import of dnsmasq-2.53.tar.gz

FAQ

@@ -456,6 +456,16 @@ A: In almost all cases: none. If you have the normal arrangement with
    and turn on syslog-ng's dns-cache function.
 
 
+Q: DHCP doesn't work with windows Vista, but everything else is fine.
+
+A: The DHCP client on windows Vista (and possibly later versions)
+   demands that the DHCP server send replies as broadcasts. Most other
+   clients don't do this. The broadcasts are send to
+   255.255.255.255. A badly configured firewall which blocks such
+   packets will show exactly these symptoms (Vista fails, others
+   work).
+
+  
 
 
 

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -10,38 +10,41 @@
 #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #  GNU General Public License for more details.
 #    
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 PREFIX = /usr/local
 BINDIR = ${PREFIX}/sbin
 MANDIR = ${PREFIX}/share/man
 LOCALEDIR = ${PREFIX}/share/locale
 
+PKG_CONFIG = pkg-config
+INSTALL = install
+MSGMERGE = msgmerge
+MSGFMT = msgfmt
+XGETTEXT = xgettext
+
+CFLAGS = -Wall -W -O2
+
+#################################################################
+
 SRC = src
 PO = po
 MAN = man
 
-PKG_CONFIG = pkg-config
-AWK = nawk
-INSTALL = install
+DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
+DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
 
-DBUS_MINOR=" `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --modversion dbus-1 | $(AWK) -F . -- '{ if ($$(NF-1)) print \"-DDBUS_MINOR=\"$$(NF-1) }'`" 
-DBUS_CFLAGS="`echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --cflags dbus-1`" 
-DBUS_LIBS="  `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --libs dbus-1`" 
-SUNOS_VER="  `if uname | grep SunOS 2>&1 >/dev/null; then uname -r | $(AWK) -F . -- '{ print \"-DSUNOS_VER=\"$$2 }'; fi`"
-SUNOS_LIBS=" `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi `"
+OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
+       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+       helper.o tftp.o log.o
 
-all :   dnsmasq
-
-dnsmasq :
-	cd $(SRC) && $(MAKE) \
- DBUS_MINOR=$(DBUS_MINOR) \
- DBUS_CFLAGS=$(DBUS_CFLAGS) \
- DBUS_LIBS=$(DBUS_LIBS) \
- SUNOS_LIBS=$(SUNOS_LIBS) \
- SUNOS_VER=$(SUNOS_VER) \
- -f ../bld/Makefile dnsmasq 
+all :
+	@cd $(SRC) && $(MAKE) \
+ BUILD_CFLAGS="$(DNSMASQ_CFLAGS)" \
+ BUILD_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS)" \
+ -f ../Makefile dnsmasq 
 
 clean :
 	rm -f *~ $(SRC)/*.mo contrib/*/*~ */*~ $(SRC)/*.pot 
@@ -55,26 +58,40 @@ install-common :
 	$(INSTALL) -m 755 $(SRC)/dnsmasq $(DESTDIR)$(BINDIR)
 
 all-i18n :
-	cd $(SRC) && $(MAKE) \
+	@cd $(SRC) && $(MAKE) \
  I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' \
- DBUS_MINOR=$(DBUS_MINOR) \
- DBUS_CFLAGS=$(DBUS_CFLAGS) \
- DBUS_LIBS=$(DBUS_LIBS) \
- SUNOS_LIBS=$(SUNOS_LIBS) \
- SUNOS_VER=$(SUNOS_VER) \
- -f ../bld/Makefile dnsmasq 
-	cd $(PO); for f in *.po; do \
-		cd ../$(SRC) && $(MAKE) -f ../bld/Makefile $${f%.po}.mo; \
+ BUILD_CFLAGS="$(DNSMASQ_CFLAGS) `$(PKG_CONFIG) --cflags libidn`" \
+ BUILD_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS) `$(PKG_CONFIG) --libs libidn`"  \
+ -f ../Makefile dnsmasq
+	@cd $(PO); for f in *.po; do \
+		cd ../$(SRC) && $(MAKE) \
+ -f ../Makefile $${f%.po}.mo; \
 	done
 
 install-i18n : all-i18n install-common
-	cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR)
-	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR)
+	cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
+	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 
 merge :
-	$(MAKE) I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' -f ../bld/Makefile -C $(SRC) dnsmasq.pot
-	cd $(PO); for f in *.po; do \
-		msgmerge --no-wrap -U $$f ../$(SRC)/dnsmasq.pot; \
+	@cd $(SRC) && $(MAKE) -f ../Makefile dnsmasq.pot
+	@cd $(PO); for f in *.po; do \
+		echo -n msgmerge $$f && $(MSGMERGE) --no-wrap -U $$f ../$(SRC)/dnsmasq.pot; \
 	done
 
 
+# rules below are targets in recusive makes with cwd=$(SRC)
+
+.c.o:
+	$(CC) $(CFLAGS) $(COPTS) $(I18N) $(BUILD_CFLAGS) $(RPM_OPT_FLAGS) -c $<
+
+dnsmasq : $(OBJS)
+	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(BUILD_LIBS) $(LIBS) 
+
+dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
+	$(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(OBJS:.o=.c)
+
+%.mo : ../po/%.po dnsmasq.pot
+	$(MSGMERGE) -o - ../po/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo -
+
+
+.PHONY : all clean install install-common all-i18n install-i18n merge 

bld/Makefile

@@ -1,17 +0,0 @@
-CFLAGS = -Wall -W -O2
-
-OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
-       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
-       helper.o tftp.o log.o
-
-.c.o:
-	$(CC) $(CFLAGS) $(COPTS) $(DBUS_MINOR) $(I18N) $(DBUS_CFLAGS) $(SUNOS_VER) $(RPM_OPT_FLAGS) -c $<
-
-dnsmasq : $(OBJS)
-	$(CC) $(LDFLAGS) -o $@  $(OBJS) $(DBUS_LIBS) $(SUNOS_LIBS) $(LIBS) 
- 
-dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
-	xgettext -d dnsmasq --foreign-user --keyword=_ -o dnsmasq.pot -i $(OBJS:.o=.c)
-
-%.mo : ../po/%.po dnsmasq.pot
-	msgmerge -o - ../po/$*.po dnsmasq.pot | msgfmt -o $*.mo -

bld/install-man

@@ -2,8 +2,8 @@
 
 for f in *; do
   if [ -d $f ]; then
-     install -m 755 -d $1/$f/man8 
-     install -m 644 $f/dnsmasq.8 $1/$f/man8
+     $2 -m 755 -d $1/$f/man8 
+     $2 -m 644 $f/dnsmasq.8 $1/$f/man8
      echo installing $1/$f/man8/dnsmasq.8
   fi
 done

bld/install-mo

@@ -1,8 +1,8 @@
 #!/bin/sh
 
 for f in *.mo; do
-  install -m 755 -d $1/${f%.mo}/LC_MESSAGES
-  install -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
+  $2 -m 755 -d $1/${f%.mo}/LC_MESSAGES
+  $2 -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
   echo installing $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
 done
 

bld/pkg-wrapper

@@ -1,7 +1,10 @@
 #!/bin/sh
 
-if grep "^\#.*define.*HAVE_DBUS" config.h 2>&1 >/dev/null || \
-   grep HAVE_DBUS 2>&1 >/dev/null ; then
+search=$1
+shift
+
+if grep "^\#.*define.*$search" config.h 2>&1 >/dev/null || \
+   grep $search 2>&1 >/dev/null ; then
   exec $*
 fi
 

contrib/CPE-WAN/README

@@ -0,0 +1,36 @@
+Dnsmasq from version 2.52 has a couple of rather application-specific
+features designed to allow for implementation of the DHCP part of CPE
+WAN management protocol.
+
+http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf
+http://en.wikipedia.org/wiki/TR-069
+
+The relevant sections are F.2.1 "Gateway Requirements" and F.2.5 "DHCP
+Vendor Options".
+
+First, dnsmasq checks for DHCP requests which contain an option-125
+vendor-class option which in turn holds a vendor section for IANA
+enterprise number 3561 which contains sub-options codes 1 and 2. If
+this is present  then the network-tag "cpewan-id" is set. 
+This allows dnsmasq to be configured to reply with the correct 
+GatewayManufacturerOUI, GatewaySerialNumber and GatewayProductClass like this:
+
+dhcp-option=cpewan-id,vi-encap:3561,4,"<GatewayManufacturerOUI>"
+dhcp-option=cpewan-id,vi-encap:3561,5,"<SerialNumber>"
+dhcp-option=cpewan-id,vi-encap:3561,6,"<ProductClass>"
+
+Second, the received sub-options 1, 2, and 3 are passed to the DHCP
+lease-change script as the environment variables DNSMASQ_CPEWAN_OUI,
+DNSMASQ_CPEWAN_SERIAL, and DNSMASQ_CPEWAN_CLASS respectively. This allows
+the script to be used to maintain a ManageableDevice table as
+specified in F.2.1. Note that this data is not retained in dnsmasq's
+internal DHCP lease database, so it is not available on every call to 
+the script (this is the same as some other data such as vendor and
+user classes). It will however be available for at least the "add"
+call, and should be stored then against the IP address as primary 
+key for future use.
+
+
+This feature was added to dnsmasq under sponsorship from Ericsson.
+
+

contrib/MacOSX-launchd/launchd-README.txt

@@ -0,0 +1,38 @@
+This is a launchd item for Mac OS X and Mac OS X Server.
+For more information about launchd, the
+"System wide and per-user daemon/agent manager", see the launchd
+man page, or the wikipedia page: http://en.wikipedia.org/wiki/Launchd
+
+This launchd item uses the following flags:
+--keep-in-foreground - this is crucial for use with launchd
+--log-queries - this is optional and you can remove it
+--log-facility=/var/log/dnsmasq.log - again optional instead of system.log
+
+To use this launchd item for dnsmasq:
+
+If you don't already have a folder /Library/LaunchDaemons, then create one:
+sudo mkdir /Library/LaunchDaemons
+sudo chown root:admin /Library/LaunchDaemons
+sudo chmod 775 /Library/LaunchDaemons 
+
+Copy uk.org.thekelleys.dnsmasq.plist there and then set ownership/permissions:
+sudo cp uk.org.thekelleys.dnsmasq.plist /Library/LaunchDaemons/
+sudo chown root:admin /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+sudo chmod 644 /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+Optionally, edit your dnsmasq configuration file to your liking.
+
+To start the launchd job, which starts dnsmaq, reboot or use the command:
+sudo launchctl load /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+To stop the launchd job, which stops dnsmasq, use the command:
+sudo launchctl unload /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+If you want to permanently stop the launchd job, so it doesn't start the job even after a reboot, use the following command:
+sudo launchctl unload -w /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+If you make a change to the configuration file, you should relaunch dnsmasq;
+to do this unload and then load again:
+
+sudo launchctl unload /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+sudo launchctl load /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist

contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>uk.org.thekelleys.dnsmasq</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/usr/local/sbin/dnsmasq</string>
+		<string>--keep-in-foreground</string>
+		<string>--log-queries</string>
+		<string>--log-facility=/var/log/dnsmasq.log</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>

contrib/Solaris10/README-sparc

@@ -0,0 +1,8 @@
+Hi Simon,
+
+I just wanted to let you know that I have built a Solaris .pkg install package of your dnsmasq utility for people to use.  Feel free to point them in my direction if you have people who want this sort of thing.
+
+http://ejesconsulting.wordpress.com/2010/05/12/gnu-dnsmasq-for-opensolaris-sparc/
+
+Thanks
+-evan

contrib/Solaris10/README.create_package

@@ -0,0 +1,25 @@
+Ok, script attached ... seems to be working ok for me, 
+tried to install and remove a few times. It does the
+right thing with the smf when installing, you can then 
+simply enable the service. Upon removal it cleans up the
+files but won't clean up the services (I think until
+a reboot) ... I've only started looking at the new 
+packages stuff in the last day or two, so I could be 
+missing something, but I can't find any way to force
+ a proper cleanup.
+
+It requires that you have a writable repository setup 
+as per the docs on the opensolaris website and it will
+create a dnsmasq package (package name is a variable 
+in the script). The script takes a version number for 
+the package and assumes that it's in the contrib/Solaris10 
+directory, it then works out the base tree directory 
+from $0.
+
+i.e.  $ contrib/Solaris10/create_package 2.52-1
+or   $ cd contrib/Solaris10; ./create_package 2.52-1
+
+It's a bit more complex than it could be because I 
+prefer putting the daemon in /usr/sbin and the config 
+in /etc, so the script will actually create a new 
+version of the existing contrib dnsmasq.xml.

contrib/Solaris10/create_package

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+#
+# For our package, and for the SMF script, we need to define where we
+# want things to go...
+#
+BIN_DIR="/usr/sbin"
+CONF_DIR="/etc"
+MAN_DIR="/usr/share/man/man8"
+
+PACKAGE_NAME="dnsmasq"
+
+#
+# Since we know we are in the contrib directory we can work out where
+# the rest of the tree is...
+#
+BASEDIR="`dirname $0`/../.."
+
+#
+# We need a version number to use for the package creation...
+#
+if [ $# != 1 ]; then
+	echo "Usage: $0 <package_version_number>" >&2
+	exit 1
+fi
+VERSION="$1"
+
+#
+# First thing we do is fix-up the smf file to use the paths we prefer...
+#
+if [ ! -f "${BASEDIR}/contrib/Solaris10/dnsmasq.xml" ]; then
+	echo "$0: unable to find contrib/Solaris10/dnsmasq.xml" >&2
+	exit 1
+fi
+
+echo "Fixing up smf file ... \c"
+cat "${BASEDIR}/contrib/Solaris10/dnsmasq.xml" | \
+	sed 	-e "s%/usr/local/etc%${CONF_DIR}%" \
+		-e "s%/usr/local/sbin%${BIN_DIR}%" \
+		-e "s%/usr/local/man%${MAN_DIR}%" > ${BASEDIR}/contrib/Solaris10/dnsmasq-pkg.xml
+echo "done."
+
+echo "Creating packaging file ... \c"
+cat <<EOF >${BASEDIR}/contrib/Solaris10/dnsmasq_package.inc
+#
+# header
+#
+set name=pkg.name		value="dnsmasq"
+set name=pkg.description	value="dnsmasq daemon - dns, dhcp, tftp etc"
+set name=pkg.detailed_url	value="http://www.thekelleys.org.uk/dnsmasq/doc.html"
+set name=info.maintainer	value="TBD (tbd@tbd.com)"
+set name=info.upstream		value="dnsmasq-discuss@lists.thekelleys.org.uk"
+set name=info.upstream_url	value="http://www.thekelleys.org.uk/dnsmasq/doc.html"
+#
+# dependencies ... none?
+#
+
+#
+# directories
+#
+dir mode=0755 owner=root group=bin path=${BIN_DIR}/
+dir mode=0755 owner=root group=sys path=${CONF_DIR}/
+dir mode=0755 owner=root group=sys path=${MAN_DIR}/
+dir mode=0755 owner=root group=sys path=/var/
+dir mode=0755 owner=root group=sys path=/var/svc
+dir mode=0755 owner=root group=sys path=/var/svc/manifest
+dir mode=0755 owner=root group=sys path=/var/svc/manifest/network
+
+#
+# files
+#
+file ${BASEDIR}/src/dnsmasq mode=0555 owner=root group=bin path=${BIN_DIR}/dnsmasq
+file ${BASEDIR}/man/dnsmasq.8 mode=0555 owner=root group=bin path=${MAN_DIR}/dnsmasq.8
+file ${BASEDIR}/dnsmasq.conf.example mode=0644 owner=root group=sys path=${CONF_DIR}/dnsmasq.conf preserve=strawberry
+file ${BASEDIR}/contrib/Solaris10/dnsmasq-pkg.xml mode=0644 owner=root group=sys path=/var/svc/manifest/network/dnsmasq.xml restart_fmri=svc:/system/manifest-import:default
+
+EOF
+echo "done."
+
+echo "Creating package..."
+eval `pkgsend open ${PACKAGE_NAME}@${VERSION}`
+pkgsend include ${BASEDIR}/contrib/Solaris10/dnsmasq_package.inc
+if [ "$?" = 0 ]; then
+	pkgsend close
+else
+	echo "Errors"
+fi

contrib/lease-access/README

@@ -0,0 +1,20 @@
+Hello,
+
+For some specific application I needed to deny access to a MAC address
+to a lease. For this reason I modified the dhcp-script behavior and is
+called with an extra parameter "access" once a dhcp request or discover
+is received. In that case if the exit code of the script is zero,
+dnsmasq continues normally, and if non-zero the packet is ignored.
+
+This was not added as a security feature but as a mean to handle
+differently some addresses. It is also quite intrusive since it requires
+changes in several other subsystems.
+
+It attach the patch in case someone is interested.
+
+regards,
+Nikos
+
+nmav@gennetsa.com
+
+

contrib/lease-access/lease.access.patch

@@ -0,0 +1,578 @@
+Index: src/dnsmasq.c
+===================================================================
+--- src/dnsmasq.c	(revision 696)
++++ src/dnsmasq.c	(revision 821)
+@@ -59,7 +59,6 @@
+ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp);
+ static void check_dns_listeners(fd_set *set, time_t now);
+ static void sig_handler(int sig);
+-static void async_event(int pipe, time_t now);
+ static void fatal_event(struct event_desc *ev);
+ static void poll_resolv(void);
+ 
+@@ -275,7 +274,7 @@
+   piperead = pipefd[0];
+   pipewrite = pipefd[1];
+   /* prime the pipe to load stuff first time. */
+-  send_event(pipewrite, EVENT_RELOAD, 0); 
++  send_event(pipewrite, EVENT_RELOAD, 0, 0); 
+ 
+   err_pipe[1] = -1;
+   
+@@ -340,7 +339,7 @@
+ 	    }
+ 	  else if (getuid() == 0)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_PIDFILE, errno);
++	      send_event(err_pipe[1], EVENT_PIDFILE, errno, 0);
+ 	      _exit(0);
+ 	    }
+ 	}
+@@ -372,7 +371,7 @@
+ 	  (setgroups(0, &dummy) == -1 ||
+ 	   setgid(gp->gr_gid) == -1))
+ 	{
+-	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno);
++	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno, 0);
+ 	  _exit(0);
+ 	}
+   
+@@ -415,14 +414,14 @@
+ 
+ 	  if (bad_capabilities != 0)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities);
++	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities, 0);
+ 	      _exit(0);
+ 	    }
+ 	  
+ 	  /* finally drop root */
+ 	  if (setuid(ent_pw->pw_uid) == -1)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_USER_ERR, errno);
++	      send_event(err_pipe[1], EVENT_USER_ERR, errno, 0);
+ 	      _exit(0);
+ 	    }     
+ 
+@@ -434,7 +433,7 @@
+ 	  /* lose the setuid and setgid capbilities */
+ 	  if (capset(hdr, data) == -1)
+ 	    {
+-	      send_event(err_pipe[1], EVENT_CAP_ERR, errno);
++	      send_event(err_pipe[1], EVENT_CAP_ERR, errno, 0);
+ 	      _exit(0);
+ 	    }
+ #endif
+@@ -647,7 +646,7 @@
+ 	}
+       
+       if (FD_ISSET(piperead, &rset))
+-	async_event(piperead, now);
++	async_event(piperead, now, NULL, 0);
+       
+ #ifdef HAVE_LINUX_NETWORK
+       if (FD_ISSET(daemon->netlinkfd, &rset))
+@@ -674,7 +673,7 @@
+ #endif      
+ 
+       if (daemon->dhcp && FD_ISSET(daemon->dhcpfd, &rset))
+-	dhcp_packet(now);
++	dhcp_packet(piperead, now);
+ 
+ #ifndef NO_FORK
+       if (daemon->helperfd != -1 && FD_ISSET(daemon->helperfd, &wset))
+@@ -719,17 +718,18 @@
+       else
+ 	return;
+ 
+-      send_event(pipewrite, event, 0); 
++      send_event(pipewrite, event, 0, 0); 
+       errno = errsave;
+     }
+ }
+ 
+-void send_event(int fd, int event, int data)
++void send_event(int fd, int event, int data, int priv)
+ {
+   struct event_desc ev;
+   
+   ev.event = event;
+   ev.data = data;
++  ev.priv = priv;
+   
+   /* error pipe, debug mode. */
+   if (fd == -1)
+@@ -771,14 +771,17 @@
+       die(_("cannot open %s: %s"), daemon->log_file ? daemon->log_file : "log", EC_FILE);
+     }
+ }	
+-      
+-static void async_event(int pipe, time_t now)
++
++/* returns the private data of the event
++ */
++int async_event(int pipe, time_t now, struct event_desc* event, unsigned int secs)
+ {
+   pid_t p;
+   struct event_desc ev;
+   int i;
+ 
+-  if (read_write(pipe, (unsigned char *)&ev, sizeof(ev), 1))
++  if (read_timeout(pipe, (unsigned char *)&ev, sizeof(ev), now, secs) > 0) 
++    {
+     switch (ev.event)
+       {
+       case EVENT_RELOAD:
+@@ -872,6 +875,14 @@
+ 	flush_log();
+ 	exit(EC_GOOD);
+       }
++    }
++  else
++    return -1; /* timeout */
++
++  if (event)
++    memcpy( event, &ev, sizeof(ev));
++    
++  return 0;
+ }
+ 
+ static void poll_resolv()
+Index: src/config.h
+===================================================================
+--- src/config.h	(revision 696)
++++ src/config.h	(revision 821)
+@@ -51,6 +51,8 @@
+ #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
+ #define LOG_MAX 5 /* log-queue length */
+ #define RANDFILE "/dev/urandom"
++#define SCRIPT_TIMEOUT 6
++#define LEASE_CHECK_TIMEOUT 10
+ 
+ /* DBUS interface specifics */
+ #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq"
+Index: src/dnsmasq.h
+===================================================================
+--- src/dnsmasq.h	(revision 696)
++++ src/dnsmasq.h	(revision 821)
+@@ -116,6 +116,7 @@
+ /* Async event queue */
+ struct event_desc {
+   int event, data;
++  unsigned int priv;
+ };
+ 
+ #define EVENT_RELOAD    1
+@@ -390,6 +391,7 @@
+ #define ACTION_OLD_HOSTNAME  2
+ #define ACTION_OLD           3
+ #define ACTION_ADD           4
++#define ACTION_ACCESS        5
+ 
+ #define DHCP_CHADDR_MAX 16
+ 
+@@ -709,6 +711,7 @@
+ char *print_mac(char *buff, unsigned char *mac, int len);
+ void bump_maxfd(int fd, int *max);
+ int read_write(int fd, unsigned char *packet, int size, int rw);
++int read_timeout(int fd, unsigned char *packet, int size, time_t now, int secs);
+ 
+ /* log.c */
+ void die(char *message, char *arg1, int exit_code);
+@@ -748,7 +751,7 @@
+ 
+ /* dhcp.c */
+ void dhcp_init(void);
+-void dhcp_packet(time_t now);
++void dhcp_packet(int piperead, time_t now);
+ 
+ struct dhcp_context *address_available(struct dhcp_context *context, 
+ 				       struct in_addr addr,
+@@ -792,14 +795,16 @@
+ void rerun_scripts(void);
+ 
+ /* rfc2131.c */
+-size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
++size_t dhcp_reply(int pipefd, struct dhcp_context *context, char *iface_name, int int_index,
+ 		  size_t sz, time_t now, int unicast_dest, int *is_inform);
+ 
+ /* dnsmasq.c */
+ int make_icmp_sock(void);
+ int icmp_ping(struct in_addr addr);
+-void send_event(int fd, int event, int data);
++void send_event(int fd, int event, int data, int priv);
+ void clear_cache_and_reload(time_t now);
++int wait_for_child(int pipe);
++int async_event(int pipe, time_t now, struct event_desc*, unsigned int timeout);
+ 
+ /* isc.c */
+ #ifdef HAVE_ISC_READER
+@@ -832,9 +837,9 @@
+ /* helper.c */
+ #ifndef NO_FORK
+ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
+-void helper_write(void);
++int helper_write(void);
+ void queue_script(int action, struct dhcp_lease *lease, 
+-		  char *hostname, time_t now);
++		  char *hostname, time_t now, unsigned int uid);
+ int helper_buf_empty(void);
+ #endif
+ 
+Index: src/util.c
+===================================================================
+--- src/util.c	(revision 696)
++++ src/util.c	(revision 821)
+@@ -444,3 +444,38 @@
+   return 1;
+ }
+ 
++int read_timeout(int fd, unsigned char *packet, int size, time_t now, int secs)
++{
++  ssize_t n, done;
++  time_t expire;
++  
++  expire = now + secs;
++  
++  for (done = 0; done < size; done += n)
++    {
++    retry:
++      if (secs > 0) alarm(secs);
++      n = read(fd, &packet[done], (size_t)(size - done));
++
++      if (n == 0)
++        return 0;
++      else if (n == -1)
++        {
++          if (errno == EINTR) {
++            my_syslog(LOG_INFO, _("read timed out (errno %d)"), errno);
++            return 0;
++          }
++
++          if (retry_send() || errno == ENOMEM || errno == ENOBUFS || errno == EAGAIN)
++            {
++              if (secs == 0 || (secs > 0 && dnsmasq_time() < expire))
++                goto retry;
++            }
++
++          my_syslog(LOG_INFO, _("error in read (timeout %d, errno %d)"), secs, errno);
++          return 0;
++        }
++    }
++  return 1;
++}
++
+Index: src/dhcp.c
+===================================================================
+--- src/dhcp.c	(revision 696)
++++ src/dhcp.c	(revision 821)
+@@ -103,7 +103,7 @@
+   daemon->dhcp_packet.iov_base = safe_malloc(daemon->dhcp_packet.iov_len);
+ }
+   
+-void dhcp_packet(time_t now)
++void dhcp_packet(int piperead, time_t now)
+ {
+   struct dhcp_packet *mess;
+   struct dhcp_context *context;
+@@ -239,7 +239,8 @@
+   if (!iface_enumerate(&parm, complete_context, NULL))
+     return;
+   lease_prune(NULL, now); /* lose any expired leases */
+-  iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
++
++  iov.iov_len = dhcp_reply(piperead, parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
+ 			   now, unicast_dest, &is_inform);
+   lease_update_file(now);
+   lease_update_dns();
+Index: src/helper.c
+===================================================================
+--- src/helper.c	(revision 696)
++++ src/helper.c	(revision 821)
+@@ -45,6 +45,7 @@
+ #endif
+   unsigned char hwaddr[DHCP_CHADDR_MAX];
+   char interface[IF_NAMESIZE];
++  unsigned int uid;
+ };
+ 
+ static struct script_data *buf = NULL;
+@@ -60,7 +61,7 @@
+      then fork our process. */
+   if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
+     {
+-      send_event(err_fd, EVENT_PIPE_ERR, errno);
++      send_event(err_fd, EVENT_PIPE_ERR, errno, 0);
+       _exit(0);
+     }
+ 
+@@ -87,13 +88,13 @@
+ 	{
+ 	  if (daemon->options & OPT_NO_FORK)
+ 	    /* send error to daemon process if no-fork */
+-	    send_event(event_fd, EVENT_HUSER_ERR, errno);
++	    send_event(event_fd, EVENT_HUSER_ERR, errno, 0);
+ 	  else
+ 	    {
+ 	      /* kill daemon */
+-	      send_event(event_fd, EVENT_DIE, 0);
++	      send_event(event_fd, EVENT_DIE, 0, 0);
+ 	      /* return error */
+-	      send_event(err_fd, EVENT_HUSER_ERR, errno);;
++	      send_event(err_fd, EVENT_HUSER_ERR, errno, 0);
+ 	    }
+ 	  _exit(0);
+ 	}
+@@ -122,6 +123,8 @@
+ 	action_str = "del";
+       else if (data.action == ACTION_ADD)
+ 	action_str = "add";
++      else if (data.action == ACTION_ACCESS)
++	action_str = "access";
+       else if (data.action == ACTION_OLD || data.action == ACTION_OLD_HOSTNAME)
+ 	action_str = "old";
+       else
+@@ -178,9 +181,11 @@
+ 		{
+ 		  /* On error send event back to main process for logging */
+ 		  if (WIFSIGNALED(status))
+-		    send_event(event_fd, EVENT_KILLED, WTERMSIG(status));
+-		  else if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+-		    send_event(event_fd, EVENT_EXITED, WEXITSTATUS(status));
++		    send_event(event_fd, EVENT_KILLED, WTERMSIG(status), data.uid);
++		  else if (WIFEXITED(status))
++		    send_event(event_fd, EVENT_EXITED, WEXITSTATUS(status), data.uid);
++                  else
++		    send_event(event_fd, EVENT_EXITED, -1, data.uid);
+ 		  break;
+ 		}
+ 	      
+@@ -263,7 +268,7 @@
+ 	  err = errno;
+ 	}
+       /* failed, send event so the main process logs the problem */
+-      send_event(event_fd, EVENT_EXEC_ERR, err);
++      send_event(event_fd, EVENT_EXEC_ERR, err, data.uid);
+       _exit(0); 
+     }
+ }
+@@ -295,7 +300,7 @@
+ }
+  
+ /* pack up lease data into a buffer */    
+-void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now)
++void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now, unsigned int uid)
+ {
+   unsigned char *p;
+   size_t size;
+@@ -332,6 +337,7 @@
+       buf_size = size;
+     }
+ 
++  buf->uid = uid;
+   buf->action = action;
+   buf->hwaddr_len = lease->hwaddr_len;
+   buf->hwaddr_type = lease->hwaddr_type;
+@@ -393,12 +399,15 @@
+   return bytes_in_buf == 0;
+ }
+ 
+-void helper_write(void)
++/* returns -1 if write failed for a reason, 1 if no data exist
++ * and 0 if everything was ok.
++ */
++int helper_write(void)
+ {
+   ssize_t rc;
+ 
+   if (bytes_in_buf == 0)
+-    return;
++    return 1;
+   
+   if ((rc = write(daemon->helperfd, buf, bytes_in_buf)) != -1)
+     {
+@@ -409,9 +418,11 @@
+   else
+     {
+       if (errno == EAGAIN || errno == EINTR)
+-	return;
++	return -1;
+       bytes_in_buf = 0;
+     }
++    
++  return 0;
+ }
+ 
+ #endif
+Index: src/rfc2131.c
+===================================================================
+--- src/rfc2131.c	(revision 696)
++++ src/rfc2131.c	(revision 821)
+@@ -100,8 +100,49 @@
+ 				      int clid_len, unsigned char *clid, int *len_out);
+ static void match_vendor_opts(unsigned char *opt, struct dhcp_opt *dopt); 
+ 
++static int check_access_script( int piperead, struct dhcp_lease *lease, struct dhcp_packet *mess, time_t now)
++{
++#ifndef NO_FORK
++unsigned int uid;
++struct event_desc ev;
++int ret;
++struct dhcp_lease _lease;
++
++  if (daemon->lease_change_command == NULL) return 0; /* ok */
++
++  if (!lease) { /* if host has not been seen before lease is NULL */
++      memset(&_lease, 0, sizeof(_lease));
++      lease = &_lease;
++      lease_set_hwaddr(lease, mess->chaddr, NULL, mess->hlen, mess->htype, 0);
++  }
++
++  uid = rand16();
++  queue_script(ACTION_ACCESS, lease, NULL, now, uid);
++
++  /* send all data to helper process */
++  do 
++    {
++      helper_write();
++    } while (helper_buf_empty() == 0);
++
++  /* wait for our event */
++  ret = 0;
++  do 
++    {
++      ret = async_event( piperead, now, &ev, SCRIPT_TIMEOUT);
++    }
++  while(ev.priv != uid && ret >= 0);
++
++  if (ret < 0 || ev.data != 0) /* timeout or error */
++    {
++      return -1;
++    }
++
++#endif
++  return 0; /* ok */
++}
+ 	  
+-size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
++size_t dhcp_reply(int piperead, struct dhcp_context *context, char *iface_name, int int_index,
+ 		  size_t sz, time_t now, int unicast_dest, int *is_inform)
+ {
+   unsigned char *opt, *clid = NULL;
+@@ -252,7 +293,7 @@
+ 	mac->netid.next = netid;
+ 	netid = &mac->netid;
+       }
+-  
++
+   /* Determine network for this packet. Our caller will have already linked all the 
+      contexts which match the addresses of the receiving interface but if the 
+      machine has an address already, or came via a relay, or we have a subnet selector, 
+@@ -329,7 +370,7 @@
+ 	    my_syslog(LOG_INFO, _("Available DHCP range: %s -- %s"), daemon->namebuff, inet_ntoa(context_tmp->end));
+ 	}
+     }
+-
++    
+   mess->op = BOOTREPLY;
+   
+   config = find_config(daemon->dhcp_conf, context, clid, clid_len, 
+@@ -418,7 +459,7 @@
+ 	      else
+ 		mess->yiaddr = lease->addr;
+ 	    }
+-	  
++
+ 	  if (!message && 
+ 	      !lease && 
+ 	      (!(lease = lease_allocate(mess->yiaddr))))
+@@ -641,7 +682,14 @@
+       memcpy(req_options, option_ptr(opt, 0), option_len(opt));
+       req_options[option_len(opt)] = OPTION_END;
+     }
+-  
++
++  if (mess_type == DHCPREQUEST || mess_type == DHCPDISCOVER)
++    if (check_access_script(piperead, lease, mess, now) < 0)
++      {
++        my_syslog(LOG_INFO, _("Ignoring client due to access script"));
++        return 0;
++      }
++
+   switch (mess_type)
+     {
+     case DHCPDECLINE:
+Index: src/log.c
+===================================================================
+--- src/log.c	(revision 696)
++++ src/log.c	(revision 821)
+@@ -73,7 +73,7 @@
+ 
+   if (!log_reopen(daemon->log_file))
+     {
+-      send_event(errfd, EVENT_LOG_ERR, errno);
++      send_event(errfd, EVENT_LOG_ERR, errno, 0);
+       _exit(0);
+     }
+ 
+Index: src/lease.c
+===================================================================
+--- src/lease.c	(revision 696)
++++ src/lease.c	(revision 821)
+@@ -511,7 +511,7 @@
+       if (lease->old_hostname)
+ 	{
+ #ifndef NO_FORK
+-	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
++	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now, 0);
+ #endif
+ 	  free(lease->old_hostname);
+ 	  lease->old_hostname = NULL;
+@@ -520,7 +520,7 @@
+       else 
+ 	{
+ #ifndef NO_FORK
+-	  queue_script(ACTION_DEL, lease, lease->hostname, now);
++	  queue_script(ACTION_DEL, lease, lease->hostname, now, 0);
+ #endif
+ 	  old_leases = lease->next;
+ 	  
+@@ -540,7 +540,7 @@
+     if (lease->old_hostname)
+       {	
+ #ifndef NO_FORK
+-	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
++	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now, 0);
+ #endif
+ 	free(lease->old_hostname);
+ 	lease->old_hostname = NULL;
+@@ -552,7 +552,7 @@
+ 	(lease->aux_changed && (daemon->options & OPT_LEASE_RO)))
+       {
+ #ifndef NO_FORK
+-	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname, now);
++	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, lease->hostname, now, 0);
+ #endif
+ 	lease->new = lease->changed = lease->aux_changed = 0;
+ 	
+Index: man/dnsmasq.8
+===================================================================
+--- man/dnsmasq.8	(revision 696)
++++ man/dnsmasq.8	(revision 821)
+@@ -724,12 +724,15 @@
+ .B \-6 --dhcp-script=<path>
+ Whenever a new DHCP lease is created, or an old one destroyed, the
+ binary specified by this option is run. The arguments to the process
+-are "add", "old" or "del", the MAC
++are "add", "old", "access" or "del", the MAC
+ address of the host (or "<null>"), the IP address, and the hostname,
+ if known. "add" means a lease has been created, "del" means it has
+ been destroyed, "old" is a notification of an existing lease when
+ dnsmasq starts or a change to MAC address or hostname of an existing
+ lease (also, lease length or expiry and client-id, if leasefile-ro is set).
++The "access" keyword means that a request was just received and depending
++on the script exit status request for address will be granted, if exit status
++is zero or not if it is non-zero.
+ The process is run as root (assuming that dnsmasq was originally run as
+ root) even if dnsmasq is configured to change UID to an unprivileged user.
+ The environment is inherited from the invoker of dnsmasq, and if the

contrib/static-arp/static-arp

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Contributed by Darren Hoo <darren.hoo@gmail.com>
+
+# If you use dnsmasq as DHCP server on a router, you may have
+# met with attackers trying ARP Poison Routing (APR) on your
+# local area network. This script will setup a 'permanent' entry
+# in the router's ARP table upon each DHCP transaction so as to
+# make the attacker's efforts less successful.
+
+# Usage:
+# edit /etc/dnsmasq.conf and specify the path of this script
+# to  dhcp-script, for example:
+#  dhcp-script=/usr/sbin/static-arp
+
+# if $1 is add or old, update the static arp table entry.
+# if $1 is del, then delete the entry from the table
+# if $1 is init which is called by dnsmasq at startup, it's ignored
+
+ARP=/usr/sbin/arp
+
+# Arguments.
+# $1 is action (add, del, old)
+# $2 is MAC
+# $3 is address
+# $4 is hostname (optional, may be unset)
+
+if [ ${1} = del ] ; then
+         ${ARP} -d $3
+fi
+
+if [ ${1} = old ] || [ ${1} = add ] ; then
+         ${ARP} -s $3 $2
+fi
+

contrib/try-all-ns/README-2.47

@@ -0,0 +1,11 @@
+A remake of patch Bob Carroll had posted to dnsmasq,
+now compatible with version 2.47. Hopefully he doesn't 
+mind (sending a copy of this mail to him too).
+
+Maybe the patch in question is not acceptible
+as it doesn't add new switch, rather it binds itself to "strict-order".
+
+What it does is: if you have strict-order in the 
+dnsmasq config file and query a domain that would result 
+in NXDOMAIN, it iterates the whole given nameserver list 
+until the last one says NXDOMAIN.

contrib/try-all-ns/dnsmasq-2.47_no_nxdomain_until_end.patch

@@ -0,0 +1,17 @@
+diff -ur dnsmasq-2.47/src/forward.c dnsmasq-2.47-patched/src/forward.c
+--- dnsmasq-2.47/src/forward.c	2009-02-01 17:59:48.000000000 +0200
++++ dnsmasq-2.47-patched/src/forward.c	2009-03-18 19:10:22.000000000 +0200
+@@ -488,9 +488,12 @@
+     return;
+    
+   server = forward->sentto;
++
++  if ( (header->rcode == NXDOMAIN) && ((daemon->options & OPT_ORDER) != 0) && (server->next != NULL) )
++    header->rcode = SERVFAIL;
+   
+   if ((header->rcode == SERVFAIL || header->rcode == REFUSED) &&
+-      !(daemon->options & OPT_ORDER) &&
++      ((daemon->options & OPT_ORDER) != 0) &&
+       forward->forwardall == 0)
+     /* for broken servers, attempt to send to another one. */
+     {

dbus/dnsmasq.conf

@@ -5,12 +5,10 @@
 	<policy user="root">
 		<allow own="uk.org.thekelleys.dnsmasq"/>
 		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
-                <allow send_interface="uk.org.thekelleys.dnsmasq"/>
 	</policy>
 	<policy context="default">
                 <deny own="uk.org.thekelleys.dnsmasq"/>
                 <deny send_destination="uk.org.thekelleys.dnsmasq"/>
-                <deny send_interface="uk.org.thekelleys.dnsmasq"/>
         </policy>
 </busconfig>
 

dnsmasq.conf.example

@@ -66,12 +66,12 @@
 
 # You can control how dnsmasq talks to a server: this forces 
 # queries to 10.1.2.3 to be routed via eth1
-# --server=10.1.2.3@eth1
+# server=10.1.2.3@eth1
 
 # and this sets the source (ie local) address used to talk to
 # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
 # IP on the machine, obviously).
-# --server=10.1.2.3@192.168.1.1#55
+# server=10.1.2.3@192.168.1.1#55
 
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
@@ -141,10 +141,22 @@
 # don't need to worry about this.
 #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
 
-# This is an example of a DHCP range with a network-id, so that
+# This is an example of a DHCP range which sets a tag, so that
 # some DHCP options may be set only for this network.
-#dhcp-range=red,192.168.0.50,192.168.0.150
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
 
+# Use this DHCP range only when the tag "green" is set. 
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give 
+# an explict netmask instead.
+#dhcp-range=192.168.0.0,static
+ 
 # Supply parameters for specified hosts using DHCP. There are lots
 # of valid alternatives, so we will give examples of each. Note that
 # IP addresses DO NOT have to be in the range given above, they just
@@ -200,29 +212,29 @@
 
 # Send extra options which are tagged as "red" to
 # the machine with ethernet address 11:22:33:44:55:66
-#dhcp-host=11:22:33:44:55:66,net:red
+#dhcp-host=11:22:33:44:55:66,set:red
 
 # Send extra options which are tagged as "red" to
 # any machine with ethernet address starting 11:22:33:
-#dhcp-host=11:22:33:*:*:*,net:red
+#dhcp-host=11:22:33:*:*:*,set:red
 
 # Ignore any clients which are specified in dhcp-host lines
 # or /etc/ethers. Equivalent to ISC "deny unkown-clients".
 # This relies on the special "known" tag which is set when 
 # a host is matched.
-#dhcp-ignore=#known
+#dhcp-ignore=tag:!known
 
 # Send extra options which are tagged as "red" to any machine whose
 # DHCP vendorclass string includes the substring "Linux"
-#dhcp-vendorclass=red,Linux
+#dhcp-vendorclass=set:red,Linux
 
 # Send extra options which are tagged as "red" to any machine one
 # of whose DHCP userclass strings includes the substring "accounts"
-#dhcp-userclass=red,accounts
+#dhcp-userclass=set:red,accounts
 
 # Send extra options which are tagged as "red" to any machine whose
 # MAC address matches the pattern.
-#dhcp-mac=red,00:60:8C:*:*:*
+#dhcp-mac=set:red,00:60:8C:*:*:*
 
 # If this line is uncommented, dnsmasq will read /etc/ethers and act
 # on the ethernet-address/IP pairs found there just as if they had
@@ -276,8 +288,8 @@
 
 # Specify an option which will only be sent to the "red" network
 # (see dhcp-range for the declaration of the "red" network)
-# Note that the net: part must precede the option: part.
-#dhcp-option = net:red, option:ntp-server, 192.168.1.1
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
 
 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
@@ -329,7 +341,7 @@
 # Reboot time. (Note 'i' to send 32-bit value)
 #dhcp-option-force=211,30i
 
-# Set the boot filename for BOOTP. You will only need 
+# Set the boot filename for netboot/PXE. You will only need 
 # this is you want to boot machines over the network and you will need
 # a TFTP server; either dnsmasq's built in TFTP server or an
 # external one. (See below for how to enable the TFTP server.)
@@ -338,10 +350,54 @@
 # Boot for Etherboot gPXE. The idea is to send two different
 # filenames, the first loads gPXE, and the second tells gPXE what to
 # load. The dhcp-match sets the gpxe tag for requests from gPXE.
-#dhcp-match=gpxe,175 # gPXE sends a 175 option.
-#dhcp-boot=net:#gpxe,undionly.kpxe
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
 #dhcp-boot=mybootimage
  
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b         # priority code
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp 
+#dhcp-option=encap:175, 177, string   # bus-id 
+#dhcp-option=encap:175, 189, 1b       # BIOS drive code
+#dhcp-option=encap:175, 190, user     # iSCSI username
+#dhcp-option=encap:175, 191, pass     # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux 
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf  
+
+  
 # Enable dnsmasq's built-in TFTP server
 #enable-tftp
 
@@ -352,11 +408,17 @@
 # the user dnsmasq is running as will be send over the net.
 #tftp-secure
 
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP 
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
 # Set the boot file name only when the "red" tag is set.
 #dhcp-boot=net:red,pxelinux.red-net
 
-# An example of dhcp-boot with an external server: the name and IP
+# An example of dhcp-boot with an external TFTP server: the name and IP
 # address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
 
 # Set the limit on DHCP leases, the default is 150
@@ -409,7 +471,8 @@
 #alias=1.2.3.4,5.6.7.8
 # and this maps 1.2.3.x to 5.6.7.x
 #alias=1.2.3.0,5.6.7.0,255.255.255.0
-
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 
 # Change these lines if you want dnsmasq to serve MX records.
 
@@ -439,11 +502,11 @@
 # set for this to work.)
 
 # A SRV record sending LDAP for the example.com domain to
-# ldapserver.example.com port 289
+# ldapserver.example.com port 389
 #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
 
 # A SRV record sending LDAP for the example.com domain to
-# ldapserver.example.com port 289 (using domain=)
+# ldapserver.example.com port 389 (using domain=)
 #domain=example.com
 #srv-host=_ldap._tcp,ldapserver.example.com,389
 

doc.html

@@ -11,7 +11,7 @@ Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
  server and allows machines with DHCP-allocated addresses
  to appear in the DNS with names configured either in each host or
  in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP for network booting of diskless machines.
+ DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.
 <P>
  Dnsmasq is targeted at home networks using NAT and 
 connected to the internet via a modem, cable-modem or ADSL
@@ -89,12 +89,15 @@ Dnsmasq is part of the Debian distribution, it can be downloaded from
 <A HREF="http://ftp.debian.org/debian/pool/main/d/dnsmasq/"> here</A> or installed using <TT>apt</TT>.
 
 <H2>Links.</H2>
-There is an article in German on dnsmasq at <A
-HREF="http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html">http://www.linuxnetmag.com/de/issue7/m7dnsmasq1.html</A>
-and Damien Raude-Morvan has one in French at <A HREF="http://www.drazzib.com/docs-dnsmasq.html">http://www.drazzib.com/docs-dnsmasq.html</A>
+Damien Raude-Morvan has an article in French at <A HREF="http://www.drazzib.com/docs-dnsmasq.html">http://www.drazzib.com/docs-dnsmasq.html</A>
 There is a good article about dnsmasq at <A
 HREF="http://www.enterprisenetworkingplanet.com/netos/article.php/3377351">http://www.enterprisenetworkingplanet.com/netos/article.php/3377351</A>
-and Ilya Evseev has an article in Russian about dnsmasq to be found at <A HREF="http://ilya-evseev.narod.ru/articles/dnsmasq"> http://ilya-evseev.narod.ru/articles/dnsmasq</A>
+and another at <A
+HREF="http://www.linux.com/articles/149040">http://www.linux.com/articles/149040</A>
+and Ilya Evseev has an article in Russian about dnsmasq to be found at
+<A HREF="http://ilya-evseev.narod.ru/articles/dnsmasq">
+http://ilya-evseev.narod.ru/articles/dnsmasq</A>. Ismael Ull has an
+article about dnsmasq in Spanish at <A HREF="http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq">http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq</A>
 <H2>License.</H2>
 Dnsmasq is distributed under the GPL. See the file COPYING in the distribution 
 for details.

man/dnsmasq.8

@@ -15,8 +15,8 @@ contents of /etc/hosts so that local hostnames
 which do not appear in the global DNS can be resolved and also answers
 DNS queries for DHCP configured hosts.
 .PP
-The dnsmasq DHCP server supports static address assignments, multiple
-networks, DHCP-relay and RFC3011 subnet specifiers. It automatically
+The dnsmasq DHCP server supports static address assignments and multiple
+networks. It automatically
 sends a sensible default set of DHCP options, and can be configured to
 send any desired set of DHCP options, including vendor-encapsulated
 options. It includes a secure, read-only,
@@ -31,17 +31,22 @@ BSD, unless the GNU getopt library is linked, the long form of the
 options does not work on the command line; it is still recognised in
 the configuration file.
 .TP
+.B --test
+Read and syntax check configuration file(s). Exit with code 0 if all
+is OK, or a non-zero code otherwise. Do not start up dnsmasq.
+.TP
 .B \-h, --no-hosts
 Don't read the hostnames in /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<file>
 Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
 only the specified file. This option may be repeated for more than one
-additional hosts file.
+additional hosts file. If a directory is given, then read all the files contained in that directory. 
 .TP
 .B \-E, --expand-hosts
 Add the domain to simple names (without a period) in /etc/hosts
-in the same way as for DHCP-derived names.
+in the same way as for DHCP-derived names. Note that this does not
+apply to domain names in cnames, PTR records, TXT records etc.
 .TP
 .B \-T, --local-ttl=<time>
 When replying with information from /etc/hosts or the DHCP leases
@@ -60,6 +65,12 @@ cache the reply. This option gives a default value for time-to-live
 (in seconds) which dnsmasq uses to cache negative replies even in 
 the absence of an SOA record. 
 .TP
+.B --max-ttl=<time>
+Set a maximum TTL value that will be handed out to clients. The specified
+maximum TTL will be given to clients instead of the true TTL value if it is 
+lower. The true TTL value is however kept in the cache to avoid flooding 
+the upstream DNS servers.
+.TP
 .B \-k, --keep-in-foreground
 Do not go into the background at startup but otherwise run as
 normal. This is intended for use when dnsmasq is run under daemontools
@@ -79,7 +90,8 @@ Set the facility to which dnsmasq will send syslog entries, this
 defaults to DAEMON, and to LOCAL0 when debug mode is in operation. If
 the facility given contains at least one '/' character, it is taken to
 be a filename, and dnsmasq logs to the given file, instead of
-syslog. (Errors whilst reading configuration will still go to syslog,
+syslog. If the facility is '-' then dnsmasq logs to stderr.
+(Errors whilst reading configuration will still go to syslog,
 but all output from a successful startup, and all output whilst
 running, will go exclusively to the file.) When logging to a file,
 dnsmasq will close and reopen the file when it receives SIGUSR2. This 
@@ -118,8 +130,7 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 1280, which is the RFC2671-recommended maximum
-for ethernet.
+forwarder. Defaults to 4096, which is the RFC5625-recommended size.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
@@ -208,13 +219,17 @@ Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192
 which are not found in /etc/hosts or the DHCP leases file are answered
 with "no such domain" rather than being forwarded upstream.
 .TP
-.B \-V, --alias=<old-ip>,<new-ip>[,<mask>]
+.B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
 Modify IPv4 addresses returned from upstream nameservers; old-ip is
 replaced by new-ip. If the optional mask is given then any address
 which matches the masked old-ip will be re-written. So, for instance
 .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 
 will map 1.2.3.56 to 6.7.8.56 and 1.2.3.67 to 6.7.8.67. This is what
-Cisco PIX routers call "DNS doctoring".
+Cisco PIX routers call "DNS doctoring". If the old IP is given as
+range, then only addresses in the range, rather than a whole subnet,
+are re-written. So 
+.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
 .TP 
 .B \-B, --bogus-nxdomain=<ipaddr>
 Transform replies which contain the IP address given into "No such
@@ -268,6 +283,17 @@ Reject (and log) addresses from upstream nameservers which are in the
 private IP ranges. This blocks an attack where a browser behind a
 firewall is used to probe machines on the local network.
 .TP
+.B --rebind-localhost-ok
+Exempt 127.0.0.0/8 from rebinding checks. This address range is
+returned by realtime black hole servers, so blocking it may disable
+these services.
+.TP 
+.B  --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
+Do not detect and block dns-rebind on queries to these domains. The
+argument may be either a single domain, or multiple domains surrounded
+by '/', like the --server syntax, eg. 
+.B  --rebind-domain-ok=/domain1/domain2/domain3/
+.TP
 .B \-n, --no-poll
 Don't poll /etc/resolv.conf for changes.
 .TP
@@ -300,7 +326,19 @@ dots in them. A non-standard port may be specified as
 part of the IP
 address using a # character.
 More than one -S flag is allowed, with
-repeated domain or ipaddr parts as required. 
+repeated domain or ipaddr parts as required.
+
+More specific domains take precendence over less specific domains, so:
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/2.3.4.5
+will send queries for *.google.com to 1.2.3.4, except *www.google.com,
+which will go to 2.3.4.5
+
+The special server address '#' means, "use the standard servers", so
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/#
+will send queries for *.google.com to 1.2.3.4, except *www.google.com which will
+be forwarded as usual.
 
 Also permitted is a -S
 flag which gives a domain but no IP address; this tells dnsmasq that
@@ -418,39 +456,50 @@ Set the maximum number of concurrent DNS queries. The default value is
 where this needs to be increased is when using web-server log file
 resolvers, which can generate large numbers of concurrent queries.
 .TP
-.B \-F, --dhcp-range=[[net:]network-id,]<start-addr>,<end-addr>[[,<netmask>],<broadcast>][,<default lease time>]
+.B \-F, --dhcp-range=[interface:<interface>,][tag:<tag>[,tag:<tag>],][set:<tag],]<start-addr>,<end-addr>[,<netmask>[,<broadcast>]][,<lease time>]
 Enable the DHCP server. Addresses will be given out from the range
 <start-addr> to <end-addr> and from statically defined addresses given
 in 
 .B dhcp-host
 options. If the lease time is given, then leases
 will be given for that length of time. The lease time is in seconds,
-or minutes (eg 45m) or hours (eg 1h) or the literal "infinite". The
+or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
+the default lease time is one hour. The
 minimum lease time is two minutes. This
 option may be repeated, with different addresses, to enable DHCP
 service to more than one network. For directly connected networks (ie,
 networks on which the machine running dnsmasq has an interface) the
 netmask is optional. It is, however, required for networks which
 receive DHCP service via a relay agent. The broadcast address is
-always optional. On some broken systems, dnsmasq can listen on only
-one interface when using DHCP, and the name of that interface must be
-given using the
-.B interface
-option. This limitation currently affects OpenBSD before version 4.0. It is always
-allowed to have more than one dhcp-range in a single subnet. The optional
-network-id is a alphanumeric label which marks this network so that
+always optional. It is always
+allowed to have more than one dhcp-range in a single subnet. 
+
+The optional 
+.B set:<tag> 
+sets an alphanumeric label which marks this network so that
 dhcp options may be specified on a per-network basis. 
-When it is prefixed with 'net:' then its meaning changes from setting
+When it is prefixed with 'tag:' instead, then its meaning changes from setting
 a tag to matching it. Only one tag may be set, but more than one tag may be matched.
 The end address may be replaced by the keyword 
 .B static
 which tells dnsmasq to enable DHCP for the network specified, but not
-to dynamically allocate IP addresses. Only hosts which have static
+to dynamically allocate IP addresses: only hosts which have static
 addresses given via 
 .B dhcp-host
-or from /etc/ethers will be served.
+or from /etc/ethers will be served. The end address may be replaced by
+the keyword
+.B proxy
+in which case dnsmasq will provide proxy-DHCP on the specified
+subnet. (See 
+.B pxe-prompt
+and 
+.B pxe-service
+for details.)
+
+The interface:<interface name> section is not normally used. See the
+NOTES section for details of this.
 .TP
-.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,net:<netid>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
 with a particular hardware address to be always allocated the same
 hostname, IP address and lease time. A hostname specified like this
@@ -465,9 +514,15 @@ an infinite DHCP lease.
 .B --dhcp-host=lap,192.168.0.199 
 tells
 dnsmasq to always allocate the machine lap the IP address
-192.168.0.199. Addresses allocated like this are not constrained to be
-in the range given by the --dhcp-range option, but they must be on the
-network being served by the DHCP server. It is allowed to use client identifiers rather than
+192.168.0.199. 
+
+Addresses allocated like this are not constrained to be
+in the range given by the --dhcp-range option, but they must be in
+the same subnet as some valid dhcp-range.  For
+subnets which don't need a pool of dynamically allocated addresses,
+use the "static" keyword in the dhcp-range declaration.
+
+It is allowed to use client identifiers rather than
 hardware addresses to identify hosts by prefixing with 'id:'. Thus: 
 .B --dhcp-host=id:01:02:03:04,..... 
 refers to the host with client identifier 01:02:03:04. It is also
@@ -481,7 +536,14 @@ but not others.
 If a name appears in /etc/hosts, the associated address can be
 allocated to a DHCP lease, but only if a 
 .B --dhcp-host
-option specifying the name also exists. The special keyword "ignore"
+option specifying the name also exists. Only one hostname can be
+given in a 
+.B dhcp-host
+option, but aliases are possible by using CNAMEs. (See 
+.B --cname
+).
+
+The special keyword "ignore"
 tells dnsmasq to never offer a DHCP lease to a machine. The machine
 can be specified by hardware address, client ID or hostname, for
 instance
@@ -490,13 +552,15 @@ This is
 useful when there is another DHCP server on the network which should
 be used by some machines.
 
-The net:<network-id> sets the network-id tag
+The set:<tag> contruct sets the tag
 whenever this dhcp-host directive is in use. This can be used to 
-selectively send DHCP options just for this host. When a host matches any
+selectively send DHCP options just for this host. More than one tag
+can be set in a dhcp-host directive (but not in other places where
+"set:<tag>" is allowed). When a host matches any
 dhcp-host directive (or one implied by /etc/ethers) then the special
-network-id tag "known" is set. This allows dnsmasq to be configured to
+tag "known" is set. This allows dnsmasq to be configured to
 ignore requests from unknown machines using
-.B --dhcp-ignore=#known
+.B --dhcp-ignore=tag:!known
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
@@ -513,13 +577,15 @@ Token-Ring hardware address, since the ARP-address type for token ring
 is 6. 
 
 As a special case, it is possible to include more than one
-hardware address. This allows an IP address to be associated with
+hardware address. eg:
+.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+This allows an IP address to be associated with
 multiple hardware addresses, and gives dnsmasq permission to abandon a
 DHCP lease to one of the hardware addresses when another one asks for
 a lease. Beware that this is a dangerous thing to do, it will only
 work reliably if only one of the hardware addresses is active at any
-time and there is no way for dnsmasq to enforce this. It is, however
-useful, for instance to allocate a stable IP address to a laptop which
+time and there is no way for dnsmasq to enforce this. It is, for instance,
+useful to allocate a stable IP address to a laptop which
 has both wired and wireless interfaces.
 .TP
 .B --dhcp-hostsfile=<file>
@@ -532,7 +598,12 @@ the file will be re-read when dnsmasq receives SIGHUP.
 .B --dhcp-optsfile=<file>
 Read DHCP option information from the specified file. The advantage of 
 using this option is the same as for --dhcp-hostsfile: the
-dhcp-optsfile will be re-read when dnsmasq receives SIGHUP.
+dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
+it is possible to encode the information in a
+.B --dhcp-boot
+flag as DHCP options, using the options names bootfile-name,
+server-ip-address and tftp-server. This allows these to be included
+in a dhcp-optsfile.
 .TP 
 .B \-Z, --read-ethers
 Read /etc/ethers for information about hosts for the DHCP server. The
@@ -543,7 +614,7 @@ have exactly the same effect as
 options containing the same information. /etc/ethers is re-read when 
 dnsmasq receives SIGHUP.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
+.B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
 Specify different or extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
@@ -566,8 +637,8 @@ or
 The special address 0.0.0.0 is taken to mean "the address of the
 machine running dnsmasq". Data types allowed are comma separated
 dotted-quad IP addresses, a decimal number, colon-separated hex digits
-and a text string. If the optional network-ids are given then
-this option is only sent when all the network-ids are matched.
+and a text string. If the optional tags are given then
+this option is only sent when all the tags are matched.
 
 Special processing is done on a text argument for option 119, to
 conform with RFC 3397. Text or dotted-quad IP addresses as arguments
@@ -603,10 +674,24 @@ client. It is
 possible to omit the vendorclass completely;
 .B --dhcp-option=vendor:,1,0.0.0.0
 in which case the encapsulated option is always sent.
+
+Options may be encapsulated within other options: for instance
+.B --dhcp-option=encap:175, 190, "iscsi-client0"
+will send option 175, within which is the option 190. If multiple
+options are given which are encapsulated with the same option number
+then they will be correctly combined into one encapsulated option.
+encap: and vendor: are may not both be set in the same dhcp-option.
+
+The final variant on encapsulated options is "Vendor-Identifying
+Vendor Options" as specified by RFC3925. These are denoted like this: 
+.B --dhcp-option=vi-encap:2, 10, "text"
+The number in the vi-encap: section is the IANA enterprise number
+used to identify this option.
+
 The address 0.0.0.0 is not treated specially in
-encapsulated vendor class options.
+encapsulated options.
 .TP
-.B --dhcp-option-force=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+.B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 This works in exactly the same way as
 .B --dhcp-option
 except that the option will always be sent, even if the client does
@@ -621,20 +706,20 @@ DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
 .TP
-.B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
-Map from a vendor-class string to a network id tag. Most DHCP clients provide a 
+.B \-U, --dhcp-vendorclass=set:<tag>,<vendor-class>
+Map from a vendor-class string to a tag. Most DHCP clients provide a 
 "vendor class" which represents, in some sense, the type of host. This option 
 maps vendor classes to tags, so that DHCP options may be selectively delivered
 to different classes of hosts. For example 
-.B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
+.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 will allow options to be set only for HP printers like so:
-.B --dhcp-option=printers,3,192.168.4.4 
+.B --dhcp-option=tag:printers,3,192.168.4.4 
 The vendor-class string is
 substring matched against the vendor-class supplied by the client, to
-allow fuzzy matching.
+allow fuzzy matching. The set: prefix is optional but allowed for consistency.
 .TP
-.B \-j, --dhcp-userclass=<network-id>,<user-class>
-Map from a user-class string to a network id tag (with substring
+.B \-j, --dhcp-userclass=set:<tag>,<user-class>
+Map from a user-class string to a tag (with substring
 matching, like vendor classes). Most DHCP clients provide a 
 "user class" which is configurable. This option
 maps user classes to tags, so that DHCP options may be selectively delivered
@@ -642,62 +727,162 @@ to different classes of hosts. It is possible, for instance to use
 this to set a different printer server for hosts in the class
 "accounts" than for hosts in the class "engineering".
 .TP
-.B \-4, --dhcp-mac=<network-id>,<MAC address>
-Map from a MAC address to a network-id tag. The MAC address may include
+.B \-4, --dhcp-mac=set:<tag>,<MAC address>
+Map from a MAC address to a tag. The MAC address may include
 wildcards. For example
-.B --dhcp-mac=3com,01:34:23:*:*:*
+.B --dhcp-mac=set:3com,01:34:23:*:*:*
 will set the tag "3com" for any host whose MAC address matches the pattern.
 .TP
-.B --dhcp-circuitid=<network-id>,<circuit-id>, --dhcp-remoteid=<network-id>,<remote-id>
-Map from RFC3046 relay agent options to network-id tags. This data may
+.B --dhcp-circuitid=set:<tag>,<circuit-id>, --dhcp-remoteid=set:<tag>,<remote-id>
+Map from RFC3046 relay agent options to tags. This data may
 be provided by DHCP relay agents. The circuit-id or remote-id is
 normally given as colon-separated hex, but is also allowed to be a
 simple string. If an exact match is achieved between the circuit or
-agent ID and one provided by a relay agent, the network-id tag is set.
+agent ID and one provided by a relay agent, the tag is set.
 .TP
-.B --dhcp-subscrid=<network-id>,<subscriber-id>
-Map from RFC3993 subscriber-id relay agent options to network-id tags.
+.B --dhcp-subscrid=set:<tag>,<subscriber-id>
+Map from RFC3993 subscriber-id relay agent options to tags.
 .TP
-.B --dhcp-match=<network-id>,<option number>
-Set the network-id tag if the client sends a DHCP option of the given
-number. This can be used to identify particular clients which send
-information using private option numbers.
+.B --dhcp-proxy[=<ip addr>]......
+A normal DHCP relay agent is only used to forward the initial parts of
+a DHCP interaction to the DHCP server. Once a client is configured, it
+communicates directly with the server. This is undesirable if the
+relay agent is addding extra information to the DHCP packets, such as
+that used by
+.B dhcp-circuitid
+and
+.B dhcp-remoteid.
+A full relay implementation can use the RFC 5107 serverid-override
+option to force the DHCP server to use the relay as a full proxy, with all
+packets passing through it. This flag provides an alternative method
+of doing the same thing, for relays which don't support RFC
+5107. Given alone, it manipulates the server-id for all interactions
+via relays. If a list of IP addresses is given, only interactions via
+relays at those addresses are affected.
 .TP
-.B \-J, --dhcp-ignore=<network-id>[,<network-id>]
-When all the given network-ids match the set of network-ids derived
-from the net, host, vendor and user classes, ignore the host and do
+.B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
+Without a value, set the tag if the client sends a DHCP
+option of the given number or name. When a value is given, set the tag only if
+the option is sent and matches the value. The value may be of the form
+"01:ff:*:02" in which case the value must match (apart from widcards)
+but the option sent may have unmatched data past the end of the
+value. The value may also be of the same form as in 
+.B dhcp-option
+in which case the option sent is treated as an array, and one element
+must match, so
+
+--dhcp-match=set:efi-ia32,option:client-arch,6
+
+will set the tag "efi-ia32" if the the number 6 appears in the list of
+architectures sent by the client in option 93. (See RFC 4578 for
+details.)  If the value is a string, substring matching is used.
+
+The special form with vi-encap:<enterpise number> matches against
+vendor-identifying vendor classes for the specified enterprise. Please
+see RFC 3925 for more details of these rare and interesting beasts.
+.TP
+.B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
+Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
+all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
+If no tag:<tag> appears set:<tag> tags are set unconditionally.
+Any number of set: and tag: forms may appear, in any order. 
+Tag-if lines ares executed in order, so if the tag in tag:<tag> is a
+tag set by another
+.B tag-if,
+the line which sets the tag must precede the one which tests it.
+.TP
+.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
+When all the given tags appear in the tag set ignore the host and do
 not allocate it a DHCP lease.
 .TP
-.B --dhcp-ignore-names[=<network-id>[,<network-id>]]
-When all the given network-ids match the set of network-ids derived
-from the net, host, vendor and user classes, ignore any hostname
+.B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
+When all the given tags appear in the tag set, ignore any hostname
 provided by the host. Note that, unlike dhcp-ignore, it is permissible
-to supply no netid tags, in which case DHCP-client supplied hostnames
+to supply no tags, in which case DHCP-client supplied hostnames
 are always ignored, and DHCP hosts are added to the DNS using only
 dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
 /etc/ethers.
 .TP
-.B --dhcp-broadcast=<network-id>[,<network-id>]
-When all the given network-ids match the set of network-ids derived
-from the net, host, vendor and user classes, always use broadcast to
-communicate with the host when it is unconfigured. Most DHCP clients which
+.B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
+Generate a name for DHCP clients which do not otherwise have one,
+using the MAC address expressed in hex, seperated by dashes. Note that
+if a host provides a name, it will be used by preference to this,
+unless 
+.B --dhcp-ignore-names 
+is set.
+.TP
+.B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
+When all the given tags appear in the tag set, always use broadcast to
+communicate with the host when it is unconfigured. It is permissible
+to supply no tags, in which case this is unconditional. Most DHCP clients which
 need broadcast replies set a flag in their requests so that this
 happens automatically, some old BOOTP clients do not.
 .TP
-.B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
+.B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>]]
 Set BOOTP options to be returned by the DHCP server. Server name and
 address are optional: if not provided, the name is left empty, and the
 address set to the address of the machine running dnsmasq. If dnsmasq
 is providing a TFTP service (see 
 .B --enable-tftp
 ) then only the filename is required here to enable network booting.
-If the optional network-id(s) are given,
-they must match for this configuration to be sent. Note that
-network-ids are prefixed by "net:" to distinguish them.
+If the optional tag(s) are given,
+they must match for this configuration to be sent. 
+.TP
+.B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>]
+Most uses of PXE boot-ROMS simply allow the PXE
+system to obtain an IP address and then download the file specified by
+.B dhcp-boot
+and execute it. However the PXE system is capable of more complex
+functions when supported by a suitable DHCP server.
+
+This specifies a boot option which may appear in a PXE boot menu. <CSA> is
+client system type, only services of the correct type will appear in a
+menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
+Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI; an
+integer may be used for other types. The
+parameter after the menu text may be a file name, in which case dnsmasq acts as a
+boot server and directs the PXE client to download the file by TFTP,
+either from itself (
+.B enable-tftp 
+must be set for this to work) or another TFTP server if the final IP
+address is given.
+Note that the "layer"
+suffix (normally ".0") is supplied by PXE, and should not be added to
+the basename. If an integer boot service type, rather than a basename
+is given, then the PXE client will search for a
+suitable boot service for that type on the network. This search may be done
+by broadcast, or direct to a server if its IP address is provided.  
+If no boot service type or filename is provided (or a boot service type of 0 is specified)
+then the menu entry will abort the net boot procedure and
+continue booting from local media.
+.TP
+.B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
+Setting this provides a prompt to be displayed after PXE boot. If the
+timeout is given then after the
+timeout has elapsed with no keyboard input, the first available menu
+option will be automatically executed. If the timeout is zero then the first available menu
+item will be executed immediately. If 
+.B pxe-prompt
+is ommitted the system will wait for user input if there are multiple
+items in the menu, but boot immediately if
+there is only one. See
+.B pxe-service 
+for details of menu items.
+
+Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
+the network is responsible for allocating IP addresses, and dnsmasq
+simply provides the information given in 
+.B pxe-prompt
+and
+.B pxe-service
+to allow netbooting. This mode is enabled using the
+.B proxy
+keyword in
+.B dhcp-range.
 .TP  
 .B \-X, --dhcp-lease-max=<number>
 Limits dnsmasq to the specified maximum number of DHCP leases. The
-default is 150. This limit is to prevent DoS attacks from hosts which
+default is 1000. This limit is to prevent DoS attacks from hosts which
 create thousands of leases and use lots of memory in the dnsmasq
 process.
 .TP
@@ -734,22 +919,16 @@ tried. This flag disables this check. Use with caution.
 .TP
 .B --log-dhcp
 Extra logging for DHCP: log all the options sent to DHCP clients and
-the netid tags used to determine them.
+the tags used to determine them.
 .TP
 .B \-l, --dhcp-leasefile=<path>
-Use the specified file to store DHCP lease information. If this option
-is given but no dhcp-range option is given then dnsmasq version 1
-behaviour is activated. The file given is assumed to be an ISC dhcpd
-lease file and parsed for leases which are then added to the DNS
-system if they have a hostname. This functionality may have been
-excluded from dnsmasq at compile time, in which case an error will
-occur. In any case note that ISC leasefile integration is a deprecated
-feature. It should not be used in new installations, and will be
-removed in a future release.
+Use the specified file to store DHCP lease information.
 .TP 
 .B \-6 --dhcp-script=<path>
 Whenever a new DHCP lease is created, or an old one destroyed, the
-executable specified by this option is run. The arguments to the process
+executable specified by this option is run.  <path>
+must be an absolute pathname, no PATH search occurs. 
+The arguments to the process
 are "add", "old" or "del", the MAC
 address of the host, the IP address, and the hostname,
 if known. "add" means a lease has been created, "del" means it has
@@ -760,35 +939,61 @@ If the MAC address is from a network type other than ethernet,
 it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
 token ring. The process is run as root (assuming that dnsmasq was originally run as
 root) even if dnsmasq is configured to change UID to an unprivileged user.
-The environment is inherited from the invoker of dnsmasq, and if the
-host provided a client-id, this is stored in the environment variable
-DNSMASQ_CLIENT_ID. If the fully-qualified domain name of the host is
-known, the domain part is stored in DNSMASQ_DOMAIN. 
-If the client provides vendor-class or user-class 
-information, these are provided in DNSMASQ_VENDOR_CLASS and 
+
+The environment is inherited from the invoker of dnsmasq, with some or
+all of the following variables added.
+
+DNSMASQ_CLIENT_ID if the host provided a client-id.
+
+DNSMASQ_DOMAIN if the fully-qualified domain name of the host is
+known, this is set to the  domain part.
+
+If the client provides vendor-class, hostname or user-class, 
+these are provided in DNSMASQ_VENDOR_CLASS
+DNSMASQ_SUPPLIED_HOSTNAME and 
 DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for
 "add" actions or "old" actions when a host resumes an existing lease,
 since these data are not held in dnsmasq's lease
-database. If dnsmasq was compiled with HAVE_BROKEN_RTC, then
+database.
+
+If dnsmasq was compiled with HAVE_BROKEN_RTC, then
 the length of the lease (in seconds) is stored in
 DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
 DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
 always stored in DNSMASQ_TIME_REMAINING. 
+
 If a lease used to have a hostname, which is
 removed, an "old" event is generated with the new state of the lease, 
 ie no name, and the former name is provided in the environment 
-variable DNSMASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE stores the name of
+variable DNSMASQ_OLD_HOSTNAME. 
+
+DNSMASQ_INTERFACE stores the name of
 the interface on which the request arrived; this is not set for "old"
-actions when dnsmasq restarts.
+actions when dnsmasq restarts. 
+
+DNSMASQ_RELAY_ADDRESS is set if the client
+used a DHCP relay to contact dnsmasq and the IP address of the relay
+is known. 
+
+DNSMASQ_TAGS contains all the tags set during the
+DHCP transaction, separated by spaces.
+
 All file descriptors are
 closed except stdin, stdout and stderr which are open to /dev/null
 (except in debug mode).
-The script is not invoked concurrently: if subsequent lease 
-changes occur, the script is not invoked again until any existing 
-invocation exits. At dnsmasq startup, the script will be invoked for
+
+The script is not invoked concurrently: at most one instance
+of the script is ever running (dnsmasq waits for an instance of script to exit
+before running the next). Changes to the lease database are which
+require the script to be invoked are queued awaiting exit of a running instance.
+If this queueing allows multiple state changes occur to a single
+lease before the script can be run then 
+earlier states are discarded and the current state of that lease is
+reflected when the script finally runs. 
+
+At dnsmasq startup, the script will be invoked for
 all existing leases as they are read from the lease file. Expired
-leases will be called with "del" and others with "old". <path>
-must be an absolute pathname, no PATH search occurs. When dnsmasq
+leases will be called with "del" and others with "old". When dnsmasq
 receives a HUP signal, the script will be invoked for existing leases
 with an "old " event.
 .TP
@@ -811,8 +1016,8 @@ to the client-id and lease length and expiry time.
 .TP
 .B --bridge-interface=<interface>,<alias>[,<alias>]
 Treat DHCP request packets arriving at any of the <alias> interfaces
-as if they had arrived at <interface>. This option is only available
-on BSD platforms, and is necessary when using "old style" bridging, since
+as if they had arrived at <interface>. This option is necessary when
+using "old style" bridging on BSD platforms, since
 packets arrive at tap interfaces which don't have an IP address.
 .TP
 .B \-s, --domain=<domain>[,<address range>]
@@ -857,17 +1062,20 @@ without an address specified when
 .B --dhcp-fqdn 
 is set.
 .TP
-.B --enable-tftp
+.B --enable-tftp[=<interface>]
 Enable the TFTP server function. This is deliberately limited to that
 needed to net-boot a client. Only reading is allowed; the tsize and
-blksize extensions are supported (tsize is only supported in octet mode).
+blksize extensions are supported (tsize is only supported in octet
+mode). See NOTES section for use of the interface argument.
+
 .TP
-.B --tftp-root=<directory>
+.B --tftp-root=<directory>[,<interface>]
 Look for files to transfer using TFTP relative to the given
 directory. When this is set, TFTP paths which include ".." are
 rejected, to stop clients getting outside the specified root.
 Absolute paths (starting with /) are allowed, but they must be within
-the tftp-root.
+the tftp-root. If the optional interface argument is given, the
+directory is only used for TFTP requests via that interface.
 .TP
 .B --tftp-unique-root
 Add the IP address of the TFTP client as a path component on the end
@@ -917,10 +1125,11 @@ of concurrent TFTP connections is limited by the size of the port range.
 Specify a different configuration file. The conf-file option is also allowed in
 configuration files, to include multiple configuration files.
 .TP
-.B \-7, --conf-dir=<directory>
+.B \-7, --conf-dir=<directory>[,<file-extension>......]
 Read all the files in the given directory as configuration
-files. Files whose names end in ~ or start with . or start and end
-with # are skipped. This flag may be given on the command
+files. If extension(s) are given, any files which end in those
+extensions are skipped. Any files whose names end in ~ or start with . or start and end
+with # are always skipped. This flag may be given on the command
 line or in a configuration file.
 .SH CONFIG FILE
 At startup, dnsmasq reads
@@ -1053,31 +1262,41 @@ the CNAME. To work around this, add the CNAME to /etc/hosts so that
 the CNAME is shadowed too.
 
 .PP
-The network-id system works as follows: For each DHCP request, dnsmasq
-collects a set of valid network-id tags, one from the 
+The tag system works as follows: For each DHCP request, dnsmasq
+collects a set of valid tags from active configuration lines which
+include set:<tag>, including one from the 
 .B dhcp-range
 used to allocate the address, one from any matching 
 .B dhcp-host
 (and "known" if a dhcp-host matches) 
-the tag "bootp" for BOOTP requests, a tag whose name is the 
-name if the interface on which the request arrived,
-and possibly many from matching vendor classes and user
-classes sent by the DHCP client. Any 
+The tag "bootp" is set for BOOTP requests, and a tag whose name is the 
+name of the interface on which the request arrived is also set.
+
+Any configuration lines which includes one or more tag:<tag> contructs
+will only be valid if all that tags are matched in the set derived
+above. Typically this is dhcp-option.
 .B dhcp-option 
-which has network-id tags will be used in preference  to an untagged 
+which has tags will be used in preference  to an untagged 
 .B dhcp-option,
 provided that _all_ the tags match somewhere in the
-set collected as described above. The prefix '#' on a tag means 'not'
-so --dhcp=option=#purple,3,1.2.3.4 sends the option when the
-network-id tag purple is not in the set of valid tags.
+set collected as described above. The prefix '!' on a tag means 'not'
+so --dhcp=option=tag:!purple,3,1.2.3.4 sends the option when the
+tag purple is not in the set of valid tags. (If using this in a
+command line rather than a configuration file, be sure to escape !,
+which is a shell metacharacter)
 .PP
-If the network-id in a
+Note that for 
 .B dhcp-range 
-is prefixed with 'net:' then its meaning changes from setting a
-tag to matching it. Thus if there is more than dhcp-range on a subnet,
-and one is tagged with a network-id which is set (for instance
-from a vendorclass option) then hosts which set the netid tag will be 
-allocated addresses in the tagged range.
+both tag:<tag> and set:<tag> are allowed, to both select the range in
+use based on (eg) dhcp-host, and to affect the options sent, based on
+the range selected.
+
+This system evolved from an earlier, more limited one and for backward
+compatibility "net:" may be used instead of "tag:" and "set:" may be
+omitted. (Except in 
+.B dhcp-host,
+where "net:" may be used instead of "set:".) For the same reason, '#'
+may be used instead of '!' to indicate NOT.
 .PP 
 The DHCP server in dnsmasq will function as a BOOTP server also,
 provided that the MAC address and IP address for clients are given,
@@ -1090,11 +1309,56 @@ configurations or in
 configuration option is present to activate the DHCP server
 on a particular network. (Setting --bootp-dynamic removes the need for
 static address mappings.) The filename
-parameter in a BOOTP request is matched against netids in
-.B  dhcp-option 
-configurations, as is the tag "bootp", allowing some control over the options returned to
+parameter in a BOOTP request is used as a tag,
+as is the tag "bootp", allowing some control over the options returned to
 different classes of hosts.
 
+.B dhcp-range
+may have an interface name supplied as
+"interface:<interface-name>". The semantics if this are as follows:
+For DHCP, if any other dhcp-range exists _without_ an interface name,
+then the interface name is ignored and and dnsmasq behaves as if the
+interface parts did not exist, otherwise DHCP is only provided to 
+interfaces mentioned in dhcp-range
+declarations. For DNS, if there are no
+.B --interface
+or 
+.B --listen-address
+flags, behaviour is unchanged by the interface part. If either of
+these flags are present, the interfaces mentioned in
+dhcp-ranges are added to the set which get DNS service.
+
+Similarly, 
+.B enable-tftp
+may take an interface name, which enables TFTP only for a particular
+interface, ignoring 
+.B --interface 
+or
+.B --listen-address
+flags. In addition 
+.B --tftp-secure
+and
+.B --tftp-unique-root
+and
+.B --tftp-no-blocksize
+are ignored for requests from such interfaces. (A 
+.B --tftp-root
+directive giving a root path and an interface should be 
+provided too.)
+
+These rules may seem odd at first sight, but  they
+allow a single line  of the form "dhcp-range=interface:virt0,192.168.0.4,192.168.0.200"
+to be added to dnsmasq configuration which then supplies
+DHCP and DNS services to that interface, without affecting
+what services are supplied to other interfaces and irrespective of 
+the existance or lack of "interface=<interface>" 
+lines elsewhere in the dnsmasq configuration.
+"enable-tftp=virt0" and "tftp-root=<root>,virt0" do the same job for TFTP.
+ The idea is
+that such a line can be added automatically by libvirt
+or equivalent systems, without disturbing any manual
+configuration.
+
 .SH EXIT CODES
 .PP
 0 - Dnsmasq successfully forked into the background, or terminated
@@ -1125,10 +1389,7 @@ following applies to dnsmasq-2.37: earlier versions did not scale as well.
  
 .PP
 Dnsmasq is capable of handling DNS and DHCP for at least a thousand
-clients. Clearly to do this the value of 
-.B --dhcp-lease-max
-must be increased,
-and lease times should not be very short (less than one hour). The
+clients. The DHCP lease times should not be very short (less than one hour). The
 value of 
 .B --dns-forward-max 
 can be increased: start with it equal to
@@ -1160,6 +1421,24 @@ or an additional hosts file. The list can be very long,
 dnsmasq has been tested successfully with one million names. That size
 file needs a 1GHz processor and about 60Mb of RAM.
 
+.SH INTERNATIONALISATION
+Dnsmasq can be compiled to support internationalisation. To do this,
+the make targets "all-i18n" and "install-i18n" should be used instead of
+the standard targets "all" and "install". When internationalisation
+is compiled in, dnsmasq will produce log messages in the local
+language and support internationalised domain names (IDN). Domain
+names in /etc/hosts, /etc/ethers and /etc/dnsmasq.conf which contain
+non-ASCII characters will be translated to the DNS-internal punycode
+representation. Note that
+dnsmasq determines both the language for messages and the assumed
+charset for configuration
+files from the LANG environment variable. This should be set to the system
+default value by the script which is responsible for starting
+dnsmasq. When editing the configuration files, be careful to do so
+using only the system-default locale and not user-specific one, since
+dnsmasq has no direct way of determining the charset in use, and must
+assume that it is the system default. 
+ 
 .SH FILES
 .IR /etc/dnsmasq.conf 
 

man/es/dnsmasq.8

@@ -17,9 +17,8 @@ resueltos. Tambi
 vía DHCP.
 .PP
 El servidor DHCP dnsmasq incluye soporte para asignación de direcciones
-estáticas, redes múltiples, DHCP-relay y especificadores de subredes
-RFC3011. Automáticamente envía un predeterminado sensible de opciones
-DHCP, y puede ser configurado para enviar cualquier opciones DHCP deseadas,
+estáticas y redes múltiples. Automáticamente envía un predeterminado sensible de
+opciones DHCP, y puede ser configurado para enviar cualquier opciones DHCP deseadas,
 incluyendo opciones encapsuladas por vendedores. Incluye un servidor seguro
 TFTP solo-lectura para permitir el inicio vía red/PXE de hosts DHCP. Tambíen
 incluye soporte para BOOTP.
@@ -33,17 +32,25 @@ archivo PID. En BSD, a menos que la librer
 la forma larga de las opciones no funciona en la línea de comandos,
 pero todavía es reconocida en el archivo de configuración.
 .TP
+.B --test
+Leer archivo(s) de configuración y revisar su sintaxis. Salir con código
+0 si todo está bien, o un código no-cero en cualquier otro caso. No
+iniciar dnsmasq.
+.TP
 .B \-h, --no-hosts
 No leer los nombres de hosts en /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<archivo>
 Archivo de hosts adicional. Leer el archivo especificado adicionalmente
 a /etc/hosts. Si se brinda -h, leer solo el archivo especificado. Esta
-opción puede ser repetida para más de un archivo de hosts adicional.
+opción puede ser repetida para más de un archivo de hosts adicional. Si
+un directorio es brindado, entonces leer todos los archivos contenidos en
+ese directorio.
 .TP
 .B \-E, --expand-hosts
 Agregar el dominio a nombres sencillos (sin punto) en /etc/hosts de la
-misma manera que con nombres derivados de DHCP.
+misma manera que con nombres derivados de DHCP. Nótese que esto no
+aplica a nombres de dominio en cnames, expedientes PTR, TXT, etc.
 .TP
 .B \-T, --local-ttl=<tiempo>
 Al responder con información desde /etc/hosts o desde el archivo
@@ -61,8 +68,14 @@ informaci
 dnsmasq usa para hacer caché. Si las respuestas de servidores upstream
 omiten esta información, dnsmasq no mete la respuesta en el caché.
 Esta opción brinda un valor predeterminado para el time-to-live que
-dnsmasq usa para meter respuestas en el caché aún en la ausencia de
-un expediente SOA.
+dnsmasq usa para meter respuestas negativas en el caché aún en la
+ausencia de un expediente SOA.
+.TP
+.B --max-ttl=<tiempo>
+Fijar un valor TTL (tiempo de vida) máximo que será entregado a
+clientes. El TTL máximo especificado será otorgado a clientes en vez
+del TTL verdadero si es menor. El valor TTL real es mantenido en el caché
+para prevenir la inundación de los servidores DNS upstream.
 .TP
 .B \-k, --keep-in-foreground
 No ir hacia el fondo al iniciar, pero aparte de eso ejecutar como
@@ -84,7 +97,8 @@ Fijar la facilidad a la cual dnsmasq deber
 esto es DAEMON por predeterminado, y LOCAL0 cuando el modo debug está
 en operación. Si la facilidad brindada contiene por lo menos un carácter
 "/", se trata como un nombre de archivo, y dnsmasq bitacoreará a dicho
-archivo, en vez de syslog. (Errores durante la lectura de la configuración
+archivo, en vez de syslog. Si la facilidad es '-' entonces dnsmasq
+bitacorea a stderr. (Errores durante la lectura de la configuración
 irán a syslog todavía, pero todo output desde un inicio exitoso, y todo
 output mientras en ejecución, irá a este archivo exclusivamente.)
 Al bitacorear a un archivo, dnsmasq cerrará y reabrirá el archivo al
@@ -127,8 +141,8 @@ solo DHCP y/o TFTP.
 .TP
 .B \-P, --edns-packet-max=<tamaño>
 Especificar el paquete UDP EDNS.0 más grande que es soportado por
-el reenviador DNS. Por predeterminado es 1280, lo cual es el
-máximo recomendado en RFC2671 para ethernet.
+el reenviador DNS. Por predeterminado es 4096, lo cual es el
+tamaño recomendado en RFC5625.
 .TP
 .B \-Q, --query-port=<puerto>
 Enviar búsquedas outbound desde, y escuchar por respuestas en,
@@ -225,15 +239,19 @@ privados (192.168.x.x, etc.) los cuales no se encuentren en
 /etc/hosts o en el archivo de arriendos DHCP es respondida con
 "dominio no existente" en vez de ser reenviada upstream.
 .TP
-.B \-V, --alias=<IP viejo>,<IP nuevo>[,<máscara>]
+.B \-V, --alias=[<IP viejo>]|[<IP inicio>-<IP final>],<IP nuevo>[,<máscara>]
 Modificar direcciones IPv4 retornadas desde servidores DNS upstream;
 <IP viejo> es remplazado con <IP nuevo>. Si la máscara opcional
 es brindada, entonces cualquier dirección que coincida con el
 <IP viejo> enmascarado será re-escrita. Así que, por ejemplo,
 .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 trazará 1.2.3.56 a 6.7.8.56
 y 1.2.3.67 a 6.7.8.67. Esto es lo que
-ruteadores Cisco PIX llaman "DNS doctoring".
-.TP 
+ruteadores Cisco PIX llaman "DNS doctoring". Si la dirección vieja es
+brindada como un rango, entonces solo direcciones en ese rango, y no
+la subred entera, son re-escritas. De tal manera que
+.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+relaciona 192.168.0.10->192.168.0.40 a 10.0.0.10->10.0.0.40
+.TP
 .B \-B, --bogus-nxdomain=<dirección IP>
 Transformar respuestas que contienen la dirección IP brindada a
 respuestas tipo "Dominio no existe". La intención de esto es actuar
@@ -293,6 +311,17 @@ Denegar (y bitacorear) direcciones de servidores upstream que est
 dentro de rangos IP privados. Esto bloquea un ataque donde un navegador
 detrás de un firewall es usado para analizar máquinas en la red local.
 .TP
+.B --rebind-localhost-ok
+Eximir a 127.0.0.0/8 de verificaciones de rebinding. Este rango de
+direcciones es retornado por servidores de tiempo real tipo hoyo
+negro, así que bloquearlo puede deshabilitar estos servicios.
+.TP
+.B  --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
+No detectar y bloquear dns-rebind en búsquedas a estos dominios. El
+argumento puede ser o un dominio sencillo, o múltiples dominios
+rodeados por '/', como el syntax de --server, por ejemplo
+.B  --rebind-domain-ok=/dominio1/dominio2/dominio3/
+.TP
 .B \-n, --no-poll
 No revisar periodicamente a /etc/resolv.conf en busca de cambios.
 .TP
@@ -328,6 +357,20 @@ ser especificado como parte de la direcci
 #. Más de una opción -S es permitida, con partes de dominio o
 dirección IP repetidas como sea necesario.
 
+Dominios más específicos toman precedencia sobre los menos específicos,
+así que:
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/2.3.4.5
+enviará búsquedas por *.google.com hacia 1.2.3.4, excepto
+*www.google.com, el cual irá a 2.3.4.5.
+
+La dirección especial de servidor '#' significa "usar los servidores
+estándares", así que
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/#
+enviará búsquedas por *.google.com hacia 1.2.3.4, excepto
+*www.google.com, el cual será reenviado de manera usual.
+
 También se permite una opción -S la cual brinda un dominio pero
 ninguna dirección IP; esto le dice a dnsmasq que un dominio es local
 y puede responder a búsquedas desde /etc/hosts o DHCP pero nunca
@@ -449,41 +492,51 @@ de casos. La
 es al usar resolvedores de bitácoras de servidores web, los cuales pueden
 generar un número inmenso de búsquedas simultáneas.
 .TP
-.B \-F, --dhcp-range=[[net:]network-id,]<dirección-inicio>,<dirección-final>[[,<máscara>],<broadcast>][,<tiempo de arriendo predeterminado>]
+.B \-F, --dhcp-range=[interface:<interface>,][tag:<tag>[,tag:<tag>],][set:<tag],]<dirección-inicio>,<dirección-final>[,<netmask>[,<broadcast>]][,<tiempo de arriendo>]
 Habilitar el servidor DHCP. Direcciones serán distribuidas desde el
 rango <dirección-inicio> hasta <dirección-final> y desde direcciones definidas
 estáticamente en opciones
 .B dhcp-host
 Si el tiempo de arriendo es especificado, entonces arriendos serán
 otorgados por esa cantidad de tiempo. El tiempo de arriendo es en
-segundos, o minutos (por ejemplo, 45m), o horas (por ejemplo, 1h), o el
-literal "infinite". Esta opción puede ser repetida, con diferentes
+segundos, o minutos (por ejemplo, 45m), u horas (por ejemplo, 1h), o
+"infinite". Si no es brindada, el tiempo de arriendo predeterminado
+es de una hora. El tiempo de arriendo mínimo es de dos minutos.
+Esta opción puede ser repetida, con diferentes
 direcciones, para habilitar servicio DHCP en más de una red. Para
 redes conectadas diréctamente (en otras palabras, redes en las
 cuales la máquina corriendo dnsmasq tiene una interface) la
 máscara de subred es opcional. Pero, es requerida para redes que
 reciben servicio DHCP vía un agente de relay. La dirección de
-broadcast siempre es opcional. En algunos sistemas rotos, dnsmasq
-solo puede escuchar en una interface cuando se usa DHCP, y el
-nombre de esa interface debe ser brindado usando la opción
-.B interface
-Esta limitación actualmente afecta a OpenBSD antes de versión 4.0.
-Siempre se permite tener más de un rango dhcp (dhcp-range) en una
-subred. El parámetro opcional network-id es una etiqueta alfanumérica
-la cual marca esta red de tal forma que opciones dhcp puedan ser
-especificadas en base a cada red.
-Cuando es prefijada con 'net:' entonces el significado cambia
+broadcast siempre es opcional. Siempre se permite tener más de
+un rango dhcp (dhcp-range) en una subred.
+
+El parámetro opcional
+.B set:<tag>
+fija una etiqueta alfanumérica la cual marca esta red de
+tal forma que opciones dhcp puedan ser especificadas en base a cada red.
+Cuando es prefijada con 'tag:' en vez, entonces el significado cambia
 de "fijar etiqueta" a "coincidir con etiqueta". Solo una etiqueta puede
 ser fijada, pero más de una puede ser revisada por coincidencias. La
 dirección final puede ser remplazada por la palabra clave
 .B static
 la cual le dice a dnsmasq que debe habilitar DHCP para la red
-especificada, pero no alocar dinámicamente direcciones IP.
+especificada, pero no alocar dinámicamente direcciones IP:
 Solo hosts que tienen direcciones estáticas brindadas vía
 .B dhcp-host
-o desde /etc/ethers serán servidas.
+o desde /etc/ethers serán servidas. La dirección final puede ser
+remplazada por la palabra clave
+.B proxy
+caso en el cual dnsmasq proveerá proxy-DHCP en la subred especificada. (Ver
+.B pxe-prompt
+y
+.B pxe-service
+para detalles.)
+
+La sección interface:<interface name> no es normalmente usada. Ver la
+sección NOTAS para detalles sobre esto.
 .TP
-.B \-G, --dhcp-host=[<dirección de hardware>][,id:<client_id>|*][,net:<netid>][,<dirección IP>][,<nombre de host>][,<tiempo de arriendo>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<tiempo_de_arriendo>][,ignorar]
 Especificar parámetros por host para el servidor DHCP. Esto permite
 que una máquina con una dirección de hardware particular sea siempre
 alocada el mismo nombre de host, dirección IP, y tiempo de arriendo.
@@ -498,10 +551,15 @@ le dice a dnsmasq que debe darle a la m
 ethernet 00:20:e0:3b:13:af el nombre wap, y un arriendo DHCP infinito.
 .B --dhcp-host=lap,192.168.0.199
 le dice a dnsmasq que siempre debe alocarle a la maquina lap
-la dirección IP 192.168.0.199. Direcciones alocadas de esta manera
-no tienen que estar dentro del rango dado con la opción --dhcp-range,
-pero deben estar en la red siendo servida por el servidor DHCP. Se
-permite usar identificadores de clientes en vez de direcciones de
+la dirección IP 192.168.0.199.
+
+Direcciones alocadas de esta manera no tienen que estar dentro
+del rango dado con la opción --dhcp-range, pero deben estar en la subred
+de un rango DHCP (dhcp-range) válido. Para subredes que no necesitan
+una collección de direcciones dinamicamente alocadas, usar la palabra
+clave "static" in la declaración dhcp-range.
+
+Es permitido usar identificadores de cliente en vez de direcciones de
 hardware para identificar hosts prefijando 'id:'. O sea que:
 .B --dhcp-host=id:01:02:03:04,.....
 se refiere al host con identificador de cliente 01:02:03:04.
@@ -515,7 +573,14 @@ presenta un ID de cliente algunas veces pero otras no.
 Si un nombre aparece en /etc/hosts, la dirección asociada puede
 ser alocada a un arriendo DHCP, pero solo si existe una opción
 .B --dhcp-host
-la cual especifica el nombre también. La palabra clave "ignore"
+la cual especifica el nombre también. Solo un hostname puede ser
+brindado en una opción
+.B dhcp-host
+pero aliases son posibles por medio del uso de CNAMEs. (Ver
+.B --cname
+).
+
+La palabra clave "ignore"
 le dice a dnsmasq que no debe ofrecer jamás un arriendo DHCP a
 una máquina. La máquina puede ser especificada por dirección de
 hardware, ID de cliente, o nombre de host, por ejemplo:
@@ -523,14 +588,16 @@ hardware, ID de cliente, o nombre de host, por ejemplo:
 Esto es útil cuando hay otro servidor DHCP en la red que debe ser
 usado por algúnas máquinas.
 
-El net:<network-id> fija la etiqueta network-id cuando sea que
+El set:<tag> fija la etiqueta cuando sea que
 esta directiva dhcp-host está en uso. Esto puede ser usado para
-enviar selectivamente opciones DHCP a este host. Cuando un host
-coincide con cualquier directiva dhcp-host (o una implicada por
-/etc/ethers) entonces la etiqueta network-id especial "known" es
+enviar selectivamente opciones DHCP a este host. Más de una etiqueta
+puede ser fijada en una directiva dhcp-host (pero no en otros lugares
+donde "set:<tag>" es permitido). Cuando un host coincide con 
+cualquier directiva dhcp-host (o una implicada por
+/etc/ethers) entonces la etiqueta especial "known" es
 fijada. Esto permite que dnsmasq sea configurado para ignorar
 pedidos desde máquinas desconocidas usando
-.B --dhcp-ignore=#known
+.B --dhcp-ignore=tag:!known
 Direcciones ethernet (pero no client-ids) pueden tener bytes
 comodínes, así que por ejemplo
 .B --dhcp-host=00:20:e0:3b:13:*,ignore
@@ -546,14 +613,16 @@ solo coincidir
 el tipo ARP para Token-Ring es 6.
 
 Como caso especial, es posible incluir más de una dirección de
-hardware. Esto permite que una dirección IP sea asociada con
+hardware. Ejemplo:
+.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+Esto permite que una dirección IP sea asociada con
 direcciones de hardware múltiples, y le brinda a dnsmasq permiso
 para abandonar un arriendo DHCP a una de las direcciones de hardware
 cuando otra pide un arriendo. Nótese que esto es algo peligroso,
 sólo funcionará dependiblemente si una de las direcciones de hardware
 está activa en cualquier momento y dnsmasq no tiene forma de enforzar
 esto. Pero es útil, por ejemplo, para alocar una dirección IP estable
-a una laptop que tiene interfaces alámbricas e inalámbricas.
+a una laptop que tiene interface alámbrica e inalámbrica.
 .TP
 .B --dhcp-hostsfile=<archivo>
 Leer información host DHCP desde el archivo especificado. El archivo contiene información de un host por línea. El formato de una línea es igual que texto hacia la derecha de '=' en --dhcp-host. La ventaja de almacenar información host DHCP en este archivo es que puede ser cambiada sin tener que reiniciar dnsmasq. El archivo será re-leído cuando dnsmasq recibe un SIGHUP.
@@ -562,6 +631,11 @@ Leer informaci
 Leer información sobre opciones DHCP desde el archivo especificado. La
 ventaja de usar esta opción es la misma que con --dhcp-hostsfile: el
 archivo dhcp-optsfile será re-leído cuando dnsmasq recibe un SIGHUP.
+Nótese que es posible colocar la información mediante
+.B --dhcp-boot
+como opciones DHCP, usando los nombres de opción bootfile-name,
+server-ip-address, y tftp-server. Esto permite que sean incluidas en
+un archivo dhcp-optsfile.
 .TP
 .B \-Z, --read-ethers
 Leer /etc/ethers en busca de información sobre hosts para el servidor
@@ -569,9 +643,10 @@ DHCP. El formato de /etc/ethers es una direcci
 por ya sea un nombre de host o una dirección IP. Al ser leidas por
 dnsmasq, estas líneas tienen exáctamente el mismo efecto que opciones
 .B --dhcp-host
-que contienen la misma información. /etc/ethers es re-leída cuando dnsmasq recibe un SIGHUP.
+que contienen la misma información. /etc/ethers es re-leída cuando
+dnsmasq recibe un SIGHUP.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
+.B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
 Especificar opciones diferentes o extra a clientes DHCP. Por
 predeterminado, dnsmasq envía algunas opciones estándar a clientes
 DHCP. La máscara de subred y dirección broadcast son fijadas igual
@@ -596,9 +671,9 @@ o
 La dirección especial 0.0.0.0 es entendida que significa "la
 dirección de la máquina que corre dnsmasq". Tipos de data permitidos
 son direcciones IP de cuatro segmentos, un número decimal, dígitos hex
-separados por colones, y un string de texto. Si las network-ids
+separados por colones, y un string de texto. Si las etiquetas
 opcionales son brindadas, entonces esta opción es solo enviada cuando
-todas las network-ids coinciden.
+todas las etiquetas coinciden.
 
 Procesamiento especial es llevado a cabo en un argumento de texto para
 la opción 119, en conforme con RFC3397. Direcciones IP textuales o de
@@ -634,11 +709,23 @@ vendor-class (n
 seleccionar opciones encapsuladas en preferencia sobre cualquiera enviada
 por el cliente. Es posible omitir el vendorclass completamente;
 .B --dhcp-option=vendor:,1,0.0.0.0
-caso en el cuál la opción encapsulada siempre es enviada. La dirección
-0.0.0.0 no es tratada de forma especial en opciones de clase de vendedor
-encapsuladas.
+caso en el cuál la opción encapsulada siempre es enviada.
+Opciones pueden ser encapsuladas dentro de otras opciones, por ejemplo:
+.B --dhcp-option=encap:175, 190, "iscsi-client0"
+enviará opción 175, dentro de la cual está opción 190. Si múltiples
+opciones son brindadas que están encapsuladas con el mismo número de
+opción entonces serán correctamente combinadas en una opción encapsulada.
+encap: y vendor: no pueden ser fijadas ambas dentro de la misma opción dhcp-option.
+
+La variante final en opciones encapsuladas es "Vendor-Identifying Vendor Options"
+como especificado en RFC3925. Estos son denotados así:
+.B --dhcp-option=rfc3925-encap:2, 10, "text"
+El número en la sección rfc3925-encap: es el número enterprise usado
+para identificar esta opción.
+
+La dirección 0.0.0.0 no es tratada de forma especial en opciones encapsuladas.
 .TP
-.B --dhcp-option-force=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+.B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 Esto funciona exáctamente de la misma forma que
 .B --dhcp-option
 excepto que la opción siempre será enviada, aún si el cliente no la pide en
@@ -653,20 +740,21 @@ hacia opciones DHCP. Esto crea espacio extra en el paquete DHCP para opciones,
 pero puede raramente confundir clientes viejos o defectuosos. Esta opción forza
 comportamiento "simple y sencillo" para prevenir problemas en tales casos.
 .TP
-.B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
-Trazar desde un string vendor-class a un network id. La mayoría de los
+.B \-U, --dhcp-vendorclass=set:<tag>,<vendor-class>
+Trazar desde un string vendor-class a una etiqueta. La mayoría de los
 clientes DHCP proveen una "vendor class" la cual representa, en cierto
 sentido, el tipo de host. Esta opción traza clases de vendedor a network
 ids, de tal forma que opciones DHCP pueden ser selectivamente entregadas
 a diferentes clases de hosts. Por ejemplo
-.B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
+.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 peritiría que opciones sean fijadas solo para impresoras HP así:
-.B --dhcp-option=printers,3,192.168.4.4 
+.B --dhcp-option=tag:printers,3,192.168.4.4
 El string vendor-class es coordinado con el vendor-class proveido por
-el cliente, para permitir coincidencias borrosas.
+el cliente, para permitir coincidencias borrosas. El prefijo set: es
+opcional, pero permitido por razones de consistencia.
 .TP
-.B \-j, --dhcp-userclass=<network-id>,<user-class>
-Trazar desde un string user-class a un network id (con coordinación
+.B \-j, --dhcp-userclass=set:<tag>,<user-class>
+Trazar desde un string user-class a una etiqueta (con coordinación
 substring, como con vendor-class). La mayoría de los clientes DHCP
 proveen un "user class" el cual es configurable. Esta opción traza
 clases user a network ids, de tal manera que opciones DHCP puedan
@@ -674,65 +762,166 @@ ser selectivamente enviadas a diferentes tipos de hosts. Es posible,
 por ejemplo, usar esto para especificar una impresora diferente para
 hosts en la clase "cuentas" que para los de la clase "ingenieria".
 .TP
-.B \-4, --dhcp-mac=<network-id>,<dirección MAC>
-Trazar desde una dirección MAC a una network id. La dirección MAC
+.B \-4, --dhcp-mac=set:<tag>,<MAC address>
+Trazar desde una dirección MAC a una etiqueta. La dirección MAC
 puede incluir comodínes. Por ejemplo:
-.B --dhcp-mac=3com,01:34:23:*:*:*
+.B --dhcp-mac=set:3com,01:34:23:*:*:*
 fijaría el tag "3com" a cualquier host el cual su MAC coincida con
 el patrón.
 .TP
 .B --dhcp-circuitid=<network-id>,<circuit-id>, --dhcp-remoteid=<network-id>,<remote-id>
-Trazar de opciones agente de relay RFC3046 a opciones network-id. Estos
+Trazar de opciones agente de relay RFC3046 a etiquetas. Estos
 datos pueden ser proveídos por agentes de relay DHCP. El circuit-id o
 remote-id es normlamente brindado como hex separado por doblepuntos, pero
 también se permite un string simple. Si se obtiene una coincidencia exacta
 entre el circuit o agent ID y uno proveído por un agente de relay,
-network-id es fijado.
+la etiqueta es fijada.
 .TP
-.B --dhcp-subscrid=<network-id>,<subscriber-id>
-Trazar de opciones relay subscriber-id RFC3993 a opciones network-id.
+.B --dhcp-subscrid=set:<tag>,<subscriber-id>
+Trazar de opciones relay subscriber-id RFC3993 a etiquetas.
 .TP
-.B --dhcp-match=<network-id>,<número de opción>
-Fijar la opción network-id si el cliente envía un opción DHCP del nombre
-brindado. Esto puede ser utilizado para identificar clientes particulares
-que envían información usando números privados de opciones.
+.B --dhcp-proxy[=<ip addr>]......
+Un agente de relay normal es usado solamente para reenviar las partes
+iniciales de una interacción DHCP con el servidor DHCP. Una vez que
+un cliente es configurado, se comunica diectamente con el servidor. Esto
+es indeseable si el agente de relay está agregando información extra a
+los paquetes DHCP, tal como usado por
+.B dhcp-circuitid
+y
+.B dhcp-remoteid.
+Una implementación relay completa puede usar la opción serverid-override
+RFC 5107 para obligar al servidor DHCP a usar el relay como un proxy
+completo, con todos los paquetes pasando a travez de el. Esta opción
+provee una manera alternativa de hacer la misma cosa, para relays que
+no tienen soporte RFC 5107. Brindada por si sola, manipula el server-id
+para todas las interacciones via relays. Si una lista de IPs es brindada,
+solo interacciones via relays en esas direcciones son afectadas.
 .TP
-.B \-J, --dhcp-ignore=<network-id>[,<network-id>]
-Cuando todos los network ids brindados coincidan con el juego de
-network ids derivados de las clases net, host, y vendor, ignorar
-el host y no brindarle un arriendo DHCP.
+.B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
+Sin un valor, fijar la etiqueta si el cliente envía una opción
+DHCP del número o valor brindado. Cuando un valor es brindado, fijar la
+etiqueta solo si la opción es enviada y coincide con el valor. El valor puede
+ser de la forma "01:ff:*:02", caso en el cual el valor debe coincidir (aparte
+de los comodines) pero la opción enviada puede tener data que no coincide despues
+del final del valor. El valor también puede ser de la misma forma que
+.B dhcp-option
+caso en el cual la opción enviada es tratada como un array, y un elemento debe
+coincidir, así que
+
+--dhcp-match=set:efi-ia32,option:client-arch,6
+
+fijará la etiqueta a "efi-ia32" si el número 6 aparece en la lista de
+architecturas enviada por los clientes en opción 93. (Ver RFC 4578 para
+detalles.) Si el valor es un string, coincidencia substring es usada.
+
+La forma especial con vi-encap:<enterpise number> busca coincidencia con
+clases de vendedor identificadoras para el enterprise especificado. Por
+favor ver RFC 3925 para mas detalles sobre estas bestias raras e interesantes.
 .TP
-.B --dhcp-ignore-names[=<network-id>[,<network-id>]]
-Cuando todos los network-ids brindados coinciden con el juego de
-network-ids derivado de la red, host, classes de vendedor y usuario,
-ignorar cualquier nombre de host proveido por el host. Nótese que,
-a diferencia de dhcp-ignore, es permisible no brindar ningún tag netid,
+.B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
+Llevar a cabo operaciones boolean en etiquetas. Cualquier etiqueta
+que aparece como set:<tag> es fijada si todas las etiquetas que aparecen
+como tag:<tag> estan fijadas, (o desfijadas cuando tag:!<tag> es
+usado). Si ningún tag:<tag> aparece, etiquetas set:<tag> son fijadas
+incondicionalmente. Cualquier cantidad de formas set: y tag:
+pueden aparecer, en cualquier orden. Líneas tag-if son ejecutadas
+en orden, así que si la etiqueta en tag:<tag> es una etiqueta fijada
+por otra
+.B tag-if,
+la línea que fija la etiqueta debe preceder a la que comprueba.
+.TP
+.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
+Cuando todoas las etiquetas brindadas aparecen en el juego de etiquetas
+ignorar el host y no brindarle un arriendo DHCP.
+.TP
+.B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
+Cuando todos las etiquetas brindadas aparecen en el juego de etiquetas, ignorar cualquier nombre de host proveido por el host. Nótese que,
+a diferencia de dhcp-ignore, es permisible no brindar ninguna etiqueta,
 y en tal caso nombres de host proveidos por clientes DHCP siempre son
 ignorados, y hosts DHCP son agregados al DNS usando solo la configuración
 dhcp-host en dnsmasq y el contenido de /etc/hosts y /etc/ethers.
 .TP
-.B --dhcp-broadcast=<network-id>[,<network-id>]
-Cuando todos los network-ids brindados coinciden con el juego de network-ids
-derivados de la red, host, clases de vendedor y usuarios, siempre usar
-broadcast para comunicarse con el host cuando está sin configurar. La
-mayoría de clientes DHCP que necesitan respuestas broadcast fijan una
-opción en sus pedidos para que esto pase automaticamente, algunos
-clientes BOOTP viejos no lo hacen.
+.B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
+Generar un nombre para clientes DHCP que de otra forma no tienen uno,
+usando la dirección MAC expresada en hex, separada por guiones. Nótese
+que si un host provee un nombre, será usado preferiblemente sobre este,
+a menos que
+.B --dhcp-ignore-names
+esté fijado.
 .TP
-.B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
+.B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
+Cuando todas las etiquetas aparecen en el juego de etiquetas, siempre
+usar broadcast para comunicar con el host cuando no está configurado.
+Es permisible omitir las etiquetas, caso en el cual esto es
+incondicional. La mayoría de clientes DHCP que necesitan
+respuestas broadcast fijan una opción en sus pedidos para que esto pase automaticamente, algunos clientes BOOTP viejos no lo hacen.
+.TP
+.B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>]]
 Fijar opciones BOOTP que han de ser devueltas por el servidor DHCP. Nombre
 y dirección de servidor son opcionales: si no son brindadas, el nombre es
 dejado en blanco, y la dirección es fijada a la de la máquina que corre
 dnsmasq. Si dnsmasq está brindando servicio TFTP (ver
 .B --enable-tftp
 ) entonces solo el nombre de archivo es requirido aquí para habilitar
-el inicio atravéz de una red. Si las opcionales network-ids son brindadas,
+el inicio atravéz de una red. Si las opcionales etiquetas son brindadas,
 ellas deberán coincidir para que esta configuración sea enviada. Nótese
 que network-ids están prefijadas con "net:" para distinguirlas.
-.TP  
+.TP
+.B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>]
+La mayoría de usos para boot-ROMS PXE simplemente permiten al sistema PXE
+obtener una dirección IP y entonces bajar el archivo especificado por
+.B dhcp-boot
+y ejecutarlo. Sin embargo, el sistema PXE es capaz de llevar
+a cabo funciones más complejas cuando están soportadas por un
+servidor DHCP adecuado.
+
+Esto especifica una opción boot que puede aparecer en un menú de boot
+PXE. <CSA> es tipo de sistema de cliente, solo servicios del tipo correcto
+aparecerán en un menú. Los tipos conocidos son x86PC, PC98, IA64_EFI,
+Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI y X86-64_EFI;
+un número entero puede ser utilizado para otros tipos. El parámetro después
+del texto de menú puede ser un nombre de archivo, caso en el cuál dnsmasq
+actúa como un servidor boot y le ordena al cliente PXE bajar el archivo
+vía TFTP, ya sea de sí mismo (
+.B enable-tftp
+debe estar fijado para que esto funcione) o desde otro servidor TFTP si la
+dirección IP final es brindada.
+Nótese que el sufijo "layer" (normalmente ".0") es brindado por PXE, y
+no debe ser agregado al nombre base. Si un número entero es brindado en vez
+de un nombre base, entonces el cliente PXE buscará un servicio boot adecuado
+para ese tipo de red. Esta búsqueda puede ser hecha mediante broadcast,
+o directamente a un servidor si la dirección IP es brindada. Si ningún tipo
+de servicio boot o nombre de archivo es brindado (o un tipo de servicio boot
+de 0 es especificado), entonces la opción de menú abortará el proceso net boot
+y continuará desde el medio local.
+.TP
+.B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
+Fijar esto hace que un aviso sea expuesto despues del boot PXE. Si el timeout
+es brindado, entonces despues que el timeout se haya vencido sin input del
+teclado, la primera opción del menú sera automaticamente ejecutada. Si el
+timeout es cero entonces la primera opción del menú sera automaticamente
+ejecutada. Si
+.B pxe-prompt
+es omitido, el sistema esperará para el input del usuario si hay múltiples
+artículos en el menú, pero hará boot imediatamente si hay solo uno. Ver
+.B pxe-service
+para detalles sobre artículos de menu.
+
+Dnsmasq tiene soporte para "proxy-DHCP" PXE, en este caso otro servidor
+DHCP en la red es responsable por asignar direcciones IP, y dnsmasq
+simplemente provee la dirección brindada en
+.B pxe-prompt
+y
+.B pxe-service
+para permitir boot a travez de la red. Este modo es habilitado usando
+la palabra clave
+.B proxy
+en
+.B dhcp-range.
+.TP
 .B \-X, --dhcp-lease-max=<número>
 Limita a dnsmasq a el número especificado de arriendos DHCP. El
-predeterminado es 150. El limite es para prevenir ataques DoS desde
+predeterminado es 1000. El limite es para prevenir ataques DoS desde
 hosts que crean cientos de arriendos y usan mucha de la memoria del
 proceso dnsmasq.
 .TP
@@ -772,23 +961,16 @@ cuidado.
 .TP
 .B --log-dhcp
 Bitacoréo extra para DHCP: Bitacorear todas las opciones enviadas a
-clientes DHCP y las etiquetas netid usadas para determinarlos.
+clientes DHCP y las etiquetas usadas para determinarlos.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Usar el archivo especificado para almacenar información de arriendos
-DHCP. Si esta opción es brindada, pero ninguna opcion dhcp-range es
-brindada, entonces se activa comportamiento tipo dnsmasq versión 1.
-El archivo brindado se asume es un archivo de arriendos dhcpd ISC y
-es analizado en busca de arriendos los cuales son agregados al sistema
-DNS si tienen un nombre de host. Esta funcionalidad pudo haber sido
-excluida de dnsmasq a la hora de compilación, y en tal caso ocurrirá
-un error. Nótese que la integración de archivos de
-arriendo ISC es una caracterísctica depreciada. No debería ser usada
-en instalaciones nuevas, y será eliminada en una versión futura.
+DHCP.
 .TP
 .B \-6 --dhcp-script=<path>
 Cuando un arriendo DHCP nuevo es creado, o uno viejo es
 destruido, el ejecutable especificado por esta opción es ejecutado.
+<path> debe ser un pathname absoluto, ninguna búsqueda PATH ocurre.
 Los argumentos para el binario son "add", "old", o "del", la dirección
 MAC del host, la dirección IP, y el hostname, si es
 conocido. "add" significa que un arriendo ha sido creado, "del" que
@@ -800,36 +982,64 @@ que no es ethernet, tendr
 "06-01:23:45:67:89:ab" para token ring. El proceso es ejecutado como root
 (asumiendo que dnsmasq fue originalmente ejecutado como root) aún si dnsmasq
 está configurado para cambiar su UID a un usuario sin privilegios.
-El ambiente es heredado del usuario que ha invocado a dnsmasq, y si el
-host brindó un client-id, es almacenado en la variable de ambiente
-DNSMASQ_CLIENT_ID. Si el dominio completamente calificado del host
-es conocido, la parte de dominio es almacenada en DNSMASQ_DOMAIN. Si
-el cliente brinda información de clase de vendedoro usuario,
-estos son brindados en las variables DNSMASQ_VENDOR_CLASS y
+
+
+El ambiente es heredado del usuario que ha invocado a dnsmasq, con algunas
+o todas de las siguientes variables agregadas.
+
+DNSMASQ_CLIENT_ID si el host brindo un client-id.
+
+DNSMASQ_DOMAIN si el nombre de dominio completamente calificado del host
+es conocido, esto es fijado a la parte del dominio.
+
+Si el cliente brinda vendor-class, hostname o user-class, estos son
+brindados en las variables
+DNSMASQ_VENDOR_CLASS, DNSMASQ_SUPPLIED_HOSTNAME, y
 DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn, pero solo para acciones "add"
-y "old" cuando un host resume un arriendo existente, dado a que estos
+y "old" cuando un host reanuda un arriendo existente, dado a que estos
 datos no son almacenados en la base de datos de arriendos de dnsmasq.
+
 Si dnsmasq fue compilado con HAVE_BROKEN_RTC, entonces la duración del
 arriendo (en segundos) es almacenada en DNSMASQ_LEASE_LENGTH, de otra
 manera el tiempo de vencimiento es almacenado en DNSMASQ_LEASE_EXPIRES.
 El número de segundos faltante para el vencimiento del arriendo siempre
 es almacenado en DNSMASQ_TIME_REMAINING.
+
 Si un arriendo solía tener un nombre de host, el cual es removido, un
 evento "old" es generado con el nuevo estado del arriendo, (por ejemplo, sin
 nombre), y el nombre anterior es brindado en la variable de ambiente
-DNSMASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE almacena el nombre de la interface
+DNSMASQ_OLD_HOSTNAME.
+
+DNSMASQ_INTERFACE almacena el nombre de la interface
 en la cual llegó el pedido; esto no es fijado para acciones "viejas"
 cuando dnsmasq re-inicia.
+
+DNSMASQ_RELAY_ADDRESS es fijado si el cliente
+usó un relay DHCP para contactar a dnsmasq y la dirección IP del relay
+es conocida.
+
+DNSMASQ_TAGS contiene todas las etiquetas network-id fijadas
+durante la transacción DHCP, separadas por espacios.
+
 Todos los descriptores de archivo están cerrados
 excepto stdin, stdout, y stderr los cuales están abiertos a /dev/null
 (excepto en modo debug).
-Este guión no es invocado concurrentemente: si cambios de arriendos
-subsiguientes ocurren, el guión no es invocado otra vez hasta que
-cualquier invocación existente haga exit. Al inicio de dnsmasq, el guión
+
+Este guión no es invocado concurrentemente: máximo una instamcia del
+guión está corriendo a la vez (dnsmasq espera a que una instancia de
+guión haga exit antes de correr la siguiente). Cambios a la base de
+datos de arriendos que requieren que el guión sea invocado son puestos
+en cola esperando el exit de una instancia corriente. Si esta cola permite
+que cambios multiples de estado le ocurran a un arriendo individual antes
+de que el guión pueda ser ejecutado entonces estados anteriores son descartados
+y el estado actual del arriendo es reflejado cuando el guión finalmente corre.
+
+Al inicio de dnsmasq, el guión
 será invocado para todos los arriendos existentes mientras van siendo
 leídos desde el archivo de arriendos. Arriendos vencidos serán llamados
 con "del" y otros con "old". <path> debe ser un path absoluto, ninguna
-búsqueda PATH ocurre. Cuando dnsmasq recibe una señal HUP, el guión será
+búsqueda PATH ocurre cuando arriendos dnsmasq serán llamados con "del"
+y otros con "old". Cuando dnsmasq recibe una señal HUP, el guión será
 invocado para arriendos existentes con un evento "old".
 .TP
 .B --dhcp-scriptuser
@@ -853,10 +1063,9 @@ cuando hay cambios hechos a el client-id y tiempos de arriendo y vencimiento.
 .TP
 .B --bridge-interface=<nombre de interface>,<alias>[,<alias>]
 Tratar paquetes de pedidos DHCP que llegan a cualquiera de las interfaces <alias>
-como si hubieran llegado a la interface <nombre de interface>. Esta opción solo
-está disponible en plataformas BSD, y es necesaria cuando se usan
-puentes "estilo viejo", ya que los paquetes llegan a interfaces tap que no
-tienen una dirección IP.
+como si hubieran llegado a la interface <nombre de interface>. Esta opción
+es necesaria al usar bridging estilo viejo en plataformas BSD, dado a que
+los paquetes llegan a interfaces tap que no tienen una dirección IP.
 .TP
 .B \-s, --domain=<dominio>[,<rango de IPs>]
 Especifica los dominios DNS para el servidor DHCP. Dominios pueden ser
@@ -903,18 +1112,20 @@ sin una direcci
 .B --dhcp-fqdn
 está fijado.
 .TP
-.B --enable-tftp
+.B --enable-tftp[=<interface>]
 Habilitar la función de servidor TFTP. Esto está deliberadamente limitado
 a lo necesario para hacerle a un cliente un inicio vía red. Solo lectura es
 permitida; las extensiones tsize y blksize son soportadas (tsize solo es
-soportada en modo octeto).
+soportada en modo octeto). Ver sección de NOTAS para el uso de el argumento
+de interface.
 .TP
-.B --tftp-root=<directorio>
+.B --tftp-root=<directory>[,<interface>]
 Buscar, relativo al directorio brindado, archivos para transferir mediante el
 uso de TFTP. Cuando esta opción está fijada, paths TFTP que incluyen ".." son
 rechazados, para prevenir que clientes salgan de la raíz especificada. Paths
 absolutos (los que comienzan con "/") están permitidos, pero deben estar
-dentro del tftp-root.
+dentro del tftp-root. Si el argumento opcional de interface es brindado, el
+directorio es solo usado para pedidos TFTP vía esa interface.
 .TP
 .B --tftp-unique-root
 Agregar la dirección IP del cliente TFTP como un componente path del lado del
@@ -966,11 +1177,13 @@ Especificar un archivo de configuraci
 también es permitida en archivos de configuración, para incluir múltiples
 archivos de configuración.
 .TP
-.B \-7, --conf-dir=<directorio>
+.B \-7, --conf-dir=<directorio>[,<file-extension>......]
 Leer todos los archivos dentro del directorio brindado como archivos
-de configuración. Archivos cuyos nombres terminen con ~ o comienzen
-con . o comienzen y terminen con # son ignorados. Esta opción puede
-ser brindada en la línea de comandos o en un archivo de configuración.
+de configuración. Si extensiones son brindadas, cualquier archivo que
+termine en esas extensiones son ignorados. Cualquier archivos cuyos nombres
+terminen con ~ o comienzen con . o comienzen y terminen con # siempre son
+ignorados. Esta opción puede ser brindada en la línea de comandos o en un
+archivo de configuración.
 .SH ARCHIVO DE CONFIGURACION
 Al inicio, dnsmasq lee
 .I /etc/dnsmasq.conf,
@@ -1100,36 +1313,46 @@ apunta a un nombre sombreado, entonces buscando el CNAME a trav
 dnsmasq resultará en que la dirección no-sombreada será asociada con
 el destino del CNAME. Para circumventar esto, agregar el CNAME a
 /etc/hosts de tal manera que el CNAME es sombreado también.
+
 .PP
-El sistema network-id funciona de la siguiente manera: Para cada pedido
-DHCP, dnsmasq colecciona un juego de etiquetas network-id válidas,
-una del
+El sistema de etiquetas funciona de la siguiente manera: Para cada pedido
+DHCP, dnsmasq colecciona un juego de etiquetas válidas de líneas de
+configuración activas que incluyen set:<tag>, incluyendo una del
 .B dhcp-range
 usado para alocar la dirección, una de cualquier
 .B dhcp-host
-que coincida (y "known" si un dhcp-host coincide), la etiqueta "bootp"
-para pedidos BOOTP, una etiqueta cuyo nombre es el nombre de la
-interface donde llegó el pedido, y posiblemente muchas de clases
-de vendedor y usuario que coincidan que hayan sido enviadas por
-el cliente DHCP. Cualquier opción
+que coincida (y "known" si un dhcp-host coincide).
+La etiqueta "bootp" es fijada para pedidos BOOTP, y una etiqueta cuyo
+nombre es el nombre de la interface donde llegó el pedido tambien es
+fijada.
+
+Cualquier linea de configuración que incluya uno o mas
+construcciones tag:<tag> solo será válida si todas las etiquetas
+coinciden en el juego derivado arriba. Típicamente esto es dhcp-option.
 .B dhcp-option 
-que tenga etiquetas network-id será usada en preferencia de una opción
+que tenga etiquetas será usada en preferencia de una opción
 .B dhcp-option,
 sin etiqueta, con tal que _todas_ las etiquetas coincidan en alguna
-parte del juego coleccionado describido arriba. El prefijo "#" en una
-etiqueta significa "no" así que --dhcp=option=#purple,3,1.2.3.4 envía
-la opción cuando la etiqueta network-id "purple" no está en el juego
-de etiquetas válidas.
+parte del juego coleccionado describido arriba. El prefijo '!' en una
+etiqueta significa "no" así que --dhcp=option=tag:!purple,3,1.2.3.4 envía
+la opción cuando la etiqueta "purple" no está en el juego
+de etiquetas válidas. (Si se está usando esto en una línea de comandos
+en vez de un archivo de configuración, asegurese de escapar !, el cual
+es un metacaracter de shell.)
+.PP
+Nótese que para
+.B dhcp-range
+ambos tag:<tag> y set:<tag> son permitidos, para seleccionar el rango
+en uso basado en (por ejemplo) dhcp-host, y para afectar las opciones
+enviadas, basadas en el rango seleccionado.
+
+Este sistema evolucionó de uno anterior mas limitado y para compatibildad
+reversa "net:" puede ser usada en vez de "tag:" y "set:" puede ser
+omitida. (Excepto en
+.B dhcp-host,
+donde "net:" puede ser usado en vez de "set:".) Por la misma razón, '#'
+puede ser usado en vez de '!' para indicar NO.
 .PP
-Si el network-id en un
-.B dhcp-range 
-es prefijado con "net:", entonces su significado cambia de "fijar
-etiqueta" a "coincidir con etiqueta". O sea que si hay más de un
-dhcp-range en en una subred, y uno tiene una etiqueta network-id la
-cual está fijada (por ejemplo una opción de clase de vendedor) entonces
-hosts que fijen la etiqueta network-id serán alocados direcciones en
-el rango etiquetado.
-.PP 
 El servidor DHCP de dnsmasq funcionará como servidor BOOTP tambien,
 con tal que las direcciones MAC y IP de los clientes sean brindadas,
 ya sea usando configuraciones
@@ -1140,11 +1363,54 @@ o en
 .B dhcp-range 
 esté presente para activar el servidor DHCP en una red particular.
 (Fijar --bootp-dynamic elimina la necesidad de trazados estáticos.) El
-parámetro de nombre de archivos en un pedido BOOTP es revisado para
-ver si coincide con algún network-id en configuraciónes
-.B dhcp-option 
-al igual que la etiqueta "bootp", permitiendo así algún control sobre
-las opciones devueltas a diferentes clases de hosts.
+parámetro de nombre de archivos en un pedido BOOTP es usado como
+una etiqueta, al igual que la etiqueta "bootp", permitiendo así algún
+control sobre las opciones devueltas a diferentes clases de hosts.
+
+.B dhcp-range
+puede tener un nombre de interface brindado como
+"interface:<interface-name>". La semántica de esto es así:
+Para DHCP, si cualquier otro dhcp-range existe _sin_ un nombre de
+interface, entonces el nombre de interface es ignorado y dnsmasq
+se comporta como si las partes de interface no existieran, de otra forma
+DHCP solo se provee a interfaces mencionadas en declaraciones
+dhcp-range. Para DNS, si no hay opciones
+.B --interface
+o
+.B --listen-address
+el comportamiento no se modifica por la parte de interface. Si cualquiera
+de estas opciones está presente, las interfaces mencionadas en dhcp-ranges
+son agregadas all juego que obtienen servicio DNS.
+
+Similarmente,
+.B enable-tftp
+puede tomar un nombre de interface, el cual habilita TFTP solo para una
+interface en particular, ignorando opciones
+.B --interface
+o
+.B --listen-address.
+Adicionalmente, 
+.B --tftp-secure
+y
+.B --tftp-unique-root
+y
+.B --tftp-no-blocksize
+son ignorados por pedidos desde dichas interfaces. (Una directiva
+.B --tftp-root
+brindando un path raíz y una interface debe ser brindada tambien.)
+
+Estas reglas pueden parecer raras a primera vista, pero permiten que
+una simple linea de la forma
+"dhcp-range=interface:virt0,192.168.0.4,192.168.0.200" sea agregada a
+configuración dnsmasq, lo cual brinda servicios DHCP y DNS a esa interface,
+sin afectar los servicios en otras interfaces y irrespectivamente de
+la existencia o no de lineas "interface=<interface>" en alguna otra parte
+de la configuración dnsmasq.
+"enable-tftp=virt0" y "tftp-root=<root>,virt0" hacen el mismo trabajo
+para TFTP.
+La idea es que una linea así pueda ser agregada automaticamente
+por libvirt o sistemas equivalentes, sin estorbar alguna
+configuración manual.
 
 .SH CÓDIGOS EXIT
 .PP
@@ -1177,10 +1443,8 @@ no escalaban tan bien.
 
 .PP
 Dnsmasq es capaz de soportar con DNS y DHCP a por lo menos mil (1,000)
-clientes. Por supuesto que para lograr esto debe aumentarse el valor de
-.B --dhcp-lease-max
-, y tiempos de arriendo no deben ser muy cortos (menos de una hora).
-El valor de
+clientes. Los tiempos de arriendo no deben ser muy cortos (menos
+de una hora). El valor de
 .B --dns-forward-max
 puede ser aumentado: comienze con el equivalente a el número de clientes y
 auméntelo si parece lento el DNS. Nótese que el rendimiento DNS depende
@@ -1211,6 +1475,23 @@ o en un archivo hosts adicional. La lista puede ser muy larga. Dnsmasq ha sido
 probado exitósamente con un millón de nombres. Ese tamaño de archivo necesita
 un CPU de 1GHz y aproximadamente 60MB de RAM.
 
+.SH INTERNACIONALIZACION
+
+Dnsmasq puede ser compilado con soporte para internacionalización. Para hacer esto,
+los targets make "all-i18n" y "install-i18n" deberán ser usados en vez de
+los targets estándares "all" y "install". Cuando internacionalización es
+compilada, dnsmasq producirá mensajes de bitácora en el lenguaje local y soportará
+dominios internacionalizados (IDN). Nombres de dominio en /etc/hosts, /etc/ethers,
+y /etc/dnsmasq.conf que contienen carácteres no-ASCII serán traducidos a
+representación interna DNS punycode. Nótese que dnsmasq determina ambos el
+lenguaje para mensajes y el juego de carácteres asumido para archivos de configuración
+de la variable ambiental LANG. Esto debe estar fijado al valor predeterminado del sistema
+por el guión responsable de iniciar dnsmasq. Al editar archivos de configuración,
+tener cuidado de hacerlo usando solo el locale predeterminado del sistema y no
+uno especifico del usuario, dado a que dnsmasq no tiene ninguna manera directa de
+determinar el juego de caracteres en uso, y debe asumir que es el predeterminado
+del sistema.
+
 .SH ARCHIVOS
 .IR /etc/dnsmasq.conf 
 

man/fr/dnsmasq.8

@@ -16,9 +16,8 @@ fichier /etc/hosts afin que les noms locaux n'apparaissant pas dans les DNS
 globaux soient tout de même résolus, et assure également la résolution de nom
 pour les hôtes présents dans le service DHCP.
 .PP
-Le serveur DHCP Dnsmasq DHCP supporte les définitions d'adresses statiques, les
-réseaux multiples, le relai DHCP et les spécifications de sous-réseaux conformes
-à la RFC3011. Il envoie par défaut un jeu raisonnable de paramètres DHCP, et
+Le serveur DHCP Dnsmasq DHCP supporte les définitions d'adresses statiques et les
+réseaux multiples. Il envoie par défaut un jeu raisonnable de paramètres DHCP, et
 peut être configuré pour envoyer n'importe quel option DHCP.
 Il inclut un serveur TFTP sécurisé en lecture seule permettant le démarrage via
 le réseau/PXE de clients DHCP et supporte également le protocole BOOTP.
@@ -33,6 +32,11 @@ Sur BSD, à moins que le logiciel ne soit compilé avec la bibliothèque GNU
 getopt, la forme longue des options ne fonctionne pas en ligne de commande; Elle
 est toujours supportée dans le fichier de configuration.
 .TP
+.B --test
+Vérifie la syntaxe du ou des fichiers de configurations. Se termine avec le
+code de retour 0 si tout est OK, ou un code différent de 0 dans le cas
+contraire. Ne démarre pas Dnsmasq.
+.TP
 .B \-h, --no-hosts
 Ne pas charger les noms du fichier /etc/hosts.
 .TP
@@ -41,12 +45,14 @@ Fichiers d'hôtes additionnels. Lire le fichier spécifié en plus de /etc/hosts
 Si 
 .B -h
 est spécifié, lire uniquement le fichier spécifié. Cette option peut être
-répétée afin d'ajouter d'autres fichiers.
+répétée afin d'ajouter d'autres fichiers. Si un répertoire est donné, lis les
+fichiers contenus dans ce répertoire.
 .TP
 .B \-E, --expand-hosts
 Ajoute le nom de domaine aux noms simples (ne contenant pas de point dans le
 nom) contenus dans le fichier /etc/hosts, de la même façon que pour le service
-DHCP.
+DHCP. Notez que cela ne s'applique pas au nom de domaine dans les CNAME, les
+enregistrements PTR, TXT, etc...
 .TP
 .B \-T, --local-ttl=<durée>
 Lorsque Dnsmasq répond avec une information provenant du fichier /etc/hosts ou
@@ -67,6 +73,12 @@ option permet de doner une valeur de durée de vie par défaut (en secondes) que
 dnsmasq utilise pour mettre les réponses négatives dans son cache, même en
 l'absence d'enregistrement SOA.
 .TP
+.B --max-ttl=<durée>
+Définie la valeur de TTL maximum qui sera fournie aux clients. La valeur maximum
+de TTL spécifiée sera fournie aux clients en remplacement de la vraie valeur de TTL
+si cette dernière est supérieure. La valeur réelle de TTL est cependant conservée dans
+le cache afin d'éviter de saturer les serveurs DNS en amont.
+.TP
 .B \-k, --keep-in-foreground
 Ne pas aller en tâche de fond au lancement, mais en dehors de cela, fonctionner
 normalement. Ce mode est prévu pour les cas où Dnsmasq est lancé par daemontools
@@ -88,10 +100,12 @@ réception d'un signal SIGUSR1.
 Définit la "facility" dans laquelle Dnsmasq enverra ses entrées syslog, par
 défaut DAEMON ou LOCAL0 si le mode debug est activé. Si la "facility" contient
 au moins un caractère "/", alors Dnsmasq considère qu'il s'agit d'un fichier et
-enverra les logs dans le fichier correspondant à la place du syslog. (Les
-erreurs lors de la lecture de la configuration vont toujours vers le syslog,
-mais tous les messages postérieures à un démarrage réussi seront exclusivement
-envoyés vers le fichier de logs). Lorsque Dnsmasq est configuré pour envoyer
+enverra les logs dans le fichier correspondant à la place du syslog. Si la
+"facility" est '-', alors dnsmasq envoie les logs sur la sortie d'erreur
+standard stderr. (Les erreurs lors de la lecture de la configuration vont
+toujours vers le syslog, mais tous les messages postérieurs à un démarrage
+réussi seront exclusivement envoyés vers le fichier de logs).
+Lorsque Dnsmasq est configuré pour envoyer
 ses traces vers un fichier, la réception d'un signal SIGUSR2 entraine la
 fermeture et réouverture du fichier. Cela permet la rotation de fichiers de
 traces sans nécessiter l'arrêt de Dnsmasq.
@@ -134,8 +148,7 @@ que le DHCP ou le TFTP.
 .TP
 .B \-P, --edns-packet-max=<taille>
 Spécifie la taille maximum de paquet UDP EDNS.0 supporté par le relai DNS. Le
-défaut est de 1280, qui est la valeur maximale
-recommandée pour ethernet dans la RFC2671.
+défaut est de 4096, qui est la valeur recommandée dans la RFC5625.
 .TP
 .B \-Q, --query-port=<numéro de port>
 Envoie et écoute les requêtes DNS sortantes depuis le port UDP spécifié par
@@ -236,7 +249,7 @@ trouvées dans /etc/hosts ou dans le fichier de baux DHCP se voient retournées
 une réponse "pas de tel domaine" ("no such domain") au lieu d'être transmises
 aux serveurs de nom amont ("upstream server").
 .TP
-.B \-V, --alias=<ancienne IP>,<nouvelle IP>[,<masque>]
+.B \-V, --alias=[<ancienne IP>]|[<IP de début>-<IP de fin>],<nouvelle IP>[,<masque>]
 Modifie les adresses IPv4 retournées par les serveurs de nom amont;
 <ancienne IP> est remplacée par <nouvelle IP>. Si le <masque> optionnel est
 fourni, alors toute adresse correspondant à l'adresse <ancienne IP>/<masque>
@@ -244,7 +257,11 @@ sera réécrite. Ainsi par exemple
 .B --alias=1.2.3.0,6.7.8.0,255.255.255.0 
 modifiera 1.2.3.56 en 6.7.8.56 et 1.2.3.67 en 6.7.8.67. 
 Cette fonctionnalité correspond à ce que les routeurs Cisco PIX appellent
-"bidouillage DNS" ("DNS doctoring").
+"bidouillage DNS" ("DNS doctoring"). Si l'ancienne IP est donnée sous la forme
+d'une gamme d'adresses, alors seules les adresses dans cette gamme seront
+réecrites, et non le sous-réseau dans son ensemble. Ainsi,
+.B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+fait correspondre 192.168.0.10->192.168.0.40 à 10.0.0.10->10.0.0.40
 .TP 
 .B \-B, --bogus-nxdomain=<adresse IP>
 Transforme les réponses contenant l'adresse IP fournie en réponses "pas de tel
@@ -308,6 +325,19 @@ serveurs amonts suite à une résolution de nom. Cela bloque les attaques cherch
 à détourner de leur usage les logiciels de navigation web ('browser') en s'en
 servant pour découvrir les machines situées sur le réseau local.
 .TP
+.B --rebind-localhost-ok
+Exclue 127.0.0/8 des vérifications de réassociation DNS. Cette gamme d'adresses
+est retournée par les serveurs Realtime Blackhole (RBL, utilisés dans la
+lutte contre le spam), la bloquer peut entraîner des disfonctionnements de ces
+services.
+.TP 
+.B  --rebind-domain-ok=[<domaine>]|[[/<domaine>/[<domaine>/]
+Ne pas détecter ni bloquer les actions de type dns-rebind pour ces domaines.
+Cette option peut prendre comme valeur soit un nom de domaine soit plusieurs
+noms de domains entourés par des '/', selon une syntaxe similaire à l'option
+--server, c-à-d :
+.B  --rebind-domain-ok=/domaine1/domaine2/domaine3/
+.TP
 .B \-n, --no-poll
 Ne pas vérifier régulièrement si le fichier /etc/resolv.conf a été modifié.
 .TP
@@ -345,6 +375,20 @@ option
 .B -S
 est autorisée, en répétant les domaines et adresses IP comme requis.
 
+Le domaine le plus spécifique l'emporte sur le domaine le moins spécifique,
+ainsi :
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/2.3.4.5
+enverra les requêtes pour *.google.com à 1.2.3.4, à l'exception des requêtes
+*www.google.com, qui seront envoyées à 2.3.4.5.
+
+L'adresse spéciale '#' signifie "utiliser les serveurs standards", ainsi
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/#
+enverra les requêtes pour *.google.com à 1.2.3.4, à l'exception des requêtes
+pour *www.google.com qui seront envoyées comme d'habitude (c-à-d aux serveurs
+définis par défaut).
+
 Il est également permis de donner une option
 .B -S
 avec un nom de domaine mais sans
@@ -455,6 +499,14 @@ Définit un enregistrement DNS de type PTR.
 .B --naptr-record=<nom>,<ordre>,<préférence>,<drapeaux>,<service>,<expr. régulière>[,<remplacement>]
 Retourne un enregistrement de type NAPTR, tel que spécifié dans le RFC3403.
 .TP
+.B --cname=<cname>,<cible>
+Retourne un enregistrement de type CNAME qui indique que <cname> est en
+réalité <cible>. Il existe des contraintes significatives sur la valeur
+de cible; il doit s'agir d'un nom DNS qui est connu de dnsmasq via /etc/hosts
+(ou un fichier hôtes additionnel) ou via DHCP. Si une cible ne satisfait
+pas ces critères, le CNAME est ignoré. Le CNAME doit être unique, mais
+il est autorisé d'avoir plus d'un CNAME pointant vers la même cible.
+.TP
 .B --interface-name=<nom>,<interface>
 Définit un entregistrement DNS associant le nom avec l'adresse primaire sur
 l'interface donnée en argument. Cette option spécifie un enregistrement de type
@@ -485,7 +537,7 @@ lorsqu'un serveur web a la résolution de nom activée pour l'enregistrement de
 son journal des requêtes, ce qui peut générer un nombre important de requêtes
 simultanées.
 .TP
-.B \-F, --dhcp-range=[[net:]identifiant de réseau,]<adresse de début>,<adresse de fin>[[,<masque de réseau>],<broadcast>][,<durée de bail par défaut>]
+.B \-F, --dhcp-range=[interface:<interface>,][tag:<label>[,tag:<label>],][set:<label],]<adresse de début>,<adresse de fin>[,<masque de réseau>[,<broadcast>]][,<durée de bail>]
 Active le serveur DHCP. Les adresses seront données dans la plage comprise entre
 <adresse de début> et <adresse de fin> et à partir des adresses définies
 statiquement dans l'option
@@ -493,7 +545,9 @@ statiquement dans l'option
 Si une durée de bail est donnée, alors les baux seront donnés pour cette
 durée. La durée de bail est donnée en secondes, en minutes (exemple : 45m),
 en heures (exemple : 1h) ou être la chaine de caractère "infinite" pour une
-durée indéterminée. La valeur minimum pour un bail DHCP est de 2 minutes.
+durée indéterminée. Si aucune valeur n'est donnée, une durée de bail par défaut
+de une heure est appliquée. La valeur minimum pour un bail DHCP est de 2
+minutes.
 Cette option peut être répétée, avec différentes adresses,
 pour activer le service DHCP sur plus d'un réseau. Pour des réseaux directement
 connectés (c'est-à-dire des réseaux dans lesquels la machine sur laquelle tourne
@@ -501,27 +555,37 @@ Dnsmasq possède une interface), le masque de réseau est optionnel. Il est par
 contre requis pour les réseaux pour lesquels le service DHCP se fait via un
 relais DHCP ("relay agent"). L'adresse de broadcast est toujours optionnelle.
 
-Sur certains systèmes, Dnsmasq ne peut écouter que sur une interface lorsqu'il
-utilise DHCP, et le nom de l'interface doit être spécifié par l'option 
-.B interface.
-Cette limitation affecte tous les systèmes OpenBSD avant la version 4.0. Il
-est toujours possible d'avoir plus d'une plage DHCP pour un même sous-réseau.
-
-L'identifiant de réseau optionnel est un label alphanumérique qui permet de
-marquer ce réseau afin de fournir des options DHCP spécifiques à chaque réseau.
-Lorsque préfixé par 'net:', la signification change est au lieu de définir un
+Il est toujours possible d'avoir plus d'une plage DHCP pour un même
+sous-réseau.
+L'identifiant de label optionnel
+.B set:<label>
+fournie une étiquette alphanumérique qui identifie ce réseau, afin de permettre
+la fourniture d'options DHCP spécifiques à chaque réseau.
+Lorsque préfixé par 'tag:', la signification change, et au lieu de définir un
 label, il définit le label pour laquelle la règle s'applique. Un seul label peut-
 être défini mais plusieurs labels peuvent coïncider.
 
 L'adresse de fin peut être remplacée par le mot-clef
 .B static
 ("statique") qui indique à Dnsmasq d'activer le service DHCP pour le réseau
-spécifié, mais de ne pas activer l'allocation dynamique d'adresses IP. Seuls les
-hôtes possédant des adresses IP statiques fournies via 
+spécifié, mais de ne pas activer l'allocation dynamique d'adresses IP : Seuls
+les hôtes possédant des adresses IP statiques fournies via 
 .B dhcp-host
 ou présentes dans le fichier /etc/ethers seront alors servis par le DHCP.
+
+L'adresse de fin peut-être remplacée par le mot-clef
+.B proxy
+, auquel cas Dnsmasq fournira un service de DHCP proxy pour le sous-réseau
+spécifié. (voir
+.B pxe-prompt
+et
+.B pxe-service
+pour plus de détails).
+
+La section interface:<nom d'interface> n'est normalement pas utilisée. Se
+référer aux indications de la section NOTES pour plus de détail à ce sujet.
 .TP
-.B \-G, --dhcp-host=[<adresse matérielle>][,id:<identifiant client>|*][,net:<identifiant de réseau>][,<adresse IP>][,<nom d'hôte>][,<durée de bail>][,ignore]
+.B \-G, --dhcp-host=[<adresse matérielle>][,id:<identifiant client>|*][,set:<label>][,<adresse IP>][,<nom d'hôte>][,<durée de bail>][,ignore]
 Spécifie les paramètres DHCP relatifs à un hôte. Cela permet à une machine
 possédant une adresse matérielle spécifique de se voir toujours allouée les
 mêmes nom d'hôte, adresse IP et durée de bail. Un nom d'hôte spécifié comme
@@ -535,9 +599,15 @@ spécifie à Dnsmasq de fournir à la machine d'adresse matérielle
 
 .B --dhcp-host=lap,192.168.0.199 
 spécifie à Dnsmasq d'allouer toujours à la machine portant le nom lap
-l'adresse IP 92.168.0.199. Les adresses allouées comme ceci ne sont pas
-contraintes dans une plage d'adresse spécifiée par une option --dhcp-range, mais
-elles doivent être sur un réseau servi par le serveur DHCP. Il est possible
+l'adresse IP 192.168.0.199.
+
+Les adresses allouées de la sorte ne sont pas contraintes à une plage d'adresse
+spécifiée par une option --dhcp-range, mais elles se trouver dans le même
+sous-réseau qu'une plage dhcp-range valide. Pour les sous-réseaux qui n'ont pas
+besoin d'adresses dynamiquement allouées, utiliser le mot-clef "static" dans la
+déclaration de plage d'adresses dhcp-range.
+
+Il est possible
 d'utiliser des identifiants clients plutôt que des adresses matérielles pour
 identifier les hôtes, en préfixant par ceux-ci par 'id:'. Ainsi, 
 .B --dhcp-host=id:01:02:03:04,..... 
@@ -545,6 +615,7 @@ réfère à l'hôte d'identifiant 01:02:03:04. Il est également possible de
 spécifier l'identifiant client sous la forme d'une chaîne de caractères, comme
 ceci :
 .B --dhcp-host=id:identifiantclientsousformedechaine,..... 
+
 L'option spéciale id:* signifie : "ignorer tout identifiant client et n'utiliser
 que l'adresse matérielle". Cela est utile lorsqu'un client présente un
 identifiant client mais pas les autres.
@@ -552,20 +623,29 @@ identifiant client mais pas les autres.
 Si un nom apparaît dans /etc/hosts, l'adresse associée peut être allouée à un
 bail DHCP mais seulement si une option
 .B --dhcp-host
-spécifiant le nom existe par ailleurs. Le mot clef "ignore" ("ignorer") indique
+spécifiant le nom existe par ailleurs. Seul un nom d'hôte peut-être donné dans
+une option
+.B dhcp-host
+, mais les alias sont possibles au travers de l'utilisation des CNAMEs. (Voir
+.B --cname
+).
+Le mot clef "ignore" ("ignorer") indique
 à Dnsmasq de ne jamais fournir de bail DHCP à une machine. La machine peut être
 spécifiée par son adresse matérielle, son identifiant client ou son nom d'hôte.
 Par exemple
 .B --dhcp-host=00:20:e0:3b:13:af,ignore
 Cela est utile lorsqu'un autre serveur DHCP sur le réseau doit être utilisé par
-certaines machines. Le paramètre net:<identifiant réseau> permet de définir un
+certaines machines.
+
+Le paramètre set:<identifiant réseau> permet de définir un
 identifiant de réseau lorsque l'option dhcp-host est utilisée. Cela peut servir
-à sélectionner des options DHCP juste pour cet hôte. Lorsqu'une machine coïncide
-avec une directive dhcp-host (ou une impliquée par /etc/ethers), alors
-l'identifiant réseau réservé "known" ("connu") est associé. Cela permet à
+à sélectionner des options DHCP juste pour cet hôte. Plus d'un label peut être
+fourni dans une directive dhcp-host (et dans cette seule directive). Lorsqu'une
+machine coïncide avec une directive dhcp-host (ou une impliquée par
+/etc/ethers), alors le label réservé "known" ("connu") est associé. Cela permet à
 Dnsmasq d'être configuré pour ignorer les requêtes issus de machines inconnue
  par le biais de 
-.B --dhcp-ignore=#known.
+.B --dhcp-ignore=tag:!known.
 
 Les adresses ethernet (mais pas les identifiants clients) peuvent être définies
 avec des octets joker, ainsi par exemple
@@ -573,12 +653,26 @@ avec des octets joker, ainsi par exemple
 demande à Dnsmasq d'ignorer une gamme d'adresses matérielles. Il est  à noter
 que "*" doit-être précédé d'un caractère d'échappement ou mis entre guillemets
 lorsque spécifié en option de ligne de commande, mais pas dans le fichier de
-configuration. Les adresses matérielles coïncident en principe avec n'importe
+configuration.
+
+Les adresses matérielles coïncident en principe avec n'importe
 quel type de réseau (ARP), mais il est possible de les limiter à un seul type
 ARP en les précédant du type ARP (en Hexadécimal) et de "-". Ainsi
 .B --dhcp-host=06-00:20:e0:3b:13:af,1.2.3.4 
 coïncidera uniquement avec des adresses matérielles Token-Ring, puisque le type
 ARP pour une adresse Token-Ring est 6.
+
+Un cas spécial correspond à l'inclusion d'une ou plusieurs adresses
+matérielles, c-à-d :
+.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2.
+Cela permet à une adresse IP d'être associé à plusieurs adresses
+matérielles, et donne à dnsmasq la permission d'abandonner un bail DHCP
+attribué à l'une de ces adresses lorsqu'une autre adresse dans la liste
+demande un bail. Ceci est une opération dangereuse qui ne fonctionnera
+de manière fiable que si une adresse matérielle est active à un moment
+donné et dnsmasq n'a aucun moyen de s'assurer de cela. Cela est utile,
+par exemple, pour allouer une adresse IP stable à un laptop qui
+aurait à la fois une connexion filaire et sans-fil.
 .TP
 .B --dhcp-hostsfile=<fichier>
 Lis les informations d'hôtes DHCP dans le fichier spécifié. Le fichier contient
@@ -592,7 +686,11 @@ relu lorsque Dnsmasq reçoit un signal SIGHUP.
 .B --dhcp-optsfile=<fichier>
 Lis les informations relatives aux options DHCP dans le fichier spécifié.
 L'intérêt d'utiliser cette option est le même que pour --dhcp-hostsfile : le
-fichier spécifié ser rechargé à la réception par dnsmasq d'un signal SIGHUP.
+fichier spécifié sera rechargé à la réception par dnsmasq d'un signal SIGHUP.
+Notez qu'il est possible d'encoder l'information via
+.B --dhcp-boot
+en utilisant les noms optionnels bootfile-name, server-ip-address et
+tftp-server. Ceci permet d'inclure ces options dans un fichier "dhcp-optsfile".DNSMASQ_SUPPLIED_HOSTNAME
 .TP
 .B \-Z, --read-ethers
 Lis les informations d'hôtes DHCP dans le fichier /etc/ethers. Le format de
@@ -603,7 +701,7 @@ par Dnsmasq, ces lignes ont exactement le même effet que l'option
 contenant les mêmes informations. /etc/ethers est relu à la réception d'un
 signal SIGHUP par Dnsmasq.
 .TP
-.B \-O, --dhcp-option=[<identifiant_de_réseau>,[<identifiant_de_réseau>,]][vendor:[<classe_vendeur>],][<opt>|option:<nom d'option>],[<valeur>[,<valeur>]]
+.B \-O, --dhcp-option=[tag:<label>,[tag:<label>]][encap:<option>,][vi-encap:<entreprise>,][vendor:[<classe_vendeur>],][<option>|option:<nom d'option>],[<valeur>[,<valeur>]]
 Spécifie des options différentes ou supplémentaires pour des clients DHCP. Par
 défaut, Dnsmasq envoie un ensemble standard d'options aux clients DHCP : le
 masque de réseau et l'adresse de broadcast sont les mêmes que pour l'hôte
@@ -629,8 +727,8 @@ L'adresse 0.0.0.0 prends ici le sens "d'adresse de la machine sur laquelle
 tourne Dnsmasq". Les types de données autorisées sont des adresses IP sous la
 forme de 4 chiffres séparés par des points, un nombre décimal, une liste de
 caractères hexadécimaux séparés par des 2 points, ou une chaîne de caractères.
-Si des identifiants de réseaux sont fournis, alors cette option n'est envoyée
-qu'aux réseaux dont tous les identifiants coïncident.
+Si des labels optionnels sont fournis, alors cette option n'est envoyée
+qu'aux réseaux dont tous les labels coïncident avec ceux de la requête.
 
 Un traitement spécial est effectué sur les chaînes de caractères fournies pour
 l'option 119, conformément à la RFC 3397. Les chaînes de caractères ou les
@@ -673,10 +771,26 @@ pour sélectionner les options encapsulées, de préférence à toute option env
 par le client. Il est possible d'omettre complètement une classe de vendeur :
 .B --dhcp-option=vendor:,1,0.0.0.0
 Dans ce cas l'option encapsulée est toujours envoyée.
+
+Les options peuvent-être encapsulées au sein d'autres options :
+par exemple
+.B --dhcp-option=encap:175, 190, "iscsi-client0"
+enverra l'option 175, au sein de laquelle se trouve l'option 190.
+Plusieurs options encapsulées avec le même numéro d'option seront correctement
+combinées au sein d'une seule option encapsulée. Il n'est pas possible de
+spécifier encap: et vendor: au sein d'une même option dhcp.
+
+La dernière variante pour les options encapsulées est "l'option de Vendeur
+identifiant le vendeur" ("Vendor-Identifying Vendor Options") telle que
+décrite dans le RFC3925. Celles-ci sont spécifiées comme suit :
+.B --dhcp-option=vi-encap:2, 10, "text"
+Le numéro dans la section vi-encap: est le numéro IANA de l'entreprise servant
+à identifier cette option.
+
 L'adresse 0.0.0.0 n'est pas traitée de manière particulière lorsque fournie dans
-une option encapsulée de classe de vendeur.
+une option encapsulée.
 .TP
-.B --dhcp-option-force=[<identifiant de réseau>,[<identifiant de réseau>,]][vendor:[<classe de vendeur>],]<opt>,[<valeur>[,<valeur>]]
+.B --dhcp-option-force=[tag:<label>,[tag:<label>]][encap:<option>,][vi-encap:<entreprise>,][vendor:[<classe_vendeur>],][<option>|option:<nom d'option>],[<valeur>[,<valeur>]]
 Cela fonctionne exactement de la même façon que
 .B --dhcp-option
 sauf que cette option sera toujours envoyée, même si le client ne la demande pas
@@ -694,22 +808,25 @@ quelques rares cas, perturber des clients vieux ou défectueux. Cette
 option force le comportement à l'utilisation des valeurs "simples et sûres"
 afin d'éviter des problèmes dans de tels cas.
 .TP
-.B \-U, --dhcp-vendorclass=<identifiant de réseau>,<classe de vendeur>
-Associe une chaîne de classe de vendeur à un indentifiant de réseau. La plupart
+.B \-U, --dhcp-vendorclass=set:<label>,<classe de vendeur>
+Associe une chaîne de classe de vendeur à un label. La plupart
 des clients DHCP fournissent une "classe de vendeur" ("vendor class") qui
 représente, d'une certaine façon, le type d'hôte. Cette option associe des
 classes de vendeur à des labels, de telle sorte que des options DHCP peuvent-être
 fournie de manière sélective aux différentes classes d'hôtes. Par exemple,
+.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
+ou
 .B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
 permet de n'allouer des options qu'aux imprimantes HP de la manière suivante :
-.B --dhcp-option=printers,3,192.168.4.4
+.B --dhcp-option=tag:printers,3,192.168.4.4
 La chaîne de caractères de la classe de vendeur founie en argument est cherchée
 en temps que sous-chaîne de caractères au sein de la classe de vendeur fournie
 par le client, de façon à permettre la recherche d'un sous-ensemble de la chaîne
-de caractères ("fuzzy matching").
+de caractères ("fuzzy matching"). Le préfixe set: est optionnel mais autorisé
+afin de conserver une certaine homogénéité.
 .TP
-.B \-j, --dhcp-userclass=<identifiant de réseau>,<classe utilisateur>
-Associe une chaîne de classe d'utilisateur à un identifiant réseau (effectue la
+.B \-j, --dhcp-userclass=set:<label>,<classe utilisateur>
+Associe une chaîne de classe d'utilisateur à un label (effectue la
 recherche sur des sous-chaînes, comme pour les classes de vendeur). La plupart
 des clients permettent de configurer une "classe d'utilisateur". Cette option
 associe une classe d'utilisateur à un label, de telle manière qu'il soit
@@ -718,56 +835,109 @@ Il est possible, par exemple, d'utiliser ceci pour définir un serveur
 d'impression différent pour les hôtes de la classe "comptes" et ceux de la
 classe "ingénierie".
 .TP
-.B \-4, --dhcp-mac=<identifiant de réseau>,<adresse MAC>
-Associe une adresse matérielle (MAC) à un identifiant réseau. L'adresse
+.B \-4, --dhcp-mac=set:<label>,<adresse MAC>
+Associe une adresse matérielle (MAC) à un label. L'adresse
 matérielle peut inclure des jokers. Par exemple
-.B --dhcp-mac=3com,01:34:23:*:*:*
+.B --dhcp-mac=set:3com,01:34:23:*:*:*
 permet de définir le label "3com" pour n'importe quel hôte dont l'adresse
 matérielle coïncide avec les critères définis.
 .TP
-.B --dhcp-circuitid=<identifiant de réseau>,<identifiant de circuit>, --dhcp-remoteid=<identifiant de réseau>,<identifiant distant>
-Associe des options de relais DHCP issus de la RFC3046 à des identifiants de
-réseau. Cette information peut-être fournie par des relais DHCP. L'identifiant
+.B --dhcp-circuitid=set:<label>,<identifiant de circuit>, --dhcp-remoteid=set:<label>,<identifiant distant>
+Associe des options de relais DHCP issus de la RFC3046 à des labels.
+Cette information peut-être fournie par des relais DHCP. L'identifiant
 de circuit ou l'identifiant distant est normalement fourni sous la forme d'une
 chaîne de valeurs hexadécimales séparées par des ":", mais il est également
 possible qu'elle le soit sous la forme d'une simple chaîne de caractères. Si
 l'identifiant de circuit ou d'agent correspond exactement à celui fourni par le
-relais DHCP, alors l'identifiant de réseau est positionné.
+relais DHCP, alors le label est apposé.
 .TP
-.B --dhcp-subscrid=<identifiant de réseau>,<identifiant d'abonné>
-Associe des options de relais DHCP issues de la RFC3993 à des identifiants de
-réseau.
+.B --dhcp-subscrid=set:<label>,<identifiant d'abonné>
+Associe des options de relais DHCP issues de la RFC3993 à des labels.
 .TP
-.B --dhcp-match=<identifiant de réseau>,<numéro d'option>
-Associe l'identifiant de réseau si le client envoie une option DHCP
-avec le numéro spécifié. Cela peut-être utilisé pour identifier des
-clients spécifiques qui envoient des informations par le biais de
-numéros privés d'option.
+.B --dhcp-proxy[=<adresse ip>]......
+Un agent relai DHCP normal est uniquement utilisé pour faire suivre les
+éléments initiaux de l'interaction avec le serveur DHCP. Une fois que le
+client est configuré, il communique directement avec le serveur. Cela n'est pas
+souhaitable si le relais rajoute des informations supplémentaires aux paquets
+DHCP, telles que celles utilisées dans
+.B dhcp-circuitid
+et
+.B dhcp-remoteid.
+Une implémentation complète de relai peut utiliser l'option serverid-override
+de la RFC 5107 afin de forcer le serveur DHCP à utiliser le relai en temps que
+proxy complet, de sorte que tous les paquets passent par le relai. Cette option
+permet d'obtenir le même résultat pour des relais ne supportant pas la RFC
+5107. Fournie seule, elle manipule la valeur de server-id pour toutes les
+interactions via des relais. Si une liste d'adresses IP est donnée, seules les
+interactions avec les relais dont l'adresse est dans la liste seront affectées.
 .TP
-.B \-J, --dhcp-ignore=<identifiant de réseau>[,<identifiant de réseau>]
-Lorsque tous les identifiants de réseau fournis coïncident avec la liste
-d'identifiants réseau dérivée des classes de réseau, hôte, vendeur et
-utilisateur, ignorer l'hôte et ne pas donner de bail DHCP.
+.B --dhcp-match=set:<label>,<numéro d'option>|option:<nom d'option>|vi-encap:<entreprise>[,<valeur>]
+Si aucune valeur n'est spécifiée, associe le label si le client
+envoie une option DHCP avec le numéro ou le nom spécifié. Lorsqu'une valeur est
+fournie, positionne le label seulement dans le cas où l'option est fournie et
+correspond à la valeur. La valeur peut-être de la forme "01:ff:*:02", auquel
+cas le début de l'option doit correspondre (en respectant les jokers). La
+valeur peut aussi être de la même forme que dans
+.B dhcp-option
+, auquel cas l'option est traitée comme un tableau de valeur, et un des
+éléments doit correspondre, ainsi
+
+--dhcp-match=set:efi-ia32,option:client-arch,6
+
+spécifie le label "efi-ia32" si le numéro 6 apparaît dnas la liste
+d'architectures envoyé par le client au sein de l'option 93. (se réferer
+au RFC 4578 pour plus de détails). Si la valeur est un chaine de caractères,
+celle-ci est recherchée (correspondance en temps que sous-chaîne).
+
+Pour la forme particulière vi-encap:<numéro d'entreprise>, la comparaison se
+fait avec les classes de vendeur "identifiant de vendeur" ("vendor-identifying
+vendor classes") pour l'entreprise dont le numéro est fourni en option.
+Veuillez vous réferer à la RFC 3925 pour plus de détail.
 .TP
-.B --dhcp-ignore-names[=<identifiant de réseau>[,<identifiant de réseau>]]
-Lorsque tous les identifiant de réseau coïncident avec la liste d'identifiants
-réseau dérivées des classes de réseau, hôte, vendeur et utilisateur, ignorer le
+.B --tag-if=set:<label>[,set:<label>[,tag:<label>[,tag:<label>]]]
+Effectue une opération booléenne sur les labels. Si tous les labels
+apparaissant dans la liste tag:<label> sont positionnés, alors tous les
+la de la liste "set:<labels>" sont positionnés (ou supprimés, dans le cas
+où "tag:!<label>" utilisé).
+Si aucun tag:<label> n'est spécifié, alors tous les labels fournis par
+set:<label> sont positionnés.
+N'importe quel nombre de set: ou tag: peuvent être fournis, et l'ordre est sans
+importance.
+Les lignes tag-if sont executées dans l'ordre, ce qui fait que si un label dans
+tag:<label> est un label positionné par une rêgle
+.B tag-if,
+la ligne qui positionne le label doit précéder celle qui le teste.
+.TP
+.B \-J, --dhcp-ignore=tag:<label>[,tag:<label>]
+Lorsque tous les labels fournis dans l'option sont présents, ignorer l'hôte et
+ne pas donner de bail DHCP.
+.TP
+.B --dhcp-ignore-names[=tag:<label>[,tag:<label>]]
+Lorsque tous les labels fournis dans l'option sont présents, ignorer le
 nom de machine fourni par l'hôte. Il est à noter que, à la différence de
-l'option "dhcp-ignore", il est permis de ne pas fournir d'identifiant réseau.
+l'option "dhcp-ignore", il est permis de ne pas fournir de label.
 Dans ce cas, les noms d'hôtes fournis par les clients DHCP seront toujours
 ignorés, et les noms d'hôtes seront ajoutés au DNS en utilisant uniquement la
 configuration dhcp-host de Dnsmasq, ainsi que le contenu des fichiers /etc/hosts
 et /etc/ethers.
 .TP
-.B --dhcp-broadcast=<identifiant de réseau>[,<identifiant de réseau>]
-Lorsque tous les identifiants de réseaux fournis correspondent à ceux
-obtenus à partir des classes de réseau, d'hôte ou d'utilisateur, force
-l'utilisation du broadcast pour communiquer avec l'hôte lorsque celui-ci n'est
-pas configuré. La plupart des clients DHCP nécessitant une réponse par le biais
+.B --dhcp-generate-names=tag:<label>[,tag:<label>]
+Générer un nom pour les clients DHCP qui autrement n'en aurait pas, en
+utilisant l'adresse MAC sous sa forme hexadécimale, séparée par des tirets.
+Noter que si un hôte fourni un nom, celui-ci sera utilisé de préférence au nom
+autogénéré, à moins que
+.B --dhcp-ignore-names 
+ne soit positionné.
+.TP
+.B --dhcp-broadcast=[tag:<label>[,tag:<label>]]
+Lorsque tous les labels fournis dans l'option sont présents, toujours utiliser
+le broadcast pour communiquer avec l'hôte lorsque celui-ci n'est
+pas configuré. Il est possible de ne spécifier aucun label, auquel cas cette
+option s'applique inconditionnellement. La plupart des clients DHCP nécessitant une réponse par le biais
 d'un broadcast activent une option dans leur requête, ce qui fait que cela
 se fait automatiquement, mais ce n'est pas la cas de certains vieux clients BOOTP.
 .TP
-.B \-M, --dhcp-boot=[net:<identifiant de réseau>,]<nom de fichier>,[<nom de serveur>[,<adresse de serveur>]]
+.B \-M, --dhcp-boot=[tag:<label>,]<nom de fichier>,[<nom de serveur>[,<adresse de serveur>]]
 Spécifie les options BOOTP devant être retournées par le serveur DHCP. Le nom de
 serveur ainsi que l'adresse sont optionnels : s'ils ne sont pas fournis, le nom
 est laissé vide et l'adresse fournie est celle de la machine sur laquelle
@@ -775,12 +945,65 @@ s'exécute Dnsmasq. Si Dnsmasq founit un service TFTP (voir
 .B --enable-tftp
 ), alors seul un nom de fichier est requis ici pour permettre un démarrage par
 le réseau.
-Si d'éventuels identifiants de réseau sont fournis, ils doivent coïncider avec
-ceux du client pour que cet élement de configuration lui soit envoyé. Il est à
-noter que les identifiants de réseau doivent-être préfixés par "net:".
-.TP  
+Si d'éventuels labels sont fournis, ils doivent coïncider avec
+ceux du client pour que cet élement de configuration lui soit envoyé.
+.TP
+.B --pxe-service=[tag:<label>,]<CSA>,<entrée de menu>[,<nom de fichier>|<type de service de démarrage>][,<adresse de serveur>]
+La plupart des ROMS de démarrage PXE ne permettent au système PXE que la simple
+obtention d'une adresse IP, le téléchargement du fichier spécifié dans
+.B dhcp-boot
+et son exécution. Cependant, le système PXE est capable de fonctions bien plus
+complexes pour peu que le serveur DHCP soit adapté.
+
+Ceci spécifie l'option de démarrage qui apparaitra dans un menu de démarrage
+PXE. <CSA> est le type du système client. Seuls des types de services valides
+apparaitront dans un menu. Les types connus sont x86PC, PC98, IA64_EFI, Alpha,
+Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI et X86-64_EFI;
+D'autres types peuvent-être spécifiés sous la forme d'une valeur entière. Le
+paramètre après le texte correspondant à l'entrée dans le menu peut être un nom
+de fichier, auquel cas Dnsmasq agit comme un serveur de démarrage et indique au
+client PXE qu'il faut télécharger ce fichier via TFTP, soit depuis ce serveur
+(l'option
+.B enable-tftp 
+doit être spécifiée pour que cela marche), soit depuis un autre serveur TFTP
+si une adresse de serveur est fournie.
+Veuillez noter que le suffixe de "couche" (en principe ".0") est fourni par PXE
+et ne doit pas être rajouté au nom de fichier. Si une valeur numérique entière
+est fournir pour le type de démarrage, en remplacement du nom de fichier, le
+client PXE devra chercher un service de démarrage de ce type sur le réseau.
+Cette recherche peut être faite via broadcast ou directement auprès d'un
+serveur si son adresse IP est fournie dans l'option.
+Si aucun nom de fichier n'est donné ni aucune valeur de type de service de
+démarrage n'est fournie (ou qu'une valeur de 0 est donnée pour le type de
+service), alors l'entrée de menu provoque l'interruption du démarrage par
+le réseau et la poursuite du démarrage sur un média local.
+.TP
+.B --pxe-prompt=[tag:<label>,]<invite>[,<délai>]
+Cette option permet d'afficher une invite à la suite du démarrage PXE. Si un
+délai est fourni, alors la première entrée du menu de démarrage sera
+automatiquement exécutée après ce délai. Si le délai vaut 0, alors la première
+entrée disponible sera exécutée immédiatement. Si
+.B pxe-prompt
+est omis, le système attendra un choix de l'utilisateur s'il existe plusieurs
+entrées dans le menu, ou démarrera immédiatement dans le cas où il n'y a qu'une
+seule entrée. Voir
+.B pxe-service 
+pour plus de détails sur les entrées de menu.
+
+Dnsmasq peut servir de "proxy-DHCP" PXE, dans le cas où un autre serveur DHCP
+sur le réseau est responsable de l'allocation des adresses IP, auquel cas
+Dnsmasq se contente de fournir les informations données dans les options
+.B pxe-prompt
+et
+.B pxe-service
+pour permettre le démarrage par le réseau. Ce mode est activé en utilisant le
+mot-clef
+.B proxy
+dans
+.B dhcp-range.
+.TP
 .B \-X, --dhcp-lease-max=<nombre>
-Limite Dnsmasq à un maximum de <nombre> baux DHCP. Le défaut est de 150. Cette
+Limite Dnsmasq à un maximum de <nombre> baux DHCP. Le défaut est de 1000. Cette
 limite permet d'éviter des attaques de déni de service ("DoS") par des hôtes
 créant des milliers de baux et utilisant beaucoup de mémoire dans le processus
 Dnsmasq.
@@ -802,10 +1025,14 @@ numéro est utilisé pour le port serveur et ce numéro plus 1 est utilisé pour
 port client. Enfin, en fournissant deux numéros de ports, il est possible de
 spécifier arbitrairement 2 ports à la fois pour le serveur et pour le client DHCP.
 .TP
-.B \-3, --bootp-dynamic
+.B \-3, --bootp-dynamic[=<identifiant de réseau>[,<identifiant de réseau>]]
 Permet l'allocation dynamique d'adresses IP à des clients BOOTP. Utiliser cette
 option avec précaution, une adresse allouée à un client BOOTP étant perpétuelle,
-et de fait n'est plus disponibles pour d'autres hôtes.
+et de fait n'est plus disponibles pour d'autres hôtes. Si aucun argument n'est
+donné, alors cette option permet une allocation dynamique dans tous les cas. Si
+des arguments sont spécifiés, alors l'allocation ne se fait que lorsque tous
+les identifiants coïncident. Il est possible de répeter cette option avec
+plusieurs jeux d'arguments.
 .TP
 .B \-5, --no-ping
 Par défaut, le serveur DHCP tente de s'assurer qu'une adresse n'est pas utilisée
@@ -817,63 +1044,82 @@ utiliser avec précaution.
 .TP
 .B --log-dhcp
 Traces additionnelles pour le service DHCP : enregistre toutes les options
-envoyées aux clients DHCP et les identifiants de réseaux utilisés pour la
+envoyées aux clients DHCP et les labels utilisés pour la
 détermination de celles-ci.
 .TP
 .B \-l, --dhcp-leasefile=<chemin de fichier>
 Utilise le fichier dont le chemin est fourni pour stocker les informations de
-baux DHCP. Si cette option est fournie mais qu'aucune option de type dhcp-range
-n'est donnée, alors un comportement de type Dnsmasq version 1 est activé. Le
-fichier fourni est supposé être un fichier de baux DHCP de type ISC DHCPD et est
-parcouru à la recherche de baux contenant des noms d'hôtes. Les noms trouvés
-sont rajoutés au DNS. Cette fonctionalité peut être exclue de Dnsmasq à la
-compilation, auquel cas une erreur sera produite. Il est à noter que
-l'intégration avec un fichier de baux au format ISC est une fonctionalité
-obsolète. Elle ne devrait pas être utilisée dans les nouvelles installations et
-sera retirée dans une future version.
+baux DHCP.
 .TP 
 .B \-6 --dhcp-script=<chemin de fichier>
 Lorsqu'un bail DHCP est créé, ou qu'un ancien est supprimé, le fichier dont le
-chemin  est spécifié est exécuté. Les arguments fournis à celui-ci sont soit
+chemin  est spécifié est exécuté. Le <chemin de fichier> doit être un chemin
+absolu, aucune recherche n'est effectuée via la variable d'environnement PATH.
+Les arguments fournis à celui-ci sont soit
 "add" ("ajouter"), "old" ("ancien") ou "del" ("supprimer"), suivi de l'adresse
-MAC de l'hôte (ou "<null>") puis l'adresse IP et le nom d'hôte si celui-ci est
+MAC de l'hôte puis l'adresse IP et le nom d'hôte si celui-ci est
 connu."add" signifie qu'un bail a été créé, "del" signifie qu'il a été supprimé,
 "old" notifie que le bail existait au lancement de Dnsmasq, ou un changement
 d'adresse MAC ou de nom d'hôte pour un bail existant (ou, dans le cas où
 leasefile-ro est spécifié, un changement de durée de bail ou d'identifiant
-d'hôte). Le processus est exécuté en temps que super-utilisateur (si Dnsmasq a
-été lancé en temps que "root"), même si Dnsmasq est configuré pour changer son
-UID pour celle d'un utilisateur non-privilégié. L'environnement est hérité de
-celui de l'invocation du processus Dnsmasq, et si l'hôte fournit un identifiant
-de client, celui-ci est stocké dans la variable d'environnement
-DNSMASQ_CLIENT_ID. Si le client fournit une information de classe de vendeur ou
-de classe d'utilisateur, celles-ci sont positionnées dans les variables
-DNSMASQ_VENDOR_CLASS et DNSMASQ_USER_CLASS0 à DNSMASQ_USER_CLASSn
-respectivement, mais seulement pour les actions "add" et "old" lorsqu'un hôte
-reprend un bail existant, ces variables n'étant pas stockées dans la base de
-baux de Dnsmasq. Si Dnsmasq a été compilé avec l'option HAVE_BROKEN_RTC
-("horloge RTC défectueuse"), alors la durée du bail (en secondes) est stockée
-dans la variable DNSMASQ_LEASE_LENGTH, sinon la date d'expiration du bail est
-toujours stocké dans la variable d'environnement DNSMASQ_LEASE_EXPIRES. Le
-nombre de secondes avant expiration est toujours stocké dans
-DNSMASQ_TIME_REMAINING. Si un bail était associé à un nom d'hôte et que celui-ci
-est supprimé, un évênement de type "old" est généré avec le nouveau statut du
-bail, c-à-d sans nom d'hôte, et le nom initial est fourni dans la variable
-d'environnement DNSMASQ_OLD_HOSTNAME. La variable DNSMASQ_INTERFACE contient le nom de
-l'interface sur laquelle la requête est arrivée; ceci n'est pas renseigné
-dans le cas des actions "old" ayant lieu après un redémarrage de dnsmasq.
+d'hôte). Si l'adresse Mac est d'un type de réseau autre qu'ethernet, il est
+nécessaire de la préceder du type de réseau, par exemple "06-01:23:45:67:89:ab"
+pour du token ring. Le processus est exécuté en temps que super-utilisateur 
+(si Dnsmasq a été lancé en temps que "root"), même si Dnsmasq est configuré 
+pour changer son UID pour celle d'un utilisateur non-privilégié.
+
+L'environnement est hérité de celui de l'invocation du processus Dnsmasq,
+auquel se rajoute quelques unes ou toutes les variables décrites ci-dessous :
+
+DNSMASQ_CLIENT_ID, si l'hôte a fourni un identifiant de client.
+
+DNSMASQ_DOMAIN si le nom de domaine pleinement qualifié de l'hôte est connu, la
+part relative au domaine y est stockée.
+
+Si le client fournit une information de classe de vendeur, un nom d'hôte, ou
+des classes d'utilisateur, celles-ci sont fournies dans les
+variables DNSMASQ_VENDOR_CLASS et DNSMASQ_USER_CLASS0 à DNSMASQ_USER_CLASSn
+et DNSMASQ_SUPPLIED_HOSTNAME respectivement, mais seulement pour les actions
+"add" et "old" lorsqu'un hôte reprend un bail existant, ces variables n'étant
+pas stockées dans la base de baux de Dnsmasq.
+
+Si Dnsmasq a été compilé avec l'option HAVE_BROKEN_RTC ("horloge RTC
+défectueuse"), alors la durée du bail (en secondes) est stockée dans la
+variable DNSMASQ_LEASE_LENGTH, sinon la date d'expiration du bail est toujours
+stocké dans la variable d'environnement DNSMASQ_LEASE_EXPIRES. Le nombre de
+secondes avant expiration est toujours stocké dans DNSMASQ_TIME_REMAINING.
+
+Si un bail était associé à un nom d'hôte et
+que celui-ci est supprimé, un évênement de type "old" est généré avec le
+nouveau statut du bail, c-à-d sans nom d'hôte, et le nom initial est fourni
+dans la variable d'environnement DNSMASQ_OLD_HOSTNAME.
+
+La variable DNSMASQ_INTERFACE contient le nom de l'interface sur laquelle la
+requête est arrivée; ceci n'est pas renseigné dans le cas des actions "old"
+ayant lieu après un redémarrage de dnsmasq.
+
+La variable DNSMASQ_RELAY_ADDRESS est renseignée si le client a utilisé un
+relai DHCP pour contacter Dnsmasq, si l'adresse IP du relai est connue.
+
+DNSMASQ_TAGS contient tous les labels fournis pendant la transaction DHCP,
+séparés par des espaces.
+
 Tous les descripteurs de fichiers sont fermés, sauf stdin, stdout et stderr qui
 sont ouverts sur /dev/null (sauf en mode déverminage).
-Le script n'est pas lancé de manière concurrente : si un autre changement de
-bail intervient, le script ne sera relancé que lorsque l'exécution actuelle sera
-terminée.
+
+Le script n'est pas lancé de manière concurrente : au plus une instance du
+script est executée à la fois (dnsmasq attends qu'une instance de script se
+termine avant de lancer la suivante). Les changements dans la base des baux
+nécessitant le lancement du script sont placé en attente dans une queue jusqu'à
+terminaison d'une instance du script en cours. Si cette mise en queue fait que
+plusieurs changements d'états apparaissent pour un bail donné avant que le
+script puisse être lancé, alors les états les plus anciens sont supprimés et
+lorsque le script sera finalement lancé, ce sera avec l'état courant du bail.
+
 Au démarrage de Dnsmasq, le script sera invoqué pour chacun des baux existants
-dans le fichier des baux. Le script sera lancé avec l'action "del" pour les baux
-expirés, et "old" pour les autres. <chemin de fichier> doit être un chemin
-absolu (c'est-à-dire partant de la racine "/"), aucune recherche n'aura lieu
-dans les répertoires de la variable d'environnement PATH. Lorsque Dnsmasq reçoit
-un signal HUP, le script sera invoqué avec une action "old" pour tous les baux
-existants.
+dans le fichier des baux. Le script sera lancé avec l'action "del" pour les
+baux expirés, et "old" pour les autres. Lorsque Dnsmasq reçoit un signal HUP,
+le script sera invoqué avec une action "old" pour tous les baux existants.
 .TP 
 .B --dhcp-scriptuser
 Spécifie l'utilisateur sous lequel le script lease-change doit être exécuté. La
@@ -901,12 +1147,14 @@ longueur de bail ou de date d'expiration.
 .B --bridge-interface=<interface>,<alias>[,<alias>]
 Traiter les requêtes DHCP arrivant sur n'importe laquelle des interfaces <alias>
 comme si elles arrivaient de l'interface <interface>. Cette option est
-uniquement disponible sur les plateformes BSD, et est uniquement nécessaire
-lors de l'utilisation de pont ethernet "ancien mode", puisque dans ce cas les
-paquets arrivent sur des interfaces "tap" n'ayant pas d'adresse IP.
+nécessaire lors de l'utilisation de pont ethernet "ancien mode" sur plate-forme
+BSD, puisque dans ce cas les paquets arrivent sur des interfaces "tap" n'ont
+pas d'adresse IP.
 .TP
-.B \-s, --domain=<domaine>
-Spécifie le domaine du serveur DHCP. Cela a deux effets; tout d'abord, le
+.B \-s, --domain=<domaine>[,<gamme d'adresses>]
+Spécifie le domaine du serveur DHCP. Le domaine peut être donné de manière
+inconditionnelle (sans spécifier de gamme d'adresses IP) ou pour des gammes
+d'adresses IP limitées. Cela a deux effets; tout d'abord, le
 serveur DHCP retourne le domaine à tous les hôtes le demandant, deuxièmement,
 cela spécifie le domaine valide pour les hôtes DHCP configurés. Le but de cela
 est de contraindre les noms d'hôte afin qu'aucun hôte sur le LAN ne puisse
@@ -925,20 +1173,45 @@ et avoir une machine dont le nom DHCP serait "laptop". L'adresse IP de cette
 machine sera disponible à la fois pour "laptop" et "laptop.thekelleys.org.uk".
 Si la valeur fournie pour <domaine> est "#", alors le nom de domaine est
 positionné à la première valeur de la directive "search" du fichier
-/etc/resolv.conf (ou équivalent).
+/etc/resolv.conf (ou équivalent). La gamme d'adresses peut être de la forme
+<adresse ip>,<adresse ip> ou <adresse ip>/<masque de réseau> voire une simple
+<adresse ip>. Voir
+.B --dhcp-fqdn
+qui peut changer le comportement de dnsmasq relatif aux domaines.
 .TP
-.B --enable-tftp
+.B --dhcp-fqdn
+Dans le mode par défaut, dnsmasq insère les noms non-qualifiés des clients
+DHCP dans le DNS. Pour cette raison, les noms doivent être uniques, même si
+deux clients ayant le même nom sont dans deux domaines différents. Si un
+deuxième client DHCP apparaît ayant le même nom qu'un client déjà existant,
+ce nom est transféré au nouveau client. Si
+.B --dhcp-fqdn
+est spécifié, ce comportement change : les noms non qualifiés ne sont plus
+rajoutés dans le DNS, seuls les noms qualifiés le sont. Deux clients DHCP
+avec le même nom peuvent tous les deux garder le nom, pour peu que la partie
+relative au domaine soit différente (c-à-d que les noms pleinements qualifiés
+diffèrent). Pour d'assurer que tous les noms ont une partie domaine, il doit-y
+avoir au moins un
+.B --domain
+sans gamme d'adresses de spécifié lorsque l'option
+.B --dhcp-fqdn 
+est configurée.
+.TP
+.B --enable-tftp[=<interface>]
 Active la fonction serveur TFTP. Celui-ci est de manière délibérée limité aux
 fonctions nécessaires au démarrage par le réseau ("net-boot") d'un client. Seul
 un accès en lecture est possible; les extensions tsize et blksize sont supportées
-(tsize est seulement supporté en mode octet).
+(tsize est seulement supporté en mode octet). Voir dans la section NOTES les
+informations relatives à la spécification de l'interface.
 .TP
-.B --tftp-root=<répertoire>
+.B --tftp-root=<répertoire>[,<interface>]
 Les fichiers à fournir dans les transferts TFTP seront cherchés en prenant le
 répertoire fourni comme racine. Lorsque cela est fourni, les chemins TFTP
 incluant ".." sont rejetés, afin d'éviter que les clients ne puissent sortir de
 la racine spécifiée. Les chemins absolus (commençant par "/") sont autorisés,
-mais ils doivent être à la racine TFTP fournie.
+mais ils doivent être à la racine TFTP fournie. Si l'option interface est
+spécifiée, le répertoire n'est utilisé que pour les requêtes TFTP reçues sur
+cette interface.
 .TP
 .B --tftp-unique-root
 Ajouter l'adresse IP du client TFTP en temps qu'élément de chemin, à la suite
@@ -1013,10 +1286,12 @@ Spécifie un fichier de configuration différent. L'option "conf-file" est
 également autorisée dans des fichiers de configuration, ce qui permet
 l'inclusion de multiples fichiers de configuration.
 .TP
-.B \-7, --conf-dir=<répertoire>
+.B \-7, --conf-dir=<répertoire>[,<extension de fichier>...]
 Lis tous les fichiers du répertoire spécifié et les traite comme des fichiers de
-configuration. Les fichiers dont les noms se terminent en ~ ou commençant par .,
-ainsi que ceux commençant ou se terminant par # ne sont pas pris en compte.
+configuration. Si des extensions sont données, tout fichier finissant par ces
+extensions seront ignorés. Tout fichier dont le nom se termine en ~ ou commence
+par ., ainsi que ceux commençant ou se terminant par # seront systématiquement
+ignorés.
 Cette option peut être donnée en ligne de commande ou dans un fichier de
 configuration.
 .SH FICHIER DE CONFIGURATION
@@ -1158,35 +1433,48 @@ exception à ceci : si le DNS amont contient un CNAME qui pointe vers un nom
 présent dans /etc/hosts, alors la recherche du CNAME via Dnsmasq fournira
 l'adresse DNS amont. Pour contourner cela, il suffit de mettre l'entrée
 correspondant au CNAME dans /etc/hosts.
-
 .PP
-les identifiants de réseau fonctionnent comme suit : Dnsmasq associe à chaque
-requête DHCP un ensemble d'identifiants de réseau; un pour la plage d'adresse
-DHCP (
+le système de label fonctionne comme suit : pour chaque requête DHCP, dnsmasq
+associe un ensemble de labels obtenus à partir des lignes de la configuration
+incluant set:<label>, y compris un pour la plage d'adresse (
 .B dhcp-range
-) utilisée pour allouer l'adresse, une pour chaque entrée
+) utilisée pour allouer l'adresse, un pour chaque entrée
 .B dhcp-host
-associée et éventuellement une pour chaque classe de vendeur ou d'utilisateur
-fournie par le client DHCP dans sa requête. Les options DHCP (
+associée (auquel est rajouté le mot-clef "known" si une entrée dhcp-host
+coïncide).
+
+Le label "bootp" est associé aux requêtes BOOTP, un label dont le nom est le
+nom de l'interface sur laquelle la requête est arrivée.
+
+Pour les lignes de configuration comportant des éléments tag:<label>,
+seules seront valides celles pour lesquels tous les labels correspondants
+seront présents. C'est typiquement le cas des lignes dhcp-options.
+Un
 .B dhcp-option 
-) ayant un identifiant de réseau seront utilisés de préférence à celles
-sans identifiants de réseau, pour peu que
-.I tous
-les labels correspondent.
-Le préfixe '#' sur un label est un indicateur de négation, ainsi
-.B --dhcp=option=#purple,3,1.2.3.4
-envoie l'option lorsque le label "purple" n'est pas dans la liste de labels
-valides pour l'hôte considéré.
+possédant des labels sera utilisé de préférence à un
+.B dhcp-option 
+sans label, pour peu que _tous_ les labels positionnés correspondent à l'ensemble
+de labels décrit plus haut.
+Le préfixe '!' sur un label est un indicateur de négation, ainsi
+.B --dhcp=option=tag:!purple,3,1.2.3.4
+n'envoie l'option que lorsque le label "purple" n'est pas dans la liste de
+labels définis pour l'hôte considéré. (dans le cas de l'utilisation dans une
+ligne de commande au lieu d'un fichier de configuration, ne pas oublier
+d'échapper le caractère !, qui est un méta-caractère d'interpréteur de commande
+shell).
 .PP
-Si l'identifiant de réseau dans la plage d'adresses DHCP (
-.B dhcp-range 
-) est préfixé par 'net:', alors sa signification change : au lieu d'associer un
-label à la plage spécifiée, cela indique un label de réseau devant être spécifié
-par le client DHCP. Ainsi, s'il y a plus d'une plage d'adresses DHCP sur un
-sous-réseau, et que l'une est préfixée par un identifiant de réseau (par exemple
-l'un spécifié dans une option de classe de vendeur), alors un hôte ayant
-l'identifiant de réseau en question positionné se verra allouer une adresse dans
-la plage d'adresses DHCP préfixée.
+Veuillez noter que pour
+.B dhcp-range
+, les éléments tag:<label> et set:<label> sont tous les deux autorisés
+pour sélectionner la plage à utiliser selon, par exemple, le dhcp-host,
+et pour affecter l'option envoyée, sur la base de la plage sélectionnée.
+
+Ce système a évolué d'un système plus ancien et aux possibilités plus limitées,
+et pour des raisons de compatibilité "net:" peut être utilisé à la place de
+"tag:" et "set:" peut-être omis (à l'exception de
+.B dhcp-host,
+où "net:" peut-être utilisé à la place de "set:"). Pour les mêmes raisons, '#'
+peut-être utilisé à la place de '!' pour indiquer la négation.
 .PP 
 Le serveur DHCP intégré dans Dnsmasq fonctionne également en temps que serveur
 BOOTP, pour peu que l'adresse MAC et l'adresse IP des clients soient fournies,
@@ -1199,12 +1487,55 @@ ou dans le fichier
 soit présente afin d'activer le serveur DHCP pour un réseau donné (L'option
 .B --bootp-dynamic
 supprime la nécessité des associations statiques). Le paramètre
-"filename" (nom de fichier) de la requête BOOTP est comparé avec les
-identifiants de réseaux des options
-.B  dhcp-option 
-ainsi que le label "bootp", ce qui permet de contrôler les options retournées
+"filename" (nom de fichier) de la requête BOOTP est utilisé comme label, ainsi
+que le label "bootp", permettant un certain contrôle sur les options retournées
 aux différentes classes d'hôtes.
 
+Il est possible de spécifier un nom d'interface à
+.B dhcp-range
+sous la forme "interface:<nom d'interface>". La sémantique est comme suit :
+Pour le DHCP, s'il existe une autre valeur de dhcp-range pour laquelle
+_aucun_ nom d'interface n'est donné, alors le nom d'interface est ignoré
+et dnsmasq se comporte comme si la partie spécifiant l'interface n'existait
+pas, sinon le service DHCP n'est fourni qu'aux interfaces mentionnées dans
+les déclarations dhcp-range. Pour le DNS, si il n'y a pas d'option
+.B --interface
+ou
+.B --listen-address
+, alors le comportement n'est pas impacté par la spécification d'interface. Si
+l'une ou l'autre de ces options est présente, alors les interfaces mentionnées
+dans les plages d'adresses dhcp-range sont rajoutées à la liste de celles
+où le service DNS est assuré.
+
+De manière similaire,
+.B enable-tftp
+peut prendre un nom d'interface, ce qui active le TFTP pour cette seule
+interface, en ignorant les options
+.B --interface 
+ou
+.B --listen-address
+De plus, 
+.B --tftp-secure
+, 
+.B --tftp-unique-root
+et
+.B --tftp-no-blocksize
+sont ignorées pour les requêtes sur de telles interfaces. (une directive
+.B --tftp-root
+donnant le chemin de la racine et une interface doit-être fournie).
+
+Ces règles peuvent paraître étrange à première vue, mais elles permettent
+d'ajouter à la configuration de dnsmasq des lignes de configuration de la
+forme "dhcp-range=interface:virt0,192.168.0.4,192.168.0.200" afin de fournir
+un service DHCP et DNS sur cette interface, sans pour autant affecter les
+services fournis sur d'autres interfaces, malgré l'absence de paramètres
+"interface=<interface>" sur les autres lignes de configuration.
+"enable-tftp=virt0" et "tftp-root=<root>,virt0" effectuent la même chose pour
+TFTP.
+L'idée de tout cela est de permettre l'addition de telles lignes
+automatiquement par libvirt ou un système équivalent, sans perturbation
+d'une configuration manuelle existant par ailleurs.
+
 .SH CODES DE SORTIE
 .PP
 0 - Dnsmasq s'est correctement lancé en tâche de fond, ou alors s'est
@@ -1236,10 +1567,8 @@ ultérieur : les versions précédentes ne montaient pas en charge aussi bien.
  
 .PP
 Dnsmasq est capable de gérer le DNS et DHCP pour au moins un millier de clients.
-Evidement, pour cela la valeur de 
-.B --dhcp-lease-max
-doit être augmentée et la durée des baux ne doit pas être très courte (moins
-d'une heure). La valeur de
+Pour cela, la durée des bail ne doit pas être très courte (moins d'une heure).
+La valeur de
 .B --dns-forward-max 
 peut-être augmentée : commencer par la rendre égale au nombre de clients et
 l'augmenter si le DNS semble lent. Noter que la performance du DNS dépends
@@ -1269,6 +1598,25 @@ ou d'un fichier d'hôte additionnel. Cette liste peut-être très longue, Dnsmas
 ayant été testé avec succès avec un million de noms. Cette taille de fichier
 nécessite un processeur à 1 Ghz et environ 60 Mo de RAM.
 
+.SH INTERNATIONALISATION
+Dnsmasq peut être compilé pour supporter l'internationalisation. Pour cela,
+les cibles "all-i18n" et "install-i18n" doivent être données à make, en lieu
+et place des cibles standards "all" et "install". Lorsque compilé avec le
+support de l'internationalisation, dnsmasq supporte les noms de domaines
+internationalisés ("internationalised domain names" ou IDN), et les messages de
+traces ("logs") sont écrits dans la langue locale. Les noms de domaines dans
+/etc/hosts, /etc/ethers et /etc/dnsmasq.conf contenant des caractères
+non-ASCII seront transformés selon la représentation punycode interne
+aux DNS. Veuillez noter que dnsmasq détermine la langue pour les messages
+ainsi que le jeu de caractères susceptible d'être utilisé dans les fichiers
+de configuration à partir de la variable d'environnement LANG. Ceci devrait
+être configuré à la valeur par défaut du système par les scripts démarrant
+dnsmasq. Lorsque les fichiers de configuration sont édités, veuillez faire
+attention à le faire en utilisant la valeur de locale par défaut du système
+et non une valeur spécifique à l'utilisateur, puisque dnsmasq n'a aucun
+moyen de déterminer directement la valeur de jeu de caractère utilisé,
+et assume de ce fait qu'il s'agit de la valeur par défaut du système.
+
 .SH FICHIERS
 .IR /etc/dnsmasq.conf 
 

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -63,16 +63,20 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 	}
     }
   
-  for (ptr = ifc.ifc_buf; ptr < ifc.ifc_buf + ifc.ifc_len; ptr += len )
+  for (ptr = ifc.ifc_buf; ptr < (char *)(ifc.ifc_buf + ifc.ifc_len); ptr += len)
     {
       /* subsequent entries may not be aligned, so copy into
 	 an aligned buffer to avoid nasty complaints about 
 	 unaligned accesses. */
-#ifdef HAVE_SOCKADDR_SA_LEN
-      len = ((struct ifreq *)ptr)->ifr_addr.sa_len + offsetof(struct ifreq, ifr_ifru);
-#else
+
       len = sizeof(struct ifreq);
+      
+#ifdef HAVE_SOCKADDR_SA_LEN
+      ifr = (struct ifreq *)ptr;
+      if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru))
+	len = ifr->ifr_addr.sa_len + offsetof(struct ifreq, ifr_ifru);
 #endif
+      
       if (!expand_buf(&ifreq, len))
 	goto err;
 
@@ -126,7 +130,7 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
 #endif
 
 
-#if defined(HAVE_BSD_NETWORK)
+#if defined(HAVE_BSD_NETWORK) && defined(HAVE_DHCP)
 #include <net/bpf.h>
 
 void init_bpf(void)
@@ -171,7 +175,7 @@ void send_via_bpf(struct dhcp_packet *mess, size_t len,
   /* Only know how to do ethernet on *BSD */
   if (mess->htype != ARPHRD_ETHER || mess->hlen != ETHER_ADDR_LEN)
     {
-      my_syslog(LOG_WARNING, _("DHCP request for unsupported hardware type (%d) received on %s"), 
+      my_syslog(MS_DHCP | LOG_WARNING, _("DHCP request for unsupported hardware type (%d) received on %s"), 
 		mess->htype, ifr->ifr_name);
       return;
     }

src/cache.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,14 +10,17 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
 static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL;
-static struct crec *dhcp_spare = NULL, *new_chain = NULL;
+#ifdef HAVE_DHCP
+static struct crec *dhcp_spare = NULL;
+#endif
+static struct crec *new_chain = NULL;
 static int cache_inserted = 0, cache_live_freed = 0, insert_error;
 static union bigname *big_free = NULL;
 static int bignames_left, hash_size;
@@ -223,7 +226,7 @@ char *cache_get_name(struct crec *crecp)
 {
   if (crecp->flags & F_BIGNAME)
     return crecp->name.bname->name;
-  else if (crecp->flags & F_DHCP) 
+  else if (crecp->flags & (F_DHCP | F_CONFIG)) 
     return crecp->name.namep;
   
   return crecp->name.sname;
@@ -363,7 +366,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
 
   log_query(flags | F_UPSTREAM, name, addr, NULL);
 
-  /* CONFIG bit no needed except for logging */
+  /* CONFIG bit means something else when stored in cache entries */
   flags &= ~F_CONFIG;
 
   /* if previous insertion failed give up now. */
@@ -690,10 +693,10 @@ static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrl
   if (!nameexists)
     for (a = daemon->cnames; a; a = a->next)
       if (hostname_isequal(cache->name.sname, a->target) &&
-	  (lookup = whine_malloc(sizeof(struct crec) + strlen(a->alias)+1-SMALLDNAME)))
+	  (lookup = whine_malloc(sizeof(struct crec))))
 	{
-	  lookup->flags = F_FORWARD | F_IMMORTAL | F_HOSTS | F_CNAME;
-	  strcpy(lookup->name.sname, a->alias);
+	  lookup->flags = F_FORWARD | F_IMMORTAL | F_CONFIG | F_HOSTS | F_CNAME;
+	  lookup->name.namep = a->alias;
 	  lookup->addr.cname.cache = cache;
 	  lookup->addr.cname.uid = index;
 	  cache_hash(lookup);
@@ -818,35 +821,38 @@ static int read_hostsfile(char *filename, int index, int cache_size)
       while (atnl == 0)
 	{
 	  struct crec *cache;
-	  int fqdn;
+	  int fqdn, nomem;
+	  char *canon;
 	  
 	  if ((atnl = gettok(f, token)) == EOF)
 	    break;
 
 	  fqdn = !!strchr(token, '.');
 
-	  if (canonicalise(token))
+	  if ((canon = canonicalise(token, &nomem)))
 	    {
 	      /* If set, add a version of the name with a default domain appended */
 	      if ((daemon->options & OPT_EXPAND) && domain_suffix && !fqdn && 
 		  (cache = whine_malloc(sizeof(struct crec) + 
-					strlen(token)+2+strlen(domain_suffix)-SMALLDNAME)))
+					strlen(canon)+2+strlen(domain_suffix)-SMALLDNAME)))
 		{
-		  strcpy(cache->name.sname, token);
+		  strcpy(cache->name.sname, canon);
 		  strcat(cache->name.sname, ".");
 		  strcat(cache->name.sname, domain_suffix);
 		  add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
 		  addr_dup = 1;
 		  name_count++;
 		}
-	      if ((cache = whine_malloc(sizeof(struct crec) + strlen(token)+1-SMALLDNAME)))
+	      if ((cache = whine_malloc(sizeof(struct crec) + strlen(canon)+1-SMALLDNAME)))
 		{
-		  strcpy(cache->name.sname, token);
+		  strcpy(cache->name.sname, canon);
 		  add_hosts_entry(cache, &addr, addrlen, flags, index, addr_dup);
 		  name_count++;
 		}
+	      free(canon);
+	      
 	    }
-	  else
+	  else if (!nomem)
 	    my_syslog(LOG_ERR, _("bad name at %s line %d"), filename, lineno); 
 	}
     } 
@@ -859,10 +865,11 @@ static int read_hostsfile(char *filename, int index, int cache_size)
   return name_count;
 }
 	    
-void cache_reload(struct hostsfile *addn_hosts)
+void cache_reload(void)
 {
   struct crec *cache, **up, *tmp;
   int i, total_size = daemon->cachesize;
+  struct hostsfile *ah;
 
   cache_inserted = cache_live_freed = 0;
   
@@ -889,7 +896,7 @@ void cache_reload(struct hostsfile *addn_hosts)
 	  up = &cache->hash_next;
       }
   
-  if ((daemon->options & OPT_NO_HOSTS) && !addn_hosts)
+  if ((daemon->options & OPT_NO_HOSTS) && !daemon->addn_hosts)
     {
       if (daemon->cachesize > 0)
 	my_syslog(LOG_INFO, _("cleared cache"));
@@ -898,13 +905,116 @@ void cache_reload(struct hostsfile *addn_hosts)
 
   if (!(daemon->options & OPT_NO_HOSTS))
     total_size = read_hostsfile(HOSTSFILE, 0, total_size);
-  while (addn_hosts)
+  
+  for (i = 0, ah = daemon->addn_hosts; ah; ah = ah->next)
     {
-      total_size = read_hostsfile(addn_hosts->fname, addn_hosts->index, total_size);
-      addn_hosts = addn_hosts->next;
-    }  
+      if (i <= ah->index)
+	i = ah->index + 1;
+
+      if (ah->flags & AH_DIR)
+	ah->flags |= AH_INACTIVE;
+      else
+	ah->flags &= ~AH_INACTIVE;
+    }
+
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (!(ah->flags & AH_INACTIVE))
+      {
+	struct stat buf;
+	if (stat(ah->fname, &buf) != -1 && S_ISDIR(buf.st_mode))
+	  {
+	    DIR *dir_stream;
+	    struct dirent *ent;
+	    
+	    /* don't read this as a file */
+	    ah->flags |= AH_INACTIVE;
+	    
+	    if (!(dir_stream = opendir(ah->fname)))
+	      my_syslog(LOG_ERR, _("cannot access directory %s: %s"), 
+			ah->fname, strerror(errno));
+	    else
+	      {
+		while ((ent = readdir(dir_stream)))
+		  {
+		    size_t lendir = strlen(ah->fname);
+		    size_t lenfile = strlen(ent->d_name);
+		    struct hostsfile *ah1;
+		    char *path;
+		    
+		    /* ignore emacs backups and dotfiles */
+		    if (lenfile == 0 || 
+			ent->d_name[lenfile - 1] == '~' ||
+			(ent->d_name[0] == '#' && ent->d_name[lenfile - 1] == '#') ||
+			ent->d_name[0] == '.')
+		      continue;
+		    
+		    /* see if we have an existing record.
+		       dir is ah->fname 
+		       file is ent->d_name
+		       path to match is ah1->fname */
+
+		    for (ah1 = daemon->addn_hosts; ah1; ah1 = ah1->next)
+		      {
+			if (lendir < strlen(ah1->fname) &&
+			    strstr(ah1->fname, ah->fname) == ah1->fname &&
+			    ah1->fname[lendir] == '/' &&
+			    strcmp(ah1->fname + lendir + 1, ent->d_name) == 0)
+			  {
+			    ah1->flags &= ~AH_INACTIVE;
+			    break;
+			  }
+		      }
+		    
+		    /* make new record */
+		    if (!ah1)
+		      {
+			if (!(ah1 = whine_malloc(sizeof(struct hostsfile))))
+			  continue;
+			
+			if (!(path = whine_malloc(lendir + lenfile + 2)))
+			  {
+			    free(ah1);
+			    continue;
+			  }
+		      	
+			strcpy(path, ah->fname);
+			strcat(path, "/");
+			strcat(path, ent->d_name);
+			ah1->fname = path;
+			ah1->index = i++;
+			ah1->flags = AH_DIR;
+			ah1->next = daemon->addn_hosts;
+			daemon->addn_hosts = ah1;
+		      }
+		    
+		    /* inactivate record if not regular file */
+		    if ((ah1->flags & AH_DIR) && stat(ah1->fname, &buf) != -1 && !S_ISREG(buf.st_mode))
+		      ah1->flags |= AH_INACTIVE; 
+
+		  }
+		closedir(dir_stream);
+	      }
+	  }
+      }
+	    
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (!(ah->flags & AH_INACTIVE))
+      total_size = read_hostsfile(ah->fname, ah->index, total_size);
 } 
 
+char *get_domain(struct in_addr addr)
+{
+  struct cond_domain *c;
+
+  for (c = daemon->cond_domain; c; c = c->next)
+    if (ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
+        ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+      return c->domain;
+
+  return daemon->domain_suffix;
+}
+
+#ifdef HAVE_DHCP
 void cache_unhash_dhcp(void)
 {
   struct crec *cache, **up;
@@ -935,19 +1045,22 @@ void cache_add_dhcp_entry(char *host_name,
       /* check all addresses associated with name */
       if (crec->flags & F_HOSTS)
 	{
-	  if (crec->addr.addr.addr.addr4.s_addr != host_address->s_addr)
+	  /* if in hosts, don't need DHCP record */
+	  in_hosts = 1;
+	  
+	  if (crec->flags & F_CNAME)
+	    my_syslog(LOG_WARNING, 
+		      _("%s is a CNAME, not giving it to the DHCP lease of %s"),
+		      host_name, inet_ntoa(*host_address));
+	  else if (crec->addr.addr.addr.addr4.s_addr != host_address->s_addr)
 	    {
 	      strcpy(daemon->namebuff, inet_ntoa(crec->addr.addr.addr.addr4));
 	      my_syslog(LOG_WARNING, 
 			_("not giving name %s to the DHCP lease of %s because "
 			  "the name exists in %s with address %s"), 
 			host_name, inet_ntoa(*host_address),
-			record_source(daemon->addn_hosts, crec->uid), daemon->namebuff);
-	      return;
-	    }
-	  else
-	    /* if in hosts, don't need DHCP record */
-	    in_hosts = 1;
+			record_source(crec->uid), daemon->namebuff);
+	    }	  
 	}
       else if (!(crec->flags & F_DHCP))
 	{
@@ -996,7 +1109,7 @@ void cache_add_dhcp_entry(char *host_name,
 	    
 	    if (aliasc)
 	      {
-		aliasc->flags = F_FORWARD | F_DHCP | F_CNAME;
+		aliasc->flags = F_FORWARD | F_CONFIG | F_DHCP | F_CNAME;
 		if (ttd == 0)
 		  aliasc->flags |= F_IMMORTAL;
 		else
@@ -1009,6 +1122,7 @@ void cache_add_dhcp_entry(char *host_name,
 	  }
     }
 }
+#endif
 
 
 void dump_cache(time_t now)
@@ -1099,20 +1213,18 @@ void dump_cache(time_t now)
     }
 }
 
-char *record_source(struct hostsfile *addn_hosts, int index)
+char *record_source(int index)
 {
-  char *source = HOSTSFILE;
-  while (addn_hosts)
-    { 
-      if (addn_hosts->index == index)
-	{
-	  source = addn_hosts->fname;
-	  break;
-	}
-      addn_hosts = addn_hosts->next;
-    }
+  struct hostsfile *ah;
 
-  return source;
+  if (index == 0)
+    return HOSTSFILE;
+
+  for (ah = daemon->addn_hosts; ah; ah = ah->next)
+    if (ah->index == index)
+      return ah->fname;
+  
+  return "<unknown>";
 }
 
 void querystr(char *str, unsigned short type)
@@ -1179,12 +1291,12 @@ void log_query(unsigned short flags, char *name, struct all_addr *addr, char *ar
 	dest = "<CNAME>";
     }
     
-  if (flags & F_DHCP)
+  if (flags & F_CONFIG)
+    source = "config";
+  else if (flags & F_DHCP)
     source = "DHCP";
   else if (flags & F_HOSTS)
     source = arg;
-  else if (flags & F_CONFIG)
-    source = "config";
   else if (flags & F_UPSTREAM)
     source = "reply";
   else if (flags & F_SERVER)

src/config.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,21 +10,23 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define VERSION "2.46"
+#define VERSION "2.54"
 
 #define FTABSIZ 150 /* max number of outstanding requests (default) */
 #define MAX_PROCS 20 /* max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
-#define EDNS_PKTSZ 1280 /* default max EDNS.0 UDP packet from RFC2671 */
+#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
 #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
+#define FORWARD_TEST 50 /* try all servers every 50 queries */
+#define FORWARD_TIME 20 /* or 10 seconds */
 #define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
 #define CACHESIZ 150 /* default cache size */
-#define MAXLEASES 150 /* maximum number of DHCP leases */
+#define MAXLEASES 1000 /* maximum number of DHCP leases */
 #define PING_WAIT 3 /* wait for ping address-in-use test */
 #define PING_CACHE_TIME 30 /* Ping test assumed to be valid this long. */
 #define DECLINE_BACKOFF 600 /* disable DECLINEd static addresses for this long */
@@ -38,18 +40,25 @@
 #  define RESOLVFILE "/etc/resolv.conf"
 #endif
 #define RUNFILE "/var/run/dnsmasq.pid"
-#if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__)
-#   define LEASEFILE "/var/db/dnsmasq.leases"
-#elif defined(__sun__) || defined (__sun)
-#   define LEASEFILE "/var/cache/dnsmasq.leases"
-#else
-#   define LEASEFILE "/var/lib/misc/dnsmasq.leases"
+
+#ifndef LEASEFILE
+#   if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__) || defined(__NetBSD__)
+#      define LEASEFILE "/var/db/dnsmasq.leases"
+#   elif defined(__sun__) || defined (__sun)
+#      define LEASEFILE "/var/cache/dnsmasq.leases"
+#   else
+#      define LEASEFILE "/var/lib/misc/dnsmasq.leases"
+#   endif
 #endif
-#if defined(__FreeBSD__)
-#   define CONFFILE "/usr/local/etc/dnsmasq.conf"
-#else
-#   define CONFFILE "/etc/dnsmasq.conf"
+
+#ifndef CONFFILE
+#   if defined(__FreeBSD__)
+#      define CONFFILE "/usr/local/etc/dnsmasq.conf"
+#   else
+#      define CONFFILE "/etc/dnsmasq.conf"
+#   endif
 #endif
+
 #define DEFLEASE 3600 /* default lease time, 1 hour */
 #define CHUSER "nobody"
 #define CHGRP "dip"
@@ -57,10 +66,12 @@
 #define DHCP_CLIENT_PORT 68
 #define DHCP_SERVER_ALTPORT 1067
 #define DHCP_CLIENT_ALTPORT 1068
+#define PXE_PORT 4011
 #define TFTP_PORT 69
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
 #define LOG_MAX 5 /* log-queue length */
 #define RANDFILE "/dev/urandom"
+#define DAD_WAIT 20 /* retry binding IPv6 sockets for this long */
 
 /* DBUS interface specifics */
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq"
@@ -98,9 +109,6 @@ HAVE_BSD_NETWORK
 HAVE_SOLARIS_NETWORK
    define exactly one of these to alter interaction with kernel networking.
 
-HAVE_SOLARIS_PRIVS
-   define for Solaris > 10 which can split privileges.
-
 HAVE_BROKEN_RTC
    define this on embedded systems which don't have an RTC
    which keeps time over reboots. Causes dnsmasq to use uptime
@@ -118,6 +126,12 @@ HAVE_BROKEN_RTC
 HAVE_TFTP
    define this to get dnsmasq's built-in TFTP server.
 
+HAVE_DHCP
+   define this to get dnsmasq's DHCP server.
+
+HAVE_SCRIPT
+   define this to get the ability to call scripts on lease-change
+
 HAVE_GETOPT_LONG
    define this if you have GNU libc or GNU getopt. 
 
@@ -133,11 +147,6 @@ HAVE_DBUS
    define some methods to allow (re)configuration of the upstream DNS 
    servers via DBus.
 
-HAVE_BSD_BRIDGE
-   Define this to enable the --bridge-interface option, useful on some
-   BSD systems.
-
-
 NOTES:
    For Linux you should define 
       HAVE_LINUX_NETWORK
@@ -157,7 +166,9 @@ NOTES:
 */
 
 /* platform independent options- uncomment to enable */
+#define HAVE_DHCP
 #define HAVE_TFTP
+#define HAVE_SCRIPT
 /* #define HAVE_BROKEN_RTC */
 /* #define HAVE_DBUS */
 
@@ -166,6 +177,18 @@ NOTES:
 #undef HAVE_TFTP
 #endif
 
+/* Allow DHCP to be disabled with COPTS=-DNO_DHCP */
+#ifdef NO_DHCP
+#undef HAVE_DHCP
+#endif
+
+/* Allow scripts to be disabled with COPTS=-DNO_SCRIPT */
+#ifdef NO_SCRIPT
+#undef HAVE_SCRIPT
+#endif
+
+
+
 /* platform dependent options. */
 
 /* Must preceed __linux__ since uClinux defines __linux__ too. */
@@ -203,32 +226,24 @@ NOTES:
 #define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
-/* glibc < 2.2  has broken Sockaddr_in6 so we have to use our own. */
-/* glibc < 2.2 doesn't define in_addr_t */
-#if defined(__GLIBC__) && (__GLIBC__ == 2) && \
-    defined(__GLIBC_MINOR__) && (__GLIBC_MINOR__ < 2)
-typedef unsigned long in_addr_t; 
-#   define HAVE_BROKEN_SOCKADDR_IN6
-#endif
 
 #elif defined(__FreeBSD__) || \
       defined(__OpenBSD__) || \
       defined(__DragonFly__) || \
-      defined (__FreeBSD_kernel__)
+      defined(__FreeBSD_kernel__)
 #define HAVE_BSD_NETWORK
 /* Later verions of FreeBSD have getopt_long() */
 #if defined(optional_argument) && defined(required_argument)
 #   define HAVE_GETOPT_LONG
 #endif
-#if !defined (__FreeBSD_kernel__)
+#if !defined(__FreeBSD_kernel__)
 #   define HAVE_ARC4RANDOM
 #endif
 #define HAVE_SOCKADDR_SA_LEN
-#define HAVE_BSD_BRIDGE
 
 #elif defined(__APPLE__)
 #define HAVE_BSD_NETWORK
-#undef HAVE_GETOPT_LONG
+#define HAVE_GETOPT_LONG
 #define HAVE_ARC4RANDOM
 #define HAVE_SOCKADDR_SA_LEN
 /* Define before sys/socket.h is included so we get socklen_t */
@@ -239,34 +254,14 @@ typedef unsigned long in_addr_t;
 #define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
 #define HAVE_SOCKADDR_SA_LEN
-#define HAVE_BSD_BRIDGE
 
 #elif defined(__sun) || defined(__sun__)
 #define HAVE_SOLARIS_NETWORK
-/* only Solaris 10 does split privs. */
-#if (SUNOS_VER >= 10)
-#  define HAVE_SOLARIS_PRIVS
-#  define HAVE_GETOPT_LONG
-#endif
-/* some CMSG stuff missing on early solaris */
-#ifndef OSSH_ALIGNBYTES
-#  define OSSH_ALIGNBYTES (sizeof(int) - 1)
-#endif
-#ifndef __CMSG_ALIGN
-#  define __CMSG_ALIGN(p) (((u_int)(p) + OSSH_ALIGNBYTES) &~ OSSH_ALIGNBYTES)
-#endif
-#ifndef CMSG_LEN
-#  define CMSG_LEN(len)   (__CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
-#endif
-#ifndef CMSG_SPACE
-#  define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len))
-#endif
+#define HAVE_GETOPT_LONG
 #undef HAVE_ARC4RANDOM
 #undef HAVE_SOCKADDR_SA_LEN
-
-#define _XPG4_2
-#define __EXTENSIONS__
-#define ETHER_ADDR_LEN 6
+#define ETHER_ADDR_LEN 6 
+ 
 #endif
 
 /* Decide if we're going to support IPv6 */
@@ -290,3 +285,8 @@ typedef unsigned long in_addr_t;
 #  define ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
 #endif
 
+/* Can't do scripts without fork */
+#ifdef NOFORK
+#  undef HAVE_SCRIPT
+#endif
+

src/dbus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,17 +10,52 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
 #ifdef HAVE_DBUS
 
-#define DBUS_API_SUBJECT_TO_CHANGE
 #include <dbus/dbus.h>
 
+const char* introspection_xml =
+"<!DOCTYPE node PUBLIC \"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN\"\n"
+"\"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd\">\n"
+"<node name=\"" DNSMASQ_PATH "\">\n"
+"  <interface name=\"org.freedesktop.DBus.Introspectable\">\n"
+"    <method name=\"Introspect\">\n"
+"      <arg name=\"data\" direction=\"out\" type=\"s\"/>\n"
+"    </method>\n"
+"  </interface>\n"
+"  <interface name=\"" DNSMASQ_SERVICE "\">\n"
+"    <method name=\"ClearCache\">\n"
+"    </method>\n"
+"    <method name=\"GetVersion\">\n"
+"      <arg name=\"version\" direction=\"out\" type=\"s\"/>\n"
+"    </method>\n"
+"    <method name=\"SetServers\">\n"
+"      <arg name=\"servers\" direction=\"in\" type=\"av\"/>\n"
+"    </method>\n"
+"    <signal name=\"DhcpLeaseAdded\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"    <signal name=\"DhcpLeaseDeleted\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"    <signal name=\"DhcpLeaseUpdated\">\n"
+"      <arg name=\"ipaddr\" type=\"s\"/>\n"
+"      <arg name=\"hwaddr\" type=\"s\"/>\n"
+"      <arg name=\"hostname\" type=\"s\"/>\n"
+"    </signal>\n"
+"  </interface>\n"
+"</node>\n";
+
 struct watch {
   DBusWatch *watch;      
   struct watch *next;
@@ -229,7 +264,15 @@ DBusHandlerResult message_handler(DBusConnection *connection,
 {
   char *method = (char *)dbus_message_get_member(message);
    
-  if (strcmp(method, "GetVersion") == 0)
+  if (dbus_message_is_method_call(message, DBUS_INTERFACE_INTROSPECTABLE, "Introspect"))
+    {
+      DBusMessage *reply = dbus_message_new_method_return(message);
+
+      dbus_message_append_args(reply, DBUS_TYPE_STRING, &introspection_xml, DBUS_TYPE_INVALID);
+      dbus_connection_send (connection, reply, NULL);
+      dbus_message_unref (reply);
+    }
+  else if (strcmp(method, "GetVersion") == 0)
     {
       char *v = VERSION;
       DBusMessage *reply = dbus_message_new_method_return(message);
@@ -301,11 +344,7 @@ void set_dbus_listeners(int *maxfdp,
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = dbus_watch_get_flags(w->watch);
-#if (DBUS_MINOR > 0)
 	int fd = dbus_watch_get_unix_fd(w->watch);
-#else
-	int fd = dbus_watch_get_fd(w->watch);
-#endif
 	
 	bump_maxfd(fd, maxfdp);
 	
@@ -328,11 +367,7 @@ void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = 0;
-#if (DBUS_MINOR > 0)
 	int fd = dbus_watch_get_unix_fd(w->watch);
-#else
-	int fd = dbus_watch_get_fd(w->watch);
-#endif
 	
 	if (FD_ISSET(fd, rset))
 	  flags |= DBUS_WATCH_READABLE;
@@ -355,16 +390,26 @@ void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
     }
 }
 
-void emit_dbus_signal(int action, char *mac, char *hostname, char *addr)
+#ifdef HAVE_DHCP
+void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname)
 {
   DBusConnection *connection = (DBusConnection *)daemon->dbus;
   DBusMessage* message = NULL;
   DBusMessageIter args;
-  const char *action_str;
+  char *action_str, *addr, *mac = daemon->namebuff;
+  unsigned char *p;
+  int i;
 
   if (!connection)
     return;
-
+  
+  if (!hostname)
+    hostname = "";
+  
+  p = extended_hwaddr(lease->hwaddr_type, lease->hwaddr_len,
+		      lease->hwaddr, lease->clid_len, lease->clid, &i);
+  print_mac(mac, p, i);
+  
   if (action == ACTION_DEL)
     action_str = "DhcpLeaseDeleted";
   else if (action == ACTION_ADD)
@@ -374,6 +419,8 @@ void emit_dbus_signal(int action, char *mac, char *hostname, char *addr)
   else
     return;
 
+  addr = inet_ntoa(lease->addr);
+
   if (!(message = dbus_message_new_signal(DNSMASQ_PATH, DNSMASQ_SERVICE, action_str)))
     return;
   
@@ -386,5 +433,6 @@ void emit_dbus_signal(int action, char *mac, char *hostname, char *addr)
   
   dbus_message_unref(message);
 }
+#endif
 
 #endif

src/dhcp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,12 +10,14 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
+#ifdef HAVE_DHCP
+
 struct iface_param {
   struct in_addr relay, primary;
   struct dhcp_context *current;
@@ -25,7 +27,7 @@ struct iface_param {
 static int complete_context(struct in_addr local, int if_index, 
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam);
 
-void dhcp_init(void)
+static int make_fd(int port)
 {
   int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
   struct sockaddr_in saddr;
@@ -35,7 +37,7 @@ void dhcp_init(void)
 #endif
 
   if (fd == -1)
-    die (_("cannot create DHCP socket : %s"), NULL, EC_BADNET);
+    die (_("cannot create DHCP socket: %s"), NULL, EC_BADNET);
   
   if (!fix_fd(fd) ||
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
@@ -43,7 +45,7 @@ void dhcp_init(void)
 #endif
 #if defined(HAVE_LINUX_NETWORK)
       setsockopt(fd, SOL_IP, IP_PKTINFO, &oneopt, sizeof(oneopt)) == -1 ||
-#elif defined(IP_RECVIF)
+#else
       setsockopt(fd, IPPROTO_IP, IP_RECVIF, &oneopt, sizeof(oneopt)) == -1 ||
 #endif
       setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &oneopt, sizeof(oneopt)) == -1)  
@@ -51,12 +53,7 @@ void dhcp_init(void)
   
   /* When bind-interfaces is set, there might be more than one dnmsasq
      instance binding port 67. That's OK if they serve different networks.
-     Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD.
-     OpenBSD <= 4.0 screws up IP_RECVIF when SO_REUSEPORT is set, but
-     OpenBSD <= 3.9 doesn't have IP_RECVIF anyway, so we just have to elide
-     this for OpenBSD 4.0, if you want more than one instance on oBSD4.0, tough. */
-
-#ifndef OpenBSD4_0
+     Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD. */
   if (daemon->options & OPT_NOWILD)
     {
 #ifdef SO_REUSEPORT
@@ -67,11 +64,10 @@ void dhcp_init(void)
       if (rc == -1)
 	die(_("failed to set SO_REUSE{ADDR|PORT} on DHCP socket: %s"), NULL, EC_BADNET);
     }
-#endif
   
   memset(&saddr, 0, sizeof(saddr));
   saddr.sin_family = AF_INET;
-  saddr.sin_port = htons(daemon->dhcp_server_port);
+  saddr.sin_port = htons(port);
   saddr.sin_addr.s_addr = INADDR_ANY;
 #ifdef HAVE_SOCKADDR_SA_LEN
   saddr.sin_len = sizeof(struct sockaddr_in);
@@ -80,7 +76,20 @@ void dhcp_init(void)
   if (bind(fd, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in)))
     die(_("failed to bind DHCP server socket: %s"), NULL, EC_BADNET);
 
-  daemon->dhcpfd = fd;
+  return fd;
+}
+
+void dhcp_init(void)
+{
+#if defined(HAVE_BSD_NETWORK)
+  int oneopt = 1;
+#endif
+
+  daemon->dhcpfd = make_fd(daemon->dhcp_server_port);
+  if (daemon->enable_pxe)
+    daemon->pxefd = make_fd(PXE_PORT);
+  else
+    daemon->pxefd = -1;
 
 #if defined(HAVE_BSD_NETWORK)
   /* When we're not using capabilities, we need to do this here before
@@ -103,8 +112,9 @@ void dhcp_init(void)
   daemon->dhcp_packet.iov_base = safe_malloc(daemon->dhcp_packet.iov_len);
 }
   
-void dhcp_packet(time_t now)
+void dhcp_packet(time_t now, int pxe_fd)
 {
+  int fd = pxe_fd ? daemon->pxefd : daemon->dhcpfd;
   struct dhcp_packet *mess;
   struct dhcp_context *context;
   struct iname *tmp;
@@ -117,14 +127,17 @@ void dhcp_packet(time_t now)
   int iface_index = 0, unicast_dest = 0, is_inform = 0;
   struct in_addr iface_addr, *addrp = NULL;
   struct iface_param parm;
-
+#ifdef HAVE_LINUX_NETWORK
+  struct arpreq arp_req;
+#endif
+  
   union {
     struct cmsghdr align; /* this ensures alignment */
 #if defined(HAVE_LINUX_NETWORK)
     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
 #elif defined(HAVE_SOLARIS_NETWORK)
     char control[CMSG_SPACE(sizeof(unsigned int))];
-#elif defined(IP_RECVIF) 
+#elif defined(HAVE_BSD_NETWORK) 
     char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
 #endif
   } control_u;
@@ -136,13 +149,30 @@ void dhcp_packet(time_t now)
   msg.msg_iov = &daemon->dhcp_packet;
   msg.msg_iovlen = 1;
   
-  do
+  while (1)
     {
       msg.msg_flags = 0;
-      while ((sz = recvmsg(daemon->dhcpfd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
+      while ((sz = recvmsg(fd, &msg, MSG_PEEK | MSG_TRUNC)) == -1 && errno == EINTR);
+      
+      if (sz == -1)
+	return;
+      
+      if (!(msg.msg_flags & MSG_TRUNC))
+	break;
+
+      /* Very new Linux kernels return the actual size needed, 
+	 older ones always return truncated size */
+      if ((size_t)sz == daemon->dhcp_packet.iov_len)
+	{
+	  if (!expand_buf(&daemon->dhcp_packet, sz + 100))
+	    return;
+	}
+      else
+	{
+	  expand_buf(&daemon->dhcp_packet, sz);
+	  break;
+	}
     }
-  while (sz != -1 && (msg.msg_flags & MSG_TRUNC) &&
-	 expand_buf(&daemon->dhcp_packet, daemon->dhcp_packet.iov_len + 100));
   
   /* expand_buf may have moved buffer */
   mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
@@ -152,9 +182,9 @@ void dhcp_packet(time_t now)
   msg.msg_name = &dest;
   msg.msg_namelen = sizeof(dest);
 
-  while ((sz = recvmsg(daemon->dhcpfd, &msg, 0)) == -1 && errno == EINTR);
+  while ((sz = recvmsg(fd, &msg, 0)) == -1 && errno == EINTR);
  
-  if (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
+  if ((msg.msg_flags & MSG_TRUNC) || sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))
     return;
   
 #if defined (HAVE_LINUX_NETWORK)
@@ -162,45 +192,57 @@ void dhcp_packet(time_t now)
     for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
       if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
 	{
-	  iface_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
-	  if (((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_addr.s_addr != INADDR_BROADCAST)
+	  union {
+	    unsigned char *c;
+	    struct in_pktinfo *p;
+	  } p;
+	  p.c = CMSG_DATA(cmptr);
+	  iface_index = p.p->ipi_ifindex;
+	  if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
 	    unicast_dest = 1;
 	}
-  
-  if (!(ifr.ifr_ifindex = iface_index) || 
-      ioctl(daemon->dhcpfd, SIOCGIFNAME, &ifr) == -1)
-    return;
-  
-#elif defined(IP_RECVIF)
+
+#elif defined(HAVE_BSD_NETWORK) 
   if (msg.msg_controllen >= sizeof(struct cmsghdr))
     for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
       if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
-#ifdef HAVE_SOLARIS_NETWORK
-	iface_index = *((unsigned int *)CMSG_DATA(cmptr));
-#else
-        iface_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
-#endif
-	  
-  if (!iface_index || !if_indextoname(iface_index, ifr.ifr_name))
-    return;
+        {
+	  union {
+            unsigned char *c;
+            struct sockaddr_dl *s;
+          } p;
+	  p.c = CMSG_DATA(cmptr);
+	  iface_index = p.s->sdl_index;
+	}
   
+#elif defined(HAVE_SOLARIS_NETWORK) 
+  if (msg.msg_controllen >= sizeof(struct cmsghdr))
+    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	{
+	  union {
+	    unsigned char *c;
+	    unsigned int *i;
+	  } p;
+	  p.c = CMSG_DATA(cmptr);
+	  iface_index = *(p.i);
+	}
+#endif
+	
+  if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name))
+    return;
+
+#ifdef HAVE_LINUX_NETWORK
+  /* ARP fiddling uses original interface even if we pretend to use a different one. */
+  strncpy(arp_req.arp_dev, ifr.ifr_name, 16);
+#endif 
+
 #ifdef MSG_BCAST
   /* OpenBSD tells us when a packet was broadcast */
   if (!(msg.msg_flags & MSG_BCAST))
     unicast_dest = 1;
 #endif
 
-#else
-  /* fallback for systems without IP_RECVIF - allow only one interface
-     and assume packets arrive from it - yuk. */
-  {
-    struct iname *name;
-    for (name = daemon->if_names; name->isloop; name = name->next);
-    strcpy(ifr.ifr_name, name->name);
-    iface_index = if_nametoindex(name->name);
-  }
-#endif
-  
   ifr.ifr_addr.sa_family = AF_INET;
   if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
     {
@@ -208,24 +250,20 @@ void dhcp_packet(time_t now)
       iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
     }
 
-  if (!iface_check(AF_INET, (struct all_addr *)addrp, &ifr, &iface_index))
+  if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, &iface_index))
     return;
   
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
     if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
       return;
-  
-  /* interface may have been changed by alias in iface_check */
-  if (!addrp)
-    {
-      if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1)
-	{
-	  my_syslog(LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-	  return;
-	}
-      else
-	iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-    }
+
+  /* weird libvirt-inspired access control */
+  for (context = daemon->dhcp; context; context = context->next)
+    if (!context->interface || strcmp(context->interface, ifr.ifr_name) == 0)
+      break;
+
+  if (!context)
+    return;
   
   /* unlinked contexts are marked by context->current == context */
   for (context = daemon->dhcp; context; context = context->next)
@@ -236,11 +274,32 @@ void dhcp_packet(time_t now)
   parm.current = NULL;
   parm.ind = iface_index;
 
+    /* interface may have been changed by alias in iface_check, make sure it gets priority in case
+       there is more than one address on the interface in the same subnet */
+  if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) == -1)
+    {
+      my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
+      return;
+    }
+  else
+    {
+      iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+      if (ioctl(daemon->dhcpfd, SIOCGIFNETMASK, &ifr) != -1)
+	{
+	  struct in_addr netmask =  ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	  if (ioctl(daemon->dhcpfd, SIOCGIFBRDADDR, &ifr) != -1)
+	    {
+	      struct in_addr broadcast =  ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	      complete_context(iface_addr, iface_index, netmask, broadcast, &parm);
+	    }
+	}
+    } 
+
   if (!iface_enumerate(&parm, complete_context, NULL))
     return;
   lease_prune(NULL, now); /* lose any expired leases */
   iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
-			   now, unicast_dest, &is_inform);
+			   now, unicast_dest, &is_inform, pxe_fd);
   lease_update_file(now);
   lease_update_dns();
     
@@ -261,7 +320,12 @@ void dhcp_packet(time_t now)
   dest.sin_len = sizeof(struct sockaddr_in);
 #endif
      
-  if (mess->giaddr.s_addr)
+  if (pxe_fd)
+    { 
+      if (mess->ciaddr.s_addr != 0)
+	dest.sin_addr = mess->ciaddr;
+    }
+  else if (mess->giaddr.s_addr)
     {
       /* Send to BOOTP relay  */
       dest.sin_port = htons(daemon->dhcp_server_port);
@@ -302,15 +366,14 @@ void dhcp_packet(time_t now)
     {
       /* unicast to unconfigured client. Inject mac address direct into ARP cache. 
 	 struct sockaddr limits size to 14 bytes. */
-      struct arpreq req;
       dest.sin_addr = mess->yiaddr;
       dest.sin_port = htons(daemon->dhcp_client_port);
-      *((struct sockaddr_in *)&req.arp_pa) = dest;
-      req.arp_ha.sa_family = mess->htype;
-      memcpy(req.arp_ha.sa_data, mess->chaddr, mess->hlen);
-      strncpy(req.arp_dev, ifr.ifr_name, 16);
-      req.arp_flags = ATF_COM;
-      ioctl(daemon->dhcpfd, SIOCSARP, &req);
+      memcpy(&arp_req.arp_pa, &dest, sizeof(struct sockaddr_in));
+      arp_req.arp_ha.sa_family = mess->htype;
+      memcpy(arp_req.arp_ha.sa_data, mess->chaddr, mess->hlen);
+      /* interface name already copied in */
+      arp_req.arp_flags = ATF_COM;
+      ioctl(daemon->dhcpfd, SIOCSARP, &arp_req);
     }
 #elif defined(HAVE_SOLARIS_NETWORK)
   else if ((ntohs(mess->flags) & 0x8000) || mess->hlen != ETHER_ADDR_LEN || mess->htype != ARPHRD_ETHER)
@@ -319,7 +382,7 @@ void dhcp_packet(time_t now)
       dest.sin_addr.s_addr = INADDR_BROADCAST;
       dest.sin_port = htons(daemon->dhcp_client_port);
       /* note that we don't specify the interface here: that's done by the
-	 IP_XMIT_IF sockopt lower down. */
+	 IP_BOUND_IF sockopt lower down. */
     }
   else
     {
@@ -345,10 +408,10 @@ void dhcp_packet(time_t now)
 #endif
    
 #ifdef HAVE_SOLARIS_NETWORK
-  setsockopt(daemon->dhcpfd, IPPROTO_IP, IP_XMIT_IF, &iface_index, sizeof(iface_index));
+  setsockopt(fd, IPPROTO_IP, IP_BOUND_IF, &iface_index, sizeof(iface_index));
 #endif
   
-  while(sendmsg(daemon->dhcpfd, &msg, 0) == -1 && retry_send());
+  while(sendmsg(fd, &msg, 0) == -1 && retry_send());
 }
  
 /* This is a complex routine: it gets called with each (address,netmask,broadcast) triple 
@@ -379,7 +442,7 @@ static int complete_context(struct in_addr local, int if_index,
 	  {
 	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
 	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
-	    my_syslog(LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
+	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
 		      daemon->dhcp_buff, daemon->dhcp_buff2, inet_ntoa(netmask));
 	  }	
  	context->netmask = netmask;
@@ -469,13 +532,15 @@ struct dhcp_context *narrow_context(struct dhcp_context *context,
   if (!(tmp = address_available(context, taddr, netids)))
     {
       for (tmp = context; tmp; tmp = tmp->current)
-      if (is_same_net(taddr, tmp->start, tmp->netmask) && 
-	  (tmp->flags & CONTEXT_STATIC))
-	break;
+	if (match_netid(tmp->filter, netids, 1) &&
+	    is_same_net(taddr, tmp->start, tmp->netmask) && 
+	    (tmp->flags & CONTEXT_STATIC))
+	  break;
       
       if (!tmp)
 	for (tmp = context; tmp; tmp = tmp->current)
-	  if (is_same_net(taddr, tmp->start, tmp->netmask))
+	  if (match_netid(tmp->filter, netids, 1) &&
+	      is_same_net(taddr, tmp->start, tmp->netmask))
 	    break;
     }
   
@@ -508,7 +573,8 @@ int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int tagnotnee
 
   for (; check; check = check->next)
     {
-      if (check->net[0] != '#')
+      /* '#' for not is for backwards compat. */
+      if (check->net[0] != '!' && check->net[0] != '#')
 	{
 	  for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
 	    if (strcmp(check->net, tmp1->net) == 0)
@@ -524,6 +590,22 @@ int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int tagnotnee
   return 1;
 }
 
+struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
+{
+  struct tag_if *exprs;
+  struct dhcp_netid_list *list;
+
+  for (exprs = daemon->tag_if; exprs; exprs = exprs->next)
+    if (match_netid(exprs->tag, tags, 1))
+      for (list = exprs->set; list; list = list->next)
+	{
+	  list->list->next = tags;
+	  tags = list->list;
+	}
+
+  return tags;
+}
+
 int address_allocate(struct dhcp_context *context,
 		     struct in_addr *addrp, unsigned char *hwaddr, int hw_len, 
 		     struct dhcp_netid *netids, time_t now)   
@@ -537,9 +619,10 @@ int address_allocate(struct dhcp_context *context,
   int i, pass;
   unsigned int j; 
 
-  /* hash hwaddr */
+  /* hash hwaddr: use the SDBM hashing algorithm.  Seems to give good
+     dispersal even with similarly-valued "strings". */ 
   for (j = 0, i = 0; i < hw_len; i++)
-    j += hwaddr[i] + (hwaddr[i] << 8) + (hwaddr[i] << 16);
+    j += hwaddr[i] + (j << 6) + (j << 16) - j;
   
   for (pass = 0; pass <= 1; pass++)
     for (c = context; c; c = c->current)
@@ -560,9 +643,16 @@ int address_allocate(struct dhcp_context *context,
 	      if (addr.s_addr == d->router.s_addr)
 		break;
 
+	    /* Addresses which end in .255 and .0 are broken in Windows even when using 
+	       supernetting. ie dhcp-range=192.168.0.1,192.168.1.254,255,255,254.0
+	       then 192.168.0.255 is a valid IP address, but not for Windows as it's
+	       in the class C range. See  KB281579. We therefore don't allocate these 
+	       addresses to avoid hard-to-diagnose problems. Thanks Bill. */	    
 	    if (!d &&
 		!lease_find_by_addr(addr) && 
-		!config_find_by_address(daemon->dhcp_conf, addr))
+		!config_find_by_address(daemon->dhcp_conf, addr) &&
+		(!IN_CLASSC(ntohl(addr.s_addr)) || 
+		 ((ntohl(addr.s_addr) & 0xff) != 0xff && ((ntohl(addr.s_addr) & 0xff) != 0x0))))
 	      {
 		struct ping_result *r, *victim = NULL;
 		int count, max = (int)(0.6 * (((float)PING_CACHE_TIME)/
@@ -655,7 +745,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 				unsigned char *hwaddr, int hw_len, 
 				int hw_type, char *hostname)
 {
-  struct dhcp_config *config; 
+  int count, new;
+  struct dhcp_config *config, *candidate; 
   struct hwaddr_config *conf_addr;
 
   if (clid)
@@ -687,17 +778,21 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	  hostname_isequal(config->hostname, hostname) &&
 	  is_addr_in_context(context, config))
 	return config;
-  
-  for (config = configs; config; config = config->next)
-    for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
-      if (conf_addr->wildcard_mask != 0 &&
-	  conf_addr->hwaddr_len == hw_len &&	
-	  (conf_addr->hwaddr_type == hw_type || conf_addr->hwaddr_type == 0) &&
-	  is_addr_in_context(context, config) &&
-	  memcmp_masked(conf_addr->hwaddr, hwaddr, hw_len, conf_addr->wildcard_mask))
-	return config;
-  
-  return NULL;
+
+  /* use match with fewest wildcast octets */
+  for (candidate = NULL, count = 0, config = configs; config; config = config->next)
+    if (is_addr_in_context(context, config))
+      for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
+	if (conf_addr->wildcard_mask != 0 &&
+	    conf_addr->hwaddr_len == hw_len &&	
+	    (conf_addr->hwaddr_type == hw_type || conf_addr->hwaddr_type == 0) &&
+	    (new = memcmp_masked(conf_addr->hwaddr, hwaddr, hw_len, conf_addr->wildcard_mask)) > count)
+	  {
+	    count = new;
+	    candidate = config;
+	  }
+
+  return candidate;
 }
 
 void dhcp_read_ethers(void)
@@ -716,7 +811,7 @@ void dhcp_read_ethers(void)
   
   if (!f)
     {
-      my_syslog(LOG_ERR, _("failed to read %s:%s"), ETHERSFILE, strerror(errno));
+      my_syslog(MS_DHCP | LOG_ERR, _("failed to read %s: %s"), ETHERSFILE, strerror(errno));
       return;
     }
 
@@ -739,12 +834,14 @@ void dhcp_read_ethers(void)
 
   while (fgets(buff, MAXDNAME, f))
     {
+      char *host = NULL;
+      
       lineno++;
       
       while (strlen(buff) > 0 && isspace((int)buff[strlen(buff)-1]))
 	buff[strlen(buff)-1] = 0;
       
-      if ((*buff == '#') || (*buff == '+'))
+      if ((*buff == '#') || (*buff == '+') || (*buff == 0))
 	continue;
       
       for (ip = buff; *ip && !isspace((int)*ip); ip++);
@@ -752,7 +849,7 @@ void dhcp_read_ethers(void)
 	*ip = 0;
       if (!*ip || parse_hex(buff, hwaddr, ETHER_ADDR_LEN, NULL, NULL) != ETHER_ADDR_LEN)
 	{
-	  my_syslog(LOG_ERR, _("bad line at %s line %d"), ETHERSFILE, lineno); 
+	  my_syslog(MS_DHCP | LOG_ERR, _("bad line at %s line %d"), ETHERSFILE, lineno); 
 	  continue;
 	}
       
@@ -765,7 +862,7 @@ void dhcp_read_ethers(void)
 	{
 	  if ((addr.s_addr = inet_addr(ip)) == (in_addr_t)-1)
 	    {
-	      my_syslog(LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
+	      my_syslog(MS_DHCP | LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
 	      continue;
 	    }
 
@@ -777,19 +874,28 @@ void dhcp_read_ethers(void)
 	}
       else 
 	{
-	  if (!canonicalise(ip))
+	  int nomem;
+	  if (!(host = canonicalise(ip, &nomem)) || !legal_hostname(host))
 	    {
-	      my_syslog(LOG_ERR, _("bad name at %s line %d"), ETHERSFILE, lineno); 
+	      if (!nomem)
+		my_syslog(MS_DHCP | LOG_ERR, _("bad name at %s line %d"), ETHERSFILE, lineno); 
+	      free(host);
 	      continue;
 	    }
 	      
 	  flags = CONFIG_NAME;
 
 	  for (config = daemon->dhcp_conf; config; config = config->next)
-	    if ((config->flags & CONFIG_NAME) && hostname_isequal(config->hostname, ip))
+	    if ((config->flags & CONFIG_NAME) && hostname_isequal(config->hostname, host))
 	      break;
 	}
-      
+
+      if (config && (config->flags & CONFIG_FROM_ETHERS))
+	{
+	  my_syslog(MS_DHCP | LOG_ERR, _("ignoring %s line %d, duplicate name or IP address"), ETHERSFILE, lineno); 
+	  continue;
+	}
+	
       if (!config)
 	{ 
 	  for (config = daemon->dhcp_conf; config; config = config->next)
@@ -819,10 +925,8 @@ void dhcp_read_ethers(void)
 	  
 	  if (flags & CONFIG_NAME)
 	    {
-	      if ((config->hostname = whine_malloc(strlen(ip)+1)))
-		strcpy(config->hostname, ip);
-	      else
-		config->flags &= ~CONFIG_NAME;
+	      config->hostname = host;
+	      host = NULL;
 	    }
 	  
 	  if (flags & CONFIG_ADDR)
@@ -841,11 +945,14 @@ void dhcp_read_ethers(void)
 	  config->hwaddr->next = NULL;
 	}
       count++;
+      
+      free(host);
+
     }
   
   fclose(f);
 
-  my_syslog(LOG_INFO, _("read %s - %d addresses"), ETHERSFILE, count);
+  my_syslog(MS_DHCP | LOG_INFO, _("read %s - %d addresses"), ETHERSFILE, count);
 }
 
 void check_dhcp_hosts(int fatal)
@@ -870,7 +977,7 @@ void check_dhcp_hosts(int fatal)
 		 die(_("duplicate IP address %s in dhcp-config directive."), 
 		     inet_ntoa(cp->addr), EC_BADCONF);
 	       else
-		 my_syslog(LOG_ERR, _("duplicate IP address %s in %s."), 
+		 my_syslog(MS_DHCP | LOG_ERR, _("duplicate IP address %s in %s."), 
 			   inet_ntoa(cp->addr), daemon->dhcp_hosts_file);
 	       configs->flags &= ~CONFIG_ADDR;
 	     }
@@ -913,12 +1020,12 @@ void dhcp_update_configs(struct dhcp_config *configs)
 		crec = cache_find_by_name(crec, config->hostname, 0, F_IPV4);
 	      if (!crec)
 		continue; /* should be never */
-	      my_syslog(LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
+	      my_syslog(MS_DHCP | LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
 			config->hostname, inet_ntoa(crec->addr.addr.addr.addr4));
 	    }
 
 	  if (config_find_by_address(configs, crec->addr.addr.addr.addr4))
-	    my_syslog(LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
+	    my_syslog(MS_DHCP | LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
 		      inet_ntoa(crec->addr.addr.addr.addr4), config->hostname);
 	  else 
 	    {
@@ -930,29 +1037,41 @@ void dhcp_update_configs(struct dhcp_config *configs)
 
 /* If we've not found a hostname any other way, try and see if there's one in /etc/hosts
    for this address. If it has a domain part, that must match the set domain and
-   it gets stripped. */
+   it gets stripped. The set of legal domain names is bigger than the set of legal hostnames
+   so check here that the domain name is legal as a hostname. 
+   NOTE: we're only allowed to overwrite daemon->dhcp_buff if we succeed. */
 char *host_from_dns(struct in_addr addr)
 {
   struct crec *lookup;
-  char *hostname = NULL;
-  char *d1, *d2;
 
   if (daemon->port == 0)
     return NULL; /* DNS disabled. */
   
   lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
+
   if (lookup && (lookup->flags & F_HOSTS))
     {
-      hostname = daemon->dhcp_buff;
-      strncpy(hostname, cache_get_name(lookup), 256);
-      hostname[255] = 0;
-      d1 = strip_hostname(hostname);
-      d2 = get_domain(addr);
-      if (d1 && (!d2 || hostname_isequal(d1, d2)))
-	hostname = NULL;
+      char *dot, *hostname = cache_get_name(lookup);
+      dot = strchr(hostname, '.');
+      
+      if (dot && strlen(dot+1) != 0)
+	{
+	  char *d2 = get_domain(addr);
+	  if (!d2 || !hostname_isequal(dot+1, d2))
+	    return NULL; /* wrong domain */
+	}
+
+      if (!legal_hostname(hostname))
+	return NULL;
+      
+      strncpy(daemon->dhcp_buff, hostname, 256);
+      daemon->dhcp_buff[255] = 0;
+      strip_hostname(daemon->dhcp_buff);
+
+      return daemon->dhcp_buff;
     }
   
-  return hostname;
+  return NULL;
 }
 
 /* return domain or NULL if none. */
@@ -970,14 +1089,5 @@ char *strip_hostname(char *hostname)
   return NULL;
 }
 
-char *get_domain(struct in_addr addr)
-{
-  struct cond_domain *c;
+#endif
 
-  for (c = daemon->cond_domain; c; c = c->next)
-    if (ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
-	ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
-      return c->domain;
-  
-  return daemon->domain_suffix;
-}

src/dnsmasq.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -33,9 +33,6 @@ static char *compile_opts =
 #ifdef NO_FORK
 "no-MMU "
 #endif
-#ifdef HAVE_BSD_BRIDGE
-"BSD-bridge "
-#endif
 #ifndef HAVE_DBUS
 "no-"
 #endif
@@ -44,11 +41,20 @@ static char *compile_opts =
 "no-"
 #endif
 "I18N "
+#ifndef HAVE_DHCP
+"no-"
+#endif
+"DHCP "
+#if defined(HAVE_DHCP) && !defined(HAVE_SCRIPT)
+"no-scripts "
+#endif
 #ifndef HAVE_TFTP
 "no-"
 #endif
 "TFTP";
 
+
+
 static volatile pid_t pid = 0;
 static volatile int pipewrite;
 
@@ -57,7 +63,6 @@ static void check_dns_listeners(fd_set *set, time_t now);
 static void sig_handler(int sig);
 static void async_event(int pipe, time_t now);
 static void fatal_event(struct event_desc *ev);
-static void poll_resolv(void);
 
 int main (int argc, char **argv)
 {
@@ -67,9 +72,11 @@ int main (int argc, char **argv)
   struct iname *if_tmp;
   int piperead, pipefd[2], err_pipe[2];
   struct passwd *ent_pw = NULL;
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
   uid_t script_uid = 0;
   gid_t script_gid = 0;
-  struct group *gp= NULL;
+#endif
+  struct group *gp = NULL;
   long i, max_fd = sysconf(_SC_OPEN_MAX);
   char *baduser = NULL;
   int log_err;
@@ -108,11 +115,13 @@ int main (int argc, char **argv)
     daemon->edns_pktsz : DNSMASQ_PACKETSZ;
   daemon->packet = safe_malloc(daemon->packet_buff_sz);
 
+#ifdef HAVE_DHCP
   if (!daemon->lease_file)
     {
       if (daemon->dhcp)
 	daemon->lease_file = LEASEFILE;
     }
+#endif
   
   /* Close any file descriptors we inherited apart from std{in|out|err} */
   for (i = 0; i < max_fd; i++)
@@ -132,7 +141,7 @@ int main (int argc, char **argv)
 #endif
 
 #ifndef HAVE_TFTP
-  if (daemon->options & OPT_TFTP)
+  if (daemon->tftp_unlimited || daemon->tftp_interfaces)
     die(_("TFTP server not available: set HAVE_TFTP in src/config.h"), NULL, EC_BADCONF);
 #endif
 
@@ -145,23 +154,16 @@ int main (int argc, char **argv)
   
   now = dnsmasq_time();
   
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
-#if !defined(HAVE_LINUX_NETWORK) && !defined(IP_RECVIF)
-      int c;
-      struct iname *tmp;
-      for (c = 0, tmp = daemon->if_names; tmp; tmp = tmp->next)
-	if (!tmp->isloop)
-	  c++;
-      if (c != 1)
-	die(_("must set exactly one interface on broken systems without IP_RECVIF"), NULL, EC_BADCONF);
-#endif
       /* Note that order matters here, we must call lease_init before
 	 creating any file descriptors which shouldn't be leaked
 	 to the lease-script init process. */
       lease_init(now);
       dhcp_init();
     }
+#endif
 
   if (!enumerate_interfaces())
     die(_("failed to find list of interfaces: %s"), NULL, EC_MISC);
@@ -181,7 +183,7 @@ int main (int argc, char **argv)
 	    die(_("no interface with address %s"), daemon->namebuff, EC_BADNET);
 	  }
     }
-  else if ((daemon->port != 0 || (daemon->options & OPT_TFTP)) &&
+  else if ((daemon->port != 0 || daemon->tftp_interfaces || daemon->tftp_unlimited) &&
 	   !(daemon->listeners = create_wildcard_listeners()))
     die(_("failed to create listening socket: %s"), NULL, EC_BADNET);
   
@@ -204,6 +206,7 @@ int main (int argc, char **argv)
   if (daemon->port != 0)
     pre_allocate_sfds();
 
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
   /* Note getpwnam returns static storage */
   if (daemon->dhcp && daemon->lease_change_command && daemon->scriptuser)
     {
@@ -215,6 +218,7 @@ int main (int argc, char **argv)
       else
 	baduser = daemon->scriptuser;
     }
+#endif
   
   if (daemon->username && !(ent_pw = getpwnam(daemon->username)))
     baduser = daemon->username;
@@ -273,8 +277,6 @@ int main (int argc, char **argv)
   
   if (!(daemon->options & OPT_DEBUG))   
     {
-      int nullfd;
-
       /* The following code "daemonizes" the process. 
 	 See Stevens section 12.4 */
       
@@ -290,8 +292,9 @@ int main (int argc, char **argv)
 	     When startup is complete we close this and the process terminates. */
 	  safe_pipe(err_pipe, 0);
 	  
-	  if ((pid = fork()) == -1 )
-	    die(_("cannot fork into background: %s"), NULL, EC_MISC);
+	  if ((pid = fork()) == -1)
+	    /* fd == -1 since we've not forked, never returns. */
+	    send_event(-1, EVENT_FORK_ERR, errno);
 	   
 	  if (pid != 0)
 	    {
@@ -312,9 +315,11 @@ int main (int argc, char **argv)
 	  /* NO calls to die() from here on. */
 	  
 	  setsid();
-	  pid = fork();
-
-	  if (pid != 0 && pid != -1)
+	 
+	  if ((pid = fork()) == -1)
+	    send_event(err_pipe[1], EVENT_FORK_ERR, errno);
+	 
+	  if (pid != 0)
 	    _exit(0);
 	}
 #endif
@@ -336,20 +341,23 @@ int main (int argc, char **argv)
 	      _exit(0);
 	    }
 	}
-         
-      /* open  stdout etc to /dev/null */
-      nullfd = open("/dev/null", O_RDWR);
-      dup2(nullfd, STDOUT_FILENO);
-      dup2(nullfd, STDERR_FILENO);
-      dup2(nullfd, STDIN_FILENO);
-      close(nullfd);
     }
   
-   log_err = log_start(ent_pw, err_pipe[1]); 
+   log_err = log_start(ent_pw, err_pipe[1]);
+
+   if (!(daemon->options & OPT_DEBUG)) 
+     {       
+       /* open  stdout etc to /dev/null */
+       int nullfd = open("/dev/null", O_RDWR);
+       dup2(nullfd, STDOUT_FILENO);
+       dup2(nullfd, STDERR_FILENO);
+       dup2(nullfd, STDIN_FILENO);
+       close(nullfd);
+     }
    
    /* if we are to run scripts, we need to fork a helper before dropping root. */
   daemon->helperfd = -1;
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT) 
   if (daemon->dhcp && daemon->lease_change_command)
     daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
 #endif
@@ -380,7 +388,7 @@ int main (int argc, char **argv)
 	  if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1) == -1)
 	    bad_capabilities = errno;
 			  
-#elif defined(HAVE_SOLARIS_PRIVS)
+#elif defined(HAVE_SOLARIS_NETWORK)
 	  /* http://developers.sun.com/solaris/articles/program_privileges.html */
 	  priv_set_t *priv_set;
 	  
@@ -400,9 +408,6 @@ int main (int argc, char **argv)
 	  if (priv_set)
 	    priv_freeset(priv_set);
 
-#elif defined(HAVE_SOLARIS_NETWORK)
-
-	  bad_capabilities = ENOTSUP;
 #endif    
 
 	  if (bad_capabilities != 0)
@@ -482,6 +487,7 @@ int main (int argc, char **argv)
   if (daemon->max_logs != 0)
     my_syslog(LOG_INFO, _("asynchronous logging enabled, queue limit is %d messages"), daemon->max_logs);
 
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
       struct dhcp_context *dhcp_tmp;
@@ -490,23 +496,26 @@ int main (int argc, char **argv)
 	{
 	  prettyprint_time(daemon->dhcp_buff2, dhcp_tmp->lease_time);
 	  strcpy(daemon->dhcp_buff, inet_ntoa(dhcp_tmp->start));
-	  my_syslog(LOG_INFO, 
+	  my_syslog(MS_DHCP | LOG_INFO, 
 		    (dhcp_tmp->flags & CONTEXT_STATIC) ? 
 		    _("DHCP, static leases only on %.0s%s, lease time %s") :
+		    (dhcp_tmp->flags & CONTEXT_PROXY) ?
+		    _("DHCP, proxy on subnet %.0s%s%.0s") :
 		    _("DHCP, IP range %s -- %s, lease time %s"),
 		    daemon->dhcp_buff, inet_ntoa(dhcp_tmp->end), daemon->dhcp_buff2);
 	}
     }
+#endif
 
 #ifdef HAVE_TFTP
-  if (daemon->options & OPT_TFTP)
+  if (daemon->tftp_unlimited || daemon->tftp_interfaces)
     {
 #ifdef FD_SETSIZE
       if (FD_SETSIZE < (unsigned)max_fd)
 	max_fd = FD_SETSIZE;
 #endif
 
-      my_syslog(LOG_INFO, "TFTP %s%s %s", 
+      my_syslog(MS_TFTP | LOG_INFO, "TFTP %s%s %s", 
 		daemon->tftp_prefix ? _("root is ") : _("enabled"),
 		daemon->tftp_prefix ? daemon->tftp_prefix: "",
 		daemon->options & OPT_TFTP_SECURE ? _("secure mode") : "");
@@ -534,7 +543,7 @@ int main (int argc, char **argv)
       if (daemon->tftp_max > max_fd)
 	{
 	  daemon->tftp_max = max_fd;
-	  my_syslog(LOG_WARNING, 
+	  my_syslog(MS_TFTP | LOG_WARNING, 
 		    _("restricting maximum simultaneous TFTP transfers to %d"), 
 		    daemon->tftp_max);
 	}
@@ -582,11 +591,18 @@ int main (int argc, char **argv)
       set_dbus_listeners(&maxfd, &rset, &wset, &eset);
 #endif	
   
+#ifdef HAVE_DHCP
       if (daemon->dhcp)
 	{
 	  FD_SET(daemon->dhcpfd, &rset);
 	  bump_maxfd(daemon->dhcpfd, &maxfd);
+	  if (daemon->pxefd != -1)
+	    {
+	      FD_SET(daemon->pxefd, &rset);
+	      bump_maxfd(daemon->pxefd, &maxfd);
+	    }
 	}
+#endif
 
 #ifdef HAVE_LINUX_NETWORK
       FD_SET(daemon->netlinkfd, &rset);
@@ -596,7 +612,8 @@ int main (int argc, char **argv)
       FD_SET(piperead, &rset);
       bump_maxfd(piperead, &maxfd);
 
-#ifndef NO_FORK
+#ifdef HAVE_DHCP
+#  ifdef HAVE_SCRIPT
       while (helper_buf_empty() && do_script_run(now));
 
       if (!helper_buf_empty())
@@ -604,11 +621,12 @@ int main (int argc, char **argv)
 	  FD_SET(daemon->helperfd, &wset);
 	  bump_maxfd(daemon->helperfd, &maxfd);
 	}
-#else
+#  else
       /* need this for other side-effects */
       while (do_script_run(now));
+#  endif
 #endif
-      
+   
       /* must do this just before select(), when we know no
 	 more calls to my_syslog() can occur */
       set_log_writer(&wset, &maxfd);
@@ -629,10 +647,11 @@ int main (int argc, char **argv)
 	  difftime(now, daemon->last_resolv) > 1.0 || 
 	  difftime(now, daemon->last_resolv) < -1.0)
 	{
-	  daemon->last_resolv = now;
+	  /* poll_resolv doesn't need to reload first time through, since 
+	     that's queued anyway. */
 
-	  if (daemon->port != 0 && !(daemon->options & OPT_NO_POLL))
-	    poll_resolv();
+	  poll_resolv(0, daemon->last_resolv != 0, now); 	  
+	  daemon->last_resolv = now;
 	}
       
       if (FD_ISSET(piperead, &rset))
@@ -662,12 +681,19 @@ int main (int argc, char **argv)
       check_tftp_listeners(&rset, now);
 #endif      
 
-      if (daemon->dhcp && FD_ISSET(daemon->dhcpfd, &rset))
-	dhcp_packet(now);
+#ifdef HAVE_DHCP
+      if (daemon->dhcp)
+	{
+	  if (FD_ISSET(daemon->dhcpfd, &rset))
+	    dhcp_packet(now, 0);
+	  if (daemon->pxefd != -1 && FD_ISSET(daemon->pxefd, &rset))
+	    dhcp_packet(now, 1);
+	}
 
-#ifndef NO_FORK
+#  ifdef HAVE_SCRIPT
       if (daemon->helperfd != -1 && FD_ISSET(daemon->helperfd, &wset))
 	helper_write();
+#  endif
 #endif
 
     }
@@ -737,6 +763,9 @@ static void fatal_event(struct event_desc *ev)
     {
     case EVENT_DIE:
       exit(0);
+
+    case EVENT_FORK_ERR:
+      die(_("cannot fork into background: %s"), NULL, EC_MISC);
   
     case EVENT_PIPE_ERR:
       die(_("failed to create helper: %s"), NULL, EC_MISC);
@@ -777,7 +806,9 @@ static void async_event(int pipe, time_t now)
 	    reload_servers(daemon->resolv_files->name);
 	    check_servers();
 	  }
+#ifdef HAVE_DHCP
 	rerun_scripts();
+#endif
 	break;
 	
       case EVENT_DUMP:
@@ -786,11 +817,13 @@ static void async_event(int pipe, time_t now)
 	break;
 	
       case EVENT_ALARM:
+#ifdef HAVE_DHCP
 	if (daemon->dhcp)
 	  {
 	    lease_prune(NULL, now);
 	    lease_update_file(now);
 	  }
+#endif
 	break;
 		
       case EVENT_CHILD:
@@ -840,7 +873,7 @@ static void async_event(int pipe, time_t now)
 	  if (daemon->tcp_pids[i] != 0)
 	    kill(daemon->tcp_pids[i], SIGALRM);
 	
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
 	/* handle pending lease transitions */
 	if (daemon->helperfd != -1)
 	  {
@@ -856,6 +889,9 @@ static void async_event(int pipe, time_t now)
 	
 	if (daemon->lease_stream)
 	  fclose(daemon->lease_stream);
+
+	if (daemon->runfile)
+	  unlink(daemon->runfile);
 	
 	my_syslog(LOG_INFO, _("exiting on receipt of SIGTERM"));
 	flush_log();
@@ -863,7 +899,7 @@ static void async_event(int pipe, time_t now)
       }
 }
 
-static void poll_resolv()
+void poll_resolv(int force, int do_reload, time_t now)
 {
   struct resolvc *res, *latest;
   struct stat statbuf;
@@ -871,19 +907,37 @@ static void poll_resolv()
   /* There may be more than one possible file. 
      Go through and find the one which changed _last_.
      Warn of any which can't be read. */
+
+  if (daemon->port == 0 || (daemon->options & OPT_NO_POLL))
+    return;
+  
   for (latest = NULL, res = daemon->resolv_files; res; res = res->next)
     if (stat(res->name, &statbuf) == -1)
       {
+	if (force)
+	  {
+	    res->mtime = 0; 
+	    continue;
+	  }
+
 	if (!res->logged)
 	  my_syslog(LOG_WARNING, _("failed to access %s: %s"), res->name, strerror(errno));
 	res->logged = 1;
+	
+	if (res->mtime != 0)
+	  { 
+	    /* existing file evaporated, force selection of the latest
+	       file even if its mtime hasn't changed since we last looked */
+	    poll_resolv(1, do_reload, now);
+	    return;
+	  }
       }
     else
       {
 	res->logged = 0;
-	if (statbuf.st_mtime != res->mtime)
-	  {
-	    res->mtime = statbuf.st_mtime;
+	if (force || (statbuf.st_mtime != res->mtime))
+          {
+            res->mtime = statbuf.st_mtime;
 	    if (difftime(statbuf.st_mtime, last_change) > 0.0)
 	      {
 		last_change = statbuf.st_mtime;
@@ -900,8 +954,8 @@ static void poll_resolv()
 	  my_syslog(LOG_INFO, _("reading %s"), latest->name);
 	  warned = 0;
 	  check_servers();
-	  if (daemon->options & OPT_RELOAD)
-	    cache_reload(daemon->addn_hosts);
+	  if ((daemon->options & OPT_RELOAD) && do_reload)
+	    clear_cache_and_reload(now);
 	}
       else 
 	{
@@ -918,8 +972,9 @@ static void poll_resolv()
 void clear_cache_and_reload(time_t now)
 {
   if (daemon->port != 0)
-    cache_reload(daemon->addn_hosts);
+    cache_reload();
   
+#ifdef HAVE_DHCP
   if (daemon->dhcp)
     {
       if (daemon->options & OPT_ETHERS)
@@ -931,6 +986,7 @@ void clear_cache_and_reload(time_t now)
       lease_update_file(now); 
       lease_update_dns();
     }
+#endif
 }
 
 static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
@@ -1088,11 +1144,13 @@ static void check_dns_listeners(fd_set *set, time_t now)
 	      
 	      dst_addr_4.s_addr = 0;
 	      
-	       /* Arrange for SIGALARM after CHILD_LIFETIME seconds to
-		  terminate the process. */
+#ifndef NO_FORK
+	      /* Arrange for SIGALARM after CHILD_LIFETIME seconds to
+		 terminate the process. */
 	      if (!(daemon->options & OPT_DEBUG))
 		alarm(CHILD_LIFETIME);
-	      
+#endif
+
 	      /* start with no upstream connections. */
 	      for (s = daemon->servers; s; s = s->next)
 		 s->tcpfd = -1; 
@@ -1132,7 +1190,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
     }
 }
 
-
+#ifdef HAVE_DHCP
 int make_icmp_sock(void)
 {
   int fd;
@@ -1255,5 +1313,6 @@ int icmp_ping(struct in_addr addr)
 
   return gotreply;
 }
+#endif
 
  

src/dnsmasq.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,11 +10,11 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define COPYRIGHT "Copyright (C) 2000-2008 Simon Kelley" 
+#define COPYRIGHT "Copyright (c) 2000-2010 Simon Kelley" 
 
 #ifndef NO_LARGEFILE
 /* Ensure we can use files >2GB (log files may grow this big) */
@@ -22,14 +22,21 @@
 #  define _FILE_OFFSET_BITS 64
 #endif
 
-/* Get linux C library versions. */
-#ifdef __linux__
+/* Get linux C library versions and define _GNU_SOURCE for kFreeBSD. */
+#if defined(__linux__) || defined(__GLIBC__)
 #  define _GNU_SOURCE
 #  include <features.h> 
 #endif
 
+/* Need these defined early */
+#if defined(__sun) || defined(__sun__)
+#  define _XPG4_2
+#  define __EXTENSIONS__
+#endif
+
 /* get these before config.h  for IPv6 stuff... */
 #include <sys/types.h> 
+#include <sys/socket.h>
 #include <netinet/in.h>
 
 #ifdef __APPLE__
@@ -55,10 +62,9 @@
 
 #include <arpa/inet.h>
 #include <sys/stat.h>
-#include <sys/socket.h>
 #include <sys/ioctl.h>
 #if defined(HAVE_SOLARIS_NETWORK)
-#include <sys/sockio.h>
+#  include <sys/sockio.h>
 #endif
 #include <sys/select.h>
 #include <sys/wait.h>
@@ -66,6 +72,10 @@
 #include <sys/un.h>
 #include <limits.h>
 #include <net/if.h>
+#if defined(HAVE_SOLARIS_NETWORK) && !defined(ifr_mtu)
+/* Some solaris net/if./h omit this. */
+#  define ifr_mtu  ifr_ifru.ifru_metric
+#endif
 #include <unistd.h>
 #include <stdio.h>
 #include <string.h>
@@ -106,7 +116,7 @@ extern int capget(cap_user_header_t header, cap_user_data_t data);
 #define LINUX_CAPABILITY_VERSION_3  0x20080522
 
 #include <sys/prctl.h>
-#elif defined(HAVE_SOLARIS_PRIVS)
+#elif defined(HAVE_SOLARIS_NETWORK)
 #include <priv.h>
 #endif
 
@@ -135,6 +145,7 @@ struct event_desc {
 #define EVENT_GROUP_ERR 15
 #define EVENT_DIE       16
 #define EVENT_LOG_ERR   17
+#define EVENT_FORK_ERR  18
 
 /* Exit codes. */
 #define EC_GOOD        0
@@ -177,7 +188,7 @@ struct event_desc {
 #define OPT_LEASE_RO       (1u<<22)
 #define OPT_ALL_SERVERS    (1u<<23)
 #define OPT_RELOAD         (1u<<24)
-#define OPT_TFTP           (1u<<25)
+#define OPT_LOCAL_REBIND   (1u<<25)  
 #define OPT_TFTP_SECURE    (1u<<26)
 #define OPT_TFTP_NOBLOCK   (1u<<27)
 #define OPT_LOG_OPTS       (1u<<28)
@@ -185,6 +196,11 @@ struct event_desc {
 #define OPT_NO_OVERRIDE    (1u<<30)
 #define OPT_NO_REBIND      (1u<<31)
 
+/* extra flags for my_syslog, we use a couple of facilities since they are known 
+   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
+#define MS_TFTP LOG_USER
+#define MS_DHCP LOG_DAEMON 
+
 struct all_addr {
   union {
     struct in_addr addr4;
@@ -201,7 +217,7 @@ struct bogus_addr {
 
 /* dns doctor param */
 struct doctor {
-  struct in_addr in, out, mask;
+  struct in_addr in, end, out, mask;
   struct doctor *next;
 };
 
@@ -287,19 +303,7 @@ struct crec {
 union mysockaddr {
   struct sockaddr sa;
   struct sockaddr_in in;
-#ifdef HAVE_BROKEN_SOCKADDR_IN6
-  /* early versions of glibc don't include sin6_scope_id in sockaddr_in6
-     but latest kernels _require_ it to be set. The choice is to have
-     dnsmasq fail to compile on back-level libc or fail to run
-     on latest kernels with IPv6. Or to do this: sorry that it's so gross. */
-  struct my_sockaddr_in6 {
-    sa_family_t     sin6_family;    /* AF_INET6 */
-    uint16_t        sin6_port;      /* transport layer port # */
-    uint32_t        sin6_flowinfo;  /* IPv6 traffic class & flow info */
-    struct in6_addr sin6_addr;      /* IPv6 address */
-    uint32_t        sin6_scope_id;  /* set of interfaces for a scope */
-  } in6;
-#elif defined(HAVE_IPV6)
+#if defined(HAVE_IPV6)
   struct sockaddr_in6 in6;
 #endif
 };
@@ -315,6 +319,8 @@ union mysockaddr {
 #define SERV_MARK            256  /* for mark-and-delete */
 #define SERV_TYPE    (SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED         512  /* workspace for log code */
+#define SERV_USE_RESOLV     1024  /* forward this domain in the normal way */
+#define SERV_NO_REBIND      2048  /* inhibit dns-rebind protection */
 
 struct serverfd {
   int fd;
@@ -341,7 +347,8 @@ struct server {
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
-  int dhcp_ok;
+  int tftp_ok, mtu;
+  char *name;
   struct irec *next;
 };
 
@@ -368,8 +375,11 @@ struct resolvc {
 };
 
 /* adn-hosts parms from command-line */
+#define AH_DIR      1
+#define AH_INACTIVE 2
 struct hostsfile {
   struct hostsfile *next;
+  int flags;
   char *fname;
   int index; /* matches to cache entries for logging */
 };
@@ -384,7 +394,7 @@ struct frec {
 #endif
   unsigned int iface;
   unsigned short orig_id, new_id;
-  int fd, forwardall;
+  int fd, forwardall, norebind;
   unsigned int crc;
   time_t time;
   struct frec *next;
@@ -413,9 +423,9 @@ struct dhcp_lease {
 #endif
   int hwaddr_len, hwaddr_type;
   unsigned char hwaddr[DHCP_CHADDR_MAX]; 
-  struct in_addr addr, override;
-  unsigned char *vendorclass, *userclass;
-  unsigned int vendorclass_len, userclass_len;
+  struct in_addr addr, override, giaddr;
+  unsigned char *extradata;
+  unsigned int extradata_len, extradata_size;
   int last_interface;
   struct dhcp_lease *next;
 };
@@ -430,6 +440,12 @@ struct dhcp_netid_list {
   struct dhcp_netid_list *next;
 };
 
+struct tag_if {
+  struct dhcp_netid_list *set;
+  struct dhcp_netid *tag;
+  struct tag_if *next;
+};
+
 struct hwaddr_config {
   int hwaddr_len, hwaddr_type;
   unsigned char hwaddr[DHCP_CHADDR_MAX];
@@ -442,7 +458,7 @@ struct dhcp_config {
   int clid_len;          /* length of client identifier */
   unsigned char *clid;   /* clientid */
   char *hostname, *domain;
-  struct dhcp_netid netid;
+  struct dhcp_netid_list *netid;
   struct in_addr addr;
   time_t decline_time;
   unsigned int lease_time;
@@ -455,7 +471,6 @@ struct dhcp_config {
 #define CONFIG_TIME              8
 #define CONFIG_NAME             16
 #define CONFIG_ADDR             32
-#define CONFIG_NETID            64
 #define CONFIG_NOCLID          128
 #define CONFIG_FROM_ETHERS     256    /* entry created by /etc/ethers */
 #define CONFIG_ADDR_HOSTS      512    /* address added by from /etc/hosts */
@@ -464,7 +479,12 @@ struct dhcp_config {
 
 struct dhcp_opt {
   int opt, len, flags;
-  unsigned char *val, *vendor_class;
+  union {
+    int encap;
+    unsigned int wildcard_mask;
+    unsigned char *vendor_class;
+  } u;
+  unsigned char *val;
   struct dhcp_netid *netid;
   struct dhcp_opt *next;
 };
@@ -472,9 +492,15 @@ struct dhcp_opt {
 #define DHOPT_ADDR               1
 #define DHOPT_STRING             2
 #define DHOPT_ENCAPSULATE        4
-#define DHOPT_VENDOR_MATCH       8
+#define DHOPT_ENCAP_MATCH        8
 #define DHOPT_FORCE             16
 #define DHOPT_BANK              32
+#define DHOPT_ENCAP_DONE        64
+#define DHOPT_MATCH            128
+#define DHOPT_VENDOR           256
+#define DHOPT_HEX              512
+#define DHOPT_VENDOR_MATCH    1024
+#define DHOPT_RFC3925         2048
 
 struct dhcp_boot {
   char *file, *sname;
@@ -483,12 +509,19 @@ struct dhcp_boot {
   struct dhcp_boot *next;
 };
 
+struct pxe_service {
+  unsigned short CSA, type; 
+  char *menu, *basename;
+  struct in_addr server;
+  struct dhcp_netid *netid;
+  struct pxe_service *next;
+};
+
 #define MATCH_VENDOR     1
 #define MATCH_USER       2
 #define MATCH_CIRCUIT    3
 #define MATCH_REMOTE     4
 #define MATCH_SUBSCRIBER 5
-#define MATCH_OPTION     6
 
 /* vendorclass, userclass, remote-id or cicuit-id */
 struct dhcp_vendor {
@@ -506,12 +539,10 @@ struct dhcp_mac {
   struct dhcp_mac *next;
 };
 
-#ifdef HAVE_BSD_BRIDGE
 struct dhcp_bridge {
   char iface[IF_NAMESIZE];
   struct dhcp_bridge *alias, *next;
 };
-#endif
 
 struct cond_domain {
   char *domain;
@@ -525,6 +556,7 @@ struct dhcp_context {
   struct in_addr local, router;
   struct in_addr start, end; /* range of available addresses */
   int flags;
+  char *interface;
   struct dhcp_netid netid, *filter;
   struct dhcp_context *next, *current;
 };
@@ -532,6 +564,7 @@ struct dhcp_context {
 #define CONTEXT_STATIC    1
 #define CONTEXT_NETMASK   2
 #define CONTEXT_BRDCAST   4
+#define CONTEXT_PROXY     8
 
 
 typedef unsigned char u8;
@@ -574,6 +607,23 @@ struct tftp_transfer {
   struct tftp_transfer *next;
 };
 
+struct addr_list {
+  struct in_addr addr;
+  struct addr_list *next;
+};
+
+struct interface_list {
+  char *interface;
+  struct interface_list *next;
+};
+
+struct tftp_prefix {
+  char *interface;
+  char *prefix;
+  struct tftp_prefix *next;
+};
+
+
 extern struct daemon {
   /* datastuctures representing the command-line and 
      config file arguments. All set (including defaults)
@@ -604,15 +654,21 @@ extern struct daemon {
   int max_logs;  /* queue limit */
   int cachesize, ftabsize;
   int port, query_port, min_port;
-  unsigned long local_ttl, neg_ttl;
+  unsigned long local_ttl, neg_ttl, max_ttl;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp;
   struct dhcp_config *dhcp_conf;
-  struct dhcp_opt *dhcp_opts;
+  struct dhcp_opt *dhcp_opts, *dhcp_match;
   struct dhcp_vendor *dhcp_vendors;
   struct dhcp_mac *dhcp_macs;
   struct dhcp_boot *boot_config;
-  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *force_broadcast, *bootp_dynamic;
+  struct pxe_service *pxe_services;
+  struct tag_if *tag_if; 
+  struct addr_list *override_relays;
+  int override;
+  int enable_pxe;
+  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names; 
+  struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
   char *dhcp_hosts_file, *dhcp_opts_file;
   int dhcp_max, tftp_max;
   int dhcp_server_port, dhcp_client_port;
@@ -621,6 +677,9 @@ extern struct daemon {
   struct doctor *doctors;
   unsigned short edns_pktsz;
   char *tftp_prefix; 
+  struct tftp_prefix *if_prefix; /* per-interface TFTP prefixes */
+  struct interface_list *tftp_interfaces; /* interfaces for limited TFTP service */
+  int tftp_unlimited;
 
   /* globally used stuff for DNS */
   char *packet; /* packet buffer */
@@ -632,26 +691,27 @@ extern struct daemon {
   struct irec *interfaces;
   struct listener *listeners;
   struct server *last_server;
+  time_t forwardtime;
+  int forwardcount;
   struct server *srv_save; /* Used for resend on DoD */
   size_t packet_len;       /*      "        "        */
   struct randfd *rfd_save; /*      "        "        */
-pid_t tcp_pids[MAX_PROCS];
+  pid_t tcp_pids[MAX_PROCS];
   struct randfd randomsocks[RANDOM_SOCKS];
+  int v6pktinfo; 
 
   /* DHCP state */
-  int dhcpfd, helperfd; 
-#ifdef HAVE_LINUX_NETWORK
+  int dhcpfd, helperfd, pxefd; 
+#if defined(HAVE_LINUX_NETWORK)
   int netlinkfd;
-#else
+#elif defined(HAVE_BSD_NETWORK)
   int dhcp_raw_fd, dhcp_icmp_fd;
 #endif
   struct iovec dhcp_packet;
-  char *dhcp_buff, *dhcp_buff2;
+  char *dhcp_buff, *dhcp_buff2, *dhcp_buff3;
   struct ping_result *ping_results;
   FILE *lease_stream;
-#ifdef HAVE_BSD_BRIDGE
   struct dhcp_bridge *bridges;
-#endif
 
   /* DBus stuff */
   /* void * here to avoid depending on dbus headers outside dbus.c */
@@ -668,7 +728,7 @@ pid_t tcp_pids[MAX_PROCS];
 /* cache.c */
 void cache_init(void);
 void log_query(unsigned short flags, char *name, struct all_addr *addr, char *arg); 
-char *record_source(struct hostsfile *addn_hosts, int index);
+char *record_source(int index);
 void querystr(char *str, unsigned short type);
 struct crec *cache_find_by_addr(struct crec *crecp,
 				struct all_addr *addr, time_t now, 
@@ -679,11 +739,12 @@ void cache_end_insert(void);
 void cache_start_insert(void);
 struct crec *cache_insert(char *name, struct all_addr *addr,
 			  time_t now, unsigned long ttl, unsigned short flags);
-void cache_reload(struct hostsfile  *addn_hosts);
+void cache_reload(void);
 void cache_add_dhcp_entry(char *host_name, struct in_addr *host_address, time_t ttd);
 void cache_unhash_dhcp(void);
 void dump_cache(time_t now);
 char *cache_get_name(struct crec *crecp);
+char *get_domain(struct in_addr addr);
 
 /* rfc1035.c */
 unsigned short extract_request(HEADER *header, size_t qlen, 
@@ -691,7 +752,8 @@ unsigned short extract_request(HEADER *header, size_t qlen,
 size_t setup_reply(HEADER *header, size_t  qlen,
 		   struct all_addr *addrp, unsigned short flags,
 		   unsigned long local_ttl);
-int extract_addresses(HEADER *header, size_t qlen, char *namebuff, time_t now);
+int extract_addresses(HEADER *header, size_t qlen, char *namebuff, 
+		      time_t now, int is_sign, int checkrebind);
 size_t answer_request(HEADER *header, char *limit, size_t qlen,  
 		   struct in_addr local_addr, struct in_addr local_netmask, time_t now);
 int check_for_bogus_wildcard(HEADER *header, size_t qlen, char *name, 
@@ -706,8 +768,8 @@ size_t resize_packet(HEADER *header, size_t plen,
 /* util.c */
 void rand_init(void);
 unsigned short rand16(void);
-int legal_char(char c);
-int canonicalise(char *s);
+int legal_hostname(char *c);
+char *canonicalise(char *s, int *nomem);
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval);
 void *safe_malloc(size_t size);
 void safe_pipe(int *fd, int read_noblock);
@@ -740,7 +802,7 @@ void flush_log(void);
 
 /* option.c */
 void read_opts (int argc, char **argv, char *compile_opts);
-char *option_string(unsigned char opt);
+char *option_string(unsigned char opt, int *is_ip, int *is_name);
 void reread_dhcp(void);
 
 /* forward.c */
@@ -752,6 +814,7 @@ void server_gone(struct server *server);
 struct frec *get_new_frec(time_t now, int *wait);
 
 /* network.c */
+int indextoname(int fd, int index, char *name);
 int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp);
 int random_sock(int family);
 void pre_allocate_sfds(void);
@@ -760,24 +823,25 @@ void check_servers(void);
 int enumerate_interfaces();
 struct listener *create_wildcard_listeners(void);
 struct listener *create_bound_listeners(void);
-int iface_check(int family, struct all_addr *addr, 
-		struct ifreq *ifr, int *indexp);
+int iface_check(int family, struct all_addr *addr, char *name, int *indexp);
 int fix_fd(int fd);
 struct in_addr get_ifaddr(char *intr);
 
 /* dhcp.c */
+#ifdef HAVE_DHCP
 void dhcp_init(void);
-void dhcp_packet(time_t now);
-char *get_domain(struct in_addr addr);
+void dhcp_packet(time_t now, int pxe_fd);
 struct dhcp_context *address_available(struct dhcp_context *context, 
 				       struct in_addr addr,
 				       struct dhcp_netid *netids);
 struct dhcp_context *narrow_context(struct dhcp_context *context, 
 				    struct in_addr taddr,
 				    struct dhcp_netid *netids);
-int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly);int address_allocate(struct dhcp_context *context,
+int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int negonly);
+int address_allocate(struct dhcp_context *context,
 		     struct in_addr *addrp, unsigned char *hwaddr, int hw_len,
 		     struct dhcp_netid *netids, time_t now);
+struct dhcp_netid *run_tag_if(struct dhcp_netid *input);
 int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type);
 struct dhcp_config *find_config(struct dhcp_config *configs,
 				struct dhcp_context *context,
@@ -791,8 +855,10 @@ struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct i
 char *strip_hostname(char *hostname);
 char *host_from_dns(struct in_addr addr);
 char *get_domain(struct in_addr addr);
+#endif
 
 /* lease.c */
+#ifdef HAVE_DHCP
 void lease_update_file(time_t now);
 void lease_update_dns();
 void lease_init(time_t now);
@@ -809,18 +875,24 @@ void lease_prune(struct dhcp_lease *target, time_t now);
 void lease_update_from_configs(void);
 int do_script_run(time_t now);
 void rerun_scripts(void);
+#endif
 
 /* rfc2131.c */
+#ifdef HAVE_DHCP
 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
-		  size_t sz, time_t now, int unicast_dest, int *is_inform);
+		  size_t sz, time_t now, int unicast_dest, int *is_inform, int pxe_fd);
 unsigned char *extended_hwaddr(int hwtype, int hwlen, unsigned char *hwaddr, 
 			       int clid_len, unsigned char *clid, int *len_out);
+#endif
 
 /* dnsmasq.c */
+#ifdef HAVE_DHCP
 int make_icmp_sock(void);
 int icmp_ping(struct in_addr addr);
+#endif
 void send_event(int fd, int event, int data);
 void clear_cache_and_reload(time_t now);
+void poll_resolv(int force, int do_reload, time_t now);
 
 /* netlink.c */
 #ifdef HAVE_LINUX_NETWORK
@@ -843,11 +915,13 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)());
 char *dbus_init(void);
 void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset);
 void set_dbus_listeners(int *maxfdp, fd_set *rset, fd_set *wset, fd_set *eset);
-void emit_dbus_signal(int action, char *mac, char *hostname, char *addr);
+#  ifdef HAVE_DHCP
+void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname);
+#  endif
 #endif
 
 /* helper.c */
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && !defined(NO_FORK)
 int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd);
 void helper_write(void);
 void queue_script(int action, struct dhcp_lease *lease, 

src/forward.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -20,7 +20,7 @@ static struct frec *lookup_frec(unsigned short id, unsigned int crc);
 static struct frec *lookup_frec_by_sender(unsigned short id,
 					  union mysockaddr *addr,
 					  unsigned int crc);
-static unsigned short get_id(int force, unsigned short force_id, unsigned int crc);
+static unsigned short get_id(unsigned int crc);
 static void free_frec(struct frec *f);
 static struct randfd *allocate_rfd(int family);
 
@@ -65,15 +65,15 @@ static void send_from(int fd, int nowild, char *packet, size_t len,
       if (to->sa.sa_family == AF_INET)
 	{
 #if defined(HAVE_LINUX_NETWORK)
-	  struct in_pktinfo *pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
-	  pkt->ipi_ifindex = 0;
-	  pkt->ipi_spec_dst = source->addr.addr4;
+	  struct in_pktinfo p;
+	  p.ipi_ifindex = 0;
+	  p.ipi_spec_dst = source->addr.addr4;
+	  memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
 	  msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
 	  cmptr->cmsg_level = SOL_IP;
 	  cmptr->cmsg_type = IP_PKTINFO;
 #elif defined(IP_SENDSRCADDR)
-	  struct in_addr *a = (struct in_addr *)CMSG_DATA(cmptr);
-	  *a = source->addr.addr4;
+	  memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
 	  msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
 	  cmptr->cmsg_level = IPPROTO_IP;
 	  cmptr->cmsg_type = IP_SENDSRCADDR;
@@ -82,11 +82,12 @@ static void send_from(int fd, int nowild, char *packet, size_t len,
       else
 #ifdef HAVE_IPV6
 	{
-	  struct in6_pktinfo *pkt = (struct in6_pktinfo *)CMSG_DATA(cmptr);
-	  pkt->ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
-	  pkt->ipi6_addr = source->addr.addr6;
+	  struct in6_pktinfo p;
+	  p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
+	  p.ipi6_addr = source->addr.addr6;
+	  memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
 	  msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
-	  cmptr->cmsg_type = IPV6_PKTINFO;
+	  cmptr->cmsg_type = daemon->v6pktinfo;
 	  cmptr->cmsg_level = IPV6_LEVEL;
 	}
 #else
@@ -111,7 +112,7 @@ static void send_from(int fd, int nowild, char *packet, size_t len,
 }
           
 static unsigned short search_servers(time_t now, struct all_addr **addrpp, 
-				     unsigned short qtype, char *qdomain, int *type, char **domain)
+				     unsigned short qtype, char *qdomain, int *type, char **domain, int *norebind)
 			      
 {
   /* If the query ends in the domain in one of our servers, set
@@ -153,38 +154,44 @@ static unsigned short search_servers(time_t now, struct all_addr **addrpp,
 	char *matchstart = qdomain + namelen - domainlen;
 	if (namelen >= domainlen &&
 	    hostname_isequal(matchstart, serv->domain) &&
-	    domainlen >= matchlen &&
-	    (domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	    (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
 	  {
-	    unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
-	    *type = SERV_HAS_DOMAIN;
-	    *domain = serv->domain;
-	    matchlen = domainlen;
-	    if (serv->flags & SERV_NO_ADDR)
-	      flags = F_NXDOMAIN;
-	    else if (serv->flags & SERV_LITERAL_ADDRESS)
+	    if (serv->flags & SERV_NO_REBIND)	
+	      *norebind = 1;
+	    else if (domainlen >= matchlen)
 	      {
-		if (sflag & qtype)
+		unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
+		*type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
+		*domain = serv->domain;
+		matchlen = domainlen;
+		if (serv->flags & SERV_NO_ADDR)
+		  flags = F_NXDOMAIN;
+		else if (serv->flags & SERV_LITERAL_ADDRESS)
 		  {
-		    flags = sflag;
-		    if (serv->addr.sa.sa_family == AF_INET) 
-		      *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
+		    if (sflag & qtype)
+		      {
+			flags = sflag;
+			if (serv->addr.sa.sa_family == AF_INET) 
+			  *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
 #ifdef HAVE_IPV6
-		    else
-		      *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
+			else
+			  *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
 #endif
+		      }
+		    else if (!flags || (flags & F_NXDOMAIN))
+		      flags = F_NOERR;
 		  }
-		else if (!flags || (flags & F_NXDOMAIN))
-		  flags = F_NOERR;
-	      }
-	  } 
+		else
+		  flags = 0;
+	      } 
+	  }
       }
-
+  
   if (flags == 0 && !(qtype & F_BIGNAME) && 
       (daemon->options & OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
     /* don't forward simple names, make exception for NS queries and empty name. */
     flags = F_NXDOMAIN;
-    
+  
   if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
     flags = F_NOERR;
 
@@ -197,7 +204,11 @@ static unsigned short search_servers(time_t now, struct all_addr **addrpp,
   
       log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
     }
-
+  else if ((*type) & SERV_USE_RESOLV)
+    {
+      *type = 0; /* use normal servers for this domain */
+      *domain = NULL;
+    }
   return  flags;
 }
 
@@ -206,7 +217,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 			 HEADER *header, size_t plen, time_t now, struct frec *forward)
 {
   char *domain = NULL;
-  int type = 0;
+  int type = 0, norebind = 0;
   struct all_addr *addrp = NULL;
   unsigned int crc = questions_crc(header, plen, daemon->namebuff);
   unsigned short flags = 0;
@@ -234,7 +245,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   else 
     {
       if (gotname)
-	flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain);
+	flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
       
       if (!flags && !(forward = get_new_frec(now, NULL)))
 	/* table full - server failure. */
@@ -242,30 +253,41 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
       
       if (forward)
 	{
-	  /* force unchanging id for signed packets */
-	  int is_sign;
-	  find_pseudoheader(header, plen, NULL, NULL, &is_sign);
-	  
 	  forward->source = *udpaddr;
 	  forward->dest = *dst_addr;
 	  forward->iface = dst_iface;
 	  forward->orig_id = ntohs(header->id);
-	  forward->new_id = get_id(is_sign, forward->orig_id, crc);
+	  forward->new_id = get_id(crc);
 	  forward->fd = udpfd;
 	  forward->crc = crc;
 	  forward->forwardall = 0;
+	  forward->norebind = norebind;
 	  header->id = htons(forward->new_id);
 
-	  /* In strict_order mode, or when using domain specific servers
-	     always try servers in the order specified in resolv.conf,
+	  /* In strict_order mode, always try servers in the order 
+	     specified in resolv.conf, if a domain is given 
+	     always try all the available servers,
 	     otherwise, use the one last known to work. */
 	  
-	  if (type != 0  || (daemon->options & OPT_ORDER))
-	    start = daemon->servers;
-	  else if (!(start = daemon->last_server))
+	  if (type == 0)
+	    {
+	      if (daemon->options & OPT_ORDER)
+		start = daemon->servers;
+	      else if (!(start = daemon->last_server) ||
+		       daemon->forwardcount++ > FORWARD_TEST ||
+		       difftime(now, daemon->forwardtime) > FORWARD_TIME)
+		{
+		  start = daemon->servers;
+		  forward->forwardall = 1;
+		  daemon->forwardcount = 0;
+		  daemon->forwardtime = now;
+		}
+	    }
+	  else
 	    {
 	      start = daemon->servers;
-	      forward->forwardall = 1;
+	      if (!(daemon->options & OPT_ORDER))
+		forward->forwardall = 1;
 	    }
 	}
     }
@@ -374,7 +396,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 }
 
 static size_t process_reply(HEADER *header, time_t now, 
-			    struct server *server, size_t n)
+			    struct server *server, size_t n, int check_rebind)
 {
   unsigned char *pheader, *sizep;
   int munged = 0, is_sign;
@@ -428,9 +450,9 @@ static size_t process_reply(HEADER *header, time_t now,
 	  header->rcode = NOERROR;
 	}
       
-      if (extract_addresses(header, n, daemon->namebuff, now))
+      if (extract_addresses(header, n, daemon->namebuff, now, is_sign, check_rebind))
 	{
-	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected"));
+	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
 	  munged = 1;
 	}
     }
@@ -543,7 +565,12 @@ void reply_query(int fd, int family, time_t now)
   if (forward->forwardall == 0 || --forward->forwardall == 1 || 
       (header->rcode != REFUSED && header->rcode != SERVFAIL))
     {
-      if ((nn = process_reply(header, now, server, (size_t)n)))
+      int check_rebind = !forward->norebind;
+
+      if (!(daemon->options & OPT_NO_REBIND))
+	check_rebind = 0;
+      
+      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind)))
 	{
 	  header->id = htons(forward->orig_id);
 	  header->ra = 1; /* recursion if available */
@@ -635,21 +662,37 @@ void receive_query(struct listener *listen, time_t now)
 	for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	  if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
 	    {
-	      dst_addr_4 = dst_addr.addr.addr4 = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_spec_dst;
-	      if_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
+	      union {
+		unsigned char *c;
+		struct in_pktinfo *p;
+	      } p;
+	      p.c = CMSG_DATA(cmptr);
+	      dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
+	      if_index = p.p->ipi_ifindex;
 	    }
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
       if (listen->family == AF_INET)
 	{
 	  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-	    if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
-	      dst_addr_4 = dst_addr.addr.addr4 = *((struct in_addr *)CMSG_DATA(cmptr));
-	    else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
-#ifdef HAVE_SOLARIS_NETWORK
-	      if_index = *((unsigned int *)CMSG_DATA(cmptr));
-#else
-	      if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+	    {
+	      union {
+		unsigned char *c;
+		unsigned int *i;
+		struct in_addr *a;
+#ifndef HAVE_SOLARIS_NETWORK
+		struct sockaddr_dl *s;
 #endif
+	      } p;
+	       p.c = CMSG_DATA(cmptr);
+	       if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+		 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
+	       else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+#ifdef HAVE_SOLARIS_NETWORK
+		 if_index = *(p.i);
+#else
+  	         if_index = p.s->sdl_index;
+#endif
+	    }
 	}
 #endif
       
@@ -657,29 +700,24 @@ void receive_query(struct listener *listen, time_t now)
       if (listen->family == AF_INET6)
 	{
 	  for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-	    if (cmptr->cmsg_level == IPV6_LEVEL && cmptr->cmsg_type == IPV6_PKTINFO)
+	    if (cmptr->cmsg_level == IPV6_LEVEL && cmptr->cmsg_type == daemon->v6pktinfo)
 	      {
-		dst_addr.addr.addr6 = ((struct in6_pktinfo *)CMSG_DATA(cmptr))->ipi6_addr;
-		if_index =((struct in6_pktinfo *)CMSG_DATA(cmptr))->ipi6_ifindex;
+		union {
+		  unsigned char *c;
+		  struct in6_pktinfo *p;
+		} p;
+		p.c = CMSG_DATA(cmptr);
+		  
+		dst_addr.addr.addr6 = p.p->ipi6_addr;
+		if_index = p.p->ipi6_ifindex;
 	      }
 	}
 #endif
       
       /* enforce available interface configuration */
       
-      if (if_index == 0)
-	return;
-      
-#ifdef SIOCGIFNAME
-      ifr.ifr_ifindex = if_index;
-      if (ioctl(listen->fd, SIOCGIFNAME, &ifr) == -1)
-	return;
-#else
-      if (!if_indextoname(if_index, ifr.ifr_name))
-	return;
-#endif
-      
-      if (!iface_check(listen->family, &dst_addr, &ifr, &if_index))
+      if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
+	  !iface_check(listen->family, &dst_addr, ifr.ifr_name, &if_index))
 	return;
       
       if (listen->family == AF_INET &&
@@ -728,7 +766,7 @@ void receive_query(struct listener *listen, time_t now)
 unsigned char *tcp_request(int confd, time_t now,
 			   struct in_addr local_addr, struct in_addr netmask)
 {
-  int size = 0;
+  int size = 0, norebind = 0;
   size_t m;
   unsigned short qtype, gotname;
   unsigned char c1, c2;
@@ -787,7 +825,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	  char *domain = NULL;
 	  
 	  if (gotname)
-	    flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain);
+	    flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
 	  
 	  if (type != 0  || (daemon->options & OPT_ORDER) || !daemon->last_server)
 	    last_server = daemon->servers;
@@ -803,7 +841,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	         Note that this code subtley ensures that consecutive queries on this connection
 	         which can go to the same server, do so. */
 	      while (1) 
-		{
+ 		{
 		  if (!firstsendto)
 		    firstsendto = last_server;
 		  else
@@ -868,7 +906,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		     someone might be attempting to insert bogus values into the cache by 
 		     sending replies containing questions and bogus answers. */
 		  if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
-		    m = process_reply(header, now, last_server, (unsigned int)m);
+		    m = process_reply(header, now, last_server, (unsigned int)m, (daemon->options & OPT_NO_REBIND) && !norebind );
 		  
 		  break;
 		}
@@ -1073,22 +1111,12 @@ void server_gone(struct server *server)
     daemon->srv_save = NULL;
 }
 
-/* return unique random ids.
-   For signed packets we can't change the ID without breaking the
-   signing, so we keep the same one. In this case force is set, and this
-   routine degenerates into killing any conflicting forward record. */
-static unsigned short get_id(int force, unsigned short force_id, unsigned int crc)
+/* return unique random ids. */
+static unsigned short get_id(unsigned int crc)
 {
   unsigned short ret = 0;
   
-  if (force)
-    {
-      struct frec *f = lookup_frec(force_id, crc);
-      if (f)
-	free_frec(f); /* free */
-      ret = force_id;
-    }
-  else do 
+  do 
     ret = rand16();
   while (lookup_frec(ret, crc));
   

src/helper.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -28,15 +28,16 @@
    main process.
 */
 
-#ifndef NO_FORK
+#if defined(HAVE_DHCP) && defined(HAVE_SCRIPT)
 
 static void my_setenv(const char *name, const char *value, int *error);
+static unsigned char *grab_extradata(unsigned char *buf, unsigned char *end,  char *env, int *err);
 
 struct script_data
 {
   unsigned char action, hwaddr_len, hwaddr_type;
-  unsigned char clid_len, hostname_len, uclass_len, vclass_len;
-  struct in_addr addr;
+  unsigned char clid_len, hostname_len, ed_len;
+  struct in_addr addr, giaddr;
   unsigned int remaining_time;
 #ifdef HAVE_BROKEN_RTC
   unsigned int length;
@@ -93,7 +94,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	      /* kill daemon */
 	      send_event(event_fd, EVENT_DIE, 0);
 	      /* return error */
-	      send_event(err_fd, EVENT_HUSER_ERR, errno);;
+	      send_event(err_fd, EVENT_HUSER_ERR, errno);
 	    }
 	  _exit(0);
 	}
@@ -101,7 +102,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 
   /* close all the sockets etc, we don't need them here. This closes err_fd, so that
      main process can return. */
-  for (max_fd--; max_fd > 0; max_fd--)
+  for (max_fd--; max_fd >= 0; max_fd--)
     if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && 
 	max_fd != STDIN_FILENO && max_fd != pipefd[0] && max_fd != event_fd)
       close(max_fd);
@@ -112,6 +113,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       struct script_data data;
       char *p, *action_str, *hostname = NULL;
       unsigned char *buf = (unsigned char *)daemon->namebuff;
+      unsigned char *end, *alloc_buff = NULL;
       int err = 0;
 
       /* we read zero bytes when pipe closed: this is our signal to exit */ 
@@ -138,8 +140,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
             p += sprintf(p, ":");
         }
       
-      /* and CLID into packet */
-      if (!read_write(pipefd[0], buf, data.clid_len, 1))
+      /* and CLID into packet, avoid overwrite from bad data */
+      if ((data.clid_len > daemon->packet_buff_sz) || !read_write(pipefd[0], buf, data.clid_len, 1))
 	continue;
       for (p = daemon->packet, i = 0; i < data.clid_len; i++)
 	{
@@ -150,17 +152,25 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       
       /* and expiry or length into dhcp_buff2 */
 #ifdef HAVE_BROKEN_RTC
-      sprintf(daemon->dhcp_buff2, "%u ", data.length);
+      sprintf(daemon->dhcp_buff2, "%u", data.length);
 #else
-      sprintf(daemon->dhcp_buff2, "%lu ", (unsigned long)data.expires);
+      sprintf(daemon->dhcp_buff2, "%lu", (unsigned long)data.expires);
 #endif
       
-      if (!read_write(pipefd[0], buf, data.hostname_len + data.uclass_len + data.vclass_len, 1))
+      /* supplied data may just exceed normal buffer (unlikely) */
+      if ((data.hostname_len + data.ed_len) > daemon->packet_buff_sz && 
+	  !(alloc_buff = buf = malloc(data.hostname_len + data.ed_len)))
+	continue;
+      
+      if (!read_write(pipefd[0], buf, 
+		      data.hostname_len + data.ed_len, 1))
 	continue;
       
       /* possible fork errors are all temporary resource problems */
       while ((pid = fork()) == -1 && (errno == EAGAIN || errno == ENOMEM))
 	sleep(2);
+
+      free(alloc_buff);
       
       if (pid == -1)
 	continue;
@@ -203,52 +213,44 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       my_setenv("DNSMASQ_LEASE_EXPIRES", daemon->dhcp_buff2, &err); 
 #endif
       
-      if (data.vclass_len != 0)
-	{
-	  buf[data.vclass_len - 1] = 0; /* don't trust zero-term */
-	  /* cannot have = chars in env - truncate if found . */
-	  if ((p = strchr((char *)buf, '=')))
-	    *p = 0;
-	  my_setenv("DNSMASQ_VENDOR_CLASS", (char *)buf, &err);
-	  buf += data.vclass_len;
-	}
-      
-      if (data.uclass_len != 0)
-	{
-	  unsigned char *end = buf + data.uclass_len;
-	  buf[data.uclass_len - 1] = 0; /* don't trust zero-term */
-	  
-	  for (i = 0; buf < end;)
-	    {
-	      size_t len = strlen((char *)buf) + 1;
-	      if ((p = strchr((char *)buf, '=')))
-		*p = 0;
-	      if (strlen((char *)buf) != 0)
-		{
-		  sprintf(daemon->dhcp_buff2, "DNSMASQ_USER_CLASS%i", i++);
-		  my_setenv(daemon->dhcp_buff2, (char *)buf, &err);
-		}
-	      buf += len;
-	    }
-	}
-      
-      sprintf(daemon->dhcp_buff2, "%u ", data.remaining_time);
-      my_setenv("DNSMASQ_TIME_REMAINING", daemon->dhcp_buff2, &err);
-      
       if (data.hostname_len != 0)
 	{
 	  char *dot;
 	  hostname = (char *)buf;
 	  hostname[data.hostname_len - 1] = 0;
-	  if (!canonicalise(hostname))
+	  if (!legal_hostname(hostname))
 	    hostname = NULL;
 	  else if ((dot = strchr(hostname, '.')))
 	    {
 	      my_setenv("DNSMASQ_DOMAIN", dot+1, &err);
 	      *dot = 0;
-	    }
+	    } 
+	  buf += data.hostname_len;
+	}
+
+      end = buf + data.ed_len;
+      buf = grab_extradata(buf, end, "DNSMASQ_VENDOR_CLASS", &err);
+      buf = grab_extradata(buf, end, "DNSMASQ_SUPPLIED_HOSTNAME", &err);
+      buf = grab_extradata(buf, end, "DNSMASQ_CPEWAN_OUI", &err);
+      buf = grab_extradata(buf, end, "DNSMASQ_CPEWAN_SERIAL", &err);   
+      buf = grab_extradata(buf, end, "DNSMASQ_CPEWAN_CLASS", &err);
+      buf = grab_extradata(buf, end, "DNSMASQ_TAGS", &err);
+      
+      for (i = 0; buf; i++)
+	{
+	  sprintf(daemon->dhcp_buff2, "DNSMASQ_USER_CLASS%i", i);
+	  buf = grab_extradata(buf, end, daemon->dhcp_buff2, &err);
 	}
       
+      if (data.giaddr.s_addr != 0)
+	my_setenv("DNSMASQ_RELAY_ADDRESS", inet_ntoa(data.giaddr), &err); 
+
+      if (data.action != ACTION_DEL)
+	{
+	  sprintf(daemon->dhcp_buff2, "%u", data.remaining_time);
+	  my_setenv("DNSMASQ_TIME_REMAINING", daemon->dhcp_buff2, &err);
+	}
+
       if (data.action == ACTION_OLD_HOSTNAME && hostname)
 	{
 	  my_setenv("DNSMASQ_OLD_HOSTNAME", hostname, &err);
@@ -276,59 +278,52 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 
 static void my_setenv(const char *name, const char *value, int *error)
 {
-  if (*error == 0)
-    {
-#if defined(HAVE_SOLARIS_NETWORK) && !defined(HAVE_SOLARIS_PRIVS)
-      /* old Solaris is missing setenv..... */
-      char *p;
-      
-      if (!(p = malloc(strlen(name) + strlen(value) + 2)))
-	*error = ENOMEM;
-      else
-	{
-	  strcpy(p, name);
-	  strcat(p, "=");
-	  strcat(p, value);
-	  
-	  if (putenv(p) != 0)
-	    *error = errno;
-	}
-#else
-      if (setenv(name, value, 1) != 0)
-	*error = errno;
-#endif
-    }
+  if (*error == 0 && setenv(name, value, 1) != 0)
+    *error = errno;
 }
  
+static unsigned char *grab_extradata(unsigned char *buf, unsigned char *end,  char *env, int *err)
+{
+  unsigned char *next;
+
+  if (!buf || (buf == end))
+    return NULL;
+
+  for (next = buf; *next != 0; next++)
+    if (next == end)
+      return NULL;
+  
+  if (next != buf)
+    {
+      char *p;
+      /* No "=" in value */
+      if ((p = strchr((char *)buf, '=')))
+	*p = 0;
+      my_setenv(env, (char *)buf, err);
+    }
+
+  return next + 1;
+}
+
 /* pack up lease data into a buffer */    
 void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t now)
 {
   unsigned char *p;
   size_t size;
-  int i;
-  unsigned int hostname_len = 0, clid_len = 0, vclass_len = 0, uclass_len = 0;
+  unsigned int hostname_len = 0, clid_len = 0, ed_len = 0;
   
-#ifdef HAVE_DBUS
-  p = extended_hwaddr(lease->hwaddr_type, lease->hwaddr_len,
-		      lease->hwaddr, lease->clid_len, lease->clid, &i);
-  print_mac(daemon->namebuff, p, i);
-  emit_dbus_signal(action, daemon->namebuff, hostname ? hostname : "", inet_ntoa(lease->addr));
-#endif
-
   /* no script */
   if (daemon->helperfd == -1)
     return;
 
-  if (lease->vendorclass)
-    vclass_len = lease->vendorclass_len;
-  if (lease->userclass)
-    uclass_len = lease->userclass_len;
+  if (lease->extradata)
+    ed_len = lease->extradata_len;
   if (lease->clid)
     clid_len = lease->clid_len;
   if (hostname)
     hostname_len = strlen(hostname) + 1;
 
-  size = sizeof(struct script_data) +  clid_len + vclass_len + uclass_len + hostname_len;
+  size = sizeof(struct script_data) +  clid_len + ed_len + hostname_len;
 
   if (size > buf_size)
     {
@@ -350,24 +345,13 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
   buf->hwaddr_len = lease->hwaddr_len;
   buf->hwaddr_type = lease->hwaddr_type;
   buf->clid_len = clid_len;
-  buf->vclass_len = vclass_len;
-  buf->uclass_len = uclass_len;
+  buf->ed_len = ed_len;
   buf->hostname_len = hostname_len;
   buf->addr = lease->addr;
+  buf->giaddr = lease->giaddr;
   memcpy(buf->hwaddr, lease->hwaddr, lease->hwaddr_len);
-  buf->interface[0] = 0;
-#ifdef HAVE_LINUX_NETWORK
-  if (lease->last_interface != 0)
-    {
-      struct ifreq ifr;
-      ifr.ifr_ifindex = lease->last_interface;
-      if (ioctl(daemon->dhcpfd, SIOCGIFNAME, &ifr) != -1)
-	strncpy(buf->interface, ifr.ifr_name, IF_NAMESIZE);
-    }
-#else
-  if (lease->last_interface != 0)
-    if_indextoname(lease->last_interface, buf->interface);
-#endif
+  if (!indextoname(daemon->dhcpfd, lease->last_interface, buf->interface))
+    buf->interface[0] = 0;
   
 #ifdef HAVE_BROKEN_RTC 
   buf->length = lease->length;
@@ -382,24 +366,16 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
       memcpy(p, lease->clid, clid_len);
       p += clid_len;
     }
-  if (vclass_len != 0)
+  if (hostname_len != 0)
     {
-      memcpy(p, lease->vendorclass, vclass_len);
-      p += vclass_len;
+      memcpy(p, hostname, hostname_len);
+      p += hostname_len;
     }
-  if (uclass_len != 0)
+  if (ed_len != 0)
     {
-      memcpy(p, lease->userclass, uclass_len);
-      p += uclass_len;
+      memcpy(p, lease->extradata, ed_len);
+      p += ed_len;
     }
-  /* substitute * for space: spaces are allowed in hostnames (for DNS-SD)
-     and are likley to be a security hole in most scripts. */
-  for (i = 0; i < (int)hostname_len; i++)
-    if ((daemon->options & OPT_LEASE_RO) && hostname[i] == ' ')
-      *(p++) = '*';
-    else
-      *(p++) = hostname[i];
-  
   bytes_in_buf = p - (unsigned char *)buf;
 }
 

src/lease.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,12 +10,14 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
+#ifdef HAVE_DHCP
+
 static struct dhcp_lease *leases = NULL, *old_leases = NULL;
 static int dns_dirty, file_dirty, leases_left;
 
@@ -27,11 +29,12 @@ void lease_init(time_t now)
   int clid_len, hw_len, hw_type;
   FILE *leasestream;
   
-  /* These two each hold a DHCP option max size 255
+  /* These each hold a DHCP option max size 255
      and get a terminating zero added */
   daemon->dhcp_buff = safe_malloc(256);
   daemon->dhcp_buff2 = safe_malloc(256); 
-  
+  daemon->dhcp_buff3 = safe_malloc(256);
+ 
   leases_left = daemon->dhcp_max;
 
   if (daemon->options & OPT_LEASE_RO)
@@ -40,14 +43,20 @@ void lease_init(time_t now)
 	 initial state of the database. If leasefile-ro is
 	 set without a script, we just do without any 
 	 lease database. */
-      if (!daemon->lease_change_command)
+#ifdef HAVE_SCRIPT
+      if (daemon->lease_change_command)
 	{
-	  file_dirty = dns_dirty = 0;
-	  return;
+	  strcpy(daemon->dhcp_buff, daemon->lease_change_command);
+	  strcat(daemon->dhcp_buff, " init");
+	  leasestream = popen(daemon->dhcp_buff, "r");
 	}
-      strcpy(daemon->dhcp_buff, daemon->lease_change_command);
-      strcat(daemon->dhcp_buff, " init");
-      leasestream = popen(daemon->dhcp_buff, "r");
+      else
+#endif
+	{
+          file_dirty = dns_dirty = 0;
+          return;
+        }
+
     }
   else
     {
@@ -57,7 +66,7 @@ void lease_init(time_t now)
       if (!leasestream)
 	die(_("cannot open or create lease file %s: %s"), daemon->lease_file, EC_FILE);
       
-      /* a+ mode lease pointer at end. */
+      /* a+ mode leaves pointer at end. */
       rewind(leasestream);
     }
   
@@ -98,19 +107,14 @@ void lease_init(time_t now)
 	lease_set_hwaddr(lease, (unsigned char *)daemon->dhcp_buff2, (unsigned char *)daemon->packet, hw_len, hw_type, clid_len);
 	
 	if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	  {
-	    char *p;
-	    /* unprotect spaces */
-	    for (p = strchr(daemon->dhcp_buff, '*'); p; p = strchr(p, '*'))
-	      *p = ' ';
-	    lease_set_hostname(lease, daemon->dhcp_buff, 0);
-	  }
+	  lease_set_hostname(lease, daemon->dhcp_buff, 0);
 
 	/* set these correctly: the "old" events are generated later from
 	   the startup synthesised SIGHUP. */
 	lease->new = lease->changed = 0;
       }
   
+#ifdef HAVE_SCRIPT
   if (!daemon->lease_stream)
     {
       int rc = 0;
@@ -131,6 +135,7 @@ void lease_init(time_t now)
 	  die(_("lease-init script returned exit code %s"), daemon->dhcp_buff, WEXITSTATUS(rc) + EC_INIT_OFFSET);
 	}
     }
+#endif
 
   /* Some leases may have expired */
   file_dirty = 0;
@@ -171,7 +176,6 @@ void lease_update_file(time_t now)
   struct dhcp_lease *lease;
   time_t next_event;
   int i, err = 0;
-  char *p;
 
   if (file_dirty != 0 && daemon->lease_stream)
     {
@@ -197,15 +201,8 @@ void lease_update_file(time_t now)
 	    }
 
 	  ourprintf(&err, " %s ", inet_ntoa(lease->addr));
-	  
-	  /* substitute * for space: "*" is an illegal name, as is " " */
-	  if (lease->hostname)
-	    for (p = lease->hostname; *p; p++)
-	      ourprintf(&err, "%c", *p == ' ' ? '*' : *p);
-	  else
-	    ourprintf(&err, "*");
-	  ourprintf(&err, " ");
-	  
+	  ourprintf(&err, "%s ", lease->hostname ? lease->hostname : "*");
+	  	  
 	  if (lease->clid && lease->clid_len != 0)
 	    {
 	      for (i = 0; i < lease->clid_len - 1; i++)
@@ -235,7 +232,7 @@ void lease_update_file(time_t now)
       if (next_event == 0 || difftime(next_event, LEASE_RETRY + now) > 0.0)
 	next_event = LEASE_RETRY + now;
       
-      my_syslog(LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
+      my_syslog(MS_DHCP | LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
 		daemon->lease_file, strerror(err),
 		(unsigned int)difftime(next_event, now));
     }
@@ -548,7 +545,7 @@ int do_script_run(time_t now)
       /* If the lease still has an old_hostname, do the "old" action on that first */
       if (lease->old_hostname)
 	{
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	  queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
 #endif
 	  free(lease->old_hostname);
@@ -558,15 +555,17 @@ int do_script_run(time_t now)
       else 
 	{
 	  kill_name(lease);
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	  queue_script(ACTION_DEL, lease, lease->old_hostname, now);
+#endif
+#ifdef HAVE_DBUS
+	  emit_dbus_signal(ACTION_DEL, lease, lease->old_hostname);
 #endif
 	  old_leases = lease->next;
 	  
 	  free(lease->old_hostname); 
 	  free(lease->clid);
-	  free(lease->vendorclass);
-	  free(lease->userclass);
+	  free(lease->extradata);
 	  free(lease);
 	    
 	  return 1; 
@@ -577,7 +576,7 @@ int do_script_run(time_t now)
   for (lease = leases; lease; lease = lease->next)
     if (lease->old_hostname)
       {	
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	queue_script(ACTION_OLD_HOSTNAME, lease, lease->old_hostname, now);
 #endif
 	free(lease->old_hostname);
@@ -589,24 +588,27 @@ int do_script_run(time_t now)
     if (lease->new || lease->changed || 
 	(lease->aux_changed && (daemon->options & OPT_LEASE_RO)))
       {
-#ifndef NO_FORK
+#ifdef HAVE_SCRIPT
 	queue_script(lease->new ? ACTION_ADD : ACTION_OLD, lease, 
 		     lease->fqdn ? lease->fqdn : lease->hostname, now);
+#endif
+#ifdef HAVE_DBUS
+	emit_dbus_signal(lease->new ? ACTION_ADD : ACTION_OLD, lease,
+			 lease->fqdn ? lease->fqdn : lease->hostname);
 #endif
 	lease->new = lease->changed = lease->aux_changed = 0;
 	
-	/* these are used for the "add" call, then junked, since they're not in the database */
-	free(lease->vendorclass);
-	lease->vendorclass = NULL;
+	/* this is used for the "add" call, then junked, since they're not in the database */
+	free(lease->extradata);
+	lease->extradata = NULL;
 	
-	free(lease->userclass);
-	lease->userclass = NULL;
-		
 	return 1;
       }
 
   return 0; /* nothing to do */
 }
+
+#endif
 	  
 
       

src/log.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -30,7 +30,8 @@
 
 /* defaults in case we die() before we log_start() */
 static int log_fac = LOG_DAEMON;
-static int log_stderr = 0; 
+static int log_stderr = 0;
+static int echo_stderr = 0;
 static int log_fd = -1;
 static int log_to_file = 0;
 static int entries_alloced = 0;
@@ -54,7 +55,7 @@ int log_start(struct passwd *ent_pw, int errfd)
 {
   int ret = 0;
 
-  log_stderr = !!(daemon->options & OPT_DEBUG);
+  echo_stderr = !!(daemon->options & OPT_DEBUG);
 
   if (daemon->log_fac != -1)
     log_fac = daemon->log_fac;
@@ -67,6 +68,12 @@ int log_start(struct passwd *ent_pw, int errfd)
     { 
       log_to_file = 1;
       daemon->max_logs = 0;
+      if (strcmp(daemon->log_file, "-") == 0)
+	{
+	  log_stderr = 1;
+	  echo_stderr = 0;
+	  log_fd = dup(STDERR_FILENO);
+	}
     }
   
   max_logs = daemon->max_logs;
@@ -90,7 +97,7 @@ int log_start(struct passwd *ent_pw, int errfd)
      change the ownership here so that the file is always owned by
      the dnsmasq user. Then logrotate can just copy the owner.
      Failure of the chown call is OK, (for instance when started as non-root) */
-  if (log_to_file && ent_pw && ent_pw->pw_uid != 0 && 
+  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 && 
       fchown(log_fd, ent_pw->pw_uid, -1) != 0)
     ret = errno;
 
@@ -99,37 +106,34 @@ int log_start(struct passwd *ent_pw, int errfd)
 
 int log_reopen(char *log_file)
 {
-  if (log_fd != -1)
-    close(log_fd);
-
-  /* NOTE: umask is set to 022 by the time this gets called */
-     
-  if (log_file)
-    {
-      log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
-      return log_fd != -1;
-    }
-  else
+  if (!log_stderr)
+    {      
+      if (log_fd != -1)
+	close(log_fd);
+      
+      /* NOTE: umask is set to 022 by the time this gets called */
+      
+      if (log_file)
+	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);      
+      else
+	{
 #ifdef HAVE_SOLARIS_NETWORK
-    /* Solaris logging is "different", /dev/log is not unix-domain socket.
-       Just leave log_fd == -1 and use the vsyslog call for everything.... */
+	  /* Solaris logging is "different", /dev/log is not unix-domain socket.
+	     Just leave log_fd == -1 and use the vsyslog call for everything.... */
 #   define _PATH_LOG ""  /* dummy */
-    log_fd = -1;
+	  return 1;
 #else
-    {
-       int flags;
-       log_fd = socket(AF_UNIX, connection_type, 0);
-      
-      if (log_fd == -1)
-	return 0;
-      
-      /* if max_logs is zero, leave the socket blocking */
-      if (max_logs != 0 && (flags = fcntl(log_fd, F_GETFL)) != -1)
-	fcntl(log_fd, F_SETFL, flags | O_NONBLOCK);
-    }
+	  int flags;
+	  log_fd = socket(AF_UNIX, connection_type, 0);
+	  
+	  /* if max_logs is zero, leave the socket blocking */
+	  if (log_fd != -1 && max_logs != 0 && (flags = fcntl(log_fd, F_GETFL)) != -1)
+	    fcntl(log_fd, F_SETFL, flags | O_NONBLOCK);
 #endif
-
-  return 1;
+	}
+    }
+  
+  return log_fd != -1;
 }
 
 static void free_entry(void)
@@ -248,6 +252,10 @@ static void log_write(void)
     }
 }
 
+/* priority is one of LOG_DEBUG, LOG_INFO, LOG_NOTICE, etc. See sys/syslog.h.
+   OR'd to priority can be MS_TFTP, MS_DHCP, ... to be able to do log separation between
+   DNS, DHCP and TFTP services.
+*/
 void my_syslog(int priority, const char *format, ...)
 {
   va_list ap;
@@ -256,10 +264,23 @@ void my_syslog(int priority, const char *format, ...)
   char *p;
   size_t len;
   pid_t pid = getpid();
+  char *func = "";
 
-  if (log_stderr) 
+  if ((LOG_FACMASK & priority) == MS_TFTP)
+    func = "-tftp";
+  else if ((LOG_FACMASK & priority) == MS_DHCP)
+    func = "-dhcp";
+      
+#ifdef LOG_PRI
+  priority = LOG_PRI(priority);
+#else
+  /* Solaris doesn't have LOG_PRI */
+  priority &= LOG_PRIMASK;
+#endif
+
+  if (echo_stderr) 
     {
-      fprintf(stderr, "dnsmasq: ");
+      fprintf(stderr, "dnsmasq%s: ", func);
       va_start(ap, format);
       vfprintf(stderr, format, ap);
       va_end(ap);
@@ -305,8 +326,9 @@ void my_syslog(int priority, const char *format, ...)
       p = entry->payload;
       if (!log_to_file)
 	p += sprintf(p, "<%d>", priority | log_fac);
-      
-      p += sprintf(p, "%.15s dnsmasq[%d]: ", ctime(&time_now) + 4, (int)pid);
+
+      p += sprintf(p, "%.15s dnsmasq%s[%d]: ", ctime(&time_now) + 4, func, (int)pid);
+        
       len = p - entry->payload;
       va_start(ap, format);  
       len += vsnprintf(p, MAX_MESSAGE - len, format, ap) + 1; /* include zero-terminator */
@@ -376,14 +398,19 @@ void check_log_writer(fd_set *set)
 
 void flush_log(void)
 {
-  /* block until queue empty */
-  if (log_fd != -1)
+  /* write until queue empty */
+  while (log_fd != -1)
     {
-      int flags;
-      if ((flags = fcntl(log_fd, F_GETFL)) != -1)
-	fcntl(log_fd, F_SETFL, flags & ~O_NONBLOCK);
+      struct timespec waiter;
       log_write();
-      close(log_fd);
+      if (!entries)
+	{
+	  close(log_fd);	
+	  break;
+	}
+      waiter.tv_sec = 0;
+      waiter.tv_nsec = 1000000; /* 1 ms */
+      nanosleep(&waiter, NULL);
     }
 }
 
@@ -394,11 +421,13 @@ void die(char *message, char *arg1, int exit_code)
   if (!arg1)
     arg1 = errmess;
 
-  log_stderr = 1; /* print as well as log when we die.... */
-  fputc('\n', stderr); /* prettyfy  startup-script message */
+  if (!log_stderr)
+    {
+      echo_stderr = 1; /* print as well as log when we die.... */
+      fputc('\n', stderr); /* prettyfy  startup-script message */
+    }
   my_syslog(LOG_CRIT, message, arg1, errmess);
-  
-  log_stderr = 0;
+  echo_stderr = 0;
   my_syslog(LOG_CRIT, _("FAILED to start up"));
   flush_log();
   

src/netlink.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -31,6 +31,7 @@
 #endif
 
 static struct iovec iov;
+static u32 netlink_pid;
 
 static void nl_err(struct nlmsghdr *h);
 static void nl_routechange(struct nlmsghdr *h);
@@ -38,6 +39,7 @@ static void nl_routechange(struct nlmsghdr *h);
 void netlink_init(void)
 {
   struct sockaddr_nl addr;
+  socklen_t slen = sizeof(addr);
 
   addr.nl_family = AF_NETLINK;
   addr.nl_pad = 0;
@@ -59,48 +61,63 @@ void netlink_init(void)
 	}
     }
   
-  if (daemon->netlinkfd == -1)
+  if (daemon->netlinkfd == -1 || 
+      getsockname(daemon->netlinkfd, (struct sockaddr *)&addr, &slen) == 1)
     die(_("cannot create netlink socket: %s"), NULL, EC_MISC);
+   
+  /* save pid assigned by bind() and retrieved by getsockname() */ 
+  netlink_pid = addr.nl_pid;
   
-  iov.iov_len = 200;
+  iov.iov_len = 100;
   iov.iov_base = safe_malloc(iov.iov_len);
 }
 
 static ssize_t netlink_recv(void)
 {
   struct msghdr msg;
+  struct sockaddr_nl nladdr;
   ssize_t rc;
 
-  msg.msg_control = NULL;
-  msg.msg_controllen = 0;
-  msg.msg_name = NULL;
-  msg.msg_namelen = 0;
-  msg.msg_iov = &iov;
-  msg.msg_iovlen = 1;
-    
   while (1)
     {
+      msg.msg_control = NULL;
+      msg.msg_controllen = 0;
+      msg.msg_name = &nladdr;
+      msg.msg_namelen = sizeof(nladdr);
+      msg.msg_iov = &iov;
+      msg.msg_iovlen = 1;
       msg.msg_flags = 0;
-      while ((rc = recvmsg(daemon->netlinkfd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
       
-      /* 2.2.x doesn't suport MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
-	 big buffer and pray in that case. */
-      if (rc == -1 && errno == EOPNOTSUPP)
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, MSG_PEEK | MSG_TRUNC)) == -1 && errno == EINTR);
+      
+      /* make buffer big enough */
+      if (rc != -1 && (msg.msg_flags & MSG_TRUNC))
 	{
-	  if (!expand_buf(&iov, 2000))
-	    return -1;
-	  break;
+	  /* Very new Linux kernels return the actual size needed, older ones always return truncated size */
+	  if ((size_t)rc == iov.iov_len)
+	    {
+	      if (expand_buf(&iov, rc + 100))
+		continue;
+	    }
+	  else
+	    expand_buf(&iov, rc);
 	}
-      
-      if (rc == -1 || !(msg.msg_flags & MSG_TRUNC))
-        break;
-            
-      if (!expand_buf(&iov, iov.iov_len + 100))
-	return -1;
-    }
 
-  /* finally, read it for real */
-  while ((rc = recvmsg(daemon->netlinkfd, &msg, 0)) == -1 && errno == EINTR);
+      /* read it for real */
+      msg.msg_flags = 0;
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, 0)) == -1 && errno == EINTR);
+      
+      /* Make sure this is from the kernel */
+      if (rc == -1 || nladdr.nl_pid == 0)
+	break;
+    }
+      
+  /* discard stuff which is truncated at this point (expand_buf() may fail) */
+  if (msg.msg_flags & MSG_TRUNC)
+    {
+      rc = -1;
+      errno = ENOMEM;
+    }
   
   return rc;
 }
@@ -141,13 +158,20 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
   while (1)
     {
       if ((len = netlink_recv()) == -1)
-	return 0;
-  
+	{
+	  if (errno == ENOBUFS)
+	    {
+	      sleep(1);
+	      goto again;
+	    }
+	  return 0;
+	}
+
       for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
- 	if (h->nlmsg_type == NLMSG_ERROR)
-	  nl_err(h);
-	else if (h->nlmsg_seq != seq)
+	if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid)
 	  nl_routechange(h); /* May be multicast arriving async */
+	else if (h->nlmsg_type == NLMSG_ERROR)
+	  nl_err(h);
 	else if (h->nlmsg_type == NLMSG_DONE)
 	  {
 #ifdef HAVE_IPV6
@@ -208,10 +232,17 @@ int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
     }
 }
 
+
 void netlink_multicast(void)
 {
   ssize_t len;
   struct nlmsghdr *h;
+  int flags;
+  
+  /* don't risk blocking reading netlink messages here. */
+  if ((flags = fcntl(daemon->netlinkfd, F_GETFL)) == -1 ||
+      fcntl(daemon->netlinkfd, F_SETFL, flags | O_NONBLOCK) == -1) 
+    return;
   
   if ((len = netlink_recv()) != -1)
     {
@@ -221,11 +252,15 @@ void netlink_multicast(void)
 	else
 	  nl_routechange(h);
     }
+
+  /* restore non-blocking status */
+  fcntl(daemon->netlinkfd, F_SETFL, flags); 
 }
 
 static void nl_err(struct nlmsghdr *h)
 {
   struct nlmsgerr *err = NLMSG_DATA(h);
+  
   if (err->error != 0)
     my_syslog(LOG_ERR, _("netlink returns error: %s"), strerror(-(err->error)));
 }
@@ -234,10 +269,10 @@ static void nl_err(struct nlmsghdr *h)
    If this happens and we still have a DNS packet in the buffer, we re-send it.
    This helps on DoD links, where frequently the packet which triggers dialling is
    a DNS query, which then gets lost. By re-sending, we can avoid the lookup
-   failing. */ 
+   failing. Note that we only accept these messages from the kernel (pid == 0) */ 
 static void nl_routechange(struct nlmsghdr *h)
 {
-  if (h->nlmsg_type == RTM_NEWROUTE)
+  if (h->nlmsg_pid == 0 && h->nlmsg_type == RTM_NEWROUTE)
     {
       struct rtmsg *rtm = NLMSG_DATA(h);
       int fd;
@@ -246,8 +281,8 @@ static void nl_routechange(struct nlmsghdr *h)
 	return;
 
       /* Force re-reading resolv file right now, for luck. */
-      daemon->last_resolv = 0;
-
+      poll_resolv(1, 1, dnsmasq_time()); 
+      
       if (daemon->srv_save)
 	{
 	  if (daemon->srv_save->sfd)

src/network.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,60 +10,66 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
-int iface_check(int family, struct all_addr *addr, 
-		struct ifreq *ifr, int *indexp)
+#ifdef HAVE_LINUX_NETWORK
+
+int indextoname(int fd, int index, char *name)
+{
+  struct ifreq ifr;
+  
+  if (index == 0)
+    return 0;
+
+  ifr.ifr_ifindex = index;
+  if (ioctl(fd, SIOCGIFNAME, &ifr) == -1)
+    return 0;
+
+  strncpy(name, ifr.ifr_name, IF_NAMESIZE);
+
+  return 1;
+}
+
+#else
+
+int indextoname(int fd, int index, char *name)
+{ 
+  if (index == 0 || !if_indextoname(index, name))
+    return 0;
+
+  return 1;
+}
+
+#endif
+
+int iface_check(int family, struct all_addr *addr, char *name, int *indexp)
 {
   struct iname *tmp;
   int ret = 1;
 
   /* Note: have to check all and not bail out early, so that we set the
      "used" flags. */
-
-  if (indexp)
-    {
-#ifdef HAVE_BSD_BRIDGE
-      /* One form of bridging on BSD has the property that packets
-	 can be recieved on bridge interfaces which do not have an IP address.
-	 We allow these to be treated as aliases of another interface which does have
-	 an IP address with --dhcp-bridge=interface,alias,alias */
-      struct dhcp_bridge *bridge, *alias;
-      for (bridge = daemon->bridges; bridge; bridge = bridge->next)
-	{
-	  for (alias = bridge->alias; alias; alias = alias->next)
-	    if (strncmp(ifr->ifr_name, alias->iface, IF_NAMESIZE) == 0)
-	      {
-		int newindex;
-		
-		if (!(newindex = if_nametoindex(bridge->iface)))
-		  {
-		    my_syslog(LOG_WARNING, _("unknown interface %s in bridge-interface"), ifr->ifr_name);
-		    return 0;
-		  }
-		else 
-		  {
-		    *indexp = newindex;
-		    strncpy(ifr->ifr_name,  bridge->iface, IF_NAMESIZE);
-		    break;
-		  }
-	      }
-	  if (alias)
-	    break;
-	}
-#endif
-    }
   
   if (daemon->if_names || (addr && daemon->if_addrs))
     {
+#ifdef HAVE_DHCP
+      struct dhcp_context *range;
+#endif
+
       ret = 0;
 
+#ifdef HAVE_DHCP
+      for (range = daemon->dhcp; range; range = range->next)
+	if (range->interface && strcmp(range->interface, name) == 0)
+	  ret = 1;
+#endif
+
       for (tmp = daemon->if_names; tmp; tmp = tmp->next)
-	if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+	if (tmp->name && (strcmp(tmp->name, name) == 0))
 	  ret = tmp->used = 1;
 	        
       for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
@@ -82,9 +88,40 @@ int iface_check(int family, struct all_addr *addr,
     }
   
   for (tmp = daemon->if_except; tmp; tmp = tmp->next)
-    if (tmp->name && (strcmp(tmp->name, ifr->ifr_name) == 0))
+    if (tmp->name && (strcmp(tmp->name, name) == 0))
       ret = 0;
   
+  if (indexp)
+    {
+      /* One form of bridging on BSD has the property that packets
+	 can be recieved on bridge interfaces which do not have an IP address.
+	 We allow these to be treated as aliases of another interface which does have
+	 an IP address with --dhcp-bridge=interface,alias,alias */
+      struct dhcp_bridge *bridge, *alias;
+      for (bridge = daemon->bridges; bridge; bridge = bridge->next)
+	{
+	  for (alias = bridge->alias; alias; alias = alias->next)
+	    if (strncmp(name, alias->iface, IF_NAMESIZE) == 0)
+	      {
+		int newindex;
+		
+		if (!(newindex = if_nametoindex(bridge->iface)))
+		  {
+		    my_syslog(LOG_WARNING, _("unknown interface %s in bridge-interface"), name);
+		    return 0;
+		  }
+		else 
+		  {
+		    *indexp = newindex;
+		    strncpy(name,  bridge->iface, IF_NAMESIZE);
+		    break;
+		  }
+	      }
+	  if (alias)
+	    break;
+	}
+    }
+  
   return ret; 
 }
       
@@ -92,27 +129,22 @@ static int iface_allowed(struct irec **irecp, int if_index,
 			 union mysockaddr *addr, struct in_addr netmask) 
 {
   struct irec *iface;
-  int fd;
+  int fd, mtu = 0, loopback;
   struct ifreq ifr;
-  int dhcp_ok = 1;
+  int tftp_ok = daemon->tftp_unlimited;
+#ifdef HAVE_DHCP
   struct iname *tmp;
-  
+#endif
+  struct interface_list *ir = NULL;
+
   /* check whether the interface IP has been added already 
      we call this routine multiple times. */
   for (iface = *irecp; iface; iface = iface->next) 
     if (sockaddr_isequal(&iface->addr, addr))
       return 1;
   
-#ifdef HAVE_LINUX_NETWORK
-  ifr.ifr_ifindex = if_index;
-#endif
-  
   if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1 ||
-#ifdef HAVE_LINUX_NETWORK
-      ioctl(fd, SIOCGIFNAME, &ifr) == -1 ||
-#else
-      !if_indextoname(if_index, ifr.ifr_name) ||
-#endif
+      !indextoname(fd, if_index, ifr.ifr_name) ||
       ioctl(fd, SIOCGIFFLAGS, &ifr) == -1)
     {
       if (fd != -1)
@@ -123,12 +155,17 @@ static int iface_allowed(struct irec **irecp, int if_index,
 	}
       return 0;
     }
+   
+  loopback = ifr.ifr_flags & IFF_LOOPBACK;
+
+  if (ioctl(fd, SIOCGIFMTU, &ifr) != -1)
+    mtu = ifr.ifr_mtu;
   
   close(fd);
   
   /* If we are restricting the set of interfaces to use, make
      sure that loopback interfaces are in that set. */
-  if (daemon->if_names && (ifr.ifr_flags & IFF_LOOPBACK))
+  if (daemon->if_names && loopback)
     {
       struct iname *lo;
       for (lo = daemon->if_names; lo; lo = lo->next)
@@ -149,26 +186,45 @@ static int iface_allowed(struct irec **irecp, int if_index,
 	}
     }
   
-  if (addr->sa.sa_family == AF_INET &&
-      !iface_check(AF_INET, (struct all_addr *)&addr->in.sin_addr, &ifr, NULL))
-    return 1;
-  
-  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-    if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
-      dhcp_ok = 0;
-  
-#ifdef HAVE_IPV6
-  if (addr->sa.sa_family == AF_INET6 &&
-      !iface_check(AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, &ifr, NULL))
-    return 1;
+#ifdef HAVE_TFTP
+  /* implement wierd TFTP service rules */
+  if (addr->sa.sa_family == AF_INET)
+    for (ir = daemon->tftp_interfaces; ir; ir = ir->next)
+      if (strcmp(ir->interface, ifr.ifr_name) == 0)
+	{
+	  tftp_ok = 1;
+	  break;
+	}
 #endif
 
+  if (!ir)
+    {
+      if (addr->sa.sa_family == AF_INET &&
+	  !iface_check(AF_INET, (struct all_addr *)&addr->in.sin_addr, ifr.ifr_name, NULL))
+	return 1;
+      
+#ifdef HAVE_DHCP
+      for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+	if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
+	  tftp_ok = 0;
+#endif
+      
+#ifdef HAVE_IPV6
+      if (addr->sa.sa_family == AF_INET6 &&
+	  !iface_check(AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, ifr.ifr_name, NULL))
+	return 1;
+#endif
+    }
+
   /* add to list */
   if ((iface = whine_malloc(sizeof(struct irec))))
     {
       iface->addr = *addr;
       iface->netmask = netmask;
-      iface->dhcp_ok = dhcp_ok;
+      iface->tftp_ok = tftp_ok;
+      iface->mtu = mtu;
+      if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
+	strcpy(iface->name, ifr.ifr_name);
       iface->next = *irecp;
       *irecp = iface;
       return 1;
@@ -217,7 +273,6 @@ static int iface_allowed_v4(struct in_addr local, int if_index,
   return iface_allowed((struct irec **)vparam, if_index, &addr, netmask);
 }
    
-
 int enumerate_interfaces(void)
 {
 #ifdef HAVE_IPV6
@@ -270,16 +325,35 @@ static int create_ipv6_listener(struct listener **link, int port)
       setsockopt(tcpfd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
       !fix_fd(fd) ||
       !fix_fd(tcpfd) ||
-#ifdef IPV6_RECVPKTINFO
-      setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1 ||
-#else
-      setsockopt(fd, IPV6_LEVEL, IPV6_PKTINFO, &opt, sizeof(opt)) == -1 ||
-#endif
       bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
       listen(tcpfd, 5) == -1 ||
       bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1) 
     return 0;
-      
+
+  /* The API changed around Linux 2.6.14 but the old ABI is still supported:
+     handle all combinations of headers and kernel.
+     OpenWrt note that this fixes the problem addressed by your very broken patch. */
+
+  daemon->v6pktinfo = IPV6_PKTINFO;
+
+#ifdef IPV6_RECVPKTINFO
+#  ifdef IPV6_2292PKTINFO
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1)
+    {
+      if (errno == ENOPROTOOPT && setsockopt(fd, IPV6_LEVEL, IPV6_2292PKTINFO, &opt, sizeof(opt)) != -1)
+	daemon->v6pktinfo = IPV6_2292PKTINFO;
+      else
+	return 0;
+    }
+#  else
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1)
+    return 0;
+#  endif 
+#else
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_PKTINFO, &opt, sizeof(opt)) == -1)
+    return 0;
+#endif
+  
   l = safe_malloc(sizeof(struct listener));
   l->fd = fd;
   l->tcpfd = tcpfd;
@@ -334,7 +408,7 @@ struct listener *create_wildcard_listeners(void)
     }
   
 #ifdef HAVE_TFTP
-  if (daemon->options & OPT_TFTP)
+  if (daemon->tftp_unlimited || daemon->tftp_interfaces)
     {
       addr.in.sin_port = htons(TFTP_PORT);
       if ((tftpfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
@@ -366,8 +440,11 @@ struct listener *create_bound_listeners(void)
 {
   struct listener *listeners = NULL;
   struct irec *iface;
-  int opt = 1;
-  
+  int rc, opt = 1;
+#ifdef HAVE_IPV6
+  static int dad_count = 0;
+#endif
+
   for (iface = daemon->interfaces; iface; iface = iface->next)
     {
       struct listener *new = safe_malloc(sizeof(struct listener));
@@ -377,6 +454,7 @@ struct listener *create_bound_listeners(void)
       new->tftpfd = -1;
       new->tcpfd = -1;
       new->fd = -1;
+      listeners = new;
 
       if (daemon->port != 0)
 	{
@@ -396,32 +474,39 @@ struct listener *create_bound_listeners(void)
 		die(_("failed to set IPV6 options on listening socket: %s"), NULL, EC_BADNET);
 	    }
 #endif
-	  
-	  if (bind(new->tcpfd, &iface->addr.sa, sa_len(&iface->addr)) == -1 ||
-	      bind(new->fd, &iface->addr.sa, sa_len(&iface->addr)) == -1)
+
+	  while(1)
 	    {
+	      if ((rc = bind(new->fd, &iface->addr.sa, sa_len(&iface->addr))) != -1)
+		break;
+	      
 #ifdef HAVE_IPV6
-	      if (iface->addr.sa.sa_family == AF_INET6 && (errno == ENODEV || errno == EADDRNOTAVAIL))
+	      /* An interface may have an IPv6 address which is still undergoing DAD. 
+		 If so, the bind will fail until the DAD completes, so we try over 20 seconds
+		 before failing. */
+	      if (iface->addr.sa.sa_family == AF_INET6 && (errno == ENODEV || errno == EADDRNOTAVAIL) && 
+		  dad_count++ < DAD_WAIT)
 		{
-		  close(new->tcpfd);
-		  close(new->fd);
-		  free(new);
-		  new = NULL;
+		  sleep(1);
+		  continue;
 		}
-	      else
 #endif
-		{
-		  prettyprint_addr(&iface->addr, daemon->namebuff);
-		  die(_("failed to bind listening socket for %s: %s"), 
-		      daemon->namebuff, EC_BADNET);
-		}
+	      break;
 	    }
-	  else if (listen(new->tcpfd, 5) == -1)
+	  
+	  if (rc == -1 || bind(new->tcpfd, &iface->addr.sa, sa_len(&iface->addr)) == -1)
+	    {
+	      prettyprint_addr(&iface->addr, daemon->namebuff);
+	      die(_("failed to bind listening socket for %s: %s"), 
+		  daemon->namebuff, EC_BADNET);
+	    }
+	    
+	  if (listen(new->tcpfd, 5) == -1)
 	    die(_("failed to listen on socket: %s"), NULL, EC_BADNET);
 	}
 
 #ifdef HAVE_TFTP
-      if ((daemon->options & OPT_TFTP) && iface->addr.sa.sa_family == AF_INET && iface->dhcp_ok)
+      if (iface->addr.sa.sa_family == AF_INET && iface->tftp_ok)
 	{
 	  short save = iface->addr.in.sin_port;
 	  iface->addr.in.sin_port = htons(TFTP_PORT);
@@ -434,8 +519,6 @@ struct listener *create_bound_listeners(void)
 	}
 #endif
 
-      if (new)
-	listeners = new;
     }
 
   return listeners;
@@ -519,8 +602,8 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
     return 0;
     
 #if defined(SO_BINDTODEVICE)
-  if (strlen(intname) != 0 &&
-      setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, sizeof(intname)) == -1)
+  if (intname[0] != 0 &&
+      setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, IF_NAMESIZE) == -1)
     return 0;
 #endif
 
@@ -534,7 +617,7 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
 
   /* when using random ports, servers which would otherwise use
      the INADDR_ANY/port0 socket have sfd set to NULL */
-  if (!daemon->osport)
+  if (!daemon->osport && intname[0] == 0)
     {
       errno = 0;
       
@@ -614,13 +697,13 @@ void pre_allocate_sfds(void)
     }
   
   for (srv = daemon->servers; srv; srv = srv->next)
-    if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
+    if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) &&
 	!allocate_sfd(&srv->source_addr, srv->interface) &&
 	errno != 0 &&
 	(daemon->options & OPT_NOWILD))
       {
-	prettyprint_addr(&srv->addr, daemon->namebuff);
-	if (strlen(srv->interface) != 0)
+	prettyprint_addr(&srv->source_addr, daemon->namebuff);
+	if (srv->interface[0] != 0)
 	  {
 	    strcat(daemon->namebuff, " ");
 	    strcat(daemon->namebuff, srv->interface);
@@ -637,11 +720,15 @@ void check_servers(void)
   struct server *new, *tmp, *ret = NULL;
   int port = 0;
 
+  /* interface may be new since startup */
+  if (!(daemon->options & OPT_NOWILD))
+    enumerate_interfaces();
+  
   for (new = daemon->servers; new; new = tmp)
     {
       tmp = new->next;
       
-      if (!(new->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)))
+      if (!(new->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
 	{
 	  port = prettyprint_addr(&new->addr, daemon->namebuff);
 
@@ -680,25 +767,30 @@ void check_servers(void)
       new->next = ret;
       ret = new;
       
-      if (new->flags & (SERV_HAS_DOMAIN | SERV_FOR_NODOTS))
+      if (!(new->flags & SERV_NO_REBIND))
 	{
-	  char *s1, *s2;
-	  if (!(new->flags & SERV_HAS_DOMAIN))
-	    s1 = _("unqualified"), s2 = _("names");
-	  else if (strlen(new->domain) == 0)
-	    s1 = _("default"), s2 = "";
+	  if (new->flags & (SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_USE_RESOLV))
+	    {
+	      char *s1, *s2;
+	      if (!(new->flags & SERV_HAS_DOMAIN))
+		s1 = _("unqualified"), s2 = _("names");
+	      else if (strlen(new->domain) == 0)
+		s1 = _("default"), s2 = "";
+	      else
+		s1 = _("domain"), s2 = new->domain;
+	      
+	      if (new->flags & SERV_NO_ADDR)
+		my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
+	      else if (new->flags & SERV_USE_RESOLV)
+		my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
+	      else if (!(new->flags & SERV_LITERAL_ADDRESS))
+		my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
+	    }
+	  else if (new->interface[0] != 0)
+	    my_syslog(LOG_INFO, _("using nameserver %s#%d(via %s)"), daemon->namebuff, port, new->interface); 
 	  else
-	    s1 = _("domain"), s2 = new->domain;
-	  
-	  if (new->flags & SERV_NO_ADDR)
-	    my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
-	  else if (!(new->flags & SERV_LITERAL_ADDRESS))
-	    my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
+	    my_syslog(LOG_INFO, _("using nameserver %s#%d"), daemon->namebuff, port); 
 	}
-      else if (strlen(new->interface) != 0)
-	my_syslog(LOG_INFO, _("using nameserver %s#%d(via %s)"), daemon->namebuff, port, new->interface); 
-      else
-	my_syslog(LOG_INFO, _("using nameserver %s#%d"), daemon->namebuff, port); 
     }
   
   daemon->servers = ret;
@@ -825,16 +917,19 @@ struct in_addr get_ifaddr(char *intr)
 {
   struct listener *l;
   struct ifreq ifr;
+  struct sockaddr_in ret;
+  
+  ret.sin_addr.s_addr = -1;
 
   for (l = daemon->listeners; l && l->family != AF_INET; l = l->next);
   
   strncpy(ifr.ifr_name, intr, IF_NAMESIZE);
   ifr.ifr_addr.sa_family = AF_INET;
   
-  if (!l || ioctl(l->fd, SIOCGIFADDR, &ifr) == -1)
-    ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr.s_addr = -1;
+  if (l &&  ioctl(l->fd, SIOCGIFADDR, &ifr) != -1)
+    memcpy(&ret, &ifr.ifr_addr, sizeof(ret)); 
   
-  return ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+  return ret.sin_addr;
 }
 
 

src/rfc1035.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,8 +10,8 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
@@ -25,7 +25,7 @@ static int add_resource_record(HEADER *header, char *limit, int *truncp,
     ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen))
 
 #define ADD_RDLEN(header, pp, plen, len) \
-    (!CHECK_LEN(header, pp, plen, len) ? 0 : (int)((pp) += (len)), 1)
+    (!CHECK_LEN(header, pp, plen, len) ? 0 : (long)((pp) += (len)), 1)
 
 static int extract_name(HEADER *header, size_t plen, unsigned char **pp, 
 			char *name, int isExtract, int extrabytes)
@@ -138,7 +138,8 @@ static int extract_name(HEADER *header, size_t plen, unsigned char **pp,
 	  for(j=0; j<l; j++, p++)
 	    if (isExtract)
 	      {
-		if (legal_char(*p))
+		unsigned char c = *p;
+		if (isascii(c) && !iscntrl(c) && c != '.')
 		  *cp++ = *p;
 		else
 		  return 0;
@@ -512,26 +513,31 @@ unsigned char *find_pseudoheader(HEADER *header, size_t plen, size_t  *len, unsi
       
   
 /* is addr in the non-globally-routed IP space? */ 
-static int private_net(struct in_addr addr) 
+static int private_net(struct in_addr addr, int ban_localhost) 
 {
   in_addr_t ip_addr = ntohl(addr.s_addr);
 
   return
-    ((ip_addr & 0xFF000000) == 0x7F000000)  /* 127.0.0.0/8    (loopback) */ || 
+    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ || 
     ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
     ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
     ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
     ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ;
 }
 
-static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, size_t qlen)
+static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, size_t qlen, char *name)
 {
   int i, qtype, qclass, rdlen;
   unsigned long ttl;
 
   for (i = count; i != 0; i--)
     {
-      if (!(p = skip_name(p, header, qlen, 10)))
+      if (name && (daemon->options & OPT_LOG))
+	{
+	  if (!extract_name(header, qlen, &p, name, 1, 10))
+	    return 0;
+	}
+      else if (!(p = skip_name(p, header, qlen, 10)))
 	return 0; /* bad packet */
       
       GETSHORT(qtype, p); 
@@ -539,28 +545,60 @@ static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, siz
       GETLONG(ttl, p);
       GETSHORT(rdlen, p);
       
-      if ((qclass == C_IN) && (qtype == T_A))
+      if (qclass == C_IN && qtype == T_A)
 	{
 	  struct doctor *doctor;
 	  struct in_addr addr;
 	  
 	  if (!CHECK_LEN(header, p, qlen, INADDRSZ))
 	    return 0;
-	   
-	   /* alignment */
+	  
+	  /* alignment */
 	  memcpy(&addr, p, INADDRSZ);
 	  
 	  for (doctor = daemon->doctors; doctor; doctor = doctor->next)
-	    if (is_same_net(doctor->in, addr, doctor->mask))
-	      {
-		addr.s_addr &= ~doctor->mask.s_addr;
-		addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
-		/* Since we munged the data, the server it came from is no longer authoritative */
-		header->aa = 0;
-		memcpy(p, &addr, INADDRSZ);
-		break;
-	      }
+	    {
+	      if (doctor->end.s_addr == 0)
+		{
+		  if (!is_same_net(doctor->in, addr, doctor->mask))
+		    continue;
+		}
+	      else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) || 
+		       ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
+		continue;
+	      
+	      addr.s_addr &= ~doctor->mask.s_addr;
+	      addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
+	      /* Since we munged the data, the server it came from is no longer authoritative */
+	      header->aa = 0;
+	      memcpy(p, &addr, INADDRSZ);
+	      break;
+	    }
 	}
+      else if (qtype == T_TXT && name && (daemon->options & OPT_LOG))
+	{
+	  unsigned char *p1 = p;
+	  if (!CHECK_LEN(header, p1, qlen, rdlen))
+	    return 0;
+	  while ((p1 - p) < rdlen)
+	    {
+	      unsigned int i, len = *p1;
+	      unsigned char *p2 = p1;
+	      /* make counted string zero-term  and sanitise */
+	      for (i = 0; i < len; i++)
+		if (isprint(*(p2+1)))
+		  {
+		    *p2 = *(p2+1);
+		    p2++;
+		  }
+	      *p2 = 0;
+	      my_syslog(LOG_DEBUG, "reply %s is %s", name, p1);
+	      /* restore */
+	      memmove(p1 + 1, p1, len);
+	      *p1 = len;
+	      p1 += len+1;
+	    }
+	}		  
       
       if (!ADD_RDLEN(header, p, qlen, rdlen))
 	 return 0; /* bad packet */
@@ -569,7 +607,7 @@ static unsigned char *do_doctor(unsigned char *p, int count, HEADER *header, siz
   return p; 
 }
 
-static int find_soa(HEADER *header, size_t qlen)
+static int find_soa(HEADER *header, size_t qlen, char *name)
 {
   unsigned char *p;
   int qtype, qclass, rdlen;
@@ -578,7 +616,7 @@ static int find_soa(HEADER *header, size_t qlen)
   
   /* first move to NS section and find TTL from any SOA section */
   if (!(p = skip_questions(header, qlen)) ||
-      !(p = do_doctor(p, ntohs(header->ancount), header, qlen)))
+      !(p = do_doctor(p, ntohs(header->ancount), header, qlen, name)))
     return 0;  /* bad packet */
   
   for (i = ntohs(header->nscount); i != 0; i--)
@@ -614,7 +652,7 @@ static int find_soa(HEADER *header, size_t qlen)
     }
   
   /* rewrite addresses in additioal section too */
-  if (!do_doctor(p, ntohs(header->arcount), header, qlen))
+  if (!do_doctor(p, ntohs(header->arcount), header, qlen, NULL))
     return 0;
   
   if (!found_soa)
@@ -626,8 +664,8 @@ static int find_soa(HEADER *header, size_t qlen)
 /* Note that the following code can create CNAME chains that don't point to a real record,
    either because of lack of memory, or lack of SOA records.  These are treated by the cache code as 
    expired and cleaned out that way. 
-   Return 1 if we reject an address because it look like parct of dns-rebinding attack. */
-int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
+   Return 1 if we reject an address because it look like part of dns-rebinding attack. */
+int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now, int is_sign, int check_rebind)
 {
   unsigned char *p, *p1, *endrr, *namep;
   int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
@@ -636,11 +674,11 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 
   cache_start_insert();
 
-  /* find_soa is needed for dns_doctor side-effects, so don't call it lazily if there are any. */
-  if (daemon->doctors)
+  /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
+  if (daemon->doctors || (daemon->options & OPT_LOG))
     {
       searched_soa = 1;
-      ttl = find_soa(header, qlen);
+      ttl = find_soa(header, qlen, name);
     }
   
   /* go through the questions. */
@@ -689,6 +727,11 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		  GETSHORT(aqtype, p1); 
 		  GETSHORT(aqclass, p1);
 		  GETLONG(attl, p1);
+		  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
+		    {
+		      (p1) -= NS_INT32SZ;
+		      PUTLONG(daemon->max_ttl, p1);
+		    }
 		  GETSHORT(ardlen, p1);
 		  endrr = p1+ardlen;
 		  
@@ -723,7 +766,7 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 	      if (!searched_soa)
 		{
 		  searched_soa = 1;
-		  ttl = find_soa(header, qlen);
+		  ttl = find_soa(header, qlen, NULL);
 		}
 	      if (ttl)
 		cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags);	
@@ -764,6 +807,11 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 		  GETSHORT(aqtype, p1); 
 		  GETSHORT(aqclass, p1);
 		  GETLONG(attl, p1);
+		  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
+		    {
+		      (p1) -= NS_INT32SZ;
+		      PUTLONG(daemon->max_ttl, p1);
+		    }
 		  GETSHORT(ardlen, p1);
 		  endrr = p1+ardlen;
 		  
@@ -798,9 +846,9 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 			  memcpy(&addr, p1, addrlen);
 			  
 			  /* check for returned address in private space */
-			  if ((daemon->options & OPT_NO_REBIND) &&
+			  if (check_rebind &&
 			      (flags & F_IPV4) &&
-			      private_net(addr.addr.addr4))
+			      private_net(addr.addr.addr4, !(daemon->options & OPT_LOCAL_REBIND)))
 			    return 1;
 			  
 			  newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD);
@@ -824,7 +872,7 @@ int extract_addresses(HEADER *header, size_t qlen, char *name, time_t now)
 	      if (!searched_soa)
 		{
 		  searched_soa = 1;
-		  ttl = find_soa(header, qlen);
+		  ttl = find_soa(header, qlen, NULL);
 		}
 	      /* If there's no SOA to get the TTL from, but there is a CNAME 
 		 pointing at this, inherit its TTL */
@@ -1111,7 +1159,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
   if  (crecp->flags & (F_IMMORTAL | F_DHCP))
     return daemon->local_ttl;
   
-  return crecp->ttd - now;
+  /* Return the Max TTL value if it is lower then the actual TTL */
+  if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl))
+    return crecp->ttd - now;
+  else
+    return daemon->max_ttl;
 }
   
 
@@ -1282,7 +1334,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			if (!dryrun)
 			  {
 			    log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, 
-				      record_source(daemon->addn_hosts, crecp->uid));
+				      record_source(crecp->uid));
 			    
 			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						    crec_ttl(crecp, now), NULL,
@@ -1293,7 +1345,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 		  } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
 	      else if (is_arpa == F_IPV4 && 
 		       (daemon->options & OPT_BOGUSPRIV) && 
-		       private_net(addr.addr.addr4))
+		       private_net(addr.addr.addr4, 1))
 		{
 		  /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
 		  ans = 1;
@@ -1318,18 +1370,41 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 	      if (qtype != type && qtype != T_ANY)
 		continue;
 	      
-	      /* Check for "A for A"  queries */
-	      if (qtype == T_A && (addr.addr.addr4.s_addr = inet_addr(name)) != (in_addr_t) -1)
+	      /* Check for "A for A"  queries; be rather conservative 
+		 about what looks like dotted-quad.  */
+	      if (qtype == T_A)
 		{
-		  ans = 1;
-		  if (!dryrun)
+		  char *cp;
+		  unsigned int i, a;
+		  int x;
+
+		  for (cp = name, i = 0, a = 0; *cp; i++)
 		    {
-		      log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
-		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-					      daemon->local_ttl, NULL, type, C_IN, "4", &addr))
-			anscount++;
+		      if (!isdigit(*cp) || (x = strtol(cp, &cp, 10)) > 255) 
+			{
+			  i = 5;
+			  break;
+			}
+		      
+		      a = (a << 8) + x;
+		      
+		      if (*cp == '.') 
+			cp++;
+		    }
+		  
+		  if (i == 4)
+		    {
+		      ans = 1;
+		      if (!dryrun)
+			{
+			  addr.addr.addr4.s_addr = htonl(a);
+			  log_query(F_FORWARD | F_CONFIG | F_IPV4, name, &addr, NULL);
+			  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						  daemon->local_ttl, NULL, type, C_IN, "4", &addr))
+			    anscount++;
+			}
+		      continue;
 		    }
-		  continue;
 		}
 
 	      /* interface name stuff */
@@ -1392,7 +1467,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			{
 			  if (!dryrun)
 			    {
-			      log_query(crecp->flags, name, NULL, record_source(daemon->addn_hosts, crecp->uid));
+			      log_query(crecp->flags, name, NULL, record_source(crecp->uid));
 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						      crec_ttl(crecp, now), &nameoffset,
 						      T_CNAME, C_IN, "d", cache_get_name(crecp->addr.cname.cache)))
@@ -1428,7 +1503,7 @@ size_t answer_request(HEADER *header, char *limit, size_t qlen,
 			  if (!dryrun)
 			    {
 			      log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr,
-					record_source(daemon->addn_hosts, crecp->uid));
+					record_source(crecp->uid));
 			      
 			      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						      crec_ttl(crecp, now), NULL, type, C_IN, 

src/tftp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,15 +10,15 @@
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
      
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "dnsmasq.h"
 
 #ifdef HAVE_TFTP
 
-static struct tftp_file *check_tftp_fileperm(ssize_t *len);
+static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, int special);
 static void free_transfer(struct tftp_transfer *transfer);
 static ssize_t tftp_err(int err, char *packet, char *mess, char *file);
 static ssize_t tftp_err_oops(char *packet, char *file);
@@ -45,24 +45,30 @@ void tftp_request(struct listener *listen, time_t now)
   char *filename, *mode, *p, *end, *opt;
   struct sockaddr_in addr, peer;
   struct msghdr msg;
-  struct cmsghdr *cmptr;
   struct iovec iov;
   struct ifreq ifr;
-  int is_err = 1, if_index = 0;
+  int is_err = 1, if_index = 0, mtu = 0, special = 0;
+#ifdef HAVE_DHCP
   struct iname *tmp;
+#endif
   struct tftp_transfer *transfer;
   int port = daemon->start_tftp_port; /* may be zero to use ephemeral port */
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
-  int mtu = IP_PMTUDISC_DONT;
+  int mtuflag = IP_PMTUDISC_DONT;
 #endif
-  
+  char namebuff[IF_NAMESIZE];
+  char *name;
+  char *prefix = daemon->tftp_prefix;
+  struct tftp_prefix *pref;
+  struct interface_list *ir;
+
   union {
     struct cmsghdr align; /* this ensures alignment */
 #if defined(HAVE_LINUX_NETWORK)
     char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
 #elif defined(HAVE_SOLARIS_NETWORK)
     char control[CMSG_SPACE(sizeof(unsigned int))];
-#else
+#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
     char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
 #endif
   } control_u; 
@@ -85,52 +91,104 @@ void tftp_request(struct listener *listen, time_t now)
     return;
   
   if (daemon->options & OPT_NOWILD)
-    addr = listen->iface->addr.in;
+    {
+      addr = listen->iface->addr.in;
+      mtu = listen->iface->mtu;
+      name = listen->iface->name;
+    }
   else
     {
+      struct cmsghdr *cmptr;
+      int check;
+      struct interface_list *ir;
+
       addr.sin_addr.s_addr = 0;
       
 #if defined(HAVE_LINUX_NETWORK)
       for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
 	  {
-	    addr.sin_addr = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_spec_dst;
-	    if_index = ((struct in_pktinfo *)CMSG_DATA(cmptr))->ipi_ifindex;
+	    union {
+	      unsigned char *c;
+	      struct in_pktinfo *p;
+	    } p;
+	    p.c = CMSG_DATA(cmptr);
+	    addr.sin_addr = p.p->ipi_spec_dst;
+	    if_index = p.p->ipi_ifindex;
 	  }
-      if (!(ifr.ifr_ifindex = if_index) || 
-	  ioctl(listen->tftpfd, SIOCGIFNAME, &ifr) == -1)
-	return;
       
+#elif defined(HAVE_SOLARIS_NETWORK)
+      for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+	{
+	  union {
+	    unsigned char *c;
+	    struct in_addr *a;
+	    unsigned int *i;
+	  } p;
+	  p.c = CMSG_DATA(cmptr);
+	  if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+	    addr.sin_addr = *(p.a);
+	  else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	    if_index = *(p.i);
+	}
+
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
       for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
-	if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
-	  addr.sin_addr = *((struct in_addr *)CMSG_DATA(cmptr));
-	else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
-#ifdef HAVE_SOLARIS_NETWORK
-	  if_index = *((unsigned int *)CMSG_DATA(cmptr));
-#else
-          if_index = ((struct sockaddr_dl *)CMSG_DATA(cmptr))->sdl_index;
+	{
+	  union {
+	    unsigned char *c;
+	    struct in_addr *a;
+	    struct sockaddr_dl *s;
+	  } p;
+	  p.c = CMSG_DATA(cmptr);
+	  if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
+	    addr.sin_addr = *(p.a);
+	  else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
+	    if_index = p.s->sdl_index;
+	}
+	  
 #endif
       
-      if (if_index == 0 || !if_indextoname(if_index, ifr.ifr_name))
+      if (!indextoname(listen->tftpfd, if_index, namebuff) ||
+	  addr.sin_addr.s_addr == 0)
 	return;
-      
+
+      name = namebuff;
+      check = iface_check(AF_INET, (struct all_addr *)&addr.sin_addr, name, &if_index);
+
+      /* wierd TFTP service override */
+      for (ir = daemon->tftp_interfaces; ir; ir = ir->next)
+	if (strcmp(ir->interface, name) == 0)
+	  break;
+       
+      if (!ir)
+	{
+	  if (!daemon->tftp_unlimited || !check)
+	    return;
+	  
+#ifdef HAVE_DHCP      
+	  /* allowed interfaces are the same as for DHCP */
+	  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+	    if (tmp->name && (strcmp(tmp->name, name) == 0))
+	      return;
 #endif
-      
-      if (addr.sin_addr.s_addr == 0)
-	return;
-      
-      if (!iface_check(AF_INET, (struct all_addr *)&addr.sin_addr, 
-		       &ifr, &if_index))
-	return;
-      
-      /* allowed interfaces are the same as for DHCP */
-      for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
-	  return;
-      
+	}
+
+      strncpy(ifr.ifr_name, name, IF_NAMESIZE);
+      if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) != -1)
+	mtu = ifr.ifr_mtu;      
     }
   
+  /* check for per-interface prefix */ 
+  for (pref = daemon->if_prefix; pref; pref = pref->next)
+    if (strcmp(pref->interface, name) == 0)
+      prefix = pref->prefix;
+
+  /* wierd TFTP interfaces disable special options. */
+  for (ir = daemon->tftp_interfaces; ir; ir = ir->next)
+    if (strcmp(ir->interface, name) == 0)
+      special = 1;
+
   addr.sin_port = htons(port);
   addr.sin_family = AF_INET;
 #ifdef HAVE_SOCKADDR_SA_LEN
@@ -161,7 +219,7 @@ void tftp_request(struct listener *listen, time_t now)
     {
       if (bind(transfer->sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
-	  setsockopt(transfer->sockfd, SOL_IP, IP_MTU_DISCOVER, &mtu, sizeof(mtu)) == -1 ||
+	  setsockopt(transfer->sockfd, SOL_IP, IP_MTU_DISCOVER, &mtuflag, sizeof(mtuflag)) == -1 ||
 #endif
 	  !fix_fd(transfer->sockfd))
 	{
@@ -172,7 +230,7 @@ void tftp_request(struct listener *listen, time_t now)
 		  addr.sin_port = htons(port);
 		  continue;
 		}
-	      my_syslog(LOG_ERR, _("unable to get free port for TFTP"));
+	      my_syslog(MS_TFTP | LOG_ERR, _("unable to get free port for TFTP"));
 	    }
 	  free_transfer(transfer);
 	  return;
@@ -195,42 +253,50 @@ void tftp_request(struct listener *listen, time_t now)
       
       while ((opt = next(&p, end)))
 	{
-	  if (strcasecmp(opt, "blksize") == 0 &&
-	      (opt = next(&p, end)) &&
-	      !(daemon->options & OPT_TFTP_NOBLOCK))
+	  if (strcasecmp(opt, "blksize") == 0)
 	    {
-	      transfer->blocksize = atoi(opt);
-	      if (transfer->blocksize < 1)
-		transfer->blocksize = 1;
-	      if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
-		transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
-	      transfer->opt_blocksize = 1;
-	      transfer->block = 0;
+	      if ((opt = next(&p, end)) &&
+		  (special || !(daemon->options & OPT_TFTP_NOBLOCK)))
+		{
+		  transfer->blocksize = atoi(opt);
+		  if (transfer->blocksize < 1)
+		    transfer->blocksize = 1;
+		  if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+		    transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+		  /* 32 bytes for IP, UDP and TFTP headers */
+		  if (mtu != 0 && transfer->blocksize > (unsigned)mtu - 32)
+		    transfer->blocksize = (unsigned)mtu - 32;
+		  transfer->opt_blocksize = 1;
+		  transfer->block = 0;
+		}
 	    }
-	  
-	  if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+	  else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
 	    {
 	      transfer->opt_transize = 1;
 	      transfer->block = 0;
 	    }
 	}
 
-      strcpy(daemon->namebuff, "/");
-      if (daemon->tftp_prefix)
-	{
-	  if (daemon->tftp_prefix[0] == '/')
-	    daemon->namebuff[0] = 0;
-	  strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
-	  if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
-	    strncat(daemon->namebuff, "/", MAXDNAME);
+      /* cope with backslashes from windows boxen. */
+      while ((p = strchr(filename, '\\')))
+	*p = '/';
 
-	  if (daemon->options & OPT_TFTP_APREF)
+      strcpy(daemon->namebuff, "/");
+      if (prefix)
+	{
+	  if (prefix[0] == '/')
+	    daemon->namebuff[0] = 0;
+	  strncat(daemon->namebuff, prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
+	  if (prefix[strlen(prefix)-1] != '/')
+	    strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+
+	  if (!special && (daemon->options & OPT_TFTP_APREF))
 	    {
 	      size_t oldlen = strlen(daemon->namebuff);
 	      struct stat statbuf;
 	      
-	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
-	      strncat(daemon->namebuff, "/", MAXDNAME);
+	      strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
+	      strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
 	      
 	      /* remove unique-directory if it doesn't exist */
 	      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
@@ -248,11 +314,10 @@ void tftp_request(struct listener *listen, time_t now)
 	}
       else if (filename[0] == '/')
 	daemon->namebuff[0] = 0;
-      strncat(daemon->namebuff, filename, MAXDNAME);
-      daemon->namebuff[MAXDNAME-1] = 0;
+      strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
 
       /* check permissions and open file */
-      if ((transfer->file = check_tftp_fileperm(&len)))
+      if ((transfer->file = check_tftp_fileperm(&len, prefix, special)))
 	{
 	  if ((len = get_block(packet, transfer)) == -1)
 	    len = tftp_err_oops(packet, daemon->namebuff);
@@ -268,13 +333,13 @@ void tftp_request(struct listener *listen, time_t now)
     free_transfer(transfer);
   else
     {
-      my_syslog(LOG_INFO, _("TFTP sent %s to %s"), daemon->namebuff, inet_ntoa(peer.sin_addr));
+      my_syslog(MS_TFTP | LOG_INFO, _("sent %s to %s"), daemon->namebuff, inet_ntoa(peer.sin_addr));
       transfer->next = daemon->tftp_trans;
       daemon->tftp_trans = transfer;
     }
 }
  
-static struct tftp_file *check_tftp_fileperm(ssize_t *len)
+static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, int special)
 {
   char *packet = daemon->packet, *namebuff = daemon->namebuff;
   struct tftp_file *file;
@@ -284,7 +349,7 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len)
   int fd = -1;
 
   /* trick to ban moving out of the subtree */
-  if (daemon->tftp_prefix && strstr(namebuff, "/../"))
+  if (prefix && strstr(namebuff, "/../"))
     goto perm;
   
   if ((fd = open(namebuff, O_RDONLY)) == -1)
@@ -311,7 +376,7 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len)
 	goto perm;
     }
   /* in secure mode, must be owned by user running dnsmasq */
-  else if ((daemon->options & OPT_TFTP_SECURE) && uid != statbuf.st_uid)
+  else if (!special && (daemon->options & OPT_TFTP_SECURE) && uid != statbuf.st_uid)
     goto perm;
       
   /* If we're doing many tranfers from the same file, only 
@@ -402,7 +467,7 @@ void check_tftp_listeners(fd_set *rset, time_t now)
 			  *(q++) = *r;
 		      *q = 0;
 		    }
-		  my_syslog(LOG_ERR, _("TFTP error %d %s received from %s"),
+		  my_syslog(MS_TFTP | LOG_ERR, _("error %d %s received from %s"),
 			    (int)ntohs(mess->block), err, 
 			    inet_ntoa(transfer->peer.sin_addr));	
 		  
@@ -433,7 +498,7 @@ void check_tftp_listeners(fd_set *rset, time_t now)
 	      /* don't complain about timeout when we're awaiting the last
 		 ACK, some clients never send it */
 	      if (len != 0)
-		my_syslog(LOG_ERR, _("TFTP failed sending %s to %s"), 
+		my_syslog(MS_TFTP | LOG_ERR, _("failed sending %s to %s"), 
 			  transfer->file->filename, inet_ntoa(transfer->peer.sin_addr));
 	      len = 0;
 	    }
@@ -492,8 +557,7 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
   mess->op = htons(OP_ERR);
   mess->err = htons(err);
   ret += (snprintf(mess->message, 500,  message, file, errstr) + 1);
-  if (err != ERR_FNF)
-    my_syslog(LOG_ERR, "TFTP %s", mess->message);
+  my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
   
   return  ret;
 }

src/util.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2008 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2010 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -9,15 +9,13 @@
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-     
-  You should have received a copy of the GNU General Public License
-  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+      
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-/* Some code in this file contributed by Rob Funk. */
-
 /* The SURF random number generator was taken from djbdns-1.05, by 
-   Daniel J Berstein, which is public domain. */
+   Daniel J Bernstein, which is public domain. */
 
 
 #include "dnsmasq.h"
@@ -26,6 +24,9 @@
 #include <sys/times.h>
 #endif
 
+#ifdef LOCALEDIR
+#include <idna.h>
+#endif
 
 #ifdef HAVE_ARC4RANDOM
 void rand_init(void)
@@ -97,48 +98,110 @@ unsigned short rand16(void)
 
 #endif
 
-
-int legal_char(char c)
+static int check_name(char *in)
 {
-  /* check for legal char a-z A-Z 0-9 - 
-     (also / , used for RFC2317 and _ used in windows queries
-     and space, for DNS-SD stuff) */
-  if ((c >= 'A' && c <= 'Z') ||
-      (c >= 'a' && c <= 'z') ||
-      (c >= '0' && c <= '9') ||
-      c == '-' || c == '/' || c == '_' || c == ' ')
-    return 1;
-  
-  return 0;
-}
-  
-int canonicalise(char *s)
-{
-  /* check for legal chars and remove trailing . 
+  /* remove trailing . 
      also fail empty string and label > 63 chars */
-  size_t dotgap = 0, l = strlen(s);
+  size_t dotgap = 0, l = strlen(in);
   char c;
   int nowhite = 0;
-
+  
   if (l == 0 || l > MAXDNAME) return 0;
-
-  if (s[l-1] == '.')
+  
+  if (in[l-1] == '.')
     {
       if (l == 1) return 0;
-      s[l-1] = 0;
+      in[l-1] = 0;
     }
   
-  while ((c = *s))
+  for (; (c = *in); in++)
     {
       if (c == '.')
 	dotgap = 0;
-      else if (!legal_char(c) || (++dotgap > MAXLABEL))
+      else if (++dotgap > MAXLABEL)
 	return 0;
+      else if (isascii(c) && iscntrl(c)) 
+	/* iscntrl only gives expected results for ascii */
+	return 0;
+#ifndef LOCALEDIR
+      else if (!isascii(c))
+	return 0;
+#endif
       else if (c != ' ')
 	nowhite = 1;
-      s++;
     }
-  return nowhite;
+
+  if (!nowhite)
+    return 0;
+
+  return 1;
+}
+
+/* Hostnames have a more limited valid charset than domain names
+   so check for legal char a-z A-Z 0-9 - _ 
+   Note that this may receive a FQDN, so only check the first label 
+   for the tighter criteria. */
+int legal_hostname(char *name)
+{
+  char c;
+
+  if (!check_name(name))
+    return 0;
+
+  for (; (c = *name); name++)
+    /* check for legal char a-z A-Z 0-9 - _ . */
+    {
+      if ((c >= 'A' && c <= 'Z') ||
+	  (c >= 'a' && c <= 'z') ||
+	  (c >= '0' && c <= '9') ||
+	  c == '-' || c == '_')
+	continue;
+      
+      /* end of hostname part */
+      if (c == '.')
+	return 1;
+      
+      return 0;
+    }
+  
+  return 1;
+}
+  
+char *canonicalise(char *in, int *nomem)
+{
+  char *ret = NULL;
+#ifdef LOCALEDIR
+  int rc;
+#endif
+
+  if (nomem)
+    *nomem = 0;
+  
+  if (!check_name(in))
+    return NULL;
+  
+#ifdef LOCALEDIR
+  if ((rc = idna_to_ascii_lz(in, &ret, 0)) != IDNA_SUCCESS)
+    {
+      if (ret)
+	free(ret);
+
+      if (nomem && (rc == IDNA_MALLOC_ERROR || rc == IDNA_DLOPEN_ERROR))
+	{
+	  my_syslog(LOG_ERR, _("failed to allocate memory"));
+	  *nomem = 1;
+	}
+    
+      return NULL;
+    }
+#else
+  if ((ret = whine_malloc(strlen(in)+1)))
+    strcpy(ret, in);
+  else if (nomem)
+    *nomem = 1;    
+#endif
+
+  return ret;
 }
 
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
@@ -346,14 +409,19 @@ int parse_hex(char *in, unsigned char *out, int maxlen,
   return i;
 }
 
+/* return 0 for no match, or (no matched octets) + 1 */
 int memcmp_masked(unsigned char *a, unsigned char *b, int len, unsigned int mask)
 {
-  int i;
-  for (i = len - 1; i >= 0; i--, mask = mask >> 1)
-    if (!(mask & 1) && a[i] != b[i])
-      return 0;
-
-  return 1;
+  int i, count;
+  for (count = 1, i = len - 1; i >= 0; i--, mask = mask >> 1)
+    if (!(mask & 1))
+      {
+	if (a[i] == b[i])
+	  count++;
+	else
+	  return 0;
+      }
+  return count;
 }
 
 /* _note_ may copy buffer */