import of dnsmasq-2.51.tar.gz

COPYING-v3

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.

FAQ

@@ -1,7 +1,7 @@
 Q: Why does dnsmasq open UDP ports >1024 as well as port 53.
    Is this a security problem/trojan/backdoor?
 
-A: The high ports that dnsmasq opens is for replies from the upstream
+A: The high ports that dnsmasq opens are for replies from the upstream
    nameserver(s). Queries from dnsmasq to upstream nameservers are sent
    from these ports and replies received to them. The reason for doing this is
    that most firewall setups block incoming packets _to_ port 53, in order
@@ -16,6 +16,14 @@ A: The high ports that dnsmasq opens is for replies from the upstream
    you to specify the UDP port to be used for this purpose.  If not
    specified, the operating system will select an available port number
    just as it did before.
+
+   Second addendum: following the discovery of a security flaw in the
+   DNS protocol, dnsmasq from version 2.43 has changed behavior. It
+   now uses a new, randomly selected, port for each query. The old
+   default behaviour (use one port allocated by the OS) is available by
+   setting --query-port=0, and setting the query port to a positive
+   value is still works. You should think hard and know what you are
+   doing before using either of these options.
  
 Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify
    that?
@@ -39,10 +47,9 @@ A: They are negative entries: that's what the N flag means. Dnsmasq asked
 
 Q: Will dnsmasq compile/run on non-Linux systems?
 
-A: Yes, there is explicit support for *BSD and MacOS X. There are
-   start-up scripts for MacOS X Tiger and Panther in /contrib. Earlier
-   dnsmasq releases ran under Solaris, but that capability has
-   rotted. Dnsmasq will link with uclibc to provide small
+A: Yes, there is explicit support for *BSD and MacOS X and Solaris. 
+   There are start-up scripts for MacOS X Tiger and Panther 
+   in /contrib. Dnsmasq will link with uclibc to provide small
    binaries suitable for use in embedded systems such as
    routers. (There's special code to support machines with flash
    filesystems and no battery-backed RTC.)
@@ -50,7 +57,7 @@ A: Yes, there is explicit support for *BSD and MacOS X. There are
    ports and building dnsmasq with "make MAKE=gmake" 
    For other systems, try altering the settings in config.h.
  
-Q: My companies' nameserver knows about some names which aren't in the
+Q: My company's nameserver knows about some names which aren't in the
    public DNS. Even though I put it first in /etc/resolv.conf, it
    dosen't work: dnsmasq seems not to use the nameservers in the order
    given. What am I doing wrong?
@@ -227,7 +234,7 @@ A: What is happening is this: The boot process sends a DHCP
 Q: What network types are supported by the DHCP server?
   
 A: Ethernet (and 802.11 wireless) are supported on all platforms. On
-   Linux Token Ring is also supported.
+   Linux all network types (including FireWire) are supported.
 
 Q: What is this strange "bind-interface" option?
 
@@ -325,6 +332,17 @@ A: By default, the identity of a machine is determined by using the
    method for setting the client-id varies with DHCP client software,
    dhcpcd uses the "-I" flag. Windows uses a registry setting,
    see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm
+Addendum:
+   From version 2.46, dnsmasq has a solution to this which doesn't
+   involve setting client-IDs. It's possible to put more than one MAC
+   address in a --dhcp-host configuration. This tells dnsmasq that it
+   should use the specified IP for any of the specified MAC addresses,
+   and furthermore it gives dnsmasq permission to sumarily abandon a
+   lease to one of the MAC addresses if another one comes along. Note
+   that this will work fine only as longer as only one interface is
+   up at any time. There is no way for dnsmasq to enforce this
+   constraint: if you configure multiple MAC addresses and violate 
+   this rule, bad things will happen.
 
 Q: Can dnsmasq do DHCP on IP-alias interfaces?
 
@@ -380,12 +398,20 @@ A: This a variant on the iptables problem. Explicit details on how to
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html
  
 
-Q: Dnsmasq logs "running as root because setting capabilities failed"
-   when it starts up. Why did that happen and what can do to fix it?
+Q: I'm using dnsmasq on a machine with the shorewall firewall, and
+   DHCP doesn't work. What's the problem?
+
+A: This a variant on the iptables problem. Explicit details on how to
+   proceed can be found at 
+   http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001764.html
+
+
+Q: Dnsmasq fails to start up with a message about capabilities.
+   Why did that happen and what can do to fix it?
 
 A: Change your kernel configuration: either deselect CONFIG_SECURITY
-   _or_ select CONFIG_SECURITY_CAPABILITIES.
-
+   _or_ select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can 
+   remove the need to set capabilities by running dnsmasq as root.
 
 Q: Where can I get .rpms Suitable for Suse?
 
@@ -429,9 +455,6 @@ A: In almost all cases: none. If you have the normal arrangement with
    chain reaction runaway will occur. To avoid this, use syslog-ng
    and turn on syslog-ng's dns-cache function.
 
- 
-
-
 
 
 

Makefile

@@ -1,18 +1,46 @@
-PREFIX ?= /usr/local
-BINDIR ?= ${PREFIX}/sbin
-MANDIR ?= ${PREFIX}/share/man
-LOCALEDIR ?= ${PREFIX}/share/locale
+# dnsmasq is Copyright (c) 2000-2009 Simon Kelley
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; version 2 dated June, 1991, or
+#  (at your option) version 3 dated 29 June, 2007.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#    
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+PREFIX = /usr/local
+BINDIR = ${PREFIX}/sbin
+MANDIR = ${PREFIX}/share/man
+LOCALEDIR = ${PREFIX}/share/locale
 
 SRC = src
 PO = po
 MAN = man
 
-CFLAGS?= -O2
+PKG_CONFIG = pkg-config
+INSTALL = install
+MSGMERGE = msgmerge
+MSGFMT = msgfmt
+XGETTEXT = xgettext
+
+#################################################################
+
+DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
+DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
 
 all :   dnsmasq
 
 dnsmasq :
-	$(MAKE) I18N=-DNO_GETTEXT -f ../bld/Makefile -C $(SRC) dnsmasq 
+	@cd $(SRC) && $(MAKE) \
+ DNSMASQ_CFLAGS="$(DNSMASQ_CFLAGS)" \
+ DNSMASQ_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS)" \
+ -f ../bld/Makefile dnsmasq 
 
 clean :
 	rm -f *~ $(SRC)/*.mo contrib/*/*~ */*~ $(SRC)/*.pot 
@@ -21,24 +49,30 @@ clean :
 install : all install-common
 
 install-common :
-	install -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8
-	install -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
-	install -m 755 $(SRC)/dnsmasq $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
+	$(INSTALL) -m 755 $(SRC)/dnsmasq $(DESTDIR)$(BINDIR)
 
 all-i18n :
-	$(MAKE) I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' -f ../bld/Makefile -C $(SRC) dnsmasq
-	cd $(PO); for f in *.po; do \
-		$(MAKE) -f ../bld/Makefile -C ../$(SRC) $${f%.po}.mo; \
+	@cd $(SRC) && $(MAKE) \
+ I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' \
+ DNSMASQ_CFLAGS="$(DNSMASQ_CFLAGS) `$(PKG_CONFIG) --cflags libidn`" \
+ DNSMASQ_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS) `$(PKG_CONFIG) --libs libidn`"  \
+ -f ../bld/Makefile dnsmasq 
+	@cd $(PO); for f in *.po; do \
+		cd ../$(SRC) && $(MAKE) \
+ MSGMERGE=$(MSGMERGE) MSGFMT=$(MSGFMT) XGETTEXT=$(XGETTEXT) \
+ -f ../bld/Makefile $${f%.po}.mo; \
 	done
 
 install-i18n : all-i18n install-common
-	cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR)
-	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR)
+	cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
+	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 
 merge :
-	$(MAKE) I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' -f ../bld/Makefile -C $(SRC) dnsmasq.pot
-	cd $(PO); for f in *.po; do \
-		msgmerge -U $$f ../$(SRC)/dnsmasq.pot; \
+	@cd $(SRC) && $(MAKE) XGETTEXT=$(XGETTEXT) -f ../bld/Makefile dnsmasq.pot
+	@cd $(PO); for f in *.po; do \
+		echo -n msgmerge $$f && $(MSGMERGE) --no-wrap -U $$f ../$(SRC)/dnsmasq.pot; \
 	done
 
 

bld/Makefile

@@ -1,19 +1,17 @@
-CFLAGS ?= -O2
-PKG_CONFIG ?= pkg-config
+CFLAGS = -Wall -W -O2
 
-
-OBJS = cache.o rfc1035.o util.o option.o forward.o isc.o network.o \
+OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
        dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
        helper.o tftp.o log.o
 
 .c.o:
-	$(CC) $(CFLAGS) $(COPTS) $(I18N) `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --cflags dbus-1` $(RPM_OPT_FLAGS) -Wall -W -c $<
+	$(CC) $(CFLAGS) $(COPTS) $(I18N) $(DNSMASQ_CFLAGS) $(RPM_OPT_FLAGS) -c $<
 
 dnsmasq : $(OBJS)
-	$(CC) $(LDFLAGS) -o $@  $(OBJS) `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --libs dbus-1` $(LIBS) 
+	$(CC) $(LDFLAGS) -o $@  $(OBJS) $(DNSMASQ_LIBS) $(LIBS) 
  
 dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
-	xgettext -d dnsmasq --foreign-user --keyword=_ -o dnsmasq.pot -i $(OBJS:.o=.c)
+	$(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(OBJS:.o=.c)
 
 %.mo : ../po/%.po dnsmasq.pot
-	msgmerge -o - ../po/$*.po dnsmasq.pot | msgfmt -o $*.mo -
+	$(MSGMERGE) -o - ../po/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo -

bld/install-man

@@ -2,8 +2,8 @@
 
 for f in *; do
   if [ -d $f ]; then
-     install -d $1/$f/man8 
-     install -m 644 $f/dnsmasq.8 $1/$f/man8
+     $2 -m 755 -d $1/$f/man8 
+     $2 -m 644 $f/dnsmasq.8 $1/$f/man8
      echo installing $1/$f/man8/dnsmasq.8
   fi
 done

bld/install-mo

@@ -1,8 +1,8 @@
 #!/bin/sh
 
 for f in *.mo; do
-  install -d $1/${f%.mo}/LC_MESSAGES
-  install -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
+  $2 -m 755 -d $1/${f%.mo}/LC_MESSAGES
+  $2 -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
   echo installing $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
 done
 

bld/pkg-wrapper

@@ -1,6 +1,10 @@
 #!/bin/sh
 
-if grep -q "^\#.*define.*HAVE_DBUS" config.h || grep -q HAVE_DBUS ; then
+search=$1
+shift
+
+if grep "^\#.*define.*$search" config.h 2>&1 >/dev/null || \
+   grep $search 2>&1 >/dev/null ; then
   exec $*
 fi
 

contrib/Solaris10/README

@@ -0,0 +1,28 @@
+From: David Connelly <dconnelly@gmail.com>
+Date: Mon, Apr 7, 2008 at 3:31 AM
+Subject: Solaris 10 service manifest
+To: dnsmasq-discuss@lists.thekelleys.org.uk
+
+
+I've found dnsmasq much easier to set up on my home server running Solaris
+10 than the stock dhcp/dns server, which is probably overkill anyway for my
+simple home network needs. Since Solaris now uses SMF (Service Management
+Facility) to manage services I thought I'd create a simple service manifest
+for the dnsmasq service. The manifest currently assumes that dnsmasq has
+been installed in '/usr/local/sbin/dnsmasq' and the configuration file in
+'/usr/local/etc/dnsmasq.conf', so you may have to adjust these paths for
+your local installation. Here are the steps I followed to install and enable
+the dnsmasq service:
+  # svccfg import dnsmasq.xml
+  # svcadm enable dnsmasq
+
+To confirm that the service is enabled and online:
+
+  # svcs -l dnsmasq
+
+I've just started learning about SMF so if anyone has any
+corrections/feedback they are more than welcome.
+
+Thanks,
+David
+

contrib/Solaris10/dnsmasq.xml

@@ -0,0 +1,65 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+
+<!-- Service manifest for dnsmasq -->
+
+<service_bundle type='manifest' name='dnsmasq'>
+  <service name='network/dnsmasq' type='service' version='1'>
+
+    <create_default_instance enabled='false'/>
+    <single_instance/>
+
+    <dependency name='multi-user'
+                grouping='require_all'
+                restart_on='refresh'
+                type='service'>
+      <service_fmri value='svc:/milestone/multi-user'/>
+    </dependency>
+
+    <dependency name='config'
+		grouping='require_all'
+		restart_on='restart'
+		type='path'>
+      <service_fmri value='file:///usr/local/etc/dnsmasq.conf'/>
+    </dependency>
+
+    <dependent name='dnsmasq_multi-user-server'
+               grouping='optional_all'
+               restart_on='none'>
+      <service_fmri value='svc:/milestone/multi-user-server' />
+    </dependent>
+
+    <exec_method type='method' name='start'
+                 exec='/usr/local/sbin/dnsmasq -C /usr/local/etc/dnsmasq.conf'
+                 timeout_seconds='60' >
+      <method_context>
+        <method_credential user='root' group='root' privileges='all'/>
+      </method_context>
+    </exec_method>
+
+    <exec_method type='method'
+                 name='stop'
+                 exec=':kill'
+                 timeout_seconds='60'/>
+
+    <exec_method type='method'
+                 name='refresh'
+                 exec=':kill -HUP'
+                 timeout_seconds='60' />
+
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>dnsmasq server</loctext>
+      </common_name>
+      <description>
+        <loctext xml:lang='C'>
+dnsmasq - A lightweight DHCP and caching DNS server.
+        </loctext>
+      </description>
+      <documentation>
+        <manpage title='dnsmasq' section='8' manpath='/usr/local/man'/>
+      </documentation>
+    </template>
+
+  </service>
+</service_bundle>

contrib/lease-access/README

@@ -0,0 +1,20 @@
+Hello,
+
+For some specific application I needed to deny access to a MAC address
+to a lease. For this reason I modified the dhcp-script behavior and is
+called with an extra parameter "access" once a dhcp request or discover
+is received. In that case if the exit code of the script is zero,
+dnsmasq continues normally, and if non-zero the packet is ignored.
+
+This was not added as a security feature but as a mean to handle
+differently some addresses. It is also quite intrusive since it requires
+changes in several other subsystems.
+
+It attach the patch in case someone is interested.
+
+regards,
+Nikos
+
+nmav@gennetsa.com
+
+

contrib/lease-access/lease.access.patch

@@ -0,0 +1,578 @@
+Index: src/dnsmasq.c
+===================================================================
+--- src/dnsmasq.c	(revision 696)
++++ src/dnsmasq.c	(revision 821)
+@@ -59,7 +59,6 @@
+ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp);
+ static void check_dns_listeners(fd_set *set, time_t now);
+ static void sig_handler(int sig);
+-static void async_event(int pipe, time_t now);
+ static void fatal_event(struct event_desc *ev);
+ static void poll_resolv(void);
+ 
+@@ -275,7 +274,7 @@
+   piperead = pipefd[0];
+   pipewrite = pipefd[1];
+   /* prime the pipe to load stuff first time. */
+-  send_event(pipewrite, EVENT_RELOAD, 0); 
++  send_event(pipewrite, EVENT_RELOAD, 0, 0); 
+ 
+   err_pipe[1] = -1;
+   
+@@ -340,7 +339,7 @@
+ 	    }
+ 	  else if (getuid() == 0)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_PIDFILE, errno);
++	      send_event(err_pipe[1], EVENT_PIDFILE, errno, 0);
+ 	      _exit(0);
+ 	    }
+ 	}
+@@ -372,7 +371,7 @@
+ 	  (setgroups(0, &dummy) == -1 ||
+ 	   setgid(gp->gr_gid) == -1))
+ 	{
+-	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno);
++	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno, 0);
+ 	  _exit(0);
+ 	}
+   
+@@ -415,14 +414,14 @@
+ 
+ 	  if (bad_capabilities != 0)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities);
++	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities, 0);
+ 	      _exit(0);
+ 	    }
+ 	  
+ 	  /* finally drop root */
+ 	  if (setuid(ent_pw->pw_uid) == -1)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_USER_ERR, errno);
++	      send_event(err_pipe[1], EVENT_USER_ERR, errno, 0);
+ 	      _exit(0);
+ 	    }     
+ 
+@@ -434,7 +433,7 @@
+ 	  /* lose the setuid and setgid capbilities */
+ 	  if (capset(hdr, data) == -1)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_CAP_ERR, errno);
++	      send_event(err_pipe[1], EVENT_CAP_ERR, errno, 0);
+ 	      _exit(0);
+ 	    }
+ #endif
+@@ -647,7 +646,7 @@
+ 	}
+       
+       if (FD_ISSET(piperead, &rset))
+-	async_event(piperead, now);
++	async_event(piperead, now, NULL, 0);
+       
+ #ifdef HAVE_LINUX_NETWORK
+       if (FD_ISSET(daemon->netlinkfd, &rset))
+@@ -674,7 +673,7 @@
+ #endif      
+ 
+       if (daemon->dhcp && FD_ISSET(daemon->dhcpfd, &rset))
+-	dhcp_packet(now);
++	dhcp_packet(piperead, now);
+ 
+ #ifndef NO_FORK
+       if (daemon->helperfd != -1 && FD_ISSET(daemon->helperfd, &wset))
+@@ -719,17 +718,18 @@
+       else
+ 	return;
+ 
+-      send_event(pipewrite, event, 0); 
++      send_event(pipewrite, event, 0, 0); 
+       errno = errsave;
+     }
+ }
+ 
+-void send_event(int fd, int event, int data)
++void send_event(int fd, int event, int data, int priv)
+ {
+   struct event_desc ev;
+   
+   ev.event = event;
+   ev.data = data;
++  ev.priv = priv;
+   
+   /* error pipe, debug mode. */
+   if (fd == -1)
+@@ -771,14 +771,17 @@
+       die(_("cannot open %s: %s"), daemon->log_file ? daemon->log_file : "log", EC_FILE);
+     }
+ }	
+-      
+-static void async_event(int pipe, time_t now)
++
++/* returns the private data of the event
++ */
++int async_event(int pipe, time_t now, struct event_desc* event, unsigned int secs)
+ {
+   pid_t p;
+   struct event_desc ev;
+   int i;
+ 
+-  if (read_write(pipe, (unsigned char *)&ev, sizeof(ev), 1))
++  if (read_timeout(pipe, (unsigned char *)&ev, sizeof(ev), now, secs) > 0) 
++    {
+     switch (ev.event)
+       {
+       case EVENT_RELOAD:
+@@ -872,6 +875,14 @@
+ 	flush_log();
+ 	exit(EC_GOOD);
+       }
++    }
++  else
++    return -1; /* timeout */
++
++  if (event)
++    memcpy( event, &ev, sizeof(ev));
++    
++  return 0;
+ }
+ 
+ static void poll_resolv()
+Index: src/config.h
+===================================================================
+--- src/config.h	(revision 696)
++++ src/config.h	(revision 821)
+@@ -51,6 +51,8 @@
+ #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
+ #define LOG_MAX 5 /* log-queue length */
+ #define RANDFILE "/dev/urandom"
++#define SCRIPT_TIMEOUT 6
++#define LEASE_CHECK_TIMEOUT 10
+ 
+ /* DBUS interface specifics */
+ #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq"
+Index: src/dnsmasq.h
+===================================================================
+--- src/dnsmasq.h	(revision 696)
++++ src/dnsmasq.h	(revision 821)
+@@ -116,6 +116,7 @@
+ /* Async event queue */
+ struct event_desc {
+   int event, data;
++  unsigned int priv;
+ };
+ 
+ #define EVENT_RELOAD    1
+@@ -390,6 +391,7 @@
+ #define ACTION_OLD_HOSTNAME  2
+ #define ACTION_OLD           3
+ #define ACTION_ADD           4
++#define ACTION_ACCESS        5
+ 
+ #define DHCP_CHADDR_MAX 16
+ 
+@@ -709,6 +711,7 @@
+ char *print_mac(char *buff, unsigned char *mac, int len);
+ void bump_maxfd(int fd, int *max);
+ int read_write(int fd, unsigned char *packet, int size, int rw);
++int read_timeout(int fd, unsigned char *packet, int size, time_t now, int secs);
+ 
+ /* log.c */
+ void die(char *message, char *arg1, int exit_code);
+@@ -748,7 +751,7 @@
+ 
+ /* dhcp.c */
+ void dhcp_init(void);
+-void dhcp_packet(time_t now);
++void dhcp_packet(int piperead, time_t now);
+ 
+ struct dhcp_context *address_available(struct dhcp_context *context, 
+ 				       struct in_addr addr,
+@@ -792,14 +795,16 @@
+ void rerun_scripts(void);
+ 
+ /* rfc2131.c */
+-size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
++size_t dhcp_reply(int pipefd, struct dhcp_context *context, char *iface_name, int int_index,
+ 		  size_t sz, time_t now, int unicast_dest, int *is_inform);
+ 
+ /* dnsmasq.c */
+ int make_icmp_sock(void);
+ int icmp_ping(struct in_addr addr);
+-void send_event(int fd, int event, int data);
++void send_event(int fd, int event, int data, int priv);
+ void clear_cache_and_reload(time_t now);
++int wait_for_child(int pipe);
++int async_event(int pipe, time_t now, struct event_desc*, unsigned int timeout);
+ 
+ /* isc.c */
+ #ifdef HAVE_ISC_READER
+@@ -832,9 +837,9 @@
+ /* helper.c */
+ #ifndef NO_FORK
+ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
+-void helper_write(void);
++int helper_write(void);
+ void queue_script(int action, struct dhcp_lease *lease, 
+-		  char *hostname, time_t now);
++		  char *hostname, time_t now, unsigned int uid);
+ int helper_buf_empty(void);
+ #endif
+ 
+Index: src/util.c
+===================================================================
+--- src/util.c	(revision 696)
++++ src/util.c	(revision 821)
+@@ -444,3 +444,38 @@
+   return 1;
+ }
+ 
++int read_timeout(int fd, unsigned char *packet, int size, time_t now, int secs)
++{
++  ssize_t n, done;
++  time_t expire;
++  
++  expire = now + secs;
++  
++  for (done = 0; done < size; done += n)
++    {
++    retry:
++      if (secs > 0) alarm(secs);
++      n = read(fd, &packet[done], (size_t)(size - done));
++
++      if (n == 0)
++        return 0;
++      else if (n == -1)
++        {
++          if (errno == EINTR) {
++            my_syslog(LOG_INFO, _("read timed out (errno %d)"), errno);
++            return 0;
++          }
++
++          if (retry_send() || errno == ENOMEM || errno == ENOBUFS || errno == EAGAIN)
++            {
++              if (secs == 0 || (secs > 0 && dnsmasq_time() < expire))
++                goto retry;
++            }
++
++          my_syslog(LOG_INFO, _("error in read (timeout %d, errno %d)"), secs, errno);
++          return 0;
++        }
++    }
++  return 1;
++}
++
+Index: src/dhcp.c
+===================================================================
+--- src/dhcp.c	(revision 696)
++++ src/dhcp.c	(revision 821)
+@@ -103,7 +103,7 @@
+   daemon->dhcp_packet.iov_base = safe_malloc(daemon->dhcp_packet.iov_len);
+ }
+   
+-void dhcp_packet(time_t now)
++void dhcp_packet(int piperead, time_t now)
+ {
+   struct dhcp_packet *mess;
+   struct dhcp_context *context;
+@@ -239,7 +239,8 @@
+   if (!iface_enumerate(&parm, complete_context, NULL))
+     return;
+   lease_prune(NULL, now); /* lose any expired leases */
+-  iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
++
++  iov.iov_len = dhcp_reply(piperead, parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
+ 			   now, unicast_dest, &is_inform);
+   lease_update_file(now);
+   lease_update_dns();
+Index: src/helper.c
+===================================================================
+--- src/helper.c	(revision 696)
++++ src/helper.c	(revision 821)
+@@ -45,6 +45,7 @@
+ #endif
+   unsigned char hwaddr[DHCP_CHADDR_MAX];
+   char interface[IF_NAMESIZE];
++  unsigned int uid;
+ };
+ 
+ static struct script_data *buf = NULL;
+@@ -60,7 +61,7 @@
+      then fork our process. */
+   if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
+     {
+-      send_event(err_fd, EVENT_PIPE_ERR, errno);
++      send_event(err_fd, EVENT_PIPE_ERR, errno, 0);
+       _exit(0);
+     }
+ 
+@@ -87,13 +88,13 @@
+ 	{
+ 	  if (daemon->options & OPT_NO_FORK)
+ 	    /* send error to daemon process if no-fork */
+-	    send_event(event_fd, EVENT_HUSER_ERR, errno);
++	    send_event(event_fd, EVENT_HUSER_ERR, errno, 0);
+ 	  else
+ 	    {
+ 	      /* kill daemon */
+-	      send_event(event_fd, EVENT_DIE, 0);
++	      send_event(event_fd, EVENT_DIE, 0, 0);
+ 	      /* return error */
+-	      send_event(err_fd, EVENT_HUSER_ERR, errno);;
++	      send_event(err_fd, EVENT_HUSER_ERR, errno, 0);
+ 	    }
+ 	  _exit(0);
+ 	}
+@@ -122,6 +123,8 @@
+ 	action_str = "del";
+       else if (data.action == ACTION_ADD)
+ 	action_str = "add";
++      else if (data.action == ACTION_ACCESS)
++	action_str = "access";
+       else if (data.action == ACTION_OLD || data.action == ACTION_OLD_HOSTNAME)
+ 	action_str = "old";
+       else
+@@ -178,9 +181,11 @@
+ 		{
+ 		  /* On error send event back to main process for logging */
+ 		  if (WIFSIGNALED(status))
+-		    send_event(event_fd, EVENT_KILLED, WTERMSIG(status));
+-		  else if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+-		    send_event(event_fd, EVENT_EXITED, WEXITSTATUS(status));
++		    send_event(event_fd, EVENT_KILLED, WTERMSIG(status), data.uid);
++		  else if (WIFEXITED(status))
++		    send_event(event_fd, EVENT_EXITED, WEXITSTATUS(status), data.uid);
++                  else
++		    send_event(event_fd, EVENT_EXITED, -1, data.uid);
+ 		  break;
+ 		}
+ 	      
+@@ -263,7 +268,7 @@
+ 	  err = errno;
+ 	}
+       /* failed, send event so the main process logs the problem */
+-      send_event(event_fd, EVENT_EXEC_ERR, err);
++      send_event(event_fd, EVENT_EXEC_ERR, err, data.uid);
+       _exit(0); 
+     }
+ }
+@@ -295,7 +300,7 @@
+ }
+  
+ /* pack up lease data into a buffer */    
+-void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now)
++void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now, unsigned int uid)
+ {
+   unsigned char *p;
+   size_t size;
+@@ -332,6 +337,7 @@
+       buf_size = size;
+     }
+ 
++  buf->uid = uid;
+   buf->action = action;
+   buf->hwaddr_len = lease->hwaddr_len;
+   buf->hwaddr_type = lease->hwaddr_type;
+@@ -393,12 +399,15 @@
+   return bytes_in_buf == 0;
+ }
+ 
+-void helper_write(void)
++/* returns -1 if write failed for a reason, 1 if no data exist
++ * and 0 if everything was ok.
++ */
++int helper_write(void)
+ {
+   ssize_t rc;
+ 
+   if (bytes_in_buf == 0)
+-    return;
++    return 1;
+   
+   if ((rc = write(daemon->helperfd, buf, bytes_in_buf)) != -1)
+     {
+@@ -409,9 +418,11 @@
+   else
+     {
+       if (errno == EAGAIN || errno == EINTR)
+-	return;
++	return -1;
+       bytes_in_buf = 0;
+     }
++    
++  return 0;
+ }
+ 
+ #endif
+Index: src/rfc2131.c
+===================================================================
+--- src/rfc2131.c	(revision 696)
++++ src/rfc2131.c	(revision 821)
+@@ -100,8 +100,49 @@
+ 				      int clid_len, unsigned char *clid, int *len_out);
+ static void match_vendor_opts(unsigned char *opt, struct dhcp_opt *dopt); 
+ 
++static int check_access_script( int piperead, struct dhcp_lease *lease, struct dhcp_packet *mess, time_t now)
++{
++#ifndef NO_FORK
++unsigned int uid;
++struct event_desc ev;
++int ret;
++struct dhcp_lease _lease;
++
++  if (daemon->lease_change_command == NULL) return 0; /* ok */
++
++  if (!lease) { /* if host has not been seen before lease is NULL */
++      memset(&_lease, 0, sizeof(_lease));
++      lease = &_lease;
++      lease_set_hwaddr(lease, mess->chaddr, NULL, mess->hlen, mess->htype, 0);
++  }
++
++  uid = rand16();
++  queue_script(ACTION_ACCESS, lease, NULL, now, uid);
++
++  /* send all data to helper process */
++  do 
++    {
++      helper_write();
++    } while (helper_buf_empty() == 0);
++
++  /* wait for our event */
++  ret = 0;
++  do 
++    {
++      ret = async_event( piperead, now, &ev, SCRIPT_TIMEOUT);
++    }
++  while(ev.priv != uid && ret >= 0);
++
++  if (ret < 0 || ev.data != 0) /* timeout or error */
++    {
++      return -1;
++    }
++
++#endif
++  return 0; /* ok */
++}
+ 	  
+-size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
++size_t dhcp_reply(int piperead, struct dhcp_context *context, char *iface_name, int int_index,
+ 		  size_t sz, time_t now, int unicast_dest, int *is_inform)
+ {
+   unsigned char *opt, *clid = NULL;
+@@ -252,7 +293,7 @@
+ 	mac->netid.next = netid;
+ 	netid = &mac->netid;
+       }
+-  
++
+   /* Determine network for this packet. Our caller will have already linked all the 
+      contexts which match the addresses of the receiving interface but if the 
+      machine has an address already, or came via a relay, or we have a subnet selector, 
+@@ -329,7 +370,7 @@
+ 	    my_syslog(LOG_INFO, _("Available DHCP range: %s -- %s"), daemon->namebuff, inet_ntoa(context_tmp->end));
+ 	}
+     }
+-
++    
+   mess->op = BOOTREPLY;
+   
+   config = find_config(daemon->dhcp_conf, context, clid, clid_len, 
+@@ -418,7 +459,7 @@
+ 	      else
+ 		mess->yiaddr = lease->addr;
+ 	    }
+-	  
++
+ 	  if (!message && 
+ 	      !lease && 
+ 	      (!(lease = lease_allocate(mess->yiaddr))))
+@@ -641,7 +682,14 @@
+       memcpy(req_options, option_ptr(opt, 0), option_len(opt));
+       req_options[option_len(opt)] = OPTION_END;
+     }
+-  
++
++  if (mess_type == DHCPREQUEST || mess_type == DHCPDISCOVER)
++    if (check_access_script(piperead, lease, mess, now) < 0)
++      {
++        my_syslog(LOG_INFO, _("Ignoring client due to access script"));
++        return 0;
++      }
++
+   switch (mess_type)
+     {
+     case DHCPDECLINE:
+Index: src/log.c
+===================================================================
+--- src/log.c	(revision 696)
++++ src/log.c	(revision 821)
+@@ -73,7 +73,7 @@
+ 
+   if (!log_reopen(daemon->log_file))
+     {
+-      send_event(errfd, EVENT_LOG_ERR, errno);
++      send_event(errfd, EVENT_LOG_ERR, errno, 0);
+       _exit(0);
+     }
+ 
+Index: src/lease.c
+===================================================================
+--- src/lease.c	(revision 696)
++++ src/lease.c	(revision 821)
+@@ -511,7 +511,7 @@
+       if (lease->old_hostname)
+ 	{
+ #ifndef NO_FORK
+-	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
++	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now, 0);
+ #endif
+ 	  free(lease->old_hostname);
+ 	  lease->old_hostname = NULL;
+@@ -520,7 +520,7 @@
+       else 
+ 	{
+ #ifndef NO_FORK
+-	  queue_script(ACTION_DEL, lease, lease->hostname, now);
++	  queue_script(ACTION_DEL, lease, lease->hostname, now, 0);
+ #endif
+ 	  old_leases = lease->next;
+ 	  
+@@ -540,7 +540,7 @@
+     if (lease->old_hostname)
+       {	
+ #ifndef NO_FORK
+-	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
++	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now, 0);
+ #endif
+ 	free(lease->old_hostname);
+ 	lease->old_hostname = NULL;
+@@ -552,7 +552,7 @@
+ 	(lease->aux_changed && (daemon->options & OPT_LEASE_RO)))
+       {
+ #ifndef NO_FORK
+-	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname, now);
++	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname, now, 0);
+ #endif
+ 	lease->new = lease->changed = lease->aux_changed = 0;
+ 	
+Index: man/dnsmasq.8
+===================================================================
+--- man/dnsmasq.8	(revision 696)
++++ man/dnsmasq.8	(revision 821)
+@@ -724,12 +724,15 @@
+ .B \-6 --dhcp-script=<path>
+ Whenever a new DHCP lease is created, or an old one destroyed, the
+ binary specified by this option is run. The arguments to the process
+-are "add", "old" or "del", the MAC
++are "add", "old", "access" or "del", the MAC
+ address of the host (or "<null>"), the IP address, and the hostname,
+ if known. "add" means a lease has been created, "del" means it has
+ been destroyed, "old" is a notification of an existing lease when
+ dnsmasq starts or a change to MAC address or hostname of an existing
+ lease (also, lease length or expiry and client-id, if leasefile-ro is set).
++The "access" keyword means that a request was just received and depending
++on the script exit status request for address will be granted, if exit status
++is zero or not if it is non-zero.
+ The process is run as root (assuming that dnsmasq was originally run as
+ root) even if dnsmasq is configured to change UID to an unprivileged user.
+ The environment is inherited from the invoker of dnsmasq, and if the

contrib/try-all-ns/README-2.47

@@ -0,0 +1,11 @@
+A remake of patch Bob Carroll had posted to dnsmasq,
+now compatible with version 2.47. Hopefully he doesn't 
+mind (sending a copy of this mail to him too).
+
+Maybe the patch in question is not acceptible
+as it doesn't add new switch, rather it binds itself to "strict-order".
+
+What it does is: if you have strict-order in the 
+dnsmasq config file and query a domain that would result 
+in NXDOMAIN, it iterates the whole given nameserver list 
+until the last one says NXDOMAIN.

contrib/try-all-ns/dnsmasq-2.47_no_nxdomain_until_end.patch

@@ -0,0 +1,17 @@
+diff -ur dnsmasq-2.47/src/forward.c dnsmasq-2.47-patched/src/forward.c
+--- dnsmasq-2.47/src/forward.c	2009-02-01 17:59:48.000000000 +0200
++++ dnsmasq-2.47-patched/src/forward.c	2009-03-18 19:10:22.000000000 +0200
+@@ -488,9 +488,12 @@
+     return;
+    
+   server = forward->sentto;
++
++  if ( (header->rcode == NXDOMAIN) && ((daemon->options & OPT_ORDER) != 0) && (server->next != NULL) )
++    header->rcode = SERVFAIL;
+   
+   if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
+-      !(daemon->options & OPT_ORDER) &&
++      ((daemon->options & OPT_ORDER) != 0) &&
+       forward->forwardall == 0)
+     /* for broken servers, attempt to send to another one. */
+     {

dbus/DBus-interface

@@ -21,6 +21,9 @@ and avoids startup races with the provider of nameserver information.
 Dnsmasq provides one service on the DBus: uk.org.thekelleys.dnsmasq
 and a single object: /uk/org/thekelleys/dnsmasq
 
+1. METHODS
+----------
+
 Methods are of the form
 
 uk.org.thekelleys.<method>
@@ -91,4 +94,38 @@ Each call to SetServers completely replaces the set of servers
 specified by via the DBus, but it leaves any servers specified via the
 command line or /etc/dnsmasq.conf or /etc/resolv.conf alone.
 
+2. SIGNALS
+----------
 
+If dnsmasq's DHCP server is active, it will send signals over DBUS whenever
+the DHCP lease database changes. Think of these signals as transactions on
+a database with the IP address acting as the primary key.
+
+Signals are of the form:
+
+uk.org.thekelleys.<signal>
+
+and their parameters are:
+
+STRING "192.168.1.115"
+STRING "01:23:45:67:89:ab"
+STRING "hostname.or.fqdn"
+
+
+Available signals are:
+
+DhcpLeaseAdded
+---------------
+
+This signal is emitted when a DHCP lease for a given IP address is created.
+
+DhcpLeaseDeleted
+----------------
+
+This signal is emitted when a DHCP lease for a given IP address is deleted.
+
+DhcpLeaseUpdated
+----------------
+
+This signal is emitted when a DHCP lease for a given IP address is updated.
+ 

dbus/dnsmasq.conf

@@ -5,12 +5,10 @@
 	<policy user="root">
 		<allow own="uk.org.thekelleys.dnsmasq"/>
 		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
-                <allow send_interface="uk.org.thekelleys.dnsmasq"/>
 	</policy>
 	<policy context="default">
                 <deny own="uk.org.thekelleys.dnsmasq"/>
                 <deny send_destination="uk.org.thekelleys.dnsmasq"/>
-                <deny send_interface="uk.org.thekelleys.dnsmasq"/>
         </policy>
 </busconfig>
 

dnsmasq.conf.example

@@ -19,7 +19,7 @@
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.
 # Note that (amongst other things) this blocks all SRV requests,
-# so don't use it if you use eg Kerberos.
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
 # This option only affects forwarding, SRV records originating for
 # dnsmasq (via srv-host= lines) are not suppressed by it.
 #filterwin2k
@@ -61,6 +61,18 @@
 # webserver.
 #address=/doubleclick.net/127.0.0.1
 
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# You can control how dnsmasq talks to a server: this forces 
+# queries to 10.1.2.3 to be routed via eth1
+# --server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# --server=10.1.2.3@192.168.1.1#55
+
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
 #user=
@@ -110,6 +122,12 @@
 # 3) Provides the domain part for "expand-hosts"
 #domain=thekelleys.org.uk
 
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
 # Uncomment this to enable the integrated DHCP server, you need
 # to supply the range of addresses available for lease and optionally
 # a lease time. If you have more than one network, you will need to
@@ -145,7 +163,15 @@
 # the name fred and IP address 192.168.0.60 and lease time 45 minutes
 #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
 
-# Give the machine which says it's name is "bert" IP address
+# Give a host with ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
 # 192.168.0.70 and an infinite lease
 #dhcp-host=bert,192.168.0.70,infinite
 
@@ -258,12 +284,12 @@
 # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
-# you may want to uncomment them if you use Windows clients and Samba.
+# you may want to uncomment some or all of them if you use 
+# Windows clients and Samba.
 #dhcp-option=19,0           # option ip-forwarding off
 #dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
 #dhcp-option=45,0.0.0.0     # netbios datagram distribution server
 #dhcp-option=46,8           # netbios node type
-#dhcp-option=47             # empty netbios scope.
 
 # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
 # probably doesn't support this......
@@ -303,12 +329,63 @@
 # Reboot time. (Note 'i' to send 32-bit value)
 #dhcp-option-force=211,30i
 
-# Set the boot filename for BOOTP. You will only need 
+# Set the boot filename for netboot/PXE. You will only need 
 # this is you want to boot machines over the network and you will need
 # a TFTP server; either dnsmasq's built in TFTP server or an
 # external one. (See below for how to enable the TFTP server.)
 #dhcp-boot=pxelinux.0
 
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=net:#gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+ 
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp 
+#dhcp-option=encap:175, 177, string   # bus-id 
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk", 0
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux 
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf  
+
+  
 # Enable dnsmasq's built-in TFTP server
 #enable-tftp
 
@@ -319,11 +396,17 @@
 # the user dnsmasq is running as will be send over the net.
 #tftp-secure
 
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP 
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
 # Set the boot file name only when the "red" tag is set.
 #dhcp-boot=net:red,pxelinux.red-net
 
-# An example of dhcp-boot with an external server: the name and IP
+# An example of dhcp-boot with an external TFTP server: the name and IP
 # address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
 
 # Set the limit on DHCP leases, the default is 150
@@ -376,7 +459,8 @@
 #alias=1.2.3.4,5.6.7.8
 # and this maps 1.2.3.x to 5.6.7.x
 #alias=1.2.3.0,5.6.7.0,255.255.255.0
-
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 
 # Change these lines if you want dnsmasq to serve MX records.
 
@@ -439,6 +523,10 @@
 #Example zeroconf
 #txt-record=_http._tcp.example.com,name=value,paper=A4
 
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
 
 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.

doc.html

@@ -11,7 +11,7 @@ Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
  server and allows machines with DHCP-allocated addresses
  to appear in the DNS with names configured either in each host or
  in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP for network booting of diskless machines.
+ DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.
 <P>
  Dnsmasq is targeted at home networks using NAT and 
 connected to the internet via a modem, cable-modem or ADSL
@@ -19,8 +19,8 @@ connection but would be a good choice for any smallish network (up to
 1000 clients is known to work) where low
 resource use and ease of configuration are important. 
 <P>
-Supported platforms include Linux (with glibc and uclibc), *BSD and
-Mac OS X.
+Supported platforms include Linux (with glibc and uclibc), *BSD,
+Solaris and Mac OS X.
 Dnsmasq is included in at least the following Linux distributions:
 Gentoo, Debian, Slackware, Suse, Fedora,
 Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l,
@@ -59,7 +59,7 @@ improving performance (especially on modem connections).
 </LI>
 <LI>
 Dnsmasq can be configured to automatically pick up the addresses of
-it's upstream nameservers from ppp or dhcp configuration. It will
+its upstream nameservers from ppp or dhcp configuration. It will
 automatically reload this information if it changes. This facility
 will be of particular interest to maintainers of Linux firewall
 distributions since it allows dns configuration to be made automatic.
@@ -89,12 +89,15 @@ Dnsmasq is part of the Debian distribution, it can be downloaded from
 <A HREF="http://ftp.debian.org/debian/pool/main/d/dnsmasq/"> here</A> or installed using <TT>apt</TT>.
 
 <H2>Links.</H2>
-There is an article in German on dnsmasq at <A
-HREF="http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html">http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html</A>
-and Damien Raude-Morvan has one in French at <A HREF="http://www.drazzib.com/docs-dnsmasq.html">http://www.drazzib.com/docs-dnsmasq.html</A>
+Damien Raude-Morvan has an article in French at <A HREF="http://www.drazzib.com/docs-dnsmasq.html">http://www.drazzib.com/docs-dnsmasq.html</A>
 There is a good article about dnsmasq at <A
 HREF="http://www.enterprisenetworkingplanet.com/netos/article.php/3377351">http://www.enterprisenetworkingplanet.com/netos/article.php/3377351</A>
-and Ilya Evseev has an article in Russian about dnsmasq to be found at <A HREF="http://ilya-evseev.narod.ru/articles/dnsmasq"> http://ilya-evseev.narod.ru/articles/dnsmasq</A>
+and another at <A
+HREF="http://www.linux.com/articles/149040">http://www.linux.com/articles/149040</A>
+and Ilya Evseev has an article in Russian about dnsmasq to be found at
+<A HREF="http://ilya-evseev.narod.ru/articles/dnsmasq">
+http://ilya-evseev.narod.ru/articles/dnsmasq</A>. Ismael Ull has an
+article about dnsmasq in Spanish at <A HREF="http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq">http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq</A>
 <H2>License.</H2>
 Dnsmasq is distributed under the GPL. See the file COPYING in the distribution 
 for details.

man/dnsmasq.8

@@ -15,8 +15,8 @@ contents of /etc/hosts so that local hostnames
 which do not appear in the global DNS can be resolved and also answers
 DNS queries for DHCP configured hosts.
 .PP
-The dnsmasq DHCP server supports static address assignments, multiple
-networks, DHCP-relay and RFC3011 subnet specifiers. It automatically
+The dnsmasq DHCP server supports static address assignments and multiple
+networks. It automatically
 sends a sensible default set of DHCP options, and can be configured to
 send any desired set of DHCP options, including vendor-encapsulated
 options. It includes a secure, read-only,
@@ -31,17 +31,22 @@ BSD, unless the GNU getopt library is linked, the long form of the
 options does not work on the command line; it is still recognised in
 the configuration file.
 .TP
+.B --test
+Read and syntax check configuration file(s). Exit with code 0 if all
+is OK, or a non-zero code otherwise. Do not start up dnsmasq.
+.TP
 .B \-h, --no-hosts
 Don't read the hostnames in /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<file>
 Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
 only the specified file. This option may be repeated for more than one
-additional hosts file.
+additional hosts file. If a directory is given, then read all the files contained in that directory. 
 .TP
 .B \-E, --expand-hosts
 Add the domain to simple names (without a period) in /etc/hosts
-in the same way as for DHCP-derived names.
+in the same way as for DHCP-derived names. Note that this does not
+apply to domain names in cnames, PTR records, TXT records etc.
 .TP
 .B \-T, --local-ttl=<time>
 When replying with information from /etc/hosts or the DHCP leases
@@ -52,6 +57,14 @@ time-to-live (in seconds) to be given for these replies. This will
 reduce the load on the server at the expense of clients using stale
 data under some circumstances.
 .TP
+.B --neg-ttl=<time>
+Negative replies from upstream servers normally contain time-to-live
+information in SOA records which dnsmasq uses for caching. If the
+replies from upstream servers omit this information, dnsmasq does not
+cache the reply. This option gives a default value for time-to-live
+(in seconds) which dnsmasq uses to cache negative replies even in 
+the absence of an SOA record. 
+.TP
 .B \-k, --keep-in-foreground
 Do not go into the background at startup but otherwise run as
 normal. This is intended for use when dnsmasq is run under daemontools
@@ -69,7 +82,7 @@ Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on r
 .B \-8, --log-facility=<facility>
 Set the facility to which dnsmasq will send syslog entries, this
 defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
-the facilty given contains at least one '/' character, it is taken to
+the facility given contains at least one '/' character, it is taken to
 be a filename, and dnsmasq logs to the given file, instead of
 syslog. (Errors whilst reading configuration will still go to syslog,
 but all output from a successful startup, and all output whilst
@@ -105,8 +118,8 @@ as. The defaults to "dip", if available, to facilitate access to
 Print the version number.
 .TP
 .B \-p, --port=<port>
-Listen on <port> instead of the standard DNS port (53). Useful mainly for
-debugging.
+Listen on <port> instead of the standard DNS port (53). Setting this
+to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
@@ -114,9 +127,18 @@ forwarder. Defaults to 1280, which is the RFC2671-recommended maximum
 for ethernet.
 .TP
 .B \-Q, --query-port=<query_port>
-Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using one chosen at runtime.  Useful to simplify your
-firewall rules; without this, your firewall would have to allow connections from outside DNS servers to a range of UDP ports, or dynamically adapt to the
-port being used by the current dnsmasq instance.
+Send outbound DNS queries from, and listen for their replies on, the
+specific UDP port <query_port> instead of using random ports. NOTE
+that using this option will make dnsmasq less secure against DNS
+spoofing attacks but it may be faster and use less resources.  Setting this option
+to zero makes dnsmasq use a single port allocated to it by the
+OS: this was the default behaviour in versions prior to 2.43. 
+.TP
+.B --min-port=<port>
+Do not use ports less than that given as source for outbound DNS
+queries. Dnsmasq picks random ports as source for outbound queries:
+when this option is given, the ports used will always to larger
+than that specified. Useful for systems behind firewalls. 
 .TP
 .B \-i, --interface=<interface name>
 Listen only on the specified interface(s). Dnsmasq automatically adds
@@ -191,13 +213,17 @@ Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192
 which are not found in /etc/hosts or the DHCP leases file are answered
 with "no such domain" rather than being forwarded upstream.
 .TP
-.B \-V, --alias=<old-ip>,<new-ip>[,<mask>]
+.B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
 Modify IPv4 addresses returned from upstream nameservers; old-ip is
 replaced by new-ip. If the optional mask is given then any address
 which matches the masked old-ip will be re-written. So, for instance
 .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 
 will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
-Cisco PIX routers call "DNS doctoring".
+Cisco PIX routers call "DNS doctoring". If the old IP is given as
+range, then only addresses in the range, rather than a whole subnet,
+are re-written. So 
+.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
 .TP 
 .B \-B, --bogus-nxdomain=<ipaddr>
 Transform replies which contain the IP address given into "No such
@@ -236,10 +262,21 @@ been built with DBus support.
 .TP 
 .B \-o, --strict-order
 By default, dnsmasq will send queries to any of the upstream servers
-it knows about and tries to favour servers to are known to
+it knows about and tries to favour servers that are known to
 be up. Setting this flag forces dnsmasq to try each query with each
 server strictly in the order they appear in /etc/resolv.conf
 .TP
+.B --all-servers
+By default, when dnsmasq has more than one upstream server available,
+it will send queries to just one server. Setting this flag forces
+dnsmasq to send all queries to all available servers. The reply from
+the server which answers first will be returned to the original requestor.
+.TP
+.B --stop-dns-rebind
+Reject (and log) addresses from upstream nameservers which are in the
+private IP ranges. This blocks an attack where a browser behind a
+firewall is used to probe machines on the local network.
+.TP
 .B \-n, --no-poll
 Don't poll /etc/resolv.conf for changes.
 .TP
@@ -253,7 +290,7 @@ Tells dnsmasq to never forward queries for plain names, without dots
 or domain parts, to upstream nameservers. If the name is not known
 from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
-.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
 Specify IP address of upstream servers directly. Setting this flag does
 not suppress reading of /etc/resolv.conf, use -R to do that. If one or
 more 
@@ -284,13 +321,18 @@ is a synonym for
 .B server
 to make configuration files clearer in this case.
 
-The optional second IP address after the @ character tells
-dnsmasq how to set the source address of the queries to this
-nameserver. It should be an address belonging to the machine on which
+The optional string after the @ character tells
+dnsmasq how to set the source of the queries to this
+nameserver. It should be an ip-address, which should belong to the machine on which
 dnsmasq is running otherwise this server line will be logged and then
-ignored. The query-port flag is ignored for any servers which have a
+ignored, or an interface name. If an interface name is given, then
+queries to the server will be forced via that interface; if an
+ip-address is given then the source address of the queries will be set
+to that address.
+The query-port flag is ignored for any servers which have a
 source address specified but the port may be specified directly as
-part of the source address.
+part of the source address. Forcing queries to an interface is not
+implemented on all platforms supported by dnsmasq.
 .TP
 .B \-A, --address=/<domain>/[domain/]<ipaddr>
 Specify an IP address to return for any host in the given domains.
@@ -349,12 +391,23 @@ so  any number may be included, split by commas.
 .B --ptr-record=<name>[,<target>]
 Return a PTR DNS record.
 .TP
+.B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
+Return an NAPTR DNS record, as specified in RFC3403.
+.TP
+.B --cname=<cname>,<target>
+Return a CNAME record which indicates that <cname> is really
+<target>. There are significant limitations on the target; it must be a
+DNS name which is known to dnsmasq from /etc/hosts (or additional
+hosts files) or from DHCP. If the target does not satisfy this
+criteria, the whole cname is ignored. The cname must be unique, but it
+is permissable to have more than one cname pointing to the same target.
+.TP
 .B --interface-name=<name>,<interface>
 Return a DNS record associating the name with the primary address on
 the given interface. This flag specifies an A record for the given
 name in the same way as an /etc/hosts line, except that the address is
 not constant, but taken from the given interface. If the interface is
-down, not configured or non-existant, an empty record is returned. The
+down, not configured or non-existent, an empty record is returned. The
 matching PTR record is also created, mapping the interface address to
 the name. More than one name may be associated with an interface
 address by repeating the flag; in that case the first instance is used
@@ -374,24 +427,22 @@ Set the maximum number of concurrent DNS queries. The default value is
 where this needs to be increased is when using web-server log file
 resolvers, which can generate large numbers of concurrent queries.
 .TP
-.B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
+.B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<lease time>]
 Enable the DHCP server. Addresses will be given out from the range
 <start-addr> to <end-addr> and from statically defined addresses given
 in 
 .B dhcp-host
 options. If the lease time is given, then leases
 will be given for that length of time. The lease time is in seconds,
-or minutes (eg 45m) or hours (eg 1h) or the literal "infinite". This
+or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
+the default lease time is one hour. The
+minimum lease time is two minutes. This
 option may be repeated, with different addresses, to enable DHCP
 service to more than one network. For directly connected networks (ie,
 networks on which the machine running dnsmasq has an interface) the
 netmask is optional. It is, however, required for networks which
 receive DHCP service via a relay agent. The broadcast address is
-always optional. On some broken systems, dnsmasq can listen on only
-one interface when using DHCP, and the name of that interface must be
-given using the
-.B interface
-option. This limitation currently affects OpenBSD before version 4.0. It is always
+always optional. It is always
 allowed to have more than one dhcp-range in a single subnet. The optional
 network-id is a alphanumeric label which marks this network so that
 dhcp options may be specified on a per-network basis. 
@@ -400,10 +451,18 @@ a tag to matching it. Only one tag may be set, but more than one tag may be matc
 The end address may be replaced by the keyword 
 .B static
 which tells dnsmasq to enable DHCP for the network specified, but not
-to dynamically allocate IP addresses. Only hosts which have static
+to dynamically allocate IP addresses: only hosts which have static
 addresses given via 
 .B dhcp-host
-or from /etc/ethers will be served.
+or from /etc/ethers will be served. The end address may be replaced by
+the keyword
+.B proxy
+in which case dnsmasq will provide proxy-DHCP on the specified
+subnet. (See 
+.B pxe-prompt
+and 
+.B pxe-service
+for details.)
 .TP
 .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
@@ -428,9 +487,11 @@ hardware addresses to identify hosts by prefixing with 'id:'. Thus:
 refers to the host with client identifier 01:02:03:04. It is also
 allowed to specify the client ID as text, like this:
 .B --dhcp-host=id:clientidastext,..... 
+
 The special option id:* means "ignore any client-id 
 and use MAC addresses only." This is useful when a client presents a client-id sometimes 
 but not others.
+
 If a name appears in /etc/hosts, the associated address can be
 allocated to a DHCP lease, but only if a 
 .B --dhcp-host
@@ -441,8 +502,10 @@ instance
 .B --dhcp-host=00:20:e0:3b:13:af,ignore
 This is
 useful when there is another DHCP server on the network which should
-be used by some machines. The net:<network-id> sets the network-id tag
-whenever this dhcp-host directive is in use.This can be used to 
+be used by some machines.
+
+The net:<network-id> sets the network-id tag
+whenever this dhcp-host directive is in use. This can be used to 
 selectively send DHCP options just for this host. When a host matches any
 dhcp-host directive (or one implied by /etc/ethers) then the special
 network-id tag "known" is set. This allows dnsmasq to be configured to
@@ -453,13 +516,27 @@ wildcard bytes, so for example
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
 will cause dnsmasq to ignore a range of hardware addresses. Note that
 the "*" will need to be escaped or quoted on a command line, but not
-in the configuration file. Hardware addresses normally match any
+in the configuration file.
+
+Hardware addresses normally match any
 network (ARP) type, but it is possible to restrict them to a single
 ARP type by preceding them with the ARP-type (in HEX) and "-". so 
 .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4 
 will only match a
 Token-Ring hardware address, since the ARP-address type for token ring
-is 6.
+is 6. 
+
+As a special case, it is possible to include more than one
+hardware address. eg:
+.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+This allows an IP address to be associated with
+multiple hardware addresses, and gives dnsmasq permission to abandon a
+DHCP lease to one of the hardware addresses when another one asks for
+a lease. Beware that this is a dangerous thing to do, it will only
+work reliably if only one of the hardware addresses is active at any
+time and there is no way for dnsmasq to enforce this. It is, for instance,
+useful to allocate a stable IP address to a laptop which
+has both wired and wireless interfaces.
 .TP
 .B --dhcp-hostsfile=<file>
 Read DHCP host information from the specified file. The file contains 
@@ -467,6 +544,16 @@ information about one host per line. The format of a line is the same
 as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
 in this file is that it can be changed without re-starting dnsmasq:
 the file will be re-read when dnsmasq receives SIGHUP.
+.TP
+.B --dhcp-optsfile=<file>
+Read DHCP option information from the specified file. The advantage of 
+using this option is the same as for --dhcp-hostsfile: the
+dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
+it is possible to encode the information in a
+.B --dhcp-boot
+flag as DHCP options, using the options names bootfile-name,
+server-ip-address and tftp-server. This allows these to be included
+in a dhcp-optsfile.
 .TP 
 .B \-Z, --read-ethers
 Read /etc/ethers for information about hosts for the DHCP server. The
@@ -477,7 +564,7 @@ have exactly the same effect as
 options containing the same information. /etc/ethers is re-read when 
 dnsmasq receives SIGHUP.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
+.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
 Specify different or extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
@@ -537,16 +624,32 @@ client. It is
 possible to omit the vendorclass completely;
 .B --dhcp-option=vendor:,1,0.0.0.0
 in which case the encapsulated option is always sent.
+
+Options may be encapsulated within other options: for instance
+.B --dhcp-option=encap:175, 190, "iscsi-client0"
+will send option 175, within which is the option 190. If multiple
+options are given which are encapsulated with the same option number
+then they will be correctly combined into one encapsulated option.
+encap: and vendor: are may not both be set in the same dhcp-option.
+
 The address 0.0.0.0 is not treated specially in
-encapsulated vendor class options.
+encapsulated options.
 .TP
-.B --dhcp-option-force=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+.B --dhcp-option-force=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 This works in exactly the same way as
 .B --dhcp-option
 except that the option will always be sent, even if the client does
 not ask for it in the parameter request list. This is sometimes
 needed, for example when sending options to PXELinux.
 .TP
+.B --dhcp-no-override
+Disable re-use of the DHCP servername and filename fields as extra
+option space. If it can, dnsmasq moves the boot server and filename
+information (from dhcp-boot) out of their dedicated fields into
+DHCP options. This make extra space available in the DHCP packet for
+options but can, rarely, confuse old or broken clients. This flag
+forces "simple and safe" behaviour to avoid problems in such a case.
+.TP
 .B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
 Map from a vendor-class string to a network id tag. Most DHCP clients provide a 
 "vendor class" which represents, in some sense, the type of host. This option 
@@ -582,7 +685,24 @@ simple string. If an exact match is achieved between the circuit or
 agent ID and one provided by a relay agent, the network-id tag is set.
 .TP
 .B --dhcp-subscrid=<network-id>,<subscriber-id>
-Map from RFC3993 subscriber-d relay agent options to network-id tags.
+Map from RFC3993 subscriber-id relay agent options to network-id tags.
+.TP
+.B --dhcp-match=<network-id>,<option number>|option:<option name>[,<value>]
+Without a value, set the network-id tag if the client sends a DHCP
+option of the given number or name. When a value is given, set the tag only if
+the option is sent and matches the value. The value may be of the form
+"01:ff:*:02" in which case the value must match (apart from widcards)
+but the option sent may have unmatched data past the end of the
+value. The value may also be of the same form as in 
+.B dhcp-option
+in which case the option sent is treated as an array, and one element
+must match, so
+
+--dhcp-match=efi-ia32,option:client-arch,6
+
+will set the tag "efi-ia32" if the the number 6 appears in the list of
+architectures sent by the client in option 93. (See RFC 4578 for
+details.)  If the value is a string, substring matching is used. 
 .TP
 .B \-J, --dhcp-ignore=<network-id>[,<network-id>]
 When all the given network-ids match the set of network-ids derived
@@ -592,12 +712,19 @@ not allocate it a DHCP lease.
 .B --dhcp-ignore-names[=<network-id>[,<network-id>]]
 When all the given network-ids match the set of network-ids derived
 from the net, host, vendor and user classes, ignore any hostname
-provided by the host. Note that, unlike dhcp-ignore, it is permissable
+provided by the host. Note that, unlike dhcp-ignore, it is permissible
 to supply no netid tags, in which case DHCP-client supplied hostnames
 are always ignored, and DHCP hosts are added to the DNS using only
 dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
 /etc/ethers.
 .TP
+.B --dhcp-broadcast=<network-id>[,<network-id>]
+When all the given network-ids match the set of network-ids derived
+from the net, host, vendor and user classes, always use broadcast to
+communicate with the host when it is unconfigured. Most DHCP clients which
+need broadcast replies set a flag in their requests so that this
+happens automatically, some old BOOTP clients do not.
+.TP
 .B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
 Set BOOTP options to be returned by the DHCP server. Server name and
 address are optional: if not provided, the name is left empty, and the
@@ -608,6 +735,57 @@ is providing a TFTP service (see
 If the optional network-id(s) are given,
 they must match for this configuration to be sent. Note that
 network-ids are prefixed by "net:" to distinguish them.
+.TP
+.B --pxe-service=[net:<network-id>,]<CSA>,<menu text>,<basename>|<bootservicetype>[,<server address>]
+Most uses of PXE boot-ROMS simply allow the PXE
+system to obtain an IP address and then download the file specified by
+.B dhcp-boot
+and execute it. However the PXE system is capable of more complex
+functions when supported by a suitable DHCP server.
+
+This specifies a boot option which may appear in a PXE boot menu. <CSA> is
+client system type, only services of the correct type will appear in a
+menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
+Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI; an
+integer may be used for other types. The
+parameter after the menu text may be a file name, in which case dnsmasq acts as a
+boot server and directs the PXE client to download the file by TFTP,
+either from itself (
+.B enable-tftp 
+must be set for this to work) or another TFTP server if the final IP
+address is given.
+Note that the "layer"
+suffix (normally ".0") is supplied by PXE, and should not be added to
+the basename. If an integer boot service type, rather than a basename
+is given, then the PXE client will search for a
+suitable boot service for that type on the network. This search may be done
+by multicast or broadcast, or direct to a server if its IP address is provided.  A boot service
+type of 0 is special, and will abort the net boot procedure and
+continue booting from local media.
+.TP
+.B --pxe-prompt=[net:<network-id>,]<prompt>[,<timeout>]
+Setting this provides a prompt to be displayed after PXE boot. If the
+timeout is given then after the
+timeout has elapsed with no keyboard input, the first available menu
+option will be automatically executed. If the timeout is zero then the first available menu
+item will be executed immediately. If 
+.B pxe-prompt
+is ommitted the system will wait for user input if there are multiple
+items in the menu, but boot immediately if
+there is only one. See
+.B pxe-service 
+for details of menu items.
+
+Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
+the network is responsible for allocating IP addresses, and dnsmasq
+simply provides the information given in 
+.B pxe-prompt
+and
+.B pxe-service
+to allow netbooting. This mode is enabled using the
+.B proxy
+keyword in
+.B dhcp-range.
 .TP  
 .B \-X, --dhcp-lease-max=<number>
 Limits dnsmasq to the specified maximum number of DHCP leases. The
@@ -621,13 +799,23 @@ It changes the behaviour from strict RFC compliance so that DHCP requests on
 unknown leases from unknown hosts are not ignored. This allows new hosts
 to get a lease without a tedious timeout under all circumstances. It also 
 allows dnsmasq to rebuild its lease database without each client needing to 
-reaquire a lease, if the database is lost.
+reacquire a lease, if the database is lost.
 .TP
-.B \-3, --bootp-dynamic
+.B --dhcp-alternate-port[=<server port>[,<client port>]]
+Change the ports used for DHCP from the default. If this option is
+given alone, without arguments, it changes the ports used for DHCP
+from 67 and 68 to 1067 and 1068. If a single argument is given, that
+port number is used for the server and the port number plus one used
+for the client. Finally, two port numbers allows arbitrary
+specification of both server and client ports for DHCP.
+.TP
+.B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
 Enable dynamic allocation of IP addresses to BOOTP clients. Use this
 with care, since each address allocated to a BOOTP client is leased
 forever, and therefore becomes permanently unavailable for re-use by
-other hosts.
+other hosts. if this is given without tags, then it unconditionally
+enables dynamic allocation. With tags, only when the tags are all
+set. It may be repeated with different tag sets. 
 .TP
 .B \-5, --no-ping
 By default, the DHCP server will attempt to ensure that an address in
@@ -641,31 +829,28 @@ Extra logging for DHCP: log all the options sent to DHCP clients and
 the netid tags used to determine them.
 .TP
 .B \-l, --dhcp-leasefile=<path>
-Use the specified file to store DHCP lease information. If this option
-is given but no dhcp-range option is given then dnsmasq version 1
-behaviour is activated. The file given is assumed to be an ISC dhcpd
-lease file and parsed for leases which are then added to the DNS
-system if they have a hostname. This functionality may have been
-excluded from dnsmasq at compile time, in which case an error will
-occur. In any case note that ISC leasefile integration is a deprecated
-feature. It should not be used in new installations, and will be
-removed in a future release.
+Use the specified file to store DHCP lease information.
 .TP 
 .B \-6 --dhcp-script=<path>
 Whenever a new DHCP lease is created, or an old one destroyed, the
-binary specified by this option is run. The arguments to the process
+executable specified by this option is run. The arguments to the process
 are "add", "old" or "del", the MAC
-address of the host (or "<null>"), the IP address, and the hostname,
+address of the host, the IP address, and the hostname,
 if known. "add" means a lease has been created, "del" means it has
 been destroyed, "old" is a notification of an existing lease when
 dnsmasq starts or a change to MAC address or hostname of an existing
 lease (also, lease length or expiry and client-id, if leasefile-ro is set).
-The process is run as root (assuming that dnsmasq was originally run as
+If the MAC address is from a network type other than ethernet,
+it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
+token ring. The process is run as root (assuming that dnsmasq was originally run as
 root) even if dnsmasq is configured to change UID to an unprivileged user.
 The environment is inherited from the invoker of dnsmasq, and if the
 host provided a client-id, this is stored in the environment variable
-DNSMASQ_CLIENT_ID. If the client provides vendor-class or user-class 
-information, these are provided in DNSMASQ_VENDOR_CLASS and 
+DNSMASQ_CLIENT_ID. If the fully-qualified domain name of the host is
+known, the domain part is stored in DNSMASQ_DOMAIN. 
+If the client provides vendor-class, hostname or user-class,
+ these are provided in DNSMASQ_VENDOR_CLASS
+DNSMASQ_SUPPLIED_HOSTNAME and 
 DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for
 "add" actions or "old" actions when a host resumes an existing lease,
 since these data are not held in dnsmasq's lease
@@ -677,8 +862,11 @@ always stored in DNSMASQ_TIME_REMAINING.
 If a lease used to have a hostname, which is
 removed, an "old" event is generated with the new state of the lease, 
 ie no name, and the former name is provided in the environment 
-variable DNSMASQ_OLD_HOSTNAME.
-All file decriptors are
+variable DNSMASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE stores the name of
+the interface on which the request arrived; this is not set for "old"
+actions when dnsmasq restarts. DNSMASQ_RELAY_ADDRESS is set if the client
+used a DHCP relay to contact dnsmasq and the IP address of the relay is known.
+All file descriptors are
 closed except stdin, stdout and stderr which are open to /dev/null
 (except in debug mode).
 The script is not invoked concurrently: if subsequent lease 
@@ -688,7 +876,10 @@ all existing leases as they are read from the lease file. Expired
 leases will be called with "del" and others with "old". <path>
 must be an absolute pathname, no PATH search occurs. When dnsmasq
 receives a HUP signal, the script will be invoked for existing leases
-with an "old " event. 
+with an "old " event.
+.TP
+.B --dhcp-scriptuser
+Specify the user as which to run the lease-change script. This defaults to root, but can be changed to another user using this flag. 
 .TP 
 .B \-9, --leasefile-ro
 Completely suppress use of the lease database file. The file will not
@@ -706,12 +897,13 @@ to the client-id and lease length and expiry time.
 .TP
 .B --bridge-interface=<interface>,<alias>[,<alias>]
 Treat DHCP request packets arriving at any of the <alias> interfaces
-as if they had arrived at <interface>. This option is only available
-on FreeBSD and Dragonfly BSD, and is necessary when using "old style" bridging, since
+as if they had arrived at <interface>. This option is necessary when
+using "old style" bridging on BSD platforms, since
 packets arrive at tap interfaces which don't have an IP address.
 .TP
-.B \-s, --domain=<domain>
-Specifies the domain for the DHCP server. This has two effects;
+.B \-s, --domain=<domain>[,<address range>]
+Specifies DNS domains for the DHCP server. Domains may be be given 
+unconditionally (without the IP range) or for limited IP ranges. This has two effects;
 firstly it causes the DHCP server to return the domain to any hosts
 which request it, and secondly it sets the domain which it is legal
 for DHCP-configured hosts to claim. The intention is to constrain
@@ -728,12 +920,33 @@ and have a machine whose DHCP hostname is "laptop". The IP address for that mach
 .B dnsmasq
 both as "laptop" and "laptop.thekelleys.org.uk". If the domain is
 given as "#" then the domain is read from the first "search" directive
-in /etc/resolv.conf (or equivalent). 
+in /etc/resolv.conf (or equivalent). The address range can be of the form
+<ip address>,<ip address> or <ip address>/<netmask> or just a single
+<ip address>. See 
+.B --dhcp-fqdn
+which can change the behaviour of dnsmasq with domains.
+.TP
+.B --dhcp-fqdn
+In the default mode, dnsmasq inserts the unqualified names of
+DHCP clients into the DNS. For this reason, the names must be unique,
+even if two clients which have the same name are in different
+domains. If a second DHCP client appears which has the same name as an
+existing client, the name is transfered to the new client. If 
+.B --dhcp-fqdn
+is set, this behaviour changes: the unqualified name is no longer
+put in the DNS, only the qualified name. Two DHCP clients with the
+same name may both keep the name, provided that the domain part is
+different (ie the fully qualified names differ.) To ensure that all
+names have a domain part, there must be at least 
+.B --domain 
+without an address specified when 
+.B --dhcp-fqdn 
+is set.
 .TP
 .B --enable-tftp
 Enable the TFTP server function. This is deliberately limited to that
-needed to net-boot a client: Only reading is allowed, and only in
-binary/octet mode. The tsize and blksize extensions are supported.
+needed to net-boot a client. Only reading is allowed; the tsize and
+blksize extensions are supported (tsize is only supported in octet mode).
 .TP
 .B --tftp-root=<directory>
 Look for files to transfer using TFTP relative to the given
@@ -768,21 +981,33 @@ one file descriptor for each concurrent TFTP connection and one
 file descriptor per unique file (plus a few others). So serving the
 same file simultaneously to n clients will use require about n + 10 file
 descriptors, serving different files simultaneously to n clients will
-require about (2*n) + 10 descriptors.
+require about (2*n) + 10 descriptors. If 
+.B --tftp-port-range
+is given, that can affect the number of concurrent connections.
 .TP
 .B --tftp-no-blocksize
 Stop the TFTP server from negotiating the "blocksize" option with a
 client. Some buggy clients request this option but then behave badly
 when it is granted.
+.TP
+.B --tftp-port-range=<start>,<end>
+A TFTP server listens on a well-known port (69) for connection initiation,
+but it also uses a dynamically-allocated port for each
+connection. Normally these are allocated by the OS, but this option
+specifies a range of ports for use by TFTP transfers. This can be
+useful when TFTP has to traverse a firewall. The start of the range
+cannot be lower than 1025 unless dnsmasq is running as root. The number
+of concurrent TFTP connections is limited by the size of the port range. 
 .TP  
 .B \-C, --conf-file=<file>
 Specify a different configuration file. The conf-file option is also allowed in
 configuration files, to include multiple configuration files.
 .TP
-.B \-7, --conf-dir=<directory>
+.B \-7, --conf-dir=<directory>[,<file-extension>......]
 Read all the files in the given directory as configuration
-files. Files whose names end in ~ or start with . or start and end
-with # are skipped. This flag may be given on the command
+files. If extension(s) are given, any files which end in those
+extensions are skipped. Any files whose names end in ~ or start with . or start and end
+with # are always skipped. This flag may be given on the command
 line or in a configuration file.
 .SH CONFIG FILE
 At startup, dnsmasq reads
@@ -800,8 +1025,8 @@ in the OPTIONS section but without the leading "--". Lines starting with # are c
 options which may only be specified once, the configuration file overrides 
 the command line.  Quoting is allowed in a config file:
 between " quotes the special meanings of ,:. and # are removed and the
-following escapes are allowed: \\\\ \\" \\t \\a \\b \\r and \\n. The later 
-corresponding to tab, bell, backspace, return and newline.
+following escapes are allowed: \\\\ \\" \\t \\e \\b \\r and \\n. The later 
+corresponding to tab, escape, backspace, return and newline.
 .SH NOTES
 When it receives a SIGHUP, 
 .B dnsmasq 
@@ -809,7 +1034,7 @@ clears its cache and then re-loads
 .I /etc/hosts
 and 
 .I /etc/ethers 
-and any file given by --dhcp-hostsfile.
+and any file given by --dhcp-hostsfile, --dhcp-optsfile or --addn-hosts.
 The dhcp lease change script is called for all
 existing DHCP leases. If 
 .B
@@ -821,10 +1046,12 @@ does NOT re-read the configuration file.
 .PP
 When it receives a SIGUSR1,
 .B dnsmasq 
-writes cache statistics to the system log. It writes the cache size,
+writes statistics to the system log. It writes the cache size,
 the number of names which have had to removed from the cache before
 they expired in order to make room for new names and the total number
-of names that have been inserted into the cache. In 
+of names that have been inserted into the cache. For each upstream
+server it gives the number of queries sent, and the number which
+resulted in an error. In 
 .B --no-daemon
 mode or when full logging is enabled (-q), a complete dump of the
 contents of the cache is made.
@@ -837,7 +1064,7 @@ will close and reopen the log file. Note that during this operation,
 dnsmasq will not be running as root. When it first creates the logfile
 dnsmasq changes the ownership of the file to the non-root user it will run
 as. Logrotate should be configured to create a new log file with
-the ownership which matches the exising one before sending SIGUSR2.
+the ownership which matches the existing one before sending SIGUSR2.
 If TCP DNS queries are in progress, the old logfile will remain open in
 child processes which are handling TCP queries and may continue to be
 written. There is a limit of 150 seconds, after which all existing TCP
@@ -918,6 +1145,9 @@ collects a set of valid network-id tags, one from the
 .B dhcp-range
 used to allocate the address, one from any matching 
 .B dhcp-host
+(and "known" if a dhcp-host matches) 
+the tag "bootp" for BOOTP requests, a tag whose name is the 
+name if the interface on which the request arrived,
 and possibly many from matching vendor classes and user
 classes sent by the DHCP client. Any 
 .B dhcp-option 
@@ -962,7 +1192,7 @@ normally if backgrounding is not enabled.
 2 - A problem with network access occurred (address in use, attempt
 to use privileged ports without permission).
 .PP
-3 - A problem occured with a filesystem operation (missing
+3 - A problem occurred with a filesystem operation (missing
 file/directory, permissions).
 .PP
 4 - Memory allocation failure.
@@ -1017,6 +1247,24 @@ or an additional hosts file. The list can be very long,
 dnsmasq has been tested successfully with one million names. That size
 file needs a 1GHz processor and about 60Mb of RAM.
 
+.SH INTERNATIONALISATION
+Dnsmasq can be compiled to support internationalisation. To do this,
+the make targets "all-i18n" and "install-i18n" should be used instead of
+the standard targets "all" and "install". When internationalisation
+is compiled in, dnsmasq will produce log messages in the local
+language and support internationalised domain names (IDN). Domain
+names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
+non-ASCII characters will be translated to the DNS-internal punycode
+representation. Note that
+dnsmasq determines both the language for messages and the assumed
+charset for configuration
+files from the LANG environment variable. This should be set to the system
+default value by the script which is responsible for starting
+dnsmasq. When editing the configuration files, be careful to do so
+using only the system-default locale and not user-specific one, since
+dnsmasq has no direct way of determining the charset in use, and must
+assume that it is the system default. 
+ 
 .SH FILES
 .IR /etc/dnsmasq.conf 
 

man/es/dnsmasq.8

@@ -17,9 +17,8 @@ resueltos. Tambi
 vía DHCP.
 .PP
 El servidor DHCP dnsmasq incluye soporte para asignación de direcciones
-estáticas, redes múltiples, DHCP-relay y especificadores de subredes
-RFC3011. Automáticamente envía un predeterminado sensible de opciones
-DHCP, y puede ser configurado para enviar cualquier opciones DHCP deseadas,
+estáticas y redes múltiples. Automáticamente envía un predeterminado sensible de
+opciones DHCP, y puede ser configurado para enviar cualquier opciones DHCP deseadas,
 incluyendo opciones encapsuladas por vendedores. Incluye un servidor seguro
 TFTP solo-lectura para permitir el inicio vía red/PXE de hosts DHCP. Tambíen
 incluye soporte para BOOTP.
@@ -33,13 +32,20 @@ archivo PID. En BSD, a menos que la librer
 la forma larga de las opciones no funciona en la línea de comandos,
 pero todavía es reconocida en el archivo de configuración.
 .TP
+.B --test
+Leer archivo(s) de configuración y revisar su sintaxis. Salir con código
+0 si todo está bien, o un código no-cero en cualquier otro caso. No
+iniciar dnsmasq.
+.TP
 .B \-h, --no-hosts
 No leer los nombres de hosts en /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<archivo>
 Archivo de hosts adicional. Leer el archivo especificado adicionalmente
 a /etc/hosts. Si se brinda -h, leer solo el archivo especificado. Esta
-opción puede ser repetida para más de un archivo de hosts adicional.
+opción puede ser repetida para más de un archivo de hosts adicional. Si
+un directorio es brindado, entonces leer todos los archivos contenidos en
+ese directorio.
 .TP
 .B \-E, --expand-hosts
 Agregar el dominio a nombres sencillos (sin punto) en /etc/hosts de la
@@ -55,6 +61,15 @@ cierto tiempo de vida (en segundos) para estas respuestas. Esto
 reduce la carga sobre el servidor al costo de que los clientes
 usaran datos añejos bajo algunas circunstancias.
 .TP
+.B --neg-ttl=<tiempo>
+Respuestas negativas desde servidores upstream normalmente contienen
+información time-to-live (tiempo de vida) en expedientes SOA que
+dnsmasq usa para hacer caché. Si las respuestas de servidores upstream
+omiten esta información, dnsmasq no mete la respuesta en el caché.
+Esta opción brinda un valor predeterminado para el time-to-live que
+dnsmasq usa para meter respuestas en el caché aún en la ausencia de
+un expediente SOA.
+.TP
 .B \-k, --keep-in-foreground
 No ir hacia el fondo al iniciar, pero aparte de eso ejecutar como
 normal. La intención de esto es para cuando dnsmasq es ejecutado
@@ -113,7 +128,8 @@ Mostrar el n
 .TP
 .B \-p, --port=<puerto>
 Escuchar en el puerto <puerto> en vez del puerto estándar DNS (53).
-Principalmente útil para debugging.
+Fijar esto a cero deshabilita completamente la función DNS, dejando
+solo DHCP y/o TFTP.
 .TP
 .B \-P, --edns-packet-max=<tamaño>
 Especificar el paquete UDP EDNS.0 más grande que es soportado por
@@ -122,12 +138,20 @@ m
 .TP
 .B \-Q, --query-port=<puerto>
 Enviar búsquedas outbound desde, y escuchar por respuestas en,
-el puerto UDP <puerto> en vez de usar uno escojido a la hora
-de inicio. Esto es útil para simplificar las reglas del firewall;
-sin esto, su firewall tendría que permitir conecciones desde
-servidores DNS foráneos hacia un rango de puertos UDP, o
-adaptarse dinámicamente al puerto siendo usado por la actual
-instancia de dnsmasq.
+el puerto UDP <puerto> en vez de usar puertos aleatorios. Nótese
+que usar esta opción hace que dnsmasq sea menos seguro contra
+ataques de spoofing DNS, pero puede ser más rápido y usar menos
+recursos.
+Fijar esta opción a zero hace que dnsmasq use un solo puerto,
+asignado por el sistema operativo (esto era el comportamiento
+predeterminado en versiones anteriores a 2.43).
+.TP
+.B --min-port=<puerto>
+No usar puertos menores a <puerto> como remitentes para búsquedas
+DNS outbound. Dnsmasq escoje puertos aleatorios como remitentes
+para búsquedas DNS outbound. Cuando esta opción es brindada, los
+puertos usados siempre serán mayores que el especificado. Esto es
+útil para sistemas detras de firewalls.
 .TP
 .B \-i, --interface=<nombre de interface>
 Escuchar solo en las interfaces especificadas. Dnsmasq automáticamente
@@ -207,15 +231,19 @@ privados (192.168.x.x, etc.) los cuales no se encuentren en
 /etc/hosts o en el archivo de arriendos DHCP es respondida con
 "dominio no existente" en vez de ser reenviada upstream.
 .TP
-.B \-V, --alias=<IP viejo>,<IP nuevo>[,<máscara>]
+.B \-V, --alias=[<IP viejo>]|[<IP inicio>-<IP final>],<IP nuevo>[,<máscara>]
 Modificar direcciones IPv4 retornadas desde servidores DNS upstream;
 <IP viejo> es remplazado con <IP nuevo>. Si la máscara opcional
 es brindada, entonces cualquier dirección que coincida con el
 <IP viejo> enmascarado será re-escrita. Así que, por ejemplo,
 .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 trazará 1.2.3.56 a 6.7.8.56
 y 1.2.3.67 a 6.7.8.67. Esto es lo que
-ruteadores Cisco PIX llaman "DNS doctoring".
-.TP 
+ruteadores Cisco PIX llaman "DNS doctoring". Si la dirección vieja es
+brindada como un rango, entonces solo direcciones en ese rango, y no
+la subred entera, son re-escritas. De tal manera que
+.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+relaciona 192.168.0.10->192.168.0.40 a 10.0.0.10->10.0.0.40
+.TP
 .B \-B, --bogus-nxdomain=<dirección IP>
 Transformar respuestas que contienen la dirección IP brindada a
 respuestas tipo "Dominio no existe". La intención de esto es actuar
@@ -263,6 +291,18 @@ cuales sabe que est
 probar cada búsqueda con cada servidor estrictamente en el orden
 que aparecen en /etc/resolv.conf
 .TP
+.B --all-servers
+Por predeterminado, cuando dnsmasq tiene más de un servidor upstream
+disponible, enviará búsquedas a solo un servidor. Fijar esta opción
+forza a dnsmasq a enviar todas las búsquedas a todos los servidores
+disponibles. La respuesta del servidor que responda primero será
+devuelta al solicitante original.
+.TP
+.B --stop-dns-rebind
+Denegar (y bitacorear) direcciones de servidores upstream que están
+dentro de rangos IP privados. Esto bloquea un ataque donde un navegador
+detrás de un firewall es usado para analizar máquinas en la red local.
+.TP
 .B \-n, --no-poll
 No revisar periodicamente a /etc/resolv.conf en busca de cambios.
 .TP
@@ -277,7 +317,7 @@ sin puntos o partes de dominios, a servidores upstream. Si el nombre
 no se conoce desde /etc/hosts o desde DHCP entonces una respuesta
 "no encontrado" es devuelta.
 .TP
-.B \-S, --local, --server=[/[<dominio>]/[dominio/]][<dirección IP>[#<puerto>][@<remitente>[#<puerto>]]]
+.B \-S, --local, --server=[/[<dominio>]/[dominio/]][<dirección IP>[#<puerto>][@<IP de remitente>|<interface>[#<puerto>]]
 Especificar la dirección IP de servidores upstream directamente. Fijar
 esta opción no suprime la lectura de /etc/resolv.conf, use -R para
 hacer eso. Si uno a más dominios opcionales son brindados, ese servidor
@@ -307,14 +347,19 @@ es un sin
 .B server
 para hacer los archivos de configuración mas claros en este caso.
 
-La segunda dirección IP opcional después del carácter @ le dice
-a dnsmasq como fijar la dirección de remitente de las búsquedas
-hacia este servidor DNS. Debe ser una dirección perteneciente a
-la máquina en la cual corre dnsmasq, de forma contraria esta
-línea de servidor será bitacoreada y después ignorada. La opción
-query-port es ignorada para cualquier servidores que tengan una
-dirección remitente especificada, pero el puerto puede ser
-especificado directamente como parte de la dirección remitente.
+El string opcional despues del carácter @ le dice a dnsmasq como fijar
+el remitente de las búsquedas hacia este servidor DNS. Debe ser una
+dirección IP, la cual debe ser perteneciente a la máquina en la cual
+corre dnsmasq, de forma contraria esta línea de servidor será bitacoreada
+y después ignorada, o un nombre de interface. Si un nombre de interface
+es brindado, entonces búsquedas hacia el servidor serán forzadas vía esa
+interface; si una dirección IP es brindada, entonces la dirección de
+remitente de las búsquedas será fijada a esa dirección.
+La etiqueta query-port es ignorada para cualquier servidores que tengan
+una dirección remitente especificada, pero el puerto puede ser
+especificado directamente como parte de la dirección remitente. Forzar
+búsquedas a una interface no está implementado en todas las plataformas
+soportadas por dnsmasq.
 .TP
 .B \-A, --address=/<dominio>/[dominio/]<dirección IP>
 Especificar una dirección IP para retornar por cualquier host en
@@ -376,8 +421,18 @@ comas.
 .B --ptr-record=<nombre>[,<target>]
 Retornar un récord DNS PTR.
 .TP
+.B --naptr-record=<nombre>,<orden>,<preferencia>,<opciones>,<servicio>,<regexp>[,<remplazo>]
+Retornar un récord DNS NAPTR, como especificado en RFC3403.
+.TP
+.B --cname=<cname>,<target>
+Retornar un expediente CNAME que indica que <cname> es realmente <target>. Hay
+limitaciones significativas en el target. Debe ser un nombre DNS que le es conocido
+a dnsmasq desde /etc/hosts (o archivos hosts adicionales) o de DHCP. Si el target
+no satisface este criterio, el cname entero es ignorado. El cname debe ser único,
+pero es permisible tener más de un cname indicando el mismo target.
+.TP
 .B --interface-name=<nombre>,<interface>
-Retornar un récord DNS, asociando el nombre con la dirección primaria
+Retornar un expediente DNS, asociando el nombre con la dirección primaria
 en la interface brindada. Esta opción especifica un expediente tipo A
 para el nombre brindado de la misma forma que una línea de /etc/hosts,
 excepto que la dirección no es constante y es en vez tomada de la
@@ -404,39 +459,43 @@ de casos. La
 es al usar resolvedores de bitácoras de servidores web, los cuales pueden
 generar un número inmenso de búsquedas simultáneas.
 .TP
-.B \-F, --dhcp-range=[[net:]network-id,]<dirección-inicio>,<dirección-final>[[,<máscara>],<broadcast>][,<tiempo de arriendo predeterminado>]
+.B \-F, --dhcp-range=[[net:]network-id,]<dirección-inicio>,<dirección-final>[[,<máscara>],<broadcast>][,<tiempo de arriendo>]
 Habilitar el servidor DHCP. Direcciones serán distribuidas desde el
 rango <dirección-inicio> hasta <dirección-final> y desde direcciones definidas
 estáticamente en opciones
 .B dhcp-host
 Si el tiempo de arriendo es especificado, entonces arriendos serán
 otorgados por esa cantidad de tiempo. El tiempo de arriendo es en
-segundos, o minutos (por ejemplo, 45m), o horas (por ejemplo, 1h), o el
-literal "infinite". Esta opción puede ser repetida, con diferentes
+segundos, o minutos (por ejemplo, 45m), u horas (por ejemplo, 1h), o
+"infinite". Si no es brindada, el tiempo de arriendo predeterminado
+es de una hora. El tiempo de arriendo mínimo es de dos minutos.
+Esta opción puede ser repetida, con diferentes
 direcciones, para habilitar servicio DHCP en más de una red. Para
 redes conectadas diréctamente (en otras palabras, redes en las
 cuales la máquina corriendo dnsmasq tiene una interface) la
 máscara de subred es opcional. Pero, es requerida para redes que
 reciben servicio DHCP vía un agente de relay. La dirección de
-broadcast siempre es opcional. En algunos sistemas rotos, dnsmasq
-solo puede escuchar en una interface cuando se usa DHCP, y el
-nombre de esa interface debe ser brindado usando la opción
-.B interface
-Esta limitación actualmente afecta a OpenBSD antes de versión 4.0.
-Siempre se permite tener más de un rango dhcp (dhcp-range) en una
-subred. El parámetro opcional network-id es una etiqueta alfanumérica
-la cual marca esta red de tal forma que opciones dhcp puedan ser
-especificadas en base a cada red.
+broadcast siempre es opcional. Siempre se permite tener más de
+un rango dhcp (dhcp-range) en una subred. El parámetro opcional
+network-id es una etiqueta alfanumérica la cual marca esta red de
+tal forma que opciones dhcp puedan ser especificadas en base a cada red.
 Cuando es prefijada con 'net:' entonces el significado cambia
 de "fijar etiqueta" a "coincidir con etiqueta". Solo una etiqueta puede
 ser fijada, pero más de una puede ser revisada por coincidencias. La
 dirección final puede ser remplazada por la palabra clave
 .B static
 la cual le dice a dnsmasq que debe habilitar DHCP para la red
-especificada, pero no alocar dinámicamente direcciones IP.
+especificada, pero no alocar dinámicamente direcciones IP:
 Solo hosts que tienen direcciones estáticas brindadas vía
 .B dhcp-host
-o desde /etc/ethers serán servidas.
+o desde /etc/ethers serán servidas. La dirección final puede ser
+remplazada por la palabra clave
+.B proxy
+caso en el cual dnsmasq proveerá proxy-DHCP en la subred especificada. (Ver
+.B pxe-prompt
+y
+.B pxe-service
+para detalles.)
 .TP
 .B \-G, --dhcp-host=[<dirección de hardware>][,id:<client_id>|*][,net:<netid>][,<dirección IP>][,<nombre de host>][,<tiempo de arriendo>][,ignore]
 Especificar parámetros por host para el servidor DHCP. Esto permite
@@ -462,9 +521,11 @@ hardware para identificar hosts prefijando 'id:'. O sea que:
 se refiere al host con identificador de cliente 01:02:03:04.
 También se permite especificar el ID de cliente como texto, así:
 .B --dhcp-host=id:iddeclientecomotexto,.....
+
 La opción especial id:* significa "ignorar cualquier ID de cliente
 y usar solamente direcciones MAC." Esto es útil cuando un cliente
 presenta un ID de cliente algunas veces pero otras no.
+
 Si un nombre aparece en /etc/hosts, la dirección asociada puede
 ser alocada a un arriendo DHCP, pero solo si existe una opción
 .B --dhcp-host
@@ -473,14 +534,16 @@ le dice a dnsmasq que no debe ofrecer jam
 una máquina. La máquina puede ser especificada por dirección de
 hardware, ID de cliente, o nombre de host, por ejemplo:
 .B --dhcp-host=00:20:e0:3b:13:af,ignore
-Esto es útil cuando hay otro servidor DHCP en la red para ser
-usado por algúnas máquinas. El net:<network-id> fija la etiqueta
-network-id cuando sea que esta directiva dhcp-host está en uso.
-Esto puede ser usado para enviar selectivamente opciones DHCP
-a este host. Cuando un host coincide con cualquier directiva
-dhcp-host (o una implicada por /etc/ethers) entonces la etiqueta
-network-id especial "known" es fijada. Esto permite que dnsmasq sea
-configurado para ignorar pedidos desde máquinas desconocidas usando
+Esto es útil cuando hay otro servidor DHCP en la red que debe ser
+usado por algúnas máquinas.
+
+El net:<network-id> fija la etiqueta network-id cuando sea que
+esta directiva dhcp-host está en uso. Esto puede ser usado para
+enviar selectivamente opciones DHCP a este host. Cuando un host
+coincide con cualquier directiva dhcp-host (o una implicada por
+/etc/ethers) entonces la etiqueta network-id especial "known" es
+fijada. Esto permite que dnsmasq sea configurado para ignorar
+pedidos desde máquinas desconocidas usando
 .B --dhcp-ignore=#known
 Direcciones ethernet (pero no client-ids) pueden tener bytes
 comodínes, así que por ejemplo
@@ -488,16 +551,34 @@ comod
 causará que dnsmasq ignore un rango de direcciones ethernet. Nótese
 que el "*" necesitará ser escapado o escrito entre comillas en la
 línea de comandos, pero no en el archivo de configuración.
+
 Direcciones de hardware normalmente coinciden con cualquier
 tipo de red (ARP), pero es posible restringirlas a un tipo ARP
 singular precediendolo con el tipo ARP (en HEX) y "-". Así que
 .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4
 solo coincidiría con una dirección de hardware Token-Ring, dado que
 el tipo ARP para Token-Ring es 6.
+
+Como caso especial, es posible incluir más de una dirección de
+hardware. Ejemplo:
+.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+Esto permite que una dirección IP sea asociada con
+direcciones de hardware múltiples, y le brinda a dnsmasq permiso
+para abandonar un arriendo DHCP a una de las direcciones de hardware
+cuando otra pide un arriendo. Nótese que esto es algo peligroso,
+sólo funcionará dependiblemente si una de las direcciones de hardware
+está activa en cualquier momento y dnsmasq no tiene forma de enforzar
+esto. Pero es útil, por ejemplo, para alocar una dirección IP estable
+a una laptop que tiene interface alámbrica e inalámbrica.
 .TP
 .B --dhcp-hostsfile=<archivo>
 Leer información host DHCP desde el archivo especificado. El archivo contiene información de un host por línea. El formato de una línea es igual que texto hacia la derecha de '=' en --dhcp-host. La ventaja de almacenar información host DHCP en este archivo es que puede ser cambiada sin tener que reiniciar dnsmasq. El archivo será re-leído cuando dnsmasq recibe un SIGHUP.
 .TP
+.B --dhcp-optsfile=<archivo>
+Leer información sobre opciones DHCP desde el archivo especificado. La
+ventaja de usar esta opción es la misma que con --dhcp-hostsfile: el
+archivo dhcp-optsfile será re-leído cuando dnsmasq recibe un SIGHUP.
+.TP
 .B \-Z, --read-ethers
 Leer /etc/ethers en busca de información sobre hosts para el servidor
 DHCP. El formato de /etc/ethers es una dirección de hardware, seguida
@@ -506,7 +587,7 @@ dnsmasq, estas l
 .B --dhcp-host
 que contienen la misma información. /etc/ethers es re-leída cuando dnsmasq recibe un SIGHUP.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
+.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
 Especificar opciones diferentes o extra a clientes DHCP. Por
 predeterminado, dnsmasq envía algunas opciones estándar a clientes
 DHCP. La máscara de subred y dirección broadcast son fijadas igual
@@ -569,17 +650,30 @@ vendor-class (n
 seleccionar opciones encapsuladas en preferencia sobre cualquiera enviada
 por el cliente. Es posible omitir el vendorclass completamente;
 .B --dhcp-option=vendor:,1,0.0.0.0
-caso en el cuál la opción encapsulada siempre es enviada. La dirección
-0.0.0.0 no es tratada de forma especial en opciones de clase de vendedor
-encapsuladas.
+caso en el cuál la opción encapsulada siempre es enviada.
+Opciones pueden ser encapsuladas dentro de otras opciones, por ejemplo:
+.B --dhcp-option=encap:175, 190, "iscsi-client0"
+enviará opción 175, dentro de la cual está opción 190. Si múltiples
+opciones son brindadas que están encapsuladas con el mismo número de
+opción entonces serán correctamente combinadas en una opción encapsulada.
+encap: y vendor: no pueden ser fijadas ambas dentro de la misma opción dhcp-option.
+La dirección 0.0.0.0 no es tratada de forma especial en opciones encapsuladas.
 .TP
-.B --dhcp-option-force=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+.B --dhcp-option-force=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 Esto funciona exáctamente de la misma forma que
 .B --dhcp-option
 excepto que la opción siempre será enviada, aún si el cliente no la pide en
 la lista de pedido de parámetros. Esto se necesita aveces, por ejemplo cuando
 enviando opciones a PXELinux.
 .TP
+.B --dhcp-no-override
+Deshabilitar la reutilización de los campos DHCP de nombre de servidor y
+archivo como espacio para opciones extra. Si puede, dnsmasq mueve la información
+del servidor boot y del nombre de archivo (de dhcp-boot) de sus campos dedicados
+hacia opciones DHCP. Esto crea espacio extra en el paquete DHCP para opciones,
+pero puede raramente confundir clientes viejos o defectuosos. Esta opción forza
+comportamiento "simple y sencillo" para prevenir problemas en tales casos.
+.TP
 .B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
 Trazar desde un string vendor-class a un network id. La mayoría de los
 clientes DHCP proveen una "vendor class" la cual representa, en cierto
@@ -619,6 +713,22 @@ network-id es fijado.
 .B --dhcp-subscrid=<network-id>,<subscriber-id>
 Trazar de opciones relay subscriber-id RFC3993 a opciones network-id.
 .TP
+.B --dhcp-match=<network-id>,<option number>|option:<option name>[,<value>]
+Sin un valor, fijar la etiqueta network-id si el cliente envía una opción
+DHCP del número o valor brindado. Cuando un valor es brindado, fijar la
+etiqueta solo si la opción es enviada y coincide con el valor. El valor puede
+ser de la forma "01:ff:*:02", caso en el cual el valor debe coincidir (aparte
+de los comodines) pero la opción enviada puede tener data que no coincide despues
+del final del valor. El valor también puede ser de la misma forma que
+.B dhcp-option
+caso en el cual la opción enviada es tratada como un array, y un elemento debe
+coincidir, así que
+
+--dhcp-match=efi-ia32,option:client-arch,6
+
+fijará la etiqueta a "efi-ia32" si el número 6 aparece en la lista de
+architecturas enviada por los clientes en opción 93. (Ver RFC 4578 para
+detalles.) Si el valor es un string, coincidencia substring es usada.
 .B \-J, --dhcp-ignore=<network-id>[,<network-id>]
 Cuando todos los network ids brindados coincidan con el juego de
 network ids derivados de las clases net, host, y vendor, ignorar
@@ -633,6 +743,14 @@ y en tal caso nombres de host proveidos por clientes DHCP siempre son
 ignorados, y hosts DHCP son agregados al DNS usando solo la configuración
 dhcp-host en dnsmasq y el contenido de /etc/hosts y /etc/ethers.
 .TP
+.B --dhcp-broadcast=<network-id>[,<network-id>]
+Cuando todos los network-ids brindados coinciden con el juego de network-ids
+derivados de la red, host, clases de vendedor y usuarios, siempre usar
+broadcast para comunicarse con el host cuando está sin configurar. La
+mayoría de clientes DHCP que necesitan respuestas broadcast fijan una
+opción en sus pedidos para que esto pase automaticamente, algunos
+clientes BOOTP viejos no lo hacen.
+.TP
 .B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
 Fijar opciones BOOTP que han de ser devueltas por el servidor DHCP. Nombre
 y dirección de servidor son opcionales: si no son brindadas, el nombre es
@@ -643,7 +761,58 @@ dnsmasq. Si dnsmasq est
 el inicio atravéz de una red. Si las opcionales network-ids son brindadas,
 ellas deberán coincidir para que esta configuración sea enviada. Nótese
 que network-ids están prefijadas con "net:" para distinguirlas.
-.TP  
+.TP
+.B --pxe-service=[net:<network-id>,]<CSA>,<texto de menú>,<nombre base>|<tipo de servicio boot>[,<dirección de servidor>]
+La mayoría de usos para boot-ROMS PXE simplemente permiten al sistema PXE
+obtener una dirección IP y entonces bajar el archivo especificado por
+.B dhcp-boot
+y ejecutarlo. Sin embargo, el sistema PXE es capaz de llevar
+a cabo funciones más complejas cuando están soportadas por un
+servidor DHCP adecuado.
+
+Esto especifica una opción boot que puede aparecer en un menú de boot
+PXE. <CSA> es tipo de sistema de cliente, solo servicios del tipo correcto
+aparecerán en un menú. Los tipos conocidos son x86PC, PC98, IA64_EFI,
+Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI y X86-64_EFI;
+un número entero puede ser utilizado para otros tipos. El parámetro después
+del texto de menú puede ser un nombre de archivo, caso en el cuál dnsmasq
+actúa como un servidor boot y le ordena al cliente PXE bajar el archivo
+vía TFTP, ya sea de sí mismo (
+.B enable-tftp
+debe estar fijado para que esto funcione) o desde otro servidor TFTP si la
+dirección IP final es brindada.
+Nótese que el sufijo "layer" (normalmente ".0") es brindado por PXE, y
+no debe ser agregado al nombre base. Si un número entero es brindado en vez
+de un nombre base, entonces el cliente PXE buscará un servicio boot adecuado
+para ese tipo de red. Esta búsqueda puede ser hecha mediante multicast o
+broadcast, o directamente a un servidor si la dirección IP es brindada. Un
+tipo de servicio boot de 0 es especial, y abortará el proceso boot de red
+y continuará desde medio local.
+.TP
+.B --pxe-prompt=[net:<network-id>,]<prompt>[,<timeout>]
+Fijar esto hace que un aviso sea expuesto despues del boot PXE. Si el timeout
+es brindado, entonces despues que el timeout se haya vencido sin input del
+teclado, la primera opción del menú sera automaticamente ejecutada. Si el
+timeout es cero entonces la primera opción del menú sera automaticamente
+ejecutada. Si
+.B pxe-prompt
+es omitido, el sistema esperará para el input del usuario si hay múltiples
+artículos en el menú, pero hará boot imediatamente si hay solo uno. Ver
+.B pxe-service
+para detalles sobre artículos de menu.
+
+Dnsmasq tiene soporte para "proxy-DHCP" PXE, en este caso otro servidor
+DHCP en la red es responsable por asignar direcciones IP, y dnsmasq
+simplemente provee la dirección brindada en
+.B pxe-prompt
+y
+.B pxe-service
+para permitir boot a travez de la red. Este modo es habilitado usando
+la palabra clave
+.B proxy
+en
+.B dhcp-range.
+.TP
 .B \-X, --dhcp-lease-max=<número>
 Limita a dnsmasq a el número especificado de arriendos DHCP. El
 predeterminado es 150. El limite es para prevenir ataques DoS desde
@@ -656,14 +825,25 @@ servidor DHCP en la red. Cambia el comportamiento de RFC de tal manera
 que pedidos desde hosts no conocidos no serán ignorados. Esto permite que
 hosts nuevos puedan conseguir un arriendo sin sin un timeout bajo toda
 circunstancia. También permite que dnsmasq reconstruya su base de datos
-de arriendos sin que cada cliente requiera un arriendo, si la base de datos
-es perdida.
+de arriendos sin que cada cliente necesite readquirir un arriendo
+si la base de datos es perdida.
 .TP
-.B \-3, --bootp-dynamic
+.B --dhcp-alternate-port[=<puerto de servidor>[,<puerto de cliente>]]
+Cambiar del predeterminado los puertos usados para DHCP. Si esta opción
+es brindada sola, sin argumentos, cambia los puertos usados para DHCP
+de 67 y 68 a 1067 y 1068. Si un solo argumento es brindado, ese puerto
+es usado para el servidor y el número de puerto mas uno es usado
+para el cliente. Finalmente, dos números permiten que se especifiquen
+ambos los puertos de servidor y cliente para DHCP.
+.TP
+.B \-3, --bootp-dynamic[=<network-id>[,<network-id>]]
 Habilitar alocación dinámica de direcciones IP a clientes BOOTP. Usar
 esto con cuidado, ya que cada dirección alocada a un cliente BOOTP
 es arrendada para siempre, y consecuentemente queda no-disponible
-para re-uso por otros hosts.
+para re-uso por otros hosts. Si esto es brindado sin etiquetas,
+entonces incondicionalmente habilita alocación dinámica. Con
+etiquetas, solo cuando todas las etiquetas están fijadas. Puede
+ser repetido con diferentes juegos de etiquetas.
 .TP
 .B \-5, --no-ping
 Por predetermindado, el servidor DHCP tratará de asegurarse que una
@@ -679,32 +859,28 @@ clientes DHCP y las etiquetas netid usadas para determinarlos.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Usar el archivo especificado para almacenar información de arriendos
-DHCP. Si esta opción es brindada, pero ninguna opcion dhcp-range es
-brindada, entonces se activa comportamiento tipo dnsmasq versión 1.
-El archivo brindado se asume es un archivo de arriendos dhcpd ISC y
-es analizado en busca de arriendos los cuales son agregados al sistema
-DNS si tienen un nombre de host. Esta funcionalidad pudo haber sido
-excluida de dnsmasq a la hora de compilación, y en tal caso ocurrirá
-un error. Nótese que la integración de archivos de
-arriendo ISC es una caracterísctica depreciada. No debería ser usada
-en instalaciones nuevas, y será eliminada en una versión futura.
+DHCP.
 .TP
 .B \-6 --dhcp-script=<path>
 Cuando un arriendo DHCP nuevo es creado, o uno viejo es
-destruido, el binario especificado por esta opción es ejecutado.
+destruido, el ejecutable especificado por esta opción es ejecutado.
 Los argumentos para el binario son "add", "old", o "del", la dirección
-MAC del host (o "<null>"), la dirección IP, y el hostname, si es
+MAC del host, la dirección IP, y el hostname, si es
 conocido. "add" significa que un arriendo ha sido creado, "del" que
 ha sido destruido, y "old" es una notificación de un arriendo existente
 cuando dnsmasq inicia o un cambio a una MAC o nombre host de un arriendo
 existente (también, tiempo de arriendo o vencimiento y client-id, si
-leasefile-ro está fijado). El proceso es ejecutado como root (asumiendo
-que dnsmasq fue originalmente ejecutado como root) aún si dnsmasq está
-configurado para cambiar su UID a un usuario sin privilegios.
+leasefile-ro está fijado). Si la dirección MAC es de un tipo de red
+que no es ethernet, tendrá el tipo de red precolocado, por ejemplo
+"06-01:23:45:67:89:ab" para token ring. El proceso es ejecutado como root
+(asumiendo que dnsmasq fue originalmente ejecutado como root) aún si dnsmasq
+está configurado para cambiar su UID a un usuario sin privilegios.
 El ambiente es heredado del usuario que ha invocado a dnsmasq, y si el
 host brindó un client-id, es almacenado en la variable de ambiente
-DNSMASQ_CLIENT_ID. Si el cliente brinda información de clase de vendedor
-o usuario, estos son brindados en las variables DNSMASQ_VENDOR_CLASS y
+DNSMASQ_CLIENT_ID. Si el dominio completamente calificado del host
+es conocido, la parte de dominio es almacenada en DNSMASQ_DOMAIN. Si
+el cliente brinda información de clase de vendedoro usuario,
+estos son brindados en las variables DNSMASQ_VENDOR_CLASS y
 DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn, pero solo para acciones "add"
 y "old" cuando un host resume un arriendo existente, dado a que estos
 datos no son almacenados en la base de datos de arriendos de dnsmasq.
@@ -716,7 +892,9 @@ es almacenado en DNSMASQ_TIME_REMAINING.
 Si un arriendo solía tener un nombre de host, el cual es removido, un
 evento "old" es generado con el nuevo estado del arriendo, (por ejemplo, sin
 nombre), y el nombre anterior es brindado en la variable de ambiente
-DNSMASQ_OLD_HOSTNAME.
+DNSMASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE almacena el nombre de la interface
+en la cual llegó el pedido; esto no es fijado para acciones "viejas"
+cuando dnsmasq re-inicia.
 Todos los descriptores de archivo están cerrados
 excepto stdin, stdout, y stderr los cuales están abiertos a /dev/null
 (excepto en modo debug).
@@ -729,6 +907,11 @@ con "del" y otros con "old". <path> debe ser un path absoluto, ninguna
 búsqueda PATH ocurre. Cuando dnsmasq recibe una señal HUP, el guión será
 invocado para arriendos existentes con un evento "old".
 .TP
+.B --dhcp-scriptuser
+Especificar el usuario como el cual se debe correr el archivo
+guión de cambio de arriendos. Este es root por predeterminado,
+pero puede ser cambiado a otro usuario mediante esta opción.
+.TP
 .B \-9, --leasefile-ro
 Suprimir completamente el uso del archivo de arriendos. El archivo no será
 creado, leído, ni escrito. Cambiar la manera en la cuál el archivo guión de
@@ -745,16 +928,16 @@ cuando hay cambios hechos a el client-id y tiempos de arriendo y vencimiento.
 .TP
 .B --bridge-interface=<nombre de interface>,<alias>[,<alias>]
 Tratar paquetes de pedidos DHCP que llegan a cualquiera de las interfaces <alias>
-como si hubieran llegado a la interface <nombre de interface>. Esta opción solo
-está disponible en FreeBSD y Dragonfly BSD, y es necesaria cuando se usan
-puentes "estilo viejo", ya que los paquetes llegan a interfaces tap que no
-tienen una dirección IP.
+como si hubieran llegado a la interface <nombre de interface>. Esta opción
+es necesaria al usar bridging estilo viejo en plataformas BSD, dado a que
+los paquetes llegan a interfaces tap que no tienen una dirección IP.
 .TP
-.B \-s, --domain=<dominio>
-Especifica el dominio para el servidor DHCP. Esto tiene dos efectos:
-Primeramente, causa que el servidor DHCP le devuelva el dominio a
-cualquier host que lo pida. Segundamente, fija el dominio para el cual
-es legal para hosts configurados mediante DHCP reclamar. La intención es
+.B \-s, --domain=<dominio>[,<rango de IPs>]
+Especifica los dominios DNS para el servidor DHCP. Dominios pueden ser
+brindados incondicionalmente (sin el rango de IPs) o para rangos limitados. Esto
+tiene dos efectos: Primeramente, causa que el servidor DHCP le devuelva el
+dominio a cualquier host que lo pida. Segundamente, fija el dominio para el
+cual es legal para hosts configurados mediante DHCP reclamar. La intención es
 restringir nombres de host para que un host no-confiado en la LAN no
 pueda proclamar su nombre vía DHCP, como por ejemplo "microsoft.com" y
 capturar tráfico no destinado a ella. Si ningún sufijo de dominio es
@@ -771,13 +954,34 @@ de esa m
 .B dnsmasq
 como "laptop" y "laptop.thekelleys.org.uk". Si el dominio es brindado
 como "#" entonces el dominio es leido desde la primera directiva search
-en /etc/resolv.conf (o equivalente).
+en /etc/resolv.conf (o equivalente). El rango de direcciones puede ser
+<dirección IP>,<dirección IP> or <dirección IP>/<máscara de subred>. Ver
+.B --dhcp-fqdn el cual puede cambiar el comportamiento de dnsmasq con
+dominios.
+.TP
+.B --dhcp-fqdn
+En el modo predeterminado, dnsmasq pone los nombres no-calificados
+de clientes DHCP en el DNS. Por esta razón, los nombres deben ser únicos,
+aún si dos clientes que tienen el mismo nombre están en dominios
+diferentes. Si un segundo cliente DHCP aparece el cual tiene el mismo
+nombre que un cliente existente, el nombre es transferido al cliente nuevo. Si
+.B --dhcp-fqdn
+está fijado, este comportamiento cambia: El nombre no-calificado
+no es puesto en el DNS, solo el nombre calificado. Dos clientes DHCP con
+el mismo nombre pueden ambos quedarse con el nombre, con tal que la parte
+de dominio sea diferente (o sea que los nombres completamente calificados
+difieran). Para asegurar que todos los nombres tengan una parte de dominio,
+debe haber al menos
+.B --domain
+sin una dirección especificada cuando
+.B --dhcp-fqdn
+está fijado.
 .TP
 .B --enable-tftp
 Habilitar la función de servidor TFTP. Esto está deliberadamente limitado
-a lo necesario para hacerle a un cliente un inicio vía red: solo lectura es
-permitida, y solo en modo binario/octeto. Las extensiones "tsize" y "blksize"
-están soportadas.
+a lo necesario para hacerle a un cliente un inicio vía red. Solo lectura es
+permitida; las extensiones tsize y blksize son soportadas (tsize solo es
+soportada en modo octeto).
 .TP
 .B --tftp-root=<directorio>
 Buscar, relativo al directorio brindado, archivos para transferir mediante el
@@ -812,13 +1016,25 @@ un descriptor de archivo por cada coneccion TFTP concurrente, y por archivo
 único (mas algunos otros). De tal manera que servirle el mismo archivo
 simultáneo a n clientes requerirá el uso de n + 10 descriptores de archivo,
 y servirles archivos diferentes simultáneamente requerirá (2*n) + 10
-descriptores.
+descriptores. Si
+.B --tftp-port-range
+es brindado, eso puede afectar el número de conexiones simultáneas.
 .TP
 .B --tftp-no-blocksize
 No permitir que el servidor negocie la opción "blocksize" con un cliente.
 Algunos clientes con errores piden esta opción pero se portán mal cuando se
 les brinda.
 .TP
+.B --tftp-port-range=<inicio>,<final>
+Un servidor TFTP escucha por inicios de conexión en un puerto bien conocido
+(69), pero tambien usa un puerto dinamicamente seleccionado para cada
+conexión. Normalmente estos son seleccionados por el sistema operativo,
+pero esta opción especifica un rango de puertos para ser usado por transferencias
+TFTP. Esto puede ser útil cuando TFTP tiene que pasar atraves de un firewall.
+El comienzo del rango no puede ser menor a 1025 a menos que dnsmasq esté corriendo
+como root. El número de conexiones simultáneas está limitado por el tamaño del
+rango de puertos.
+.TP
 .B \-C, --conf-file=<archivo>
 Especificar un archivo de configuración diferente. La opción conf-file
 también es permitida en archivos de configuración, para incluir múltiples
@@ -845,8 +1061,8 @@ y son ignoradas. Para opciones que solo pueden ser especificadas una
 sola vez, el archivo de configuración invalida la línea de comandos.
 Las comillas son permitidas en el archivo de configuración: entre comillas
 tipo " los significados especiales de ,:. y # son eliminados y los
-siguientes escapes son permitidos: \\\\ \\" \\t \\a \\b \\r y \\n. El
-último corresponde a tab, bell, backspace, return y newline.
+siguientes escapes son permitidos: \\\\ \\" \\t \\e \\b \\r y \\n.
+Corresponden a tab, escape, backspace, return y newline.
 .SH NOTAS
 Al recibir un SIGHUP
 .B dnsmasq 
@@ -854,7 +1070,8 @@ libera su cache y entonces recarga
 .I /etc/hosts
 y
 .I /etc/ethers
-al igual que cualquier archivo brindado con --dhcp-hostsfile.
+al igual que cualquier archivo brindado con --dhcp-hostsfile, --dhcp-optsfile,
+o --addn-hosts.
 El archivo guión de cambio de arriendos es llamado para todos los arriendos
 DHCP existentes. Si
 .B
@@ -866,10 +1083,12 @@ NO re-lee el archivo de configuraci
 .PP
 Al recibir un SIGUSR1,
 .B dnsmasq 
-escribe estadísticas de caché a la bitácora del sistema. Escribe el tamaño
+escribe estadísticas a la bitácora del sistema. Escribe el tamaño
 del caché, el numero de nombres que han tenido que ser removidos del
 caché antes de que vencieran para hacer espacio para nombres nuevos, y el
-número total de nombres que han sido insertados en el caché. En modo
+número total de nombres que han sido insertados en el caché. Para cada
+servidor upstream brinda el número de búsquedas enviadas, y el
+número que resultaron en error. En modo
 .B --no-daemon
 o cuando bitacoréo completo está habilitado (-q), una descarga completa de
 el contenido del caché es hecha.
@@ -962,9 +1181,11 @@ una del
 .B dhcp-range
 usado para alocar la dirección, una de cualquier
 .B dhcp-host
-que coincida, y posiblemente muchas de clases de vendedor y usuario
-que coinicdan que hayan sido enviadas por el cliente DHCP.
-Cualquier opción
+que coincida (y "known" si un dhcp-host coincide), la etiqueta "bootp"
+para pedidos BOOTP, una etiqueta cuyo nombre es el nombre de la
+interface donde llegó el pedido, y posiblemente muchas de clases
+de vendedor y usuario que coincidan que hayan sido enviadas por
+el cliente DHCP. Cualquier opción
 .B dhcp-option 
 que tenga etiquetas network-id será usada en preferencia de una opción
 .B dhcp-option,

src/bpf.c

@@ -1,20 +1,22 @@
-/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
-#ifndef HAVE_LINUX_NETWORK
-
-#include <net/bpf.h>
+#if defined(HAVE_BSD_NETWORK) || defined(HAVE_SOLARIS_NETWORK)
 
 static struct iovec ifconf = {
   .iov_base = NULL,
@@ -26,120 +28,6 @@ static struct iovec ifreq = {
   .iov_len = 0
 };
 
-void init_bpf(void)
-{
-  int i = 0;
-
-  while (1) 
-    {
-      /* useful size which happens to be sufficient */
-      if (expand_buf(&ifreq, sizeof(struct ifreq)))
-	{
-	  sprintf(ifreq.iov_base, "/dev/bpf%d", i++);
-	  if ((daemon->dhcp_raw_fd = open(ifreq.iov_base, O_RDWR, 0)) != -1)
-	    return;
-	}
-      if (errno != EBUSY)
-	die(_("cannot create DHCP BPF socket: %s"), NULL, EC_BADNET);
-    }	     
-}
-
-void send_via_bpf(struct dhcp_packet *mess, size_t len,
-		  struct in_addr iface_addr, struct ifreq *ifr)
-{
-   /* Hairy stuff, packet either has to go to the
-      net broadcast or the destination can't reply to ARP yet,
-      but we do know the physical address. 
-      Build the packet by steam, and send directly, bypassing
-      the kernel IP stack */
-  
-  struct ether_header ether; 
-  struct ip ip;
-  struct udphdr {
-    u16 uh_sport;               /* source port */
-    u16 uh_dport;               /* destination port */
-    u16 uh_ulen;                /* udp length */
-    u16 uh_sum;                 /* udp checksum */
-  } udp;
-  
-  u32 i, sum;
-  struct iovec iov[4];
-
-  /* Only know how to do ethernet on *BSD */
-  if (mess->htype != ARPHRD_ETHER || mess->hlen != ETHER_ADDR_LEN)
-    {
-      my_syslog(LOG_WARNING, _("DHCP request for unsupported hardware type (%d) received on %s"), 
-		mess->htype, ifr->ifr_name);
-      return;
-    }
-   
-  ifr->ifr_addr.sa_family = AF_LINK;
-  if (ioctl(daemon->dhcpfd, SIOCGIFADDR, ifr) < 0)
-    return;
-  
-  memcpy(ether.ether_shost, LLADDR((struct sockaddr_dl *)&ifr->ifr_addr), ETHER_ADDR_LEN);
-  ether.ether_type = htons(ETHERTYPE_IP);
-  
-  if (ntohs(mess->flags) & 0x8000)
-    {
-      memset(ether.ether_dhost, 255,  ETHER_ADDR_LEN);
-      ip.ip_dst.s_addr = INADDR_BROADCAST;
-    }
-  else
-    {
-      memcpy(ether.ether_dhost, mess->chaddr, ETHER_ADDR_LEN); 
-      ip.ip_dst.s_addr = mess->yiaddr.s_addr;
-    }
-  
-  ip.ip_p = IPPROTO_UDP;
-  ip.ip_src.s_addr = iface_addr.s_addr;
-  ip.ip_len = htons(sizeof(struct ip) + 
-		    sizeof(struct udphdr) +
-		    len) ;
-  ip.ip_hl = sizeof(struct ip) / 4;
-  ip.ip_v = IPVERSION;
-  ip.ip_tos = 0;
-  ip.ip_id = htons(0);
-  ip.ip_off = htons(0x4000); /* don't fragment */
-  ip.ip_ttl = IPDEFTTL;
-  ip.ip_sum = 0;
-  for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
-    sum += ((u16 *)&ip)[i];
-  while (sum>>16)
-    sum = (sum & 0xffff) + (sum >> 16);  
-  ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
-  
-  udp.uh_sport = htons(DHCP_SERVER_PORT);
-  udp.uh_dport = htons(DHCP_CLIENT_PORT);
-  if (len & 1)
-    ((char *)mess)[len] = 0; /* for checksum, in case length is odd. */
-  udp.uh_sum = 0;
-  udp.uh_ulen = sum = htons(sizeof(struct udphdr) + len);
-  sum += htons(IPPROTO_UDP);
-  for (i = 0; i < 4; i++)
-    sum += ((u16 *)&ip.ip_src)[i];
-  for (i = 0; i < sizeof(struct udphdr)/2; i++)
-    sum += ((u16 *)&udp)[i];
-  for (i = 0; i < (len + 1) / 2; i++)
-    sum += ((u16 *)mess)[i];
-  while (sum>>16)
-    sum = (sum & 0xffff) + (sum >> 16);
-  udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
-  
-  ioctl(daemon->dhcp_raw_fd, BIOCSETIF, ifr);
-  
-  iov[0].iov_base = &ether;
-  iov[0].iov_len = sizeof(ether);
-  iov[1].iov_base = &ip;
-  iov[1].iov_len = sizeof(ip);
-  iov[2].iov_base = &udp;
-  iov[2].iov_len = sizeof(udp);
-  iov[3].iov_base = mess;
-  iov[3].iov_len = len;
-
-  while (writev(daemon->dhcp_raw_fd, iov, 4) == -1 && retry_send());
-}
-
 int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 {
   char *ptr;
@@ -175,20 +63,24 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 	}
     }
   
-  for (ptr = ifc.ifc_buf; ptr < ifc.ifc_buf + ifc.ifc_len; ptr += len )
+  for (ptr = ifc.ifc_buf; ptr < (char *)(ifc.ifc_buf + ifc.ifc_len); ptr += len)
     {
       /* subsequent entries may not be aligned, so copy into
 	 an aligned buffer to avoid nasty complaints about 
 	 unaligned accesses. */
-#ifdef HAVE_SOCKADDR_SA_LEN
-      len = ((struct ifreq *)ptr)->ifr_addr.sa_len + IF_NAMESIZE;
-#else
+
       len = sizeof(struct ifreq);
+      
+#ifdef HAVE_SOCKADDR_SA_LEN
+      ifr = (struct ifreq *)ptr;
+      if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru))
+	len = ifr->ifr_addr.sa_len + offsetof(struct ifreq, ifr_ifru);
 #endif
+      
       if (!expand_buf(&ifreq, len))
 	goto err;
 
-      ifr = ifreq.iov_base;
+      ifr = (struct ifreq *)ifreq.iov_base;
       memcpy(ifr, ptr, len);
            
       if (ifr->ifr_addr.sa_family == AF_INET && ipv4_callback)
@@ -235,5 +127,128 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 
   return ret;
 }
+#endif
+
+
+#if defined(HAVE_BSD_NETWORK) && defined(HAVE_DHCP)
+#include <net/bpf.h>
+
+void init_bpf(void)
+{
+  int i = 0;
+
+  while (1) 
+    {
+      /* useful size which happens to be sufficient */
+      if (expand_buf(&ifreq, sizeof(struct ifreq)))
+	{
+	  sprintf(ifreq.iov_base, "/dev/bpf%d", i++);
+	  if ((daemon->dhcp_raw_fd = open(ifreq.iov_base, O_RDWR, 0)) != -1)
+	    return;
+	}
+      if (errno != EBUSY)
+	die(_("cannot create DHCP BPF socket: %s"), NULL, EC_BADNET);
+    }	     
+}
+
+void send_via_bpf(struct dhcp_packet *mess, size_t len,
+		  struct in_addr iface_addr, struct ifreq *ifr)
+{
+   /* Hairy stuff, packet either has to go to the
+      net broadcast or the destination can't reply to ARP yet,
+      but we do know the physical address. 
+      Build the packet by steam, and send directly, bypassing
+      the kernel IP stack */
+  
+  struct ether_header ether; 
+  struct ip ip;
+  struct udphdr {
+    u16 uh_sport;               /* source port */
+    u16 uh_dport;               /* destination port */
+    u16 uh_ulen;                /* udp length */
+    u16 uh_sum;                 /* udp checksum */
+  } udp;
+  
+  u32 i, sum;
+  struct iovec iov[4];
+
+  /* Only know how to do ethernet on *BSD */
+  if (mess->htype != ARPHRD_ETHER || mess->hlen != ETHER_ADDR_LEN)
+    {
+      my_syslog(MS_DHCP | LOG_WARNING, _("DHCP request for unsupported hardware type (%d) received on %s"), 
+		mess->htype, ifr->ifr_name);
+      return;
+    }
+   
+  ifr->ifr_addr.sa_family = AF_LINK;
+  if (ioctl(daemon->dhcpfd, SIOCGIFADDR, ifr) < 0)
+    return;
+  
+  memcpy(ether.ether_shost, LLADDR((struct sockaddr_dl *)&ifr->ifr_addr), ETHER_ADDR_LEN);
+  ether.ether_type = htons(ETHERTYPE_IP);
+  
+  if (ntohs(mess->flags) & 0x8000)
+    {
+      memset(ether.ether_dhost, 255,  ETHER_ADDR_LEN);
+      ip.ip_dst.s_addr = INADDR_BROADCAST;
+    }
+  else
+    {
+      memcpy(ether.ether_dhost, mess->chaddr, ETHER_ADDR_LEN); 
+      ip.ip_dst.s_addr = mess->yiaddr.s_addr;
+    }
+  
+  ip.ip_p = IPPROTO_UDP;
+  ip.ip_src.s_addr = iface_addr.s_addr;
+  ip.ip_len = htons(sizeof(struct ip) + 
+		    sizeof(struct udphdr) +
+		    len) ;
+  ip.ip_hl = sizeof(struct ip) / 4;
+  ip.ip_v = IPVERSION;
+  ip.ip_tos = 0;
+  ip.ip_id = htons(0);
+  ip.ip_off = htons(0x4000); /* don't fragment */
+  ip.ip_ttl = IPDEFTTL;
+  ip.ip_sum = 0;
+  for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
+    sum += ((u16 *)&ip)[i];
+  while (sum>>16)
+    sum = (sum & 0xffff) + (sum >> 16);  
+  ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
+  
+  udp.uh_sport = htons(daemon->dhcp_server_port);
+  udp.uh_dport = htons(daemon->dhcp_client_port);
+  if (len & 1)
+    ((char *)mess)[len] = 0; /* for checksum, in case length is odd. */
+  udp.uh_sum = 0;
+  udp.uh_ulen = sum = htons(sizeof(struct udphdr) + len);
+  sum += htons(IPPROTO_UDP);
+  sum += ip.ip_src.s_addr & 0xffff;
+  sum += (ip.ip_src.s_addr >> 16) & 0xffff;
+  sum += ip.ip_dst.s_addr & 0xffff;
+  sum += (ip.ip_dst.s_addr >> 16) & 0xffff;
+  for (i = 0; i < sizeof(struct udphdr)/2; i++)
+    sum += ((u16 *)&udp)[i];
+  for (i = 0; i < (len + 1) / 2; i++)
+    sum += ((u16 *)mess)[i];
+  while (sum>>16)
+    sum = (sum & 0xffff) + (sum >> 16);
+  udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
+  
+  ioctl(daemon->dhcp_raw_fd, BIOCSETIF, ifr);
+  
+  iov[0].iov_base = &ether;
+  iov[0].iov_len = sizeof(ether);
+  iov[1].iov_base = &ip;
+  iov[1].iov_len = sizeof(ip);
+  iov[2].iov_base = &udp;
+  iov[2].iov_len = sizeof(udp);
+  iov[3].iov_base = mess;
+  iov[3].iov_len = len;
+
+  while (writev(daemon->dhcp_raw_fd, iov, 4) == -1 && retry_send());
+}
 
 #endif
+
+

src/cache.c

@@ -1,19 +1,26 @@
-/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
 static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL;
-static struct crec *dhcp_spare = NULL, *new_chain = NULL;
+#ifdef HAVE_DHCP
+static struct crec *dhcp_spare = NULL;
+#endif
+static struct crec *new_chain = NULL;
 static int cache_inserted = 0, cache_live_freed = 0, insert_error;
 static union bigname *big_free = NULL;
 static int bignames_left, hash_size;
@@ -41,6 +48,7 @@ static const struct {
   { 25,  "KEY" },
   { 28,  "AAAA" },
   { 33,  "SRV" },
+  { 35,  "NAPTR" },
   { 36,  "KX" },
   { 37,  "CERT" },
   { 38,  "A6" },
@@ -59,7 +67,6 @@ static const struct {
 static void cache_free(struct crec *crecp);
 static void cache_unlink(struct crec *crecp);
 static void cache_link(struct crec *crecp);
-static char *record_source(struct hostsfile *add_hosts, int index);
 static void rehash(int size);
 static void cache_hash(struct crec *crecp);
 
@@ -219,7 +226,7 @@ char *cache_get_name(struct crec *crecp)
 {
   if (crecp->flags & F_BIGNAME)
     return crecp->name.bname->name;
-  else if (crecp->flags & F_DHCP) 
+  else if (crecp->flags & (F_DHCP | F_CONFIG)) 
     return crecp->name.namep;
   
   return crecp->name.sname;
@@ -355,10 +362,11 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
   struct crec *new;
   union bigname *big_name = NULL;
   int freed_all = flags & F_REVERSE;
+  int free_avail = 0;
 
-  log_query(flags | F_UPSTREAM, name, addr, 0, NULL, 0);
+  log_query(flags | F_UPSTREAM, name, addr, NULL);
 
-  /* CONFIG bit no needed except for logging */
+  /* CONFIG bit means something else when stored in cache entries */
   flags &= ~F_CONFIG;
 
   /* if previous insertion failed give up now. */
@@ -388,8 +396,19 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
     
     if (new->flags & (F_FORWARD | F_REVERSE))
       { 
+	/* If free_avail set, we believe that an entry has been freed.
+	   Bugs have been known to make this not true, resulting in
+	   a tight loop here. If that happens, abandon the
+	   insert. Once in this state, all inserts will probably fail. */
+	if (free_avail)
+	  {
+	    insert_error = 1;
+	    return NULL;
+	  }
+		
 	if (freed_all)
 	  {
+	    free_avail = 1; /* Must be free space now. */
 	    cache_scan_free(cache_get_name(new), &new->addr.addr, now, new->flags);
 	    cache_live_freed++;
 	  }
@@ -484,7 +503,8 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
       /* first search, look for relevant entries and push to top of list
 	 also free anything which has expired */
       struct crec *next, **up, **insert = NULL, **chainp = &ans;
-         
+      int ins_flags = 0;
+      
       for (up = hash_bucket(name), crecp = *up; crecp; crecp = next)
 	{
 	  next = crecp->hash_next;
@@ -506,20 +526,27 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 		      cache_link(crecp);
 		    }
 	      	      
-		  /* move all but the first entry up the hash chain
-		     this implements round-robin */
-		  if (!insert)
-		    {
-		      insert = up; 
-		      up = &crecp->hash_next; 
-		    }
-		  else
+		  /* Move all but the first entry up the hash chain
+		     this implements round-robin. 
+		     Make sure that re-ordering doesn't break the hash-chain
+		     order invariants. 
+		  */
+		  if (insert && (crecp->flags & (F_REVERSE | F_IMMORTAL)) == ins_flags)
 		    {
 		      *up = crecp->hash_next;
 		      crecp->hash_next = *insert;
 		      *insert = crecp;
 		      insert = &crecp->hash_next;
 		    }
+		  else
+		    {
+		      if (!insert)
+			{
+			  insert = up;
+			  ins_flags = crecp->flags & (F_REVERSE | F_IMMORTAL);
+			}
+		      up = &crecp->hash_next; 
+		    }
 		}
 	      else
 		/* case : not expired, incorrect entry. */
@@ -618,153 +645,231 @@ static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrl
 			    unsigned short flags, int index, int addr_dup)
 {
   struct crec *lookup = cache_find_by_name(NULL, cache->name.sname, 0, flags & (F_IPV4 | F_IPV6));
-  int i;
-  
+  int i, nameexists = 0;
+  struct cname *a;
+
   /* Remove duplicates in hosts files. */
-  if (lookup && (lookup->flags & F_HOSTS) &&
-      memcmp(&lookup->addr.addr, addr, addrlen) == 0)
-    free(cache);
-  else
+  if (lookup && (lookup->flags & F_HOSTS))
     {
-      /* Ensure there is only one address -> name mapping (first one trumps) 
-	 We do this by steam here, first we see if the address is the same as
-	 the last one we saw, which eliminates most in the case of an ad-block 
-	 file with thousands of entries for the same address.
-	 Then we search and bail at the first matching address that came from
-	 a HOSTS file. Since the first host entry gets reverse, we know 
-	 then that it must exist without searching exhaustively for it. */
-     
-      if (addr_dup)
-	flags &= ~F_REVERSE;
-      else
-	for (i=0; i<hash_size; i++)
-	  {
-	    for (lookup = hash_table[i]; lookup; lookup = lookup->hash_next)
-	      if ((lookup->flags & F_HOSTS) && 
-		  (lookup->flags & flags & (F_IPV4 | F_IPV6)) &&
-		  memcmp(&lookup->addr.addr, addr, addrlen) == 0)
-		{
-		  flags &= ~F_REVERSE;
-		  break;
-		}
-	    if (lookup)
+      nameexists = 1;
+      if (memcmp(&lookup->addr.addr, addr, addrlen) == 0)
+	{
+	  free(cache);
+	  return;
+	}
+    }
+  
+  /* Ensure there is only one address -> name mapping (first one trumps) 
+     We do this by steam here, first we see if the address is the same as
+     the last one we saw, which eliminates most in the case of an ad-block 
+     file with thousands of entries for the same address.
+     Then we search and bail at the first matching address that came from
+     a HOSTS file. Since the first host entry gets reverse, we know 
+     then that it must exist without searching exhaustively for it. */
+  
+  if (addr_dup)
+    flags &= ~F_REVERSE;
+  else
+    for (i=0; i<hash_size; i++)
+      {
+	for (lookup = hash_table[i]; lookup; lookup = lookup->hash_next)
+	  if ((lookup->flags & F_HOSTS) && 
+	      (lookup->flags & flags & (F_IPV4 | F_IPV6)) &&
+	      memcmp(&lookup->addr.addr, addr, addrlen) == 0)
+	    {
+	      flags &= ~F_REVERSE;
 	      break;
-	  }
+	    }
+	if (lookup)
+	  break;
+      }
+  
+  cache->flags = flags;
+  cache->uid = index;
+  memcpy(&cache->addr.addr, addr, addrlen);
+  cache_hash(cache);
+  
+  /* don't need to do alias stuff for second and subsequent addresses. */
+  if (!nameexists)
+    for (a = daemon->cnames; a; a = a->next)
+      if (hostname_isequal(cache->name.sname, a->target) &&
+	  (lookup = whine_malloc(sizeof(struct crec))))
+	{
+	  lookup->flags = F_FORWARD | F_IMMORTAL | F_CONFIG | F_HOSTS | F_CNAME;
+	  lookup->name.namep = a->alias;
+	  lookup->addr.cname.cache = cache;
+	  lookup->addr.cname.uid = index;
+	  cache_hash(lookup);
+	}
+}
+
+static int eatspace(FILE *f)
+{
+  int c, nl = 0;
+
+  while (1)
+    {
+      if ((c = getc(f)) == '#')
+	while (c != '\n' && c != EOF)
+	  c = getc(f);
       
-      cache->flags = flags;
-      cache->uid = index;
-      memcpy(&cache->addr.addr, addr, addrlen);
-      cache_hash(cache);
+      if (c == EOF)
+	return 1;
+
+      if (!isspace(c))
+	{
+	  ungetc(c, f);
+	  return nl;
+	}
+
+      if (c == '\n')
+	nl = 1;
+    }
+}
+	 
+static int gettok(FILE *f, char *token)
+{
+  int c, count = 0;
+ 
+  while (1)
+    {
+      if ((c = getc(f)) == EOF)
+	return (count == 0) ? EOF : 1;
+
+      if (isspace(c) || c == '#')
+	{
+	  ungetc(c, f);
+	  return eatspace(f);
+	}
+      
+      if (count < (MAXDNAME - 1))
+	{
+	  token[count++] = c;
+	  token[count] = 0;
+	}
     }
 }
 
-static int read_hostsfile(char *filename, int opts, char *buff, char *domain_suffix, int index, int cache_size)
+static int read_hostsfile(char *filename, int index, int cache_size)
 {  
   FILE *f = fopen(filename, "r");
-  char *line;
+  char *token = daemon->namebuff, *domain_suffix = NULL;
   int addr_count = 0, name_count = cache_size, lineno = 0;
-  unsigned short flags, saved_flags = 0;
+  unsigned short flags = 0, saved_flags = 0;
   struct all_addr addr, saved_addr;
+  int atnl, addrlen = 0, addr_dup;
 
   if (!f)
     {
       my_syslog(LOG_ERR, _("failed to load names from %s: %s"), filename, strerror(errno));
       return 0;
     }
-    
-  while ((line = fgets(buff, MAXDNAME, f)))
+  
+  eatspace(f);
+  
+  while ((atnl = gettok(f, token)) != EOF)
     {
-      char *token = strtok(line, " \t\n\r");
-      int addrlen, addr_dup = 0;
-              
+      addr_dup = 0;
       lineno++;
-
-      if (!token || (*token == '#')) 
-	continue;
-
+      
 #ifdef HAVE_IPV6      
       if (inet_pton(AF_INET, token, &addr) > 0)
 	{
 	  flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4;
 	  addrlen = INADDRSZ;
+	  domain_suffix = get_domain(addr.addr.addr4);
 	}
       else if (inet_pton(AF_INET6, token, &addr) > 0)
 	{
 	  flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6;
 	  addrlen = IN6ADDRSZ;
+	  domain_suffix = daemon->domain_suffix;
 	}
 #else 
-     if ((addr.addr.addr4.s_addr = inet_addr(token)) != (in_addr_t) -1)
-        {
-          flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4;
-          addrlen = INADDRSZ;
+      if ((addr.addr.addr4.s_addr = inet_addr(token)) != (in_addr_t) -1)
+	{
+	  flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4;
+	  addrlen = INADDRSZ;
+	  domain_suffix = get_domain(addr.addr.addr4);
 	}
 #endif
       else
 	{
 	  my_syslog(LOG_ERR, _("bad address at %s line %d"), filename, lineno); 
+	  while (atnl == 0)
+	    atnl = gettok(f, token);
 	  continue;
 	}
+      
+      if (saved_flags == flags && memcmp(&addr, &saved_addr, addrlen) == 0)
+	addr_dup = 1;
+      else
+	{
+	  saved_flags = flags;
+	  saved_addr = addr;
+	}
+      
+      addr_count++;
+      
+      /* rehash every 1000 names. */
+      if ((name_count - cache_size) > 1000)
+	{
+	  rehash(name_count);
+	  cache_size = name_count;
+	} 
+      
+      while (atnl == 0)
+	{
+	  struct crec *cache;
+	  int fqdn, nomem;
+	  char *canon;
+	  
+	  if ((atnl = gettok(f, token)) == EOF)
+	    break;
+
+	  fqdn = !!strchr(token, '.');
+
+	  if ((canon = canonicalise(token, &nomem)))
+	    {
+	      /* If set, add a version of the name with a default domain appended */
+	      if ((daemon->options & OPT_EXPAND) && domain_suffix && !fqdn && 
+		  (cache = whine_malloc(sizeof(struct crec) + 
+					strlen(canon)+2+strlen(domain_suffix)-SMALLDNAME)))
+		{
+		  strcpy(cache->name.sname, canon);
+		  strcat(cache->name.sname, ".");
+		  strcat(cache->name.sname, domain_suffix);
+		  add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
+		  addr_dup = 1;
+		  name_count++;
+		}
+	      if ((cache = whine_malloc(sizeof(struct crec) + strlen(canon)+1-SMALLDNAME)))
+		{
+		  strcpy(cache->name.sname, canon);
+		  add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
+		  name_count++;
+		}
+	      free(canon);
+	      
+	    }
+	  else if (!nomem)
+	    my_syslog(LOG_ERR, _("bad name at %s line %d"), filename, lineno); 
+	}
+    } 
 
-     if (saved_flags == flags && memcmp(&addr, &saved_addr, addrlen) == 0)
-       addr_dup = 1;
-     else
-       {
-	 saved_flags = flags;
-	 saved_addr = addr;
-       }
-     
-     addr_count++;
-     
-     /* rehash every 1000 names. */
-     if ((name_count - cache_size) > 1000)
-       {
-	 rehash(name_count);
-	 cache_size = name_count;
-       }
-     
-     while ((token = strtok(NULL, " \t\n\r")) && (*token != '#'))
-       {
-	 struct crec *cache;
-	 int fqdn = !!strchr(token, '.');
-	 if (canonicalise(token))
-	   {
-	     /* If set, add a version of the name with a default domain appended */
-	     if ((opts & OPT_EXPAND) && domain_suffix && !fqdn && 
-		 (cache = whine_malloc(sizeof(struct crec) + 
-				       strlen(token)+2+strlen(domain_suffix)-SMALLDNAME)))
-	       {
-		 strcpy(cache->name.sname, token);
-		 strcat(cache->name.sname, ".");
-		 strcat(cache->name.sname, domain_suffix);
-		 add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
-		 addr_dup = 1;
-		 name_count++;
-	       }
-	     if ((cache = whine_malloc(sizeof(struct crec) + strlen(token)+1-SMALLDNAME)))
-	       {
-		 strcpy(cache->name.sname, token);
-		 add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
-		 name_count++;
-	       }
-	   }
-	 else
-	   my_syslog(LOG_ERR, _("bad name at %s line %d"), filename, lineno); 
-       }
-    }
-  
   fclose(f);
   rehash(name_count);
-
+  
   my_syslog(LOG_INFO, _("read %s - %d addresses"), filename, addr_count);
-
+  
   return name_count;
 }
 	    
-void cache_reload(int opts, char *buff, char *domain_suffix, struct hostsfile *addn_hosts)
+void cache_reload(void)
 {
   struct crec *cache, **up, *tmp;
   int i, total_size = daemon->cachesize;
+  struct hostsfile *ah;
 
   cache_inserted = cache_live_freed = 0;
   
@@ -791,22 +896,125 @@ void cache_reload(int opts, char *buff, char *domain_suffix, struct hostsfile *a
 	  up = &cache->hash_next;
       }
   
-  if ((opts & OPT_NO_HOSTS) && !addn_hosts)
+  if ((daemon->options & OPT_NO_HOSTS) && !daemon->addn_hosts)
     {
       if (daemon->cachesize > 0)
 	my_syslog(LOG_INFO, _("cleared cache"));
       return;
     }
 
-  if (!(opts & OPT_NO_HOSTS))
-    total_size = read_hostsfile(HOSTSFILE, opts, buff, domain_suffix, 0, total_size);
-  while (addn_hosts)
+  if (!(daemon->options & OPT_NO_HOSTS))
+    total_size = read_hostsfile(HOSTSFILE, 0, total_size);
+  
+  for (i = 0, ah = daemon->addn_hosts; ah; ah = ah->next)
     {
-      total_size = read_hostsfile(addn_hosts->fname, opts, buff, domain_suffix, addn_hosts->index, total_size);
-      addn_hosts = addn_hosts->next;
-    }  
+      if (i <= ah->index)
+	i = ah->index + 1;
+
+      if (ah->flags & AH_DIR)
+	ah->flags |= AH_INACTIVE;
+      else
+	ah->flags &= ~AH_INACTIVE;
+    }
+
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (!(ah->flags & AH_INACTIVE))
+      {
+	struct stat buf;
+	if (stat(ah->fname, &buf) != -1 && S_ISDIR(buf.st_mode))
+	  {
+	    DIR *dir_stream;
+	    struct dirent *ent;
+	    
+	    /* don't read this as a file */
+	    ah->flags |= AH_INACTIVE;
+	    
+	    if (!(dir_stream = opendir(ah->fname)))
+	      my_syslog(LOG_ERR, _("cannot access directory %s: %s"), 
+			ah->fname, strerror(errno));
+	    else
+	      {
+		while ((ent = readdir(dir_stream)))
+		  {
+		    size_t lendir = strlen(ah->fname);
+		    size_t lenfile = strlen(ent->d_name);
+		    struct hostsfile *ah1;
+		    char *path;
+		    
+		    /* ignore emacs backups and dotfiles */
+		    if (lenfile == 0 || 
+			ent->d_name[lenfile - 1] == '~' ||
+			(ent->d_name[0] == '#' && ent->d_name[lenfile - 1] == '#') ||
+			ent->d_name[0] == '.')
+		      continue;
+		    
+		    /* see if we have an existing record.
+		       dir is ah->fname 
+		       file is ent->d_name
+		       path to match is ah1->fname */
+
+		    for (ah1 = daemon->addn_hosts; ah1; ah1 = ah1->next)
+		      {
+			if (lendir < strlen(ah1->fname) &&
+			    strstr(ah1->fname, ah->fname) == ah1->fname &&
+			    ah1->fname[lendir] == '/' &&
+			    strcmp(ah1->fname + lendir + 1, ent->d_name) == 0)
+			  {
+			    ah1->flags &= ~AH_INACTIVE;
+			    break;
+			  }
+		      }
+		    
+		    /* make new record */
+		    if (!ah1)
+		      {
+			if (!(ah1 = whine_malloc(sizeof(struct hostsfile))))
+			  continue;
+			
+			if (!(path = whine_malloc(lendir + lenfile + 2)))
+			  {
+			    free(ah1);
+			    continue;
+			  }
+		      	
+			strcpy(path, ah->fname);
+			strcat(path, "/");
+			strcat(path, ent->d_name);
+			ah1->fname = path;
+			ah1->index = i++;
+			ah1->flags = AH_DIR;
+			ah1->next = daemon->addn_hosts;
+			daemon->addn_hosts = ah1;
+		      }
+		    
+		    /* inactivate record if not regular file */
+		    if ((ah1->flags & AH_DIR) && stat(ah1->fname, &buf) != -1 && !S_ISREG(buf.st_mode))
+		      ah1->flags |= AH_INACTIVE; 
+
+		  }
+		closedir(dir_stream);
+	      }
+	  }
+      }
+	    
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (!(ah->flags & AH_INACTIVE))
+      total_size = read_hostsfile(ah->fname, ah->index, total_size);
 } 
 
+char *get_domain(struct in_addr addr)
+{
+  struct cond_domain *c;
+
+  for (c = daemon->cond_domain; c; c = c->next)
+    if (ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
+        ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+      return c->domain;
+
+  return daemon->domain_suffix;
+}
+
+#ifdef HAVE_DHCP
 void cache_unhash_dhcp(void)
 {
   struct crec *cache, **up;
@@ -827,14 +1035,14 @@ void cache_unhash_dhcp(void)
 void cache_add_dhcp_entry(char *host_name, 
 			  struct in_addr *host_address, time_t ttd) 
 {
-  struct crec *crec;
+  struct crec *crec = NULL, *aliasc;
   unsigned short flags =  F_DHCP | F_FORWARD | F_IPV4 | F_REVERSE;
-
-  if (!host_name)
-    return;
-
-  if ((crec = cache_find_by_name(NULL, host_name, 0, F_IPV4 | F_CNAME)))
+  int in_hosts = 0;
+  struct cname *a;
+  
+  while ((crec = cache_find_by_name(crec, host_name, 0, F_IPV4 | F_CNAME)))
     {
+      /* check all addresses associated with name */
       if (crec->flags & F_HOSTS)
 	{
 	  if (crec->addr.addr.addr.addr4.s_addr != host_address->s_addr)
@@ -844,24 +1052,34 @@ void cache_add_dhcp_entry(char *host_name,
 			_("not giving name %s to the DHCP lease of %s because "
 			  "the name exists in %s with address %s"), 
 			host_name, inet_ntoa(*host_address),
-			record_source(daemon->addn_hosts, crec->uid), daemon->namebuff);
+			record_source(crec->uid), daemon->namebuff);
+	      return;
 	    }
-	  return;
+	  else
+	    /* if in hosts, don't need DHCP record */
+	    in_hosts = 1;
 	}
       else if (!(crec->flags & F_DHCP))
-	cache_scan_free(host_name, NULL, 0, crec->flags & (F_IPV4 | F_CNAME | F_FORWARD));
-    }
- 
-  if ((crec = cache_find_by_addr(NULL, (struct all_addr *)host_address, 0, F_IPV4)))
-    {
-      if (crec->flags & F_NEG)
-	cache_scan_free(NULL, (struct all_addr *)host_address, 0, F_IPV4 | F_REVERSE);
-      else
-	/* avoid multiple reverse mappings */
-	flags &= ~F_REVERSE;
+	{
+	  cache_scan_free(host_name, NULL, 0, crec->flags & (F_IPV4 | F_CNAME | F_FORWARD));
+	  /* scan_free deletes all addresses associated with name */
+	  break;
+	}
     }
+  
+   if (in_hosts)
+    return;
 
-  if ((crec = dhcp_spare))
+   if ((crec = cache_find_by_addr(NULL, (struct all_addr *)host_address, 0, F_IPV4)))
+     {
+       if (crec->flags & F_NEG)
+	 cache_scan_free(NULL, (struct all_addr *)host_address, 0, F_IPV4 | F_REVERSE);
+       else
+	 /* avoid multiple reverse mappings */
+	 flags &= ~F_REVERSE;
+     }
+   
+   if ((crec = dhcp_spare))
     dhcp_spare = dhcp_spare->next;
   else /* need new one */
     crec = whine_malloc(sizeof(struct crec));
@@ -875,17 +1093,69 @@ void cache_add_dhcp_entry(char *host_name,
 	crec->ttd = ttd;
       crec->addr.addr.addr.addr4 = *host_address;
       crec->name.namep = host_name;
+      crec->uid = uid++;
       cache_hash(crec);
+
+      for (a = daemon->cnames; a; a = a->next)
+	if (hostname_isequal(host_name, a->target))
+	  {
+	    if ((aliasc = dhcp_spare))
+	      dhcp_spare = dhcp_spare->next;
+	    else /* need new one */
+	      aliasc = whine_malloc(sizeof(struct crec));
+	    
+	    if (aliasc)
+	      {
+		aliasc->flags = F_FORWARD | F_CONFIG | F_DHCP | F_CNAME;
+		if (ttd == 0)
+		  aliasc->flags |= F_IMMORTAL;
+		else
+		  aliasc->ttd = ttd;
+		aliasc->name.namep = a->alias;
+		aliasc->addr.cname.cache = crec;
+		aliasc->addr.cname.uid = crec->uid;
+		cache_hash(aliasc);
+	      }
+	  }
     }
 }
+#endif
+
 
 void dump_cache(time_t now)
 {
-  my_syslog(LOG_INFO, _("time %lu, cache size %d, %d/%d cache insertions re-used unexpired cache entries."), 
-	    (unsigned long)now, daemon->cachesize, cache_live_freed, cache_inserted); 
+  struct server *serv, *serv1;
+
+  my_syslog(LOG_INFO, _("time %lu"), (unsigned long)now);
+  my_syslog(LOG_INFO, _("cache size %d, %d/%d cache insertions re-used unexpired cache entries."), 
+	    daemon->cachesize, cache_live_freed, cache_inserted);
+  my_syslog(LOG_INFO, _("queries forwarded %u, queries answered locally %u"), 
+	    daemon->queries_forwarded, daemon->local_answer);
+
+  if (!addrbuff && !(addrbuff = whine_malloc(ADDRSTRLEN)))
+    return;
+
+  /* sum counts from different records for same server */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    serv->flags &= ~SERV_COUNTED;
   
-  if ((daemon->options & (OPT_DEBUG | OPT_LOG)) &&
-      (addrbuff || (addrbuff = whine_malloc(ADDRSTRLEN))))
+  for (serv = daemon->servers; serv; serv = serv->next)
+    if (!(serv->flags & (SERV_NO_ADDR | SERV_LITERAL_ADDRESS | SERV_COUNTED)))
+      {
+	int port;
+	unsigned int queries = 0, failed_queries = 0;
+	for (serv1 = serv; serv1; serv1 = serv1->next)
+	  if (!(serv1->flags & (SERV_NO_ADDR | SERV_LITERAL_ADDRESS | SERV_COUNTED)) && sockaddr_isequal(&serv->addr, &serv1->addr))
+	    {
+	      serv1->flags |= SERV_COUNTED;
+	      queries += serv1->queries;
+	      failed_queries += serv1->failed_queries;
+	    }
+	port = prettyprint_addr(&serv->addr, addrbuff);
+	my_syslog(LOG_INFO, _("server %s#%d: queries sent %u, retried or failed %u"), addrbuff, port, queries, failed_queries);
+      }
+  
+  if ((daemon->options & (OPT_DEBUG | OPT_LOG)))
     {
       struct crec *cache ;
       int i;
@@ -940,28 +1210,34 @@ void dump_cache(time_t now)
     }
 }
 
-static char *record_source(struct hostsfile *addn_hosts, int index)
+char *record_source(int index)
 {
-  char *source = HOSTSFILE;
-  while (addn_hosts)
-    { 
-      if (addn_hosts->index == index)
-	{
-	  source = addn_hosts->fname;
-	  break;
-	}
-      addn_hosts = addn_hosts->next;
-    }
+  struct hostsfile *ah;
 
-  return source;
+  if (index == 0)
+    return HOSTSFILE;
+
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (ah->index == index)
+      return ah->fname;
+  
+  return "<unknown>";
 }
 
-void log_query(unsigned short flags, char *name, struct all_addr *addr, 
-	       unsigned short type, struct hostsfile *addn_hosts, int index)
+void querystr(char *str, unsigned short type)
+{
+  unsigned int i;
+  
+  sprintf(str, "query[type=%d]", type); 
+  for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+    if (typestr[i].type == type)
+      sprintf(str,"query[%s]", typestr[i].name);
+}
+
+void log_query(unsigned short flags, char *name, struct all_addr *addr, char *arg)
 {
   char *source, *dest = addrbuff;
   char *verb = "is";
-  char types[20];
   
   if (!(daemon->options & OPT_LOG))
     return;
@@ -988,38 +1264,36 @@ void log_query(unsigned short flags, char *name, struct all_addr *addr,
 	{
 	  if (flags & F_IPV4)
 	    dest = "NXDOMAIN-IPv4";
-	  else 
-	    dest = "NXDOMAIN-IPv6"; 
+	  else if (flags & F_IPV6)
+	    dest = "NXDOMAIN-IPv6";
+	  else
+	    dest = "NXDOMAIN";
 	}
       else
 	{      
 	  if (flags & F_IPV4)
 	    dest = "NODATA-IPv4";
-	  else 
+	  else if (flags & F_IPV6)
 	    dest = "NODATA-IPv6";
+	  else
+	    dest = "NODATA";
 	}
     }
   else if (flags & F_CNAME)
     {
-      /* nasty abuse of IPV4 and IPV6 flags */
-      if (flags & F_IPV4)
-	dest = "<MX>";
-      else if (flags & F_IPV6)
-	dest = "<SRV>";
-      else if (flags & F_NXDOMAIN)
-	dest = "<TXT>";
-      else if (flags & F_BIGNAME)
-	dest = "<PTR>";
+      /* nasty abuse of NXDOMAIN and CNAME flags */
+      if (flags & F_NXDOMAIN)
+	dest = arg;
       else
 	dest = "<CNAME>";
     }
     
-  if (flags & F_DHCP)
+  if (flags & F_CONFIG)
+    source = "config";
+  else if (flags & F_DHCP)
     source = "DHCP";
   else if (flags & F_HOSTS)
-    source = record_source(addn_hosts, index);
-  else if (flags & F_CONFIG)
-    source = "config";
+    source = arg;
   else if (flags & F_UPSTREAM)
     source = "reply";
   else if (flags & F_SERVER)
@@ -1029,16 +1303,7 @@ void log_query(unsigned short flags, char *name, struct all_addr *addr,
     }
   else if (flags & F_QUERY)
     {
-      unsigned int i;
-      
-      if (type != 0)
-        {
-          sprintf(types, "query[type=%d]", type); 
-          for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
-	    if (typestr[i].type == type)
-	      sprintf(types,"query[%s]", typestr[i].name);
-	}
-      source = types;
+      source = arg;
       verb = "from";
     }
   else

src/config.h

@@ -1,22 +1,29 @@
-/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define VERSION "2.40"
+#define VERSION "2.51"
 
 #define FTABSIZ 150 /* max number of outstanding requests (default) */
 #define MAX_PROCS 20 /* max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define EDNS_PKTSZ 1280 /* default max EDNS.0 UDP packet from RFC2671 */
 #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
+#define FORWARD_TEST 50 /* try all servers every 50 queries */
+#define FORWARD_TIME 10 /* or 10 seconds */
+#define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
 #define CACHESIZ 150 /* default cache size */
 #define MAXLEASES 150 /* maximum number of DHCP leases */
@@ -33,24 +40,37 @@
 #  define RESOLVFILE "/etc/resolv.conf"
 #endif
 #define RUNFILE "/var/run/dnsmasq.pid"
-#if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__)
-#   define LEASEFILE "/var/db/dnsmasq.leases"
-#else
-#   define LEASEFILE "/var/lib/misc/dnsmasq.leases"
+
+#ifndef LEASEFILE
+#   if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__) || defined(__NetBSD__)
+#      define LEASEFILE "/var/db/dnsmasq.leases"
+#   elif defined(__sun__) || defined (__sun)
+#      define LEASEFILE "/var/cache/dnsmasq.leases"
+#   else
+#      define LEASEFILE "/var/lib/misc/dnsmasq.leases"
+#   endif
 #endif
-#if defined(__FreeBSD__)
-#   define CONFFILE "/usr/local/etc/dnsmasq.conf"
-#else
-#   define CONFFILE "/etc/dnsmasq.conf"
+
+#ifndef CONFFILE
+#   if defined(__FreeBSD__)
+#      define CONFFILE "/usr/local/etc/dnsmasq.conf"
+#   else
+#      define CONFFILE "/etc/dnsmasq.conf"
+#   endif
 #endif
+
 #define DEFLEASE 3600 /* default lease time, 1 hour */
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define DHCP_SERVER_PORT 67
 #define DHCP_CLIENT_PORT 68
+#define DHCP_SERVER_ALTPORT 1067
+#define DHCP_CLIENT_ALTPORT 1068
 #define TFTP_PORT 69
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
 #define LOG_MAX 5 /* log-queue length */
+#define RANDFILE "/dev/urandom"
+#define DAD_WAIT 20 /* retry binding IPv6 sockets for this long */
 
 /* DBUS interface specifics */
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq"
@@ -79,22 +99,14 @@
 #endif
 
 
-/* Get linux C library versions. */
-#if defined(__linux__) && !defined(__UCLIBC__) && !defined(__uClinux__)
-/*#  include <libio.h> */
-#  include <features.h> 
-#endif
-
-
 /* Follows system specific switches. If you run on a 
    new system, you may want to edit these. 
    May replace this with Autoconf one day. 
 
 HAVE_LINUX_NETWORK
-   define this to do networking the Linux way. When it's defined, the code will
-   use IP_PKTINFO, Linux capabilities and the RTnetlink system. If it's not defined,
-   a few facilities will be lost, namely support for multiple addresses on an interface,
-   DNS query retransmission, and (on some systems) wildcard interface binding.
+HAVE_BSD_NETWORK
+HAVE_SOLARIS_NETWORK
+   define exactly one of these to alter interaction with kernel networking.
 
 HAVE_BROKEN_RTC
    define this on embedded systems which don't have an RTC
@@ -110,13 +122,15 @@ HAVE_BROKEN_RTC
    NOTE: when enabling or disabling this, be sure to delete any old
    leases file, otherwise dnsmasq may get very confused.
 
-HAVE_ISC_READER 
-   define this to include the old ISC dhcpcd integration. Note that you cannot
-   set both HAVE_ISC_READER and HAVE_BROKEN_RTC.
-
 HAVE_TFTP
    define this to get dnsmasq's built-in TFTP server.
 
+HAVE_DHCP
+   define this to get dnsmasq's DHCP server.
+
+HAVE_SCRIPT
+   define this to get the ability to call scripts on lease-change
+
 HAVE_GETOPT_LONG
    define this if you have GNU libc or GNU getopt. 
 
@@ -124,19 +138,6 @@ HAVE_ARC4RANDOM
    define this if you have arc4random() to get better security from DNS spoofs
    by using really random ids (OpenBSD) 
 
-HAVE_RANDOM
-   define this if you have the 4.2BSD random() function (and its
-   associated srandom() function), which is at least as good as (if not
-   better than) the rand() function.
-
-HAVE_DEV_RANDOM
-   define this if you have the /dev/random device, which gives truly
-   random numbers but may run out of random numbers.
-
-HAVE_DEV_URANDOM
-   define this if you have the /dev/urandom device, which gives
-   semi-random numbers when it runs out of truly random numbers.
-
 HAVE_SOCKADDR_SA_LEN
    define this if struct sockaddr has sa_len field (*BSD) 
 
@@ -149,43 +150,44 @@ NOTES:
    For Linux you should define 
       HAVE_LINUX_NETWORK
       HAVE_GETOPT_LONG
-      HAVE_RANDOM
-      HAVE_DEV_RANDOM
-      HAVE_DEV_URANDOM
   you should NOT define 
       HAVE_ARC4RANDOM
       HAVE_SOCKADDR_SA_LEN
 
    For *BSD systems you should define 
+     HAVE_BSD_NETWORK
      HAVE_SOCKADDR_SA_LEN
-     HAVE_RANDOM
-   you should NOT define  
-     HAVE_LINUX_NETWORK 
    and you MAY define  
      HAVE_ARC4RANDOM - OpenBSD and FreeBSD and NetBSD version 2.0 or later
-     HAVE_DEV_URANDOM - OpenBSD and FreeBSD and NetBSD
-     HAVE_DEV_RANDOM - FreeBSD  and NetBSD 
-                       (OpenBSD with hardware random number generator)
      HAVE_GETOPT_LONG - NetBSD, later FreeBSD 
                        (FreeBSD and OpenBSD only if you link GNU getopt) 
 
 */
 
 /* platform independent options- uncomment to enable */
+#define HAVE_DHCP
 #define HAVE_TFTP
+#define HAVE_SCRIPT
 /* #define HAVE_BROKEN_RTC */
-/* #define HAVE_ISC_READER */
 /* #define HAVE_DBUS */
 
-#if defined(HAVE_BROKEN_RTC) && defined(HAVE_ISC_READER)
-#  error HAVE_ISC_READER is not compatible with HAVE_BROKEN_RTC
-#endif
-
-/* Allow TFTP to be disabled with COPT=-DNO_TFTP */
+/* Allow TFTP to be disabled with COPTS=-DNO_TFTP */
 #ifdef NO_TFTP
 #undef HAVE_TFTP
 #endif
 
+/* Allow DHCP to be disabled with COPTS=-DNO_DHCP */
+#ifdef NO_DHCP
+#undef HAVE_DHCP
+#endif
+
+/* Allow scripts to be disabled with COPTS=-DNO_SCRIPT */
+#ifdef NO_SCRIPT
+#undef HAVE_SCRIPT
+#endif
+
+
+
 /* platform dependent options. */
 
 /* Must preceed __linux__ since uClinux defines __linux__ too. */
@@ -193,9 +195,6 @@ NOTES:
 #define HAVE_LINUX_NETWORK
 #define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
-#define HAVE_DEV_RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
 /* Never use fork() on uClinux. Note that this is subtly different from the
    --keep-in-foreground option, since it also  suppresses forking new 
@@ -208,13 +207,8 @@ NOTES:
 #if defined(__UCLIBC_HAS_GNU_GETOPT__) || \
    ((__UCLIBC_MAJOR__==0) && (__UCLIBC_MINOR__==9) && (__UCLIBC_SUBLEVEL__<21))
 #    define HAVE_GETOPT_LONG
-#else
-#    undef HAVE_GETOPT_LONG
 #endif
 #undef HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
-#define HAVE_DEV_RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
 #if !defined(__ARCH_HAS_MMU__) && !defined(__UCLIBC_HAS_MMU__)
 #  define NO_FORK
@@ -230,53 +224,47 @@ NOTES:
 #define HAVE_LINUX_NETWORK
 #define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
-#define HAVE_DEV_RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
-/* glibc < 2.2  has broken Sockaddr_in6 so we have to use our own. */
-/* glibc < 2.2 doesn't define in_addr_t */
-#if defined(__GLIBC__) && (__GLIBC__ == 2) && \
-    defined(__GLIBC_MINOR__) && (__GLIBC_MINOR__ < 2)
-typedef unsigned long in_addr_t; 
-#   define HAVE_BROKEN_SOCKADDR_IN6
-#endif
 
-#elif defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
-#undef HAVE_LINUX_NETWORK
+#elif defined(__FreeBSD__) || \
+      defined(__OpenBSD__) || \
+      defined(__DragonFly__) || \
+      defined (__FreeBSD_kernel__)
+#define HAVE_BSD_NETWORK
 /* Later verions of FreeBSD have getopt_long() */
 #if defined(optional_argument) && defined(required_argument)
 #   define HAVE_GETOPT_LONG
-#else
-#   undef HAVE_GETOPT_LONG
 #endif
-#define HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
+#if !defined (__FreeBSD_kernel__)
+#   define HAVE_ARC4RANDOM
+#endif
 #define HAVE_SOCKADDR_SA_LEN
 
 #elif defined(__APPLE__)
-#undef HAVE_LINUX_NETWORK
+#define HAVE_BSD_NETWORK
 #undef HAVE_GETOPT_LONG
 #define HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
 #define HAVE_SOCKADDR_SA_LEN
 /* Define before sys/socket.h is included so we get socklen_t */
 #define _BSD_SOCKLEN_T_
-/* This is not defined in Mac OS X arpa/nameserv.h */
-#define IN6ADDRSZ 16
  
 #elif defined(__NetBSD__)
-#undef HAVE_LINUX_NETWORK
+#define HAVE_BSD_NETWORK
 #define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
-#define HAVE_RANDOM
-#define HAVE_DEV_URANDOM
-#define HAVE_DEV_RANDOM
 #define HAVE_SOCKADDR_SA_LEN
+
+#elif defined(__sun) || defined(__sun__)
+#define HAVE_SOLARIS_NETWORK
+#define HAVE_GETOPT_LONG
+#undef HAVE_ARC4RANDOM
+#undef HAVE_SOCKADDR_SA_LEN
+#define _XPG4_2
+#define __EXTENSIONS__
+#define ETHER_ADDR_LEN 6 
  
 #endif
+
 /* Decide if we're going to support IPv6 */
 /* IPv6 can be forced off with "make COPTS=-DNO_IPV6" */
 /* We assume that systems which don't have IPv6
@@ -298,3 +286,8 @@ typedef unsigned long in_addr_t;
 #  define ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
 #endif
 
+/* Can't do scripts without fork */
+#ifdef NOFORK
+#  undef HAVE_SCRIPT
+#endif
+

src/dbus.c

@@ -1,22 +1,61 @@
-/* dnsmasq is Copyright (c) 2000-2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
 #ifdef HAVE_DBUS
 
-#define DBUS_API_SUBJECT_TO_CHANGE
 #include <dbus/dbus.h>
 
+const char* introspection_xml =
+"<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n"
+"\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n"
+"<node name=\"" DNSMASQ_PATH "\">\n"
+"  <interface name=\"org.freedesktop.DBus.Introspectable\">\n"
+"    <method name=\"Introspect\">\n"
+"      <arg name=\"data\" direction=\"out\" type=\"s\"/>\n"
+"    </method>\n"
+"  </interface>\n"
+"  <interface name=\"" DNSMASQ_SERVICE "\">\n"
+"    <method name=\"ClearCache\">\n"
+"    </method>\n"
+"    <method name=\"GetVersion\">\n"
+"      <arg name=\"version\" direction=\"out\" type=\"s\"/>\n"
+"    </method>\n"
+"    <method name=\"SetServers\">\n"
+"      <arg name=\"servers\" direction=\"in\" type=\"av\"/>\n"
+"    </method>\n"
+"    <signal name=\"DhcpLeaseAdded\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"    <signal name=\"DhcpLeaseDeleted\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"    <signal name=\"DhcpLeaseUpdated\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"  </interface>\n"
+"</node>\n";
+
 struct watch {
   DBusWatch *watch;      
   struct watch *next;
@@ -112,9 +151,9 @@ static void dbus_read_servers(DBusMessage *message)
 #else
 	  if (i == sizeof(struct in6_addr)-1)
 	    {
-	      memcpy(&addr.in6.sin6_addr, p, sizeof(addr.in6));
+	      memcpy(&addr.in6.sin6_addr, p, sizeof(struct in6_addr));
 #ifdef HAVE_SOCKADDR_SA_LEN
-              source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(addr.in6);
+              source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(struct sockaddr_in6);
 #endif
               source_addr.in6.sin6_family = addr.in6.sin6_family = AF_INET6;
               addr.in6.sin6_port = htons(NAMESERVER_PORT);
@@ -163,8 +202,11 @@ static void dbus_read_servers(DBusMessage *message)
 	    if (!serv && (serv = whine_malloc(sizeof (struct server))))
 	      {
 		/* Not found, create a new one. */
+		memset(serv, 0, sizeof(struct server));
+		
 		if (domain)
 		  serv->domain = whine_malloc(strlen(domain)+1);
+		
 		if (domain && !serv->domain)
 		  {
 		    free(serv);
@@ -175,7 +217,6 @@ static void dbus_read_servers(DBusMessage *message)
 		    serv->next = daemon->servers;
 		    daemon->servers = serv;
 		    serv->flags = SERV_FROM_DBUS;
-		    serv->sfd = NULL;
 		    if (domain)
 		      {
 			strcpy(serv->domain, domain);
@@ -223,7 +264,15 @@ DBusHandlerResult message_handler(DBusConnection *connection,
 {
   char *method = (char *)dbus_message_get_member(message);
    
-  if (strcmp(method, "GetVersion") == 0)
+  if (dbus_message_is_method_call(message, DBUS_INTERFACE_INTROSPECTABLE, "Introspect"))
+    {
+      DBusMessage *reply = dbus_message_new_method_return(message);
+
+      dbus_message_append_args(reply, DBUS_TYPE_STRING, &introspection_xml, DBUS_TYPE_INVALID);
+      dbus_connection_send (connection, reply, NULL);
+      dbus_message_unref (reply);
+    }
+  else if (strcmp(method, "GetVersion") == 0)
     {
       char *v = VERSION;
       DBusMessage *reply = dbus_message_new_method_return(message);
@@ -277,7 +326,10 @@ char *dbus_init(void)
   daemon->dbus = connection; 
   
   if ((message = dbus_message_new_signal(DNSMASQ_PATH, DNSMASQ_SERVICE, "Up")))
-    dbus_connection_send(connection, message, NULL);
+    {
+      dbus_connection_send(connection, message, NULL);
+      dbus_message_unref(message);
+    }
 
   return NULL;
 }
@@ -292,7 +344,7 @@ void set_dbus_listeners(int *maxfdp,
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = dbus_watch_get_flags(w->watch);
-	int fd = dbus_watch_get_fd(w->watch);
+	int fd = dbus_watch_get_unix_fd(w->watch);
 	
 	bump_maxfd(fd, maxfdp);
 	
@@ -315,7 +367,7 @@ void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = 0;
-	int fd = dbus_watch_get_fd(w->watch);
+	int fd = dbus_watch_get_unix_fd(w->watch);
 	
 	if (FD_ISSET(fd, rset))
 	  flags |= DBUS_WATCH_READABLE;
@@ -338,4 +390,47 @@ void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
     }
 }
 
+void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname)
+{
+  DBusConnection *connection = (DBusConnection *)daemon->dbus;
+  DBusMessage* message = NULL;
+  DBusMessageIter args;
+  char *action_str, *addr, *mac = daemon->namebuff;
+  unsigned char *p;
+  int i;
+
+  if (!connection)
+    return;
+  
+  if (!hostname)
+    hostname = "";
+  
+  p = extended_hwaddr(lease->hwaddr_type, lease->hwaddr_len,
+		      lease->hwaddr, lease->clid_len, lease->clid, &i);
+  print_mac(mac, p, i);
+  
+  if (action == ACTION_DEL)
+    action_str = "DhcpLeaseDeleted";
+  else if (action == ACTION_ADD)
+    action_str = "DhcpLeaseAdded";
+  else if (action == ACTION_OLD)
+    action_str = "DhcpLeaseUpdated";
+  else
+    return;
+
+  addr = inet_ntoa(lease->addr);
+
+  if (!(message = dbus_message_new_signal(DNSMASQ_PATH, DNSMASQ_SERVICE, action_str)))
+    return;
+  
+  dbus_message_iter_init_append(message, &args);
+
+  if (dbus_message_iter_append_basic(&args, DBUS_TYPE_STRING, &addr) &&
+      dbus_message_iter_append_basic(&args, DBUS_TYPE_STRING, &mac) &&
+      dbus_message_iter_append_basic(&args, DBUS_TYPE_STRING, &hostname))
+    dbus_connection_send(connection, message, NULL);
+  
+  dbus_message_unref(message);
+}
+
 #endif

src/dhcp.c

@@ -1,17 +1,23 @@
-/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
+#ifdef HAVE_DHCP
+
 struct iface_param {
   struct in_addr relay, primary;
   struct dhcp_context *current;
@@ -26,15 +32,20 @@ void dhcp_init(void)
   int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
   struct sockaddr_in saddr;
   int oneopt = 1;
-  struct dhcp_config *configs, *cp;
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+  int mtu = IP_PMTUDISC_DONT;
+#endif
 
   if (fd == -1)
-    die (_("cannot create DHCP socket : %s"), NULL, EC_BADNET);
+    die (_("cannot create DHCP socket: %s"), NULL, EC_BADNET);
   
-  if (!fix_fd(fd) || 
+  if (!fix_fd(fd) ||
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+      setsockopt(fd, SOL_IP, IP_MTU_DISCOVER, &mtu, sizeof(mtu)) == -1 ||
+#endif
 #if defined(HAVE_LINUX_NETWORK)
       setsockopt(fd, SOL_IP, IP_PKTINFO, &oneopt, sizeof(oneopt)) == -1 ||
-#elif defined(IP_RECVIF)
+#else
       setsockopt(fd, IPPROTO_IP, IP_RECVIF, &oneopt, sizeof(oneopt)) == -1 ||
 #endif
       setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &oneopt, sizeof(oneopt)) == -1)  
@@ -42,12 +53,7 @@ void dhcp_init(void)
   
   /* When bind-interfaces is set, there might be more than one dnmsasq
      instance binding port 67. That's OK if they serve different networks.
-     Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD.
-     OpenBSD <= 4.0 screws up IP_RECVIF when SO_REUSEPORT is set, but
-     OpenBSD <= 3.9 doesn't have IP_RECVIF anyway, so we just have to elide
-     this for OpenBSD 4.0, if you want more than one instance on oBSD4.0, tough. */
-
-#ifndef OpenBSD4_0
+     Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD. */
   if (daemon->options & OPT_NOWILD)
     {
 #ifdef SO_REUSEPORT
@@ -58,11 +64,10 @@ void dhcp_init(void)
       if (rc == -1)
 	die(_("failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s"), NULL, EC_BADNET);
     }
-#endif
   
   memset(&saddr, 0, sizeof(saddr));
   saddr.sin_family = AF_INET;
-  saddr.sin_port = htons(DHCP_SERVER_PORT);
+  saddr.sin_port = htons(daemon->dhcp_server_port);
   saddr.sin_addr.s_addr = INADDR_ANY;
 #ifdef HAVE_SOCKADDR_SA_LEN
   saddr.sin_len = sizeof(struct sockaddr_in);
@@ -73,7 +78,7 @@ void dhcp_init(void)
 
   daemon->dhcpfd = fd;
 
-#ifndef HAVE_LINUX_NETWORK
+#if defined(HAVE_BSD_NETWORK)
   /* When we're not using capabilities, we need to do this here before
      we drop root. Also, set buffer size small, to avoid wasting
      kernel buffers */
@@ -88,21 +93,8 @@ void dhcp_init(void)
   init_bpf();
 #endif
   
-  /* If the same IP appears in more than one host config, then DISCOVER
-     for one of the hosts will get the address, but REQUEST will be NAKed,
-     since the address is reserved by the other one -> protocol loop. 
-     Also check that FQDNs match the domain we are using. */
-  for (configs = daemon->dhcp_conf; configs; configs = configs->next)
-    {
-      char *domain;
-      for (cp = configs->next; cp; cp = cp->next)
-	if ((configs->flags & cp->flags & CONFIG_ADDR) && configs->addr.s_addr == cp->addr.s_addr)
-	  die(_("duplicate IP address %s in dhcp-config directive."), inet_ntoa(cp->addr), EC_BADCONF);
-      
-      if ((configs->flags & CONFIG_NAME) && (domain = strip_hostname(configs->hostname)))
-	die(_("illegal domain %s in dhcp-config directive."), domain, EC_BADCONF);
-    }
-  
+  check_dhcp_hosts(1);
+    
   daemon->dhcp_packet.iov_len = sizeof(struct dhcp_packet); 
   daemon->dhcp_packet.iov_base = safe_malloc(daemon->dhcp_packet.iov_len);
 }
@@ -124,9 +116,11 @@ void dhcp_packet(time_t now)
 
   union {
     struct cmsghdr align; /* this ensures alignment */
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
-#else
+#elif defined(HAVE_SOLARIS_NETWORK)
+    char control[CMSG_SPACE(sizeof(unsigned int))];
+#elif defined(HAVE_BSD_NETWORK) 
     char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
 #endif
   } control_u;
@@ -138,16 +132,33 @@ void dhcp_packet(time_t now)
   msg.msg_iov = &daemon->dhcp_packet;
   msg.msg_iovlen = 1;
   
-  do
+  while (1)
     {
       msg.msg_flags = 0;
-      while ((sz = recvmsg(daemon->dhcpfd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
+      while ((sz = recvmsg(daemon->dhcpfd, &msg, MSG_PEEK | MSG_TRUNC)) == -1 && errno == EINTR);
+      
+      if (sz == -1)
+	return;
+      
+      if (!(msg.msg_flags & MSG_TRUNC))
+	break;
+
+      /* Very new Linux kernels return the actual size needed, 
+	 older ones always return truncated size */
+      if ((size_t)sz == daemon->dhcp_packet.iov_len)
+	{
+	  if (!expand_buf(&daemon->dhcp_packet, sz + 100))
+	    return;
+	}
+      else
+	{
+	  expand_buf(&daemon->dhcp_packet, sz);
+	  break;
+	}
     }
-  while (sz != -1 && (msg.msg_flags & MSG_TRUNC) &&
-	 expand_buf(&daemon->dhcp_packet, daemon->dhcp_packet.iov_len + 100));
   
   /* expand_buf may have moved buffer */
-  mess = daemon->dhcp_packet.iov_base;
+  mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
   msg.msg_controllen = sizeof(control_u);
   msg.msg_control = control_u.control;
   msg.msg_flags = 0;
@@ -156,7 +167,7 @@ void dhcp_packet(time_t now)
 
   while ((sz = recvmsg(daemon->dhcpfd, &msg, 0)) == -1 && errno == EINTR);
  
-  if (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
+  if ((msg.msg_flags & MSG_TRUNC) || sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
     return;
   
 #if defined (HAVE_LINUX_NETWORK)
@@ -168,37 +179,31 @@ void dhcp_packet(time_t now)
 	  if (((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_addr.s_addr != INADDR_BROADCAST)
 	    unicast_dest = 1;
 	}
-  
-  if (!(ifr.ifr_ifindex = iface_index) || 
-      ioctl(daemon->dhcpfd, SIOCGIFNAME, &ifr) == -1)
-    return;
-  
-#elif defined(IP_RECVIF)
+
+#elif defined(HAVE_BSD_NETWORK) 
   if (msg.msg_controllen >= sizeof(struct cmsghdr))
     for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
       if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
-	iface_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+        iface_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+
   
-  if (!iface_index || !if_indextoname(iface_index, ifr.ifr_name))
+#elif defined(HAVE_SOLARIS_NETWORK) 
+  if (msg.msg_controllen >= sizeof(struct cmsghdr))
+    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	iface_index = *((unsigned int *)CMSG_DATA(cmptr));
+	  
+#endif
+	
+  if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name))
     return;
-  
+
 #ifdef MSG_BCAST
   /* OpenBSD tells us when a packet was broadcast */
   if (!(msg.msg_flags & MSG_BCAST))
     unicast_dest = 1;
 #endif
 
-#else
-  /* fallback for systems without IP_RECVIF - allow only one interface
-     and assume packets arrive from it - yuk. */
-  {
-    struct iname *name;
-    for (name = daemon->if_names; name->isloop; name = name->next);
-    strcpy(ifr.ifr_name, name->name);
-    iface_index = if_nametoindex(name->name);
-  }
-#endif
-
   ifr.ifr_addr.sa_family = AF_INET;
   if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
     {
@@ -206,7 +211,7 @@ void dhcp_packet(time_t now)
       iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
     }
 
-  if (!iface_check(AF_INET, (struct all_addr *)addrp, &ifr, &iface_index))
+  if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, &iface_index))
     return;
   
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
@@ -216,9 +221,9 @@ void dhcp_packet(time_t now)
   /* interface may have been changed by alias in iface_check */
   if (!addrp)
     {
-      if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1)
+      if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) == -1)
 	{
-	  my_syslog(LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
+	  my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
 	  return;
 	}
       else
@@ -237,7 +242,7 @@ void dhcp_packet(time_t now)
   if (!iface_enumerate(&parm, complete_context, NULL))
     return;
   lease_prune(NULL, now); /* lose any expired leases */
-  iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, (size_t)sz, 
+  iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
 			   now, unicast_dest, &is_inform);
   lease_update_file(now);
   lease_update_dns();
@@ -253,7 +258,7 @@ void dhcp_packet(time_t now)
   iov.iov_base = daemon->dhcp_packet.iov_base;
   
   /* packet buffer may have moved */
-  mess = daemon->dhcp_packet.iov_base;
+  mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
   
 #ifdef HAVE_SOCKADDR_SA_LEN
   dest.sin_len = sizeof(struct sockaddr_in);
@@ -262,7 +267,7 @@ void dhcp_packet(time_t now)
   if (mess->giaddr.s_addr)
     {
       /* Send to BOOTP relay  */
-      dest.sin_port = htons(DHCP_SERVER_PORT);
+      dest.sin_port = htons(daemon->dhcp_server_port);
       dest.sin_addr = mess->giaddr; 
     }
   else if (mess->ciaddr.s_addr)
@@ -274,11 +279,11 @@ void dhcp_packet(time_t now)
       if ((!is_inform && dest.sin_addr.s_addr != mess->ciaddr.s_addr) ||
 	  dest.sin_port == 0 || dest.sin_addr.s_addr == 0)
 	{
-	  dest.sin_port = htons(DHCP_CLIENT_PORT); 
+	  dest.sin_port = htons(daemon->dhcp_client_port); 
 	  dest.sin_addr = mess->ciaddr;
 	}
     } 
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
   else if ((ntohs(mess->flags) & 0x8000) || mess->hlen == 0 ||
 	   mess->hlen > sizeof(ifr.ifr_addr.sa_data) || mess->htype == 0)
     {
@@ -287,14 +292,14 @@ void dhcp_packet(time_t now)
       msg.msg_control = control_u.control;
       msg.msg_controllen = sizeof(control_u);
       cmptr = CMSG_FIRSTHDR(&msg);
-      dest.sin_addr.s_addr = INADDR_BROADCAST;
-      dest.sin_port = htons(DHCP_CLIENT_PORT);
       pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
       pkt->ipi_ifindex = iface_index;
       pkt->ipi_spec_dst.s_addr = 0;
       msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
       cmptr->cmsg_level = SOL_IP;
-      cmptr->cmsg_type = IP_PKTINFO;
+      cmptr->cmsg_type = IP_PKTINFO;  
+      dest.sin_addr.s_addr = INADDR_BROADCAST;
+      dest.sin_port = htons(daemon->dhcp_client_port);
     }
   else
     {
@@ -302,7 +307,7 @@ void dhcp_packet(time_t now)
 	 struct sockaddr limits size to 14 bytes. */
       struct arpreq req;
       dest.sin_addr = mess->yiaddr;
-      dest.sin_port = htons(DHCP_CLIENT_PORT);
+      dest.sin_port = htons(daemon->dhcp_client_port);
       *((struct sockaddr_in *)&req.arp_pa) = dest;
       req.arp_ha.sa_family = mess->htype;
       memcpy(req.arp_ha.sa_data, mess->chaddr, mess->hlen);
@@ -310,7 +315,31 @@ void dhcp_packet(time_t now)
       req.arp_flags = ATF_COM;
       ioctl(daemon->dhcpfd, SIOCSARP, &req);
     }
-#else
+#elif defined(HAVE_SOLARIS_NETWORK)
+  else if ((ntohs(mess->flags) & 0x8000) || mess->hlen != ETHER_ADDR_LEN || mess->htype != ARPHRD_ETHER)
+    {
+      /* broadcast to 255.255.255.255 (or mac address invalid) */
+      dest.sin_addr.s_addr = INADDR_BROADCAST;
+      dest.sin_port = htons(daemon->dhcp_client_port);
+      /* note that we don't specify the interface here: that's done by the
+	 IP_BOUND_IF sockopt lower down. */
+    }
+  else
+    {
+      /* unicast to unconfigured client. Inject mac address direct into ARP cache. 
+	 Note that this only works for ethernet on solaris, because we use SIOCSARP
+	 and not SIOCSXARP, which would be perfect, except that it returns ENXIO 
+	 mysteriously. Bah. Fall back to broadcast for other net types. */
+      struct arpreq req;
+      dest.sin_addr = mess->yiaddr;
+      dest.sin_port = htons(daemon->dhcp_client_port);
+      *((struct sockaddr_in *)&req.arp_pa) = dest;
+      req.arp_ha.sa_family = AF_UNSPEC;
+      memcpy(req.arp_ha.sa_data, mess->chaddr, mess->hlen);
+      req.arp_flags = ATF_COM;
+      ioctl(daemon->dhcpfd, SIOCSARP, &req);
+    }
+#elif defined(HAVE_BSD_NETWORK)
   else 
     {
       send_via_bpf(mess, iov.iov_len, iface_addr, &ifr);
@@ -318,6 +347,10 @@ void dhcp_packet(time_t now)
     }
 #endif
    
+#ifdef HAVE_SOLARIS_NETWORK
+  setsockopt(daemon->dhcpfd, IPPROTO_IP, IP_BOUND_IF, &iface_index, sizeof(iface_index));
+#endif
+  
   while(sendmsg(daemon->dhcpfd, &msg, 0) == -1 && retry_send());
 }
  
@@ -349,7 +382,7 @@ static int complete_context(struct in_addr local, int if_index,
 	  {
 	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
 	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
-	    my_syslog(LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
+	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
 		      daemon->dhcp_buff, daemon->dhcp_buff2, inet_ntoa(netmask));
 	  }	
  	context->netmask = netmask;
@@ -392,7 +425,9 @@ static int complete_context(struct in_addr local, int if_index,
   return 1;
 }
 	  
-struct dhcp_context *address_available(struct dhcp_context *context, struct in_addr taddr)
+struct dhcp_context *address_available(struct dhcp_context *context, 
+				       struct in_addr taddr,
+				       struct dhcp_netid *netids)
 {
   /* Check is an address is OK for this network, check all
      possible ranges. Make sure that the address isn't in use
@@ -412,14 +447,17 @@ struct dhcp_context *address_available(struct dhcp_context *context, struct in_a
 
       if (!(tmp->flags & CONTEXT_STATIC) &&
 	  addr >= start &&
-	  addr <= end)
+	  addr <= end &&
+	  match_netid(tmp->filter, netids, 1))
 	return tmp;
     }
 
   return NULL;
 }
 
-struct dhcp_context *narrow_context(struct dhcp_context *context, struct in_addr taddr)
+struct dhcp_context *narrow_context(struct dhcp_context *context, 
+				    struct in_addr taddr,
+				    struct dhcp_netid *netids)
 {
   /* We start of with a set of possible contexts, all on the current physical interface.
      These are chained on ->current.
@@ -431,19 +469,24 @@ struct dhcp_context *narrow_context(struct dhcp_context *context, struct in_addr
   
   struct dhcp_context *tmp;
 
-  if ((tmp = address_available(context, taddr)))
-    return tmp;
+  if (!(tmp = address_available(context, taddr, netids)))
+    {
+      for (tmp = context; tmp; tmp = tmp->current)
+	if (is_same_net(taddr, tmp->start, tmp->netmask) && 
+	    (tmp->flags & CONTEXT_STATIC))
+	  break;
+      
+      if (!tmp)
+	for (tmp = context; tmp; tmp = tmp->current)
+	  if (is_same_net(taddr, tmp->start, tmp->netmask))
+	    break;
+    }
   
-  for (tmp = context; tmp; tmp = tmp->current)
-    if (is_same_net(taddr, tmp->start, tmp->netmask) && 
-	(tmp->flags & CONTEXT_STATIC))
-      return tmp;
-
-  for (tmp = context; tmp; tmp = tmp->current)
-    if (is_same_net(taddr, tmp->start, tmp->netmask))
-      return tmp;
-
-  return NULL;
+  /* Only one context allowed now */
+  if (tmp)
+    tmp->current = NULL;
+  
+  return tmp;
 }
 
 struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct in_addr addr)
@@ -458,12 +501,12 @@ struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct i
 }
 
 /* Is every member of check matched by a member of pool? 
-   If negonly, match unless there's a negative tag which matches. */
-int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly)
+   If tagnotneeded, untagged is OK */
+int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int tagnotneeded)
 {
   struct dhcp_netid *tmp1;
   
-  if (!check && !negonly)
+  if (!check && !tagnotneeded)
     return 0;
 
   for (; check; check = check->next)
@@ -473,7 +516,7 @@ int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly)
 	  for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
 	    if (strcmp(check->net, tmp1->net) == 0)
 	      break;
-	  if (!tmp1 || negonly)
+	  if (!tmp1)
 	    return 0;
 	}
       else
@@ -520,9 +563,16 @@ int address_allocate(struct dhcp_context *context,
 	      if (addr.s_addr == d->router.s_addr)
 		break;
 
+	    /* Addresses which end in .255 and .0 are broken in Windows even when using 
+	       supernetting. ie dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0
+	       then 192.168.0.255 is a valid IP address, but not for Windows as it's
+	       in the class C range. See  KB281579. We therefore don't allocate these 
+	       addresses to avoid hard-to-diagnose problems. Thanks Bill. */	    
 	    if (!d &&
 		!lease_find_by_addr(addr) && 
-		!config_find_by_address(daemon->dhcp_conf, addr))
+		!config_find_by_address(daemon->dhcp_conf, addr) &&
+		(!IN_CLASSC(ntohl(addr.s_addr)) || 
+		 ((ntohl(addr.s_addr) & 0xff) != 0xff && ((ntohl(addr.s_addr) & 0xff) != 0x0))))
 	      {
 		struct ping_result *r, *victim = NULL;
 		int count, max = (int)(0.6 * (((float)PING_CACHE_TIME)/
@@ -595,6 +645,19 @@ static int is_addr_in_context(struct dhcp_context *context, struct dhcp_config *
   return 0;
 }
 
+int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type)
+{
+  struct hwaddr_config *conf_addr;
+  
+  for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
+    if (conf_addr->wildcard_mask == 0 &&
+	conf_addr->hwaddr_len == len &&
+	(conf_addr->hwaddr_type == type || conf_addr->hwaddr_type == 0) &&
+	memcmp(conf_addr->hwaddr, hwaddr, len) == 0)
+      return 1;
+  
+  return 0;
+}
 
 struct dhcp_config *find_config(struct dhcp_config *configs,
 				struct dhcp_context *context,
@@ -602,8 +665,10 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 				unsigned char *hwaddr, int hw_len, 
 				int hw_type, char *hostname)
 {
-  struct dhcp_config *config; 
-  
+  int count, new;
+  struct dhcp_config *config, *candidate; 
+  struct hwaddr_config *conf_addr;
+
   if (clid)
     for (config = configs; config; config = config->next)
       if (config->flags & CONFIG_CLID)
@@ -623,11 +688,7 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
   
 
   for (config = configs; config; config = config->next)
-    if ((config->flags & CONFIG_HWADDR) &&
-	config->wildcard_mask == 0 &&
-	config->hwaddr_len == hw_len &&
-	(config->hwaddr_type == hw_type || config->hwaddr_type == 0) &&
-	memcmp(config->hwaddr, hwaddr, hw_len) == 0 &&
+    if (config_has_mac(config, hwaddr, hw_len, hw_type) &&
 	is_addr_in_context(context, config))
       return config;
   
@@ -637,17 +698,21 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	  hostname_isequal(config->hostname, hostname) &&
 	  is_addr_in_context(context, config))
 	return config;
-  
-  for (config = configs; config; config = config->next)
-    if ((config->flags & CONFIG_HWADDR) &&
-	config->wildcard_mask != 0 &&
-	config->hwaddr_len == hw_len &&	
-	(config->hwaddr_type == hw_type || config->hwaddr_type == 0) &&
-	is_addr_in_context(context, config) &&
-	memcmp_masked(config->hwaddr, hwaddr, hw_len, config->wildcard_mask))
-      return config;
-        
-  return NULL;
+
+  /* use match with fewest wildcast octets */
+  for (candidate = NULL, count = 0, config = configs; config; config = config->next)
+    if (is_addr_in_context(context, config))
+      for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
+	if (conf_addr->wildcard_mask != 0 &&
+	    conf_addr->hwaddr_len == hw_len &&	
+	    (conf_addr->hwaddr_type == hw_type || conf_addr->hwaddr_type == 0) &&
+	    (new = memcmp_masked(conf_addr->hwaddr, hwaddr, hw_len, conf_addr->wildcard_mask)) > count)
+	  {
+	    count = new;
+	    candidate = config;
+	  }
+
+  return candidate;
 }
 
 void dhcp_read_ethers(void)
@@ -666,7 +731,7 @@ void dhcp_read_ethers(void)
   
   if (!f)
     {
-      my_syslog(LOG_ERR, _("failed to read %s:%s"), ETHERSFILE, strerror(errno));
+      my_syslog(MS_DHCP | LOG_ERR, _("failed to read %s: %s"), ETHERSFILE, strerror(errno));
       return;
     }
 
@@ -680,6 +745,7 @@ void dhcp_read_ethers(void)
 	  /* cannot have a clid */
 	  if (config->flags & CONFIG_NAME)
 	    free(config->hostname);
+	  free(config->hwaddr);
 	  free(config);
 	}
       else
@@ -688,20 +754,22 @@ void dhcp_read_ethers(void)
 
   while (fgets(buff, MAXDNAME, f))
     {
+      char *host = NULL;
+      
       lineno++;
       
-      while (strlen(buff) > 0 && isspace(buff[strlen(buff)-1]))
+      while (strlen(buff) > 0 && isspace((int)buff[strlen(buff)-1]))
 	buff[strlen(buff)-1] = 0;
       
-      if ((*buff == '#') || (*buff == '+'))
+      if ((*buff == '#') || (*buff == '+') || (*buff == 0))
 	continue;
       
-      for (ip = buff; *ip && !isspace(*ip); ip++);
-      for(; *ip && isspace(*ip); ip++)
+      for (ip = buff; *ip && !isspace((int)*ip); ip++);
+      for(; *ip && isspace((int)*ip); ip++)
 	*ip = 0;
       if (!*ip || parse_hex(buff, hwaddr, ETHER_ADDR_LEN, NULL, NULL) != ETHER_ADDR_LEN)
 	{
-	  my_syslog(LOG_ERR, _("bad line at %s line %d"), ETHERSFILE, lineno); 
+	  my_syslog(MS_DHCP | LOG_ERR, _("bad line at %s line %d"), ETHERSFILE, lineno); 
 	  continue;
 	}
       
@@ -714,7 +782,7 @@ void dhcp_read_ethers(void)
 	{
 	  if ((addr.s_addr = inet_addr(ip)) == (in_addr_t)-1)
 	    {
-	      my_syslog(LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
+	      my_syslog(MS_DHCP | LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
 	      continue;
 	    }
 
@@ -726,35 +794,49 @@ void dhcp_read_ethers(void)
 	}
       else 
 	{
-	  if (!canonicalise(ip) || strip_hostname(ip))
+	  int nomem;
+	  if (!(host = canonicalise(ip, &nomem)) || !legal_hostname(host))
 	    {
-	      my_syslog(LOG_ERR, _("bad name at %s line %d"), ETHERSFILE, lineno); 
+	      if (!nomem)
+		my_syslog(MS_DHCP | LOG_ERR, _("bad name at %s line %d"), ETHERSFILE, lineno); 
+	      free(host);
 	      continue;
 	    }
 	      
 	  flags = CONFIG_NAME;
 
 	  for (config = daemon->dhcp_conf; config; config = config->next)
-	    if ((config->flags & CONFIG_NAME) && hostname_isequal(config->hostname, ip))
+	    if ((config->flags & CONFIG_NAME) && hostname_isequal(config->hostname, host))
 	      break;
 	}
-      
+
+      if (config && (config->flags & CONFIG_FROM_ETHERS))
+	{
+	  my_syslog(MS_DHCP | LOG_ERR, _("ignoring %s line %d, duplicate name or IP address"), ETHERSFILE, lineno); 
+	  continue;
+	}
+	
       if (!config)
 	{ 
 	  for (config = daemon->dhcp_conf; config; config = config->next)
-	    if ((config->flags & CONFIG_HWADDR) && 
-		config->wildcard_mask == 0 &&
-		config->hwaddr_len == ETHER_ADDR_LEN &&
-		(config->hwaddr_type == ARPHRD_ETHER || config->hwaddr_type == 0) &&
-		memcmp(config->hwaddr, hwaddr, ETHER_ADDR_LEN) == 0)
-	      break;
+	    {
+	      struct hwaddr_config *conf_addr = config->hwaddr;
+	      if (conf_addr && 
+		  conf_addr->next == NULL && 
+		  conf_addr->wildcard_mask == 0 &&
+		  conf_addr->hwaddr_len == ETHER_ADDR_LEN &&
+		  (conf_addr->hwaddr_type == ARPHRD_ETHER || conf_addr->hwaddr_type == 0) &&
+		  memcmp(conf_addr->hwaddr, hwaddr, ETHER_ADDR_LEN) == 0)
+		break;
+	    }
 	  
 	  if (!config)
 	    {
 	      if (!(config = whine_malloc(sizeof(struct dhcp_config))))
 		continue;
 	      config->flags = CONFIG_FROM_ETHERS;
-	      config->wildcard_mask = 0;
+	      config->hwaddr = NULL;
+	      config->domain = NULL;
 	      config->next = daemon->dhcp_conf;
 	      daemon->dhcp_conf = config;
 	    }
@@ -763,81 +845,68 @@ void dhcp_read_ethers(void)
 	  
 	  if (flags & CONFIG_NAME)
 	    {
-	      if ((config->hostname = whine_malloc(strlen(ip)+1)))
-		strcpy(config->hostname, ip);
-	      else
-		config->flags &= ~CONFIG_NAME;
+	      config->hostname = host;
+	      host = NULL;
 	    }
 	  
 	  if (flags & CONFIG_ADDR)
 	    config->addr = addr;
 	}
       
-      config->flags |= CONFIG_HWADDR | CONFIG_NOCLID;
-      memcpy(config->hwaddr, hwaddr, ETHER_ADDR_LEN);
-      config->hwaddr_len = ETHER_ADDR_LEN;
-      config->hwaddr_type = ARPHRD_ETHER;
+      config->flags |= CONFIG_NOCLID;
+      if (!config->hwaddr)
+	config->hwaddr = whine_malloc(sizeof(struct hwaddr_config));
+      if (config->hwaddr)
+	{
+	  memcpy(config->hwaddr->hwaddr, hwaddr, ETHER_ADDR_LEN);
+	  config->hwaddr->hwaddr_len = ETHER_ADDR_LEN;
+	  config->hwaddr->hwaddr_type = ARPHRD_ETHER;
+	  config->hwaddr->wildcard_mask = 0;
+	  config->hwaddr->next = NULL;
+	}
       count++;
+      
+      free(host);
+
     }
   
   fclose(f);
 
-  my_syslog(LOG_INFO, _("read %s - %d addresses"), ETHERSFILE, count);
+  my_syslog(MS_DHCP | LOG_INFO, _("read %s - %d addresses"), ETHERSFILE, count);
 }
 
-void dhcp_read_hosts(void)
+void check_dhcp_hosts(int fatal)
 {
-  struct dhcp_config *configs, *cp, **up;
-  int count;
-
-  /* remove existing... */
-  for (up = &daemon->dhcp_conf, configs = daemon->dhcp_conf; configs; configs = cp)
-    {
-      cp = configs->next;
-      
-      if (configs->flags & CONFIG_BANK)
-	{
-	  if (configs->flags & CONFIG_CLID)
-	    free(configs->clid);
-	  if (configs->flags & CONFIG_NETID)
-	    free(configs->netid.net);
-	  if (configs->flags & CONFIG_NAME)
-	    free(configs->hostname);
-
-	  *up = configs->next;
-	  free(configs);
-	}
-      else
-	up = &configs->next;
-    }
+  /* If the same IP appears in more than one host config, then DISCOVER
+     for one of the hosts will get the address, but REQUEST will be NAKed,
+     since the address is reserved by the other one -> protocol loop. 
+     Also check that FQDNs match the domain we are using. */
   
-  one_file(daemon->dhcp_hosts_file, 1, 1);
-
-  for (count = 0, configs = daemon->dhcp_conf; configs; configs = configs->next)
+  struct dhcp_config *configs, *cp;
+ 
+  for (configs = daemon->dhcp_conf; configs; configs = configs->next)
     {
-      if (configs->flags & CONFIG_BANK)
-	{
-	  char *domain;
-	  count++;
-	  
-	  for (cp = configs->next; cp; cp = cp->next)
-	    if ((configs->flags & cp->flags & CONFIG_ADDR) && configs->addr.s_addr == cp->addr.s_addr)
-	      {
-		my_syslog(LOG_ERR, _("duplicate IP address %s in %s."), inet_ntoa(cp->addr), daemon->dhcp_hosts_file);
-		configs->flags &= ~CONFIG_ADDR;
-	      }
-	  
-	  if ((configs->flags & CONFIG_NAME) && (domain = strip_hostname(configs->hostname)))
-	    {
-	      my_syslog(LOG_ERR, _("illegal domain %s in %s."), domain, daemon->dhcp_hosts_file);
-	      free(configs->hostname);
-	      configs->flags &= ~CONFIG_NAME;
-	    }
-	}
+      char *domain;
+
+      if ((configs->flags & DHOPT_BANK) || fatal)
+       {
+	 for (cp = configs->next; cp; cp = cp->next)
+	   if ((configs->flags & cp->flags & CONFIG_ADDR) && configs->addr.s_addr == cp->addr.s_addr)
+	     {
+	       if (fatal)
+		 die(_("duplicate IP address %s in dhcp-config directive."), 
+		     inet_ntoa(cp->addr), EC_BADCONF);
+	       else
+		 my_syslog(MS_DHCP | LOG_ERR, _("duplicate IP address %s in %s."), 
+			   inet_ntoa(cp->addr), daemon->dhcp_hosts_file);
+	       configs->flags &= ~CONFIG_ADDR;
+	     }
+	 
+	 /* split off domain part */
+	 if ((configs->flags & CONFIG_NAME) && (domain = strip_hostname(configs->hostname)))
+	   configs->domain = domain;
+       }
     }
-
-  my_syslog(LOG_INFO, _("read %s - %d hosts"), daemon->dhcp_hosts_file, count);
-
 }
 
 void dhcp_update_configs(struct dhcp_config *configs)
@@ -856,44 +925,65 @@ void dhcp_update_configs(struct dhcp_config *configs)
     if (config->flags & CONFIG_ADDR_HOSTS)
       config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
   
-  for (config = configs; config; config = config->next)
-    if (!(config->flags & CONFIG_ADDR) &&
-	(config->flags & CONFIG_NAME) && 
-	(crec = cache_find_by_name(NULL, config->hostname, 0, F_IPV4)) &&
-	(crec->flags & F_HOSTS))
-      {
-	if (config_find_by_address(configs, crec->addr.addr.addr.addr4))
-	  my_syslog(LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
-		    inet_ntoa(crec->addr.addr.addr.addr4), config->hostname);
-	else
-	  {
-	    config->addr = crec->addr.addr.addr.addr4;
-	    config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
-	  }
-      }
+  
+  if (daemon->port != 0)
+    for (config = configs; config; config = config->next)
+      if (!(config->flags & CONFIG_ADDR) &&
+	  (config->flags & CONFIG_NAME) && 
+	  (crec = cache_find_by_name(NULL, config->hostname, 0, F_IPV4)) &&
+	  (crec->flags & F_HOSTS))
+	{
+	  if (cache_find_by_name(crec, config->hostname, 0, F_IPV4))
+	    {
+	      /* use primary (first) address */
+	      while (crec && !(crec->flags & F_REVERSE))
+		crec = cache_find_by_name(crec, config->hostname, 0, F_IPV4);
+	      if (!crec)
+		continue; /* should be never */
+	      my_syslog(MS_DHCP | LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
+			config->hostname, inet_ntoa(crec->addr.addr.addr.addr4));
+	    }
+
+	  if (config_find_by_address(configs, crec->addr.addr.addr.addr4))
+	    my_syslog(MS_DHCP | LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
+		      inet_ntoa(crec->addr.addr.addr.addr4), config->hostname);
+	  else 
+	    {
+	      config->addr = crec->addr.addr.addr.addr4;
+	      config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
+	    }
+	}
 }
 
 /* If we've not found a hostname any other way, try and see if there's one in /etc/hosts
    for this address. If it has a domain part, that must match the set domain and
-   it gets stripped. */
+   it gets stripped. The set of legal domain names is bigger than the set of legal hostnames
+   so check here that the domain name is legal as a hostname. */
 char *host_from_dns(struct in_addr addr)
 {
-  struct crec *lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
+  struct crec *lookup;
   char *hostname = NULL;
+  char *d1, *d2;
+
+  if (daemon->port == 0)
+    return NULL; /* DNS disabled. */
   
+  lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
   if (lookup && (lookup->flags & F_HOSTS))
     {
       hostname = daemon->dhcp_buff;
       strncpy(hostname, cache_get_name(lookup), 256);
       hostname[255] = 0;
-      if (strip_hostname(hostname))
+      d1 = strip_hostname(hostname);
+      d2 = get_domain(addr);
+      if (!legal_hostname(hostname) || (d1 && (!d2 || !hostname_isequal(d1, d2))))
 	hostname = NULL;
     }
   
   return hostname;
 }
 
-/* return illegal domain or NULL if OK */
+/* return domain or NULL if none. */
 char *strip_hostname(char *hostname)
 {
   char *dot = strchr(hostname, '.');
@@ -902,9 +992,11 @@ char *strip_hostname(char *hostname)
     return NULL;
   
   *dot = 0; /* truncate */
-  
-  if (*(dot+1) && (!daemon->domain_suffix || !hostname_isequal(dot+1, daemon->domain_suffix)))
+  if (strlen(dot+1) != 0)
     return dot+1;
   
   return NULL;
 }
+
+#endif
+

src/dnsmasq.c

@@ -1,13 +1,17 @@
-/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -29,23 +33,28 @@ static char *compile_opts =
 #ifdef NO_FORK
 "no-MMU "
 #endif
-#ifndef HAVE_ISC_READER
-"no-"
-#endif
-"ISC-leasefile "
 #ifndef HAVE_DBUS
 "no-"
 #endif
 "DBus "
-#ifdef NO_GETTEXT
+#ifndef LOCALEDIR
 "no-"
 #endif
 "I18N "
+#ifndef HAVE_DHCP
+"no-"
+#endif
+"DHCP "
+#if defined(HAVE_DHCP) && !defined(HAVE_SCRIPT)
+"no-scripts "
+#endif
 #ifndef HAVE_TFTP
 "no-"
 #endif
 "TFTP";
 
+
+
 static volatile pid_t pid = 0;
 static volatile int pipewrite;
 
@@ -53,20 +62,31 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp);
 static void check_dns_listeners(fd_set *set, time_t now);
 static void sig_handler(int sig);
 static void async_event(int pipe, time_t now);
+static void fatal_event(struct event_desc *ev);
 static void poll_resolv(void);
 
 int main (int argc, char **argv)
 {
   int bind_fallback = 0;
-  int bad_capabilities = 0;
-  time_t now, last = 0;
+  time_t now;
   struct sigaction sigact;
   struct iname *if_tmp;
-  int piperead, pipefd[2];
-  struct passwd *ent_pw;
+  int piperead, pipefd[2], err_pipe[2];
+  struct passwd *ent_pw = NULL;
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
+  uid_t script_uid = 0;
+  gid_t script_gid = 0;
+#endif
+  struct group *gp = NULL;
   long i, max_fd = sysconf(_SC_OPEN_MAX);
+  char *baduser = NULL;
+  int log_err;
+#if defined(HAVE_LINUX_NETWORK)
+  cap_user_header_t hdr = NULL;
+  cap_user_data_t data = NULL;
+#endif 
 
-#ifndef NO_GETTEXT
+#ifdef LOCALEDIR
   setlocale(LC_ALL, "");
   bindtextdomain("dnsmasq", LOCALEDIR); 
   textdomain("dnsmasq");
@@ -95,15 +115,13 @@ int main (int argc, char **argv)
   daemon->packet_buff_sz = daemon->edns_pktsz > DNSMASQ_PACKETSZ ? 
     daemon->edns_pktsz : DNSMASQ_PACKETSZ;
   daemon->packet = safe_malloc(daemon->packet_buff_sz);
-  
+
+#ifdef HAVE_DHCP
   if (!daemon->lease_file)
     {
       if (daemon->dhcp)
 	daemon->lease_file = LEASEFILE;
     }
-#ifndef HAVE_ISC_READER
-  else if (!daemon->dhcp)
-    die(_("ISC dhcpd integration not available: set HAVE_ISC_READER in src/config.h"), NULL, EC_BADCONF);
 #endif
   
   /* Close any file descriptors we inherited apart from std{in|out|err} */
@@ -128,25 +146,25 @@ int main (int argc, char **argv)
     die(_("TFTP server not available: set HAVE_TFTP in src/config.h"), NULL, EC_BADCONF);
 #endif
 
+#ifdef HAVE_SOLARIS_NETWORK
+  if (daemon->max_logs != 0)
+    die(_("asychronous logging is not available under Solaris"), NULL, EC_BADCONF);
+#endif
+  
+  rand_init();
+  
   now = dnsmasq_time();
   
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
-#if !defined(HAVE_LINUX_NETWORK) && !defined(IP_RECVIF)
-      int c;
-      struct iname *tmp;
-      for (c = 0, tmp = daemon->if_names; tmp; tmp = tmp->next)
-	if (!tmp->isloop)
-	  c++;
-      if (c != 1)
-	die(_("must set exactly one interface on broken systems without IP_RECVIF"), NULL, EC_BADCONF);
-#endif
       /* Note that order matters here, we must call lease_init before
 	 creating any file descriptors which shouldn't be leaked
 	 to the lease-script init process. */
       lease_init(now);
       dhcp_init();
     }
+#endif
 
   if (!enumerate_interfaces())
     die(_("failed to find list of interfaces: %s"), NULL, EC_MISC);
@@ -166,11 +184,13 @@ int main (int argc, char **argv)
 	    die(_("no interface with address %s"), daemon->namebuff, EC_BADNET);
 	  }
     }
-  else if (!(daemon->listeners = create_wildcard_listeners()))
+  else if ((daemon->port != 0 || (daemon->options & OPT_TFTP)) &&
+	   !(daemon->listeners = create_wildcard_listeners()))
     die(_("failed to create listening socket: %s"), NULL, EC_BADNET);
   
-  cache_init();
-
+  if (daemon->port != 0)
+    cache_init();
+    
   if (daemon->options & OPT_DBUS)
 #ifdef HAVE_DBUS
     {
@@ -184,78 +204,147 @@ int main (int argc, char **argv)
   die(_("DBus not available: set HAVE_DBUS in src/config.h"), NULL, EC_BADCONF);
 #endif
   
-  /* If query_port is set then create a socket now, before dumping root
-     for use to access nameservers without more specific source addresses.
-     This allows query_port to be a low port */
-  if (daemon->query_port)
+  if (daemon->port != 0)
+    pre_allocate_sfds();
+
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
+  /* Note getpwnam returns static storage */
+  if (daemon->dhcp && daemon->lease_change_command && daemon->scriptuser)
     {
-      union  mysockaddr addr;
-      memset(&addr, 0, sizeof(addr));
-      addr.in.sin_family = AF_INET;
-      addr.in.sin_addr.s_addr = INADDR_ANY;
-      addr.in.sin_port = htons(daemon->query_port);
-#ifdef HAVE_SOCKADDR_SA_LEN
-      addr.in.sin_len = sizeof(struct sockaddr_in);
-#endif
-      allocate_sfd(&addr, &daemon->sfds);
-#ifdef HAVE_IPV6
-      memset(&addr, 0, sizeof(addr));
-      addr.in6.sin6_family = AF_INET6;
-      addr.in6.sin6_addr = in6addr_any;
-      addr.in6.sin6_port = htons(daemon->query_port);
-#ifdef HAVE_SOCKADDR_SA_LEN
-      addr.in6.sin6_len = sizeof(struct sockaddr_in6);
-#endif
-      allocate_sfd(&addr, &daemon->sfds);
-#endif
+      if ((ent_pw = getpwnam(daemon->scriptuser)))
+	{
+	  script_uid = ent_pw->pw_uid;
+	  script_gid = ent_pw->pw_gid;
+	 }
+      else
+	baduser = daemon->scriptuser;
     }
+#endif
   
+  if (daemon->username && !(ent_pw = getpwnam(daemon->username)))
+    baduser = daemon->username;
+  else if (daemon->groupname && !(gp = getgrnam(daemon->groupname)))
+    baduser = daemon->groupname;
+
+  if (baduser)
+    die(_("unknown user or group: %s"), baduser, EC_BADCONF);
+   
+  /* implement group defaults, "dip" if available, or group associated with uid */
+  if (!daemon->group_set && !gp)
+    {
+      if (!(gp = getgrnam(CHGRP)) && ent_pw)
+	gp = getgrgid(ent_pw->pw_gid);
+      
+      /* for error message */
+      if (gp)
+	daemon->groupname = gp->gr_name; 
+    }
+
+#if defined(HAVE_LINUX_NETWORK)
+  /* determine capability API version here, while we can still
+     call safe_malloc */
+  if (ent_pw && ent_pw->pw_uid != 0)
+    {
+      int capsize = 1; /* for header version 1 */
+      hdr = safe_malloc(sizeof(*hdr));
+
+      /* find version supported by kernel */
+      memset(hdr, 0, sizeof(*hdr));
+      capget(hdr, NULL);
+      
+      if (hdr->version != LINUX_CAPABILITY_VERSION_1)
+	{
+	  /* if unknown version, use largest supported version (3) */
+	  if (hdr->version != LINUX_CAPABILITY_VERSION_2)
+	    hdr->version = LINUX_CAPABILITY_VERSION_3;
+	  capsize = 2;
+	}
+      
+      data = safe_malloc(sizeof(*data) * capsize);
+      memset(data, 0, sizeof(*data) * capsize);
+    }
+#endif
+
   /* Use a pipe to carry signals and other events back to the event loop 
-     in a race-free manner */
-  if (pipe(pipefd) == -1 || !fix_fd(pipefd[0]) || !fix_fd(pipefd[1])) 
-    die(_("cannot create pipe: %s"), NULL, EC_MISC);
+     in a race-free manner and another to carry errors to daemon-invoking process */
+  safe_pipe(pipefd, 1);
   
   piperead = pipefd[0];
   pipewrite = pipefd[1];
   /* prime the pipe to load stuff first time. */
   send_event(pipewrite, EVENT_RELOAD, 0); 
+
+  err_pipe[1] = -1;
   
   if (!(daemon->options & OPT_DEBUG))   
     {
-      FILE *pidfile;
       int nullfd;
 
       /* The following code "daemonizes" the process. 
 	 See Stevens section 12.4 */
+      
+      if (chdir("/") != 0)
+	die(_("cannot chdir to filesystem root: %s"), NULL, EC_MISC); 
 
 #ifndef NO_FORK      
       if (!(daemon->options & OPT_NO_FORK))
 	{
 	  pid_t pid;
 	  
-	  if ((pid = fork()) == -1 )
-	    die(_("cannot fork into background: %s"), NULL, EC_MISC);
+	  /* pipe to carry errors back to original process.
+	     When startup is complete we close this and the process terminates. */
+	  safe_pipe(err_pipe, 0);
 	  
+	  if ((pid = fork()) == -1)
+	    /* fd == -1 since we've not forked, never returns. */
+	    send_event(-1, EVENT_FORK_ERR, errno);
+	   
 	  if (pid != 0)
-	    _exit(EC_GOOD);
+	    {
+	      struct event_desc ev;
+	      
+	      /* close our copy of write-end */
+	      close(err_pipe[1]);
+	      
+	      /* check for errors after the fork */
+	      if (read_write(err_pipe[0], (unsigned char *)&ev, sizeof(ev), 1))
+		fatal_event(&ev);
+	      
+	      _exit(EC_GOOD);
+	    } 
+	  
+	  close(err_pipe[0]);
+
+	  /* NO calls to die() from here on. */
 	  
 	  setsid();
-	  pid = fork();
-
-	  if (pid != 0 && pid != -1)
+	 
+	  if ((pid = fork()) == -1)
+	    send_event(err_pipe[1], EVENT_FORK_ERR, errno);
+	 
+	  if (pid != 0)
 	    _exit(0);
 	}
 #endif
-      
-      chdir("/");
             
       /* write pidfile _after_ forking ! */
-      if (daemon->runfile && (pidfile = fopen(daemon->runfile, "w")))
-      	{
-	  fprintf(pidfile, "%d\n", (int) getpid());
-	  fclose(pidfile);
+      if (daemon->runfile)
+	{
+	  FILE *pidfile;
+	  
+	  /* only complain if started as root */
+	  if ((pidfile = fopen(daemon->runfile, "w")))
+	    {
+	      fprintf(pidfile, "%d\n", (int) getpid());
+	      fclose(pidfile);
+	    }
+	  else if (getuid() == 0)
+	    {
+	      send_event(err_pipe[1], EVENT_PIDFILE, errno);
+	      _exit(0);
+	    }
 	}
-      
+         
       /* open  stdout etc to /dev/null */
       nullfd = open("/dev/null", O_RDWR);
       dup2(nullfd, STDOUT_FILENO);
@@ -264,65 +353,89 @@ int main (int argc, char **argv)
       close(nullfd);
     }
   
-  /* if we are to run scripts, we need to fork a helper before dropping root. */
-#ifndef NO_FORK
-  daemon->helperfd = create_helper(pipewrite, max_fd);
-#endif
+   log_err = log_start(ent_pw, err_pipe[1]); 
    
-  ent_pw = daemon->username ? getpwnam(daemon->username) : NULL;
+   /* if we are to run scripts, we need to fork a helper before dropping root. */
+  daemon->helperfd = -1;
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT) 
+  if (daemon->dhcp && daemon->lease_change_command)
+    daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
+#endif
 
-  /* before here, we should only call die(), after here, only call syslog() */
-  log_start(ent_pw); 
-
-  if (!(daemon->options & OPT_DEBUG))   
+  if (!(daemon->options & OPT_DEBUG) && getuid() == 0)   
     {
-      /* UID changing, etc */
-      if (daemon->groupname || ent_pw)
-	{
-	  gid_t dummy;
-	  struct group *gp;
-	  
-	  /* change group for /etc/ppp/resolv.conf otherwise get the group for "nobody" */
-	  if ((daemon->groupname && (gp = getgrnam(daemon->groupname))) || 
-	      (ent_pw && (gp = getgrgid(ent_pw->pw_gid))))
-	    {
-	      /* remove all supplimentary groups */
-	      setgroups(0, &dummy);
-	      setgid(gp->gr_gid);
-	    } 
-	}
+      int bad_capabilities = 0;
+      gid_t dummy;
       
+      /* remove all supplimentary groups */
+      if (gp && 
+	  (setgroups(0, &dummy) == -1 ||
+	   setgid(gp->gr_gid) == -1))
+	{
+	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno);
+	  _exit(0);
+	}
+  
       if (ent_pw && ent_pw->pw_uid != 0)
 	{     
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
 	  /* On linux, we keep CAP_NETADMIN (for ARP-injection) and
 	     CAP_NET_RAW (for icmp) if we're doing dhcp */
-	  cap_user_header_t hdr = safe_malloc(sizeof(*hdr));
-	  cap_user_data_t data = safe_malloc(sizeof(*data));
-	  hdr->version = _LINUX_CAPABILITY_VERSION;
-	  hdr->pid = 0; /* this process */
 	  data->effective = data->permitted = data->inheritable =
-	    (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) |
-	    (1 << CAP_SETGID) | (1 << CAP_SETUID);
+	    (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID);
 	  
 	  /* Tell kernel to not clear capabilities when dropping root */
 	  if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1) == -1)
 	    bad_capabilities = errno;
-	  else
-#endif
+			  
+#elif defined(HAVE_SOLARIS_NETWORK)
+	  /* http://developers.sun.com/solaris/articles/program_privileges.html */
+	  priv_set_t *priv_set;
+	  
+	  if (!(priv_set = priv_str_to_set("basic", ",", NULL)) ||
+	      priv_addset(priv_set, PRIV_NET_ICMPACCESS) == -1 ||
+	      priv_addset(priv_set, PRIV_SYS_NET_CONFIG) == -1)
+	    bad_capabilities = errno;
+
+	  if (priv_set && bad_capabilities == 0)
 	    {
-	      /* finally drop root */
-	      setuid(ent_pw->pw_uid);
-	      
-#ifdef HAVE_LINUX_NETWORK
-	      data->effective = data->permitted = 
-		(1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
-	      data->inheritable = 0;
-	      
-	      /* lose the setuid and setgid capbilities */
-	      capset(hdr, data);
-#endif
+	      priv_inverse(priv_set);
+	  
+	      if (setppriv(PRIV_OFF, PRIV_LIMIT, priv_set) == -1)
+		bad_capabilities = errno;
 	    }
+
+	  if (priv_set)
+	    priv_freeset(priv_set);
+
+#endif    
+
+	  if (bad_capabilities != 0)
+	    {
+	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities);
+	      _exit(0);
+	    }
+	  
+	  /* finally drop root */
+	  if (setuid(ent_pw->pw_uid) == -1)
+	    {
+	      send_event(err_pipe[1], EVENT_USER_ERR, errno);
+	      _exit(0);
+	    }     
+
+#ifdef HAVE_LINUX_NETWORK
+	  data->effective = data->permitted = 
+	    (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
+	  data->inheritable = 0;
+	  
+	  /* lose the setuid and setgid capbilities */
+	  if (capset(hdr, data) == -1)
+	    {
+	      send_event(err_pipe[1], EVENT_CAP_ERR, errno);
+	      _exit(0);
+	    }
+#endif
+	  
 	}
     }
   
@@ -331,7 +444,9 @@ int main (int argc, char **argv)
     prctl(PR_SET_DUMPABLE, 1);
 #endif
 
-  if (daemon->cachesize != 0)
+  if (daemon->port == 0)
+    my_syslog(LOG_INFO, _("started, version %s DNS disabled"), VERSION);
+  else if (daemon->cachesize != 0)
     my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION, daemon->cachesize);
   else
     my_syslog(LOG_INFO, _("started, version %s cache disabled"), VERSION);
@@ -348,6 +463,10 @@ int main (int argc, char **argv)
     }
 #endif
 
+  if (log_err != 0)
+    my_syslog(LOG_WARNING, _("warning: failed to change owner of %s: %s"), 
+	      daemon->log_file, strerror(log_err));
+
   if (bind_fallback)
     my_syslog(LOG_WARNING, _("setting --bind-interfaces option because of OS limitations"));
   
@@ -356,7 +475,7 @@ int main (int argc, char **argv)
       if (if_tmp->name && !if_tmp->used)
 	my_syslog(LOG_WARNING, _("warning: interface %s does not currently exist"), if_tmp->name);
    
-  if (daemon->options & OPT_NO_RESOLV)
+  if (daemon->port != 0 && (daemon->options & OPT_NO_RESOLV))
     {
       if (daemon->resolv_files && !daemon->resolv_files->is_default)
 	my_syslog(LOG_WARNING, _("warning: ignoring resolv-file flag because no-resolv is set"));
@@ -368,6 +487,7 @@ int main (int argc, char **argv)
   if (daemon->max_logs != 0)
     my_syslog(LOG_INFO, _("asynchronous logging enabled, queue limit is %d messages"), daemon->max_logs);
 
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
       struct dhcp_context *dhcp_tmp;
@@ -376,13 +496,16 @@ int main (int argc, char **argv)
 	{
 	  prettyprint_time(daemon->dhcp_buff2, dhcp_tmp->lease_time);
 	  strcpy(daemon->dhcp_buff, inet_ntoa(dhcp_tmp->start));
-	  my_syslog(LOG_INFO, 
+	  my_syslog(MS_DHCP | LOG_INFO, 
 		    (dhcp_tmp->flags & CONTEXT_STATIC) ? 
 		    _("DHCP, static leases only on %.0s%s, lease time %s") :
+		    (dhcp_tmp->flags & CONTEXT_PROXY) ?
+		    _("DHCP, proxy on subnet %.0s%s%.0s") :
 		    _("DHCP, IP range %s -- %s, lease time %s"),
 		    daemon->dhcp_buff, inet_ntoa(dhcp_tmp->end), daemon->dhcp_buff2);
 	}
     }
+#endif
 
 #ifdef HAVE_TFTP
   if (daemon->options & OPT_TFTP)
@@ -392,7 +515,7 @@ int main (int argc, char **argv)
 	max_fd = FD_SETSIZE;
 #endif
 
-      my_syslog(LOG_INFO, "TFTP %s%s %s", 
+      my_syslog(MS_TFTP | LOG_INFO, "TFTP %s%s %s", 
 		daemon->tftp_prefix ? _("root is ") : _("enabled"),
 		daemon->tftp_prefix ? daemon->tftp_prefix: "",
 		daemon->options & OPT_TFTP_SECURE ? _("secure mode") : "");
@@ -410,27 +533,30 @@ int main (int argc, char **argv)
 	max_fd = max_fd/2;
       else
 	max_fd = max_fd - 20;
+      
+      /* if we have to use a limited range of ports, 
+	 that will limit the number of transfers */
+      if (daemon->start_tftp_port != 0 &&
+	  daemon->end_tftp_port - daemon->start_tftp_port + 1 < max_fd)
+	max_fd = daemon->end_tftp_port - daemon->start_tftp_port + 1;
 
       if (daemon->tftp_max > max_fd)
 	{
 	  daemon->tftp_max = max_fd;
-	  my_syslog(LOG_WARNING, 
+	  my_syslog(MS_TFTP | LOG_WARNING, 
 		    _("restricting maximum simultaneous TFTP transfers to %d"), 
 		    daemon->tftp_max);
 	}
     }
 #endif
 
-  if (!(daemon->options & OPT_DEBUG) && (getuid() == 0 || geteuid() == 0))
-    {
-      if (bad_capabilities)
-	my_syslog(LOG_WARNING, _("warning: setting capabilities failed: %s"), strerror(bad_capabilities));
-
-      my_syslog(LOG_WARNING, _("running as root"));
-    }
+  /* finished start-up - release original process */
+  if (err_pipe[1] != -1)
+    close(err_pipe[1]);
+  
+  if (daemon->port != 0)
+    check_servers();
   
-  check_servers();
-
   pid = getpid();
   
   while (1)
@@ -465,11 +591,13 @@ int main (int argc, char **argv)
       set_dbus_listeners(&maxfd, &rset, &wset, &eset);
 #endif	
   
+#ifdef HAVE_DHCP
       if (daemon->dhcp)
 	{
 	  FD_SET(daemon->dhcpfd, &rset);
 	  bump_maxfd(daemon->dhcpfd, &maxfd);
 	}
+#endif
 
 #ifdef HAVE_LINUX_NETWORK
       FD_SET(daemon->netlinkfd, &rset);
@@ -479,7 +607,8 @@ int main (int argc, char **argv)
       FD_SET(piperead, &rset);
       bump_maxfd(piperead, &maxfd);
 
-#ifndef NO_FORK
+#ifdef HAVE_DHCP
+#  ifdef HAVE_SCRIPT
       while (helper_buf_empty() && do_script_run(now));
 
       if (!helper_buf_empty())
@@ -487,11 +616,12 @@ int main (int argc, char **argv)
 	  FD_SET(daemon->helperfd, &wset);
 	  bump_maxfd(daemon->helperfd, &maxfd);
 	}
-#else
+#  else
       /* need this for other side-effects */
       while (do_script_run(now));
+#  endif
 #endif
-      
+   
       /* must do this just before select(), when we know no
 	 more calls to my_syslog() can occur */
       set_log_writer(&wset, &maxfd);
@@ -508,16 +638,13 @@ int main (int argc, char **argv)
 
       /* Check for changes to resolv files once per second max. */
       /* Don't go silent for long periods if the clock goes backwards. */
-      if (last == 0 || difftime(now, last) > 1.0 || difftime(now, last) < -1.0)
+      if (daemon->last_resolv == 0 || 
+	  difftime(now, daemon->last_resolv) > 1.0 || 
+	  difftime(now, daemon->last_resolv) < -1.0)
 	{
-	  last = now;
+	  daemon->last_resolv = now;
 
-#ifdef HAVE_ISC_READER
-	  if (daemon->lease_file && !daemon->dhcp)
-	    load_dhcp(now);
-#endif
-
-	  if (!(daemon->options & OPT_NO_POLL))
+	  if (daemon->port != 0 && !(daemon->options & OPT_NO_POLL))
 	    poll_resolv();
 	}
       
@@ -541,19 +668,21 @@ int main (int argc, char **argv)
 	}
       check_dbus_listeners(&rset, &wset, &eset);
 #endif
-
+      
       check_dns_listeners(&rset, now);
 
 #ifdef HAVE_TFTP
       check_tftp_listeners(&rset, now);
 #endif      
 
+#ifdef HAVE_DHCP
       if (daemon->dhcp && FD_ISSET(daemon->dhcpfd, &rset))
 	dhcp_packet(now);
 
-#ifndef NO_FORK
+#  ifdef HAVE_SCRIPT
       if (daemon->helperfd != -1 && FD_ISSET(daemon->helperfd, &wset))
 	helper_write();
+#  endif
 #endif
 
     }
@@ -605,11 +734,51 @@ void send_event(int fd, int event, int data)
   
   ev.event = event;
   ev.data = data;
-  /* pipe is non-blocking and struct event_desc is smaller than
-     PIPE_BUF, so this either fails or writes everything */
-  while (write(fd, &ev, sizeof(ev)) == -1 && errno == EINTR);
+  
+  /* error pipe, debug mode. */
+  if (fd == -1)
+    fatal_event(&ev);
+  else
+    /* pipe is non-blocking and struct event_desc is smaller than
+       PIPE_BUF, so this either fails or writes everything */
+    while (write(fd, &ev, sizeof(ev)) == -1 && errno == EINTR);
 }
 
+static void fatal_event(struct event_desc *ev)
+{
+  errno = ev->data;
+  
+  switch (ev->event)
+    {
+    case EVENT_DIE:
+      exit(0);
+
+    case EVENT_FORK_ERR:
+      die(_("cannot fork into background: %s"), NULL, EC_MISC);
+  
+    case EVENT_PIPE_ERR:
+      die(_("failed to create helper: %s"), NULL, EC_MISC);
+  
+    case EVENT_CAP_ERR:
+      die(_("setting capabilities failed: %s"), NULL, EC_MISC);
+
+    case EVENT_USER_ERR:
+    case EVENT_HUSER_ERR:
+      die(_("failed to change user-id to %s: %s"), 
+	  ev->event == EVENT_USER_ERR ? daemon->username : daemon->scriptuser,
+	  EC_MISC);
+
+    case EVENT_GROUP_ERR:
+      die(_("failed to change group-id to %s: %s"), daemon->groupname, EC_MISC);
+      
+    case EVENT_PIDFILE:
+      die(_("failed to open pidfile %s: %s"), daemon->runfile, EC_FILE);
+
+    case EVENT_LOG_ERR:
+      die(_("cannot open %s: %s"), daemon->log_file ? daemon->log_file : "log", EC_FILE);
+    }
+}	
+      
 static void async_event(int pipe, time_t now)
 {
   pid_t p;
@@ -621,24 +790,29 @@ static void async_event(int pipe, time_t now)
       {
       case EVENT_RELOAD:
 	clear_cache_and_reload(now);
-	if (daemon->resolv_files && (daemon->options & OPT_NO_POLL))
+	if (daemon->port != 0 && daemon->resolv_files && (daemon->options & OPT_NO_POLL))
 	  {
 	    reload_servers(daemon->resolv_files->name);
 	    check_servers();
 	  }
+#ifdef HAVE_DHCP
 	rerun_scripts();
+#endif
 	break;
 	
       case EVENT_DUMP:
-	dump_cache(now);
+	if (daemon->port != 0)
+	  dump_cache(now);
 	break;
 	
       case EVENT_ALARM:
+#ifdef HAVE_DHCP
 	if (daemon->dhcp)
 	  {
 	    lease_prune(NULL, now);
 	    lease_update_file(now);
 	  }
+#endif
 	break;
 		
       case EVENT_CHILD:
@@ -664,11 +838,14 @@ static void async_event(int pipe, time_t now)
 	break;
 
       case EVENT_EXEC_ERR:
-	my_syslog(LOG_ERR, _("failed to execute %s: %s"), daemon->lease_change_command, strerror(ev.data));
+	my_syslog(LOG_ERR, _("failed to execute %s: %s"), 
+		  daemon->lease_change_command, strerror(ev.data));
 	break;
 
-      case EVENT_PIPE_ERR:
-	my_syslog(LOG_ERR, _("failed to create helper: %s"), strerror(ev.data));
+	/* necessary for fatal errors in helper */
+      case EVENT_HUSER_ERR:
+      case EVENT_DIE:
+	fatal_event(&ev);
 	break;
 
       case EVENT_REOPEN:
@@ -685,7 +862,7 @@ static void async_event(int pipe, time_t now)
 	  if (daemon->tcp_pids[i] != 0)
 	    kill(daemon->tcp_pids[i], SIGALRM);
 	
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
 	/* handle pending lease transitions */
 	if (daemon->helperfd != -1)
 	  {
@@ -701,6 +878,9 @@ static void async_event(int pipe, time_t now)
 	
 	if (daemon->lease_stream)
 	  fclose(daemon->lease_stream);
+
+	if (daemon->runfile)
+	  unlink(daemon->runfile);
 	
 	my_syslog(LOG_INFO, _("exiting on receipt of SIGTERM"));
 	flush_log();
@@ -746,7 +926,7 @@ static void poll_resolv()
 	  warned = 0;
 	  check_servers();
 	  if (daemon->options & OPT_RELOAD)
-	    cache_reload(daemon->options, daemon->namebuff, daemon->domain_suffix, daemon->addn_hosts);
+	    cache_reload();
 	}
       else 
 	{
@@ -762,25 +942,29 @@ static void poll_resolv()
 
 void clear_cache_and_reload(time_t now)
 {
-  cache_reload(daemon->options, daemon->namebuff, daemon->domain_suffix, daemon->addn_hosts);
+  if (daemon->port != 0)
+    cache_reload();
+  
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
       if (daemon->options & OPT_ETHERS)
 	dhcp_read_ethers();
-      if (daemon->dhcp_hosts_file)
-	dhcp_read_hosts();
+      reread_dhcp();
       dhcp_update_configs(daemon->dhcp_conf);
+      check_dhcp_hosts(0);
       lease_update_from_configs(); 
       lease_update_file(now); 
       lease_update_dns();
     }
+#endif
 }
 
 static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
 {
   struct serverfd *serverfdp;
   struct listener *listener;
-  int wait, i;
+  int wait = 0, i;
   
 #ifdef HAVE_TFTP
   int  tftp = 0;
@@ -794,18 +978,27 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
 #endif
   
   /* will we be able to get memory? */
-  get_new_frec(now, &wait);
+  if (daemon->port != 0)
+    get_new_frec(now, &wait);
   
   for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
     {
       FD_SET(serverfdp->fd, set);
       bump_maxfd(serverfdp->fd, maxfdp);
     }
-	  
+
+  if (daemon->port != 0 && !daemon->osport)
+    for (i = 0; i < RANDOM_SOCKS; i++)
+      if (daemon->randomsocks[i].refcount != 0)
+	{
+	  FD_SET(daemon->randomsocks[i].fd, set);
+	  bump_maxfd(daemon->randomsocks[i].fd, maxfdp);
+	}
+  
   for (listener = daemon->listeners; listener; listener = listener->next)
     {
       /* only listen for queries if we have resources */
-      if (wait == 0)
+      if (listener->fd != -1 && wait == 0)
 	{
 	  FD_SET(listener->fd, set);
 	  bump_maxfd(listener->fd, maxfdp);
@@ -813,13 +1006,14 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
 
       /* death of a child goes through the select loop, so
 	 we don't need to explicitly arrange to wake up here */
-      for (i = 0; i < MAX_PROCS; i++)
-	if (daemon->tcp_pids[i] == 0)
-	  {
-	    FD_SET(listener->tcpfd, set);
-	    bump_maxfd(listener->tcpfd, maxfdp);
-	    break;
-	  }
+      if  (listener->tcpfd != -1)
+	for (i = 0; i < MAX_PROCS; i++)
+	  if (daemon->tcp_pids[i] == 0)
+	    {
+	      FD_SET(listener->tcpfd, set);
+	      bump_maxfd(listener->tcpfd, maxfdp);
+	      break;
+	    }
 
 #ifdef HAVE_TFTP
       if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
@@ -837,23 +1031,30 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
 static void check_dns_listeners(fd_set *set, time_t now)
 {
   struct serverfd *serverfdp;
-  struct listener *listener;	  
-  
+  struct listener *listener;
+  int i;
+
   for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
     if (FD_ISSET(serverfdp->fd, set))
-      reply_query(serverfdp, now);
+      reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
+  
+  if (daemon->port != 0 && !daemon->osport)
+    for (i = 0; i < RANDOM_SOCKS; i++)
+      if (daemon->randomsocks[i].refcount != 0 && 
+	  FD_ISSET(daemon->randomsocks[i].fd, set))
+	reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
   
   for (listener = daemon->listeners; listener; listener = listener->next)
     {
-      if (FD_ISSET(listener->fd, set))
+      if (listener->fd != -1 && FD_ISSET(listener->fd, set))
 	receive_query(listener, now); 
- 
+      
 #ifdef HAVE_TFTP     
       if (listener->tftpfd != -1 && FD_ISSET(listener->tftpfd, set))
 	tftp_request(listener, now);
 #endif
 
-      if (FD_ISSET(listener->tcpfd, set))
+      if (listener->tcpfd != -1 && FD_ISSET(listener->tcpfd, set))
 	{
 	  int confd;
 	  struct irec *iface = NULL;
@@ -958,7 +1159,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
     }
 }
 
-
+#ifdef HAVE_DHCP
 int make_icmp_sock(void)
 {
   int fd;
@@ -997,7 +1198,7 @@ int icmp_ping(struct in_addr addr)
   int gotreply = 0;
   time_t start, now;
 
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK) || defined (HAVE_SOLARIS_NETWORK)
   if ((fd = make_icmp_sock()) == -1)
     return 0;
 #else
@@ -1072,7 +1273,7 @@ int icmp_ping(struct in_addr addr)
 	}
     }
   
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK) || defined(HAVE_SOLARIS_NETWORK)
   close(fd);
 #else
   opt = 1;
@@ -1081,5 +1282,6 @@ int icmp_ping(struct in_addr addr)
 
   return gotreply;
 }
+#endif
 
  

src/dnsmasq.h

@@ -1,26 +1,44 @@
-/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
-
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
+ 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define COPYRIGHT "Copyright (C) 2000-2007 Simon Kelley" 
+#define COPYRIGHT "Copyright (C) 2000-2009 Simon Kelley" 
+
+#ifndef NO_LARGEFILE
+/* Ensure we can use files >2GB (log files may grow this big) */
+#  define _LARGEFILE_SOURCE 1
+#  define _FILE_OFFSET_BITS 64
+#endif
+
+/* Get linux C library versions. */
+#ifdef __linux__
+#  define _GNU_SOURCE
+#  include <features.h> 
+#endif
 
 /* get these before config.h  for IPv6 stuff... */
 #include <sys/types.h> 
+#include <sys/socket.h>
 #include <netinet/in.h>
 
 #ifdef __APPLE__
-/* need this before arpa/nameser.h */
-#  define BIND_8_COMPAT
+#  include <nameser.h>
+#  include <arpa/nameser_compat.h>
+#else
+#  include <arpa/nameser.h>
 #endif
-#include <arpa/nameser.h>
 
 /* and this. */
 #include <getopt.h>
@@ -28,7 +46,7 @@
 #include "config.h"
 
 #define gettext_noop(S) (S)
-#ifdef NO_GETTEXT
+#ifndef LOCALEDIR
 #  define _(S) (S)
 #else
 #  include <libintl.h>
@@ -38,8 +56,10 @@
 
 #include <arpa/inet.h>
 #include <sys/stat.h>
-#include <sys/socket.h>
 #include <sys/ioctl.h>
+#if defined(HAVE_SOLARIS_NETWORK)
+#include <sys/sockio.h>
+#endif
 #include <sys/select.h>
 #include <sys/wait.h>
 #include <sys/time.h>
@@ -53,12 +73,13 @@
 #include <fcntl.h>
 #include <ctype.h>
 #include <signal.h>
+#include <stddef.h>
 #include <time.h>
 #include <errno.h>
 #include <pwd.h>
 #include <grp.h>
 #include <stdarg.h>
-#if defined(__OpenBSD__) || defined(__NetBSD__)
+#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__sun__) || defined (__sun)
 #  include <netinet/if_ether.h>
 #else
 #  include <net/ethernet.h>
@@ -74,15 +95,22 @@
 #  include <net/if_dl.h>
 #endif
 
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
 #include <linux/capability.h>
 /* There doesn't seem to be a universally-available 
-   userpace header for this. */
+   userpace header for these. */
 extern int capset(cap_user_header_t header, cap_user_data_t data);
+extern int capget(cap_user_header_t header, cap_user_data_t data);
+#define LINUX_CAPABILITY_VERSION_1  0x19980330
+#define LINUX_CAPABILITY_VERSION_2  0x20071026
+#define LINUX_CAPABILITY_VERSION_3  0x20080522
+
 #include <sys/prctl.h>
+#elif defined(HAVE_SOLARIS_NETWORK)
+#include <priv.h>
 #endif
 
-/* daemon is function in teh C library.... */
+/* daemon is function in the C library.... */
 #define daemon dnsmasq_daemon
 
 /* Async event queue */
@@ -100,6 +128,14 @@ struct event_desc {
 #define EVENT_KILLED    8
 #define EVENT_EXEC_ERR  9
 #define EVENT_PIPE_ERR  10
+#define EVENT_USER_ERR  11
+#define EVENT_CAP_ERR   12
+#define EVENT_PIDFILE   13
+#define EVENT_HUSER_ERR 14
+#define EVENT_GROUP_ERR 15
+#define EVENT_DIE       16
+#define EVENT_LOG_ERR   17
+#define EVENT_FORK_ERR  18
 
 /* Exit codes. */
 #define EC_GOOD        0
@@ -117,35 +153,43 @@ struct event_desc {
 */
 #define DNSMASQ_PACKETSZ PACKETSZ+MAXDNAME+RRFIXEDSZ
 
-#define OPT_BOGUSPRIV      (1<<0)
-#define OPT_FILTER         (1<<1)
-#define OPT_LOG            (1<<2)
-#define OPT_SELFMX         (1<<3)
-#define OPT_NO_HOSTS       (1<<4)
-#define OPT_NO_POLL        (1<<5)
-#define OPT_DEBUG          (1<<6)
-#define OPT_ORDER          (1<<7)
-#define OPT_NO_RESOLV      (1<<8)
-#define OPT_EXPAND         (1<<9)
-#define OPT_LOCALMX        (1<<10)
-#define OPT_NO_NEG         (1<<11)
-#define OPT_NODOTS_LOCAL   (1<<12)
-#define OPT_NOWILD         (1<<13)
-#define OPT_ETHERS         (1<<14)
-#define OPT_RESOLV_DOMAIN  (1<<15)
-#define OPT_NO_FORK        (1<<16)
-#define OPT_AUTHORITATIVE  (1<<17)
-#define OPT_LOCALISE       (1<<18)
-#define OPT_DBUS           (1<<19)
-#define OPT_BOOTP_DYNAMIC  (1<<20)
-#define OPT_NO_PING        (1<<21)
-#define OPT_LEASE_RO       (1<<22)
-#define OPT_RELOAD         (1<<24)
-#define OPT_TFTP           (1<<25)
-#define OPT_TFTP_SECURE    (1<<26)
-#define OPT_TFTP_NOBLOCK   (1<<27)
-#define OPT_LOG_OPTS       (1<<28)
-#define OPT_TFTP_APREF     (1<<29)
+#define OPT_BOGUSPRIV      (1u<<0)
+#define OPT_FILTER         (1u<<1)
+#define OPT_LOG            (1u<<2)
+#define OPT_SELFMX         (1u<<3)
+#define OPT_NO_HOSTS       (1u<<4)
+#define OPT_NO_POLL        (1u<<5)
+#define OPT_DEBUG          (1u<<6)
+#define OPT_ORDER          (1u<<7)
+#define OPT_NO_RESOLV      (1u<<8)
+#define OPT_EXPAND         (1u<<9)
+#define OPT_LOCALMX        (1u<<10)
+#define OPT_NO_NEG         (1u<<11)
+#define OPT_NODOTS_LOCAL   (1u<<12)
+#define OPT_NOWILD         (1u<<13)
+#define OPT_ETHERS         (1u<<14)
+#define OPT_RESOLV_DOMAIN  (1u<<15)
+#define OPT_NO_FORK        (1u<<16)
+#define OPT_AUTHORITATIVE  (1u<<17)
+#define OPT_LOCALISE       (1u<<18)
+#define OPT_DBUS           (1u<<19)
+#define OPT_DHCP_FQDN      (1u<<20)
+#define OPT_NO_PING        (1u<<21)
+#define OPT_LEASE_RO       (1u<<22)
+#define OPT_ALL_SERVERS    (1u<<23)
+#define OPT_RELOAD         (1u<<24)
+#define OPT_TFTP           (1u<<25)
+#define OPT_TFTP_SECURE    (1u<<26)
+#define OPT_TFTP_NOBLOCK   (1u<<27)
+#define OPT_LOG_OPTS       (1u<<28)
+#define OPT_TFTP_APREF     (1u<<29)
+#define OPT_NO_OVERRIDE    (1u<<30)
+#define OPT_NO_REBIND      (1u<<31)
+
+/* extra flags for my_syslog, we use a couple of facilities since they are known 
+   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
+#define MS_TFTP LOG_USER
+#define MS_DHCP LOG_DAEMON 
 
 struct all_addr {
   union {
@@ -163,7 +207,7 @@ struct bogus_addr {
 
 /* dns doctor param */
 struct doctor {
-  struct in_addr in, out, mask;
+  struct in_addr in, end, out, mask;
   struct doctor *next;
 };
 
@@ -174,6 +218,12 @@ struct mx_srv_record {
   struct mx_srv_record *next;
 };
 
+struct naptr {
+  char *name, *replace, *regexp, *services, *flags;
+  unsigned int order, pref;
+  struct naptr *next;
+};
+
 struct txt_record {
   char *name, *txt;
   unsigned short class, len;
@@ -185,6 +235,11 @@ struct ptr_record {
   struct ptr_record *next;
 };
 
+struct cname {
+  char *alias, *target;
+  struct cname *next;
+};
+
 struct interface_name {
   char *name; /* domain name */
   char *intr; /* interface name */
@@ -238,19 +293,7 @@ struct crec {
 union mysockaddr {
   struct sockaddr sa;
   struct sockaddr_in in;
-#ifdef HAVE_BROKEN_SOCKADDR_IN6
-  /* early versions of glibc don't include sin6_scope_id in sockaddr_in6
-     but latest kernels _require_ it to be set. The choice is to have
-     dnsmasq fail to compile on back-level libc or fail to run
-     on latest kernels with IPv6. Or to do this: sorry that it's so gross. */
-  struct my_sockaddr_in6 {
-    sa_family_t     sin6_family;    /* AF_INET6 */
-    uint16_t        sin6_port;      /* transport layer port # */
-    uint32_t        sin6_flowinfo;  /* IPv6 traffic class & flow info */
-    struct in6_addr sin6_addr;      /* IPv6 address */
-    uint32_t        sin6_scope_id;  /* set of interfaces for a scope */
-  } in6;
-#elif defined(HAVE_IPV6)
+#if defined(HAVE_IPV6)
   struct sockaddr_in6 in6;
 #endif
 };
@@ -265,25 +308,34 @@ union mysockaddr {
 #define SERV_FROM_DBUS       128  /* 1 if source is DBus */
 #define SERV_MARK            256  /* for mark-and-delete */
 #define SERV_TYPE    (SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
+#define SERV_COUNTED         512  /* workspace for log code */
 
 struct serverfd {
   int fd;
   union mysockaddr source_addr;
+  char interface[IF_NAMESIZE+1];
   struct serverfd *next;
 };
 
+struct randfd {
+  int fd;
+  unsigned short refcount, family;
+};
+  
 struct server {
   union mysockaddr addr, source_addr;
+  char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
   int flags, tcpfd;
+  unsigned int queries, failed_queries;
   struct server *next; 
 };
 
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
-  int dhcp_ok;
+  int dhcp_ok, mtu;
   struct irec *next;
 };
 
@@ -310,8 +362,11 @@ struct resolvc {
 };
 
 /* adn-hosts parms from command-line */
+#define AH_DIR      1
+#define AH_INACTIVE 2
 struct hostsfile {
   struct hostsfile *next;
+  int flags;
   char *fname;
   int index; /* matches to cache entries for logging */
 };
@@ -320,6 +375,10 @@ struct frec {
   union mysockaddr source;
   struct all_addr dest;
   struct server *sentto; /* NULL means free */
+  struct randfd *rfd4;
+#ifdef HAVE_IPV6
+  struct randfd *rfd6;
+#endif
   unsigned int iface;
   unsigned short orig_id, new_id;
   int fd, forwardall;
@@ -351,9 +410,10 @@ struct dhcp_lease {
 #endif
   int hwaddr_len, hwaddr_type;
   unsigned char hwaddr[DHCP_CHADDR_MAX]; 
-  struct in_addr addr;
-  unsigned char *vendorclass, *userclass;
-  unsigned int vendorclass_len, userclass_len;
+  struct in_addr addr, override, giaddr;
+  unsigned char *vendorclass, *userclass, *supplied_hostname;
+  unsigned int vendorclass_len, userclass_len, supplied_hostname_len;
+  int last_interface;
   struct dhcp_lease *next;
 };
 
@@ -367,23 +427,28 @@ struct dhcp_netid_list {
   struct dhcp_netid_list *next;
 };
 
+struct hwaddr_config {
+  int hwaddr_len, hwaddr_type;
+  unsigned char hwaddr[DHCP_CHADDR_MAX];
+  unsigned int wildcard_mask;
+  struct hwaddr_config *next;
+};
+
 struct dhcp_config {
   unsigned int flags;
   int clid_len;          /* length of client identifier */
   unsigned char *clid;   /* clientid */
-  int hwaddr_len, hwaddr_type;
-  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
-  char *hostname;
+  char *hostname, *domain;
   struct dhcp_netid netid;
   struct in_addr addr;
   time_t decline_time;
-  unsigned int lease_time, wildcard_mask;
+  unsigned int lease_time;
+  struct hwaddr_config *hwaddr;
   struct dhcp_config *next;
 };
 
 #define CONFIG_DISABLE           1
 #define CONFIG_CLID              2
-#define CONFIG_HWADDR            4
 #define CONFIG_TIME              8
 #define CONFIG_NAME             16
 #define CONFIG_ADDR             32
@@ -396,7 +461,12 @@ struct dhcp_config {
 
 struct dhcp_opt {
   int opt, len, flags;
-  unsigned char *val, *vendor_class;
+  union {
+    int encap;
+    unsigned int wildcard_mask;
+    unsigned char *vendor_class;
+  } u;
+  unsigned char *val;
   struct dhcp_netid *netid;
   struct dhcp_opt *next;
 };
@@ -404,8 +474,14 @@ struct dhcp_opt {
 #define DHOPT_ADDR               1
 #define DHOPT_STRING             2
 #define DHOPT_ENCAPSULATE        4
-#define DHOPT_VENDOR_MATCH       8
+#define DHOPT_ENCAP_MATCH        8
 #define DHOPT_FORCE             16
+#define DHOPT_BANK              32
+#define DHOPT_ENCAP_DONE        64
+#define DHOPT_MATCH            128
+#define DHOPT_VENDOR           256
+#define DHOPT_HEX              512
+#define DHOPT_VENDOR_MATCH    1024
 
 struct dhcp_boot {
   char *file, *sname;
@@ -414,6 +490,14 @@ struct dhcp_boot {
   struct dhcp_boot *next;
 };
 
+struct pxe_service {
+  unsigned short CSA, type; 
+  char *menu, *basename;
+  struct in_addr server;
+  struct dhcp_netid *netid;
+  struct pxe_service *next;
+};
+
 #define MATCH_VENDOR     1
 #define MATCH_USER       2
 #define MATCH_CIRCUIT    3
@@ -422,7 +506,7 @@ struct dhcp_boot {
 
 /* vendorclass, userclass, remote-id or cicuit-id */
 struct dhcp_vendor {
-  int len, match_type;
+  int len, match_type, option;
   char *data;
   struct dhcp_netid netid;
   struct dhcp_vendor *next;
@@ -436,12 +520,16 @@ struct dhcp_mac {
   struct dhcp_mac *next;
 };
 
-#if defined(__FreeBSD__) || defined(__DragonFly__)
 struct dhcp_bridge {
   char iface[IF_NAMESIZE];
   struct dhcp_bridge *alias, *next;
 };
-#endif
+
+struct cond_domain {
+  char *domain;
+  struct in_addr start, end;
+  struct cond_domain *next;
+};
 
 struct dhcp_context {
   unsigned int lease_time, addr_epoch;
@@ -456,6 +544,7 @@ struct dhcp_context {
 #define CONTEXT_STATIC    1
 #define CONTEXT_NETMASK   2
 #define CONTEXT_BRDCAST   4
+#define CONTEXT_PROXY     8
 
 
 typedef unsigned char u8;
@@ -490,9 +579,10 @@ struct tftp_transfer {
   int sockfd;
   time_t timeout;
   int backoff;
-  unsigned int block, blocksize;
+  unsigned int block, blocksize, expansion;
+  off_t offset;
   struct sockaddr_in peer;
-  char opt_blocksize, opt_transize;
+  char opt_blocksize, opt_transize, netascii, carrylf;
   struct tftp_file *file;
   struct tftp_transfer *next;
 };
@@ -504,14 +594,19 @@ extern struct daemon {
 
   unsigned int options;
   struct resolvc default_resolv, *resolv_files;
+  time_t last_resolv;
   struct mx_srv_record *mxnames;
+  struct naptr *naptr;
   struct txt_record *txt;
   struct ptr_record *ptr;
+  struct cname *cnames;
   struct interface_name *int_names;
   char *mxtarget;
   char *lease_file; 
-  char *username, *groupname;
+  char *username, *groupname, *scriptuser;
+  int group_set, osport;
   char *domain_suffix;
+  struct cond_domain *cond_domain;
   char *runfile; 
   char *lease_change_command;
   struct iname *if_names, *if_addrs, *if_except, *dhcp_except;
@@ -521,48 +616,57 @@ extern struct daemon {
   char *log_file; /* optional log file */
   int max_logs;  /* queue limit */
   int cachesize, ftabsize;
-  int port, query_port;
-  unsigned long local_ttl;
+  int port, query_port, min_port;
+  unsigned long local_ttl, neg_ttl;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp;
   struct dhcp_config *dhcp_conf;
-  struct dhcp_opt *dhcp_opts;
+  struct dhcp_opt *dhcp_opts, *dhcp_match;
   struct dhcp_vendor *dhcp_vendors;
   struct dhcp_mac *dhcp_macs;
   struct dhcp_boot *boot_config;
-  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names;
-  char *dhcp_hosts_file;
-  int dhcp_max, tftp_max; 
+  struct pxe_service *pxe_services;
+  int enable_pxe;
+  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *force_broadcast, *bootp_dynamic;
+  char *dhcp_hosts_file, *dhcp_opts_file;
+  int dhcp_max, tftp_max;
+  int dhcp_server_port, dhcp_client_port;
+  int start_tftp_port, end_tftp_port; 
   unsigned int min_leasetime;
   struct doctor *doctors;
   unsigned short edns_pktsz;
+  char *tftp_prefix; 
 
   /* globally used stuff for DNS */
   char *packet; /* packet buffer */
   int packet_buff_sz; /* size of above */
   char *namebuff; /* MAXDNAME size buffer */
+  unsigned int local_answer, queries_forwarded;
+  struct frec *frec_list;
   struct serverfd *sfds;
   struct irec *interfaces;
   struct listener *listeners;
   struct server *last_server;
+  time_t forwardtime;
+  int forwardcount;
   struct server *srv_save; /* Used for resend on DoD */
   size_t packet_len;       /*      "        "        */
+  struct randfd *rfd_save; /*      "        "        */
   pid_t tcp_pids[MAX_PROCS];
- 
+  struct randfd randomsocks[RANDOM_SOCKS];
+
   /* DHCP state */
   int dhcpfd, helperfd; 
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
   int netlinkfd;
-#else
+#elif defined(HAVE_BSD_NETWORK)
   int dhcp_raw_fd, dhcp_icmp_fd;
 #endif
   struct iovec dhcp_packet;
   char *dhcp_buff, *dhcp_buff2;
   struct ping_result *ping_results;
   FILE *lease_stream;
-#if defined(__FreeBSD__) || defined(__DragonFly__)
   struct dhcp_bridge *bridges;
-#endif
 
   /* DBus stuff */
   /* void * here to avoid depending on dbus headers outside dbus.c */
@@ -573,13 +677,14 @@ extern struct daemon {
 
   /* TFTP stuff */
   struct tftp_transfer *tftp_trans;
-  char *tftp_prefix; 
+
 } *daemon;
 
 /* cache.c */
 void cache_init(void);
-void log_query(unsigned short flags, char *name, struct all_addr *addr, 
-	       unsigned short type, struct hostsfile *addn_hosts, int index);
+void log_query(unsigned short flags, char *name, struct all_addr *addr, char *arg); 
+char *record_source(int index);
+void querystr(char *str, unsigned short type);
 struct crec *cache_find_by_addr(struct crec *crecp,
 				struct all_addr *addr, time_t now, 
 				unsigned short prot);
@@ -589,11 +694,12 @@ void cache_end_insert(void);
 void cache_start_insert(void);
 struct crec *cache_insert(char *name, struct all_addr *addr,
 			  time_t now, unsigned long ttl, unsigned short flags);
-void cache_reload(int opts, char *buff, char *domain_suffix, struct hostsfile  *addn_hosts);
+void cache_reload(void);
 void cache_add_dhcp_entry(char *host_name, struct in_addr *host_address, time_t ttd);
 void cache_unhash_dhcp(void);
 void dump_cache(time_t now);
 char *cache_get_name(struct crec *crecp);
+char *get_domain(struct in_addr addr);
 
 /* rfc1035.c */
 unsigned short extract_request(HEADER *header, size_t qlen, 
@@ -601,7 +707,7 @@ unsigned short extract_request(HEADER *header, size_t qlen,
 size_t setup_reply(HEADER *header, size_t  qlen,
 		   struct all_addr *addrp, unsigned short flags,
 		   unsigned long local_ttl);
-void extract_addresses(HEADER *header, size_t qlen, char *namebuff, time_t now);
+int extract_addresses(HEADER *header, size_t qlen, char *namebuff, time_t now);
 size_t answer_request(HEADER *header, char *limit, size_t qlen,  
 		   struct in_addr local_addr, struct in_addr local_netmask, time_t now);
 int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name, 
@@ -614,11 +720,13 @@ size_t resize_packet(HEADER *header, size_t plen,
 		  unsigned char *pheader, size_t hlen);
 
 /* util.c */
+void rand_init(void);
 unsigned short rand16(void);
-int legal_char(char c);
-int canonicalise(char *s);
+int legal_hostname(char *c);
+char *canonicalise(char *s, int *nomem);
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
 void *safe_malloc(size_t size);
+void safe_pipe(int *fd, int read_noblock);
 void *whine_malloc(size_t size);
 int sa_len(union mysockaddr *addr);
 int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2);
@@ -639,7 +747,7 @@ int read_write(int fd, unsigned char *packet, int size, int rw);
 
 /* log.c */
 void die(char *message, char *arg1, int exit_code);
-void log_start(struct passwd *ent_pw);
+int log_start(struct passwd *ent_pw, int errfd);
 int log_reopen(char *log_file);
 void my_syslog(int priority, const char *format, ...);
 void set_log_writer(fd_set *set, int *maxfdp);
@@ -648,11 +756,11 @@ void flush_log(void);
 
 /* option.c */
 void read_opts (int argc, char **argv, char *compile_opts);
-char *option_string(unsigned char opt);
-void one_file(char *file, int nest, int hosts);
+char *option_string(unsigned char opt, int *is_ip, int *is_name);
+void reread_dhcp(void);
 
 /* forward.c */
-void reply_query(struct serverfd *sfd, time_t now);
+void reply_query(int fd, int family, time_t now);
 void receive_query(struct listener *listen, time_t now);
 unsigned char *tcp_request(int confd, time_t now,
 			   struct in_addr local_addr, struct in_addr netmask);
@@ -660,27 +768,33 @@ void server_gone(struct server *server);
 struct frec *get_new_frec(time_t now, int *wait);
 
 /* network.c */
-struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds);
+int indextoname(int fd, int index, char *name);
+int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp);
+int random_sock(int family);
+void pre_allocate_sfds(void);
 int reload_servers(char *fname);
 void check_servers(void);
 int enumerate_interfaces();
 struct listener *create_wildcard_listeners(void);
 struct listener *create_bound_listeners(void);
-int iface_check(int family, struct all_addr *addr, 
-		struct ifreq *ifr, int *indexp);
+int iface_check(int family, struct all_addr *addr, char *name, int *indexp);
 int fix_fd(int fd);
 struct in_addr get_ifaddr(char *intr);
 
 /* dhcp.c */
+#ifdef HAVE_DHCP
 void dhcp_init(void);
 void dhcp_packet(time_t now);
-
-struct dhcp_context *address_available(struct dhcp_context *context, struct in_addr addr);
-struct dhcp_context *narrow_context(struct dhcp_context *context, struct in_addr taddr);
-int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly);
-int address_allocate(struct dhcp_context *context,
+struct dhcp_context *address_available(struct dhcp_context *context, 
+				       struct in_addr addr,
+				       struct dhcp_netid *netids);
+struct dhcp_context *narrow_context(struct dhcp_context *context, 
+				    struct in_addr taddr,
+				    struct dhcp_netid *netids);
+int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly);int address_allocate(struct dhcp_context *context,
 		     struct in_addr *addrp, unsigned char *hwaddr, int hw_len,
 		     struct dhcp_netid *netids, time_t now);
+int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type);
 struct dhcp_config *find_config(struct dhcp_config *configs,
 				struct dhcp_context *context,
 				unsigned char *clid, int clid_len,
@@ -688,21 +802,24 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 				int hw_type, char *hostname);
 void dhcp_update_configs(struct dhcp_config *configs);
 void dhcp_read_ethers(void);
-void dhcp_read_hosts(void);
+void check_dhcp_hosts(int fatal);
 struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct in_addr addr);
 char *strip_hostname(char *hostname);
 char *host_from_dns(struct in_addr addr);
+char *get_domain(struct in_addr addr);
+#endif
 
 /* lease.c */
+#ifdef HAVE_DHCP
 void lease_update_file(time_t now);
 void lease_update_dns();
 void lease_init(time_t now);
 struct dhcp_lease *lease_allocate(struct in_addr addr);
 void lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
 		      unsigned char *clid, int hw_len, int hw_type, int clid_len);
-void lease_set_hostname(struct dhcp_lease *lease, char *name, 
-			char *suffix, int auth);
+void lease_set_hostname(struct dhcp_lease *lease, char *name, int auth);
 void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now);
+void lease_set_interface(struct dhcp_lease *lease, int interface);
 struct dhcp_lease *lease_find_by_client(unsigned char *hwaddr, int hw_len, int hw_type,  
 					unsigned char *clid, int clid_len);
 struct dhcp_lease *lease_find_by_addr(struct in_addr addr);
@@ -710,47 +827,51 @@ void lease_prune(struct dhcp_lease *target, time_t now);
 void lease_update_from_configs(void);
 int do_script_run(time_t now);
 void rerun_scripts(void);
+#endif
 
 /* rfc2131.c */
-size_t dhcp_reply(struct dhcp_context *context, char *iface_name, 
+#ifdef HAVE_DHCP
+size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  size_t sz, time_t now, int unicast_dest, int *is_inform);
+unsigned char *extended_hwaddr(int hwtype, int hwlen, unsigned char *hwaddr, 
+			       int clid_len, unsigned char *clid, int *len_out);
+#endif
 
 /* dnsmasq.c */
+#ifdef HAVE_DHCP
 int make_icmp_sock(void);
 int icmp_ping(struct in_addr addr);
+#endif
 void send_event(int fd, int event, int data);
 void clear_cache_and_reload(time_t now);
 
-/* isc.c */
-#ifdef HAVE_ISC_READER
-void load_dhcp(time_t now);
-#endif
-
 /* netlink.c */
 #ifdef HAVE_LINUX_NETWORK
 void netlink_init(void);
-int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)());
 void netlink_multicast(void);
 #endif
 
 /* bpf.c */
-#ifndef HAVE_LINUX_NETWORK
+#ifdef HAVE_BSD_NETWORK
 void init_bpf(void);
 void send_via_bpf(struct dhcp_packet *mess, size_t len,
 		  struct in_addr iface_addr, struct ifreq *ifr);
-int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)());
 #endif
 
+/* bpf.c or netlink.c */
+int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)());
+
 /* dbus.c */
 #ifdef HAVE_DBUS
 char *dbus_init(void);
 void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset);
 void set_dbus_listeners(int *maxfdp, fd_set *rset, fd_set *wset, fd_set *eset);
+void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname);
 #endif
 
 /* helper.c */
-#ifndef NO_FORK
-int create_helper(int log_fd, long max_fd);
+#if defined(HAVE_DHCP) && !defined(NO_FORK)
+int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
 void helper_write(void);
 void queue_script(int action, struct dhcp_lease *lease, 
 		  char *hostname, time_t now);

src/forward.c

@@ -1,27 +1,30 @@
-/* dnsmasq is Copyright (c) 2000 - 2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
-static struct frec *frec_list = NULL;
-
 static struct frec *lookup_frec(unsigned short id, unsigned int crc);
 static struct frec *lookup_frec_by_sender(unsigned short id,
 					  union mysockaddr *addr,
 					  unsigned int crc);
 static unsigned short get_id(int force, unsigned short force_id, unsigned int crc);
+static void free_frec(struct frec *f);
+static struct randfd *allocate_rfd(int family);
 
-
-/* Send a UDP packet with it's source address set as "source" 
+/* Send a UDP packet with its source address set as "source" 
    unless nowild is true, when we just send it with the kernel default */
 static void send_from(int fd, int nowild, char *packet, size_t len, 
 		      union mysockaddr *to, struct all_addr *source,
@@ -140,7 +143,7 @@ static unsigned short search_servers(time_t now, struct all_addr **addrpp,
 		  *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
 #endif 
 	      }
-	    else if (!flags)
+	    else if (!flags || (flags & F_NXDOMAIN))
 	      flags = F_NOERR;
 	  } 
       }
@@ -161,9 +164,9 @@ static unsigned short search_servers(time_t now, struct all_addr **addrpp,
 	      flags = F_NXDOMAIN;
 	    else if (serv->flags & SERV_LITERAL_ADDRESS)
 	      {
-		if ((sflag | F_QUERY ) & qtype)
+		if (sflag & qtype)
 		  {
-		    flags = qtype & ~F_BIGNAME;
+		    flags = sflag;
 		    if (serv->addr.sa.sa_family == AF_INET) 
 		      *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
 #ifdef HAVE_IPV6
@@ -171,37 +174,36 @@ static unsigned short search_servers(time_t now, struct all_addr **addrpp,
 		      *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
 #endif
 		  }
-		else if (!flags)
+		else if (!flags || (flags & F_NXDOMAIN))
 		  flags = F_NOERR;
 	      }
 	  } 
       }
 
-  if (flags & ~(F_NOERR | F_NXDOMAIN)) /* flags set here means a literal found */
-    {
-      if (flags & F_QUERY)
-	log_query(F_CONFIG | F_FORWARD | F_NEG, qdomain, NULL, 0, NULL, 0);
-      else
-	log_query(F_CONFIG | F_FORWARD | flags, qdomain, *addrpp, 0, NULL, 0);
-    }
-  else if (qtype && !(qtype & F_BIGNAME) && 
-	   (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
-    /* don't forward simple names, make exception from NS queries and empty name. */
+  if (flags == 0 && !(qtype & F_BIGNAME) && 
+      (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
+    /* don't forward simple names, make exception for NS queries and empty name. */
     flags = F_NXDOMAIN;
     
   if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
     flags = F_NOERR;
 
-  if (flags == F_NXDOMAIN || flags == F_NOERR)
-    log_query(F_CONFIG | F_FORWARD | F_NEG | qtype | (flags & F_NXDOMAIN), qdomain, NULL, 0, NULL, 0);
+  if (flags)
+    {
+      int logflags = 0;
+      
+      if (flags == F_NXDOMAIN || flags == F_NOERR)
+	logflags = F_NEG | qtype;
+  
+      log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
+    }
 
   return  flags;
 }
 
-/* returns new last_server */	
-static void forward_query(int udpfd, union mysockaddr *udpaddr,
-			  struct all_addr *dst_addr, unsigned int dst_iface,
-			  HEADER *header, size_t plen, time_t now, struct frec *forward)
+static int forward_query(int udpfd, union mysockaddr *udpaddr,
+			 struct all_addr *dst_addr, unsigned int dst_iface,
+			 HEADER *header, size_t plen, time_t now, struct frec *forward)
 {
   char *domain = NULL;
   int type = 0;
@@ -218,6 +220,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
     {
       /* retry on existing query, send to all available servers  */
       domain = forward->sentto->domain;
+      forward->sentto->failed_queries++;
       if (!(daemon->options & OPT_ORDER))
 	{
 	  forward->forwardall = 1;
@@ -259,10 +262,14 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
 	  
 	  if (type != 0  || (daemon->options & OPT_ORDER))
 	    start = daemon->servers;
-	  else if (!(start = daemon->last_server))
+	  else if (!(start = daemon->last_server) ||
+		   daemon->forwardcount++ > FORWARD_TEST ||
+		   difftime(now, daemon->forwardtime) > FORWARD_TIME)
 	    {
 	      start = daemon->servers;
 	      forward->forwardall = 1;
+	      daemon->forwardcount = 0;
+	      daemon->forwardtime = now;
 	    }
 	}
     }
@@ -286,7 +293,34 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
 	      (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
 	      !(start->flags & SERV_LITERAL_ADDRESS))
 	    {
-	      if (sendto(start->sfd->fd, (char *)header, plen, 0,
+	      int fd;
+
+	      /* find server socket to use, may need to get random one. */
+	      if (start->sfd)
+		fd = start->sfd->fd;
+	      else 
+		{
+#ifdef HAVE_IPV6
+		  if (start->addr.sa.sa_family == AF_INET6)
+		    {
+		      if (!forward->rfd6 &&
+			  !(forward->rfd6 = allocate_rfd(AF_INET6)))
+			break;
+		      daemon->rfd_save = forward->rfd6;
+		      fd = forward->rfd6->fd;
+		    }
+		  else
+#endif
+		    {
+		      if (!forward->rfd4 &&
+			  !(forward->rfd4 = allocate_rfd(AF_INET)))
+			break;
+		      daemon->rfd_save = forward->rfd4;
+		      fd = forward->rfd4->fd;
+		    }
+		}
+	      
+	      if (sendto(fd, (char *)header, plen, 0,
 			 &start->addr.sa,
 			 sa_len(&start->addr)) == -1)
 		{
@@ -303,14 +337,13 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
 		    strcpy(daemon->namebuff, "query");
 		  if (start->addr.sa.sa_family == AF_INET)
 		    log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, 
-			      (struct all_addr *)&start->addr.in.sin_addr, 0,
-			      NULL, 0); 
+			      (struct all_addr *)&start->addr.in.sin_addr, NULL); 
 #ifdef HAVE_IPV6
 		  else
 		    log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff, 
-			      (struct all_addr *)&start->addr.in6.sin6_addr, 0,
-			      NULL, 0);
+			      (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
 #endif 
+		  start->queries++;
 		  forwarded = 1;
 		  forward->sentto = start;
 		  if (!forward->forwardall) 
@@ -327,11 +360,11 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
 	}
       
       if (forwarded)
-	  return;
+	return 1;
       
       /* could not send on, prepare to return */ 
       header->id = htons(forward->orig_id);
-      forward->sentto = NULL; /* cancel */
+      free_frec(forward); /* cancel */
     }	  
   
   /* could not send on, return empty answer or address if known for whole domain */
@@ -341,7 +374,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
       send_from(udpfd, daemon->options & OPT_NOWILD, (char *)header, plen, udpaddr, dst_addr, dst_iface);
     }
 
-  return;
+  return 0;
 }
 
 static size_t process_reply(HEADER *header, time_t now, 
@@ -352,8 +385,8 @@ static size_t process_reply(HEADER *header, time_t now,
   size_t plen; 
 
   /* If upstream is advertising a larger UDP packet size
-	 than we allow, trim it so that we don't get overlarge
-	 requests for the client. We can't do this for signed packets. */
+     than we allow, trim it so that we don't get overlarge
+     requests for the client. We can't do this for signed packets. */
 
   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
     {
@@ -399,7 +432,11 @@ static size_t process_reply(HEADER *header, time_t now,
 	  header->rcode = NOERROR;
 	}
       
-      extract_addresses(header, n, daemon->namebuff, now);
+      if (extract_addresses(header, n, daemon->namebuff, now))
+	{
+	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected"));
+	  munged = 1;
+	}
     }
   
   /* do this after extract_addresses. Ensure NODATA reply and remove
@@ -419,7 +456,7 @@ static size_t process_reply(HEADER *header, time_t now,
 }
 
 /* sets new last_server */
-void reply_query(struct serverfd *sfd, time_t now)
+void reply_query(int fd, int family, time_t now)
 {
   /* packet from peer server, extract data for cache, and send to
      original requester */
@@ -427,90 +464,101 @@ void reply_query(struct serverfd *sfd, time_t now)
   union mysockaddr serveraddr;
   struct frec *forward;
   socklen_t addrlen = sizeof(serveraddr);
-  ssize_t n = recvfrom(sfd->fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
+  ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
   size_t nn;
-
+  struct server *server;
+  
   /* packet buffer overwritten */
   daemon->srv_save = NULL;
   
   /* Determine the address of the server replying  so that we can mark that as good */
-  serveraddr.sa.sa_family = sfd->source_addr.sa.sa_family;
+  serveraddr.sa.sa_family = family;
 #ifdef HAVE_IPV6
   if (serveraddr.sa.sa_family == AF_INET6)
     serveraddr.in6.sin6_flowinfo = 0;
 #endif
   
+  /* spoof check: answer must come from known server, */
+  for (server = daemon->servers; server; server = server->next)
+    if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
+	sockaddr_isequal(&server->addr, &serveraddr))
+      break;
+   
   header = (HEADER *)daemon->packet;
   
-  if (n >= (int)sizeof(HEADER) && header->qr && 
-      (forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
+  if (!server ||
+      n < (int)sizeof(HEADER) || !header->qr ||
+      !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
+    return;
+   
+  server = forward->sentto;
+  
+  if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
+      !(daemon->options & OPT_ORDER) &&
+      forward->forwardall == 0)
+    /* for broken servers, attempt to send to another one. */
     {
-      struct server *server = forward->sentto;
+      unsigned char *pheader;
+      size_t plen;
+      int is_sign;
       
-      if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
-	  !(daemon->options & OPT_ORDER) &&
-	  forward->forwardall == 0)
-	/* for broken servers, attempt to send to another one. */
+      /* recreate query from reply */
+      pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
+      if (!is_sign)
 	{
-	  unsigned char *pheader;
-	  size_t plen;
-	  int is_sign;
+	  header->ancount = htons(0);
+	  header->nscount = htons(0);
+	  header->arcount = htons(0);
+	  if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
+	    {
+	      header->qr = 0;
+	      header->tc = 0;
+	      forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
+	      return;
+	    }
+	}
+    }   
+  
+  if ((forward->sentto->flags & SERV_TYPE) == 0)
+    {
+      if (header->rcode == SERVFAIL || header->rcode == REFUSED)
+	server = NULL;
+      else
+	{
+	  struct server *last_server;
 	  
-	  /* recreate query from reply */
-	  pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
-	  if (!is_sign)
-	    {
-	      header->ancount = htons(0);
-	      header->nscount = htons(0);
-	      header->arcount = htons(0);
-	      if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
-		{
-		  header->qr = 0;
-		  header->tc = 0;
-		  forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
-		  return;
-		}
-	    }
-	}   
-      
-      if ((forward->sentto->flags & SERV_TYPE) == 0)
+	  /* find good server by address if possible, otherwise assume the last one we sent to */ 
+	  for (last_server = daemon->servers; last_server; last_server = last_server->next)
+	    if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
+		sockaddr_isequal(&last_server->addr, &serveraddr))
+	      {
+		server = last_server;
+		break;
+	      }
+	} 
+      if (!(daemon->options & OPT_ALL_SERVERS))
+	daemon->last_server = server;
+    }
+  
+  /* If the answer is an error, keep the forward record in place in case
+     we get a good reply from another server. Kill it when we've
+     had replies from all to avoid filling the forwarding table when
+     everything is broken */
+  if (forward->forwardall == 0 || --forward->forwardall == 1 || 
+      (header->rcode != REFUSED && header->rcode != SERVFAIL))
+    {
+      if ((nn = process_reply(header, now, server, (size_t)n)))
 	{
-	  if (header->rcode == SERVFAIL || header->rcode == REFUSED)
-	    server = NULL;
-	  else
-	    {
-	      struct server *last_server;
-	      /* find good server by address if possible, otherwise assume the last one we sent to */ 
-	      for (last_server = daemon->servers; last_server; last_server = last_server->next)
-		if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
-		    sockaddr_isequal(&last_server->addr, &serveraddr))
-		  {
-		    server = last_server;
-		    break;
-		  }
-	    } 
-	  daemon->last_server = server;
-	}
-      
-      /* If the answer is an error, keep the forward record in place in case
-	 we get a good reply from another server. Kill it when we've
-	 had replies from all to avoid filling the forwarding table when
-	 everything is broken */
-      if (forward->forwardall == 0 || --forward->forwardall == 1 || 
-	  (header->rcode != REFUSED && header->rcode != SERVFAIL))
-	{
-	  if ((nn = process_reply(header, now, server, (size_t)n)))
-	    {
-	      header->id = htons(forward->orig_id);
-	      header->ra = 1; /* recursion if available */
-	      send_from(forward->fd, daemon->options & OPT_NOWILD, daemon->packet, nn, 
-			&forward->source, &forward->dest, forward->iface);
-	    }
-	  forward->sentto = NULL; /* cancel */
+	  header->id = htons(forward->orig_id);
+	  header->ra = 1; /* recursion if available */
+	  send_from(forward->fd, daemon->options & OPT_NOWILD, daemon->packet, nn, 
+		    &forward->source, &forward->dest, forward->iface);
 	}
+      free_frec(forward); /* cancel */
     }
 }
 
+
 void receive_query(struct listener *listen, time_t now)
 {
   HEADER *header = (HEADER *)daemon->packet;
@@ -531,6 +579,9 @@ void receive_query(struct listener *listen, time_t now)
 #endif
 #if defined(HAVE_LINUX_NETWORK)
     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
+#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
+    char control[CMSG_SPACE(sizeof(struct in_addr)) +
+		 CMSG_SPACE(sizeof(unsigned int))];
 #elif defined(IP_RECVDSTADDR)
     char control[CMSG_SPACE(sizeof(struct in_addr)) +
 		 CMSG_SPACE(sizeof(struct sockaddr_dl))];
@@ -598,7 +649,11 @@ void receive_query(struct listener *listen, time_t now)
 	    if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
 	      dst_addr_4 = dst_addr.addr.addr4 = *((struct in_addr *)CMSG_DATA(cmptr));
 	    else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+#ifdef HAVE_SOLARIS_NETWORK
+	      if_index = *((unsigned int *)CMSG_DATA(cmptr));
+#else
 	      if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+#endif
 	}
 #endif
       
@@ -616,19 +671,8 @@ void receive_query(struct listener *listen, time_t now)
       
       /* enforce available interface configuration */
       
-      if (if_index == 0)
-	return;
-      
-#ifdef SIOCGIFNAME
-      ifr.ifr_ifindex = if_index;
-      if (ioctl(listen->fd, SIOCGIFNAME, &ifr) == -1)
-	return;
-#else
-      if (!if_indextoname(if_index, ifr.ifr_name))
-	return;
-#endif
-      
-      if (!iface_check(listen->family, &dst_addr, &ifr, &if_index))
+      if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
+	  !iface_check(listen->family, &dst_addr, ifr.ifr_name, &if_index))
 	return;
       
       if (listen->family == AF_INET &&
@@ -641,23 +685,33 @@ void receive_query(struct listener *listen, time_t now)
   
   if (extract_request(header, (size_t)n, daemon->namebuff, &type))
     {
+      char types[20];
+
+      querystr(types, type);
+
       if (listen->family == AF_INET) 
 	log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, 
-		  (struct all_addr *)&source_addr.in.sin_addr, type, NULL, 0);
+		  (struct all_addr *)&source_addr.in.sin_addr, types);
 #ifdef HAVE_IPV6
       else
 	log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, 
-		  (struct all_addr *)&source_addr.in6.sin6_addr, type, NULL, 0);
+		  (struct all_addr *)&source_addr.in6.sin6_addr, types);
 #endif
     }
 
   m = answer_request (header, ((char *) header) + PACKETSZ, (size_t)n, 
 		      dst_addr_4, netmask, now);
   if (m >= 1)
-    send_from(listen->fd, daemon->options & OPT_NOWILD, (char *)header, m, &source_addr, &dst_addr, if_index);
+    {
+      send_from(listen->fd, daemon->options & OPT_NOWILD, (char *)header, 
+		m, &source_addr, &dst_addr, if_index);
+      daemon->local_answer++;
+    }
+  else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
+			 header, (size_t)n, now, NULL))
+    daemon->queries_forwarded++;
   else
-    forward_query(listen->fd, &source_addr, &dst_addr, if_index,
-		  header, (size_t)n, now, NULL);
+    daemon->local_answer++;
 }
 
 /* The daemon forks before calling this: it should deal with one connection,
@@ -696,13 +750,17 @@ unsigned char *tcp_request(int confd, time_t now,
 	  
 	  if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) != -1)
 	    {
+	      char types[20];
+
+	      querystr(types, qtype);
+
 	      if (peer_addr.sa.sa_family == AF_INET) 
 		log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, 
-			  (struct all_addr *)&peer_addr.in.sin_addr, qtype, NULL, 0);
+			  (struct all_addr *)&peer_addr.in.sin_addr, types);
 #ifdef HAVE_IPV6
 	      else
 		log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, 
-			  (struct all_addr *)&peer_addr.in6.sin6_addr, qtype, NULL, 0);
+			  (struct all_addr *)&peer_addr.in6.sin6_addr, types);
 #endif
 	    }
 	}
@@ -757,7 +815,8 @@ unsigned char *tcp_request(int confd, time_t now,
 		  
 		  if ((last_server->tcpfd == -1) &&
 		      (last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) != -1 &&
-		      connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)
+		      (!local_bind(last_server->tcpfd,  &last_server->source_addr, last_server->interface, 1) ||
+		       connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
 		    {
 		      close(last_server->tcpfd);
 		      last_server->tcpfd = -1;
@@ -765,7 +824,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		  
 		  if (last_server->tcpfd == -1)	
 		    continue;
-		  
+
 		  c1 = size >> 8;
 		  c2 = size;
 		  
@@ -779,7 +838,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		      last_server->tcpfd = -1;
 		      continue;
 		    } 
-	      
+		  
 		  m = (c1 << 8) | c2;
 		  if (!read_write(last_server->tcpfd, packet, m, 1))
 		    return packet;
@@ -788,11 +847,11 @@ unsigned char *tcp_request(int confd, time_t now,
 		    strcpy(daemon->namebuff, "query");
 		  if (last_server->addr.sa.sa_family == AF_INET)
 		    log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, 
-			      (struct all_addr *)&last_server->addr.in.sin_addr, 0, NULL, 0); 
+			      (struct all_addr *)&last_server->addr.in.sin_addr, NULL); 
 #ifdef HAVE_IPV6
 		  else
 		    log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff, 
-			      (struct all_addr *)&last_server->addr.in6.sin6_addr, 0, NULL, 0);
+			      (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
 #endif 
 		  
 		  /* There's no point in updating the cache, since this process will exit and
@@ -830,34 +889,103 @@ static struct frec *allocate_frec(time_t now)
   
   if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
     {
-      f->next = frec_list;
+      f->next = daemon->frec_list;
       f->time = now;
       f->sentto = NULL;
-      frec_list = f;
+      f->rfd4 = NULL;
+#ifdef HAVE_IPV6
+      f->rfd6 = NULL;
+#endif
+      daemon->frec_list = f;
     }
 
   return f;
 }
 
+static struct randfd *allocate_rfd(int family)
+{
+  static int finger = 0;
+  int i;
+
+  /* limit the number of sockets we have open to avoid starvation of 
+     (eg) TFTP. Once we have a reasonable number, randomness should be OK */
+
+  for (i = 0; i < RANDOM_SOCKS; i++)
+    if (daemon->randomsocks[i].refcount == 0)
+      {
+	if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
+	  break;
+      
+	daemon->randomsocks[i].refcount = 1;
+	daemon->randomsocks[i].family = family;
+	return &daemon->randomsocks[i];
+      }
+
+  /* No free ones or cannot get new socket, grab an existing one */
+  for (i = 0; i < RANDOM_SOCKS; i++)
+    {
+      int j = (i+finger) % RANDOM_SOCKS;
+      if (daemon->randomsocks[j].refcount != 0 &&
+	  daemon->randomsocks[j].family == family && 
+	  daemon->randomsocks[j].refcount != 0xffff)
+	{
+	  finger = j;
+	  daemon->randomsocks[j].refcount++;
+	  return &daemon->randomsocks[j];
+	}
+    }
+
+  return NULL; /* doom */
+}
+
+static void free_frec(struct frec *f)
+{
+  if (f->rfd4 && --(f->rfd4->refcount) == 0)
+    close(f->rfd4->fd);
+    
+  f->rfd4 = NULL;
+  f->sentto = NULL;
+  
+#ifdef HAVE_IPV6
+  if (f->rfd6 && --(f->rfd6->refcount) == 0)
+    close(f->rfd6->fd);
+    
+  f->rfd6 = NULL;
+#endif
+}
+
 /* if wait==NULL return a free or older than TIMEOUT record.
    else return *wait zero if one available, or *wait is delay to
-   when the oldest in-use record will expire. */
+   when the oldest in-use record will expire. Impose an absolute
+   limit of 4*TIMEOUT before we wipe things (for random sockets) */
 struct frec *get_new_frec(time_t now, int *wait)
 {
-  struct frec *f, *oldest;
+  struct frec *f, *oldest, *target;
   int count;
   
   if (wait)
     *wait = 0;
 
-  for (f = frec_list, oldest = NULL, count = 0; f; f = f->next, count++)
+  for (f = daemon->frec_list, oldest = NULL, target =  NULL, count = 0; f; f = f->next, count++)
     if (!f->sentto)
+      target = f;
+    else 
       {
-	f->time = now;
-	return f;
+	if (difftime(now, f->time) >= 4*TIMEOUT)
+	  {
+	    free_frec(f);
+	    target = f;
+	  }
+	
+	if (!oldest || difftime(f->time, oldest->time) <= 0)
+	  oldest = f;
       }
-    else if (!oldest || difftime(f->time, oldest->time) <= 0)
-      oldest = f;
+
+  if (target)
+    {
+      target->time = now;
+      return target;
+    }
   
   /* can't find empty one, use oldest if there is one
      and it's older than timeout */
@@ -872,7 +1000,7 @@ struct frec *get_new_frec(time_t now, int *wait)
 
       if (!wait)
 	{
-	  oldest->sentto = 0;
+	  free_frec(oldest);
 	  oldest->time = now;
 	}
       return oldest;
@@ -898,7 +1026,7 @@ static struct frec *lookup_frec(unsigned short id, unsigned int crc)
 {
   struct frec *f;
 
-  for(f = frec_list; f; f = f->next)
+  for(f = daemon->frec_list; f; f = f->next)
     if (f->sentto && f->new_id == id && 
 	(f->crc == crc || crc == 0xffffffff))
       return f;
@@ -912,7 +1040,7 @@ static struct frec *lookup_frec_by_sender(unsigned short id,
 {
   struct frec *f;
   
-  for(f = frec_list; f; f = f->next)
+  for(f = daemon->frec_list; f; f = f->next)
     if (f->sentto &&
 	f->orig_id == id && 
 	f->crc == crc &&
@@ -927,9 +1055,9 @@ void server_gone(struct server *server)
 {
   struct frec *f;
   
-  for (f = frec_list; f; f = f->next)
+  for (f = daemon->frec_list; f; f = f->next)
     if (f->sentto && f->sentto == server)
-      f->sentto = NULL;
+      free_frec(f);
   
   if (daemon->last_server == server)
     daemon->last_server = NULL;
@@ -950,7 +1078,7 @@ static unsigned short get_id(int force, unsigned short force_id, unsigned int cr
     {
       struct frec *f = lookup_frec(force_id, crc);
       if (f)
-	f->sentto = NULL; /* free */
+	free_frec(f); /* free */
       ret = force_id;
     }
   else do 

src/helper.c

@@ -1,13 +1,17 @@
-/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -24,13 +28,15 @@
    main process.
 */
 
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
+
+static void my_setenv(const char *name, const char *value, int *error);
 
 struct script_data
 {
   unsigned char action, hwaddr_len, hwaddr_type;
-  unsigned char clid_len, hostname_len, uclass_len, vclass_len;
-  struct in_addr addr;
+  unsigned char clid_len, hostname_len, uclass_len, vclass_len, shost_len;
+  struct in_addr addr, giaddr;
   unsigned int remaining_time;
 #ifdef HAVE_BROKEN_RTC
   unsigned int length;
@@ -38,27 +44,24 @@ struct script_data
   time_t expires;
 #endif
   unsigned char hwaddr[DHCP_CHADDR_MAX];
+  char interface[IF_NAMESIZE];
 };
 
 static struct script_data *buf = NULL;
 static size_t bytes_in_buf = 0, buf_size = 0;
 
-int create_helper(int event_fd, long max_fd)
+int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 {
   pid_t pid;
   int i, pipefd[2];
   struct sigaction sigact;
 
-  if (!daemon->dhcp || !daemon->lease_change_command)
-    return -1;
-  
   /* create the pipe through which the main program sends us commands,
-     then fork our process. By now it's too late to die(), we just log 
-     any failure via the main process. */
+     then fork our process. */
   if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
     {
-      send_event(event_fd, EVENT_PIPE_ERR, errno);
-      return -1;
+      send_event(err_fd, EVENT_PIPE_ERR, errno);
+      _exit(0);
     }
 
   if (pid != 0)
@@ -75,8 +78,30 @@ int create_helper(int event_fd, long max_fd)
   sigaction(SIGTERM, &sigact, NULL);
   sigaction(SIGALRM, &sigact, NULL);
 
-  /* close all the sockets etc, we don't need them here */
-  for (max_fd--; max_fd > 0; max_fd--)
+  if (!(daemon->options & OPT_DEBUG) && uid != 0)
+    {
+      gid_t dummy;
+      if (setgroups(0, &dummy) == -1 || 
+	  setgid(gid) == -1 || 
+	  setuid(uid) == -1)
+	{
+	  if (daemon->options & OPT_NO_FORK)
+	    /* send error to daemon process if no-fork */
+	    send_event(event_fd, EVENT_HUSER_ERR, errno);
+	  else
+	    {
+	      /* kill daemon */
+	      send_event(event_fd, EVENT_DIE, 0);
+	      /* return error */
+	      send_event(err_fd, EVENT_HUSER_ERR, errno);
+	    }
+	  _exit(0);
+	}
+    }
+
+  /* close all the sockets etc, we don't need them here. This closes err_fd, so that
+     main process can return. */
+  for (max_fd--; max_fd >= 0; max_fd--)
     if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && 
 	max_fd != STDIN_FILENO && max_fd != pipefd[0] && max_fd != event_fd)
       close(max_fd);
@@ -87,6 +112,7 @@ int create_helper(int event_fd, long max_fd)
       struct script_data data;
       char *p, *action_str, *hostname = NULL;
       unsigned char *buf = (unsigned char *)daemon->namebuff;
+      int err = 0;
 
       /* we read zero bytes when pipe closed: this is our signal to exit */ 
       if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
@@ -104,13 +130,13 @@ int create_helper(int event_fd, long max_fd)
       /* stringify MAC into dhcp_buff */
       p = daemon->dhcp_buff;
       if (data.hwaddr_type != ARPHRD_ETHER || data.hwaddr_len == 0) 
-	p += sprintf(p, "%.2x-", data.hwaddr_type);
+        p += sprintf(p, "%.2x-", data.hwaddr_type);
       for (i = 0; (i < data.hwaddr_len) && (i < DHCP_CHADDR_MAX); i++)
-	{
-	  p += sprintf(p, "%.2x", data.hwaddr[i]);
-	  if (i != data.hwaddr_len - 1)
-	    p += sprintf(p, ":");
-	}
+        {
+          p += sprintf(p, "%.2x", data.hwaddr[i]);
+          if (i != data.hwaddr_len - 1)
+            p += sprintf(p, ":");
+        }
       
       /* and CLID into packet */
       if (!read_write(pipefd[0], buf, data.clid_len, 1))
@@ -129,7 +155,8 @@ int create_helper(int event_fd, long max_fd)
       sprintf(daemon->dhcp_buff2, "%lu ", (unsigned long)data.expires);
 #endif
       
-      if (!read_write(pipefd[0], buf, data.hostname_len + data.uclass_len + data.vclass_len, 1))
+      if (!read_write(pipefd[0], buf, 
+		      data.hostname_len + data.uclass_len + data.vclass_len + data.shost_len, 1))
 	continue;
       
       /* possible fork errors are all temporary resource problems */
@@ -166,16 +193,15 @@ int create_helper(int event_fd, long max_fd)
 	}
       
       if (data.clid_len != 0)
-	setenv("DNSMASQ_CLIENT_ID", daemon->packet, 1);
-      else
-	unsetenv("DNSMASQ_CLIENT_ID");
-      
+	my_setenv("DNSMASQ_CLIENT_ID", daemon->packet, &err);
+
+      if (strlen(data.interface) != 0)
+	my_setenv("DNSMASQ_INTERFACE", data.interface, &err);
+            
 #ifdef HAVE_BROKEN_RTC
-      setenv("DNSMASQ_LEASE_LENGTH", daemon->dhcp_buff2, 1);
-      unsetenv("DNSMASQ_LEASE_EXPIRES");
+      my_setenv("DNSMASQ_LEASE_LENGTH", daemon->dhcp_buff2, &err);
 #else
-      setenv("DNSMASQ_LEASE_EXPIRES", daemon->dhcp_buff2, 1); 
-      unsetenv("DNSMASQ_LEASE_LENGTH");
+      my_setenv("DNSMASQ_LEASE_EXPIRES", daemon->dhcp_buff2, &err); 
 #endif
       
       if (data.vclass_len != 0)
@@ -184,11 +210,9 @@ int create_helper(int event_fd, long max_fd)
 	  /* cannot have = chars in env - truncate if found . */
 	  if ((p = strchr((char *)buf, '=')))
 	    *p = 0;
-	  setenv("DNSMASQ_VENDOR_CLASS", (char *)buf, 1);
+	  my_setenv("DNSMASQ_VENDOR_CLASS", (char *)buf, &err);
 	  buf += data.vclass_len;
 	}
-      else 
-	unsetenv("DNSMASQ_VENDOR_CLASS");
       
       if (data.uclass_len != 0)
 	{
@@ -203,30 +227,47 @@ int create_helper(int event_fd, long max_fd)
 	      if (strlen((char *)buf) != 0)
 		{
 		  sprintf(daemon->dhcp_buff2, "DNSMASQ_USER_CLASS%i", i++);
-		  setenv(daemon->dhcp_buff2, (char *)buf, 1);
+		  my_setenv(daemon->dhcp_buff2, (char *)buf, &err);
 		}
 	      buf += len;
 	    }
 	}
       
+      if (data.shost_len != 0)
+	{
+	  buf[data.shost_len - 1] = 0; /* don't trust zero-term */
+	  /* cannot have = chars in env - truncate if found . */
+	  if ((p = strchr((char *)buf, '=')))
+	    *p = 0;
+	  my_setenv("DNSMASQ_SUPPLIED_HOSTNAME", (char *)buf, &err);
+	  buf += data.shost_len;
+	}
+
+      if (data.giaddr.s_addr != 0)
+	my_setenv("DNSMASQ_RELAY_ADDRESS", inet_ntoa(data.giaddr), &err); 
+
       sprintf(daemon->dhcp_buff2, "%u ", data.remaining_time);
-      setenv("DNSMASQ_TIME_REMAINING", daemon->dhcp_buff2, 1);
+      my_setenv("DNSMASQ_TIME_REMAINING", daemon->dhcp_buff2, &err);
       
       if (data.hostname_len != 0)
 	{
+	  char *dot;
 	  hostname = (char *)buf;
 	  hostname[data.hostname_len - 1] = 0;
-	  if (!canonicalise(hostname))
+	  if (!legal_hostname(hostname))
 	    hostname = NULL;
+	  else if ((dot = strchr(hostname, '.')))
+	    {
+	      my_setenv("DNSMASQ_DOMAIN", dot+1, &err);
+	      *dot = 0;
+	    }
 	}
       
       if (data.action == ACTION_OLD_HOSTNAME && hostname)
 	{
-	  setenv("DNSMASQ_OLD_HOSTNAME", hostname, 1);
+	  my_setenv("DNSMASQ_OLD_HOSTNAME", hostname, &err);
 	  hostname = NULL;
 	}
-      else
-	unsetenv("DNSMASQ_OLD_HOSTNAME");
 
       /* we need to have the event_fd around if exec fails */
       if ((i = fcntl(event_fd, F_GETFD)) != -1)
@@ -234,23 +275,33 @@ int create_helper(int event_fd, long max_fd)
       close(pipefd[0]);
 
       p =  strrchr(daemon->lease_change_command, '/');
-      execl(daemon->lease_change_command, 
-	    p ? p+1 : daemon->lease_change_command,
-	    action_str, daemon->dhcp_buff, inet_ntoa(data.addr), hostname, (char*)NULL);
-      
+      if (err == 0)
+	{
+	  execl(daemon->lease_change_command, 
+		p ? p+1 : daemon->lease_change_command,
+		action_str, daemon->dhcp_buff, inet_ntoa(data.addr), hostname, (char*)NULL);
+	  err = errno;
+	}
       /* failed, send event so the main process logs the problem */
-      send_event(event_fd, EVENT_EXEC_ERR, errno);
+      send_event(event_fd, EVENT_EXEC_ERR, err);
       _exit(0); 
     }
 }
 
+static void my_setenv(const char *name, const char *value, int *error)
+{
+  if (*error == 0 && setenv(name, value, 1) != 0)
+    *error = errno;
+}
+ 
 /* pack up lease data into a buffer */    
 void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now)
 {
   unsigned char *p;
   size_t size;
-  unsigned int i, hostname_len = 0, clid_len = 0, vclass_len = 0, uclass_len = 0;
-
+  unsigned int hostname_len = 0, clid_len = 0, vclass_len = 0;
+  unsigned int uclass_len = 0, shost_len = 0;
+  
   /* no script */
   if (daemon->helperfd == -1)
     return;
@@ -259,18 +310,20 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
     vclass_len = lease->vendorclass_len;
   if (lease->userclass)
     uclass_len = lease->userclass_len;
+  if (lease->supplied_hostname)
+    shost_len = lease->supplied_hostname_len;
   if (lease->clid)
     clid_len = lease->clid_len;
   if (hostname)
     hostname_len = strlen(hostname) + 1;
 
-  size = sizeof(struct script_data) +  clid_len + vclass_len + uclass_len + hostname_len;
+  size = sizeof(struct script_data) +  clid_len + vclass_len + uclass_len + shost_len + hostname_len;
 
   if (size > buf_size)
     {
       struct script_data *new;
       
-      /* start with resonable size, will almost never need extending. */
+      /* start with reasonable size, will almost never need extending. */
       if (size < sizeof(struct script_data) + 200)
 	size = sizeof(struct script_data) + 200;
 
@@ -288,9 +341,25 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
   buf->clid_len = clid_len;
   buf->vclass_len = vclass_len;
   buf->uclass_len = uclass_len;
+  buf->shost_len = shost_len;
   buf->hostname_len = hostname_len;
   buf->addr = lease->addr;
+  buf->giaddr = lease->giaddr;
   memcpy(buf->hwaddr, lease->hwaddr, lease->hwaddr_len);
+  buf->interface[0] = 0;
+#ifdef HAVE_LINUX_NETWORK
+  if (lease->last_interface != 0)
+    {
+      struct ifreq ifr;
+      ifr.ifr_ifindex = lease->last_interface;
+      if (ioctl(daemon->dhcpfd, SIOCGIFNAME, &ifr) != -1)
+	strncpy(buf->interface, ifr.ifr_name, IF_NAMESIZE);
+    }
+#else
+  if (lease->last_interface != 0)
+    if_indextoname(lease->last_interface, buf->interface);
+#endif
+  
 #ifdef HAVE_BROKEN_RTC 
   buf->length = lease->length;
 #else
@@ -314,13 +383,17 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
       memcpy(p, lease->userclass, uclass_len);
       p += uclass_len;
     }
-  /* substitute * for space */
-  for (i = 0; i < hostname_len; i++)
-    if ((daemon->options & OPT_LEASE_RO) && hostname[i] == ' ')
-      *(p++) = '*';
-    else
-      *(p++) = hostname[i];
-  
+  if (shost_len != 0)
+    {
+      memcpy(p, lease->supplied_hostname, shost_len);
+      p += shost_len;
+    } 
+  if (hostname_len != 0)
+    {
+      memcpy(p, hostname, hostname_len);
+      p += hostname_len;
+    }
+
   bytes_in_buf = p - (unsigned char *)buf;
 }
 

src/isc.c

@@ -1,248 +0,0 @@
-/* dnsmasq is Copyright (c) 2000 - 2005 by Simon Kelley
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-*/
-
-
-/* Code in this file is based on contributions by John Volpe. */
-
-#include "dnsmasq.h"
-
-#ifdef HAVE_ISC_READER
-
-#define MAXTOK 50
-
-struct isc_lease {
-  char *name, *fqdn;
-  time_t expires;
-  struct in_addr addr;
-  struct isc_lease *next;
-};
-
-static struct isc_lease *leases = NULL;
-static off_t lease_file_size = (off_t)0;
-static ino_t lease_file_inode = (ino_t)0;
-static int logged_lease = 0;
-
-static int next_token (char *token, int buffsize, FILE * fp)
-{
-  int c, count = 0;
-  char *cp = token;
-  
-  while((c = getc(fp)) != EOF)
-    {
-      if (c == '#')
-	do { c = getc(fp); } while (c != '\n' && c != EOF);
-      
-      if (c == ' ' || c == '\t' || c == '\n' || c == ';')
-	{
-	  if (count)
-	    break;
-	}
-      else if ((c != '"') && (count<buffsize-1))
-	{
-	  *cp++ = c;
-	  count++;
-	}
-    }
-  
-  *cp = 0;
-  return count ? 1 : 0;
-}
-
-void load_dhcp(time_t now)
-{
-  char *hostname = daemon->namebuff;
-  char token[MAXTOK], *dot;
-  struct in_addr host_address;
-  time_t ttd, tts;
-  FILE *fp;
-  struct isc_lease *lease, *tmp, **up;
-  struct stat statbuf;
-
-  if (stat(daemon->lease_file, &statbuf) == -1)
-    {
-      if (!logged_lease)
-	my_syslog(LOG_WARNING, _("failed to access %s: %s"), daemon->lease_file, strerror(errno));
-      logged_lease = 1;
-      return;
-    }
-  
-  logged_lease = 0;
-  
-  if ((statbuf.st_size <= lease_file_size) &&
-      (statbuf.st_ino == lease_file_inode))
-    return;
-  
-  lease_file_size = statbuf.st_size;
-  lease_file_inode = statbuf.st_ino;
-  
-  if (!(fp = fopen (daemon->lease_file, "r")))
-    {
-      my_syslog (LOG_ERR, _("failed to load %s: %s"), daemon->lease_file, strerror(errno));
-      return;
-    }
-  
-  my_syslog (LOG_INFO, _("reading %s"), daemon->lease_file);
-
-  while ((next_token(token, MAXTOK, fp)))
-    {
-      if (strcmp(token, "lease") == 0)
-        {
-          hostname[0] = '\0';
-	  ttd = tts = (time_t)(-1);
-	  if (next_token(token, MAXTOK, fp) && 
-	      (host_address.s_addr = inet_addr(token)) != (in_addr_t) -1)
-            {
-              if (next_token(token, MAXTOK, fp) && *token == '{')
-                {
-                  while (next_token(token, MAXTOK, fp) && *token != '}')
-                    {
-                      if ((strcmp(token, "client-hostname") == 0) ||
-			  (strcmp(token, "hostname") == 0))
-			{
-			  if (next_token(hostname, MAXDNAME, fp))
-			    if (!canonicalise(hostname))
-			      {
-				*hostname = 0;
-				my_syslog(LOG_ERR, _("bad name in %s"), daemon->lease_file); 
-			      }
-			}
-                      else if ((strcmp(token, "ends") == 0) ||
-			       (strcmp(token, "starts") == 0))
-                        {
-                          struct tm lease_time;
-			  int is_ends = (strcmp(token, "ends") == 0);
-			  if (next_token(token, MAXTOK, fp) &&  /* skip weekday */
-			      next_token(token, MAXTOK, fp) &&  /* Get date from lease file */
-			      sscanf (token, "%d/%d/%d", 
-				      &lease_time.tm_year,
-				      &lease_time.tm_mon,
-				      &lease_time.tm_mday) == 3 &&
-			      next_token(token, MAXTOK, fp) &&
-			      sscanf (token, "%d:%d:%d:", 
-				      &lease_time.tm_hour,
-				      &lease_time.tm_min, 
-				      &lease_time.tm_sec) == 3)
-			    {
-			      /* There doesn't seem to be a universally available library function
-				 which converts broken-down _GMT_ time to seconds-in-epoch.
-				 The following was borrowed from ISC dhcpd sources, where
-                                 it is noted that it might not be entirely accurate for odd seconds.
-				 Since we're trying to get the same answer as dhcpd, that's just
-				 fine here. */
-			      static const int months [11] = { 31, 59, 90, 120, 151, 181,
-							       212, 243, 273, 304, 334 };
-			      time_t time = ((((((365 * (lease_time.tm_year - 1970) + /* Days in years since '70 */
-						  (lease_time.tm_year - 1969) / 4 +   /* Leap days since '70 */
-						  (lease_time.tm_mon > 1                /* Days in months this year */
-						   ? months [lease_time.tm_mon - 2]
-						   : 0) +
-						  (lease_time.tm_mon > 2 &&         /* Leap day this year */
-						   !((lease_time.tm_year - 1972) & 3)) +
-						  lease_time.tm_mday - 1) * 24) +   /* Day of month */
-						lease_time.tm_hour) * 60) +
-					      lease_time.tm_min) * 60) + lease_time.tm_sec;
-			      if (is_ends)
-				ttd = time;
-			      else
-				tts = time;			    }
-                        }
-		    }
-		  
-		  /* missing info? */
-		  if (!*hostname)
-		    continue;
-		  if (ttd == (time_t)(-1))
-		    continue;
-		  
-		  /* We use 0 as infinite in ttd */
-		  if ((tts != -1) && (ttd == tts - 1))
-		    ttd = (time_t)0;
-		  else if (difftime(now, ttd) > 0)
-		    continue;
-
-		  if ((dot = strchr(hostname, '.')))
-		    { 
-		      if (!daemon->domain_suffix || hostname_isequal(dot+1, daemon->domain_suffix))
-			{
-			  my_syslog(LOG_WARNING, 
-				    _("Ignoring DHCP lease for %s because it has an illegal domain part"), 
-				    hostname);
-			  continue;
-			}
-		      *dot = 0;
-		    }
-
-		  for (lease = leases; lease; lease = lease->next)
-		    if (hostname_isequal(lease->name, hostname))
-		      {
-			lease->expires = ttd;
-			lease->addr = host_address;
-			break;
-		      }
-
-		  if (!lease && (lease = whine_malloc(sizeof(struct isc_lease))))
-		    {
-		      lease->expires = ttd;
-		      lease->addr = host_address;
-		      lease->fqdn =  NULL;
-		      lease->next = leases;
-		      if (!(lease->name = whine_malloc(strlen(hostname)+1)))
-			free(lease);
-		      else
-			{
-			  leases = lease;
-			  strcpy(lease->name, hostname);
-			  if (daemon->domain_suffix && 
-			      (lease->fqdn = whine_malloc(strlen(hostname) + strlen(daemon->domain_suffix) + 2)))
-			    {
-			      strcpy(lease->fqdn, hostname);
-			      strcat(lease->fqdn, ".");
-			      strcat(lease->fqdn, daemon->domain_suffix);
-			    }
-			}
-		    }
-		}
-	    }
-	}
-    }
-
-  fclose(fp);
-  
-  /* prune expired leases */
-  for (lease = leases, up = &leases; lease; lease = tmp)
-     {
-       tmp = lease->next;
-       if (lease->expires != (time_t)0 && difftime(now, lease->expires) > 0)
-	 {
-	   *up = lease->next; /* unlink */
-	   free(lease->name);
-	   if (lease->fqdn)
-	     free(lease->fqdn);
-	   free(lease);
-	 }
-       else
-	 up = &lease->next;
-     }
-
-     
-  /* remove all existing DHCP cache entries */
-  cache_unhash_dhcp();
-
-  for (lease = leases; lease; lease = lease->next)
-    {
-      cache_add_dhcp_entry(lease->fqdn, &lease->addr, lease->expires);
-      cache_add_dhcp_entry(lease->name, &lease->addr, lease->expires);
-    }
-}
-
-#endif
-

src/lease.c

@@ -1,17 +1,23 @@
-/* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
+#ifdef HAVE_DHCP
+
 static struct dhcp_lease *leases = NULL, *old_leases = NULL;
 static int dns_dirty, file_dirty, leases_left;
 
@@ -36,14 +42,20 @@ void lease_init(time_t now)
 	 initial state of the database. If leasefile-ro is
 	 set without a script, we just do without any 
 	 lease database. */
-      if (!daemon->lease_change_command)
+#ifdef HAVE_SCRIPT
+      if (daemon->lease_change_command)
 	{
-	  file_dirty = dns_dirty = 0;
-	  return;
+	  strcpy(daemon->dhcp_buff, daemon->lease_change_command);
+	  strcat(daemon->dhcp_buff, " init");
+	  leasestream = popen(daemon->dhcp_buff, "r");
 	}
-      strcpy(daemon->dhcp_buff, daemon->lease_change_command);
-      strcat(daemon->dhcp_buff, " init");
-      leasestream = popen(daemon->dhcp_buff, "r");
+      else
+#endif
+	{
+          file_dirty = dns_dirty = 0;
+          return;
+        }
+
     }
   else
     {
@@ -53,7 +65,7 @@ void lease_init(time_t now)
       if (!leasestream)
 	die(_("cannot open or create lease file %s: %s"), daemon->lease_file, EC_FILE);
       
-      /* a+ mode lease pointer at end. */
+      /* a+ mode leaves pointer at end. */
       rewind(leasestream);
     }
   
@@ -94,19 +106,14 @@ void lease_init(time_t now)
 	lease_set_hwaddr(lease, (unsigned char *)daemon->dhcp_buff2, (unsigned char *)daemon->packet, hw_len, hw_type, clid_len);
 	
 	if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	  {
-	    char *p;
-	    /* unprotect spaces */
-	    for (p = strchr(daemon->dhcp_buff, '*'); p; p = strchr(p, '*'))
-	      *p = ' ';
-	    lease_set_hostname(lease, daemon->dhcp_buff, daemon->domain_suffix, 0);
-	  }
+	  lease_set_hostname(lease, daemon->dhcp_buff, 0);
 
 	/* set these correctly: the "old" events are generated later from
 	   the startup synthesised SIGHUP. */
 	lease->new = lease->changed = 0;
       }
   
+#ifdef HAVE_SCRIPT
   if (!daemon->lease_stream)
     {
       int rc = 0;
@@ -127,6 +134,7 @@ void lease_init(time_t now)
 	  die(_("lease-init script returned exit code %s"), daemon->dhcp_buff, WEXITSTATUS(rc) + EC_INIT_OFFSET);
 	}
     }
+#endif
 
   /* Some leases may have expired */
   file_dirty = 0;
@@ -147,9 +155,9 @@ void lease_update_from_configs(void)
 			      lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL)) && 
 	(config->flags & CONFIG_NAME) &&
 	(!(config->flags & CONFIG_ADDR) || config->addr.s_addr == lease->addr.s_addr))
-      lease_set_hostname(lease, config->hostname, daemon->domain_suffix, 1);
+      lease_set_hostname(lease, config->hostname, 1);
     else if ((name = host_from_dns(lease->addr)))
-      lease_set_hostname(lease, name, daemon->domain_suffix, 1); /* updates auth flag only */
+      lease_set_hostname(lease, name, 1); /* updates auth flag only */
 }
 
 static void ourprintf(int *errp, char *format, ...)
@@ -167,7 +175,6 @@ void lease_update_file(time_t now)
   struct dhcp_lease *lease;
   time_t next_event;
   int i, err = 0;
-  char *p;
 
   if (file_dirty != 0 && daemon->lease_stream)
     {
@@ -193,15 +200,8 @@ void lease_update_file(time_t now)
 	    }
 
 	  ourprintf(&err, " %s ", inet_ntoa(lease->addr));
-	  
-	  /* substitute * for space: "*" is an illegal name, as is " " */
-	  if (lease->hostname)
-	    for (p = lease->hostname; *p; p++)
-	      ourprintf(&err, "%c", *p == ' ' ? '*' : *p);
-	  else
-	    ourprintf(&err, "*");
-	  ourprintf(&err, " ");
-	  
+	  ourprintf(&err, "%s ", lease->hostname ? lease->hostname : "*");
+	  	  
 	  if (lease->clid && lease->clid_len != 0)
 	    {
 	      for (i = 0; i < lease->clid_len - 1; i++)
@@ -231,7 +231,7 @@ void lease_update_file(time_t now)
       if (next_event == 0 || difftime(next_event, LEASE_RETRY + now) > 0.0)
 	next_event = LEASE_RETRY + now;
       
-      my_syslog(LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
+      my_syslog(MS_DHCP | LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
 		daemon->lease_file, strerror(err),
 		(unsigned int)difftime(next_event, now));
     }
@@ -244,14 +244,17 @@ void lease_update_dns(void)
 {
   struct dhcp_lease *lease;
   
-  if (dns_dirty)
+  if (daemon->port != 0 && dns_dirty)
     {
       cache_unhash_dhcp();
       
       for (lease = leases; lease; lease = lease->next)
 	{
-	  cache_add_dhcp_entry(lease->fqdn, &lease->addr, lease->expires);
-	  cache_add_dhcp_entry(lease->hostname, &lease->addr, lease->expires);
+	  if (lease->fqdn)
+	    cache_add_dhcp_entry(lease->fqdn, &lease->addr, lease->expires);
+	     
+	  if (!(daemon->options & OPT_DHCP_FQDN) && lease->hostname)
+	    cache_add_dhcp_entry(lease->hostname, &lease->addr, lease->expires);
 	}
       
       dns_dirty = 0;
@@ -408,11 +411,33 @@ void lease_set_hwaddr(struct dhcp_lease *lease, unsigned char *hwaddr,
 
 }
 
-void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int auth)
+static void kill_name(struct dhcp_lease *lease)
+{
+  /* run script to say we lost our old name */
+  
+  /* this shouldn't happen unless updates are very quick and the
+     script very slow, we just avoid a memory leak if it does. */
+  free(lease->old_hostname);
+  
+  /* If we know the fqdn, pass that. The helper will derive the
+     unqualified name from it, free the unqulaified name here. */
+
+  if (lease->fqdn)
+    {
+      lease->old_hostname = lease->fqdn;
+      free(lease->hostname);
+    }
+  else
+    lease->old_hostname = lease->hostname;
+
+  lease->hostname = lease->fqdn = NULL;
+}
+
+void lease_set_hostname(struct dhcp_lease *lease, char *name, int auth)
 {
   struct dhcp_lease *lease_tmp;
   char *new_name = NULL, *new_fqdn = NULL;
-
+  
   if (lease->hostname && name && hostname_isequal(lease->hostname, name))
     {
       lease->auth_name = auth;
@@ -429,44 +454,47 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
   
   if (name)
     {
-      for (lease_tmp = leases; lease_tmp; lease_tmp = lease_tmp->next)
-	if (lease_tmp->hostname && hostname_isequal(lease_tmp->hostname, name))
-	  {
-	    if (lease_tmp->auth_name && !auth)
-	      return;
-	    /* this shouldn't happen unless updates are very quick and the
-	       script very slow, we just avoid a memory leak if it does. */
-	    free(lease_tmp->old_hostname);
-	    lease_tmp->old_hostname = lease_tmp->hostname;
-	    lease_tmp->hostname = NULL;
-	    if (lease_tmp->fqdn)
-	      {
-		new_fqdn = lease_tmp->fqdn;
-		lease_tmp->fqdn = NULL;
-	      }
-	    break;
-	  }
-     
-      if (!new_name && (new_name = whine_malloc(strlen(name) + 1)))
-	strcpy(new_name, name);
-      
-      if (suffix && !new_fqdn && (new_fqdn = whine_malloc(strlen(name) + strlen(suffix) + 2)))
+      if ((new_name = whine_malloc(strlen(name) + 1)))
 	{
-	  strcpy(new_fqdn, name);
-	  strcat(new_fqdn, ".");
-	  strcat(new_fqdn, suffix);
+	  char *suffix = get_domain(lease->addr);
+	  strcpy(new_name, name);
+	  if (suffix && (new_fqdn = whine_malloc(strlen(new_name) + strlen(suffix) + 2)))
+	    {
+	      strcpy(new_fqdn, name);
+	      strcat(new_fqdn, ".");
+	      strcat(new_fqdn, suffix);
+	    }
+	}
+	  
+      /* Depending on mode, we check either unqualified name or FQDN. */
+      for (lease_tmp = leases; lease_tmp; lease_tmp = lease_tmp->next)
+	{
+	  if (daemon->options & OPT_DHCP_FQDN)
+	    {
+	      if (!new_fqdn || !lease_tmp->fqdn || !hostname_isequal(lease_tmp->fqdn, new_fqdn) )
+		continue;
+	    }
+	  else
+	    {
+	      if (!new_name || !lease_tmp->hostname || !hostname_isequal(lease_tmp->hostname, new_name) )
+		continue; 
+	    }
+	  
+	  if (lease_tmp->auth_name && !auth)
+	    {
+	      free(new_name);
+	      free(new_fqdn);
+	      return;
+	    }
+	
+	  kill_name(lease_tmp);
+	  break;
 	}
     }
 
   if (lease->hostname)
-    {
-      /* run script to say we lost our old name */
-      free(lease->old_hostname);
-      lease->old_hostname = lease->hostname;
-    }
+    kill_name(lease);
 
-  free(lease->fqdn);
-  
   lease->hostname = new_name;
   lease->fqdn = new_fqdn;
   lease->auth_name = auth;
@@ -476,6 +504,15 @@ void lease_set_hostname(struct dhcp_lease *lease, char *name, char *suffix, int
   lease->changed = 1; /* run script on change */
 }
 
+void lease_set_interface(struct dhcp_lease *lease, int interface)
+{
+  if (lease->last_interface == interface)
+    return;
+
+  lease->last_interface = interface;
+  lease->changed = 1;
+}
+
 void rerun_scripts(void)
 {
   struct dhcp_lease *lease;
@@ -493,6 +530,13 @@ int do_script_run(time_t now)
 {
   struct dhcp_lease *lease;
 
+#ifdef HAVE_DBUS
+  /* If we're going to be sending DBus signals, but the connection is not yet up,
+     delay everything until it is. */
+  if ((daemon->options & OPT_DBUS) && !daemon->dbus)
+    return 0;
+#endif
+
   if (old_leases)
     {
       lease = old_leases;
@@ -500,7 +544,7 @@ int do_script_run(time_t now)
       /* If the lease still has an old_hostname, do the "old" action on that first */
       if (lease->old_hostname)
 	{
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
 #endif
 	  free(lease->old_hostname);
@@ -509,16 +553,20 @@ int do_script_run(time_t now)
 	}
       else 
 	{
-#ifndef NO_FORK
-	  queue_script(ACTION_DEL, lease, lease->hostname, now);
+	  kill_name(lease);
+#ifdef HAVE_SCRIPT
+	  queue_script(ACTION_DEL, lease, lease->old_hostname, now);
+#endif
+#ifdef HAVE_DBUS
+	  emit_dbus_signal(ACTION_DEL, lease, lease->old_hostname);
 #endif
 	  old_leases = lease->next;
 	  
-	  free(lease->hostname); 
-	  free(lease->fqdn);
+	  free(lease->old_hostname); 
 	  free(lease->clid);
 	  free(lease->vendorclass);
 	  free(lease->userclass);
+	  free(lease->supplied_hostname);
 	  free(lease);
 	    
 	  return 1; 
@@ -529,7 +577,7 @@ int do_script_run(time_t now)
   for (lease = leases; lease; lease = lease->next)
     if (lease->old_hostname)
       {	
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
 #endif
 	free(lease->old_hostname);
@@ -541,8 +589,13 @@ int do_script_run(time_t now)
     if (lease->new || lease->changed || 
 	(lease->aux_changed && (daemon->options & OPT_LEASE_RO)))
       {
-#ifndef NO_FORK
-	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname, now);
+#ifdef HAVE_SCRIPT
+	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, 
+		     lease->fqdn ? lease->fqdn : lease->hostname, now);
+#endif
+#ifdef HAVE_DBUS
+	emit_dbus_signal(lease->new ? ACTION_ADD : ACTION_OLD, lease,
+			 lease->fqdn ? lease->fqdn : lease->hostname);
 #endif
 	lease->new = lease->changed = lease->aux_changed = 0;
 	
@@ -552,12 +605,17 @@ int do_script_run(time_t now)
 	
 	free(lease->userclass);
 	lease->userclass = NULL;
-		
+	
+	free(lease->supplied_hostname);
+	lease->supplied_hostname = NULL;
+			
 	return 1;
       }
 
   return 0; /* nothing to do */
 }
+
+#endif
 	  
 
       

src/log.c

@@ -1,13 +1,17 @@
-/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -46,8 +50,10 @@ static struct log_entry *entries = NULL;
 static struct log_entry *free_entries = NULL;
 
 
-void log_start(struct passwd *ent_pw)
+int log_start(struct passwd *ent_pw, int errfd)
 {
+  int ret = 0;
+
   log_stderr = !!(daemon->options & OPT_DEBUG);
 
   if (daemon->log_fac != -1)
@@ -66,15 +72,11 @@ void log_start(struct passwd *ent_pw)
   max_logs = daemon->max_logs;
 
   if (!log_reopen(daemon->log_file))
-    die(_("cannot open %s: %s"), daemon->log_file ? daemon->log_file : "log", EC_FILE);
-  
-  /* If we're running as root and going to change uid later,
-     change the ownership here so that the file is always owned by
-     the dnsmasq user. Then logrotate can just copy the owner.
-     Failure of the chown call is OK, (for instance when started as non-root) */
-  if (log_to_file && ent_pw && ent_pw->pw_uid != 0)
-    fchown(log_fd, ent_pw->pw_uid, -1);
- 
+    {
+      send_event(errfd, EVENT_LOG_ERR, errno);
+      _exit(0);
+    }
+
   /* if queuing is inhibited, make sure we allocate
      the one required buffer now. */
   if (max_logs == 0)
@@ -83,29 +85,50 @@ void log_start(struct passwd *ent_pw)
       free_entries->next = NULL;
       entries_alloced = 1;
     }
+
+  /* If we're running as root and going to change uid later,
+     change the ownership here so that the file is always owned by
+     the dnsmasq user. Then logrotate can just copy the owner.
+     Failure of the chown call is OK, (for instance when started as non-root) */
+  if (log_to_file && ent_pw && ent_pw->pw_uid != 0 && 
+      fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+    ret = errno;
+
+  return ret;
 }
 
 int log_reopen(char *log_file)
 {
-  int flags;
-  
   if (log_fd != -1)
     close(log_fd);
 
   /* NOTE: umask is set to 022 by the time this gets called */
      
   if (log_file)
-    log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP); 
+    {
+      log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+      return log_fd != -1;
+    }
   else
-    log_fd = socket(AF_UNIX, connection_type, 0);
-  
-  if (log_fd == -1)
-    return 0;
-  
-  /* if max_logs is zero, leave the socket blocking */
-  if (max_logs != 0 && (flags = fcntl(log_fd, F_GETFL)) != -1)
-    fcntl(log_fd, F_SETFL, flags | O_NONBLOCK);
+#ifdef HAVE_SOLARIS_NETWORK
+    /* Solaris logging is "different", /dev/log is not unix-domain socket.
+       Just leave log_fd == -1 and use the vsyslog call for everything.... */
+#   define _PATH_LOG ""  /* dummy */
+    log_fd = -1;
+#else
+    {
+       int flags;
+       log_fd = socket(AF_UNIX, connection_type, 0);
       
+      if (log_fd == -1)
+	return 0;
+      
+      /* if max_logs is zero, leave the socket blocking */
+      if (max_logs != 0 && (flags = fcntl(log_fd, F_GETFL)) != -1)
+	fcntl(log_fd, F_SETFL, flags | O_NONBLOCK);
+    }
+#endif
+
   return 1;
 }
 
@@ -187,7 +210,7 @@ static void log_write(void)
 #ifdef HAVE_SOCKADDR_SA_LEN
 	      logaddr.sun_len = sizeof(logaddr) - sizeof(logaddr.sun_path) + strlen(_PATH_LOG) + 1; 
 #endif
-	      logaddr.sun_family = AF_LOCAL;
+	      logaddr.sun_family = AF_UNIX;
 	      strncpy(logaddr.sun_path, _PATH_LOG, sizeof(logaddr.sun_path));
 	      
 	      /* Got connection back? try again. */
@@ -225,6 +248,10 @@ static void log_write(void)
     }
 }
 
+/* priority is one of LOG_DEBUG, LOG_INFO, LOG_NOTICE, etc. See sys/syslog.h.
+   OR'd to priority can be MS_TFTP, MS_DHCP, ... to be able to do log separation between
+   DNS, DHCP and TFTP services.
+*/
 void my_syslog(int priority, const char *format, ...)
 {
   va_list ap;
@@ -233,16 +260,24 @@ void my_syslog(int priority, const char *format, ...)
   char *p;
   size_t len;
   pid_t pid = getpid();
+  char *func = "";
 
-  va_start(ap, format); 
+  if ((LOG_FACMASK & priority) == MS_TFTP)
+    func = "-tftp";
+  else if ((LOG_FACMASK & priority) == MS_DHCP)
+    func = "-dhcp";
+      
+  priority = LOG_PRI(priority);
   
   if (log_stderr) 
     {
-      fprintf(stderr, "dnsmasq: ");
+      fprintf(stderr, "dnsmasq%s: ", func);
+      va_start(ap, format);
       vfprintf(stderr, format, ap);
+      va_end(ap);
       fputc('\n', stderr);
     }
-  
+
   if (log_fd == -1)
     {
       /* fall-back to syslog if we die during startup or fail during running. */
@@ -252,6 +287,7 @@ void my_syslog(int priority, const char *format, ...)
 	  openlog("dnsmasq", LOG_PID, log_fac);
 	  isopen = 1;
 	}
+      va_start(ap, format);  
       vsyslog(priority, format, ap);
       va_end(ap);
       return;
@@ -281,10 +317,13 @@ void my_syslog(int priority, const char *format, ...)
       p = entry->payload;
       if (!log_to_file)
 	p += sprintf(p, "<%d>", priority | log_fac);
-      
-      p += sprintf(p, "%.15s dnsmasq[%d]: ", ctime(&time_now) + 4, pid);
+
+      p += sprintf(p, "%.15s dnsmasq%s[%d]: ", ctime(&time_now) + 4, func, (int)pid);
+        
       len = p - entry->payload;
+      va_start(ap, format);  
       len += vsnprintf(p, MAX_MESSAGE - len, format, ap) + 1; /* include zero-terminator */
+      va_end(ap);
       entry->length = len > MAX_MESSAGE ? MAX_MESSAGE : len;
       entry->offset = 0;
       entry->pid = pid;
@@ -331,8 +370,6 @@ void my_syslog(int priority, const char *format, ...)
 	  log_write();
 	}
     } 
- 
-  va_end(ap);
 }
 
 void set_log_writer(fd_set *set, int *maxfdp)

src/netlink.c

@@ -1,13 +1,17 @@
- /* dnsmasq is Copyright (c) 2000-2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -27,6 +31,7 @@
 #endif
 
 static struct iovec iov;
+static u32 netlink_pid;
 
 static void nl_err(struct nlmsghdr *h);
 static void nl_routechange(struct nlmsghdr *h);
@@ -34,6 +39,7 @@ static void nl_routechange(struct nlmsghdr *h);
 void netlink_init(void)
 {
   struct sockaddr_nl addr;
+  socklen_t slen = sizeof(addr);
 
   addr.nl_family = AF_NETLINK;
   addr.nl_pad = 0;
@@ -55,48 +61,63 @@ void netlink_init(void)
 	}
     }
   
-  if (daemon->netlinkfd == -1)
+  if (daemon->netlinkfd == -1 || 
+      getsockname(daemon->netlinkfd, (struct sockaddr *)&addr, &slen) == 1)
     die(_("cannot create netlink socket: %s"), NULL, EC_MISC);
+   
+  /* save pid assigned by bind() and retrieved by getsockname() */ 
+  netlink_pid = addr.nl_pid;
   
-  iov.iov_len = 200;
+  iov.iov_len = 100;
   iov.iov_base = safe_malloc(iov.iov_len);
 }
 
 static ssize_t netlink_recv(void)
 {
   struct msghdr msg;
+  struct sockaddr_nl nladdr;
   ssize_t rc;
 
-  msg.msg_control = NULL;
-  msg.msg_controllen = 0;
-  msg.msg_name = NULL;
-  msg.msg_namelen = 0;
-  msg.msg_iov = &iov;
-  msg.msg_iovlen = 1;
-    
   while (1)
     {
+      msg.msg_control = NULL;
+      msg.msg_controllen = 0;
+      msg.msg_name = &nladdr;
+      msg.msg_namelen = sizeof(nladdr);
+      msg.msg_iov = &iov;
+      msg.msg_iovlen = 1;
       msg.msg_flags = 0;
-      while ((rc = recvmsg(daemon->netlinkfd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
       
-      /* 2.2.x doesn't suport MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
-	 big buffer and pray in that case. */
-      if (rc == -1 && errno == EOPNOTSUPP)
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, MSG_PEEK | MSG_TRUNC)) == -1 && errno == EINTR);
+      
+      /* make buffer big enough */
+      if (rc != -1 && (msg.msg_flags & MSG_TRUNC))
 	{
-	  if (!expand_buf(&iov, 2000))
-	    return -1;
-	  break;
+	  /* Very new Linux kernels return the actual size needed, older ones always return truncated size */
+	  if ((size_t)rc == iov.iov_len)
+	    {
+	      if (expand_buf(&iov, rc + 100))
+		continue;
+	    }
+	  else
+	    expand_buf(&iov, rc);
 	}
-      
-      if (rc == -1 || !(msg.msg_flags & MSG_TRUNC))
-        break;
-            
-      if (!expand_buf(&iov, iov.iov_len + 100))
-	return -1;
-    }
 
-  /* finally, read it for real */
-  while ((rc = recvmsg(daemon->netlinkfd, &msg, 0)) == -1 && errno == EINTR);
+      /* read it for real */
+      msg.msg_flags = 0;
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, 0)) == -1 && errno == EINTR);
+      
+      /* Make sure this is from the kernel */
+      if (rc == -1 || nladdr.nl_pid == 0)
+	break;
+    }
+      
+  /* discard stuff which is truncated at this point (expand_buf() may fail) */
+  if (msg.msg_flags & MSG_TRUNC)
+    {
+      rc = -1;
+      errno = ENOMEM;
+    }
   
   return rc;
 }
@@ -137,13 +158,20 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
   while (1)
     {
       if ((len = netlink_recv()) == -1)
-	return 0;
-  
+	{
+	  if (errno == ENOBUFS)
+	    {
+	      sleep(1);
+	      goto again;
+	    }
+	  return 0;
+	}
+
       for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
- 	if (h->nlmsg_type == NLMSG_ERROR)
-	  nl_err(h);
-	else if (h->nlmsg_seq != seq)
+	if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid)
 	  nl_routechange(h); /* May be multicast arriving async */
+	else if (h->nlmsg_type == NLMSG_ERROR)
+	  nl_err(h);
 	else if (h->nlmsg_type == NLMSG_DONE)
 	  {
 #ifdef HAVE_IPV6
@@ -204,10 +232,17 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
     }
 }
 
+
 void netlink_multicast(void)
 {
   ssize_t len;
   struct nlmsghdr *h;
+  int flags;
+  
+  /* don't risk blocking reading netlink messages here. */
+  if ((flags = fcntl(daemon->netlinkfd, F_GETFL)) == -1 ||
+      fcntl(daemon->netlinkfd, F_SETFL, flags | O_NONBLOCK) == -1) 
+    return;
   
   if ((len = netlink_recv()) != -1)
     {
@@ -217,11 +252,15 @@ void netlink_multicast(void)
 	else
 	  nl_routechange(h);
     }
+
+  /* restore non-blocking status */
+  fcntl(daemon->netlinkfd, F_SETFL, flags); 
 }
 
 static void nl_err(struct nlmsghdr *h)
 {
   struct nlmsgerr *err = NLMSG_DATA(h);
+  
   if (err->error != 0)
     my_syslog(LOG_ERR, _("netlink returns error: %s"), strerror(-(err->error)));
 }
@@ -230,18 +269,35 @@ static void nl_err(struct nlmsghdr *h)
    If this happens and we still have a DNS packet in the buffer, we re-send it.
    This helps on DoD links, where frequently the packet which triggers dialling is
    a DNS query, which then gets lost. By re-sending, we can avoid the lookup
-   failing. */ 
+   failing. Note that we only accept these messages from the kernel (pid == 0) */ 
 static void nl_routechange(struct nlmsghdr *h)
 {
-  if (h->nlmsg_type == RTM_NEWROUTE && daemon->srv_save)
+  if (h->nlmsg_pid == 0 && h->nlmsg_type == RTM_NEWROUTE)
     {
       struct rtmsg *rtm = NLMSG_DATA(h);
-      if (rtm->rtm_type == RTN_UNICAST &&
-	  rtm->rtm_scope == RT_SCOPE_LINK) 
-	while(sendto(daemon->srv_save->sfd->fd, daemon->packet, daemon->packet_len, 0,
-		     &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send()); 
+      int fd;
+
+      if (rtm->rtm_type != RTN_UNICAST || rtm->rtm_scope != RT_SCOPE_LINK)
+	return;
+
+      /* Force re-reading resolv file right now, for luck. */
+      daemon->last_resolv = 0;
+
+      if (daemon->srv_save)
+	{
+	  if (daemon->srv_save->sfd)
+	    fd = daemon->srv_save->sfd->fd;
+	  else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
+	    fd = daemon->rfd_save->fd;
+	  else
+	    return;
+	  
+	  while(sendto(fd, daemon->packet, daemon->packet_len, 0,
+		       &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send()); 
+	}
     }
 }
+
 #endif
 
       

src/network.c

@@ -1,19 +1,52 @@
-/* dnsmasq is Copyright (c) 2000 - 2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
-int iface_check(int family, struct all_addr *addr, 
-		struct ifreq *ifr, int *indexp)
+#ifdef HAVE_LINUX_NETWORK
+
+int indextoname(int fd, int index, char *name)
+{
+  struct ifreq ifr;
+  
+  if (index == 0)
+    return 0;
+
+  ifr.ifr_ifindex = index;
+  if (ioctl(fd, SIOCGIFNAME, &ifr) == -1)
+    return 0;
+
+  strncpy(name, ifr.ifr_name, IF_NAMESIZE);
+
+  return 1;
+}
+
+#else
+
+int indextoname(int fd, int index, char *name)
+{ 
+  if (index == 0 || !if_indextoname(index, name))
+    return 0;
+
+  return 1;
+}
+
+#endif
+
+int iface_check(int family, struct all_addr *addr, char *name, int *indexp)
 {
   struct iname *tmp;
   int ret = 1;
@@ -23,8 +56,7 @@ int iface_check(int family, struct all_addr *addr,
 
   if (indexp)
     {
-#if defined(__FreeBSD__) || defined(__DragonFly__)
-      /* One form of bridging on FreeBSD has the property that packets
+      /* One form of bridging on BSD has the property that packets
 	 can be recieved on bridge interfaces which do not have an IP address.
 	 We allow these to be treated as aliases of another interface which does have
 	 an IP address with --dhcp-bridge=interface,alias,alias */
@@ -32,26 +64,25 @@ int iface_check(int family, struct all_addr *addr,
       for (bridge = daemon->bridges; bridge; bridge = bridge->next)
 	{
 	  for (alias = bridge->alias; alias; alias = alias->next)
-	    if (strncmp(ifr->ifr_name, alias->iface, IF_NAMESIZE) == 0)
+	    if (strncmp(name, alias->iface, IF_NAMESIZE) == 0)
 	      {
 		int newindex;
 		
 		if (!(newindex = if_nametoindex(bridge->iface)))
 		  {
-		    my_syslog(LOG_WARNING, _("unknown interface %s in bridge-interface"), ifr->ifr_name);
+		    my_syslog(LOG_WARNING, _("unknown interface %s in bridge-interface"), name);
 		    return 0;
 		  }
 		else 
 		  {
 		    *indexp = newindex;
-		    strncpy(ifr->ifr_name,  bridge->iface, IF_NAMESIZE);
+		    strncpy(name,  bridge->iface, IF_NAMESIZE);
 		    break;
 		  }
 	      }
 	  if (alias)
 	    break;
 	}
-#endif
     }
   
   if (daemon->if_names || (addr && daemon->if_addrs))
@@ -59,7 +90,7 @@ int iface_check(int family, struct all_addr *addr,
       ret = 0;
 
       for (tmp = daemon->if_names; tmp; tmp = tmp->next)
-	if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+	if (tmp->name && (strcmp(tmp->name, name) == 0))
 	  ret = tmp->used = 1;
 	        
       for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
@@ -78,7 +109,7 @@ int iface_check(int family, struct all_addr *addr,
     }
   
   for (tmp = daemon->if_except; tmp; tmp = tmp->next)
-    if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+    if (tmp->name && (strcmp(tmp->name, name) == 0))
       ret = 0;
   
   return ret; 
@@ -88,7 +119,7 @@ static int iface_allowed(struct irec **irecp, int if_index,
 			 union mysockaddr *addr, struct in_addr netmask) 
 {
   struct irec *iface;
-  int fd;
+  int fd, mtu = 0, loopback;
   struct ifreq ifr;
   int dhcp_ok = 1;
   struct iname *tmp;
@@ -99,16 +130,8 @@ static int iface_allowed(struct irec **irecp, int if_index,
     if (sockaddr_isequal(&iface->addr, addr))
       return 1;
   
-#ifdef HAVE_LINUX_NETWORK
-  ifr.ifr_ifindex = if_index;
-#endif
-  
   if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1 ||
-#ifdef HAVE_LINUX_NETWORK
-      ioctl(fd, SIOCGIFNAME, &ifr) == -1 ||
-#else
-      !if_indextoname(if_index, ifr.ifr_name) ||
-#endif
+      !indextoname(fd, if_index, ifr.ifr_name) ||
       ioctl(fd, SIOCGIFFLAGS, &ifr) == -1)
     {
       if (fd != -1)
@@ -119,12 +142,17 @@ static int iface_allowed(struct irec **irecp, int if_index,
 	}
       return 0;
     }
+   
+  loopback = ifr.ifr_flags & IFF_LOOPBACK;
+
+  if (ioctl(fd, SIOCGIFMTU, &ifr) != -1)
+    mtu = ifr.ifr_mtu;
   
   close(fd);
   
   /* If we are restricting the set of interfaces to use, make
      sure that loopback interfaces are in that set. */
-  if (daemon->if_names && (ifr.ifr_flags & IFF_LOOPBACK))
+  if (daemon->if_names && loopback)
     {
       struct iname *lo;
       for (lo = daemon->if_names; lo; lo = lo->next)
@@ -146,7 +174,7 @@ static int iface_allowed(struct irec **irecp, int if_index,
     }
   
   if (addr->sa.sa_family == AF_INET &&
-      !iface_check(AF_INET, (struct all_addr *)&addr->in.sin_addr, &ifr, NULL))
+      !iface_check(AF_INET, (struct all_addr *)&addr->in.sin_addr, ifr.ifr_name, NULL))
     return 1;
   
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
@@ -155,7 +183,7 @@ static int iface_allowed(struct irec **irecp, int if_index,
   
 #ifdef HAVE_IPV6
   if (addr->sa.sa_family == AF_INET6 &&
-      !iface_check(AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, &ifr, NULL))
+      !iface_check(AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, ifr.ifr_name, NULL))
     return 1;
 #endif
 
@@ -165,6 +193,7 @@ static int iface_allowed(struct irec **irecp, int if_index,
       iface->addr = *addr;
       iface->netmask = netmask;
       iface->dhcp_ok = dhcp_ok;
+      iface->mtu = mtu;
       iface->next = *irecp;
       *irecp = iface;
       return 1;
@@ -213,7 +242,6 @@ static int iface_allowed_v4(struct in_addr local, int if_index,
   return iface_allowed((struct irec **)vparam, if_index, &addr, netmask);
 }
    
-
 int enumerate_interfaces(void)
 {
 #ifdef HAVE_IPV6
@@ -293,7 +321,7 @@ struct listener *create_wildcard_listeners(void)
   union mysockaddr addr;
   int opt = 1;
   struct listener *l, *l6 = NULL;
-  int tcpfd, fd, tftpfd = -1;
+  int tcpfd = -1, fd = -1, tftpfd = -1;
 
   memset(&addr, 0, sizeof(addr));
   addr.in.sin_family = AF_INET;
@@ -303,28 +331,32 @@ struct listener *create_wildcard_listeners(void)
   addr.in.sin_len = sizeof(struct sockaddr_in);
 #endif
 
-  if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
-      (tcpfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
-    return NULL;
-  
-  if (setsockopt(tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-      bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
-      listen(tcpfd, 5) == -1 ||
-      !fix_fd(tcpfd) ||
+  if (daemon->port != 0)
+    {
+      
+      if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
+	  (tcpfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
+	return NULL;
+      
+      if (setsockopt(tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	  bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
+	  listen(tcpfd, 5) == -1 ||
+	  !fix_fd(tcpfd) ||
 #ifdef HAVE_IPV6
-      !create_ipv6_listener(&l6, daemon->port) ||
+	  !create_ipv6_listener(&l6, daemon->port) ||
 #endif
-      setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-      !fix_fd(fd) ||
+	  setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	  !fix_fd(fd) ||
 #if defined(HAVE_LINUX_NETWORK) 
-      setsockopt(fd, SOL_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1 ||
+	  setsockopt(fd, SOL_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1 ||
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
-      setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
-      setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1 ||
+	  setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
+	  setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1 ||
 #endif 
-      bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
-    return NULL;
-
+	  bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
+	return NULL;
+    }
+  
 #ifdef HAVE_TFTP
   if (daemon->options & OPT_TFTP)
     {
@@ -358,8 +390,11 @@ struct listener *create_bound_listeners(void)
 {
   struct listener *listeners = NULL;
   struct irec *iface;
-  int opt = 1;
-  
+  int rc, opt = 1;
+#ifdef HAVE_IPV6
+  static int dad_count = 0;
+#endif
+
   for (iface = daemon->interfaces; iface; iface = iface->next)
     {
       struct listener *new = safe_malloc(sizeof(struct listener));
@@ -367,49 +402,60 @@ struct listener *create_bound_listeners(void)
       new->iface = iface;
       new->next = listeners;
       new->tftpfd = -1;
+      new->tcpfd = -1;
+      new->fd = -1;
+      listeners = new;
 
-      if ((new->tcpfd = socket(iface->addr.sa.sa_family, SOCK_STREAM, 0)) == -1 ||
-	  (new->fd = socket(iface->addr.sa.sa_family, SOCK_DGRAM, 0)) == -1 ||
-	  setsockopt(new->fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-	  setsockopt(new->tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
-	  !fix_fd(new->tcpfd) ||
-	  !fix_fd(new->fd))
-	die(_("failed to create listening socket: %s"), NULL, EC_BADNET);
-      
-#ifdef HAVE_IPV6
-      if (iface->addr.sa.sa_family == AF_INET6)
-	{
-	  if (setsockopt(new->fd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
-	      setsockopt(new->tcpfd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1)
-	    die(_("failed to set IPV6 options on listening socket: %s"), NULL, EC_BADNET);
-	}
-#endif
-      
-      if (bind(new->tcpfd, &iface->addr.sa, sa_len(&iface->addr)) == -1 ||
-	  bind(new->fd, &iface->addr.sa, sa_len(&iface->addr)) == -1)
+      if (daemon->port != 0)
 	{
+	  if ((new->tcpfd = socket(iface->addr.sa.sa_family, SOCK_STREAM, 0)) == -1 ||
+	      (new->fd = socket(iface->addr.sa.sa_family, SOCK_DGRAM, 0)) == -1 ||
+	      setsockopt(new->fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	      setsockopt(new->tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+	      !fix_fd(new->tcpfd) ||
+	      !fix_fd(new->fd))
+	    die(_("failed to create listening socket: %s"), NULL, EC_BADNET);
+	  
 #ifdef HAVE_IPV6
-	  if (iface->addr.sa.sa_family == AF_INET6 && errno == ENODEV)
+	  if (iface->addr.sa.sa_family == AF_INET6)
 	    {
-	      close(new->tcpfd);
-	      close(new->fd);
-	      free(new);
+	      if (setsockopt(new->fd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
+		  setsockopt(new->tcpfd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1)
+		die(_("failed to set IPV6 options on listening socket: %s"), NULL, EC_BADNET);
 	    }
-	  else
 #endif
+
+	  while(1)
+	    {
+	      if ((rc = bind(new->fd, &iface->addr.sa, sa_len(&iface->addr))) != -1)
+		break;
+	      
+#ifdef HAVE_IPV6
+	      /* An interface may have an IPv6 address which is still undergoing DAD. 
+		 If so, the bind will fail until the DAD completes, so we try over 20 seconds
+		 before failing. */
+	      if (iface->addr.sa.sa_family == AF_INET6 && (errno == ENODEV || errno == EADDRNOTAVAIL) && 
+		  dad_count++ < DAD_WAIT)
+		{
+		  sleep(1);
+		  continue;
+		}
+#endif
+	      break;
+	    }
+	  
+	  if (rc == -1 || bind(new->tcpfd, &iface->addr.sa, sa_len(&iface->addr)) == -1)
 	    {
 	      prettyprint_addr(&iface->addr, daemon->namebuff);
 	      die(_("failed to bind listening socket for %s: %s"), 
 		  daemon->namebuff, EC_BADNET);
 	    }
+	    
+	  if (listen(new->tcpfd, 5) == -1)
+	    die(_("failed to listen on socket: %s"), NULL, EC_BADNET);
 	}
-      else
-	 {
-	   listeners = new;     
-	   if (listen(new->tcpfd, 5) == -1)
-	     die(_("failed to listen on socket: %s"), NULL, EC_BADNET);
-	 }
 
+#ifdef HAVE_TFTP
       if ((daemon->options & OPT_TFTP) && iface->addr.sa.sa_family == AF_INET && iface->dhcp_ok)
 	{
 	  short save = iface->addr.in.sin_port;
@@ -421,18 +467,127 @@ struct listener *create_bound_listeners(void)
 	    die(_("failed to create TFTP socket: %s"), NULL, EC_BADNET);
 	  iface->addr.in.sin_port = save;
 	}
+#endif
+
     }
 
   return listeners;
 }
 
-struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds)
+
+/* return a UDP socket bound to a random port, have to cope with straying into
+   occupied port nos and reserved ones. */
+int random_sock(int family)
+{
+  int fd;
+
+  if ((fd = socket(family, SOCK_DGRAM, 0)) != -1)
+    {
+      union mysockaddr addr;
+      unsigned int ports_avail = 65536u - (unsigned short)daemon->min_port;
+      int tries = ports_avail < 30 ? 3 * ports_avail : 100;
+
+      memset(&addr, 0, sizeof(addr));
+      addr.sa.sa_family = family;
+
+      /* don't loop forever if all ports in use. */
+
+      if (fix_fd(fd))
+	while(tries--)
+	  {
+	    unsigned short port = rand16();
+	    
+	    if (daemon->min_port != 0)
+	      port = htons(daemon->min_port + (port % ((unsigned short)ports_avail)));
+	    
+	    if (family == AF_INET) 
+	      {
+		addr.in.sin_addr.s_addr = INADDR_ANY;
+		addr.in.sin_port = port;
+#ifdef HAVE_SOCKADDR_SA_LEN
+		addr.in.sin_len = sizeof(struct sockaddr_in);
+#endif
+	      }
+#ifdef HAVE_IPV6
+	    else
+	      {
+		addr.in6.sin6_addr = in6addr_any; 
+		addr.in6.sin6_port = port;
+#ifdef HAVE_SOCKADDR_SA_LEN
+		addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+#endif
+	      }
+#endif
+	    
+	    if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0)
+	      return fd;
+	    
+	    if (errno != EADDRINUSE && errno != EACCES)
+	      break;
+	  }
+
+      close(fd);
+    }
+
+  return -1; 
+}
+  
+
+int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
+{
+  union mysockaddr addr_copy = *addr;
+
+  /* cannot set source _port_ for TCP connections. */
+  if (is_tcp)
+    {
+      if (addr_copy.sa.sa_family == AF_INET)
+	addr_copy.in.sin_port = 0;
+#ifdef HAVE_IPV6
+      else
+	addr_copy.in6.sin6_port = 0;
+#endif
+    }
+  
+  if (bind(fd, (struct sockaddr *)&addr_copy, sa_len(&addr_copy)) == -1)
+    return 0;
+    
+#if defined(SO_BINDTODEVICE)
+  if (intname[0] != 0 &&
+      setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, strlen(intname)) == -1)
+    return 0;
+#endif
+
+  return 1;
+}
+
+static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
 {
   struct serverfd *sfd;
+  int errsave;
 
+  /* when using random ports, servers which would otherwise use
+     the INADDR_ANY/port0 socket have sfd set to NULL */
+  if (!daemon->osport && intname[0] == 0)
+    {
+      errno = 0;
+      
+      if (addr->sa.sa_family == AF_INET &&
+	  addr->in.sin_addr.s_addr == INADDR_ANY &&
+	  addr->in.sin_port == htons(0)) 
+	return NULL;
+
+#ifdef HAVE_IPV6
+      if (addr->sa.sa_family == AF_INET6 &&
+	  memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 &&
+	  addr->in6.sin6_port == htons(0)) 
+	return NULL;
+#endif
+    }
+      
   /* may have a suitable one already */
-  for (sfd = *sfds; sfd; sfd = sfd->next )
-    if (sockaddr_isequal(&sfd->source_addr, addr))
+  for (sfd = daemon->sfds; sfd; sfd = sfd->next )
+    if (sockaddr_isequal(&sfd->source_addr, addr) &&
+	strcmp(intname, sfd->interface) == 0)
       return sfd;
   
   /* need to make a new one. */
@@ -446,23 +601,69 @@ struct serverfd *allocate_sfd(union mysockaddr *addr, struct serverfd **sfds)
       return NULL;
     }
   
-  if (bind(sfd->fd, (struct sockaddr *)addr, sa_len(addr)) == -1 ||
-      !fix_fd(sfd->fd))
-    {
-      int errsave = errno; /* save error from bind. */
+  if (!local_bind(sfd->fd, addr, intname, 0) || !fix_fd(sfd->fd))
+    { 
+      errsave = errno; /* save error from bind. */
       close(sfd->fd);
       free(sfd);
       errno = errsave;
       return NULL;
     }
-  
+    
+  strcpy(sfd->interface, intname); 
   sfd->source_addr = *addr;
-  sfd->next = *sfds;
-  *sfds = sfd;
-  
-  return sfd;
+  sfd->next = daemon->sfds;
+  daemon->sfds = sfd;
+  return sfd; 
 }
 
+/* create upstream sockets during startup, before root is dropped which may be needed
+   this allows query_port to be a low port and interface binding */
+void pre_allocate_sfds(void)
+{
+  struct server *srv;
+  
+  if (daemon->query_port != 0)
+    {
+      union  mysockaddr addr;
+      memset(&addr, 0, sizeof(addr));
+      addr.in.sin_family = AF_INET;
+      addr.in.sin_addr.s_addr = INADDR_ANY;
+      addr.in.sin_port = htons(daemon->query_port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+      addr.in.sin_len = sizeof(struct sockaddr_in);
+#endif
+      allocate_sfd(&addr, "");
+#ifdef HAVE_IPV6
+      memset(&addr, 0, sizeof(addr));
+      addr.in6.sin6_family = AF_INET6;
+      addr.in6.sin6_addr = in6addr_any;
+      addr.in6.sin6_port = htons(daemon->query_port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+      addr.in6.sin6_len = sizeof(struct sockaddr_in6);
+#endif
+      allocate_sfd(&addr, "");
+#endif
+    }
+  
+  for (srv = daemon->servers; srv; srv = srv->next)
+    if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
+	!allocate_sfd(&srv->source_addr, srv->interface) &&
+	errno != 0 &&
+	(daemon->options & OPT_NOWILD))
+      {
+	prettyprint_addr(&srv->addr, daemon->namebuff);
+	if (srv->interface[0] != 0)
+	  {
+	    strcat(daemon->namebuff, " ");
+	    strcat(daemon->namebuff, srv->interface);
+	  }
+	die(_("failed to bind server socket for %s: %s"),
+	    daemon->namebuff, EC_BADNET);
+      }  
+}
+
+
 void check_servers(void)
 {
   struct irec *iface;
@@ -496,7 +697,9 @@ void check_servers(void)
 	    }
 	  
 	  /* Do we need a socket set? */
-	  if (!new->sfd && !(new->sfd = allocate_sfd(&new->source_addr, &daemon->sfds)))
+	  if (!new->sfd && 
+	      !(new->sfd = allocate_sfd(&new->source_addr, new->interface)) &&
+	      errno != 0)
 	    {
 	      my_syslog(LOG_WARNING, 
 			_("ignoring nameserver %s - cannot make/bind socket: %s"),
@@ -525,6 +728,8 @@ void check_servers(void)
 	  else if (!(new->flags & SERV_LITERAL_ADDRESS))
 	    my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
 	}
+      else if (new->interface[0] != 0)
+	my_syslog(LOG_INFO, _("using nameserver %s#%d(via %s)"), daemon->namebuff, port, new->interface); 
       else
 	my_syslog(LOG_INFO, _("using nameserver %s#%d"), daemon->namebuff, port); 
     }
@@ -626,9 +831,10 @@ int reload_servers(char *fname)
       serv->addr = addr;
       serv->source_addr = source_addr;
       serv->domain = NULL;
+      serv->interface[0] = 0;
       serv->sfd = NULL;
       serv->flags = SERV_FROM_RESOLV;
-
+      serv->queries = serv->failed_queries = 0;
       gotone = 1;
     }
   

src/rfc1035.c

@@ -1,13 +1,17 @@
-/* dnsmasq is Copyright (c) 2000 - 2006 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -17,8 +21,14 @@ static int add_resource_record(HEADER *header, char *limit, int *truncp,
 			       unsigned long ttl, unsigned int *offset, unsigned short type, 
 			       unsigned short class, char *format, ...);
 
+#define CHECK_LEN(header, pp, plen, len) \
+    ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen))
+
+#define ADD_RDLEN(header, pp, plen, len) \
+    (!CHECK_LEN(header, pp, plen, len) ? 0 : (long)((pp) += (len)), 1)
+
 static int extract_name(HEADER *header, size_t plen, unsigned char **pp, 
-			char *name, int isExtract)
+			char *name, int isExtract, int extrabytes)
 {
   unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
   unsigned int j, l, hops = 0;
@@ -27,19 +37,47 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
   if (isExtract)
     *cp = 0;
 
-  while ((l = *p++))
-    {
-      unsigned int label_type = l & 0xc0;
+  while (1)
+    { 
+      unsigned int label_type;
+
+      if (!CHECK_LEN(header, p, plen, 1))
+	return 0;
+      
+      if ((l = *p++) == 0) 
+	/* end marker */
+	{
+	  /* check that there are the correct no of bytes after the name */
+	  if (!CHECK_LEN(header, p, plen, extrabytes))
+	    return 0;
+	  
+	  if (isExtract)
+	    {
+	      if (cp != (unsigned char *)name)
+		cp--;
+	      *cp = 0; /* terminate: lose final period */
+	    }
+	  else if (*cp != 0)
+	    retvalue = 2;
+	  
+	  if (p1) /* we jumped via compression */
+	    *pp = p1;
+	  else
+	    *pp = p;
+	  
+	  return retvalue;
+	}
+
+      label_type = l & 0xc0;
+      
       if (label_type == 0xc0) /* pointer */
 	{ 
-	  if ((size_t)(p - (unsigned char *)header + 1) >= plen)
+	  if (!CHECK_LEN(header, p, plen, 1))
 	    return 0;
 	      
 	  /* get offset */
 	  l = (l&0x3f) << 8;
 	  l |= *p++;
-	  if (l >= plen) 
-	    return 0;
 	  
 	  if (!p1) /* first jump, save location to go back to */
 	    p1 = p;
@@ -70,7 +108,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	  /* output is \[x<hex>/siz]. which is digs+9 chars */
 	  if (cp - (unsigned char *)name + digs + 9 >= MAXDNAME)
 	    return 0;
-	  if ((size_t)(p - (unsigned char *)header + ((count-1)>>3) + 1) >= plen)
+	  if (!CHECK_LEN(header, p, plen, (count-1)>>3))
 	    return 0;
 
 	  *cp++ = '\\';
@@ -94,12 +132,14 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	{ /* label_type = 0 -> label. */
 	  if (cp - (unsigned char *)name + l + 1 >= MAXDNAME)
 	    return 0;
-	  if ((size_t)(p - (unsigned char *)header + 1) >= plen)
+	  if (!CHECK_LEN(header, p, plen, l))
 	    return 0;
+	  
 	  for(j=0; j<l; j++, p++)
 	    if (isExtract)
 	      {
-		if (legal_char(*p))
+		unsigned char c = *p;
+		if (isascii(c) && !iscntrl(c) && c != '.')
 		  *cp++ = *p;
 		else
 		  return 0;
@@ -128,26 +168,7 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	  else if (*cp != 0 && *cp++ != '.')
 	    retvalue = 2;
 	}
-      
-      if ((unsigned int)(p - (unsigned char *)header) >= plen)
-	return 0;
     }
-
-  if (isExtract)
-    {
-      if (cp != (unsigned char *)name)
-	cp--;
-      *cp = 0; /* terminate: lose final period */
-    }
-  else if (*cp != 0)
-    retvalue = 2;
-    
-  if (p1) /* we jumped via compression */
-    *pp = p1;
-  else
-    *pp = p;
-
-  return retvalue;
 }
  
 /* Max size of input string (for IPv6) is 75 chars.) */
@@ -223,7 +244,7 @@ static int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
       if (*name == '\\' && *(name+1) == '[' && 
 	  (*(name+2) == 'x' || *(name+2) == 'X'))
 	{	  
-	  for (j = 0, cp1 = name+3; *cp1 && isxdigit(*cp1) && j < 32; cp1++, j++)
+	  for (j = 0, cp1 = name+3; *cp1 && isxdigit((int) *cp1) && j < 32; cp1++, j++)
 	    {
 	      char xdig[2];
 	      xdig[0] = *cp1;
@@ -257,15 +278,17 @@ static int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
   return 0;
 }
 
-static unsigned char *skip_name(unsigned char *ansp, HEADER *header, size_t plen)
+static unsigned char *skip_name(unsigned char *ansp, HEADER *header, size_t plen, int extrabytes)
 {
   while(1)
     {
-      unsigned int label_type = (*ansp) & 0xc0;
+      unsigned int label_type;
       
-      if ((unsigned int)(ansp - (unsigned char *)header) >= plen)
+      if (!CHECK_LEN(header, ansp, plen, 1))
 	return NULL;
       
+      label_type = (*ansp) & 0xc0;
+
       if (label_type == 0xc0)
 	{
 	  /* pointer for compression. */
@@ -279,6 +302,9 @@ static unsigned char *skip_name(unsigned char *ansp, HEADER *header, size_t plen
 	  /* Extended label type */
 	  unsigned int count;
 	  
+	  if (!CHECK_LEN(header, ansp, plen, 2))
+	    return NULL;
+	  
 	  if (((*ansp++) & 0x3f) != 1)
 	    return NULL; /* we only understand bitstrings */
 	  
@@ -292,12 +318,17 @@ static unsigned char *skip_name(unsigned char *ansp, HEADER *header, size_t plen
       else
 	{ /* label type == 0 Bottom six bits is length */
 	  unsigned int len = (*ansp++) & 0x3f;
+	  
+	  if (!ADD_RDLEN(header, ansp, plen, len))
+	    return NULL;
+
 	  if (len == 0)
 	    break; /* zero length label marks the end. */
-	  
-	  ansp += len;
 	}
     }
+
+  if (!CHECK_LEN(header, ansp, plen, extrabytes))
+    return NULL;
   
   return ansp;
 }
@@ -309,12 +340,10 @@ static unsigned char *skip_questions(HEADER *header, size_t plen)
 
   for (q = ntohs(header->qdcount); q != 0; q--)
     {
-      if (!(ansp = skip_name(ansp, header, plen)))
+      if (!(ansp = skip_name(ansp, header, plen, 4)))
 	return NULL;
       ansp += 4; /* class and type */
     }
-  if ((unsigned int)(ansp - (unsigned char *)header) > plen) 
-     return NULL;
   
   return ansp;
 }
@@ -325,13 +354,12 @@ static unsigned char *skip_section(unsigned char *ansp, int count, HEADER *heade
   
   for (i = 0; i < count; i++)
     {
-      if (!(ansp = skip_name(ansp, header, plen)))
+      if (!(ansp = skip_name(ansp, header, plen, 10)))
 	return NULL; 
       ansp += 8; /* type, class, TTL */
       GETSHORT(rdlen, ansp);
-      if ((unsigned int)(ansp + rdlen - (unsigned char *)header) > plen) 
+      if (!ADD_RDLEN(header, ansp, plen, rdlen))
 	return NULL;
-      ansp += rdlen;
     }
 
   return ansp;
@@ -351,7 +379,7 @@ unsigned int questions_crc(HEADER *header, size_t plen, char *name)
 
   for (q = ntohs(header->qdcount); q != 0; q--) 
     {
-      if (!extract_name(header, plen, &p, name, 1))
+      if (!extract_name(header, plen, &p, name, 1, 4))
 	return crc; /* bad packet */
       
       for (p1 = (unsigned char *)name; *p1; p1++)
@@ -377,7 +405,7 @@ unsigned int questions_crc(HEADER *header, size_t plen, char *name)
 	}
 
       p += 4;
-      if ((unsigned int)(p - (unsigned char *)header) > plen)
+      if (!CHECK_LEN(header, p, plen, 0))
 	return crc; /* bad packet */
     }
 
@@ -389,12 +417,13 @@ size_t resize_packet(HEADER *header, size_t plen, unsigned char *pheader, size_t
 {
   unsigned char *ansp = skip_questions(header, plen);
     
+  /* if packet is malformed, just return as-is. */
   if (!ansp)
-    return 0;
+    return plen;
   
   if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
 			    header, plen)))
-    return 0;
+    return plen;
     
   /* restore pseudoheader */
   if (pheader && ntohs(header->arcount) == 0)
@@ -428,7 +457,7 @@ unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsi
 	{
 	  for (i = ntohs(header->qdcount); i != 0; i--)
 	    {
-	      if (!(ansp = skip_name(ansp, header, plen)))
+	      if (!(ansp = skip_name(ansp, header, plen, 4)))
 		return NULL;
 	      
 	      GETSHORT(type, ansp); 
@@ -454,7 +483,7 @@ unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsi
   for (i = 0; i < arcount; i++)
     {
       unsigned char *save, *start = ansp;
-      if (!(ansp = skip_name(ansp, header, plen)))
+      if (!(ansp = skip_name(ansp, header, plen, 10)))
 	return NULL; 
 
       GETSHORT(type, ansp);
@@ -462,9 +491,8 @@ unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsi
       GETSHORT(class, ansp);
       ansp += 4; /* TTL */
       GETSHORT(rdlen, ansp);
-      if ((size_t)(ansp + rdlen - (unsigned char *)header) > plen) 
+      if (!ADD_RDLEN(header, ansp, plen, rdlen))
 	return NULL;
-      ansp += rdlen;
       if (type == T_OPT)
 	{
 	  if (len)
@@ -497,6 +525,59 @@ static int private_net(struct in_addr addr)
     ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ;
 }
 
+static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, size_t qlen)
+{
+  int i, qtype, qclass, rdlen;
+  unsigned long ttl;
+
+  for (i = count; i != 0; i--)
+    {
+      if (!(p = skip_name(p, header, qlen, 10)))
+	return 0; /* bad packet */
+      
+      GETSHORT(qtype, p); 
+      GETSHORT(qclass, p);
+      GETLONG(ttl, p);
+      GETSHORT(rdlen, p);
+      
+      if ((qclass == C_IN) && (qtype == T_A))
+	{
+	  struct doctor *doctor;
+	  struct in_addr addr;
+	  
+	  if (!CHECK_LEN(header, p, qlen, INADDRSZ))
+	    return 0;
+	   
+	   /* alignment */
+	  memcpy(&addr, p, INADDRSZ);
+	  
+	  for (doctor = daemon->doctors; doctor; doctor = doctor->next)
+	    {
+	      if (doctor->end.s_addr == 0)
+		{
+		  if (!is_same_net(doctor->in, addr, doctor->mask))
+		    continue;
+		}
+	      else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) || 
+		       ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
+		continue;
+	     
+	      addr.s_addr &= ~doctor->mask.s_addr;
+	      addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
+	      /* Since we munged the data, the server it came from is no longer authoritative */
+	      header->aa = 0;
+	      memcpy(p, &addr, INADDRSZ);
+	      break;
+	    }
+	}
+      
+      if (!ADD_RDLEN(header, p, qlen, rdlen))
+	 return 0; /* bad packet */
+    }
+  
+  return p; 
+}
+
 static int find_soa(HEADER *header, size_t qlen)
 {
   unsigned char *p;
@@ -506,12 +587,12 @@ static int find_soa(HEADER *header, size_t qlen)
   
   /* first move to NS section and find TTL from any SOA section */
   if (!(p = skip_questions(header, qlen)) ||
-      !(p = skip_section(p, ntohs(header->ancount), header, qlen)))
-    return 0; /* bad packet */
+      !(p = do_doctor(p, ntohs(header->ancount), header, qlen)))
+    return 0;  /* bad packet */
   
   for (i = ntohs(header->nscount); i != 0; i--)
     {
-      if (!(p = skip_name(p, header, qlen)))
+      if (!(p = skip_name(p, header, qlen, 10)))
 	return 0; /* bad packet */
       
       GETSHORT(qtype, p); 
@@ -526,10 +607,10 @@ static int find_soa(HEADER *header, size_t qlen)
 	    minttl = ttl;
 
 	  /* MNAME */
-	  if (!(p = skip_name(p, header, qlen)))
+	  if (!(p = skip_name(p, header, qlen, 0)))
 	    return 0;
 	  /* RNAME */
-	  if (!(p = skip_name(p, header, qlen)))
+	  if (!(p = skip_name(p, header, qlen, 20)))
 	    return 0;
 	  p += 16; /* SERIAL REFRESH RETRY EXPIRE */
 	  
@@ -537,59 +618,27 @@ static int find_soa(HEADER *header, size_t qlen)
 	  if (ttl < minttl)
 	    minttl = ttl;
 	}
-      else
-	p += rdlen;
-      
-      if ((size_t)(p - (unsigned char *)header) > qlen)
+      else if (!ADD_RDLEN(header, p, qlen, rdlen))
 	return 0; /* bad packet */
     }
- 
-  if (daemon->doctors)
-    for (i = ntohs(header->arcount); i != 0; i--)
-      {
-	if (!(p = skip_name(p, header, qlen)))
-	  return 0; /* bad packet */
-      
-	GETSHORT(qtype, p); 
-	GETSHORT(qclass, p);
-	GETLONG(ttl, p);
-	GETSHORT(rdlen, p);
-	
-	if ((qclass == C_IN) && (qtype == T_A))
-	  {
-	    struct doctor *doctor;
-	    struct in_addr addr;
-	    
-	    /* alignment */
-	    memcpy(&addr, p, INADDRSZ);
-	    
-	    for (doctor = daemon->doctors; doctor; doctor = doctor->next)
-	      if (is_same_net(doctor->in, addr, doctor->mask))
-		{
-		  addr.s_addr &= ~doctor->mask.s_addr;
-		  addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
-		  /* Since we munged the data, the server it came from is no longer authoritative */
-		  header->aa = 0;
-		  memcpy(p, &addr, INADDRSZ);
-		  break;
-		}
-	  }
-	
-	p += rdlen;
-	
-	if ((size_t)(p - (unsigned char *)header) > qlen)
-	  return 0; /* bad packet */
-      }
- 
-  return found_soa ? minttl : 0;
+  
+  /* rewrite addresses in additioal section too */
+  if (!do_doctor(p, ntohs(header->arcount), header, qlen))
+    return 0;
+  
+  if (!found_soa)
+    minttl = daemon->neg_ttl;
+
+  return minttl;
 }
 
 /* Note that the following code can create CNAME chains that don't point to a real record,
    either because of lack of memory, or lack of SOA records.  These are treated by the cache code as 
-   expired and cleaned out that way. */
-void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
+   expired and cleaned out that way. 
+   Return 1 if we reject an address because it look like parct of dns-rebinding attack. */
+int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 {
-  unsigned char *p, *p1, *endrr;
+  unsigned char *p, *p1, *endrr, *namep;
   int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
   unsigned long ttl = 0;
   struct all_addr addr;
@@ -613,8 +662,9 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
       int flags = header->rcode == NXDOMAIN ? F_NXDOMAIN : 0;
       unsigned long cttl = ULONG_MAX, attl;
       
-      if (!extract_name(header, qlen, &p, name, 1))
-	return; /* bad packet */
+      namep = p;
+      if (!extract_name(header, qlen, &p, name, 1, 4))
+	return 0; /* bad packet */
            
       GETSHORT(qtype, p); 
       GETSHORT(qclass, p);
@@ -635,12 +685,15 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 	    {
 	    cname_loop:
 	      if (!(p1 = skip_questions(header, qlen)))
-		return;
+		return 0;
 	      
 	      for (j = ntohs(header->ancount); j != 0; j--) 
 		{
-		  if (!(res = extract_name(header, qlen, &p1, name, 0)))
-		    return; /* bad packet */
+		  unsigned char *tmp = namep;
+		  /* the loop body overwrites the original name, so get it back here. */
+		  if (!extract_name(header, qlen, &tmp, name, 1, 0) ||
+		      !(res = extract_name(header, qlen, &p1, name, 0, 10)))
+		    return 0; /* bad packet */
 		  
 		  GETSHORT(aqtype, p1); 
 		  GETSHORT(aqclass, p1);
@@ -654,13 +707,13 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 
 		  if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
 		    {
-		      if (!extract_name(header, qlen, &p1, name, 1))
-			return;
+		      if (!extract_name(header, qlen, &p1, name, 1, 0))
+			return 0;
 		      
 		      if (aqtype == T_CNAME)
 			{
 			  if (!cname_count--)
-			    return; /* looped CNAMES */
+			    return 0; /* looped CNAMES */
 			  goto cname_loop;
 			}
 		      
@@ -669,8 +722,8 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		    }
 		  
 		  p1 = endrr;
-		  if ((size_t)(p1 - (unsigned char *)header) > qlen)
-		    return; /* bad packet */
+		  if (!CHECK_LEN(header, p1, qlen, 0))
+		    return 0; /* bad packet */
 		}
 	    }
 	  
@@ -710,12 +763,12 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 	    {
 	    cname_loop1:
 	      if (!(p1 = skip_questions(header, qlen)))
-		return;
+		return 0;
 	      
 	      for (j = ntohs(header->ancount); j != 0; j--) 
 		{
-		  if (!(res = extract_name(header, qlen, &p1, name, 0)))
-		    return; /* bad packet */
+		  if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
+		    return 0; /* bad packet */
 		  
 		  GETSHORT(aqtype, p1); 
 		  GETSHORT(aqclass, p1);
@@ -728,7 +781,7 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		      if (aqtype == T_CNAME)
 			{
 			  if (!cname_count--)
-			    return; /* looped CNAMES */
+			    return 0; /* looped CNAMES */
 			  newc = cache_insert(name, NULL, now, attl, F_CNAME | F_FORWARD);
 			  if (newc && cpp)
 			    {
@@ -740,15 +793,25 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 			  if (attl < cttl)
 			    cttl = attl;
 			  
-			  if (!extract_name(header, qlen, &p1, name, 1))
-			    return;
+			  if (!extract_name(header, qlen, &p1, name, 1, 0))
+			    return 0;
 			  goto cname_loop1;
 			}
 		      else
 			{
 			  found = 1;
+			  
 			  /* copy address into aligned storage */
+			  if (!CHECK_LEN(header, p1, qlen, addrlen))
+			    return 0; /* bad packet */
 			  memcpy(&addr, p1, addrlen);
+			  
+			  /* check for returned address in private space */
+			  if ((daemon->options & OPT_NO_REBIND) &&
+			      (flags & F_IPV4) &&
+			      private_net(addr.addr.addr4))
+			    return 1;
+			  
 			  newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD);
 			  if (newc && cpp)
 			    {
@@ -760,8 +823,8 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		    }
 		  
 		  p1 = endrr;
-		  if ((size_t)(p1 - (unsigned char *)header) > qlen)
-		    return; /* bad packet */
+		  if (!CHECK_LEN(header, p1, qlen, 0))
+		    return 0; /* bad packet */
 		}
 	    }
 	  
@@ -773,7 +836,7 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		  ttl = find_soa(header, qlen);
 		}
 	      /* If there's no SOA to get the TTL from, but there is a CNAME 
-		 pointing at this, inherit it's TTL */
+		 pointing at this, inherit its TTL */
 	      if (ttl || cpp)
 		{
 		  newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags);	
@@ -787,7 +850,11 @@ void extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 	}
     }
   
-  cache_end_insert();
+  /* Don't put stuff from a truncated packet into the cache, but do everything else */
+  if (!header->tc)
+    cache_end_insert();
+
+  return 0;
 }
 
 /* If the packet holds exactly one query
@@ -805,7 +872,7 @@ unsigned short extract_request(HEADER *header, size_t qlen, char *name, unsigned
   if (ntohs(header->qdcount) != 1 || header->opcode != QUERY)
     return 0; /* must be exactly one query. */
   
-  if (!extract_name(header, qlen, &p, name, 1))
+  if (!extract_name(header, qlen, &p, name, 1, 4))
     return 0; /* bad packet */
    
   GETSHORT(qtype, p); 
@@ -844,7 +911,7 @@ size_t setup_reply(HEADER *header, size_t qlen,
   header->ancount = htons(0); /* no answers unless changed below */
   if (flags == F_NEG)
     header->rcode = SERVFAIL; /* couldn't get memory */
-  else if (flags == F_NOERR || flags == F_QUERY)
+  else if (flags == F_NOERR)
     header->rcode = NOERROR; /* empty domain */
   else if (flags == F_NXDOMAIN)
     header->rcode = NXDOMAIN;
@@ -919,7 +986,7 @@ int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name,
 
   for (i = ntohs(header->ancount); i != 0; i--)
     {
-      if (!extract_name(header, qlen, &p, name, 1))
+      if (!extract_name(header, qlen, &p, name, 1, 10))
 	return 0; /* bad packet */
   
       GETSHORT(qtype, p); 
@@ -928,19 +995,25 @@ int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name,
       GETSHORT(rdlen, p);
       
       if (qclass == C_IN && qtype == T_A)
-	for (baddrp = baddr; baddrp; baddrp = baddrp->next)
-	  if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
-	    {
-	      /* Found a bogus address. Insert that info here, since there no SOA record
-		 to get the ttl from in the normal processing */
-	      cache_start_insert();
-	      cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN | F_CONFIG);
-	      cache_end_insert();
-	      
-	      return 1;
-	    }
+	{
+	  if (!CHECK_LEN(header, p, qlen, INADDRSZ))
+	    return 0;
+	  
+	  for (baddrp = baddr; baddrp; baddrp = baddrp->next)
+	    if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
+	      {
+		/* Found a bogus address. Insert that info here, since there no SOA record
+		   to get the ttl from in the normal processing */
+		cache_start_insert();
+		cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN | F_CONFIG);
+		cache_end_insert();
+		
+		return 1;
+	      }
+	}
       
-      p += rdlen;
+      if (!ADD_RDLEN(header, p, qlen, rdlen))
+	return 0;
     }
   
   return 0;
@@ -1010,6 +1083,16 @@ static int add_resource_record(HEADER *header, char *limit, int *truncp, unsigne
 	memcpy(p, sval, usval);
 	p += usval;
 	break;
+
+      case 'z':
+	sval = va_arg(ap, char *);
+	usval = sval ? strlen(sval) : 0;
+	if (usval > 255)
+	  usval = 255;
+	*p++ = (unsigned char)usval;
+	memcpy(p, sval, usval);
+	p += usval;
+	break;
       }
 
   va_end(ap);	/* clean up variable argument pointer */
@@ -1029,6 +1112,18 @@ static int add_resource_record(HEADER *header, char *limit, int *truncp, unsigne
   return 1;
 }
 
+static unsigned long crec_ttl(struct crec *crecp, time_t now)
+{
+  /* Return 0 ttl for DHCP entries, which might change
+     before the lease expires. */
+
+  if  (crecp->flags & (F_IMMORTAL | F_DHCP))
+    return daemon->local_ttl;
+  
+  return crecp->ttd - now;
+}
+  
+
 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(HEADER *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, time_t now) 
@@ -1093,7 +1188,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
       nameoffset = p - (unsigned char *)header;
 
       /* now extract name as .-concatenated string into name */
-      if (!extract_name(header, qlen, &p, name, 1))
+      if (!extract_name(header, qlen, &p, name, 1, 4))
 	return 0; /* bad packet */
             
       GETSHORT(qtype, p); 
@@ -1111,7 +1206,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  ans = 1;
 		  if (!dryrun)
 		    {
-		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, 0, NULL, 0);
+		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<TXT>");
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					      daemon->local_ttl, NULL,
 					      T_TXT, t->class, "t", t->len, t->txt))
@@ -1150,7 +1245,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  ans = 1;
 		  if (!dryrun)
 		    {
-		      log_query(F_IPV4 | F_REVERSE | F_CONFIG, intr->name, &addr, 0, NULL, 0);
+		      log_query(F_IPV4 | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					      daemon->local_ttl, NULL,
 					      T_PTR, C_IN, "d", intr->name))
@@ -1162,7 +1257,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  ans = 1;
 		  if (!dryrun)
 		    {
-		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_BIGNAME, name, NULL, 0, NULL, 0);
+		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<PTR>");
 		      for (ptr = daemon->ptr; ptr; ptr = ptr->next)
 			if (hostname_isequal(name, ptr->name) &&
 			    add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -1186,7 +1281,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			if (crecp->flags & F_NXDOMAIN)
 			  nxdomain = 1;
 			if (!dryrun)
-			  log_query(crecp->flags & ~F_FORWARD, name, &addr, 0, NULL, 0);
+			  log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
 		      }
 		    else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd)
 		      {
@@ -1195,18 +1290,11 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			  auth = 0;
 			if (!dryrun)
 			  {
-			    unsigned long ttl;
-			    /* Return 0 ttl for DHCP entries, which might change
-			       before the lease expires. */
-			    if  (crecp->flags & (F_IMMORTAL | F_DHCP))
-			      ttl = daemon->local_ttl;
-			    else
-			      ttl = crecp->ttd - now;
+			    log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, 
+				      record_source(crecp->uid));
 			    
-			    log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr,
-				      0, daemon->addn_hosts, crecp->uid);
-			    
-			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, ttl, NULL,
+			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						    crec_ttl(crecp, now), NULL,
 						    T_PTR, C_IN, "d", cache_get_name(crecp)))
 			      anscount++;
 			  }
@@ -1221,7 +1309,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  nxdomain = 1;
 		  if (!dryrun)
 		    log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, 
-			      name, &addr, 0, NULL, 0);
+			      name, &addr, NULL);
 		}
 	    }
 	    
@@ -1245,7 +1333,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  ans = 1;
 		  if (!dryrun)
 		    {
-		      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, 0, NULL, 0);
+		      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					      daemon->local_ttl, NULL, type, C_IN, "4", &addr))
 			anscount++;
@@ -1268,10 +1356,10 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		      if (!dryrun)
 			{
 			  if ((addr.addr.addr4 = get_ifaddr(intr->intr)).s_addr == (in_addr_t) -1)
-			    log_query(F_FORWARD | F_CONFIG | F_IPV4 | F_NEG, name, NULL, 0, NULL, 0);
+			    log_query(F_FORWARD | F_CONFIG | F_IPV4 | F_NEG, name, NULL, NULL);
 			  else
 			    {
-			      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, 0, NULL, 0);
+			      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						      daemon->local_ttl, NULL, type, C_IN, "4", &addr))
 				anscount++;
@@ -1313,8 +1401,9 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			{
 			  if (!dryrun)
 			    {
-			      log_query(crecp->flags, name, NULL, 0, daemon->addn_hosts, crecp->uid);
-			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, crecp->ttd - now, &nameoffset,
+			      log_query(crecp->flags, name, NULL, record_source(crecp->uid));
+			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						      crec_ttl(crecp, now), &nameoffset,
 						      T_CNAME, C_IN, "d", cache_get_name(crecp->addr.cname.cache)))
 				anscount++;
 			    }
@@ -1330,7 +1419,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			  if (crecp->flags & F_NXDOMAIN)
 			    nxdomain = 1;
 			  if (!dryrun)
-			    log_query(crecp->flags, name, NULL, 0, NULL, 0);
+			    log_query(crecp->flags, name, NULL, NULL);
 			}
 		      else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd)
 			{
@@ -1347,17 +1436,11 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			  ans = 1;
 			  if (!dryrun)
 			    {
-			      unsigned long ttl;
-			      
-			      if  (crecp->flags & (F_IMMORTAL | F_DHCP))
-				ttl = daemon->local_ttl;
-			      else
-				ttl = crecp->ttd - now;
-			      
 			      log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr,
-					0, daemon->addn_hosts, crecp->uid);
+					record_source(crecp->uid));
 			      
-			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, ttl, NULL, type, C_IN, 
+			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						      crec_ttl(crecp, now), NULL, type, C_IN, 
 						      type == T_A ? "4" : "6", &crecp->addr))
 				anscount++;
 			    }
@@ -1376,7 +1459,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  if (!dryrun)
 		    {
 		      unsigned int offset;
-		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_IPV4, name, NULL, 0, NULL, 0);
+		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<MX>");
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
 					      &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
 			{
@@ -1393,7 +1476,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  ans = 1;
 		  if (!dryrun)
 		    {
-		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_IPV4, name, NULL, 0, NULL, 0);
+		      log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<MX>");
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL, 
 					      T_MX, C_IN, "sd", 1, 
 					      (daemon->options & OPT_SELFMX) ? name : daemon->mxtarget))
@@ -1413,7 +1496,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		    if (!dryrun)
 		      {
 			unsigned int offset;
-			log_query(F_CNAME | F_FORWARD | F_CONFIG | F_IPV6, name, NULL, 0, NULL, 0);
+			log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<SRV>");
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, 
 						&offset, T_SRV, C_IN, "sssd", 
 						rec->priority, rec->weight, rec->srvport, rec->target))
@@ -1429,9 +1512,27 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		{
 		  ans = 1;
 		  if (!dryrun)
-		    log_query(F_CONFIG | F_NEG, name, NULL, 0, NULL, 0);
+		    log_query(F_CONFIG | F_NEG, name, NULL, NULL);
 		}
 	    }
+
+	  if (qtype == T_NAPTR || qtype == T_ANY)
+	    {
+	      struct naptr *na;
+	      for (na = daemon->naptr; na; na = na->next)
+		if (hostname_isequal(name, na->name))
+		  {
+		    ans = 1;
+		    if (!dryrun)
+		      {
+			log_query(F_CNAME | F_FORWARD | F_CONFIG | F_NXDOMAIN, name, NULL, "<NAPTR>");
+			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, 
+						NULL, T_NAPTR, C_IN, "sszzzd", 
+						na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
+			  anscount++;
+		      }
+		  }
+	    }
 	  
 	  if (qtype == T_MAILB)
 	    ans = 1, nxdomain = 1;
@@ -1440,7 +1541,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 	    {
 	      ans = 1; 
 	      if (!dryrun)
-		log_query(F_CONFIG | F_NEG, name, &addr, 0, NULL, 0);
+		log_query(F_CONFIG | F_NEG, name, &addr, NULL);
 	    }
 	}
 
@@ -1467,7 +1568,6 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 	crecp = NULL;
 	while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
 	  {
-	    unsigned long ttl;
 #ifdef HAVE_IPV6
 	    int type =  crecp->flags & F_IPV4 ? T_A : T_AAAA;
 #else
@@ -1476,12 +1576,8 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 	    if (crecp->flags & F_NEG)
 	      continue;
 
-	    if  (crecp->flags & (F_IMMORTAL | F_DHCP))
-	      ttl = daemon->local_ttl;
-	    else
-	      ttl = crecp->ttd - now;
-	    
-	    if (add_resource_record(header, limit, NULL, rec->offset, &ansp, ttl, NULL, type, C_IN, 
+	    if (add_resource_record(header, limit, NULL, rec->offset, &ansp, 
+				    crec_ttl(crecp, now), NULL, type, C_IN, 
 				    crecp->flags & F_IPV4 ? "4" : "6", &crecp->addr))
 	      addncount++;
 	  }

src/tftp.c

@@ -1,13 +1,17 @@
-/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -41,18 +45,23 @@ void tftp_request(struct listener *listen, time_t now)
   char *filename, *mode, *p, *end, *opt;
   struct sockaddr_in addr, peer;
   struct msghdr msg;
-  struct cmsghdr *cmptr;
   struct iovec iov;
   struct ifreq ifr;
-  int is_err = 1, if_index = 0;
+  int is_err = 1, if_index = 0, mtu = 0;
   struct iname *tmp;
   struct tftp_transfer *transfer;
-
+  int port = daemon->start_tftp_port; /* may be zero to use ephemeral port */
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+  int mtuflag = IP_PMTUDISC_DONT;
+#endif
+  
   union {
     struct cmsghdr align; /* this ensures alignment */
-#ifdef HAVE_LINUX_NETWORK
+#if defined(HAVE_LINUX_NETWORK)
     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
-#else
+#elif defined(HAVE_SOLARIS_NETWORK)
+    char control[CMSG_SPACE(sizeof(unsigned int))];
+#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
     char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
 #endif
   } control_u; 
@@ -75,9 +84,15 @@ void tftp_request(struct listener *listen, time_t now)
     return;
   
   if (daemon->options & OPT_NOWILD)
-    addr = listen->iface->addr.in;
+    {
+      addr = listen->iface->addr.in;
+      mtu = listen->iface->mtu;
+    }
   else
     {
+      char name[IF_NAMESIZE];
+      struct cmsghdr *cmptr;
+      
       addr.sin_addr.s_addr = 0;
       
 #if defined(HAVE_LINUX_NETWORK)
@@ -87,38 +102,40 @@ void tftp_request(struct listener *listen, time_t now)
 	    addr.sin_addr = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_spec_dst;
 	    if_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
 	  }
-      if (!(ifr.ifr_ifindex = if_index) || 
-	  ioctl(listen->tftpfd, SIOCGIFNAME, &ifr) == -1)
-	return;
       
+#elif defined(HAVE_SOLARIS_NETWORK)
+      for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+	if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+	  addr.sin_addr = *((struct in_addr *)CMSG_DATA(cmptr));
+	else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	  if_index = *((unsigned int *)CMSG_DATA(cmptr));
+
+
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
       for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
 	  addr.sin_addr = *((struct in_addr *)CMSG_DATA(cmptr));
 	else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
 	  if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
-      
-      if (if_index == 0 || !if_indextoname(if_index, ifr.ifr_name))
-	return;
-      
+           
 #endif
       
-      if (addr.sin_addr.s_addr == 0)
-	return;
-      
-      if (!iface_check(AF_INET, (struct all_addr *)&addr.sin_addr, 
-		       &ifr, &if_index))
+      if (!indextoname(listen->tftpfd, if_index, name) ||
+	  addr.sin_addr.s_addr == 0 ||
+	  !iface_check(AF_INET, (struct all_addr *)&addr.sin_addr, name, &if_index))
 	return;
       
       /* allowed interfaces are the same as for DHCP */
       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
+	if (tmp->name && (strcmp(tmp->name, name) == 0))
 	  return;
-      
+     
+      strncpy(name, ifr.ifr_name, IF_NAMESIZE);
+      if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) != -1)
+	mtu = ifr.ifr_mtu;      
     }
   
-  /* tell kernel to use ephemeral port */
-  addr.sin_port = 0;
+  addr.sin_port = htons(port);
   addr.sin_family = AF_INET;
 #ifdef HAVE_SOCKADDR_SA_LEN
   addr.sin_len = sizeof(addr);
@@ -138,64 +155,94 @@ void tftp_request(struct listener *listen, time_t now)
   transfer->backoff = 1;
   transfer->block = 1;
   transfer->blocksize = 512;
+  transfer->offset = 0;
   transfer->file = NULL;
   transfer->opt_blocksize = transfer->opt_transize = 0;
+  transfer->netascii = transfer->carrylf = 0;
 
-  if (bind(transfer->sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
-      !fix_fd(transfer->sockfd))
+  /* if we have a nailed-down range, iterate until we find a free one. */
+  while (1)
     {
-      free_transfer(transfer);
-      return;
+      if (bind(transfer->sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+	  setsockopt(transfer->sockfd, SOL_IP, IP_MTU_DISCOVER, &mtuflag, sizeof(mtuflag)) == -1 ||
+#endif
+	  !fix_fd(transfer->sockfd))
+	{
+	  if (errno == EADDRINUSE && daemon->start_tftp_port != 0)
+	    {
+	      if (++port <= daemon->end_tftp_port)
+		{ 
+		  addr.sin_port = htons(port);
+		  continue;
+		}
+	      my_syslog(MS_TFTP | LOG_ERR, _("unable to get free port for TFTP"));
+	    }
+	  free_transfer(transfer);
+	  return;
+	}
+      break;
     }
-
+  
   p = packet + 2;
   end = packet + len;
 
   if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
       !(filename = next(&p, end)) ||
       !(mode = next(&p, end)) ||
-      strcasecmp(mode, "octet") != 0)
+      (strcasecmp(mode, "octet") != 0 && strcasecmp(mode, "netascii") != 0))
     len = tftp_err(ERR_ILL, packet, _("unsupported request from %s"), inet_ntoa(peer.sin_addr));
   else
     {
+      if (strcasecmp(mode, "netascii") == 0)
+	transfer->netascii = 1;
+      
       while ((opt = next(&p, end)))
 	{
-	  if (strcasecmp(opt, "blksize") == 0 &&
-	      (opt = next(&p, end)) &&
-	      !(daemon->options & OPT_TFTP_NOBLOCK))
+	  if (strcasecmp(opt, "blksize") == 0)
 	    {
-	      transfer->blocksize = atoi(opt);
-	      if (transfer->blocksize < 1)
-		transfer->blocksize = 1;
-	      if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
-		transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
-	      transfer->opt_blocksize = 1;
-	      transfer->block = 0;
+	      if ((opt = next(&p, end)) &&
+		  !(daemon->options & OPT_TFTP_NOBLOCK))
+		{
+		  transfer->blocksize = atoi(opt);
+		  if (transfer->blocksize < 1)
+		    transfer->blocksize = 1;
+		  if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+		    transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+		  /* 32 bytes for IP, UDP and TFTP headers */
+		  if (mtu != 0 && transfer->blocksize > (unsigned)mtu - 32)
+		    transfer->blocksize = (unsigned)mtu - 32;
+		  transfer->opt_blocksize = 1;
+		  transfer->block = 0;
+		}
 	    }
-	  
-	  if (strcasecmp(opt, "tsize") == 0 && next(&p, end))
+	  else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
 	    {
 	      transfer->opt_transize = 1;
 	      transfer->block = 0;
 	    }
 	}
 
+      /* cope with backslashes from windows boxen. */
+      while ((p = strchr(filename, '\\')))
+	*p = '/';
+
       strcpy(daemon->namebuff, "/");
       if (daemon->tftp_prefix)
 	{
 	  if (daemon->tftp_prefix[0] == '/')
 	    daemon->namebuff[0] = 0;
-	  strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
+	  strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
 	  if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
-	    strncat(daemon->namebuff, "/", MAXDNAME);
+	    strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
 
 	  if (daemon->options & OPT_TFTP_APREF)
 	    {
 	      size_t oldlen = strlen(daemon->namebuff);
 	      struct stat statbuf;
 	      
-	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
-	      strncat(daemon->namebuff, "/", MAXDNAME);
+	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
+	      strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
 	      
 	      /* remove unique-directory if it doesn't exist */
 	      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
@@ -213,8 +260,7 @@ void tftp_request(struct listener *listen, time_t now)
 	}
       else if (filename[0] == '/')
 	daemon->namebuff[0] = 0;
-      strncat(daemon->namebuff, filename, MAXDNAME);
-      daemon->namebuff[MAXDNAME-1] = 0;
+      strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
 
       /* check permissions and open file */
       if ((transfer->file = check_tftp_fileperm(&len)))
@@ -233,7 +279,7 @@ void tftp_request(struct listener *listen, time_t now)
     free_transfer(transfer);
   else
     {
-      my_syslog(LOG_INFO, _("TFTP sent %s to %s"), daemon->namebuff, inet_ntoa(peer.sin_addr));
+      my_syslog(MS_TFTP | LOG_INFO, _("TFTP sent %s to %s"), daemon->namebuff, inet_ntoa(peer.sin_addr));
       transfer->next = daemon->tftp_trans;
       daemon->tftp_trans = transfer;
     }
@@ -348,7 +394,8 @@ void check_tftp_listeners(fd_set *rset, time_t now)
 		  /* Got ack, ensure we take the (re)transmit path */
 		  transfer->timeout = now;
 		  transfer->backoff = 0;
-		  transfer->block++;
+		  if (transfer->block++ != 0)
+		    transfer->offset += transfer->blocksize - transfer->expansion;
 		}
 	      else if (ntohs(mess->op) == OP_ERR)
 		{
@@ -362,11 +409,11 @@ void check_tftp_listeners(fd_set *rset, time_t now)
 		    {
 		      char *q, *r;
 		      for (q = r = err; *r; r++)
-			if (isprint(*r))
+			if (isprint((int)*r))
 			  *(q++) = *r;
 		      *q = 0;
 		    }
-		  my_syslog(LOG_ERR, _("TFTP error %d %s received from %s"),
+		  my_syslog(MS_TFTP | LOG_ERR, _("TFTP error %d %s received from %s"),
 			    (int)ntohs(mess->block), err, 
 			    inet_ntoa(transfer->peer.sin_addr));	
 		  
@@ -397,7 +444,7 @@ void check_tftp_listeners(fd_set *rset, time_t now)
 	      /* don't complain about timeout when we're awaiting the last
 		 ACK, some clients never send it */
 	      if (len != 0)
-		my_syslog(LOG_ERR, _("TFTP failed sending %s to %s"), 
+		my_syslog(MS_TFTP | LOG_ERR, _("TFTP failed sending %s to %s"), 
 			  transfer->file->filename, inet_ntoa(transfer->peer.sin_addr));
 	      len = 0;
 	    }
@@ -456,8 +503,7 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
   mess->op = htons(OP_ERR);
   mess->err = htons(err);
   ret += (snprintf(mess->message, 500,  message, file, errstr) + 1);
-  if (err != ERR_FNF)
-    my_syslog(LOG_ERR, "TFTP %s", mess->message);
+  my_syslog(MS_TFTP | LOG_ERR, "TFTP %s", mess->message);
   
   return  ret;
 }
@@ -502,24 +548,52 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
 	unsigned char data[];
       } *mess = (struct datamess *)packet;
       
-      off_t offset = transfer->blocksize * (transfer->block - 1);
-      size_t size = transfer->file->size - offset; 
+      size_t size = transfer->file->size - transfer->offset; 
       
-      if (offset > transfer->file->size)
+      if (transfer->offset > transfer->file->size)
 	return 0; /* finished */
       
       if (size > transfer->blocksize)
 	size = transfer->blocksize;
       
-      lseek(transfer->file->fd, offset, SEEK_SET);
-      
       mess->op = htons(OP_DATA);
       mess->block = htons((unsigned short)(transfer->block));
       
-      if (!read_write(transfer->file->fd, mess->data, size, 1))
+      if (lseek(transfer->file->fd, transfer->offset, SEEK_SET) == (off_t)-1 ||
+	  !read_write(transfer->file->fd, mess->data, size, 1))
 	return -1;
-      else
-	return size + 4;
+      
+      transfer->expansion = 0;
+      
+      /* Map '\n' to CR-LF in netascii mode */
+      if (transfer->netascii)
+	{
+	  size_t i;
+	  int newcarrylf;
+
+	  for (i = 0, newcarrylf = 0; i < size; i++)
+	    if (mess->data[i] == '\n' && ( i != 0 || !transfer->carrylf))
+	      {
+		if (size == transfer->blocksize)
+		  {
+		    transfer->expansion++;
+		    if (i == size - 1)
+		      newcarrylf = 1; /* don't expand LF again if it moves to the next block */
+		  }
+		else
+		  size++; /* room in this block */
+	      
+		/* make space and insert CR */
+		memmove(&mess->data[i+1], &mess->data[i], size - (i + 1));
+		mess->data[i] = '\r';
+		
+		i++;
+	      }
+	  transfer->carrylf = newcarrylf;
+	  
+	}
+
+      return size + 4;
     }
 }
 

src/util.c

@@ -1,17 +1,22 @@
-/* dnsmasq is Copyright (c) 2000 - 2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
+      
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+/* The SURF random number generator was taken from djbdns-1.05, by 
+   Daniel J Bernstein, which is public domain. */
 
-/* Some code in this file contributed by Rob Funk. */
 
 #include "dnsmasq.h"
 
@@ -19,117 +24,184 @@
 #include <sys/times.h>
 #endif
 
-/* Prefer arc4random(3) over random(3) over rand(3) */
-/* Also prefer /dev/urandom over /dev/random, to preserve the entropy pool */
-#ifdef HAVE_ARC4RANDOM
-# define rand()		arc4random()
-# define srand(s)	(void)0
-# define RANDFILE	(NULL)
-#else
-# ifdef HAVE_RANDOM
-#  define rand()	random()
-#  define srand(s)	srandom(s)
-# endif
-# ifdef HAVE_DEV_URANDOM
-#  define RANDFILE	"/dev/urandom"
-# else
-#  ifdef HAVE_DEV_RANDOM
-#   define RANDFILE	"/dev/random"
-#  else
-#   define RANDFILE	(NULL)
-#  endif
-# endif
+#ifdef LOCALEDIR
+#include <idna.h>
 #endif
 
+#ifdef HAVE_ARC4RANDOM
+void rand_init(void)
+{
+  return;
+}
+
 unsigned short rand16(void)
 {
-  static int been_seeded = 0;
-  const char *randfile = RANDFILE;
+   return (unsigned short) (arc4random() >> 15);
+}
+
+#else
+
+/* SURF random number generator */
+
+typedef unsigned int uint32;
+
+static uint32 seed[32];
+static uint32 in[12];
+static uint32 out[8];
+
+void rand_init()
+{
+  int fd = open(RANDFILE, O_RDONLY);
   
-  if (! been_seeded) 
-    {
-      int fd, n = 0;
-      unsigned int c = 0, seed = 0, badseed;
-      char sbuf[sizeof(seed)];
-      char *s;
-      struct timeval now;
+  if (fd == -1 ||
+      !read_write(fd, (unsigned char *)&seed, sizeof(seed), 1) ||
+      !read_write(fd, (unsigned char *)&in, sizeof(in), 1))
+    die(_("failed to seed the random number generator: %s"), NULL, EC_MISC);
+  
+  close(fd);
+}
 
-      /* get the bad seed as a backup */
-      /* (but we'd rather have something more random) */
-      gettimeofday(&now, NULL);
-      badseed = now.tv_sec ^ now.tv_usec ^ (getpid() << 16);
-      
-      fd = open(randfile, O_RDONLY);
-      if (fd < 0) 
-	seed = badseed;
-      else
-	{
-	  s = (char *) &seed;
-	  while ((c < sizeof(seed)) &&
-		 ((n = read(fd, sbuf, sizeof(seed)) > 0))) 
-	    {
-	      memcpy(s, sbuf, n);
-	      s += n;
-	      c += n;
-	    }
-	  if (n < 0)
-	    seed = badseed;
-	  close(fd);
-	}
+#define ROTATE(x,b) (((x) << (b)) | ((x) >> (32 - (b))))
+#define MUSH(i,b) x = t[i] += (((x ^ seed[i]) + sum) ^ ROTATE(x,b));
 
-      srand(seed);
-      been_seeded = 1;
+static void surf(void)
+{
+  uint32 t[12]; uint32 x; uint32 sum = 0;
+  int r; int i; int loop;
+
+  for (i = 0;i < 12;++i) t[i] = in[i] ^ seed[12 + i];
+  for (i = 0;i < 8;++i) out[i] = seed[24 + i];
+  x = t[11];
+  for (loop = 0;loop < 2;++loop) {
+    for (r = 0;r < 16;++r) {
+      sum += 0x9e3779b9;
+      MUSH(0,5) MUSH(1,7) MUSH(2,9) MUSH(3,13)
+      MUSH(4,5) MUSH(5,7) MUSH(6,9) MUSH(7,13)
+      MUSH(8,5) MUSH(9,7) MUSH(10,9) MUSH(11,13)
     }
-  
-  /* Some rand() implementations have less randomness in low bits
-   * than in high bits, so we only pay attention to the high ones.
-   * But most implementations don't touch the high bit, so we 
-   * ignore that one.
-   */
-  return( (unsigned short) (rand() >> 15) );
+    for (i = 0;i < 8;++i) out[i] ^= t[i + 4];
+  }
 }
 
-int legal_char(char c)
+unsigned short rand16(void)
 {
-  /* check for legal char a-z A-Z 0-9 - 
-     (also / , used for RFC2317 and _ used in windows queries
-     and space, for DNS-SD stuff) */
-  if ((c >= 'A' && c <= 'Z') ||
-      (c >= 'a' && c <= 'z') ||
-      (c >= '0' && c <= '9') ||
-      c == '-' || c == '/' || c == '_' || c == ' ')
-    return 1;
-  
-  return 0;
+  static int outleft = 0;
+
+  if (!outleft) {
+    if (!++in[0]) if (!++in[1]) if (!++in[2]) ++in[3];
+    surf();
+    outleft = 8;
+  }
+
+  return (unsigned short) out[--outleft];
 }
-  
-int canonicalise(char *s)
+
+#endif
+
+static int check_name(char *in)
 {
-  /* check for legal chars and remove trailing . 
+  /* remove trailing . 
      also fail empty string and label > 63 chars */
-  size_t dotgap = 0, l = strlen(s);
+  size_t dotgap = 0, l = strlen(in);
   char c;
   int nowhite = 0;
-
+  
   if (l == 0 || l > MAXDNAME) return 0;
-
-  if (s[l-1] == '.')
+  
+  if (in[l-1] == '.')
     {
       if (l == 1) return 0;
-      s[l-1] = 0;
+      in[l-1] = 0;
     }
   
-  while ((c = *s))
+  for (; (c = *in); in++)
     {
       if (c == '.')
 	dotgap = 0;
-      else if (!legal_char(c) || (++dotgap > MAXLABEL))
+      else if (++dotgap > MAXLABEL)
 	return 0;
+      else if (isascii(c) && iscntrl(c)) 
+	/* iscntrl only gives expected results for ascii */
+	return 0;
+#ifndef LOCALEDIR
+      else if (!isascii(c))
+	return 0;
+#endif
       else if (c != ' ')
 	nowhite = 1;
-      s++;
     }
-  return nowhite;
+
+  if (!nowhite)
+    return 0;
+
+  return 1;
+}
+
+/* Hostnames have a more limited valid charset than domain names
+   so check for legal char a-z A-Z 0-9 - _ 
+   Note that this may receive a FQDN, so only check the first label 
+   for the tighter criteria. */
+int legal_hostname(char *name)
+{
+  char c;
+
+  if (!check_name(name))
+    return 0;
+
+  for (; (c = *name); name++)
+    /* check for legal char a-z A-Z 0-9 - _ . */
+    {
+      if ((c >= 'A' && c <= 'Z') ||
+	  (c >= 'a' && c <= 'z') ||
+	  (c >= '0' && c <= '9') ||
+	  c == '-' || c == '_')
+	continue;
+      
+      /* end of hostname part */
+      if (c == '.')
+	return 1;
+      
+      return 0;
+    }
+  
+  return 1;
+}
+  
+char *canonicalise(char *in, int *nomem)
+{
+  char *ret = NULL;
+#ifdef LOCALEDIR
+  int rc;
+#endif
+
+  if (nomem)
+    *nomem = 0;
+  
+  if (!check_name(in))
+    return NULL;
+  
+#ifdef LOCALEDIR
+  if ((rc = idna_to_ascii_lz(in, &ret, 0)) != IDNA_SUCCESS)
+    {
+      if (ret)
+	free(ret);
+
+      if (nomem && (rc == IDNA_MALLOC_ERROR || rc == IDNA_DLOPEN_ERROR))
+	{
+	  my_syslog(LOG_ERR, _("failed to allocate memory"));
+	  *nomem = 1;
+	}
+    
+      return NULL;
+    }
+#else
+  if ((ret = whine_malloc(strlen(in)+1)))
+    strcpy(ret, in);
+  else if (nomem)
+    *nomem = 1;    
+#endif
+
+  return ret;
 }
 
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
@@ -159,6 +231,14 @@ void *safe_malloc(size_t size)
   return ret;
 }    
 
+void safe_pipe(int *fd, int read_noblock)
+{
+  if (pipe(fd) == -1 || 
+      !fix_fd(fd[1]) ||
+      (read_noblock && !fix_fd(fd[0])))
+    die(_("cannot create pipe: %s"), NULL, EC_MISC);
+}
+
 void *whine_malloc(size_t size)
 {
   void *ret = malloc(size);
@@ -329,14 +409,19 @@ int parse_hex(char *in, unsigned char *out, int maxlen,
   return i;
 }
 
+/* return 0 for no match, or (no matched octets) + 1 */
 int memcmp_masked(unsigned char *a, unsigned char *b, int len, unsigned int mask)
 {
-  int i;
-  for (i = len - 1; i >= 0; i--, mask = mask >> 1)
-    if (!(mask & 1) && a[i] != b[i])
-      return 0;
-
-  return 1;
+  int i, count;
+  for (count = 1, i = len - 1; i >= 0; i--, mask = mask >> 1)
+    if (!(mask & 1))
+      {
+	if (a[i] == b[i])
+	  count++;
+	else
+	  return 0;
+      }
+  return count;
 }
 
 /* _note_ may copy buffer */
@@ -344,7 +429,7 @@ int expand_buf(struct iovec *iov, size_t size)
 {
   void *new;
 
-  if (size <= iov->iov_len)
+  if (size <= (size_t)iov->iov_len)
     return 1;
 
   if (!(new = whine_malloc(size)))
@@ -426,3 +511,4 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
     }
   return 1;
 }
+