(daemon->lease_stream) != 0)
-	goto write_err;
-      if (fsync(fileno(daemon->lease_stream)) < 0)
-	goto write_err;
-      file_dirty = 0;
+      
+      if (fflush(daemon->lease_stream) != 0 ||
+	  fsync(fileno(daemon->lease_stream)) < 0)
+	err = errno;
+      
+      if (!err)
+	file_dirty = 0;
     }
+  
+  /* Set alarm for when the first lease expires + slop. */
+  for (next_event = 0, lease = leases; lease; lease = lease->next)
+    if (lease->expires != 0 &&
+	(next_event == 0 || difftime(next_event, lease->expires + 10) > 0.0))
+      next_event = lease->expires + 10;
+   
+  if (err)
+    {
+      if (next_event == 0 || difftime(next_event, LEASE_RETRY + now) > 0.0)
+	next_event = LEASE_RETRY + now;
+      
+      syslog(LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
+	     daemon->lease_file, strerror(err),
+	     (unsigned int)difftime(next_event, now));
+    }
+
+  if (next_event != 0)
+    alarm((unsigned)difftime(next_event, now)); 
 }
 
 void lease_update_dns(struct daemon *daemon)
@@ -194,18 +251,16 @@ void lease_prune(struct dhcp_lease *target, time_t now)
       if ((lease->expires != 0 && difftime(now, lease->expires) > 0) || lease == target)
 	{
 	  file_dirty = 1;
-
-	  *up = lease->next; /* unlink */
 	  if (lease->hostname)
-	    {
-	      free(lease->hostname); 
-	      dns_dirty = 1;
-	    }
-	  if (lease->fqdn)
-	    free(lease->fqdn);
-	  if (lease->clid)
-	    free(lease->clid);
-	  free(lease);
+	    dns_dirty = 1;
+	  
+	  *up = lease->next; /* unlink */
+	  
+	  /* Put on old_leases list 'till we
+	     can run the script */
+	  lease->next = old_leases;
+	  old_leases = lease;
+	  
 	  leases_left++;
 	}
       else
@@ -248,30 +303,20 @@ struct dhcp_lease *lease_find_by_addr(struct in_addr addr)
 }
 
 
-struct dhcp_lease *lease_allocate(unsigned char *hwaddr, unsigned char *clid, 
-				  int hw_len, int hw_type, int clid_len, struct in_addr addr)
+struct dhcp_lease *lease_allocate(struct in_addr addr)
 {
   struct dhcp_lease *lease;
   if (!leases_left || !(lease = malloc(sizeof(struct dhcp_lease))))
     return NULL;
 
-  lease->clid = NULL;
-  lease->hostname = lease->fqdn = NULL;  
+  memset(lease, 0, sizeof(struct dhcp_lease));
+  lease->new = 1;
   lease->addr = addr;
-  memset(lease->hwaddr, 0, DHCP_CHADDR_MAX);
-  lease->hwaddr_len = 0;
-  lease->hwaddr_type = 0;
+  lease->hwaddr_len = 256; /* illegal value */
   lease->expires = 1;
 #ifdef HAVE_BROKEN_RTC
   lease->length = 0xffffffff; /* illegal value */
 #endif
-  
-  if (!lease_set_hwaddr(lease, hwaddr, clid, hw_len, hw_type, clid_len))
-    {
-      free(lease);
-      return NULL;
-    }
-
   lease->next = leases;
   leases = lease;
   
@@ -296,7 +341,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
       dns_dirty = 1;
       lease->expires = exp;
 #ifndef HAVE_BROKEN_RTC
-      file_dirty = 1;
+      lease->aux_changed = file_dirty = 1;
 #endif
     }
   
@@ -304,27 +349,22 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
   if (len != lease->length)
     {
       lease->length = len;
-      file_dirty = 1;
+      lease->aux_changed = file_dirty = 1; 
     }
 #endif
 } 
 
-int lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
+void lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
 		      unsigned char *clid, int hw_len, int hw_type, int clid_len)
 {
-  /* must have some sort of unique-id */
-  if (hw_len == 0 && (clid_len == 0 || !clid))
-    return 0;
-
   if (hw_len != lease->hwaddr_len ||
       hw_type != lease->hwaddr_type || 
-      hw_len == 0 ||
-      memcmp(lease->hwaddr, hwaddr, hw_len) != 0)
+      (hw_len != 0 && memcmp(lease->hwaddr, hwaddr, hw_len) != 0))
     {
-      file_dirty = 1;
       memcpy(lease->hwaddr, hwaddr, hw_len);
       lease->hwaddr_len = hw_len;
       lease->hwaddr_type = hw_type;
+      lease->changed = file_dirty = 1; /* run script on change */
     }
 
   /* only update clid when one is available, stops packets
@@ -337,20 +377,19 @@ int lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
 
       if (lease->clid_len != clid_len)
 	{
-	  file_dirty = 1;
+	  lease->aux_changed = file_dirty = 1;
 	  if (lease->clid)
 	    free(lease->clid);
 	  if (!(lease->clid = malloc(clid_len)))
-	    return 0;
+	    return;
 	}
       else if (memcmp(lease->clid, clid, clid_len) != 0)
-	file_dirty = 1;
-      
+	lease->aux_changed = file_dirty = 1;
+	  
       lease->clid_len = clid_len;
       memcpy(lease->clid, clid, clid_len);
     }
 
-  return 1;
 }
 
 void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int auth)
@@ -363,7 +402,7 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
       lease->auth_name = auth;
       return;
     }
-
+  
   if (!name && !lease->hostname)
     return;
 
@@ -379,7 +418,11 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
 	  {
 	    if (lease_tmp->auth_name && !auth)
 	      return;
-	    new_name = lease_tmp->hostname;
+	    /* this shouldn't happen unless updates are very quick and the
+	       script very slow, we just avoid a memory leak if it does. */
+	    if (lease_tmp->old_hostname)
+	      free(lease_tmp->old_hostname);
+	    lease_tmp->old_hostname = lease_tmp->hostname;
 	    lease_tmp->hostname = NULL;
 	    if (lease_tmp->fqdn)
 	      {
@@ -401,7 +444,13 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
     }
 
   if (lease->hostname)
-    free(lease->hostname);
+    {
+      /* run script to say we lost our old name */
+      if (lease->old_hostname)
+	free(lease->old_hostname);
+      lease->old_hostname = lease->hostname;
+    }
+
   if (lease->fqdn)
     free(lease->fqdn);
   
@@ -410,8 +459,87 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
   lease->auth_name = auth;
   
   file_dirty = 1;
-  dns_dirty = 1;
+  dns_dirty = 1; 
+  lease->changed = 1; /* run script on change */
 }
 
+/* deleted leases get transferred to the old_leases list.
+   remove them here, after calling the lease change
+   script. Also run the lease change script on new/modified leases.
 
+   Return zero if nothing to do. */
+int do_script_run(struct daemon *daemon)
+{
+  struct dhcp_lease *lease;
+
+  if (old_leases)
+    {
+      lease = old_leases;
+                  
+      /* If the lease still has an old_hostname, do the "old" action on that first */
+      if (lease->old_hostname)
+	{
+	  queue_script(daemon, ACTION_OLD_HOSTNAME, lease, lease->old_hostname);
+	  free(lease->old_hostname);
+	  lease->old_hostname = NULL;
+	  return 1;
+	}
+      else 
+	{
+	  queue_script(daemon, ACTION_DEL, lease, lease->hostname);
+	  old_leases = lease->next;
+	  
+	  if (lease->hostname)
+	    free(lease->hostname); 
+	  if (lease->fqdn)
+	    free(lease->fqdn);
+	  if (lease->clid)
+	    free(lease->clid);
+	  if (lease->vendorclass)
+	    free(lease->vendorclass);
+	  if (lease->userclass)
+	    free(lease->userclass);
+	  free(lease);
+	    
+	  return 1; 
+	}
+    }
+  
+  /* make sure we announce the loss of a hostname before its new location. */
+  for (lease = leases; lease; lease = lease->next)
+    if (lease->old_hostname)
+      {	
+	queue_script(daemon, ACTION_OLD_HOSTNAME, lease, lease->old_hostname);
+	free(lease->old_hostname);
+	lease->old_hostname = NULL;
+	return 1;
+      }
+  
+  for (lease = leases; lease; lease = lease->next)
+    if (lease->new || lease->changed || 
+	(lease->aux_changed && (daemon->options & OPT_LEASE_RO)))
+      {
+	queue_script(daemon, lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname);
+	lease->new = lease->changed = lease->aux_changed = 0;
+	
+	/* these are used for the "add" call, then junked, since they're not in the database */
+	if (lease->vendorclass)
+	  {
+	    free(lease->vendorclass);
+	    lease->vendorclass = NULL;
+	  }
+	if (lease->userclass)
+	  {
+	    free(lease->userclass);
+	    lease->userclass = NULL;
+	  }
+	
+	return 1;
+      }
+
+  return 0; /* nothing to do */
+}
+	  
+
+      
 

src/netlink.c

@@ -18,6 +18,14 @@
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
 
+/* linux 2.6.19 buggers up the headers, patch it up here. */ 
+#ifndef IFA_RTA
+#  define IFA_RTA(r)  \
+       ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
+
+#  include <linux/if_addr.h>
+#endif
+
 static struct iovec iov;
 
 static void nl_err(struct nlmsghdr *h);
@@ -36,10 +44,26 @@ void netlink_init(struct daemon *daemon)
   addr.nl_groups = RTMGRP_IPV4_ROUTE;
 #endif
   
-  if ((daemon->netlinkfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) == -1 ||
-      bind(daemon->netlinkfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
-    die(_("cannot create RTnetlink socket: %s"), NULL);
+  /* May not be able to have permission to set multicast groups don't die in that case */
+  if ((daemon->netlinkfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) != -1)
+    {
+      if (bind(daemon->netlinkfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
+	{
+	  addr.nl_groups = 0;
+	  if (errno != EPERM || bind(daemon->netlinkfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
+	    daemon->netlinkfd = -1;
+	}
+    }
   
+  if (daemon->netlinkfd == -1)
+    die(_("cannot create netlink socket: %s"), NULL);
+  else
+    {
+      int flags = fcntl(daemon->netlinkfd, F_GETFD);
+      if (flags != -1)
+	fcntl(daemon->netlinkfd, F_SETFD, flags | FD_CLOEXEC); 
+    }
+
   iov.iov_len = 200;
   iov.iov_base = safe_malloc(iov.iov_len);
 }
@@ -104,7 +128,7 @@ int iface_enumerate(struct daemon *daemon, void *parm, int (*ipv4_callback)(), i
  again:
   req.nlh.nlmsg_len = sizeof(req);
   req.nlh.nlmsg_type = RTM_GETADDR;
-  req.nlh.nlmsg_flags = NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST;
+  req.nlh.nlmsg_flags = NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST | NLM_F_ACK; 
   req.nlh.nlmsg_pid = 0;
   req.nlh.nlmsg_seq = ++seq;
   req.g.rtgen_family = family; 
@@ -205,7 +229,7 @@ static void nl_err(struct nlmsghdr *h)
 {
   struct nlmsgerr *err = NLMSG_DATA(h);
   if (err->error != 0)
-    syslog(LOG_ERR, _("RTnetlink returns error: %s"), strerror(-(err->error)));
+    syslog(LOG_ERR, _("netlink returns error: %s"), strerror(-(err->error)));
 }
 
 /* We arrange to receive netlink multicast messages whenever the network route is added.
@@ -224,45 +248,6 @@ static void nl_routechange(struct daemon *daemon, struct nlmsghdr *h)
 		     &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send()); 
     }
 }
-
-void arp_inject(int fd, struct in_addr ip_addr, int iface, 
-		unsigned char *mac, unsigned int mac_len)
-{
-  struct sockaddr_nl addr;
-  struct {
-    struct nlmsghdr nlh;
-    struct ndmsg m;
-    struct rtattr addr_attr;
-    struct in_addr addr;
-    struct rtattr ll_attr;
-    char mac[DHCP_CHADDR_MAX];
-  } req;
-  
-  memset(&req, 0, sizeof(req));
-  memset(&addr, 0, sizeof(addr));
-
-  addr.nl_family = AF_NETLINK;
-
-  req.nlh.nlmsg_len = sizeof(req);
-  req.nlh.nlmsg_type = RTM_NEWNEIGH;
-  req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_REPLACE | NLM_F_CREATE;
-
-  req.m.ndm_family = AF_INET;
-  req.m.ndm_ifindex = iface;
-  req.m.ndm_state = NUD_REACHABLE;
-
-  req.addr_attr.rta_type = NDA_DST;
-  req.addr_attr.rta_len = RTA_LENGTH(sizeof(struct in_addr));
-  req.addr = ip_addr;
-
-  req.ll_attr.rta_type = NDA_LLADDR;
-  req.ll_attr.rta_len = RTA_LENGTH(mac_len);
-  memcpy(req.mac, mac, mac_len);
-
-  while(sendto(fd, (void *)&req, sizeof(req), 0, (struct sockaddr *)&addr, sizeof(addr)) == -1 && 
-	retry_send());
-}
-
 #endif
 
       

src/network.c

@@ -12,46 +12,76 @@
 
 #include "dnsmasq.h"
 
-int iface_check(struct daemon *daemon, int family, struct all_addr *addr, char *name)
+int iface_check(struct daemon *daemon, int family, struct all_addr *addr, 
+		struct ifreq *ifr, int *indexp)
 {
   struct iname *tmp;
+  int ret = 1;
 
-  for (tmp = daemon->if_except; tmp; tmp = tmp->next)
-    if (tmp->name && (strcmp(tmp->name, name) == 0))
-      return 0;
+  /* Note: have to check all and not bail out early, so that we set the
+     "used" flags. */
 
-  if (daemon->if_names || daemon->if_addrs)
+  if (indexp)
     {
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+      /* One form of bridging on FreeBSD has the property that packets
+	 can be recieved on bridge interfaces which do not have an IP address.
+	 We allow these to be treated as aliases of another interface which does have
+	 an IP address with --dhcp-bridge=interface,alias,alias */
+      struct dhcp_bridge *bridge, *alias;
+      for (bridge = daemon->bridges; bridge; bridge = bridge->next)
+	{
+	  for (alias = bridge->alias; alias; alias = alias->next)
+	    if (strncmp(ifr->ifr_name, alias->iface, IF_NAMESIZE) == 0)
+	      {
+		int newindex;
+		
+		if (!(newindex = if_nametoindex(bridge->iface)))
+		  {
+		    syslog(LOG_WARNING, _("unknown interface %s in bridge-interface"), ifr->ifr_name);
+		    return 0;
+		  }
+		else 
+		  {
+		    *indexp = newindex;
+		    strncpy(ifr->ifr_name,  bridge->iface, IF_NAMESIZE);
+		    break;
+		  }
+	      }
+	  if (alias)
+	    break;
+	}
+#endif
+    }
+  
+  if (daemon->if_names || (addr && daemon->if_addrs))
+    {
+      ret = 0;
+
       for (tmp = daemon->if_names; tmp; tmp = tmp->next)
-	if (tmp->name && (strcmp(tmp->name, name) == 0))
-	  {
-	    tmp->used = 1;
-	    return 1;
-	  }
-      
+	if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+	  ret = tmp->used = 1;
+	        
       for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
-	if (tmp->addr.sa.sa_family == family)
+	if (addr && tmp->addr.sa.sa_family == family)
 	  {
 	    if (family == AF_INET &&
 		tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
-	      {
-		tmp->used = 1;
-		return 1;
-	      }
+	      ret = tmp->used = 1;
 #ifdef HAVE_IPV6
 	    else if (family == AF_INET6 &&
 		     IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, 
 					&addr->addr.addr6))
-	      {
-		tmp->used = 1;
-		return 1;
-	      }
+	      ret = tmp->used = 1;
 #endif
 	  }          
-      return 0;
     }
   
-  return 1; 
+  for (tmp = daemon->if_except; tmp; tmp = tmp->next)
+    if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+      ret = 0;
+  
+  return ret; 
 }
       
 static int iface_allowed(struct daemon *daemon, struct irec **irecp, int if_index, 
@@ -60,6 +90,8 @@ static int iface_allowed(struct daemon *daemon, struct irec **irecp, int if_inde
   struct irec *iface;
   int fd;
   struct ifreq ifr;
+  int dhcp_ok = 1;
+  struct iname *tmp;
   
   /* check whether the interface IP has been added already 
      we call this routine multiple times. */
@@ -113,12 +145,16 @@ static int iface_allowed(struct daemon *daemon, struct irec **irecp, int if_inde
     }
   
   if (addr->sa.sa_family == AF_INET &&
-      !iface_check(daemon, AF_INET, (struct all_addr *)&addr->in.sin_addr, ifr.ifr_name))
+      !iface_check(daemon, AF_INET, (struct all_addr *)&addr->in.sin_addr, &ifr, NULL))
     return 1;
-
+  
+  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+    if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
+      dhcp_ok = 0;
+  
 #ifdef HAVE_IPV6
   if (addr->sa.sa_family == AF_INET6 &&
-      !iface_check(daemon, AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, ifr.ifr_name))
+      !iface_check(daemon, AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, &ifr, NULL))
     return 1;
 #endif
 
@@ -127,8 +163,9 @@ static int iface_allowed(struct daemon *daemon, struct irec **irecp, int if_inde
     {
       iface->addr = *addr;
       iface->netmask = netmask;
+      iface->dhcp_ok = dhcp_ok;
       iface->next = *irecp;
-      *irecp = iface; 
+      *irecp = iface;
       return 1;
     }
   
@@ -145,6 +182,7 @@ static int iface_allowed_v6(struct daemon *daemon, struct in6_addr *local,
   
   netmask.s_addr = 0;
   
+  memset(&addr, 0, sizeof(addr));
 #ifdef HAVE_SOCKADDR_SA_LEN
   addr.in6.sin6_len = sizeof(addr.in6);
 #endif
@@ -152,8 +190,7 @@ static int iface_allowed_v6(struct daemon *daemon, struct in6_addr *local,
   addr.in6.sin6_addr = *local;
   addr.in6.sin6_port = htons(daemon->port);
   addr.in6.sin6_scope_id = scope;
-  addr.in6.sin6_flowinfo = 0;
-
+  
   return iface_allowed(daemon, (struct irec **)vparam, if_index, &addr, netmask);
 }
 #endif
@@ -162,7 +199,8 @@ static int iface_allowed_v4(struct daemon *daemon, struct in_addr local, int if_
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
 {
   union mysockaddr addr;
-  
+
+  memset(&addr, 0, sizeof(addr));
 #ifdef HAVE_SOCKADDR_SA_LEN
   addr.in.sin_len = sizeof(addr.in);
 #endif
@@ -184,21 +222,32 @@ int enumerate_interfaces(struct daemon *daemon)
 #endif
 }
 
-#if defined(HAVE_IPV6) && \
-       (defined(HAVE_LINUX_NETWORK) || \
-       (defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR)))
+/* set NONBLOCK and CLOEXEC bits on fd: See Stevens 16.6 */
+int fix_fd(int fd)
+{
+  int flags;
+
+  if ((flags = fcntl(fd, F_GETFL)) == -1 ||
+      fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ||
+      (flags = fcntl(fd, F_GETFD)) == -1 ||
+      fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
+    return 0;
+
+  return 1;
+}
+
+#if defined(HAVE_IPV6)
 static int create_ipv6_listener(struct listener **link, int port)
 {
   union mysockaddr addr;
-  int tcpfd, fd, flags, save;
+  int tcpfd, fd;
   struct listener *l;
   int opt = 1;
 
+  memset(&addr, 0, sizeof(addr));
   addr.in6.sin6_family = AF_INET6;
   addr.in6.sin6_addr = in6addr_any;
   addr.in6.sin6_port = htons(port);
-  addr.in6.sin6_flowinfo = 0;
-  addr.in6.sin6_scope_id = 0;
 #ifdef HAVE_SOCKADDR_SA_LEN
   addr.in6.sin6_len = sizeof(addr.in6);
 #endif
@@ -210,21 +259,14 @@ static int create_ipv6_listener(struct listener **link, int port)
 	    errno == EINVAL);
   
   if ((tcpfd = socket(AF_INET6, SOCK_STREAM, 0)) == -1)
-    {
-      save = errno;
-      close(fd);
-      errno = save;
-      return 0;
-    }
-  
+    return 0;
+      
   if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
       setsockopt(tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
       setsockopt(fd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
       setsockopt(tcpfd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
-      (flags = fcntl(fd, F_GETFL, 0)) == -1 ||
-      fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ||
-      (flags = fcntl(tcpfd, F_GETFL, 0)) == -1 ||
-      fcntl(tcpfd, F_SETFL, flags | O_NONBLOCK) == -1 ||
+      !fix_fd(fd) ||
+      !fix_fd(tcpfd) ||
 #ifdef IPV6_RECVPKTINFO
       setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1 ||
 #else
@@ -233,17 +275,12 @@ static int create_ipv6_listener(struct listener **link, int port)
       bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
       listen(tcpfd, 5) == -1 ||
       bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1) 
-    {
-      save = errno;
-      close(fd);
-      close(tcpfd);
-      errno = save;
-      return 0;
-    }
-  
+    return 0;
+      
   l = safe_malloc(sizeof(struct listener));
   l->fd = fd;
   l->tcpfd = tcpfd;
+  l->tftpfd = -1;
   l->family = AF_INET6;
   l->next = NULL;
   *link = l;
@@ -252,18 +289,14 @@ static int create_ipv6_listener(struct listener **link, int port)
 }
 #endif
 
-struct listener *create_wildcard_listeners(int port)
+struct listener *create_wildcard_listeners(int port, int have_tftp)
 {
-#if !(defined(HAVE_LINUX_NETWORK) || (defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR)))
-  port = 0; /* eliminate warning */
-  return NULL;
-#else
   union mysockaddr addr;
   int opt = 1;
   struct listener *l, *l6 = NULL;
-  int flags;
-  int tcpfd, fd;
+  int tcpfd, fd, tftpfd = -1;
 
+  memset(&addr, 0, sizeof(addr));
   addr.in.sin_family = AF_INET;
   addr.in.sin_addr.s_addr = INADDR_ANY;
   addr.in.sin_port = htons(port);
@@ -271,26 +304,19 @@ struct listener *create_wildcard_listeners(int port)
   addr.in.sin_len = sizeof(struct sockaddr_in);
 #endif
 
-  if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+  if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
+      (tcpfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     return NULL;
   
-  if ((tcpfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
-    {
-      close (fd);
-      return NULL;
-    }
-  
   if (setsockopt(tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
       bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
       listen(tcpfd, 5) == -1 ||
-      (flags = fcntl(tcpfd, F_GETFL, 0)) == -1 ||
-      fcntl(tcpfd, F_SETFL, flags | O_NONBLOCK) == -1 ||
+      !fix_fd(tcpfd) ||
 #ifdef HAVE_IPV6
       !create_ipv6_listener(&l6, port) ||
 #endif
       setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-      (flags = fcntl(fd, F_GETFL, 0)) == -1 ||
-      fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ||
+      !fix_fd(fd) ||
 #if defined(HAVE_LINUX_NETWORK) 
       setsockopt(fd, SOL_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1 ||
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
@@ -298,29 +324,43 @@ struct listener *create_wildcard_listeners(int port)
       setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1 ||
 #endif 
       bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
+    return NULL;
+
+#ifdef HAVE_TFTP
+  if (have_tftp)
     {
-      close(fd);
-      close(tcpfd);
-      return NULL;
+      addr.in.sin_port = htons(TFTP_PORT);
+      if ((tftpfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+	return NULL;
+      
+      if (setsockopt(tftpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	  !fix_fd(tftpfd) ||
+#if defined(HAVE_LINUX_NETWORK) 
+	  setsockopt(tftpfd, SOL_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1 ||
+#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
+	  setsockopt(tftpfd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
+	  setsockopt(tftpfd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1 ||
+#endif 
+	  bind(tftpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
+	return NULL;
     }
+#endif
   
   l = safe_malloc(sizeof(struct listener));
   l->family = AF_INET;
   l->fd = fd;
   l->tcpfd = tcpfd;
+  l->tftpfd = tftpfd;
   l->next = l6;
 
   return l;
-
-#endif
 }
 
 struct listener *create_bound_listeners(struct daemon *daemon)
 {
-
   struct listener *listeners = NULL;
   struct irec *iface;
-  int flags, opt = 1;
+  int opt = 1;
   
   for (iface = daemon->interfaces; iface; iface = iface->next)
     {
@@ -328,15 +368,14 @@ struct listener *create_bound_listeners(struct daemon *daemon)
       new->family = iface->addr.sa.sa_family;
       new->iface = iface;
       new->next = listeners;
+      new->tftpfd = -1;
+
       if ((new->tcpfd = socket(iface->addr.sa.sa_family, SOCK_STREAM, 0)) == -1 ||
 	  (new->fd = socket(iface->addr.sa.sa_family, SOCK_DGRAM, 0)) == -1 ||
 	  setsockopt(new->fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
 	  setsockopt(new->tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-	  /* See Stevens 16.6 */
-	  (flags = fcntl(new->tcpfd, F_GETFL, 0)) == -1 ||
-	  fcntl(new->tcpfd, F_SETFL, flags | O_NONBLOCK) == -1 ||
-	  (flags = fcntl(new->fd, F_GETFL, 0)) == -1 ||
-	  fcntl(new->fd, F_SETFL, flags | O_NONBLOCK) == -1)
+	  !fix_fd(new->tcpfd) ||
+	  !fix_fd(new->fd))
 	die(_("failed to create listening socket: %s"), NULL);
       
 #ifdef HAVE_IPV6
@@ -372,15 +411,26 @@ struct listener *create_bound_listeners(struct daemon *daemon)
 	   if (listen(new->tcpfd, 5) == -1)
 	     die(_("failed to listen on socket: %s"), NULL);
 	 }
+
+      if ((daemon->options & OPT_TFTP) && iface->addr.sa.sa_family == AF_INET && iface->dhcp_ok)
+	{
+	  short save = iface->addr.in.sin_port;
+	  iface->addr.in.sin_port = htons(TFTP_PORT);
+	  if ((new->tftpfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
+	      setsockopt(new->tftpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	      !fix_fd(new->tftpfd) ||
+	      bind(new->tftpfd, &iface->addr.sa, sa_len(&iface->addr)) == -1)
+	    die(_("failed to create TFTP socket: %s"), NULL);
+	  iface->addr.in.sin_port = save;
+	}
     }
-  
+
   return listeners;
 }
 
 struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds)
 {
   struct serverfd *sfd;
-  int flags;
 
   /* may have a suitable one already */
   for (sfd = *sfds; sfd; sfd = sfd->next )
@@ -399,8 +449,7 @@ struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds)
     }
   
   if (bind(sfd->fd, (struct sockaddr *)addr, sa_len(addr)) == -1 ||
-      (flags = fcntl(sfd->fd, F_GETFL, 0)) == -1 ||
-      fcntl(sfd->fd, F_SETFL, flags | O_NONBLOCK) == -1)
+      !fix_fd(sfd->fd))
     {
       int errsave = errno; /* save error from bind. */
       close(sfd->fd);
@@ -422,11 +471,6 @@ void check_servers(struct daemon *daemon)
   struct server *new, *tmp, *ret = NULL;
   int port = 0;
 
-  /* forward table rules reference servers, so have to blow them away */
-  forward_init(0);
-  
-  daemon->last_server = daemon->srv_save = NULL;
-  
   for (new = daemon->servers; new; new = tmp)
     {
       tmp = new->next;
@@ -435,6 +479,14 @@ void check_servers(struct daemon *daemon)
 	{
 	  port = prettyprint_addr(&new->addr, daemon->namebuff);
 
+	  /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
+	  if (new->addr.sa.sa_family == AF_INET &&
+	      new->addr.in.sin_addr.s_addr == 0)
+	    {
+	      free(new);
+	      continue;
+	    }
+
 	  for (iface = daemon->interfaces; iface; iface = iface->next)
 	    if (sockaddr_isequal(&new->addr, &iface->addr))
 	      break;
@@ -478,25 +530,37 @@ void check_servers(struct daemon *daemon)
   
   daemon->servers = ret;
 }
-  
-void reload_servers(char *fname, struct daemon *daemon)
+
+/* Return zero if no servers found, in that case we keep polling.
+   This is a protection against an update-time/write race on resolv.conf */
+int reload_servers(char *fname, struct daemon *daemon)
 {
   FILE *f;
   char *line;
   struct server *old_servers = NULL;
   struct server *new_servers = NULL;
-  struct server *serv = daemon->servers;
+  struct server *serv;
+  int gotone = 0;
 
+  /* buff happens to be MAXDNAME long... */
+  if (!(f = fopen(fname, "r")))
+    {
+      syslog(LOG_ERR, _("failed to read %s: %m"), fname);
+      return 0;
+    }
+  
   /* move old servers to free list - we can reuse the memory 
      and not risk malloc if there are the same or fewer new servers. 
      Servers which were specced on the command line go to the new list. */
-  while (serv)
+  for (serv = daemon->servers; serv;)
     {
       struct server *tmp = serv->next;
       if (serv->flags & SERV_FROM_RESOLV)
 	{
 	  serv->next = old_servers;
-	  old_servers = serv;
+	  old_servers = serv; 
+	  /* forward table rules reference servers, so have to blow them away */
+	  server_gone(daemon, serv);
 	}
       else
 	{
@@ -505,82 +569,68 @@ void reload_servers(char *fname, struct daemon *daemon)
 	}
       serv = tmp;
     }
-
-  /* buff happens to be NAXDNAME long... */
-  f = fopen(fname, "r");
-  if (!f)
-    {
-      syslog(LOG_ERR, _("failed to read %s: %m"), fname);
-    }
-  else
-    {
-      syslog(LOG_INFO, _("reading %s"), fname);
-      while ((line = fgets(daemon->namebuff, MAXDNAME, f)))
-	{
-	  union  mysockaddr addr, source_addr;
-	  char *token = strtok(line, " \t\n\r");
-	  struct server *serv;
-	  
-	  if (!token || strcmp(token, "nameserver") != 0)
-	    continue;
-	  if (!(token = strtok(NULL, " \t\n\r")))
-	    continue;
-	  
-#ifdef HAVE_IPV6
-          if (inet_pton(AF_INET, token, &addr.in.sin_addr) > 0)
-#else
-          if ((addr.in.sin_addr.s_addr = inet_addr(token)) != (in_addr_t) -1)
-#endif
-	    {
-#ifdef HAVE_SOCKADDR_SA_LEN
-	      source_addr.in.sin_len = addr.in.sin_len = sizeof(source_addr.in);
-#endif
-	      source_addr.in.sin_family = addr.in.sin_family = AF_INET;
-	      addr.in.sin_port = htons(NAMESERVER_PORT);
-	      source_addr.in.sin_addr.s_addr = INADDR_ANY;
-	      source_addr.in.sin_port = htons(daemon->query_port);
-	    }
-#ifdef HAVE_IPV6
-	  else if (inet_pton(AF_INET6, token, &addr.in6.sin6_addr) > 0)
-	    {
-#ifdef HAVE_SOCKADDR_SA_LEN
-	      source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(source_addr.in6);
-#endif
-	      source_addr.in6.sin6_family = addr.in6.sin6_family = AF_INET6;
-	      addr.in6.sin6_port = htons(NAMESERVER_PORT);
-	      source_addr.in6.sin6_flowinfo = addr.in6.sin6_flowinfo = 0;
-	      source_addr.in6.sin6_scope_id = addr.in6.sin6_scope_id = 0;
-	      source_addr.in6.sin6_addr = in6addr_any;
-	      source_addr.in6.sin6_port = htons(daemon->query_port);
-	    }
-#endif /* IPV6 */
-	  else
-	    continue;
-	  
-	  if (old_servers)
-	    {
-	      serv = old_servers;
-	      old_servers = old_servers->next;
-	    }
-	  else if (!(serv = malloc(sizeof (struct server))))
-	    continue;
-	  
-	  /* this list is reverse ordered: 
-	     it gets reversed again in check_servers */
-	  serv->next = new_servers;
-	  new_servers = serv;
-	  serv->addr = addr;
-	  serv->source_addr = source_addr;
-	  serv->domain = NULL;
-	  serv->sfd = NULL;
-	  serv->flags = SERV_FROM_RESOLV;
-	}
   
-      fclose(f);
-    }
+  while ((line = fgets(daemon->namebuff, MAXDNAME, f)))
+    {
+      union mysockaddr addr, source_addr;
+      char *token = strtok(line, " \t\n\r");
+      
+      if (!token || strcmp(token, "nameserver") != 0)
+	continue;
+      if (!(token = strtok(NULL, " \t\n\r")))
+	continue;
+      
+      memset(&addr, 0, sizeof(addr));
+      memset(&source_addr, 0, sizeof(source_addr));
+      
+      if ((addr.in.sin_addr.s_addr = inet_addr(token)) != (in_addr_t) -1)
+	{
+#ifdef HAVE_SOCKADDR_SA_LEN
+	  source_addr.in.sin_len = addr.in.sin_len = sizeof(source_addr.in);
+#endif
+	  source_addr.in.sin_family = addr.in.sin_family = AF_INET;
+	  addr.in.sin_port = htons(NAMESERVER_PORT);
+	  source_addr.in.sin_addr.s_addr = INADDR_ANY;
+	  source_addr.in.sin_port = htons(daemon->query_port);
+	}
+#ifdef HAVE_IPV6
+      else if (inet_pton(AF_INET6, token, &addr.in6.sin6_addr) > 0)
+	{
+#ifdef HAVE_SOCKADDR_SA_LEN
+	  source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(source_addr.in6);
+#endif
+	  source_addr.in6.sin6_family = addr.in6.sin6_family = AF_INET6;
+	  addr.in6.sin6_port = htons(NAMESERVER_PORT);
+	  source_addr.in6.sin6_addr = in6addr_any;
+	  source_addr.in6.sin6_port = htons(daemon->query_port);
+	}
+#endif /* IPV6 */
+      else
+	continue;
+      
+      if (old_servers)
+	{
+	  serv = old_servers;
+	  old_servers = old_servers->next;
+	}
+      else if (!(serv = malloc(sizeof (struct server))))
+	continue;
+      
+      /* this list is reverse ordered: 
+	 it gets reversed again in check_servers */
+      serv->next = new_servers;
+      new_servers = serv;
+      serv->addr = addr;
+      serv->source_addr = source_addr;
+      serv->domain = NULL;
+      serv->sfd = NULL;
+      serv->flags = SERV_FROM_RESOLV;
 
+      gotone = 1;
+    }
+  
   /* Free any memory not used. */
-  while(old_servers)
+  while (old_servers)
     {
       struct server *tmp = old_servers->next;
       free(old_servers);
@@ -588,6 +638,9 @@ void reload_servers(char *fname, struct daemon *daemon)
     }
 
   daemon->servers = new_servers;
+  fclose(f);
+
+  return gotone;
 }
 
 

src/rfc1035.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000 - 2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000 - 2006 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
       unsigned int label_type = l & 0xc0;
       if (label_type == 0xc0) /* pointer */
 	{ 
-	  if (p - (unsigned char *)header + 1u >= plen)
+	  if ((size_t)(p - (unsigned char *)header + 1) >= plen)
 	    return 0;
 	      
 	  /* get offset */
@@ -70,7 +70,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	  /* output is \[x<hex>/siz]. which is digs+9 chars */
 	  if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME)
 	    return 0;
-	  if (p - (unsigned char *)header + ((count-1)>>3) + 1u >= plen)
+	  if ((size_t)(p - (unsigned char *)header + ((count-1)>>3) + 1) >= plen)
 	    return 0;
 
 	  *cp++ = '\\';
@@ -94,7 +94,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	{ /* label_type = 0 -> label. */
 	  if (cp - (unsigned char *)name + l + 1 >= MAXDNAME)
 	    return 0;
-	  if (p - (unsigned char *)header + 1u >= plen)
+	  if ((size_t)(p - (unsigned char *)header + 1) >= plen)
 	    return 0;
 	  for(j=0; j<l; j++, p++)
 	    if (isExtract)
@@ -134,7 +134,11 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
     }
 
   if (isExtract)
-    *--cp = 0; /* terminate: lose final period */
+    {
+      if (cp != (unsigned char *)name)
+	cp--;
+      *cp = 0; /* terminate: lose final period */
+    }
   else if (*cp != 0)
     retvalue = 2;
     
@@ -337,7 +341,8 @@ static unsigned char *skip_section(unsigned char *ansp, int count, HEADER *heade
    retransmision and to detect answers to questions we didn't ask, which 
    might be poisoning attacks. Note that we decode the name rather 
    than CRC the raw bytes, since replies might be compressed differently. 
-   We ignore case in the names for the same reason. */
+   We ignore case in the names for the same reason. Return all-ones
+   if there is not question section. */
 unsigned int questions_crc(HEADER *header, size_t plen, char *name)
 {
   int q;
@@ -403,21 +408,49 @@ size_t resize_packet(HEADER *header, size_t plen, unsigned char *pheader, size_t
   return ansp - (unsigned char *)header;
 }
 
-unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsigned char **p)
+unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsigned char **p, int *is_sign)
 {
   /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it. 
-     also return length of pseudoheader in *len and pointer to the UDP size in *p */
+     also return length of pseudoheader in *len and pointer to the UDP size in *p
+     Finally, check to see if a packet is signed. If it is we cannot change a single bit before
+     forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
   
   int i, arcount = ntohs(header->arcount);
-  unsigned char *ansp;
-  unsigned short rdlen, type;
+  unsigned char *ansp = (unsigned char *)(header+1);
+  unsigned short rdlen, type, class;
+  unsigned char *ret = NULL;
 
-  if (arcount == 0 || !(ansp = skip_questions(header, plen)))
+  if (is_sign)
+    {
+      *is_sign = 0;
+
+      if (header->opcode == QUERY)
+	{
+	  for (i = 0; i < ntohs(header->qdcount); i++)
+	    {
+	      if (!(ansp = skip_name(ansp, header, plen)))
+		return NULL;
+	      
+	      GETSHORT(type, ansp); 
+	      GETSHORT(class, ansp);
+	      
+	      if (class == C_IN && type == T_TKEY)
+		*is_sign = 1;
+	    }
+	}
+    }
+  else
+    {
+      if (!(ansp = skip_questions(header, plen)))
+	return NULL;
+    }
+    
+  if (arcount == 0)
     return NULL;
   
   if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
     return NULL; 
-    
+  
   for (i = 0; i < arcount; i++)
     {
       unsigned char *save, *start = ansp;
@@ -426,22 +459,28 @@ unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsi
 
       GETSHORT(type, ansp);
       save = ansp;
-      ansp += 6; /* class, TTL */
+      GETSHORT(class, ansp);
+      ansp += 4; /* TTL */
       GETSHORT(rdlen, ansp);
       if ((size_t)(ansp + rdlen - (unsigned char *)header) > plen) 
 	return NULL;
-       ansp += rdlen;
-       if (type == T_OPT)
+      ansp += rdlen;
+      if (type == T_OPT)
 	{
 	  if (len)
 	    *len = ansp - start;
 	  if (p)
 	    *p = save;
-	  return start;
+	  ret = start;
 	}
+      else if (is_sign && 
+	       i == arcount - 1 && 
+	       class == C_ANY && 
+	       (type == T_SIG || type == T_TSIG))
+	*is_sign = 1;
     }
   
-  return NULL;
+  return ret;
 }
       
   
@@ -740,7 +779,8 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now, stru
 }
 
 /* If the packet holds exactly one query
-   return 1 and leave the name from the query in name. */
+   return F_IPV4 or F_IPV6  and leave the name from the query in name. 
+   Abuse F_BIGNAME to indicate an NS query - yuck. */
 
 unsigned short extract_request(HEADER *header, size_t qlen, char *name, unsigned short *typep)
 {
@@ -770,6 +810,8 @@ unsigned short extract_request(HEADER *header, size_t qlen, char *name, unsigned
 	return F_IPV6;
       if (qtype == T_ANY)
 	return  F_IPV4 | F_IPV6;
+      if (qtype == T_NS || qtype == T_SOA)
+	return F_QUERY | F_BIGNAME;
     }
   
   return F_QUERY;
@@ -971,27 +1013,25 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp, *pheader;
-  int qtype, qclass, is_arpa;
+  int qtype, qclass;
   struct all_addr addr;
   unsigned int nameoffset;
   unsigned short flag;
   int qdcount = ntohs(header->qdcount); 
   int q, ans, anscount = 0, addncount = 0;
   int dryrun = 0, sec_reqd = 0;
+  int is_sign;
   struct crec *crecp;
   int nxdomain = 0, auth = 1, trunc = 0;
   struct mx_srv_record *rec;
  
-  if (!qdcount || header->opcode != QUERY )
-    return 0;
-
   /* If there is an RFC2671 pseudoheader then it will be overwritten by
      partial replies, so we have to do a dry run to see if we can answer
      the query. We check to see if the do bit is set, if so we always
      forward rather than answering from the cache, which doesn't include
      security information. */
 
-  if (find_pseudoheader(header, qlen, NULL, &pheader))
+  if (find_pseudoheader(header, qlen, NULL, &pheader, &is_sign))
     { 
       unsigned short udpsz, ext_rcode, flags;
       unsigned char *psave = pheader;
@@ -1006,12 +1046,15 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
 	 than we allow, trim it so that we don't get an overlarge
 	 response from upstream */
 
-      if (udpsz > daemon->edns_pktsz)
+      if (!is_sign && (udpsz > daemon->edns_pktsz))
 	PUTSHORT(daemon->edns_pktsz, psave); 
 
       dryrun = 1;
     }
 
+  if (!qdcount || header->opcode != QUERY )
+    return 0;
+  
   for (rec = daemon->mxnames; rec; rec = rec->next)
     rec->offset = 0;
   
@@ -1031,11 +1074,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
       /* now extract name as .-concatenated string into name */
       if (!extract_name(header, qlen, &p, name, 1))
 	return 0; /* bad packet */
-      
-      /* see if it's w.z.y.z.in-addr.arpa format */
-
-      is_arpa = in_arpa_name_2_addr(name, &addr);
-      
+            
       GETSHORT(qtype, p); 
       GETSHORT(qclass, p);
 
@@ -1066,7 +1105,16 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
 	{
 	  if (qtype == T_PTR || qtype == T_ANY)
 	    {
-	      if (!(crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
+	      /* see if it's w.z.y.z.in-addr.arpa format */
+	      int is_arpa = in_arpa_name_2_addr(name, &addr);
+	      struct ptr_record *ptr;
+
+	      for (ptr = daemon->ptr; ptr; ptr = ptr->next)
+		if (hostname_isequal(name, ptr->name))
+		  break;
+
+	      if (!ptr &&
+		  !(crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
 		{ 
 		  if (is_arpa == F_IPV4 && (daemon->options & OPT_BOGUSPRIV) && private_net(&addr))
 		    {
@@ -1077,6 +1125,21 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen, struct daemon *d
 			log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, name, &addr, 0, NULL, 0);
 		    }
 		}
+	      else if (ptr)
+		{
+		  ans = 1;
+		  if (!dryrun)
+		    {
+		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_BIGNAME, name, NULL, 0, NULL, 0);
+		      for (ptr = daemon->ptr; ptr; ptr = ptr->next)
+			if (hostname_isequal(name, ptr->name))
+			  {
+			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL,
+						    T_PTR, C_IN, "d", ptr->ptr))
+			      anscount++;
+			  }
+		    }
+		}
 	      else do 
 		{ 
 		  /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */

src/tftp.c

@@ -0,0 +1,510 @@
+/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_TFTP
+
+static struct tftp_file *check_tftp_fileperm(struct daemon *daemon, ssize_t *len);
+static void free_transfer(struct tftp_transfer *transfer);
+static ssize_t tftp_err(int err, char *packet, char *mess, char *file);
+static ssize_t tftp_err_oops(char *packet, char *file);
+static ssize_t get_block(char *packet, struct tftp_transfer *transfer);
+static char *next(char **p, char *end);
+
+#define OP_RRQ  1
+#define OP_WRQ  2
+#define OP_DATA 3
+#define OP_ACK  4
+#define OP_ERR  5
+#define OP_OACK 6
+
+#define ERR_NOTDEF 0
+#define ERR_FNF    1
+#define ERR_PERM   2
+#define ERR_FULL   3
+#define ERR_ILL    4
+
+void tftp_request(struct listener *listen, struct daemon *daemon, time_t now)
+{
+  ssize_t len;
+  char *packet = daemon->packet;
+  char *filename, *mode, *p, *end, *opt;
+  struct sockaddr_in addr, peer;
+  struct msghdr msg;
+  struct cmsghdr *cmptr;
+  struct iovec iov;
+  struct ifreq ifr;
+  int is_err = 1, if_index = 0;
+  struct iname *tmp;
+  struct tftp_transfer *transfer, *t;
+
+  union {
+    struct cmsghdr align; /* this ensures alignment */
+#ifdef HAVE_LINUX_NETWORK
+    char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
+#else
+    char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
+#endif
+  } control_u; 
+
+  msg.msg_controllen = sizeof(control_u);
+  msg.msg_control = control_u.control;
+  msg.msg_flags = 0;
+  msg.msg_name = &peer;
+  msg.msg_namelen = sizeof(peer);
+  msg.msg_iov = &iov;
+  msg.msg_iovlen = 1;
+
+  iov.iov_base = packet;
+  iov.iov_len = daemon->packet_buff_sz;
+
+  /* we overwrote the buffer... */
+  daemon->srv_save = NULL;
+
+  if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2)
+    return;
+  
+  if (daemon->options & OPT_NOWILD)
+    addr = listen->iface->addr.in;
+  else
+    {
+      addr.sin_addr.s_addr = 0;
+      
+#if defined(HAVE_LINUX_NETWORK)
+      for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+	if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
+	  {
+	    addr.sin_addr = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_spec_dst;
+	    if_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
+	  }
+      if (!(ifr.ifr_ifindex = if_index) || 
+	  ioctl(listen->tftpfd, SIOCGIFNAME, &ifr) == -1)
+	return;
+      
+#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
+      for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+	if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+	  addr.sin_addr = *((struct in_addr *)CMSG_DATA(cmptr));
+	else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	  if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+      
+      if (if_index == 0 || !if_indextoname(if_index, ifr.ifr_name))
+	return;
+      
+#endif
+      
+      if (addr.sin_addr.s_addr == 0)
+	return;
+      
+      if (!iface_check(daemon, AF_INET, (struct all_addr *)&addr, &ifr, &if_index))
+	return;
+      
+      /* allowed interfaces are the same as for DHCP */
+      for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+	if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
+	  return;
+      
+    }
+  
+  /* tell kernel to use ephemeral port */
+  addr.sin_port = 0;
+  addr.sin_family = AF_INET;
+#ifdef HAVE_SOCKADDR_SA_LEN
+  addr.sin_len = sizeof(addr);
+#endif
+  
+  if (!(transfer = malloc(sizeof(struct tftp_transfer))))
+    return;
+  
+  if ((transfer->sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+    {
+      free(transfer);
+      return;
+    }
+  
+  transfer->peer = peer;
+  transfer->timeout = now + 1;
+  transfer->backoff = 1;
+  transfer->block = 1;
+  transfer->blocksize = 512;
+  transfer->file = NULL;
+  transfer->opt_blocksize = transfer->opt_transize = 0;
+
+  if (bind(transfer->sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
+      !fix_fd(transfer->sockfd))
+    {
+      free_transfer(transfer);
+      return;
+    }
+
+  p = packet + 2;
+  end = packet + len;
+
+  if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
+      !(filename = next(&p, end)) ||
+      !(mode = next(&p, end)) ||
+      strcasecmp(mode, "octet") != 0)
+    len = tftp_err(ERR_ILL, packet, _("unsupported request from %s"), inet_ntoa(peer.sin_addr));
+  else
+    {
+      while ((opt = next(&p, end)))
+	{
+	  if (strcasecmp(opt, "blksize") == 0 &&
+	      (opt = next(&p, end)) &&
+	      !(daemon->options & OPT_TFTP_NOBLOCK))
+	    {
+	      transfer->blocksize = atoi(opt);
+	      if (transfer->blocksize < 1)
+		transfer->blocksize = 1;
+	      if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+		transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+	      transfer->opt_blocksize = 1;
+	      transfer->block = 0;
+	    }
+	  
+	  if (strcasecmp(opt, "tsize") == 0 && next(&p, end))
+	    {
+	      transfer->opt_transize = 1;
+	      transfer->block = 0;
+	    }
+	}
+
+      if (daemon->tftp_prefix)
+	{
+	  strncpy(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
+	  if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/' &&
+	      filename[0] != '/')
+	    strncat(daemon->namebuff, "/", MAXDNAME);
+	}
+      else if (filename[0] != '/')
+	strncpy(daemon->namebuff, "/", MAXDNAME);
+      else
+	daemon->namebuff[0] = 0;
+	
+      strncat(daemon->namebuff, filename, MAXDNAME);
+      daemon->namebuff[MAXDNAME-1] = 0;
+
+      /* If we're doing many tranfers from the same file, only 
+	 open it once this saves lots of file descriptors 
+	 when mass-booting a big cluster, for instance. */
+      for (t = daemon->tftp_trans; t; t = t->next)
+	if (strcmp(t->file->filename, daemon->namebuff) == 0)
+	  break;
+
+      if (t)
+	{
+	  /* file already open */
+	  transfer->file = t->file;
+	  transfer->file->refcount++;
+	}
+      else 
+	/* check permissions and open file */
+	transfer->file = check_tftp_fileperm(daemon, &len);
+      
+      if (transfer->file)
+	{
+	  if ((len = get_block(packet, transfer)) == -1)
+	    len = tftp_err_oops(packet, daemon->namebuff);
+	  else
+	    is_err = 0;
+	}
+    }
+  
+  while (sendto(transfer->sockfd, packet, len, 0, 
+		(struct sockaddr *)&peer, sizeof(peer)) == -1 && errno == EINTR);
+  
+  if (is_err)
+    free_transfer(transfer);
+  else
+    {
+      syslog(LOG_INFO, _("TFTP sent %s to %s"), daemon->namebuff, inet_ntoa(peer.sin_addr));
+      transfer->next = daemon->tftp_trans;
+      daemon->tftp_trans = transfer;
+    }
+}
+ 
+static struct tftp_file *check_tftp_fileperm(struct daemon *daemon, ssize_t *len)
+{
+  char *packet = daemon->packet, *namebuff = daemon->namebuff;
+  struct tftp_file *file;
+  uid_t uid = geteuid();
+  struct stat statbuf;
+
+  /* trick to ban moving out of the subtree */
+  if (daemon->tftp_prefix && strstr(namebuff, "/../"))
+    {
+      errno = EACCES;
+      goto perm;
+    }
+
+  if (stat(namebuff, &statbuf) == -1)
+    {
+      if (errno == ENOENT || errno == ENOTDIR)
+	goto nofile;
+      else if (errno == EACCES)
+	goto perm;
+      else
+	goto oops;
+    }
+
+  /* running as root, must be world-readable */
+  if (uid == 0)
+    {
+      if (!(statbuf.st_mode & S_IROTH))
+	{
+	  errno = EACCES;
+	  goto perm;
+	}
+    }
+  /* in secure mode, must be owned by user running dnsmasq */
+  else if ((daemon->options & OPT_TFTP_SECURE) && uid != statbuf.st_uid)
+    {
+      errno = EACCES;
+      goto perm;
+    }
+
+  if (!(file = malloc(sizeof(struct tftp_file) + strlen(namebuff) + 1)))
+    {
+      errno = ENOMEM;
+      goto oops;
+    }
+
+  if ((file->fd = open(namebuff, O_RDONLY)) == -1)
+    {
+      free(file);
+      if (errno == EACCES || errno == EISDIR)
+	goto perm;
+      else
+	goto oops;
+    }
+
+  file->size = statbuf.st_size;
+  file->refcount = 1;
+  strcpy(file->filename, namebuff);
+  return file;
+
+nofile:
+  *len = tftp_err(ERR_FNF, packet, _("file %s not found"), namebuff);
+  return NULL;
+
+ perm:
+  *len =  tftp_err(ERR_PERM, packet, _("cannot access %s: %s"), namebuff);
+  return NULL;
+
+oops:
+  *len =  tftp_err_oops(packet, namebuff);
+  return NULL;
+}
+
+void check_tftp_listeners(struct daemon *daemon, fd_set *rset, time_t now)
+{
+  struct tftp_transfer *transfer, *tmp, **up;
+  ssize_t len;
+  
+  struct ack {
+    unsigned short op, block;
+  } *mess = (struct ack *)daemon->packet;
+  
+  /* Check for activity on any existing transfers */
+  for (transfer = daemon->tftp_trans, up = &daemon->tftp_trans; transfer; transfer = tmp)
+    {
+      tmp = transfer->next;
+      
+      if (FD_ISSET(transfer->sockfd, rset))
+	{
+	  /* we overwrote the buffer... */
+	  daemon->srv_save = NULL;
+	  
+	  if ((len = recv(transfer->sockfd, daemon->packet, daemon->packet_buff_sz, 0)) >= (ssize_t)sizeof(struct ack))
+	    {
+	      if (ntohs(mess->op) == OP_ACK && ntohs(mess->block) == (unsigned short)transfer->block) 
+		{
+		  /* Got ack, ensure we take the (re)transmit path */
+		  transfer->timeout = now;
+		  transfer->backoff = 0;
+		  transfer->block++;
+		}
+	      else if (ntohs(mess->op) == OP_ERR)
+		{
+		  char *p = daemon->packet + sizeof(struct ack);
+		  char *end = daemon->packet + len;
+		  char *err = next(&p, end);
+		  /* Sanitise error message */
+		  if (!err)
+		    err = "";
+		  else
+		    {
+		      char *q, *r;
+		      for (q = r = err; *r; r++)
+			if (isprint(*r))
+			  *(q++) = *r;
+		      *q = 0;
+		    }
+		  syslog(LOG_ERR, _("TFTP error %d %s received from %s"),
+			 (int)ntohs(mess->block), err, 
+			 inet_ntoa(transfer->peer.sin_addr));	
+		  
+		  /* Got err, ensure we take abort */
+		  transfer->timeout = now;
+		  transfer->backoff = 100;
+		}
+	    }
+	}
+      
+      if (difftime(now, transfer->timeout) >= 0.0)
+	{
+	  int endcon = 0;
+
+	  /* timeout, retransmit */
+	  transfer->timeout += 1<<(transfer->backoff);
+	  	  
+	  /* we overwrote the buffer... */
+	  daemon->srv_save = NULL;
+	 
+	  if ((len = get_block(daemon->packet, transfer)) == -1)
+	    {
+	      len = tftp_err_oops(daemon->packet, transfer->file->filename);
+	      endcon = 1;
+	    }
+	  else if (++transfer->backoff > 5)
+	    {
+	      /* don't complain about timeout when we're awaiting the last
+		 ACK, some clients never send it */
+	      if (len != 0)
+		syslog(LOG_ERR, _("TFTP failed sending %s to %s"), 
+		       transfer->file->filename, inet_ntoa(transfer->peer.sin_addr));
+	      len = 0;
+	    }
+	  
+	  if (len != 0)
+	    while(sendto(transfer->sockfd, daemon->packet, len, 0, 
+			 (struct sockaddr *)&transfer->peer, sizeof(transfer->peer)) == -1 && errno == EINTR);
+	  
+	  if (endcon || len == 0)
+	    {
+	      /* unlink */
+	      *up = tmp;
+	      free_transfer(transfer);
+	      continue;
+	    }
+	}
+
+      up = &transfer->next;
+    }
+}
+
+static void free_transfer(struct tftp_transfer *transfer)
+{
+  close(transfer->sockfd);
+  if (transfer->file && (--transfer->file->refcount) == 0)
+    {
+      close(transfer->file->fd);
+      free(transfer->file);
+    }
+  free(transfer);
+}
+
+static char *next(char **p, char *end)
+{
+  char *ret = *p;
+  size_t len;
+
+  if (*(end-1) != 0 || 
+      *p == end ||
+      (len = strlen(ret)) == 0)
+    return NULL;
+
+  *p += len + 1;
+  return ret;
+}
+
+static ssize_t tftp_err(int err, char *packet, char *message, char *file)
+{
+  struct errmess {
+    unsigned short op, err;
+    char message[];
+  } *mess = (struct errmess *)packet;
+  ssize_t ret = 4;
+  char *errstr = strerror(errno);
+ 
+  mess->op = htons(OP_ERR);
+  mess->err = htons(err);
+  ret += (snprintf(mess->message, 500,  message, file, errstr) + 1);
+  if (err != ERR_FNF)
+    syslog(LOG_ERR, "TFTP %s", mess->message);
+  
+  return  ret;
+}
+
+static ssize_t tftp_err_oops(char *packet, char *file)
+{
+  return tftp_err(ERR_NOTDEF, packet, _("cannot read %s: %s"), file);
+}
+
+/* return -1 for error, zero for done. */
+static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
+{
+  if (transfer->block == 0)
+    {
+      /* send OACK */
+      char *p;
+      struct oackmess {
+	unsigned short op;
+	char data[];
+      } *mess = (struct oackmess *)packet;
+      
+      p = mess->data;
+      mess->op = htons(OP_OACK);
+      if (transfer->opt_blocksize)
+	{
+	  p += (sprintf(p, "blksize") + 1);
+	  p += (sprintf(p, "%d", transfer->blocksize) + 1);
+	}
+      if (transfer->opt_transize)
+	{
+	  p += (sprintf(p,"tsize") + 1);
+	  p += (sprintf(p, "%u", (unsigned int)transfer->file->size) + 1);
+	}
+
+      return p - packet;
+    }
+  else
+    {
+      /* send data packet */
+      struct datamess {
+	unsigned short op, block;
+	unsigned char data[];
+      } *mess = (struct datamess *)packet;
+      
+      off_t offset = transfer->blocksize * (transfer->block - 1);
+      size_t size = transfer->file->size - offset; 
+      
+      if (offset > transfer->file->size)
+	return 0; /* finished */
+      
+      if (size > transfer->blocksize)
+	size = transfer->blocksize;
+      
+      lseek(transfer->file->fd, offset, SEEK_SET);
+      
+      mess->op = htons(OP_DATA);
+      mess->block = htons((unsigned short)(transfer->block));
+      
+      if (!read_write(transfer->file->fd, mess->data, size, 1))
+	return -1;
+      else
+	return size + 4;
+    }
+}
+
+#endif

src/util.c

@@ -92,11 +92,12 @@ unsigned short rand16(void)
 int legal_char(char c)
 {
   /* check for legal char a-z A-Z 0-9 - 
-     (also / , used for RFC2317 and _ used in windows queries) */
+     (also / , used for RFC2317 and _ used in windows queries
+     and space, for DNS-SD stuff) */
   if ((c >= 'A' && c <= 'Z') ||
       (c >= 'a' && c <= 'z') ||
       (c >= '0' && c <= '9') ||
-      c == '-' || c == '/' || c == '_')
+      c == '-' || c == '/' || c == '_' || c == ' ')
     return 1;
   
   return 0;
@@ -396,3 +397,62 @@ int expand_buf(struct iovec *iov, size_t size)
 
   return 1;
 }
+
+char *print_mac(struct daemon *daemon, unsigned char *mac, int len)
+{
+  char *p = daemon->namebuff;
+  int i;
+   
+  if (len == 0)
+    sprintf(p, "<null>");
+  else
+    for (i = 0; i < len; i++)
+      p += sprintf(p, "%.2x%s", mac[i], (i == len - 1) ? "" : ":");
+  
+  return daemon->namebuff;
+}
+
+void bump_maxfd(int fd, int *max)
+{
+  if (fd > *max)
+    *max = fd;
+}
+
+void log_start(struct daemon *daemon)
+{
+  if (daemon->options & OPT_DEBUG)   
+    {
+#ifdef LOG_PERROR
+      openlog("dnsmasq", LOG_PERROR, daemon->log_fac);
+#else
+      openlog("dnsmasq", 0, daemon->log_fac);
+#endif
+    }
+  else
+    openlog("dnsmasq", LOG_PID, daemon->log_fac);
+}
+
+int read_write(int fd, unsigned char *packet, int size, int rw)
+{
+  ssize_t n, done;
+  
+  for (done = 0; done < size; done += n)
+    {
+    retry:
+      if (rw)
+        n = read(fd, &packet[done], (size_t)(size - done));
+      else
+        n = write(fd, &packet[done], (size_t)(size - done));
+
+      if (n == 0)
+        return 0;
+      else if (n == -1)
+        {
+          if (errno == EINTR || errno == ENOMEM || errno == ENOBUFS)
+            goto retry;
+          else
+            return 0;
+        }
+    }
+  return 1;
+}