Fix compiler warning.

it was introduced by commit 08933475ab

Signed-off-by: Martin Schiller <ms@dev.tdt.de>

.gitattributes

@@ -0,0 +1 @@
+VERSION export-subst

.gitignore

@@ -0,0 +1,14 @@
+src/*.o
+src/*.mo
+src/dnsmasq.pot
+src/dnsmasq
+src/dnsmasq_baseline
+src/.copts_*
+contrib/lease-tools/dhcp_lease_time
+contrib/lease-tools/dhcp_release
+contrib/lease-tools/dhcp_release6
+debian/files
+debian/substvars
+debian/utils-substvars
+debian/trees/
+debian/build/

Android.mk

@@ -0,0 +1,3 @@
+ifneq ($(TARGET_SIMULATOR),true)
+include $(call all-subdir-makefiles)
+endif

CHANGELOG.archive

@@ -56,7 +56,7 @@ release 0.95  Major rewrite: remove calls to gethostbyname() and talk
               any more memory after start-up. The NAT-like forwarding was
               inspired by a suggestion from Eli Chen <eli@routefree.com>
 
-release 0.96  Fixed embarrasing thinko in cache linked-list code.
+release 0.96  Fixed embarrassing thinko in cache linked-list code.
                              
 release 0.98  Some enhancements and bug-fixes. 
               Thanks to "Denis Carre" <denis.carre@laposte.net> and Martin 
@@ -78,7 +78,7 @@ release 0.98  Some enhancements and bug-fixes.
                   ids, to thwart DNS spoofers.
               (7) Dnsmasq no longer forwards queries when the 
 	          "recursion desired" bit is not set in the header.
-	      (8) Fixed getopt code to work on compliers with unsigned char.
+	      (8) Fixed getopt code to work on compilers with unsigned char.
               
 release 0.991 Added -b flag: when set causes dnsmasq to always answer
 	      reverse queries on the RFC 1918 private IP space itself and
@@ -88,7 +88,7 @@ release 0.991 Added -b flag: when set causes dnsmasq to always answer
               Fixed a bug which stopped dnsmasq working on a box with
               two or more interfaces with the same IP address. 
 
-              Fixed cacheing of CNAMEs. Previously, a CNAME which pointed
+              Fixed caching of CNAMEs. Previously, a CNAME which pointed
               to  a name with many A records would not have all the addresses
               returned when being answered from the cache.
 
@@ -191,7 +191,7 @@ release 1.1   Added --user argument to allow user to change to
 
 release 1.2   Added IPv6 DNS record support. AAAA records are cached
               and read from /etc/hosts. Reverse-lookups in the
-	      ip6.int and ip6.arpa domains are suppored. Dnsmasq can
+	      ip6.int and ip6.arpa domains are supported. Dnsmasq can
               talk to upstream servers via IPv6 if it finds IP6 addresses
               in /etc/resolv.conf and it offers DNS service automatically
               if IPv6 support is present in the kernel.
@@ -214,7 +214,7 @@ release 1.3   Some versions of the Linux kernel return EINVAL rather
               starting, rather than after the first query - principle 
               of least surprise applies here.     
 
-release 1.4   Fix a bug with DHPC lease parsing which broke in
+release 1.4   Fix a bug with DHCP lease parsing which broke in
               non-UTC timezones. Thanks to Mark Wormgoor for
               spotting and diagnosing this. Fixed versions in
               the .spec files this time. Fixed bug in Suse startup
@@ -258,7 +258,7 @@ release 1.7   Fix a problem with cache not clearing properly
               on receipt of SIGHUP. Bug spotted by Sat Deshpande.
 
               In group-id changing code:
-	      1) Drop supplimentary groups.
+	      1) Drop supplementary groups.
               2) Change gid before dropping root (patch from Soewono Effendi.)
               3) Change group to "dip" if it exists, to allow access
                  to /etc/ppp/resolv.conf (suggestion from Jorg Sommer.)
@@ -297,7 +297,7 @@ release 1.9   Fixes to rpm .spec files.
               required. The difference is not really visible with
               bloated libcs like glibc, but should dramatically reduce
               memory requirements when linked against ulibc for use on
-              embeded routers, and that's the point really. Thanks to
+              embedded routers, and that's the point really. Thanks to
               Matthew Natalier for prompting this.   
 
 	      Changed debug mode (-d) so that all logging appears on
@@ -319,12 +319,12 @@ release 1.9   Fixes to rpm .spec files.
               uClinux. Thanks to Matthew Natalier for uClinux stuff. 
 
 release 1.10  Log warnings if resolv.conf or dhcp.leases are not
-              accessable for any reason, as suggested by Hinrich Eilts.
+              accessible for any reason, as suggested by Hinrich Eilts.
 
 	      Fixed wrong address printing in error message about
 	      no interface with address.
 
-	      Updated docs and split installation instuctions into setup.html.
+	      Updated docs and split installation instructions into setup.html.
 
 	      Fix bug in CNAME chasing code: One CNAME pointing
 	      to many A records would lose A records after the 
@@ -346,7 +346,7 @@ release 1.10  Log warnings if resolv.conf or dhcp.leases are not
 
 	      Added -S option to directly specify upstream servers and
               added ability to direct queries for specific domains to
-              specfic servers. Suggested by Jens Vonderheide.
+              specific servers. Suggested by Jens Vonderheide.
 
 	      Upgraded random ID generation - patch from Rob Funk.	      
 
@@ -386,13 +386,13 @@ release 1.11  Actually implement the -R flag promised in the 1.10 man page.
               names in /etc/hosts -suggestion from Phil Harman.
 
 	      Always return a zero time-to-live for names derived from 
-	      DHCP which stops anthing else caching these
+	      DHCP which stops anything else caching these
               names. Previously the TTL was derived from the lease
               time but that is incorrect since a lease can be given
               up early: dnsmasq would know this but anything with the
               name cached with long TTL would not be updated.
 
-	      Extended HAVE_IPV6 config flag to allow compliation on
+	      Extended HAVE_IPV6 config flag to allow compilation on
 	      old systems which don't have modern library routines
 	      like inet_ntop(). Thanks to Phil Harman for the patch.
 
@@ -471,7 +471,7 @@ release 1.14  Fixed man page description of -b option which confused
 	      /etc/resolv.conf.
 	      (Thanks to Klaas Teschauer)
 	      
-	      Check that recieved queries have only rfc1035-legal characters
+	      Check that received queries have only rfc1035-legal characters
 	      in them. This check is mainly to avoid bad strings being
 	      sent to syslog.
 
@@ -549,7 +549,7 @@ release 1.16  Allow "/" characters in domain names - this fixes
 
 release 1.17  Fixed crash with DHCP hostnames > 40 characters.
 
-              Fixed name-comparision routines to not depend on Locale,
+              Fixed name-comparison routines to not depend on Locale,
               in theory this versions since 1.15 could lock up or give
               wrong results when run with locale != 'C'.
 
@@ -574,7 +574,7 @@ release 1.18  Added round-robin DNS for names which have more than one
 	      forwarded because -D is in effect, return NXDOMAIN not
 	      an empty reply.
 
-	      Add code to return the software version in repsonse to the
+	      Add code to return the software version in response to the
 	      correct magic query in the same way as BIND. Use  
 	      "dig version.bind chaos txt" to make the query.
 
@@ -635,7 +635,7 @@ release 2.0
              dynamic allocation.
 
 	     Allow dhcp-host options for the same host with different
-	     IP adresses where the correct one will be selected for
+	     IP addresses where the correct one will be selected for
 	     the network the host appears on.
 
 	     Fix parsing of --dhcp-option to allow more than one
@@ -674,7 +674,7 @@ release 2.1
              
              Fix unaligned access warnings on BSD/Alpha.
 
-	     Allow empty DHCP options, like so: dhpc-option=44
+	     Allow empty DHCP options, like so: dhcp-option=44
  
              Allow single-byte DHCP options like so: dhcp-option=20,1
 
@@ -745,7 +745,7 @@ release 2.3
 	     around a bug in the DHCP client in HP Jetdirect printers.
 	     Thanks to Marko Stolle for finding this problem.
 
-	     Return DHCP T1 and T2 times, with "fuzz" to desychronise lease
+	     Return DHCP T1 and T2 times, with "fuzz" to desynchronise lease
 	     renewals, as specified in the RFC.
 	     
 	     Ensure that the END option is always present in DHCP
@@ -838,7 +838,7 @@ release 2.4
 	     by Chad Skeeters.
 
 	     Fixed bug in /etc/ethers parsing code triggered by tab
-	     characters. Qudos to Dag Wieers for hepling to nail that
+	     characters. Kudos to Dag Wieers for helping to nail that
 	     one.
  	     
 	     Added "bind-interfaces" option correctly.	     
@@ -975,7 +975,7 @@ release 2.8
 	     configuration. Specifically: (1) options are matched on
 	     the netids from dhcp-range, dhcp-host, vendor class and
 	     user class(es). Multiple net-ids are allowed and options
-	     are searched on them all. (2) matches agains vendor class
+	     are searched on them all. (2) matches against vendor class
 	     and user class are now on a substring, if the given
 	     string is a substring of the vendor/user class, then a
 	     match occurs. Thanks again to Richard Musil for prompting
@@ -997,7 +997,7 @@ release 2.8
 
 	     Add checks against DHCP clients which return zero-length
 	     hostnames. This avoids the potential lease-loss problems
-	     reffered to above. Also, if a client sends a hostname when
+	     referred to above. Also, if a client sends a hostname when
 	     it creates a lease but subsequently sends no or a
 	     zero-length hostname whilst renewing, continue to use the
 	     existing hostname, don't wipe it out. 
@@ -1010,7 +1010,7 @@ release 2.9
 	     but to the address of another interface were ignored
 	     unless the loopback interface was explicitly configured.
 	     2) on OpenBSD failure to configure one interface now
-	     causes a fatal error on startup rather than an huge
+	     causes a fatal error on startup rather than a huge
 	     stream of log messages. Thanks to Erik Jan Tromp for 
 	     finding that bug.
 
@@ -1019,7 +1019,7 @@ release 2.9
 	     broken. The new algorithm is to pick as before for the
 	     first try, but if a query is retried, to send to all
 	     available servers in parallel. The first one to reply
-	     then becomes prefered for the next query. This should 
+	     then becomes preferred for the next query. This should 
 	     improve reliability without generating significant extra
 	     upstream load.
 
@@ -1027,7 +1027,7 @@ release 2.9
 	     unqualified domains introduced in version 2.8 
 	      
 	     Allow fallback to "bind-interfaces" at runtime: Some
-	     verions of *BSD seem to have enough stuff in the header
+	     versions of *BSD seem to have enough stuff in the header
 	     files to build but no kernel support. Also now log if
 	     "bind-interfaces" is forced on.
 
@@ -1049,7 +1049,7 @@ release 2.9
 	     first name found is now returned for reverse lookups,
 	     rather than all of them.
 
-	     Add back fatal errors when nonexistant 
+	     Add back fatal errors when nonexistent 
 	     interfaces or interface addresses are given but only in
 	     "bind-interfaces" mode. Principle of least surprise applies.
 	     
@@ -1193,7 +1193,7 @@ version 2.14
 
 version 2.15
             Fixed NXDOMAIN/NODATA confusion for locally known
-            names. We now return a NODATA reponse for names which are
+            names. We now return a NODATA response for names which are
             locally known. Now a query for (eg AAAA or MX) for a name
 	    with an IPv4 address in /etc/hosts which fails upstream
             will generate a NODATA response. Note that the query 
@@ -1229,7 +1229,7 @@ version 2.16
 
             Set NONBLOCK on all listening sockets to workaround non-POSIX
             compliance in Linux 2.4 and 2.6. This fixes rare hangs which
-            occured when corrupted packets were received. Thanks to
+            occurred when corrupted packets were received. Thanks to
 	    Joris van Rantwijk for chasing that down.
  
 	    Updated config.h for NetBSD. Thanks to Martin Lambers.
@@ -1297,7 +1297,7 @@ version 2.18
 	    interfaces with more than one IPv6 address. Thanks to
             Martin Pels for help with that.
 
-	    Fix problems which occured when more than one dhcp-range
+	    Fix problems which occurred when more than one dhcp-range
 	    was specified in the same subnet: sometimes parameters
 	    (lease time, network-id tag) from the wrong one would be
 	    used. Thanks to Rory Campbell-Lange for the bug report.
@@ -1314,7 +1314,7 @@ version 2.19
 	    Thanks to Richard Atterer for the bug report.
 
 	    Check for under-length option fields in DHCP packets, a
-	    zero length client-id, in particluar, could seriously
+	    zero length client-id, in particular, could seriously
 	    confuse dnsmasq 'till now. Thanks to Will Murname for help
 	    with that.
 
@@ -1389,7 +1389,7 @@ version 2.21
 	    recursive queries.
 
 	    Fix DHCP address allocation problem when netid tags are in
-	    use. Thanks to Will Murnane for the bug report and
+	    use. Thanks to Will Murname for the bug report and
 	    subsequent testing.
 
 	    Add an additional data section to the reply for MX and SRV
@@ -1505,7 +1505,7 @@ version 2.23
             from dnsmasq --version. Thanks to Dirk Schenkewitz for 
             the suggestion. 
 
-	    Fix pathalogical behaviour when a broken client keeps sending
+	    Fix pathological behaviour when a broken client keeps sending
             DHCPDISCOVER messages repeatedly and fast. Because dealing with
             each of these takes a few seconds, (because of the ping) then a 
 	    queue of DHCP packets could build up. Now, the results of a ping 
@@ -1593,7 +1593,7 @@ version 2.24
 	    than one dhcp-range is available. Thanks to Sorin Panca
 	    for help chasing this down.
 
-	    Added more explict error mesages to the hosts file and
+	    Added more explicit error messages to the hosts file and
 	    ethers file reading code. Markus Kaiserswerth suffered to
 	    make this happen.
 
@@ -1617,7 +1617,7 @@ version 2.25
 
             Fixed Suse spec file - thanks to Steven Springl.
 
-	    Fixed DHCP bug when two distict subnets are on the same
+	    Fixed DHCP bug when two distinct subnets are on the same
 	    physical interface. Thanks to Pawel Zawora for finding
 	    this and suggesting the fix.
 
@@ -1740,7 +1740,7 @@ version 2.28
 	    Fixed regression in netlink code under 2.2.x kernels which 
 	    occurred in 2.27. Erik Jan Tromp is the vintage kernel fan 
 	    who found this. P.S. It looks like this "netlink bind:
-	    permission denied" problem occured in kernels at least as
+	    permission denied" problem occurred in kernels at least as
 	    late a 2.4.18. Good information from Alain Richoux.
 
 	    Added a warning when it's impossible to give a host its
@@ -1761,7 +1761,7 @@ version 2.28
 	    Eric House and Eric Spakman for help in chasing this down.
 
 	    Tolerate configuration screwups which lead to the DHCP
-	    server attemping to allocate its own address to a
+	    server attempting to allocate its own address to a
 	    client; eg setting the whole subnet range as a DHCP
 	    range. Addresses in use by the server are now excluded
 	    from use by clients.
@@ -2067,7 +2067,7 @@ version 2.36
 	    kernel. Thanks to Philip Wall for the bug report.
 
 	    Added --dhcp-bridge option, but only to the FreeBSD
-	    build. This fixes an oddity with a a particular bridged
+	    build. This fixes an oddity with a particular bridged
 	    network configuration on FreeBSD. Thanks to Luigi Rizzo
 	    for the patch.
 
@@ -2273,7 +2273,7 @@ version 2.40
 	    this.
 
 	    Use client-id as hash-seed for DHCP address allocation
-	    with Firewire and Infiniband, as these don't supply an MAC
+	    with Firewire and InfiniBand, as these don't supply a MAC
 	    address. 
 
 	    Tweaked TFTP file-open code to make it behave sensibly
@@ -2307,7 +2307,7 @@ version 2.40
 	    Continue to use unqualified hostnames provided by DHCP
 	    clients, even if the domain part is illegal. (The domain
 	    is	ignored, and an error logged.) Previously in this
-	    situation, the whole name whould have been
+	    situation, the whole name would have been
 	    rejected. Thanks to Jima for the patch.
 	    
 	    Handle EINTR returns from wait() correctly and reap
@@ -2319,7 +2319,7 @@ version 2.40
 	    leases file and passed to the lease-change
 	    script. Suggestion from Ben Voigt.
 
-	    Re-run the lease chamge script with an "old" event for
+	    Re-run the lease change script with an "old" event for
 	    each lease when dnsmasq receives a SIGHUP.
 
 	    Added more useful exit codes, including passing on a
@@ -2417,7 +2417,7 @@ version 2.41
 	    Changed behavior of DHCP server to always return total length of
 	    a new lease in DHCPOFFER, even if an existing lease
 	    exists. (It used to return the time remaining on the lease
-	    whne one existed.) This fixes problems with the Sony Ericsson
+	    when one existed.) This fixes problems with the Sony Ericsson
 	    K610i phone. Thanks to Hakon Stordahl for finding and
 	    fixing this.
 
@@ -2433,7 +2433,7 @@ version 2.41
 
 	    Add --dhcp-match flag, to check for arbitrary options in
 	    DHCP messages from clients. This enables use of dnsmasq
-	    with gPXE. Thanks to Rance Hall for the suggestion.
+	    with iPXE. Thanks to Rance Hall for the suggestion.
 
 	    Added --dhcp-broadcast, to force broadcast replies to DHCP
 	    clients which need them but are too dumb or too old to
@@ -2476,7 +2476,7 @@ version 2.42
 
 	    Fix OS detection logic to cope with GNU/FreeBSD.
 
-	    Fix unitialised variable in DBus code - thanks to Roy
+	    Fix uninitialised variable in DBus code - thanks to Roy
 	    Marples.
 
 	    Fix network enumeration code to work on later NetBSD -

FAQ

@@ -9,7 +9,7 @@ A: The high ports that dnsmasq opens are for replies from the upstream
    from port 53 the replies would be _to_ port 53 and get blocked.
 
    This is not a security hole since dnsmasq will only accept replies to that
-   port: queries are  dropped. The replies must be to oustanding queries
+   port: queries are dropped. The replies must be to outstanding queries
    which dnsmasq has forwarded, otherwise they are dropped too.
  
    Addendum: dnsmasq now has the option "query-port" (-Q), which allows
@@ -22,7 +22,7 @@ A: The high ports that dnsmasq opens are for replies from the upstream
    now uses a new, randomly selected, port for each query. The old
    default behaviour (use one port allocated by the OS) is available by
    setting --query-port=0, and setting the query port to a positive
-   value is still works. You should think hard and know what you are
+   value still works. You should think hard and know what you are
    doing before using either of these options.
  
 Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify
@@ -59,7 +59,7 @@ A: Yes, there is explicit support for *BSD and MacOS X and Solaris.
  
 Q: My company's nameserver knows about some names which aren't in the
    public DNS. Even though I put it first in /etc/resolv.conf, it
-   dosen't work: dnsmasq seems not to use the nameservers in the order
+   doesn't work: dnsmasq seems not to use the nameservers in the order
    given. What am I doing wrong?
 
 A: By default, dnsmasq treats all the nameservers it knows about as
@@ -112,7 +112,7 @@ A: Resolver code sometime does strange things when given names without
    hostname  will fix things. (ie "ping myhost" fails, but "ping
    myhost." works. The solution is to make sure that all your hosts
    have a domain set ("domain" in resolv.conf, or set a domain in 
-   your DHCP server, see below fr Windows XP and Mac OS X). 
+   your DHCP server, see below for Windows XP and Mac OS X). 
    Any domain  will do, but "localnet" is traditional. Now when you
    resolve "myhost" the resolver will attempt to look up 
    "myhost.localnet" so you need to have dnsmasq reply to that name. 
@@ -144,19 +144,19 @@ Q: Who are Verisign, what do they have to do with the bogus-nxdomain
    option in dnsmasq and why should I wory about it?
 
 A: [note: this was written in September 2003, things may well change.]
-   Versign run the .com and .net top-level-domains. They have just
+   Verisign run the .com and .net top-level-domains. They have just
    changed the configuration of their servers so that unknown .com and
    .net domains, instead of returning an error code NXDOMAIN, (no such
-   domain) return the address of a host at Versign which runs a web
+   domain) return the address of a host at Verisign which runs a web
    server showing a search page. Most right-thinking people regard
    this new behaviour as broken :-).  You can test to see if you are
-   suffering Versign brokeness by run a command like 
+   suffering Verisign brokenness by run a command like 
    
    host jlsdajkdalld.com
 
    If you get "jlsdajkdalld.com" does not exist, then all is fine, if
    host returns an IP address, then the DNS is broken. (Try a few
-   different unlikely domains, just in case you picked a wierd one
+   different unlikely domains, just in case you picked a weird one
    which really _is_ registered.)
 
    Assuming that your DNS is broken, and you want to fix it, simply
@@ -180,7 +180,7 @@ A: There are a couple of configuration gotchas which have been
    whilst the ISC one works.
 
    The first thing to check is the broadcast address set for the
-   ethernet interface. This is normally the adddress on the connected
+   ethernet interface. This is normally the address on the connected
    network with all ones in the host part. For instance if the 
    address of the ethernet interface is 192.168.55.7 and the netmask
    is 255.255.255.0 then the broadcast address should be
@@ -205,7 +205,7 @@ A: By default, none of the DHCP clients send the host-name when asking
    send with the "hostname" keyword in /etc/network/interfaces. (See
    "man interfaces" for details.) That doesn't work for dhclient, were
    you have to add something like "send host-name daisy" to
-   /etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send
+   /etc/dhclient.conf [Update: the latest dhcpcd packages _do_ send
    the hostname by default.
 
 Q: I'm network booting my machines, and trying to give them static
@@ -236,53 +236,70 @@ Q: What network types are supported by the DHCP server?
 A: Ethernet (and 802.11 wireless) are supported on all platforms. On
    Linux all network types (including FireWire) are supported.
 
-Q: What is this strange "bind-interface" option?
+Q: What are these strange "bind-interface" and "bind-dynamic" options?
 
-A: The DNS spec says that the reply to a DNS query must come from the
-   same address it was sent to. The traditional way to write an UDP
-   server to do this is to find all of the addresses belonging to the
-   machine (ie all the interfaces on the machine) and then create a
-   socket for each interface which is bound to the address of the
-   interface. Then when a packet is sent to address A, it is received
-   on the socket bound to address A and when the reply is also sent
-   via that socket, the source address is set to A by the kernel and
-   everything works. This is the how dnsmasq works when
-   "bind-interfaces" is set, with the obvious extension that is misses
-   out creating sockets for some interfaces depending on the
-   --interface, --address and --except-interface flags.  The
-   disadvantage of this approach is that it breaks if interfaces don't
-   exist or are not configured when the daemon starts and does the
-   socket creation step. In a hotplug-aware world this is a real
-   problem.
+A: Dnsmasq from v2.63 can operate in one of three different "networking
+   modes". This is unfortunate as it requires users configuring dnsmasq
+   to take into account some rather bizarre constraints and select the
+   mode which best fits the requirements of a particular installation.
+   The origin of these are deficiencies in the Unix networking
+   model and APIs and each mode has different advantages and
+   problems. Just to add to the confusion, not all modes are available on
+   all platforms (due the to lack of supporting network APIs).To further
+   add to the confusion, the rules for the DHCP subsystem on dnsmasq are
+   different to the rules for the DNS and TFTP subsystems.
 
-   The alternative approach is to have only one socket, which is bound
-   to the correct port and the wildcard IP address (0.0.0.0). That
-   socket will receive _all_ packets sent to port 53, no matter what
-   destination address they have. This solves the problem of
-   interfaces which are created or reconfigured after daemon
-   start-up. To make this work is more complicated because of the
-   "reply source address" problem. When a UDP packet is sent by a
-   socket bound to 0.0.0.0 its source address will be set to the
-   address of one of the machine's interfaces, but which one is not
-   determined and can vary depending on the OS being run. To get round
-   this it is neccessary to use a scary advanced API to determine the
-   address to which a query was sent, and force that to be the source
-   address in the reply. For IPv4 this stuff in non-portable and quite
-   often not even available (It's different between FreeBSD 5.x and
-   Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't
-   have it at all.) Hence "bind-interfaces" has to always be available
-   as a fall back. For IPv6 the API is standard and universally
-   available.
+   The three modes are "wildcard", "bind-interfaces" and "bind-dynamic".
 
-   It could be argued that if the --interface or --address flags are
-   used then binding interfaces is more appropriate, but using
-   wildcard binding means that dnsmasq will quite happily start up
-   after being told to use interfaces which don't exist, but which are
-   created later. Wildcard binding breaks the scenario when dnsmasq is
-   listening on one interface and another server (most probably BIND)
-   is listening on another. It's not possible for BIND to bind to an
-   (address,port) pair when dnsmasq has bound (wildcard,port), hence
-   the ability to explicitly turn off wildcard binding.
+   In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or
+   ::). This allows it to receive all the packets sent to the server on
+   the relevant port. Access control (--interface, --except-interface,
+   --listen-address, etc) is implemented by dnsmasq: it queries the
+   kernel to determine the interface on which a packet was received and
+   the address to which it was sent, and applies the configured
+   rules. Wildcard mode is the default if neither of the other modes are
+   specified. 
+
+   In "bind-interfaces" mode, dnsmasq runs through all the network
+   interfaces available when it starts, finds the set of IP addresses on
+   those interfaces, filters that set using the access control
+   configuration, and then binds the set of IP addresses. Only packets
+   sent to the allowed addresses are delivered by the kernel to dnsmasq.
+
+   In "bind-dynamic" mode, access control filtering is done both by
+   binding individual IP addresses, as for bind-interfaces, and by
+   inspecting individual packets on arrival as for wildcard mode. In
+   addition, dnsmasq notices when new interfaces appear or new addresses
+   appear on existing interfaces, and the resulting IP addresses are
+   bound automatically without having to restart dnsmasq.
+
+   The mode chosen has four different effects: co-existence with other
+   servers, semantics of --interface access control, effect of new
+   interfaces, and legality of --interface specifications for
+   non-existent interfaces. We will deal with these in order.
+
+   A dnsmasq instance running in wildcard mode precludes a machine from
+   running a second instance of dnsmasq or any other DNS, TFTP or DHCP
+   server. Attempts to do so will fail with an "address in use" error. 
+   Dnsmasq running in --bind-interfaces or bind-dynamic mode allow other
+   instances of dnsmasq or other servers, as long as no two servers are
+   configured to listen on the same interface address. 
+
+   The semantics of --interface varies subtly between wildcard or
+   bind-dynamic mode and bind-interfaces mode. The situation where this
+   matters is a request which arrives via one interface (A), but with a
+   destination address of a second interface (B) and when dnsmasq is
+   configured to listen only on B. In wildcard or bind-dynamic mode, such
+   a request will be ignored, in bind-interfaces mode, it will be
+   accepted.
+
+   The creation of new network interfaces after dnsmasq starts is ignored
+   by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic
+   mode, such interfaces are handled normally.
+
+   An --interface specification for a non-existent interface is a fatal
+   error at start-up when in --bind-interfaces mode, by just generates a
+   warning in wildcard or bind-dynamic mode.
 
 Q: Why doesn't Kerberos work/why can't I get sensible answers to
    queries for SRV records.
@@ -296,15 +313,25 @@ Q: Can I get email notification when a new version of dnsmasq is
    released?
 
 A: Yes, new releases of dnsmasq are always announced through
-   freshmeat.net, and they allow you to subcribe to email alerts when
+   freshmeat.net, and they allow you to subscribe to email alerts when
    new versions of particular projects are released. New releases are
    also announced in the dnsmasq-discuss mailing list, subscribe at 
    http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 Q: What does the dhcp-authoritative option do? 
 
-A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's
-   for the ISC daemon, but the same applies to dnsmasq.
+A: The DHCP spec says that when a DHCP server receives a renewal request
+   from a client it has no knowledge of, it should just ignore it.
+   This is because it's supported to have more than one DHCP server
+   on a network, and another DHCP server may be dealing with the client.
+   This has the unfortunate effect that when _no_ DHCP replies to 
+   the client, it takes some time for the client to time-out and start 
+   to get a new lease. Setting this option makes dnsmasq violate the
+   standard to the extent that it will send a NAK reply to the client, 
+   causing it to immediately start to get a new lease. This improves 
+   behaviour when machines move networks, and in the case that the DHCP
+   lease database is lost. As long as there are not more tha one DHCP
+   server on the network, it's safe to enable the option.
 
 Q: Why does my Gentoo box pause for a minute before getting a new
    lease?
@@ -332,18 +359,64 @@ A: By default, the identity of a machine is determined by using the
    method for setting the client-id varies with DHCP client software,
    dhcpcd uses the "-I" flag. Windows uses a registry setting,
    see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm
+
 Addendum:
    From version 2.46, dnsmasq has a solution to this which doesn't
    involve setting client-IDs. It's possible to put more than one MAC
    address in a --dhcp-host configuration. This tells dnsmasq that it
    should use the specified IP for any of the specified MAC addresses,
-   and furthermore it gives dnsmasq permission to sumarily abandon a
+   and furthermore it gives dnsmasq permission to summarily abandon a
    lease to one of the MAC addresses if another one comes along. Note
    that this will work fine only as longer as only one interface is
    up at any time. There is no way for dnsmasq to enforce this
    constraint: if you configure multiple MAC addresses and violate 
    this rule, bad things will happen.
 
+Addendum-II: The link above is dead, the former contents of the link are:
+
+------------------------------------------------------------------------------
+How can I keep the same DHCP client reservation, if the MAC address changes?
+
+When you reserve an IP address for a DHCP client, you provide the
+MAC address of the client's NIC.
+
+It is possible to use a custom identifier, which is sent as 
+option 61 in the client's DHCP Discover and Request packet.
+
+The DhcpClientIdentifier is a REG_DWORD value that is located at:
+
+Windows NT 4.0 SP2+
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter Name>'X'\Parameters\Tcpip
+
+where <Adapter Name> is the NIC driver name and 'X' is the number of the NIC.
+
+Windows 2000
+
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIp\Parameters\Interfaces\<NIC GUID>
+
+where <NIC GUID> is the GUID of the NIC.
+
+The valid range of data is 0x0 - 0xFFFFFFFF. The custom identifier is send as 4 bytes, 
+8 hexadecimal character, in groups of 2 hexadecimal characters, with the groups being 
+sent in reverse order. If the custom identifier is less than 8 hexadeciaml characters, 
+it is zero padded at the end. Examples:
+
+Custom Client                 Client Reservation
+Identifier                    on DHCP Server
+12345678                      78563412
+123456                        56341200
+1234                          34120000
+1234567                       67452301
+12345                         45230100
+123                           23010000
+A18F42                        428FA100
+CF432                         32F40C00
+C32D1BE                       BED1320C
+
+-------------------------------------------------------------------------------------------------------
+
+
 Q: Can dnsmasq do DHCP on IP-alias interfaces?
 
 A: Yes, from version-2.21. The support is only available running under
@@ -354,7 +427,7 @@ A: Yes, from version-2.21. The support is only available running under
    If a physical interface has more than one IP address or aliases
    with extra IP addresses, then any dhcp-ranges corresponding to
    these addresses can be used for address allocation. So if an
-   interface has addresses 192.168.1.0/24 and 192.68.2.0/24 and there
+   interface has addresses 192.168.1.0/24 and 192.168.2.0/24 and there
    are DHCP ranges 192.168.1.100-192.168.1.200 and
    192.168.2.100-192.168.2.200 then both ranges would be used for host
    connected to the physical interface. A more typical use might be to
@@ -381,7 +454,7 @@ A: Probably the nameserver is an authoritative nameserver for a
 Q: Does the dnsmasq DHCP server probe addresses before allocating
    them, as recommended in RFC2131?
 
-A: Yes, dynmaically allocated IP addresses are checked by sending an
+A: Yes, dynamically allocated IP addresses are checked by sending an
    ICMP echo request (ping). If a reply is received, then dnsmasq
    assumes that the address is in use, and attempts to allocate an
    different address. The wait for a reply is between two and three
@@ -413,10 +486,11 @@ A: Change your kernel configuration: either deselect CONFIG_SECURITY
    _or_ select CONFIG_SECURITY_CAPABILITIES. Alternatively, you can 
    remove the need to set capabilities by running dnsmasq as root.
 
-Q: Where can I get .rpms Suitable for Suse?
 
-A: Dnsmasq is in Suse itself, and the latest releases are also
-   available at ftp://ftp.suse.com/pub/people/ug/
+Q: Where can I get .rpms Suitable for openSUSE/SLES?
+
+A: Dnsmasq is in openSUSE itself, and the latest releases are also
+   available at http://download.opensuse.org/repositories/network/
 
 
 Q: Can I run dnsmasq in a Linux vserver?
@@ -456,8 +530,28 @@ A: In almost all cases: none. If you have the normal arrangement with
    and turn on syslog-ng's dns-cache function.
 
 
+Q: DHCP doesn't work with windows Vista, but everything else is fine.
 
+A: The DHCP client on windows Vista (and possibly later versions)
+   demands that the DHCP server send replies as broadcasts. Most other
+   clients don't do this. The broadcasts are send to
+   255.255.255.255. A badly configured firewall which blocks such
+   packets will show exactly these symptoms (Vista fails, others
+   work).
 
+  
+Q: DHCP doesn't work with windows 7 but everything else is fine.
+
+A: There seems to be a problem if Windows 7 doesn't get a value for
+   DHCP option 252 in DHCP packets it gets from the server. The
+   symptoms have been variously reported as continual DHCPINFORM
+   requests in an attempt to get an option-252, or even ignoring DHCP
+   offers completely (and failing to get an IP address) if there is no
+   option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy 
+   Auto Detection and if you don't want or need to use that, then 
+   simplest fix seems to be to supply an empty option with:
+
+   dhcp-option=252,"\n"
 
 
 

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2009 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2016 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -13,66 +13,160 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-PREFIX = /usr/local
-BINDIR = ${PREFIX}/sbin
-MANDIR = ${PREFIX}/share/man
-LOCALEDIR = ${PREFIX}/share/locale
+# NOTE: Building the i18n targets requires GNU-make 
 
-SRC = src
-PO = po
-MAN = man
 
-PKG_CONFIG = pkg-config
-INSTALL = install
-MSGMERGE = msgmerge
-MSGFMT = msgfmt
-XGETTEXT = xgettext
+# Variables you may well want to override.
+
+PREFIX        = /usr/local
+BINDIR        = $(PREFIX)/sbin
+MANDIR        = $(PREFIX)/share/man
+LOCALEDIR     = $(PREFIX)/share/locale
+BUILDDIR      = $(SRC)
+DESTDIR       = 
+CFLAGS        = -Wall -W -O2
+LDFLAGS       = 
+COPTS         = 
+RPM_OPT_FLAGS = 
+LIBS          = 
 
 #################################################################
 
-DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
-DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
-SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
+# Variables you might want to override.
 
-all :   dnsmasq
+PKG_CONFIG = pkg-config
+INSTALL    = install
+MSGMERGE   = msgmerge
+MSGFMT     = msgfmt
+XGETTEXT   = xgettext
 
-dnsmasq :
-	@cd $(SRC) && $(MAKE) \
- DNSMASQ_CFLAGS="$(DNSMASQ_CFLAGS)" \
- DNSMASQ_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS)" \
- -f ../bld/Makefile dnsmasq 
+SRC = src
+PO  = po
+MAN = man
 
-clean :
-	rm -f *~ $(SRC)/*.mo contrib/*/*~ */*~ $(SRC)/*.pot 
-	rm -f $(SRC)/*.o $(SRC)/dnsmasq.a $(SRC)/dnsmasq core */core
+#################################################################
+
+# pmake way. (NB no spaces to keep gmake 3.82 happy)
+top!=pwd
+# GNU make way.
+top?=$(CURDIR)
+
+dbus_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
+dbus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS $(PKG_CONFIG) --copy -lubox -lubus`
+idn_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` 
+idn_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` 
+idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
+idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
+ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
+ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
+sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+
+sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
+sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
+copts_conf = .copts_$(sum)
+
+objs = cache.o rfc1035.o util.o option.o forward.o network.o \
+       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
+       helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
+       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
+
+hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
+       dns-protocol.h radv-protocol.h ip6addr.h metrics.h
+
+all : $(BUILDDIR)
+	@cd $(BUILDDIR) && $(MAKE) \
+ top="$(top)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)" \
+ -f $(top)/Makefile dnsmasq 
+
+mostly_clean :
+	rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot 
+	rm -f $(BUILDDIR)/.copts_* $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq
+
+clean : mostly_clean
+	rm -f $(BUILDDIR)/dnsmasq_baseline
+	rm -f core */core
+	rm -f *~ contrib/*/*~ */*~
 
 install : all install-common
 
 install-common :
-	$(INSTALL) -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
-	$(INSTALL) -m 755 $(SRC)/dnsmasq $(DESTDIR)$(BINDIR)
+	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)
 
-all-i18n :
-	@cd $(SRC) && $(MAKE) \
- I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' \
- DNSMASQ_CFLAGS="$(DNSMASQ_CFLAGS) `$(PKG_CONFIG) --cflags libidn`" \
- DNSMASQ_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS) `$(PKG_CONFIG) --libs libidn`"  \
- -f ../bld/Makefile dnsmasq 
-	@cd $(PO); for f in *.po; do \
-		cd ../$(SRC) && $(MAKE) \
- MSGMERGE=$(MSGMERGE) MSGFMT=$(MSGFMT) XGETTEXT=$(XGETTEXT) \
- -f ../bld/Makefile $${f%.po}.mo; \
+all-i18n : $(BUILDDIR)
+	@cd $(BUILDDIR) && $(MAKE) \
+ top="$(top)" \
+ i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)"  \
+ -f $(top)/Makefile dnsmasq
+	for f in `cd $(PO); echo *.po`; do \
+		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
 	done
 
 install-i18n : all-i18n install-common
-	cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
+	cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
 	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 
-merge :
-	@cd $(SRC) && $(MAKE) XGETTEXT=$(XGETTEXT) -f ../bld/Makefile dnsmasq.pot
-	@cd $(PO); for f in *.po; do \
-		echo -n msgmerge $$f && $(MSGMERGE) --no-wrap -U $$f ../$(SRC)/dnsmasq.pot; \
+merge : 
+	@cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile dnsmasq.pot
+	for f in `cd $(PO); echo *.po`; do \
+		echo -n msgmerge $(PO)/$$f && $(MSGMERGE) --no-wrap -U $(PO)/$$f $(BUILDDIR)/dnsmasq.pot; \
 	done
 
+# Canonicalise .po file.
+%.po : 
+	@cd $(BUILDDIR) && $(MAKE) -f $(top)/Makefile dnsmasq.pot
+	mv $(PO)/$*.po $(PO)/$*.po.orig && $(MSGMERGE) --no-wrap $(PO)/$*.po.orig $(BUILDDIR)/dnsmasq.pot >$(PO)/$*.po; 
 
+$(BUILDDIR):
+	mkdir -p $(BUILDDIR)
+
+# rules below are helpers for size tracking
+
+baseline : mostly_clean all
+	@cd $(BUILDDIR) && \
+	   mv dnsmasq dnsmasq_baseline
+
+bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all
+	@cd $(BUILDDIR) && \
+           $(top)/bld/bloat-o-meter dnsmasq_baseline dnsmasq; \
+           size dnsmasq_baseline dnsmasq
+
+# rules below are targets in recursive makes with cwd=$(BUILDDIR)
+
+$(copts_conf): $(hdrs)
+	@rm -f *.o .copts_*
+	@touch $@
+
+$(objs:.o=.c) $(hdrs):
+	ln -s $(top)/$(SRC)/$@ .
+
+$(objs): $(copts_conf) $(hdrs)
+
+.c.o:
+	$(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $<	
+
+dnsmasq : $(objs)
+	$(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) 
+
+dnsmasq.pot : $(objs:.o=.c) $(hdrs)
+	$(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(objs:.o=.c)
+
+%.mo : $(top)/$(PO)/%.po dnsmasq.pot
+	$(MSGMERGE) -o - $(top)/$(PO)/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo -
+
+.PHONY : all clean mostly_clean install install-common all-i18n install-i18n merge baseline bloatcheck

VERSION

@@ -0,0 +1 @@
+$Format:%d$

bld/Android.mk

@@ -0,0 +1,25 @@
+LOCAL_PATH := external/dnsmasq/src
+
+#########################
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
+                    forward.c helper.c lease.c log.c \
+                    netlink.c network.c option.c rfc1035.c \
+		    rfc2131.c tftp.c util.c conntrack.c \
+		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
+		    radv.c slaac.c auth.c ipset.c domain.c \
+	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
+		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
+		    crypto.c dump.c ubus.c
+
+LOCAL_MODULE := dnsmasq
+
+LOCAL_C_INCLUDES := external/dnsmasq/src
+
+LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT
+LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils
+
+LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog
+
+include $(BUILD_EXECUTABLE)

bld/Makefile

@@ -1,17 +0,0 @@
-CFLAGS = -Wall -W -O2
-
-OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
-       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
-       helper.o tftp.o log.o
-
-.c.o:
-	$(CC) $(CFLAGS) $(COPTS) $(I18N) $(DNSMASQ_CFLAGS) $(RPM_OPT_FLAGS) -c $<
-
-dnsmasq : $(OBJS)
-	$(CC) $(LDFLAGS) -o $@  $(OBJS) $(DNSMASQ_LIBS) $(LIBS) 
- 
-dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
-	$(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(OBJS:.o=.c)
-
-%.mo : ../po/%.po dnsmasq.pot
-	$(MSGMERGE) -o - ../po/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo -

bld/bloat-o-meter

@@ -0,0 +1,130 @@
+#!/usr/bin/env python
+#
+# Copyright 2004 Matt Mackall <mpm@selenic.com>
+#
+# Inspired by perl Bloat-O-Meter (c) 1997 by Andi Kleen
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+
+import sys, os#, re
+
+def usage():
+    sys.stderr.write("usage: %s [-t] file1 file2\n" % sys.argv[0])
+    sys.exit(-1)
+
+f1, f2 = (None, None)
+flag_timing, dashes = (False, False)
+
+for f in sys.argv[1:]:
+    if f.startswith("-"):
+        if f == "--": # sym_args
+            dashes = True
+            break
+        if f == "-t": # timings
+            flag_timing = True
+    else:
+        if not os.path.exists(f):
+            sys.stderr.write("Error: file '%s' does not exist\n" % f)
+            usage()
+        if f1 is None:
+            f1 = f
+        elif f2 is None:
+            f2 = f
+if flag_timing:
+    import time
+if f1 is None or f2 is None:
+    usage()
+
+sym_args = " ".join(sys.argv[3 + flag_timing + dashes:])
+def getsizes(file):
+    sym, alias, lut = {}, {}, {}
+    for l in os.popen("readelf -W -s %s %s" % (sym_args, file)).readlines():
+        l = l.strip()
+        if not (len(l) and l[0].isdigit() and len(l.split()) == 8):
+            continue
+        num, value, size, typ, bind, vis, ndx, name = l.split()
+        if ndx == "UND": continue # skip undefined
+        if typ in ["SECTION", "FILES"]: continue # skip sections and files
+        if "." in name: name = "static." + name.split(".")[0]
+        value = int(value, 16)
+        size = int(size, 16) if size.startswith('0x') else int(size)
+        if vis != "DEFAULT" and bind != "GLOBAL": # see if it is an alias
+            alias[(value, size)] = {"name" : name}
+        else:
+            sym[name] = {"addr" : value, "size":  size}
+            lut[(value, size)] = 0
+    for addr, sz in iter(alias.keys()):
+        # If the non-GLOBAL sym has an implementation elsewhere then
+        # it's an alias, disregard it.
+        if not (addr, sz) in lut:
+            # If this non-GLOBAL sym does not have an implementation at
+            # another address, then treat it as a normal symbol.
+            sym[alias[(addr, sz)]["name"]] = {"addr" : addr, "size": sz}
+    for l in os.popen("readelf -W -S " + file).readlines():
+        x = l.split()
+        if len(x)<6: continue
+        # Should take these into account too!
+        #if x[1] not in [".text", ".rodata", ".symtab", ".strtab"]: continue
+        if x[1] not in [".rodata"]: continue
+        sym[x[1]] = {"addr" : int(x[3], 16), "size" : int(x[5], 16)}
+    return sym
+
+if flag_timing:
+    start_t1 = int(time.time() * 1e9)
+old = getsizes(f1)
+if flag_timing:
+    end_t1 = int(time.time() * 1e9)
+    start_t2 = int(time.time() * 1e9)
+new = getsizes(f2)
+if flag_timing:
+    end_t2 = int(time.time() * 1e9)
+    start_t3 = int(time.time() * 1e9)
+grow, shrink, add, remove, up, down = 0, 0, 0, 0, 0, 0
+delta, common = [], {}
+
+for name in iter(old.keys()):
+    if name in new:
+        common[name] = 1
+
+for name in old:
+    if name not in common:
+        remove += 1
+        sz = old[name]["size"]
+        down += sz
+        delta.append((-sz, name))
+
+for name in new:
+    if name not in common:
+        add += 1
+        sz = new[name]["size"]
+        up += sz
+        delta.append((sz, name))
+
+for name in common:
+        d = new[name].get("size", 0) - old[name].get("size", 0)
+        if d>0: grow, up = grow+1, up+d
+        elif d<0: shrink, down = shrink+1, down-d
+        else:
+            continue
+        delta.append((d, name))
+
+delta.sort()
+delta.reverse()
+if flag_timing:
+    end_t3 = int(time.time() * 1e9)
+
+print("%-48s %7s %7s %+7s" % ("function", "old", "new", "delta"))
+for d, n in delta:
+    if d:
+        old_sz = old.get(n, {}).get("size", "-")
+        new_sz = new.get(n, {}).get("size", "-")
+        print("%-48s %7s %7s %+7d" % (n, old_sz, new_sz, d))
+print("-"*78)
+total="(add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s)%%sTotal: %s bytes"\
+    % (add, remove, grow, shrink, up, -down, up-down)
+print(total % (" "*(80-len(total))))
+if flag_timing:
+    print("\n%d/%d; %d Parse origin/new; processing nsecs" %
+        (end_t1-start_t1, end_t2-start_t2, end_t3-start_t3))
+    print("total nsecs: %d" % (end_t3-start_t1))

bld/get-version

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Determine the version string to build into a binary.
+# When building in the git repository, we can use the output 
+# of "git describe" which gives an unequivocal answer.
+#
+# Failing that, we use the contents of the VERSION file
+# which has a set of references substituted into it by git.
+# If we can find one which matches $v[0-9].* then we assume it's
+# a version-number tag, else we just use the whole string.
+# If there is more than one v[0-9].* tag, sort them and use the
+# first. This favours, eg v2.63 over 2.63rc6.
+
+# Change directory to the toplevel source directory.
+if test -z "$1" || ! test -d "$1" || ! cd "$1"; then
+    echo "$0: First argument $1 must be toplevel dir." >&2
+    exit 1
+fi
+
+if which git >/dev/null 2>&1 && \
+    ([ -d .git ] || grep '^gitdir:' .git >/dev/null 2>&1) && \
+    git describe >/dev/null 2>&1; then 
+    git describe | sed 's/^v//'
+elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
+    # unsubstituted VERSION, but no git available.
+    echo UNKNOWN
+else
+     vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]`
+
+     if [ $? -eq 0 ]; then
+         echo "${vers}" | sort -r | head -n 1 | sed 's/^v//'
+     else
+         cat $1/VERSION
+     fi
+fi
+
+exit 0
+

bld/install-man

@@ -4,6 +4,6 @@ for f in *; do
   if [ -d $f ]; then
      $2 -m 755 -d $1/$f/man8 
      $2 -m 644 $f/dnsmasq.8 $1/$f/man8
-     echo installing $1/$f/man8/dnsmasq.8
+     echo installing $f/man8/dnsmasq.8
   fi
 done

bld/install-mo

@@ -3,7 +3,7 @@
 for f in *.mo; do
   $2 -m 755 -d $1/${f%.mo}/LC_MESSAGES
   $2 -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
-  echo installing $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo
+  echo installing ${f%.mo}/LC_MESSAGES/dnsmasq.mo
 done
 
 

bld/pkg-wrapper

@@ -2,10 +2,39 @@
 
 search=$1
 shift
+pkg=$1
+shift
+op=$1
+shift
 
-if grep "^\#.*define.*$search" config.h 2>&1 >/dev/null || \
-   grep $search 2>&1 >/dev/null ; then
-  exec $*
+in=`cat`
+
+if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
+    echo $in | grep $search >/dev/null 2>&1; then
+# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
+    if [ $op = "--copy" ]; then
+	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
+            echo $in | grep $pkg >/dev/null 2>&1; then
+	    pkg=""
+	else 
+	    pkg="$*"
+	fi
+    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+	pkg=`$pkg  --static $op $*`
+    else
+	pkg=`$pkg $op $*`
+    fi
+
+    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
+	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
+	else
+	    echo "$pkg" 
+	fi
+    else
+	echo "$pkg"
+    fi
 fi
 
-

contrib/CPE-WAN/README

@@ -0,0 +1,36 @@
+Dnsmasq from version 2.52 has a couple of rather application-specific
+features designed to allow for implementation of the DHCP part of CPE
+WAN management protocol.
+
+http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf
+http://en.wikipedia.org/wiki/TR-069
+
+The relevant sections are F.2.1 "Gateway Requirements" and F.2.5 "DHCP
+Vendor Options".
+
+First, dnsmasq checks for DHCP requests which contain an option-125
+vendor-class option which in turn holds a vendor section for IANA
+enterprise number 3561 which contains sub-options codes 1 and 2. If
+this is present  then the network-tag "cpewan-id" is set. 
+This allows dnsmasq to be configured to reply with the correct 
+GatewayManufacturerOUI, GatewaySerialNumber and GatewayProductClass like this:
+
+dhcp-option=cpewan-id,vi-encap:3561,4,"<GatewayManufacturerOUI>"
+dhcp-option=cpewan-id,vi-encap:3561,5,"<SerialNumber>"
+dhcp-option=cpewan-id,vi-encap:3561,6,"<ProductClass>"
+
+Second, the received sub-options 1, 2, and 3 are passed to the DHCP
+lease-change script as the environment variables DNSMASQ_CPEWAN_OUI,
+DNSMASQ_CPEWAN_SERIAL, and DNSMASQ_CPEWAN_CLASS respectively. This allows
+the script to be used to maintain a ManageableDevice table as
+specified in F.2.1. Note that this data is not retained in dnsmasq's
+internal DHCP lease database, so it is not available on every call to 
+the script (this is the same as some other data such as vendor and
+user classes). It will however be available for at least the "add"
+call, and should be stored then against the IP address as primary 
+key for future use.
+
+
+This feature was added to dnsmasq under sponsorship from Ericsson.
+
+

contrib/MacOSX-launchd/launchd-README.txt

@@ -0,0 +1,38 @@
+This is a launchd item for Mac OS X and Mac OS X Server.
+For more information about launchd, the
+"System wide and per-user daemon/agent manager", see the launchd
+man page, or the wikipedia page: http://en.wikipedia.org/wiki/Launchd
+
+This launchd item uses the following flags:
+--keep-in-foreground - this is crucial for use with launchd
+--log-queries - this is optional and you can remove it
+--log-facility=/var/log/dnsmasq.log - again optional instead of system.log
+
+To use this launchd item for dnsmasq:
+
+If you don't already have a folder /Library/LaunchDaemons, then create one:
+sudo mkdir /Library/LaunchDaemons
+sudo chown root:admin /Library/LaunchDaemons
+sudo chmod 775 /Library/LaunchDaemons 
+
+Copy uk.org.thekelleys.dnsmasq.plist there and then set ownership/permissions:
+sudo cp uk.org.thekelleys.dnsmasq.plist /Library/LaunchDaemons/
+sudo chown root:admin /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+sudo chmod 644 /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+Optionally, edit your dnsmasq configuration file to your liking.
+
+To start the launchd job, which starts dnsmasq, reboot or use the command:
+sudo launchctl load /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+To stop the launchd job, which stops dnsmasq, use the command:
+sudo launchctl unload /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+If you want to permanently stop the launchd job, so it doesn't start the job even after a reboot, use the following command:
+sudo launchctl unload -w /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+
+If you make a change to the configuration file, you should relaunch dnsmasq;
+to do this unload and then load again:
+
+sudo launchctl unload /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
+sudo launchctl load /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist

contrib/MacOSX-launchd/uk.org.thekelleys.dnsmasq.plist

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>uk.org.thekelleys.dnsmasq</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/usr/local/sbin/dnsmasq</string>
+		<string>--keep-in-foreground</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>

contrib/Solaris10/README-sparc

@@ -0,0 +1,8 @@
+Hi Simon,
+
+I just wanted to let you know that I have built a Solaris .pkg install package of your dnsmasq utility for people to use.  Feel free to point them in my direction if you have people who want this sort of thing.
+
+http://ejesconsulting.wordpress.com/2010/05/12/gnu-dnsmasq-for-opensolaris-sparc/
+
+Thanks
+-evan

contrib/Solaris10/README.create_package

@@ -0,0 +1,25 @@
+Ok, script attached ... seems to be working ok for me, 
+tried to install and remove a few times. It does the
+right thing with the smf when installing, you can then 
+simply enable the service. Upon removal it cleans up the
+files but won't clean up the services (I think until
+a reboot) ... I've only started looking at the new 
+packages stuff in the last day or two, so I could be 
+missing something, but I can't find any way to force
+ a proper cleanup.
+
+It requires that you have a writable repository setup 
+as per the docs on the opensolaris website and it will
+create a dnsmasq package (package name is a variable 
+in the script). The script takes a version number for 
+the package and assumes that it's in the contrib/Solaris10 
+directory, it then works out the base tree directory 
+from $0.
+
+i.e.  $ contrib/Solaris10/create_package 2.52-1
+or   $ cd contrib/Solaris10; ./create_package 2.52-1
+
+It's a bit more complex than it could be because I 
+prefer putting the daemon in /usr/sbin and the config 
+in /etc, so the script will actually create a new 
+version of the existing contrib dnsmasq.xml.

contrib/Solaris10/create_package

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+#
+# For our package, and for the SMF script, we need to define where we
+# want things to go...
+#
+BIN_DIR="/usr/sbin"
+CONF_DIR="/etc"
+MAN_DIR="/usr/share/man/man8"
+
+PACKAGE_NAME="dnsmasq"
+
+#
+# Since we know we are in the contrib directory we can work out where
+# the rest of the tree is...
+#
+BASEDIR="`dirname $0`/../.."
+
+#
+# We need a version number to use for the package creation...
+#
+if [ $# != 1 ]; then
+	echo "Usage: $0 <package_version_number>" >&2
+	exit 1
+fi
+VERSION="$1"
+
+#
+# First thing we do is fix-up the smf file to use the paths we prefer...
+#
+if [ ! -f "${BASEDIR}/contrib/Solaris10/dnsmasq.xml" ]; then
+	echo "$0: unable to find contrib/Solaris10/dnsmasq.xml" >&2
+	exit 1
+fi
+
+echo "Fixing up smf file ... \c"
+cat "${BASEDIR}/contrib/Solaris10/dnsmasq.xml" | \
+	sed 	-e "s%/usr/local/etc%${CONF_DIR}%" \
+		-e "s%/usr/local/sbin%${BIN_DIR}%" \
+		-e "s%/usr/local/man%${MAN_DIR}%" > ${BASEDIR}/contrib/Solaris10/dnsmasq-pkg.xml
+echo "done."
+
+echo "Creating packaging file ... \c"
+cat <<EOF >${BASEDIR}/contrib/Solaris10/dnsmasq_package.inc
+#
+# header
+#
+set name=pkg.name		value="dnsmasq"
+set name=pkg.description	value="dnsmasq daemon - dns, dhcp, tftp etc"
+set name=pkg.detailed_url	value="http://www.thekelleys.org.uk/dnsmasq/doc.html"
+set name=info.maintainer	value="TBD (tbd@tbd.com)"
+set name=info.upstream		value="dnsmasq-discuss@lists.thekelleys.org.uk"
+set name=info.upstream_url	value="http://www.thekelleys.org.uk/dnsmasq/doc.html"
+#
+# dependencies ... none?
+#
+
+#
+# directories
+#
+dir mode=0755 owner=root group=bin path=${BIN_DIR}/
+dir mode=0755 owner=root group=sys path=${CONF_DIR}/
+dir mode=0755 owner=root group=sys path=${MAN_DIR}/
+dir mode=0755 owner=root group=sys path=/var/
+dir mode=0755 owner=root group=sys path=/var/svc
+dir mode=0755 owner=root group=sys path=/var/svc/manifest
+dir mode=0755 owner=root group=sys path=/var/svc/manifest/network
+
+#
+# files
+#
+file ${BASEDIR}/src/dnsmasq mode=0555 owner=root group=bin path=${BIN_DIR}/dnsmasq
+file ${BASEDIR}/man/dnsmasq.8 mode=0555 owner=root group=bin path=${MAN_DIR}/dnsmasq.8
+file ${BASEDIR}/dnsmasq.conf.example mode=0644 owner=root group=sys path=${CONF_DIR}/dnsmasq.conf preserve=strawberry
+file ${BASEDIR}/contrib/Solaris10/dnsmasq-pkg.xml mode=0644 owner=root group=sys path=/var/svc/manifest/network/dnsmasq.xml restart_fmri=svc:/system/manifest-import:default
+
+EOF
+echo "done."
+
+echo "Creating package..."
+eval `pkgsend open ${PACKAGE_NAME}@${VERSION}`
+pkgsend include ${BASEDIR}/contrib/Solaris10/dnsmasq_package.inc
+if [ "$?" = 0 ]; then
+	pkgsend close
+else
+	echo "Errors"
+fi

contrib/Suse/README.susefirewall

@@ -1,9 +1,9 @@
 This is a patch against SuSEfirewall2-3.1-206 (SuSE 9.x and older)
-It fixes the depancy from the dns daemon name 'named'
+It fixes the dependency from the dns daemon name 'named'
 After appending the patch, the SuSEfirewall is again able to autodetect 
 the dnsmasq named service.
 This is a very old bug in the SuSEfirewall script.
-The SuSE people think the name of the dns server will allways 'named'
+The SuSE people think the name of the dns server will always 'named'
 
 
 --- /sbin/SuSEfirewall2.orig	2004-01-23 13:30:09.000000000 +0100

contrib/conntrack/README

@@ -0,0 +1,54 @@
+Linux iptables includes that ability to mark individual network packets
+with a "firewall mark".  Additionally there is a component called
+"conntrack" which tries to string sequences of related packets together
+into a "connection" (it even relates sequences of UDP and ICMP packets).
+ There is a related mark for a connection called a "connection mark".
+Marks can be copied freely between the firewall and connection marks
+
+Using these two features it become possible to tag all related traffic
+in arbitrary ways, eg authenticated users, traffic from a particular IP,
+port, etc. Unfortunately any kind of "proxy" breaks this relationship
+because network packets go in one side of the proxy and a completely new
+connection comes out of the other side.  However, sometimes, we want to
+maintain that relationship through the proxy and continue the connection
+mark on packets upstream of our proxy
+
+Dnsmasq includes such a feature enabled by the --conntrack
+option. This allows, for example, using iptables to mark traffic from
+a particular IP, and that mark to be persisted to requests made *by*
+Dnsmasq. Such a feature could be useful for bandwidth accounting,
+captive portals and the like. Note a similar feature has been 
+implemented in Squid 2.2
+
+
+As an example consider the following iptables rules:
+
+
+1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
+2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137
+-j MARK --set-mark 137
+3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
+
+4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
+
+1-3) are all applied to the PREROUTING table and affect all packets
+entering the firewall.
+
+1) copies any existing connection mark into the firewall mark. 2) Checks
+the packet not already marked and if not applies an arbitrary mark based
+on IP address. 3) Saves the firewall mark back to the connection mark
+(which will persist it across related packets)
+
+4) is applied to the OUTPUT table, which is where we first see packets
+generated locally. Dnsmasq will have already copied the firewall mark
+from the request, across to the new packet, and so all that remains is
+for iptables to copy it to the connection mark so it's persisted across
+packets.
+
+Note: iptables can be quite confusing to the beginner. The following
+diagram is extremely helpful in understanding the flows
+	http://linux-ip.net/nf/nfk-traversal.png
+Additionally the following URL contains a useful "starting guide" on
+linux connection tracking/marking
+	http://home.regit.org/netfilter-en/netfilter-connmark/
+

contrib/dbus-test/dbus-test.py

@@ -0,0 +1,43 @@
+#!/usr/bin/python
+import dbus
+
+bus = dbus.SystemBus()
+p = bus.get_object("uk.org.thekelleys.dnsmasq", "/uk/org/thekelleys/dnsmasq")
+l = dbus.Interface(p, dbus_interface="uk.org.thekelleys.dnsmasq")
+
+# The new more flexible SetServersEx method
+array = dbus.Array()
+array.append(["1.2.3.5"])
+array.append(["1.2.3.4#664", "foobar.com"])
+array.append(["1003:1234:abcd::1%eth0", "eng.mycorp.com", "lab.mycorp.com"])
+print l.SetServersEx(array)
+
+# Must create a new object for dnsmasq as the introspection gives the wrong
+# signature for SetServers (av) while the code only expects a bunch of arguments
+# instead of an array of variants
+p = bus.get_object("uk.org.thekelleys.dnsmasq", "/uk/org/thekelleys/dnsmasq", introspect=False)
+l = dbus.Interface(p, dbus_interface="uk.org.thekelleys.dnsmasq")
+
+# The previous method; all addresses in machine byte order
+print l.SetServers(dbus.UInt32(16909060), # 1.2.3.5
+                   dbus.UInt32(16909061), # 1.2.3.4
+                   "foobar.com",
+                   dbus.Byte(0x10),       # 1003:1234:abcd::1
+                   dbus.Byte(0x03),
+                   dbus.Byte(0x12),
+                   dbus.Byte(0x34),
+                   dbus.Byte(0xab),
+                   dbus.Byte(0xcd),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x00),
+                   dbus.Byte(0x01),
+                   "eng.mycorp.com",
+                   "lab.mycorp.com")
+

contrib/lease-access/lease.access.patch

@@ -55,7 +55,7 @@ Index: src/dnsmasq.c
  	    }     
  
 @@ -434,7 +433,7 @@
- 	  /* lose the setuid and setgid capbilities */
+ 	  /* lose the setuid and setgid capabilities */
  	  if (capset(hdr, data) == -1)
  	    {
 -	      send_event(err_pipe[1], EVENT_CAP_ERR, errno);

contrib/lease-tools/Makefile

@@ -0,0 +1,6 @@
+CFLAGS?= -O2 -Wall -W
+
+all: dhcp_release dhcp_release6 dhcp_lease_time
+
+clean:
+	rm -f *~ *.o core dhcp_release dhcp_release6 dhcp_lease_time

contrib/lease-tools/dhcp_lease_time.1

@@ -0,0 +1,25 @@
+.TH DHCP_LEASE_TIME 1
+.SH NAME
+dhcp_lease_time \- Query remaining time of a lease on a the local dnsmasq DHCP server.
+.SH SYNOPSIS
+.B  dhcp_lease_time <address>
+.SH "DESCRIPTION"
+Send a DHCPINFORM message to a dnsmasq server running on the local host
+and print (to stdout) the time remaining in any lease for the given
+address. The time is given as string printed to stdout.
+
+If an error occurs or no lease exists for the given address, 
+nothing is sent to stdout a message is sent to stderr and a
+non-zero error code is returned.
+
+Requires dnsmasq 2.67 or later and may not work with other DHCP servers.
+
+The address argument is a dotted-quad IP addresses and mandatory.
+.SH LIMITATIONS
+Only works with IPv4 addresses and DHCP leases. 
+.SH SEE ALSO
+.BR dnsmasq (8)
+.SH AUTHOR
+This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
+
+

contrib/lease-tools/dhcp_lease_time.c

@@ -20,7 +20,7 @@
    nothing is sent to stdout a message is sent to stderr and a
    non-zero error code is returned.
 
-   Requires dnsmasq 2.40 or later. 
+   This version requires dnsmasq 2.67 or later. 
 */
 
 #include <sys/types.h> 
@@ -46,6 +46,7 @@
 #define OPTION_LEASE_TIME        51
 #define OPTION_OVERLOAD          52
 #define OPTION_MESSAGE_TYPE      53
+#define OPTION_REQUESTED_OPTIONS 55
 #define OPTION_END               255
 #define DHCPINFORM               8
 #define DHCP_SERVER_PORT         67
@@ -82,7 +83,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
           if (p >= end - 2)
             return NULL; /* malformed packet */
           opt_len = option_len(p);
-          if (p >= end - (2 + opt_len))
+          if (end - p >= (2 + opt_len))
             return NULL; /* malformed packet */
           if (*p == opt && opt_len >= minsize)
             return p;
@@ -167,6 +168,12 @@ int main(int argc, char **argv)
   *(p++) = 1;
   *(p++) = DHCPINFORM;
 
+  /* Explicitly request the lease time, it won't be sent otherwise:
+     this is a dnsmasq extension, not standard. */
+  *(p++) = OPTION_REQUESTED_OPTIONS;
+  *(p++) = 1;
+  *(p++) = OPTION_LEASE_TIME;
+  
   *(p++) = OPTION_END;
  
   dest.sin_family = AF_INET; 
@@ -199,13 +206,13 @@ int main(int argc, char **argv)
 	{
 	  unsigned int x;
 	  if ((x = t/86400))
-	    printf("%dd", x);
+	    printf("%ud", x);
 	  if ((x = (t/3600)%24))
-	    printf("%dh", x);
+	    printf("%uh", x);
 	  if ((x = (t/60)%60))
-	    printf("%dm", x);
+	    printf("%um", x);
 	  if ((x = t%60))
-	    printf("%ds", x);
+	    printf("%us", x);
 	}
       return 0;
     }

contrib/lease-tools/dhcp_release.1

@@ -0,0 +1,37 @@
+.TH DHCP_RELEASE 1
+.SH NAME
+dhcp_release \- Release a DHCP lease on a the local dnsmasq DHCP server.
+.SH SYNOPSIS
+.B dhcp_release <interface> <address> <MAC address> <client_id>
+.SH "DESCRIPTION"
+A utility which forces the DHCP server running on this machine to release a 
+DHCP lease.
+.PP
+Send a DHCPRELEASE message via the specified interface to tell the
+local DHCP server to delete a particular lease. 
+
+The interface argument is the interface in which a DHCP
+request _would_ be received if it was coming from the client, 
+rather than being faked up here.
+   
+The address argument is a dotted-quad IP addresses and mandatory. 
+   
+The MAC address is colon separated hex, and is mandatory. It may be 
+prefixed by an address-type byte followed by -, eg
+
+10-11:22:33:44:55:66
+
+but if the address-type byte is missing it is assumed to be 1, the type 
+for ethernet. This encoding is the one used in dnsmasq lease files.
+
+The client-id is optional. If it is "*" then it treated as being missing.
+.SH NOTES
+MUST be run as root - will fail otherwise.
+.SH LIMITATIONS
+Only usable on IPv4 DHCP leases.
+.SH SEE ALSO
+.BR dnsmasq (8)
+.SH AUTHOR
+This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
+
+

contrib/lease-tools/dhcp_release.c

@@ -117,7 +117,7 @@ static ssize_t netlink_recv(int fd)
       msg.msg_flags = 0;
       while ((rc = recvmsg(fd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
       
-      /* 2.2.x doesn't suport MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
+      /* 2.2.x doesn't support MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
          big buffer and pray in that case. */
       if (rc == -1 && errno == EOPNOTSUPP)
         {
@@ -178,7 +178,7 @@ static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
   return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
 }
 
-static struct in_addr find_interface(struct in_addr client, int fd, int index)
+static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index)
 {
   struct sockaddr_nl addr;
   struct nlmsghdr *h;
@@ -255,10 +255,6 @@ int main(int argc, char **argv)
   struct ifreq ifr;
   int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
   int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
-  struct iovec iov;
- 
-  iov.iov_len = 200;
-  iov.iov_base = malloc(iov.iov_len);
 
   if (argc < 4 || argc > 5)
     { 
@@ -274,13 +270,19 @@ int main(int argc, char **argv)
   
   /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
      a DHCP server */
-  strcpy(ifr.ifr_name, argv[1]);
+  strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name)-1);
+  ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
   if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
     {
       perror("cannot setup interface");
       exit(1);
     }
   
+  if (inet_addr(argv[2]) == INADDR_NONE)
+    {
+      perror("invalid ip address");
+      exit(1);
+    }
   
   lease.s_addr = inet_addr(argv[2]);
   server = find_interface(lease, nl, if_nametoindex(argv[1]));

contrib/lease-tools/dhcp_release6.1

@@ -0,0 +1,38 @@
+.TH DHCP_RELEASE 1
+.SH NAME
+dhcp_release6 \- Release a DHCPv6 lease on a the local dnsmasq DHCP server.
+.SH SYNOPSIS
+.B dhcp_release6 --iface <interface> --client-id <client-id> --server-id
+server-id --iaid <iaid>  --ip <IP>  [--dry-run] [--help]
+.SH "DESCRIPTION"
+A utility which forces the DHCP server running on this machine to release a 
+DHCPv6 lease.
+.SS OPTIONS
+.IP "-a, --ip"
+IPv6 address to release.
+.IP "-c, --client-id"
+Colon-separated hex string representing DHCPv6 client id. Normally
+it can be found in leases file both on client and server.
+.IP "-d, --dry-run"
+Print hexadecimal representation of generated DHCPv6 release packet to standard
+output and exit.
+.IP "-h, --help"
+print usage information to standard output and exit.
+.IP "-i, --iaid"
+Decimal representation of DHCPv6 IAID. Normally it can be found in leases file
+both on client and server.
+.IP "-n, --iface"
+Network interface to send a DHCPv6 release packet from.
+.IP "-s, --server-id"
+Colon-separated hex string representing DHCPv6 server id. Normally
+it can be found in leases file both on client and server.
+.SH NOTES
+MUST be run as root - will fail otherwise.
+.SH LIMITATIONS
+Only usable on IPv6 DHCP leases.
+.SH SEE ALSO
+.BR dnsmasq (8)
+.SH AUTHOR
+This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
+
+

contrib/lease-tools/dhcp_release6.c

@@ -0,0 +1,499 @@
+/*
+ dhcp_release6 --iface <interface> --client-id <client-id> --server-id
+ server-id --iaid <iaid>  --ip <IP>  [--dry-run] [--help]
+ MUST be run as root - will fail otherwise
+ */
+
+/* Send a DHCPRELEASE message  to IPv6 multicast address  via the specified interface
+ to tell the local DHCP server to delete a particular lease.
+ 
+ The interface argument is the interface in which a DHCP
+ request _would_ be received if it was coming from the client,
+ rather than being faked up here.
+ 
+ The client-id argument is colon-separated hex string and mandatory. Normally
+ it can be found in leases file both on client and server
+
+ The server-id argument is colon-separated hex string and mandatory. Normally
+ it can be found in leases file both on client and server.
+ 
+ The iaid argument is numeric string and mandatory. Normally
+ it can be found in leases file both on client and server.
+ 
+ IP is an IPv6 address to release
+ 
+ If --dry-run is specified, dhcp_release6 just prints hexadecimal representation of
+ packet to send to stdout and exits.
+ 
+ If --help is specified, dhcp_release6 print usage information to stdout and exits
+ 
+ 
+ 
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <getopt.h>
+#include <errno.h>
+#include <unistd.h>
+
+#define NOT_REPLY_CODE 115
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+enum DHCP6_TYPES
+  {
+    SOLICIT = 1,
+    ADVERTISE = 2,
+    REQUEST = 3,
+    CONFIRM = 4,
+    RENEW = 5,
+    REBIND = 6,
+    REPLY = 7,
+    RELEASE = 8,
+    DECLINE = 9,
+    RECONFIGURE = 10,
+    INFORMATION_REQUEST = 11,
+    RELAY_FORW = 12,
+    RELAY_REPL = 13
+    
+  };
+
+enum DHCP6_OPTIONS
+  {
+    CLIENTID = 1,
+    SERVERID = 2,
+    IA_NA = 3,
+    IA_TA = 4,
+    IAADDR = 5,
+    ORO = 6,
+    PREFERENCE = 7,
+    ELAPSED_TIME = 8,
+    RELAY_MSG = 9,
+    AUTH = 11,
+    UNICAST = 12,
+    STATUS_CODE = 13,
+    RAPID_COMMIT = 14,
+    USER_CLASS = 15,
+    VENDOR_CLASS = 16,
+    VENDOR_OPTS = 17,
+    INTERFACE_ID = 18,
+    RECONF_MSG = 19,
+    RECONF_ACCEPT = 20,
+  };
+
+enum DHCP6_STATUSES
+  {
+    SUCCESS = 0,
+    UNSPEC_FAIL = 1,
+    NOADDR_AVAIL=2,
+    NO_BINDING  = 3,
+    NOT_ON_LINK = 4,
+    USE_MULTICAST =5
+  };
+
+static struct option longopts[] = {
+  {"ip", required_argument, 0, 'a' },
+  {"server-id", required_argument, 0, 's' },
+  {"client-id", required_argument, 0, 'c' },
+  {"iface", required_argument, 0, 'n' },
+  {"iaid", required_argument, 0, 'i' },
+  {"dry-run", no_argument, 0, 'd' },
+  {"help", no_argument, 0, 'h' },
+  {0,     0,           0,   0 }
+};
+
+const short DHCP6_CLIENT_PORT = 546;
+const short DHCP6_SERVER_PORT = 547;
+
+const char*  DHCP6_MULTICAST_ADDRESS = "ff02::1:2";
+
+struct dhcp6_option {
+  uint16_t type;
+  uint16_t len;
+  char  value[1024];
+};
+
+struct dhcp6_iaaddr_option {
+  uint16_t type;
+  uint16_t len;
+  struct in6_addr ip;
+  uint32_t preferred_lifetime;
+  uint32_t valid_lifetime;
+};
+
+struct dhcp6_iana_option {
+  uint16_t type;
+  uint16_t len;
+  uint32_t iaid;
+  uint32_t t1;
+  uint32_t t2;
+  char options[1024];
+};
+
+
+struct dhcp6_packet {
+  size_t len;
+  char buf[2048];  
+};
+
+size_t pack_duid(const char* str, char* dst)
+{
+  char* tmp = strdup(str);
+  char* tmp_to_free = tmp;
+  char *ptr;
+  uint8_t write_pos = 0;
+  while ((ptr = strtok (tmp, ":")))
+    {
+      dst[write_pos] = (uint8_t) strtol(ptr, NULL, 16);
+      write_pos += 1;
+      tmp = NULL;
+    }
+  
+  free(tmp_to_free);
+  return write_pos;
+}
+
+struct dhcp6_option create_client_id_option(const char* duid)
+{
+  struct dhcp6_option option;
+  option.type = htons(CLIENTID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
+}
+
+struct dhcp6_option create_server_id_option(const char* duid)
+{
+  struct dhcp6_option   option;
+  option.type = htons(SERVERID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
+}
+
+struct dhcp6_iaaddr_option create_iaadr_option(const char* ip)
+{
+  struct dhcp6_iaaddr_option result;
+  result.type =htons(IAADDR);
+  /* no suboptions needed here, so length is 24  */
+  result.len = htons(24);
+  result.preferred_lifetime = 0;
+  result.valid_lifetime = 0;
+  int s = inet_pton(AF_INET6, ip, &(result.ip));
+  if (s <= 0) {
+    if (s == 0)
+      fprintf(stderr, "Not in presentation format");
+    else
+      perror("inet_pton");
+    exit(EXIT_FAILURE);
+  }
+
+  return result;
+}
+
+struct dhcp6_iana_option  create_iana_option(const char * iaid, struct dhcp6_iaaddr_option  ia_addr)
+{
+  struct dhcp6_iana_option  result;
+  result.type = htons(IA_NA);
+  result.iaid = htonl(atoi(iaid));
+  result.t1 = 0;
+  result.t2 = 0;
+  result.len = htons(12 + ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  memcpy(result.options, &ia_addr, ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  return result;
+}
+
+struct dhcp6_packet create_release_packet(const char* iaid, const char* ip, const char* client_id, const char* server_id)
+{
+  struct dhcp6_packet result;
+  bzero(result.buf, sizeof(result.buf));
+  /* message_type */
+  result.buf[0] = RELEASE;
+  /* tx_id */
+  bzero(result.buf+1, 3);
+  
+  struct dhcp6_option client_option = create_client_id_option(client_id);
+  struct dhcp6_option server_option = create_server_id_option(server_id);
+  struct dhcp6_iaaddr_option iaaddr_option = create_iaadr_option(ip);
+  struct dhcp6_iana_option iana_option = create_iana_option(iaid, iaaddr_option);
+  int offset = 4;
+  memcpy(result.buf + offset, &client_option, ntohs(client_option.len) + 2*sizeof(uint16_t));
+  offset += (ntohs(client_option.len)+ 2 *sizeof(uint16_t) );
+  memcpy(result.buf + offset, &server_option, ntohs(server_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(server_option.len)+ 2* sizeof(uint16_t));
+  memcpy(result.buf + offset, &iana_option, ntohs(iana_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(iana_option.len)+ 2* sizeof(uint16_t));
+  result.len = offset;
+  return result;
+}
+
+uint16_t parse_iana_suboption(char* buf, size_t len)
+{
+  size_t current_pos = 0;
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos + sizeof(uint16_t) , option_len - sizeof(uint16_t));
+	      option_value[option_len-sizeof(uint16_t)] ='\0';
+	      fprintf(stderr, "Error: %s\n", option_value);
+            }
+	  return status;
+        }
+    }
+
+  return -2;
+}
+
+int16_t parse_packet(char* buf, size_t len)
+{
+  int16_t ret = -1;
+  uint8_t type = buf[0];
+  /*skipping tx id. you need it, uncomment following line
+    uint16_t tx_id = ntohs((buf[1] <<16) + (buf[2] <<8) + buf[3]);
+  */
+  size_t current_pos = 4;
+  if (type != REPLY )
+    return NOT_REPLY_CODE;
+  
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos +sizeof(uint16_t) , option_len -sizeof(uint16_t));
+	      fprintf(stderr, "Error: %d %s\n", status, option_value);
+	      return status;
+	    }
+
+	  /* Got success status, return that if there's no specific error in an IA_NA. */
+	  ret = SUCCESS;   
+        }
+
+      if (option_type == IA_NA )
+	{
+	  uint16_t result = parse_iana_suboption(buf + current_pos +24, option_len -24);
+	  if (result)
+	    return result;
+	}
+      
+      current_pos += option_len;
+    }
+
+  return ret;
+}
+
+void usage(const char* arg, FILE* stream)
+{
+  const char* usage_string ="--ip IPv6 --iface IFACE --server-id SERVER_ID --client-id CLIENT_ID --iaid IAID [--dry-run] | --help";
+  fprintf (stream, "Usage: %s %s\n", arg, usage_string);   
+}
+
+int send_release_packet(const char* iface, struct dhcp6_packet* packet)
+{
+  struct sockaddr_in6 server_addr, client_addr;
+  char response[1400];
+  int sock = socket(PF_INET6, SOCK_DGRAM, 0);
+  int i = 0;
+  if (sock < 0)
+    {
+      perror("creating socket");
+      return -1;
+    }
+  
+    if (setsockopt(sock, SOL_SOCKET, 25, iface, strlen(iface)) == -1)
+      {
+        perror("SO_BINDTODEVICE");
+        close(sock);
+        return -1;
+      }
+    
+    memset(&server_addr, 0, sizeof(server_addr));
+    server_addr.sin6_family = AF_INET6;
+    client_addr.sin6_family = AF_INET6;
+    client_addr.sin6_port = htons(DHCP6_CLIENT_PORT);
+    client_addr.sin6_flowinfo = 0;
+    client_addr.sin6_scope_id =0;
+    inet_pton(AF_INET6, "::", &client_addr.sin6_addr);
+    bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6));
+    inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr);
+    server_addr.sin6_port = htons(DHCP6_SERVER_PORT);
+    int16_t recv_size = 0;
+    for (i = 0; i < 5; i++)
+      {
+        if (sendto(sock, packet->buf, packet->len, 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
+	  {
+	    perror("sendto failed");
+            exit(4);
+	  }
+	
+        recv_size = recvfrom(sock, response, sizeof(response), MSG_DONTWAIT, NULL, 0);
+        if (recv_size == -1)
+	  {
+            if (errno == EAGAIN)
+	      {
+		sleep(1);
+		continue;
+	      }
+	    else
+	      {
+                perror("recvfrom");
+	      }
+	  }
+	
+        int16_t result = parse_packet(response, recv_size);
+        if (result == NOT_REPLY_CODE)
+	  {
+            sleep(1);
+            continue;
+	  }
+
+        close(sock);
+        return result;
+      }
+
+    close(sock);
+    fprintf(stderr, "Response timed out\n");
+    return -1;   
+}
+
+
+int main(int argc, char *  const argv[])
+{
+  const char* UNINITIALIZED = "";
+  const char* iface = UNINITIALIZED;
+  const char* ip = UNINITIALIZED;
+  const char* client_id = UNINITIALIZED;
+  const char* server_id = UNINITIALIZED;
+  const char* iaid = UNINITIALIZED;
+  int dry_run = 0;
+  while (1)
+    {
+      int option_index = 0;
+      int c = getopt_long(argc, argv, "a:s:c:n:i:hd", longopts, &option_index);
+      if (c == -1)
+	break;
+        
+      switch(c)
+	{
+	case 0:
+	  if (longopts[option_index].flag !=0)
+	    break;
+	  
+	  printf ("option %s", longopts[option_index].name);
+	  if (optarg)
+	    printf (" with arg %s", optarg);
+	  printf ("\n");
+	  break;
+
+	case 'i':
+	  iaid = optarg;
+	  break;
+	case 'n':
+	  iface = optarg;
+	  break;
+	case 'a':
+	  ip = optarg;
+	  break;
+	case 'c':
+	  client_id = optarg;
+	  break;
+	case 'd':
+	  dry_run = 1;
+	  break;
+	case 's':
+	  server_id = optarg;
+	  break;
+	case 'h':
+	  usage(argv[0], stdout);
+	  return 0;
+	case '?':
+	  usage(argv[0], stderr);
+	  return -1;
+	default:
+	  abort();
+	  
+        }
+    }
+  
+  if (iaid == UNINITIALIZED)
+    {
+      fprintf(stderr, "Missing required iaid parameter\n");
+      usage(argv[0], stderr);
+      return -1;
+    }
+  
+    if (server_id == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required server-id parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (client_id == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required client-id parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (ip == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required ip parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (iface == UNINITIALIZED)
+      {
+	fprintf(stderr, "Missing required iface parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+
+    
+    
+    struct dhcp6_packet packet = create_release_packet(iaid, ip, client_id, server_id);
+
+    if (dry_run)
+      {
+        uint16_t i;
+
+        for(i=0; i<packet.len; i++)
+	  printf("%hhx", packet.buf[i]);
+        
+        printf("\n");
+        return 0;
+      }
+
+    return send_release_packet(iface, &packet);
+}

contrib/mactable/macscript

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+STATUS_FILE="/tmp/dnsmasq-ip-mac.status"
+
+# Script for dnsmasq lease-change hook.
+# Maintains the above file with an IP address/MAC address pairs,
+# one lease per line. Works with IPv4 and IPv6 leases, file is
+# atomically updated, so no races for users of the data.
+
+action="$1"
+mac="$2"   # IPv4
+ip="$3"
+
+# ensure it always exists.
+
+if [ ! -f "$STATUS_FILE" ]; then
+  touch "$STATUS_FILE"
+fi
+
+if [  -n "$DNSMASQ_IAID" ]; then
+    mac="$DNSMASQ_MAC"   # IPv6
+fi
+
+# worry about an add or old action when the MAC address is not known:
+# leave any old one in place in that case.
+
+if [ "$action" = "add" -o "$action" = "old" -o "$action" = "del" ]; then
+  if [ -n "$mac" -o "$action" = "del" ]; then
+    sed "/^${ip//./\.} / d" "$STATUS_FILE" > "$STATUS_FILE".new
+  
+    if [ "$action" = "add" -o "$action" = "old" ]; then
+       echo "$ip $mac" >> "$STATUS_FILE".new
+    fi
+    mv  "$STATUS_FILE".new "$STATUS_FILE" # atomic update.
+  fi
+fi

contrib/port-forward/dnsmasq-portforward

@@ -34,11 +34,21 @@ if [ ${DNSMASQ_OLD_HOSTNAME} ] && [ ${action} = old ] ; then
     hostname=${DNSMASQ_OLD_HOSTNAME}
 fi
 
+# IPv6 leases are not our concern. no NAT there!
+if [ ${DNSMASQ_IAID} ] ; then
+   exit 0
+fi
+
 # action init is not relevant, and will only be seen when leasefile-ro is set.
 if [ ${action} = init ] ; then
     exit 0
 fi
 
+# action tftp is not relevant.
+if [ ${action} = tftp ] ; then
+    exit 0
+fi
+
 if [ ${hostname} ]; then
     ports=$(sed -n -e "/^${hostname}\ .*/ s/^.* //p" ${PORTSFILE})
 

contrib/port-forward/portforward

@@ -3,7 +3,7 @@
 # first column of this file, then a DNAT port-forward will be set up 
 # to the address which has just been allocated by DHCP . The second field 
 # is port number(s). If there is only one, then the port-forward goes to 
-# the same port on the DHCP-client, if there are two seperated with a 
+# the same port on the DHCP-client, if there are two separated with a 
 # colon, then the second number is the port to which the connection 
 # is forwarded on the DHCP-client. By default, forwarding is set up 
 # for TCP, but it can done for UDP instead by prefixing the port to "u". 

contrib/reverse-dns/README

@@ -0,0 +1,18 @@
+The script reads stdin and replaces all IP addresses with names before
+outputting it again. IPs from private networks are reverse looked  up
+via dns. Other IP addresses are searched for in the dnsmasq query log.
+This gives names (CNAMEs if I understand DNS correctly) that are closer
+to the name the client originally asked for then the names obtained by
+reverse lookup. Just run
+
+netstat -n -4 | ./reverse_replace.sh 
+
+to see what it does. It needs 
+
+log-queries
+log-facility=/var/log/dnsmasq.log
+
+in the dnsmasq configuration.
+
+The script runs on debian (with ash installed) and on busybox.
+

contrib/reverse-dns/reverse_replace.sh

@@ -0,0 +1,125 @@
+#!/bin/ash
+# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
+#
+# Usage e.g.: netstat -n -4 | reverse_replace.sh 
+# Parses stdin for IP4 addresses and replaces them 
+# with names retrieved by parsing the dnsmasq log.
+# This currently only gives CNAMEs. But these 
+# usually tell you more than the ones from reverse 
+# lookups. 
+#
+# This has been tested on debian and asuswrt. Please
+# report successful tests on other platforms.
+#
+# Author: Joachim Zobel <jz-2014@heute-morgen.de>
+# License: Consider this MIT style licensed. You can 
+#   do as you ike, but you must not remove my name.
+#
+
+LOG=/var/log/dnsmasq.log
+MAX_LINES=15000
+
+# sed regex do match IPs
+IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
+# private IP ranges
+IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)'
+
+#######################################################################
+# Find Commands
+  
+HOST=nslookup
+if type host > /dev/null 2>&1; then
+  # echo "No need for nslookup, host is there"
+  HOST=host
+fi
+
+#######################################################################
+# Functions
+
+# Use shell variables for an (IP) lookup table
+create_lookup_table()
+{
+  # Parse log into lookup table
+  local CMDS="$( tail -"$MAX_LINES" "$LOG" | \
+    grep " is $IP_regex" | \
+    sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )"
+
+  local IFS='
+'
+  for CMD in $CMDS
+  do
+    eval $CMD
+  done
+}
+
+set_val()
+{
+  local _IP=$(echo $1 | tr . _)
+  local KEY="__IP__$_IP"
+  eval "$KEY"=$2
+}
+
+get_val()
+{
+  local _IP=$(echo $1 | tr . _)
+  local KEY="__IP__$_IP"
+  eval echo -n '${'"$KEY"'}'
+}
+
+dns_lookup()
+{
+  local IP=$1
+
+  local RTN="$($HOST $IP | \
+        sed 's#\s\+#\n#g' | \
+        grep -v '^$' | \
+        tail -1 | tr -d '\n' | \
+        sed 's#\.$##')"
+  if echo $RTN | grep -q NXDOMAIN; then
+    echo -n $IP
+  else
+    echo -n "$RTN"
+  fi     
+}
+
+reverse_dns()
+{
+  local IP=$1
+
+  # Skip if it is not an IP
+  if ! echo $IP | grep -q "^$IP_regex$"; then
+    echo -n $IP
+    return 
+  fi
+    
+  # Do a dns lookup, if it is a local IP
+  if echo $IP | grep -q $IP_private; then
+    dns_lookup $IP
+    return
+  fi
+    
+  local NAME="$(get_val $IP)"
+  
+  if [ -z "$NAME" ]; then
+    echo -n $IP
+  else
+    echo -n $NAME
+  fi
+}
+
+#######################################################################
+# Main
+create_lookup_table
+
+while read LINE; do
+  for IP in $(echo "$LINE" | \
+              sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \
+              grep $IP_regex) 
+  do
+    NAME=`reverse_dns $IP `
+    # echo "$NAME $IP"
+    LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` 
+  done
+  echo $LINE
+done
+

contrib/static-arp/static-arp

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Contributed by Darren Hoo <darren.hoo@gmail.com>
+
+# If you use dnsmasq as DHCP server on a router, you may have
+# met with attackers trying ARP Poison Routing (APR) on your
+# local area network. This script will setup a 'permanent' entry
+# in the router's ARP table upon each DHCP transaction so as to
+# make the attacker's efforts less successful.
+
+# Usage:
+# edit /etc/dnsmasq.conf and specify the path of this script
+# to  dhcp-script, for example:
+#  dhcp-script=/usr/sbin/static-arp
+
+# if $1 is add or old, update the static arp table entry.
+# if $1 is del, then delete the entry from the table
+# if $1 is init which is called by dnsmasq at startup, it's ignored
+
+ARP=/usr/sbin/arp
+
+# Arguments.
+# $1 is action (add, del, old)
+# $2 is MAC
+# $3 is address
+# $4 is hostname (optional, may be unset)
+
+if [ ${1} = del ] ; then
+         ${ARP} -d $3
+fi
+
+if [ ${1} = old ] || [ ${1} = add ] ; then
+         ${ARP} -s $3 $2
+fi
+

contrib/systemd/README

@@ -0,0 +1,16 @@
+Hello,
+
+I created a systemd service file for dnsmasq.
+systemd is a sysvinit replacement (see [1] for more information).
+One of the goals of systemd is to encourage standardization between different
+distributions. This means, while I also submitted a ticket in Debian GNU/Linux,
+I would like to ask you to accept this service file as the upstream
+distributor, so that other distributions can use the same service file and
+don’t have to ship their own.
+
+Please include this file in your next release (just like in init script).
+
+
+[1] http://en.wikipedia.org/wiki/Systemd
+
+

contrib/systemd/dbus_activation

@@ -0,0 +1,57 @@
+To: dnsmasq-discuss@lists.thekelleys.org.uk
+From: Alex Elsayed <eternaleye+usenet@gmail.com>
+Date: Tue, 15 May 2012 01:53:54 -0700
+Subject: [Dnsmasq-discuss] [PATCH] Support dbus activation
+
+Introduce dbus service file and turn dbus on in the systemd
+unit.
+
+Note to packagers:
+To add support for dbus activation, you must install the dbus
+service file (dbus/uk.org.thekelleys.dnsmasq.service) into
+$DATADIR/dbus-1/system-services.
+
+---
+ contrib/systemd/dnsmasq.service        |    2 +-
+ dbus/uk.org.thekelleys.dnsmasq.service |    7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+ create mode 100644 dbus/uk.org.thekelleys.dnsmasq.service
+
+diff --git a/contrib/systemd/dnsmasq.service 
+b/contrib/systemd/dnsmasq.service
+index a27fe6d..4a784d3 100644
+--- a/contrib/systemd/dnsmasq.service
++++ b/contrib/systemd/dnsmasq.service
+@@ -5,7 +5,7 @@ Description=A lightweight DHCP and caching DNS server
+ Type=dbus
+ BusName=uk.org.thekelleys.dnsmasq
+ ExecStartPre=/usr/sbin/dnsmasq --test
+-ExecStart=/usr/sbin/dnsmasq -k
++ExecStart=/usr/sbin/dnsmasq -k -1
+ ExecReload=/bin/kill -HUP $MAINPID
+ 
+ [Install]
+diff --git a/dbus/uk.org.thekelleys.dnsmasq.service 
+b/dbus/uk.org.thekelleys.dnsmasq.service
+new file mode 100644
+index 0000000..f5fe98d
+--- /dev/null
++++ b/dbus/uk.org.thekelleys.dnsmasq.service
+@@ -0,0 +1,7 @@
++[D-BUS Service]
++Name=uk.org.thekelleys.dnsmasq
++Exec=/usr/sbin/dnsmasq -k -1
++User=root
++SystemdService=dnsmasq.service
++
++
+-- 
+1.7.10.2
+
+
+
+_______________________________________________
+Dnsmasq-discuss mailing list
+Dnsmasq-discuss@lists.thekelleys.org.uk
+http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
+

contrib/systemd/dnsmasq.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=dnsmasq - A lightweight DHCP and caching DNS server
+
+[Service]
+Type=dbus
+BusName=uk.org.thekelleys.dnsmasq
+ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStart=/usr/sbin/dnsmasq -k
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

contrib/try-all-ns/README-2.47

@@ -2,7 +2,7 @@ A remake of patch Bob Carroll had posted to dnsmasq,
 now compatible with version 2.47. Hopefully he doesn't 
 mind (sending a copy of this mail to him too).
 
-Maybe the patch in question is not acceptible
+Maybe the patch in question is not acceptable
 as it doesn't add new switch, rather it binds itself to "strict-order".
 
 What it does is: if you have strict-order in the 

contrib/try-all-ns/README-2.78

@@ -0,0 +1,10 @@
+Hi,
+I updated the try-all-ns patch to work with the latest version of git. Ended up implementing it on top of master, 2.78test2-7-g63437ff. As that specific if-clause has been changed in the last few commits, it's not compatible for 2.77, sadly.
+
+Find the patch attached.
+
+Regards,
+
+Rasmus Ahlberg
+Software Developer, R&D
+Electrolux Small Appliances

contrib/try-all-ns/dnsmasq-2.68-try-all-ns

@@ -0,0 +1,29 @@
+From: Jesse Glick <jglick@cloudbees.com>
+To: dnsmasq-discuss@lists.thekelleys.org.uk
+Subject: Re: [Dnsmasq-discuss] Ability to delegate to one server but fall
+ back to another after NXDOMAIN?
+
+
+On Wed, Jan 15, 2014 at 12:30 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
+> > There's a (very old) patch in contrib/try-all-ns that would make a starting point
+This does not apply against trunk, so I tried to rework it. The
+following appears to do what I expect:
+
+diff --git a/src/forward.c b/src/forward.c
+index 8167229..76070b5 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -610,7 +610,11 @@ void reply_query(int fd, int family, time_t now)
+
+   if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
+       !option_bool(OPT_ORDER) &&
+-      forward->forwardall == 0)
++      forward->forwardall == 0 ||
++      /* try each in turn */
++      RCODE(header) == NXDOMAIN &&
++      option_bool(OPT_ORDER) &&
++      server->next != NULL)
+     /* for broken servers, attempt to send to another one. */
+     {
+       unsigned char *pheader;
+

contrib/try-all-ns/dnsmasq-2.78xx-try-all-ns.patch

@@ -0,0 +1,20 @@
+diff --git a/src/forward.c b/src/forward.c
+index e3fa94b..ecf3b98 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -789,9 +789,12 @@ void reply_query(int fd, int family, time_t now)
+ 
+   /* Note: if we send extra options in the EDNS0 header, we can't recreate
+      the query from the reply. */
+-  if (RCODE(header) == REFUSED &&
+-      forward->forwardall == 0 &&
+-      !(forward->flags & FREC_HAS_EXTRADATA))
++  if ((RCODE(header) == REFUSED &&
++        forward->forwardall == 0 &&
++       !(forward->flags & FREC_HAS_EXTRADATA)) ||
++      /* If strict-order is set, try next server on NXDOMAIN reply */
++      (RCODE(header) == NXDOMAIN && option_bool(OPT_ORDER) &&
++       server->next != NULL))
+     /* for broken servers, attempt to send to another one. */
+     {
+       unsigned char *pheader;

contrib/webmin/README

@@ -1,5 +1,5 @@
 
-This is the README for the DNSmasq webmin module.
+This is the README for the Dnsmasq webmin module.
 
 Problems:
 
@@ -48,7 +48,7 @@ wade through the config file and man pages again.
 
 If you modify it, or add a language file, and you have a spare moment,
 please e-mail me - I won't be upset at all if you fix my poor coding!
-(rather the opposite - I'd be pleased someone found it usefull)
+(rather the opposite - I'd be pleased someone found it useful)
 
 Cheers,
 	Neil Fisher <neil@magnecor.com.au>

contrib/wrt/Makefile

@@ -1,6 +0,0 @@
-CFLAGS?= -O2 -Wall -W
-
-all: dhcp_release dhcp_lease_time
-
-clean:
-	rm -f *~ *.o core dhcp_release dhcp_lease_time

contrib/wrt/README

@@ -4,7 +4,7 @@ reboot, then it will eventually be restored as hosts renew their
 leases. Until a host renews (which may take hours/days) it will
 not exist in the DNS if dnsmasq's DDNS function is in use.
 
-*WRT systems remount all non-volatile fileystems read-only after boot,
+*WRT systems remount all non-volatile filesystems read-only after boot,
 so the normal leasefile will not work. They do, however have NV
 storage, accessed with the nvram command:
 
@@ -62,7 +62,7 @@ about 100 bytes, so restricting the number of leases to 50 will limit
 use to half that. (The default limit in the distributed source is 150)
 
 Any UI script which reads the dnsmasq leasefile will have to be
-ammended, probably by changing it to read the output of 
+amended, probably by changing it to read the output of 
 `lease_update init` instead.
  
 

dbus/DBus-interface

@@ -19,7 +19,8 @@ and avoids startup races with the provider of nameserver information.
 
 
 Dnsmasq provides one service on the DBus: uk.org.thekelleys.dnsmasq
-and a single object: /uk/org/thekelleys/dnsmasq
+and a single object: /uk/org/thekelleys/dnsmasq 
+The name of the service may be changed by giving an argument to --enable-dbus.
 
 1. METHODS
 ----------
@@ -39,6 +40,14 @@ ClearCache
 Returns nothing. Clears the domain name cache and re-reads
 /etc/hosts. The same as sending dnsmasq a HUP signal.
 
+SetFilterWin2KOption
+--------------------
+Takes boolean, sets or resets the --filterwin2k option.
+
+SetBogusPrivOption
+------------------
+Takes boolean, sets or resets the --bogus-priv option.
+
 SetServers
 ----------
 Returns nothing. Takes a set of arguments representing the new
@@ -94,6 +103,152 @@ Each call to SetServers completely replaces the set of servers
 specified by via the DBus, but it leaves any servers specified via the
 command line or /etc/dnsmasq.conf or /etc/resolv.conf alone.
 
+SetServersEx
+------------
+
+This function is more flexible and the SetServers function, in that it can
+handle address scoping, port numbers, and is easier for clients to use.
+
+Returns nothing. Takes a set of arguments representing the new
+upstream DNS servers to be used by dnsmasq. All addresses (both IPv4 and IPv6)
+are represented as STRINGS.  Each server address may be followed by one or more
+STRINGS, which are the domains for which the preceding server should be used.
+
+This function takes an array of STRING arrays, where each inner array represents
+a set of DNS servers and domains for which those servers may be used.  Each
+string represents a list of upstream DNS servers first, and domains second.
+Mixing of domains and servers within a the string array is not allowed.
+
+Examples.
+
+[
+  ["1.2.3.4", "foobar.com"],
+  ["1003:1234:abcd::1%eth0", "eng.mycorp.com", "lab.mycorp.com"]
+]
+
+is equivalent to
+
+--server=/foobar.com/1.2.3.4 \
+  --server=/eng.mycorp.com/lab.mycorp.com/1003:1234:abcd::1%eth0
+
+An IPv4 address of 0.0.0.0 is interpreted as "no address, local only",
+so
+
+[ ["0.0.0.0", "local.domain"] ]
+
+is equivalent to
+
+--local=/local.domain/
+
+
+Each call to SetServersEx completely replaces the set of servers
+specified by via the DBus, but it leaves any servers specified via the
+command line or /etc/dnsmasq.conf or /etc/resolv.conf alone.
+
+
+SetDomainServers
+----------------
+
+Yes another variation for setting DNS servers, with the capability of
+SetServersEx, but without using arrays of arrays, which are not
+sendable with dbus-send. The arguments are an array of strings which
+are identical to the equivalent arguments --server, so the example
+for SetServersEx is represented as
+
+[
+  "/foobar.com/1.2.3.4"
+  "/eng.mycorp.com/lab.mycorp.com/1003:1234:abcd::1%eth0"
+]
+
+GetLoopServers
+--------------
+
+(Only available if dnsmasq compiled with HAVE_LOOP)
+
+Return an array of strings, each string is the IP address of an upstream
+server which has been found to loop queries back to this dnsmasq instance, and 
+it therefore not being used.
+
+AddDhcpLease
+------------
+
+Returns nothing. Adds or updates a DHCP or DHCPv6 lease to the internal lease
+database, as if a client requested and obtained a lease.
+
+If a lease for the IPv4 or IPv6 address already exist, it is overwritten.
+
+Note that this function will trigger the DhcpLeaseAdded or DhcpLeaseUpdated
+D-Bus signal and will run the configured DHCP lease script accordingly.
+
+This function takes many arguments which are the lease parameters:
+- A string with the textual representation of the IPv4 or IPv6 address of the
+  client.
+
+  Examples:
+  "192.168.1.115"
+  "1003:1234:abcd::1%eth0"
+  "2001:db8:abcd::1"
+
+- A string representing the hardware address of the client, using the same
+  format as the one used in the lease database.
+
+  Examples:
+
+  "00:23:45:67:89:ab"
+  "06-00:20:e0:3b:13:af" (token ring)
+
+- The hostname of the client, as an array of bytes (so there is no problem
+  with non-ASCII character encoding). May be empty.
+
+  Example (for "hostname.or.fqdn"):
+  [104, 111, 115, 116, 110, 97, 109, 101, 46, 111, 114, 46, 102, 113, 100, 110]
+
+- The client identifier (IPv4) or DUID (IPv6) as an array of bytes. May be
+  empty.
+
+  Examples:
+
+  DHCPv6 DUID:
+  [0, 3, 0, 1, 0, 35, 69, 103, 137, 171]
+  DHCPv4 client identifier:
+  [255, 12, 34, 56, 78, 0, 1, 0, 1, 29, 9, 99, 190, 35, 69, 103, 137, 171]
+
+- The duration of the lease, in seconds. If the lease is updated, then
+  the duration replaces the previous duration.
+
+  Example:
+
+  7200
+
+- The IAID (Identity association identifier) of the DHCPv6 lease, as a network
+  byte-order unsigned integer. For DHCPv4 leases, this must be set to 0.
+
+  Example (for IPv6):
+
+  203569230
+
+- A boolean which, if true, indicates that the DHCPv6 lease is for a temporary
+  address (IA_TA). If false, the DHCPv6 lease is for a non-temporary address
+  (IA_NA). For DHCPv4 leases, this must be set to false.
+
+RemoveDhcpLease
+---------------
+
+Returns nothing. Removes a DHCP or DHCPv6 lease to the internal lease
+database, as if a client sent a release message to abandon a lease.
+
+This function takes only one parameter: the text representation of the
+IPv4 or IPv6 address of the lease to remove.
+
+Note that this function will trigger the DhcpLeaseRemoved signal and the
+configured DHCP lease script will be run with the "del" action.
+
+GetMetrics
+----------
+
+Returns an array with various metrics for DNS and DHCP.
+
+
 2. SIGNALS
 ----------
 

debian/conffiles

@@ -0,0 +1,5 @@
+/etc/init.d/dnsmasq
+/etc/default/dnsmasq
+/etc/dnsmasq.conf
+/etc/resolvconf/update.d/dnsmasq
+/etc/insserv.conf.d/dnsmasq

debian/control

@@ -0,0 +1,62 @@
+Source: dnsmasq
+Section: net
+Priority: optional
+Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
+               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+               nettle-dev (>=2.4-3), libbsd-dev [!linux-any],
+	       liblua5.2-dev
+Maintainer: Simon Kelley <simon@thekelleys.org.uk>
+Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
+Standards-Version: 3.9.8
+
+Package: dnsmasq
+Architecture: all
+Depends: netbase, dnsmasq-base,
+         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6)
+Suggests: resolvconf
+Conflicts: resolvconf (<<1.15)
+Description: Small caching DNS proxy and DHCP/TFTP server
+ Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
+ server. It is designed to provide DNS and optionally, DHCP, to a 
+ small network. It can serve the names of local machines which are 
+ not in the global DNS. The DHCP server integrates with the DNS 
+ server and allows machines with DHCP-allocated addresses
+ to appear in the DNS with names configured either in each host or
+ in a central configuration file. Dnsmasq supports static and dynamic 
+ DHCP leases and BOOTP/TFTP for network booting of diskless machines.
+
+Package: dnsmasq-base
+Architecture: any
+Depends: adduser, ${shlibs:Depends}
+Breaks: dnsmasq (<< 2.63-1~)
+Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
+Recommends: dns-root-data
+Provides: dnsmasq-base
+Conflicts: dnsmasq-base-lua
+Description: Small caching DNS proxy and DHCP/TFTP server
+ This package contains the dnsmasq executable and documentation, but
+ not the infrastructure required to run it as a system daemon. For
+ that, install the dnsmasq package.
+
+Package: dnsmasq-base-lua
+Architecture: any
+Depends: adduser, ${shlibs:Depends}
+Breaks: dnsmasq (<< 2.63-1~)
+Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
+Recommends: dns-root-data
+Provides: dnsmasq-base
+Conflicts: dnsmasq-base
+Description: Small caching DNS proxy and DHCP/TFTP server
+ This package contains the dnsmasq executable and documentation, but
+ not the infrastructure required to run it as a system daemon. For
+ that, install the dnsmasq package. This package is an alternative
+ to dnsmasq-base which includes the LUA interpreter.
+ 
+Package: dnsmasq-utils
+Architecture: linux-any
+Depends: ${shlibs:Depends}
+Conflicts: dnsmasq (<<2.40)
+Description: Utilities for manipulating DHCP leases
+ Small utilities to query a DHCP server's lease database and
+ remove leases from it. These programs are distributed with dnsmasq
+ and may not work correctly with other DHCP servers.

debian/copyright

@@ -0,0 +1,21 @@
+dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+
+It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+On Debian GNU/Linux systems, the text of the GNU general public license is 
+available in the file /usr/share/common-licenses/GPL-2 or 
+/usr/share/common-licenses/GPL-3
+
+The Debian package of dnsmasq was created by Simon Kelley with assistance 
+from Lars Bahner.
+

debian/dbus.conf

@@ -0,0 +1,18 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own="uk.org.thekelleys.dnsmasq"/>
+		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
+	</policy>
+        <policy user="dnsmasq">
+                <allow own="uk.org.thekelleys.dnsmasq"/>
+                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
+        </policy>
+	<policy context="default">
+                <deny own="uk.org.thekelleys.dnsmasq"/>
+                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
+        </policy>
+</busconfig>
+

debian/default

@@ -0,0 +1,33 @@
+# This file has five functions: 
+# 1) to completely disable starting dnsmasq, 
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` 
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# For upgraders from very old versions, all the shell variables set 
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
+
+# Whether or not to run the dnsmasq daemon; set to 0 to disable.
+ENABLED=1
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output 
+# rather than the contents of /etc/resolv.conf to find upstream 
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in 
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+#IGNORE_RESOLVCONF=yes

debian/dnsmasq-base.conffiles

@@ -0,0 +1 @@
+/etc/dbus-1/system.d/dnsmasq.conf

debian/dnsmasq-base.postinst

@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
+      
+# create a user to run as (code stolen from dovecot-common)
+if [ "$1" = "configure" ]; then
+  if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
+    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
+            --no-create-home --disabled-password \
+            --quiet dnsmasq || true
+  fi
+
+  # Make the directory where we keep the pid file - this
+  # has to be owned by "dnsmasq" so that the file can be unlinked.
+  # This is only actually used by the dnsmasq binary package, not
+  # dnsmasq-base, but it's much easier to create it here so that
+  # we don't have synchronisation issues with the creation of the
+  # dnsmasq user. 
+  if [ ! -d /run/dnsmasq ]; then
+    mkdir /run/dnsmasq
+    chown dnsmasq:nogroup /run/dnsmasq
+  fi
+fi

debian/dnsmasq-base.postrm

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+if [ purge = "$1" ]; then
+   if [ -x "$(command -v deluser)" ]; then
+     deluser --quiet --system dnsmasq > /dev/null || true
+  else
+     echo >&2 "not removing dnsmasq system account because deluser command was not found"
+  fi
+  rm -rf /run/dnsmasq
+fi

debian/init

@@ -0,0 +1,321 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:       dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop:  $network $remote_fs $syslog
+# Default-Start:  2 3 4 5
+# Default-Stop:   0 1 6
+# Description:    DHCP and DNS server
+### END INIT INFO
+
+# Don't exit on error status
+set +e
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/dnsmasq
+NAME=dnsmasq
+DESC="DNS forwarder and DHCP server"
+
+# Most configuration options in /etc/default/dnsmasq are deprecated
+# but still honoured.
+ENABLED=1
+if [ -r /etc/default/$NAME ]; then
+	. /etc/default/$NAME
+fi
+
+# Get the system locale, so that messages are in the correct language, and the 
+# charset for IDN is correct
+if [ -r /etc/default/locale ]; then
+        . /etc/default/locale
+        export LANG
+fi
+
+# The following test ensures the dnsmasq service is not started, when the
+# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base 
+# package is still in place.
+test -e /usr/share/dnsmasq/installed-marker || exit 0
+ 
+test -x $DAEMON || exit 0
+
+# Provide skeleton LSB log functions for backports which don't have LSB functions.
+if [ -f /lib/lsb/init-functions ]; then
+         . /lib/lsb/init-functions
+else
+         log_warning_msg () {
+            echo "${@}."
+         }
+
+         log_success_msg () {
+            echo "${@}."
+         }
+
+         log_daemon_msg () {
+            echo -n "${1}: $2"
+         }
+
+	 log_end_msg () {
+            if [ $1 -eq 0 ]; then
+              echo "."
+            elif [ $1 -eq 255 ]; then
+              /bin/echo -e " (warning)."
+            else
+              /bin/echo -e " failed!"
+            fi
+         }
+fi
+
+# RESOLV_CONF:
+# If the resolvconf package is installed then use the resolv conf file
+# that it provides as the default.  Otherwise use /etc/resolv.conf as
+# the default.
+#
+# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
+# filename is set there then this inhibits the use of the resolvconf-provided
+# information.
+#
+# Note that if the resolvconf package is installed it is not possible to 
+# override it just by configuration in /etc/dnsmasq.conf, it is necessary
+# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
+
+if [ ! "$RESOLV_CONF" ] &&
+   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
+   [ -x /sbin/resolvconf ]
+then
+	RESOLV_CONF=/run/dnsmasq/resolv.conf
+fi
+
+for INTERFACE in $DNSMASQ_INTERFACE; do
+	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
+done
+
+for INTERFACE in $DNSMASQ_EXCEPT; do
+	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
+done
+
+if [ ! "$DNSMASQ_USER" ]; then
+   DNSMASQ_USER="dnsmasq"
+fi
+
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if  --interface --except-interface, --listen-address 
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+
+# If the dns-root-data package is installed, then the trust anchors will be 
+# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# --trust-anchor options.
+
+ROOT_DS="/usr/share/dns/root.ds"
+
+if [ -f $ROOT_DS ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
+fi
+
+start()
+{
+        # Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+
+        # /run may be volatile, so we need to ensure that
+        # /run/dnsmasq exists here as well as in postinst
+        if [ ! -d /run/dnsmasq ]; then
+           mkdir /run/dnsmasq || return 2
+           chown dnsmasq:nogroup /run/dnsmasq || return 2
+        fi
+	[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+	
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON -- \
+		-x /run/dnsmasq/$NAME.pid \
+	        ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+		${MAILTARGET:+ -t $MAILTARGET} \
+		${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+		${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+		${DHCP_LEASE:+ -l $DHCP_LEASE} \
+		${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+		${RESOLV_CONF:+ -r $RESOLV_CONF} \
+		${CACHESIZE:+ -c $CACHESIZE} \
+	        ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+		${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
+		|| return 2
+}
+
+start_resolvconf()
+{
+# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
+# Then dnsmasq won't be providing local DNS, so don't add it to
+# the resolvconf server set.
+	for interface in $DNSMASQ_EXCEPT
+	do
+		[ $interface = lo ] && return
+	done
+
+# Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+	if grep -qs '^port=0' /etc/dnsmasq.conf; then
+		return
+	fi
+
+        if [ -x /sbin/resolvconf ] ; then
+		echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
+	fi
+	return 0
+}
+
+stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/$NAME.pid --name $NAME
+}
+
+stop_resolvconf()
+{
+	if [ -x /sbin/resolvconf ] ; then
+		/sbin/resolvconf -d lo.$NAME
+	fi
+	return 0
+}
+
+status()
+{
+	# Return
+	#   0 if daemon is running
+	#   1 if daemon is dead and pid file exists
+	#   3 if daemon is not running
+	#   4 if daemon status is unknown
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
+	case "$?" in
+		0) [ -e "/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
+		1) return 0 ;;
+		*) return 4 ;;
+	esac
+}
+
+case "$1" in
+  start)
+	test "$ENABLED" != "0" || exit 0
+	log_daemon_msg "Starting $DESC" "$NAME"
+	start
+	case "$?" in
+		0)
+			log_end_msg 0
+			start_resolvconf
+			exit 0
+			;;
+		1)
+			log_success_msg "(already running)"
+			exit 0
+			;;
+		*)
+			log_end_msg 1
+			exit 1
+			;;
+	esac
+	;;
+  stop)
+	stop_resolvconf
+	if [ "$ENABLED" != "0" ]; then
+             log_daemon_msg "Stopping $DESC" "$NAME"
+	fi
+	stop
+        RETVAL="$?"
+	if [ "$ENABLED" = "0" ]; then
+	    case "$RETVAL" in
+	       0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
+            esac 
+	    exit 0
+	fi
+	case "$RETVAL" in
+		0) log_end_msg 0 ; exit 0 ;;
+		1) log_warning_msg "(not running)" ; exit 0 ;;
+		*) log_end_msg 1; exit 1 ;;
+	esac
+	;;
+  restart|force-reload)
+	test "$ENABLED" != "0" || exit 1
+	$DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+	    NAME="configuration syntax check"
+	    RETVAL="2"
+	else   
+	    stop_resolvconf
+	    stop
+	    RETVAL="$?"
+        fi
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	case "$RETVAL" in
+		0|1)
+		        sleep 2
+			start
+			case "$?" in
+				0)
+					log_end_msg 0
+					start_resolvconf
+					exit 0
+					;;
+			        *)
+					log_end_msg 1
+					exit 1
+					;;
+			esac
+			;;
+		*)
+			log_end_msg 1
+			exit 1
+			;;
+	esac
+	;;
+  status)
+	log_daemon_msg "Checking $DESC" "$NAME"
+	status
+	case "$?" in
+		0) log_success_msg "(running)" ; exit 0 ;;
+		1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+		3) log_success_msg "(not running)" ; exit 3 ;;
+		*) log_success_msg "(unknown)" ; exit 4 ;;
+	esac
+	;;
+  dump-stats)
+        kill -s USR1 `cat /run/dnsmasq/$NAME.pid`
+	;;
+  systemd-start-resolvconf)
+	start_resolvconf
+	;;
+  systemd-stop-resolvconf)
+	stop_resolvconf
+	;;
+  systemd-exec)
+# /run may be volatile, so we need to ensure that
+        # /run/dnsmasq exists here as well as in postinst
+        if [ ! -d /run/dnsmasq ]; then
+           mkdir /run/dnsmasq || return 2
+           chown dnsmasq:nogroup /run/dnsmasq || return 2
+        fi
+	exec $DAEMON -x /run/dnsmasq/$NAME.pid \
+	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
+	    ${MAILTARGET:+ -t $MAILTARGET} \
+	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
+	    ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
+	    ${DHCP_LEASE:+ -l $DHCP_LEASE} \
+	    ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
+	    ${RESOLV_CONF:+ -r $RESOLV_CONF} \
+	    ${CACHESIZE:+ -c $CACHESIZE} \
+	    ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
+	    ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} 
+	;;
+  *)
+	echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
+	exit 3
+	;;
+esac
+
+exit 0
+

debian/insserv

@@ -0,0 +1 @@
+$named dnsmasq

debian/installed-marker

@@ -0,0 +1,2 @@
+# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
+# It is an implementation detail of the dnsmasq init script.

debian/lintian-override

@@ -0,0 +1,3 @@
+# dnsmasq-base and dnsmasq-base-lua are mutually exclusive and both
+# provide /usr/share/doc/dnsmasq-base
+dnsmasq-base-lua binary: usr-share-doc-symlink-without-dependency dnsmasq-base

debian/postinst

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+# Code copied from dh_systemd_enable ----------------------
+# This will only remove masks created by d-s-h on package removal.
+deb-systemd-helper unmask dnsmasq.service >/dev/null || true
+
+# was-enabled defaults to true, so new installations run enable.
+if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
+	# Enables the unit on first installation, creates new
+	# symlinks on upgrades if the unit file has changed.
+	deb-systemd-helper enable dnsmasq.service >/dev/null || true
+else
+	# Update the statefile to add new symlinks (if any), which need to be
+	# cleaned up on purge. Also remove old symlinks.
+	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
+fi
+# End code copied from dh_systemd_enable ------------------
+
+if [ -x /etc/init.d/dnsmasq ]; then
+   update-rc.d dnsmasq defaults 15 85 >/dev/null
+
+   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
+      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
+          ACTION=restart
+      else
+          ACTION=start
+      fi
+
+      if [ -x /usr/sbin/invoke-rc.d ] ; then
+         invoke-rc.d dnsmasq $ACTION || true
+      else
+         /etc/init.d/dnsmasq $ACTION || true
+      fi
+   fi
+fi
+
+

debian/postrm

@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+if [ purge = "$1" ]; then
+   update-rc.d dnsmasq remove >/dev/null
+fi
+
+# Code copied from dh_systemd_enable ----------------------
+if [ "$1" = "remove" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper mask dnsmasq.service >/dev/null
+	fi
+fi
+
+if [ "$1" = "purge" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper purge dnsmasq.service >/dev/null
+		deb-systemd-helper unmask dnsmasq.service >/dev/null
+	fi
+fi
+# End code copied from dh_systemd_enable ------------------
+

debian/prerm

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "remove" ]; then
+  if [ -x /usr/sbin/invoke-rc.d ] ; then
+      invoke-rc.d dnsmasq stop || true
+  else
+      /etc/init.d/dnsmasq stop || true
+  fi
+fi
+
+exit 0
+
+

debian/readme

@@ -0,0 +1,79 @@
+Notes on configuring dnsmasq as packaged for Debian.
+
+(1) To configure dnsmasq edit /etc/dnsmasq.conf. The file is well
+    commented; see also the dnsmasq.8 man page for explanation of
+    the options. The file /etc/default/dnsmasq also exists but it
+    shouldn't need to be touched in most cases. To set up DHCP
+    options you might need to refer to a copy of RFC 2132. This is 
+    available on Debian systems in the package doc-rfc-std as the file
+    /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
+
+(2) Installing the dnsmasq package also creates the directory
+    /etc/dnsmasq.d which is searched by dnsmasq for configuration file
+    fragments. This behaviour can be disabled by editing 
+    /etc/default/dnsmasq.
+
+(3) If the Debian resolvconf package is installed then, regardless
+    of what interface configuration daemons are employed, the list of
+    nameservers to which dnsmasq should forward queries can be found
+    in /var/run/dnsmasq/resolv.conf; also, 127.0.0.1 is listed as the
+    first nameserver address in /etc/resolv.conf. This works using the
+    default configurations of resolvconf and dnsmasq.
+
+(4) In the absence of resolvconf, if you are using dhcpcd then
+    dnsmasq should read the list of nameservers from the automatically
+    generated file /etc/dhcpc/resolv.conf.  You should list 127.0.0.1
+    as the first nameserver address in /etc/resolv.conf.
+
+(5) In the absence of resolvconf, if you are using pppd then
+    dnsmasq should read the list of nameservers from the automatically
+    generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
+    as the first nameserver address in /etc/resolv.conf.
+
+(6) In the absence of resolvconf, dns-nameservers lines in 
+    /etc/network/interfaces are ignored. If you do not use
+    resolvconf, list 127.0.0.1 as the first nameserver address
+    in /etc/resolv.conf and configure your nameservers using
+    "server=<IP-address>" lines in /etc/dnsmasq.conf.
+
+(7) If you run multiple DNS servers on a single machine, each
+    listening on a different interface, then it is necessary to use 
+    the bind-interfaces option by uncommenting "bind-interfaces" in 
+    /etc/dnsmasq.conf. This option stops dnsmasq from binding the 
+    wildcard address and allows servers listening on port 53 on
+    interfaces not in use by dnsmasq to work. The Debian 
+    libvirt package will add a configuration file in /etc/dnsmasq.d
+    which does this so that the "system" dnsmasq and "private" dnsmasq
+    instances started by libvirt do not clash.
+
+(8) The following options are supported in DEB_BUILD_OPTIONS
+      noopt       : compile without optimisation.
+      nostrip     : don't remove symbols from binary. 
+      nodocs      : omit documentation.
+      notftp      : omit TFTP support.
+      nodhcp      : omit DHCP support.
+      nodhcp6     : omit DHCPv6 support.
+      noscript    : omit lease-change script support.
+      uselua      : provide support for lease-change scripts written
+                    in Lua.
+      noipv6      : omit IPv6 support.
+      nodbus      : omit DBus support.
+      noconntrack : omit connection tracking support. 
+      noipset     : omit IPset support.
+      nortc       : compile alternate mode suitable for systems without an RTC.
+      noi18n      : omit translations and internationalisation support.
+      noidn       : omit international domain name support, must be
+                    combined with noi18n to be effective.
+      gitversion  : set the version of the produced packages from the
+                    git-derived versioning information on the source,
+                    rather than the debian changelog. 
+
+(9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
+    dnsmasq. Dnsmasq-base provides the dnsmasq executable and
+    documentation (including this file). Dnsmasq, which depends on
+    dnsmasq-base, provides the init script and configuration
+    infrastructure. This file assumes that both are installed. It is
+    possible to install only dnsmasq-base and use dnsmasq as a
+    non-"system" daemon. Libvirt, for instance, does this.
+    Dnsmasq-utils provides the utilities dhcp_release and 
+    dhcp_lease_time.

debian/readme.dnsmasq.d

@@ -0,0 +1,7 @@
+# All files in this directory will be read by dnsmasq as 
+# configuration files, except if their names end in 
+# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
+#
+# This can be changed by editing /etc/default/dnsmasq
+
+

debian/resolvconf

@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Script to update the resolver list for dnsmasq
+#
+# N.B. Resolvconf may run us even if dnsmasq is not (yet) running.
+# If dnsmasq is installed then we go ahead and update the resolver list
+# in case dnsmasq is started later.
+#
+# Assumption: On entry, PWD contains the resolv.conf-type files.
+#
+# This file is part of the dnsmasq package.
+#
+
+set -e
+
+RUN_DIR="/run/dnsmasq"
+RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
+TMP_FILE="${RSLVRLIST_FILE}_new.$$"
+MY_NAME_FOR_RESOLVCONF="dnsmasq"
+
+[ -x /usr/sbin/dnsmasq ] || exit 0
+[ -x /lib/resolvconf/list-records ] || exit 1
+
+PATH=/bin:/sbin
+
+report_err() { echo "$0: Error: $*" >&2 ; }
+
+# Stores arguments (minus duplicates) in RSLT, separated by spaces
+# Doesn't work properly if an argument itself contains whitespace
+uniquify()
+{
+	RSLT=""
+	while [ "$1" ] ; do
+		for E in $RSLT ; do
+			[ "$1" = "$E" ] && { shift ; continue 2 ; }
+		done
+		RSLT="${RSLT:+$RSLT }$1"
+		shift
+	done
+}
+
+if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then
+	report_err "Failed trying to create directory $RUN_DIR"
+	exit 1
+fi
+
+RSLVCNFFILES=""
+for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
+	case "$F" in
+	    "lo.$MY_NAME_FOR_RESOLVCONF")
+		# Omit own record	 
+		;;
+	    lo.*)
+		# Include no more records after one for a local nameserver
+		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
+		break
+		;;
+	  *)
+		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
+		;;
+	esac
+done
+
+NMSRVRS=""
+if [ "$RSLVCNFFILES" ] ; then
+	uniquify $(sed -n -e 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES)
+	NMSRVRS="$RSLT"
+fi
+
+# Dnsmasq uses the mtime of $RSLVRLIST_FILE, with a resolution of one second,
+# to detect changes in the file. This means that if a resolvconf update occurs
+# within one second of the previous one then dnsmasq may fail to notice the
+# more recent change. To work around this problem we sleep one second here
+# if necessary in order to ensure that the new mtime is different.
+if [ -f "$RSLVRLIST_FILE" ] && [ "$(ls -go --time-style='+%s' "$RSLVRLIST_FILE" | { read p h s t n ; echo "$t" ; })" = "$(date +%s)" ] ; then
+	sleep 1
+fi
+
+clean_up() { rm -f "$TMP_FILE" ; }
+trap clean_up EXIT
+: >| "$TMP_FILE"
+for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMP_FILE" ; done
+mv -f "$TMP_FILE" "$RSLVRLIST_FILE"
+

debian/resolvconf-package

@@ -0,0 +1,13 @@
+#!/bin/sh
+# Resolvconf packaging event hook script for the dnsmasq package
+restart_dnsmasq() {
+    if which invoke-rc.d >/dev/null 2>&1 ; then
+        invoke-rc.d dnsmasq restart
+    elif [ -x /etc/init.d/dnsmasq ] ; then
+        /etc/init.d/dnsmasq restart
+    fi
+}
+
+case "$1" in
+  install) restart_dnsmasq ;;
+esac

debian/rules

@@ -0,0 +1,291 @@
+#!/usr/bin/make -f
+# debian/rules file - for dnsmasq.
+# Copyright 2001-2018 by Simon Kelley
+# Based on the sample in the debian hello package which carries the following:
+# Copyright 1994,1995 by Ian Jackson.
+# I hereby give you perpetual unlimited permission to copy,
+# modify and relicense this file, provided that you do not remove
+# my name from the file itself.  (I assert my moral right of
+# paternity under the Copyright, Designs and Patents Act 1988.)
+# This file may have to be extensively modified
+
+package=dnsmasq-base
+
+dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
+
+CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
+CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
+CFLAGS += -Wall -W
+
+LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
+
+DEB_COPTS = $(COPTS)
+
+TARGET = install-i18n
+
+DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
+
+ifeq ($(origin CC),default)
+     CC = $(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
+ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+     PKG_CONFIG=pkg-config
+else
+     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
+endif
+
+# Force package version based on git tags.
+ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
+     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
+endif
+
+ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DHAVE_DBUS
+endif
+
+ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
+	DEB_COPTS += -DHAVE_IDN
+endif
+
+ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+     DEB_COPTS += -DHAVE_CONNTRACK
+endif
+endif
+
+ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_IPSET
+endif
+
+ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_DHCP6
+endif
+
+ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_IPV6
+endif
+
+ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_TFTP
+endif
+
+ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_DHCP
+endif
+
+ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DNO_SCRIPT
+endif
+
+ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DHAVE_BROKEN_RTC
+endif
+
+ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
+     TARGET = install
+endif
+
+ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DHAVE_LUASCRIPT
+endif
+
+ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
+     DEB_COPTS += -DHAVE_DNSSEC
+endif
+
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+     # For strlcpy in FreeBSD
+     LDFLAGS += -lbsd
+endif
+
+define build_tree
+	rm -rf $1
+	install -m 755 \
+		-d $1/DEBIAN \
+		-d $1/etc/dbus-1/system.d \
+	        -d $1/usr/share/doc/$(package) \
+		-d $1/usr/share/doc/$(package)/examples \
+		-d $1/usr/share/$(package) \
+	        -d $1/var/lib/misc
+
+endef
+
+define add_docs
+# Need to remove paypal links in Debian Package for policy reasons.
+	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >$1/usr/share/doc/$(package)/doc.html
+	echo "</BODY>" >>$1/usr/share/doc/$(package)/doc.html 
+	install -m 644 setup.html $1/usr/share/doc/$(package)/.
+	install -m 644 dnsmasq.conf.example $1/usr/share/doc/$(package)/examples/.
+	install -m 644 FAQ $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/FAQ
+	install -m 644 CHANGELOG $1/usr/share/doc/$(package)/changelog
+	gzip -9n $1/usr/share/doc/$(package)/changelog
+	install -m 644 CHANGELOG.archive $1/usr/share/doc/$(package)/changelog.archive
+	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
+	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
+	gzip -9n $1/usr/share/man/man8/dnsmasq.8
+	for f in $1/usr/share/man/*; do \
+		if [ -f $$f/man8/dnsmasq.8 ]; then \
+                       gzip -9n $$f/man8/dnsmasq.8 ; \
+                fi \
+	done
+endef
+
+define add_files
+	install -m 644 trust-anchors.conf $1/usr/share/$(package)/.
+	install -m 644 debian/dnsmasq-base.conffiles $1/DEBIAN/conffiles
+	install -m 755 debian/dnsmasq-base.postinst $1/DEBIAN/postinst
+	install -m 755 debian/dnsmasq-base.postrm  $1/DEBIAN/postrm
+	install -m 644 debian/changelog $1/usr/share/doc/$(package)/changelog.Debian
+	gzip -9n $1/usr/share/doc/$(package)/changelog.Debian
+	install -m 644 debian/readme $1/usr/share/doc/$(package)/README.Debian
+	install -m 644 debian/copyright $1/usr/share/doc/$(package)/copyright
+	install -m 644 debian/dbus.conf $1/etc/dbus-1/system.d/dnsmasq.conf
+endef
+
+clean:
+	$(checkdir)
+	make BUILDDIR=debian/build/no-lua clean
+	make BUILDDIR=debian/build/lua clean
+	make -C contrib/lease-tools clean
+	rm -rf debian/build debian/trees debian/*~ debian/files debian/substvars debian/utils-substvars
+
+binary-indep:	checkroot
+	$(checkdir)
+	rm -rf debian/trees/daemon
+	install -m 755 \
+	        -d debian/trees/daemon/DEBIAN \
+		-d debian/trees/daemon/usr/share/doc \
+	        -d debian/trees/daemon/etc/init.d \
+		-d debian/trees/daemon/etc/dnsmasq.d \
+	        -d debian/trees/daemon/etc/resolvconf/update.d \
+		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
+		-d debian/trees/daemon/usr/share/dnsmasq \
+	        -d debian/trees/daemon/etc/default \
+		-d debian/trees/daemon/lib/systemd/system \
+		-d debian/trees/daemon/usr/lib/tmpfiles.d \
+                -d debian/trees/daemon/etc/insserv.conf.d
+	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
+	install -m 755 debian/postinst debian/postrm debian/prerm debian/trees/daemon/DEBIAN
+	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
+	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
+	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
+	install -m 644 debian/installed-marker debian/trees/daemon/usr/share/dnsmasq
+	install -m 644 debian/default debian/trees/daemon/etc/default/dnsmasq
+	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
+	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
+	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
+	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
+	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
+	ln -s $(package) debian/trees/daemon/usr/share/doc/dnsmasq
+	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
+	dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/trees/daemon
+	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/daemon
+	chmod -R g-ws debian/trees/daemon
+	dpkg --build debian/trees/daemon ..
+
+binary-arch:	checkroot 
+	$(call build_tree,debian/trees/base)
+	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
+ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	$(call add_docs,debian/trees/base)
+else	
+	rm -rf debian/trees/base/usr/share/man
+endif
+	$(call add_files,debian/trees/base)
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/base/usr/sbin/dnsmasq
+endif
+	cd debian/trees/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps --warnings=1 debian/trees/base/usr/sbin/dnsmasq
+	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/trees/base
+	find debian/trees/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/base
+	chmod -R g-ws debian/trees/base 
+	dpkg --build debian/trees/base ..
+
+	$(call build_tree,debian/trees/lua-base)
+	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
+ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	$(call add_docs,debian/trees/lua-base)
+else	
+	rm -rf debian/trees/lua-base/usr/share/man
+endif
+	$(call add_files,debian/trees/lua-base)
+	install -m 755 -d debian/trees/lua-base/usr/share/lintian/overrides
+	install -m 644 debian/lintian-override debian/trees/lua-base/usr/share/lintian/overrides/dnsmasq-base-lua
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/lua-base/usr/sbin/dnsmasq
+endif
+	ln -s $(package) debian/trees/lua-base/usr/share/doc/dnsmasq-base-lua
+	cd debian/trees/lua-base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps --warnings=1 debian/trees/lua-base/usr/sbin/dnsmasq
+	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base-lua -Pdebian/trees/lua-base
+	find debian/trees/lua-base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/lua-base
+	chmod -R g-ws debian/trees/lua-base 
+	dpkg --build debian/trees/lua-base ..
+
+
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+	rm -rf debian/trees/utils
+	install -m 755 -d debian/trees/utils/DEBIAN \
+	               -d debian/trees/utils/usr/bin \
+                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
+ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	install -m 755 -d debian/trees/utils/usr/share/man/man1
+endif
+	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
+	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
+	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
+	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
+ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
+	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release6.1
+	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
+endif
+	install -m 644 debian/copyright debian/trees/utils/usr/share/doc/dnsmasq-utils/copyright
+	install -m 644 debian/changelog debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
+	gzip -9n debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release6
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_lease_time
+endif	
+	cd debian/trees/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps -Tdebian/utils-substvars debian/trees/utils/usr/bin/dhcp_release debian/trees/utils/usr/bin/dhcp_release6 debian/trees/utils/usr/bin/dhcp_lease_time 
+	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/trees/utils
+	find debian/trees/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/utils
+	chmod -R g-ws debian/trees/utils 
+	dpkg --build debian/trees/utils ..
+endif
+
+define checkdir
+	test -f Makefile -a -f debian/rules
+endef
+
+# Below here is fairly generic really
+
+binary:		binary-arch binary-indep
+
+build:		
+build-arch:
+build-indep:
+
+checkroot:
+	test root = "`whoami`"
+
+.PHONY: binary binary-arch binary-indep clean checkroot
+
+

debian/source/format

@@ -0,0 +1 @@
+1.0

debian/systemd.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=dnsmasq - A lightweight DHCP and caching DNS server
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/dnsmasq/dnsmasq.pid
+
+# Test the config file and refuse starting if it is not valid.
+ExecStartPre=/usr/sbin/dnsmasq --test
+
+# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
+# wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "systemd-exec" function.
+ExecStart=/etc/init.d/dnsmasq systemd-exec
+
+# The systemd-*-resolvconf functions configure (and deconfigure)
+# resolvconf to work with the dnsmasq DNS server. They're called like
+# this to get correct error handling (ie don't start-resolvconf if the 
+# dnsmasq daemon fails to start.
+ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
+ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
+
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

debian/tmpfiles.conf

@@ -0,0 +1 @@
+d /run/dnsmasq 755 dnsmasq nogroup

dnsmasq.conf.example

@@ -4,17 +4,34 @@
 # as the long options legal on the command line. See
 # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
 
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
 # The following two options make you a better netizen, since they
 # tell dnsmasq to filter out queries which the public DNS cannot
 # answer, and which load the servers (especially the root servers)
-# uneccessarily. If you have a dial-on-demand link they also stop
-# these requests from bringing up the link uneccessarily.
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
 
 # Never forward plain names (without a dot or domain part)
 #domain-needed
 # Never forward addresses in the non-routed address spaces.
 #bogus-priv
 
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS 
+# record somewhere between the root and the domain does not exist. 
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
 
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.
@@ -48,7 +65,7 @@
 # non-public domains.
 #server=/localnet/192.168.0.1
 
-# Example of routing PTR queries to nameservers: this will send all 
+# Example of routing PTR queries to nameservers: this will send all
 # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
 #server=/3.168.192.in-addr.arpa/10.1.2.3
 
@@ -57,21 +74,25 @@
 #local=/localnet/
 
 # Add domains which you want to force to an IP address here.
-# The example below send any host in doubleclick.net to a local
-# webserver.
-#address=/doubleclick.net/127.0.0.1
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
 
 # --address (and --server) work with IPv6 addresses too.
 #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
 
-# You can control how dnsmasq talks to a server: this forces 
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
-# --server=10.1.2.3@eth1
+# server=10.1.2.3@eth1
 
 # and this sets the source (ie local) address used to talk to
-# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
 # IP on the machine, obviously).
-# --server=10.1.2.3@192.168.1.1#55
+# server=10.1.2.3@192.168.1.1#55
 
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
@@ -90,7 +111,7 @@
 #listen-address=
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
-# disable DHCP on it.
+# disable DHCP and TFTP on it.
 #no-dhcp-interface=
 
 # On systems which support it, dnsmasq binds the wildcard address,
@@ -141,17 +162,68 @@
 # don't need to worry about this.
 #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
 
-# This is an example of a DHCP range with a network-id, so that
+# This is an example of a DHCP range which sets a tag, so that
 # some DHCP options may be set only for this network.
-#dhcp-range=red,192.168.0.50,192.168.0.150
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only 
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
+# hosts. Use the DHCPv4 lease to derive the name, network segment and 
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC algorithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overridden by ra-stateless, ra-names, et al, the router 
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the 
+# clients don't use SLAAC addresses.
+#enable-ra
 
 # Supply parameters for specified hosts using DHCP. There are lots
 # of valid alternatives, so we will give examples of each. Note that
 # IP addresses DO NOT have to be in the range given above, they just
 # need to be on the same network. The order of the parameters in these
-# do not matter, it's permissble to give name,adddress and MAC in any order
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
 
-# Always allocate the host with ethernet address 11:22:33:44:55:66
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
 # The IP address 192.168.0.60
 #dhcp-host=11:22:33:44:55:66,192.168.0.60
 
@@ -159,13 +231,13 @@
 # 11:22:33:44:55:66 to be "fred"
 #dhcp-host=11:22:33:44:55:66,fred
 
-# Always give the host with ethernet address 11:22:33:44:55:66
+# Always give the host with Ethernet address 11:22:33:44:55:66
 # the name fred and IP address 192.168.0.60 and lease time 45 minutes
 #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
 
-# Give a host with ethernet address 11:22:33:44:55:66 or
+# Give a host with Ethernet address 11:22:33:44:55:66 or
 # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
-# that these two ethernet interfaces will never be in use at the same
+# that these two Ethernet interfaces will never be in use at the same
 # time, and give the IP address to the second, even if it is already
 # in use by the first. Useful for laptops with wired and wireless
 # addresses.
@@ -179,6 +251,13 @@
 # the IP address 192.168.0.60
 #dhcp-host=id:01:02:02:04,192.168.0.60
 
+# Always give the InfiniBand interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
 # Always give the host with client identifier "marjorie"
 # the IP address 192.168.0.60
 #dhcp-host=id:marjorie,192.168.0.60
@@ -188,41 +267,47 @@
 # it asks for a DHCP lease.
 #dhcp-host=judge
 
-# Never offer DHCP service to a machine whose ethernet
+# Never offer DHCP service to a machine whose Ethernet
 # address is 11:22:33:44:55:66
 #dhcp-host=11:22:33:44:55:66,ignore
 
-# Ignore any client-id presented by the machine with ethernet
+# Ignore any client-id presented by the machine with Ethernet
 # address 11:22:33:44:55:66. This is useful to prevent a machine
 # being treated differently when running under different OS's or
 # between PXE boot and OS boot.
 #dhcp-host=11:22:33:44:55:66,id:*
 
 # Send extra options which are tagged as "red" to
-# the machine with ethernet address 11:22:33:44:55:66
-#dhcp-host=11:22:33:44:55:66,net:red
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
 
 # Send extra options which are tagged as "red" to
-# any machine with ethernet address starting 11:22:33:
-#dhcp-host=11:22:33:*:*:*,net:red
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
 
-# Ignore any clients which are specified in dhcp-host lines
-# or /etc/ethers. Equivalent to ISC "deny unkown-clients".
-# This relies on the special "known" tag which is set when 
+# Give a fixed IPv6 address and name to client with 
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also that the [] around the IPv6 address are obligatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
 # a host is matched.
-#dhcp-ignore=#known
+#dhcp-ignore=tag:!known
 
 # Send extra options which are tagged as "red" to any machine whose
 # DHCP vendorclass string includes the substring "Linux"
-#dhcp-vendorclass=red,Linux
+#dhcp-vendorclass=set:red,Linux
 
 # Send extra options which are tagged as "red" to any machine one
 # of whose DHCP userclass strings includes the substring "accounts"
-#dhcp-userclass=red,accounts
+#dhcp-userclass=set:red,accounts
 
 # Send extra options which are tagged as "red" to any machine whose
 # MAC address matches the pattern.
-#dhcp-mac=red,00:60:8C:*:*:*
+#dhcp-mac=set:red,00:60:8C:*:*:*
 
 # If this line is uncommented, dnsmasq will read /etc/ethers and act
 # on the ethernet-address/IP pairs found there just as if they had
@@ -232,11 +317,11 @@
 
 # Send options to hosts which ask for a DHCP lease.
 # See RFC 2132 for details of available options.
-# Common options can be given to dnsmasq by name: 
+# Common options can be given to dnsmasq by name:
 # run "dnsmasq --help dhcp" to get a list.
 # Note that all the common settings, such as netmask and
 # broadcast address, DNS server and default route, are given
-# sane defaults by dnsmasq. You very likely will not need 
+# sane defaults by dnsmasq. You very likely will not need
 # any dhcp-options. If you use Windows clients and Samba, there
 # are some options which are recommended, they are detailed at the
 # end of this section.
@@ -250,13 +335,31 @@
 
 # Override the default route supplied by dnsmasq and send no default
 # route at all. Note that this only works for the options sent by
-# default (1, 3, 6, 12, 28) the same line will send a zero-length option 
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
 # for all other option numbers.
 #dhcp-option=3
 
 # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
 #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
 
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running 
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1,1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2,2m
+
 # Set the NTP time server address to be the same machine as
 # is running dnsmasq
 #dhcp-option=42,0.0.0.0
@@ -276,21 +379,24 @@
 
 # Specify an option which will only be sent to the "red" network
 # (see dhcp-range for the declaration of the "red" network)
-# Note that the net: part must precede the option: part.
-#dhcp-option = net:red, option:ntp-server, 192.168.1.1
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
 
 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
 # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
-# you may want to uncomment some or all of them if you use 
+# you may want to uncomment some or all of them if you use
 # Windows clients and Samba.
 #dhcp-option=19,0           # option ip-forwarding off
 #dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
 #dhcp-option=45,0.0.0.0     # netbios datagram distribution server
 #dhcp-option=46,8           # netbios node type
 
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
 # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
 # probably doesn't support this......
 #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
@@ -298,10 +404,10 @@
 # Send RFC-3442 classless static routes (note the netmask encoding)
 #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
 
-# Send vendor-class specific options encapsulated in DHCP option 43. 
+# Send vendor-class specific options encapsulated in DHCP option 43.
 # The meaning of the options is defined by the vendor-class so
 # options are sent only when the client supplied vendor class
-# matches the class given here. (A substring match is OK, so "MSFT" 
+# matches the class given here. (A substring match is OK, so "MSFT"
 # matches "MSFT" and "MSFT 5.0"). This example sets the
 # mtftp address to 0.0.0.0 for PXEClients.
 #dhcp-option=vendor:PXEClient,1,0.0.0.0
@@ -318,7 +424,7 @@
 
 # Send options to PXELinux. Note that we need to send the options even
 # though they don't appear in the parameter request list, so we need
-# to use dhcp-option-force here. 
+# to use dhcp-option-force here.
 # See http://syslinux.zytor.com/pxe.php#special for details.
 # Magic number - needed before anything else is recognised
 #dhcp-option-force=208,f1:00:74:7e
@@ -329,24 +435,27 @@
 # Reboot time. (Note 'i' to send 32-bit value)
 #dhcp-option-force=211,30i
 
-# Set the boot filename for netboot/PXE. You will only need 
-# this is you want to boot machines over the network and you will need
-# a TFTP server; either dnsmasq's built in TFTP server or an
+# Set the boot filename for netboot/PXE. You will only need
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
 # external one. (See below for how to enable the TFTP server.)
 #dhcp-boot=pxelinux.0
 
-# Boot for Etherboot gPXE. The idea is to send two different
-# filenames, the first loads gPXE, and the second tells gPXE what to
-# load. The dhcp-match sets the gpxe tag for requests from gPXE.
-#dhcp-match=gpxe,175 # gPXE sends a 175 option.
-#dhcp-boot=net:#gpxe,undionly.kpxe
-#dhcp-boot=mybootimage
- 
-# Encapsulated options for Etherboot gPXE. All the options are
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
+
+# Encapsulated options for iPXE. All the options are
 # encapsulated within option 175
 #dhcp-option=encap:175, 1, 5b         # priority code
-#dhcp-option=encap:175, 176, 1b       # no-proxydhcp 
-#dhcp-option=encap:175, 177, string   # bus-id 
+#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
+#dhcp-option=encap:175, 177, string   # bus-id
 #dhcp-option=encap:175, 189, 1b       # BIOS drive code
 #dhcp-option=encap:175, 190, user     # iSCSI username
 #dhcp-option=encap:175, 191, pass     # iSCSI password
@@ -356,7 +465,7 @@
 #dhcp-match=peecees, option:client-arch, 0 #x86-32
 #dhcp-match=itanics, option:client-arch, 2 #IA64
 #dhcp-match=hammers, option:client-arch, 6 #x86-64
-#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
 
 # Do real PXE, rather than just booting a single file, this is an
 # alternative to dhcp-boot.
@@ -365,14 +474,14 @@
 #pxe-prompt="Press F8 for menu.", 60
 
 # Available boot services. for PXE.
-#pxe-service=x86PC, "Boot from local disk", 0
+#pxe-service=x86PC, "Boot from local disk"
 
 # Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
-#pxe-service=x86PC, "Install Linux", pxelinux 
+#pxe-service=x86PC, "Install Linux", pxelinux
 
 # Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
 # Beware this fails on old PXE ROMS.
-#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
 
 # Use bootserver on network, found my multicast or broadcast.
 #pxe-service=x86PC, "Install windows from RIS server", 1
@@ -383,32 +492,43 @@
 # If you have multicast-FTP available,
 # information for that can be passed in a similar way using options 1
 # to 5. See page 19 of
-# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf  
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
 
-  
 # Enable dnsmasq's built-in TFTP server
 #enable-tftp
 
-# Set the root directory for files availble via FTP.
+# Set the root directory for files available via FTP.
 #tftp-root=/var/ftpd
 
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
 # Make the TFTP server more secure: with this set, only files owned by
 # the user dnsmasq is running as will be send over the net.
 #tftp-secure
 
-# This option stops dnsmasq from negotiating a larger blocksize for TFTP 
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
 # transfers. It will slow things down, but may rescue some broken TFTP
 # clients.
 #tftp-no-blocksize
 
 # Set the boot file name only when the "red" tag is set.
-#dhcp-boot=net:red,pxelinux.red-net
+#dhcp-boot=tag:red,pxelinux.red-net
 
 # An example of dhcp-boot with an external TFTP server: the name and IP
 # address of the server are given after the filename.
 # Can fail with old PXE ROMS. Overridden by --pxe-service.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
 
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fashion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
 # Set the limit on DHCP leases, the default is 150
 #dhcp-lease-max=150
 
@@ -421,16 +541,24 @@
 # and take over the lease for any client which broadcasts on the network,
 # whether it has a record of the lease or not. This avoids long timeouts
 # when a machine wakes up on a new network. DO NOT enable this if there's
-# the slighest chance that you might end up accidentally configuring a DHCP
+# the slightest chance that you might end up accidentally configuring a DHCP
 # server for your campus/company accidentally. The ISC server uses
 # the same option, and this URL provides more information:
-# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
+# http://www.isc.org/files/auth.html
 #dhcp-authoritative
 
+# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
+# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
+# option with a DHCPACK including a Rapid Commit option and fully committed address
+# and configuration information. This must only be enabled if either the server is 
+# the only server for the subnet, or multiple servers are present and they each
+# commit a binding for all clients.
+#dhcp-rapid-commit
+
 # Run an executable when a DHCP lease is created or destroyed.
-# The arguments sent to the script are "add" or "del", 
+# The arguments sent to the script are "add" or "del",
 # then the MAC address, the IP address and finally the hostname
-# if there is one. 
+# if there is one.
 #dhcp-script=/bin/echo
 
 # Set the cachesize here.
@@ -439,7 +567,7 @@
 # If you want to disable negative caching, uncomment this.
 #no-negcache
 
-# Normally responses which come form /etc/hosts and the DHCP lease
+# Normally responses which come from /etc/hosts and the DHCP lease
 # file have Time-To-Live set as zero, which conventionally means
 # do not cache further. If you are happy to trade lower load on the
 # server for potentially stale date, you can set a time-to-live (in
@@ -490,11 +618,11 @@
 # set for this to work.)
 
 # A SRV record sending LDAP for the example.com domain to
-# ldapserver.example.com port 289
+# ldapserver.example.com port 389
 #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
 
 # A SRV record sending LDAP for the example.com domain to
-# ldapserver.example.com port 289 (using domain=)
+# ldapserver.example.com port 389 (using domain=)
 #domain=example.com
 #srv-host=_ldap._tcp,ldapserver.example.com,389
 
@@ -535,6 +663,17 @@
 # Log lots of extra information about DHCP transactions.
 #log-dhcp
 
-# Include a another lot of configuration options.
+# Include another lot of configuration options.
 #conf-file=/etc/dnsmasq.more.conf
 #conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore

doc.html

@@ -1,113 +1,101 @@
 <HTML>
 <HEAD>
-<TITLE> Dnsmasq - a DNS forwarder for NAT firewalls.</TITLE>
+<TITLE> Dnsmasq - network services for small networks.</TITLE>
+<link rel="icon" href="http://www.thekelleys.org.uk/dnsmasq/images/favicon.ico">
 </HEAD>
 <BODY BGCOLOR="WHITE"> 
-<H1 ALIGN=center>Dnsmasq</H1> 
-Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
- server. It is designed to provide DNS and, optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
- server and allows machines with DHCP-allocated addresses
- to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td align="left" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td>
+<td align="middle" valign="middle"><h1>Dnsmasq</h1></td>
+<td align="right" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td></tr>
+</table>
+Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be 
+lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used 
+for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.
+Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most
+Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.
+
 <P>
- Dnsmasq is targeted at home networks using NAT and 
-connected to the internet via a modem, cable-modem or ADSL
-connection but would be a good choice for any smallish network (up to
-1000 clients is known to work) where low
-resource use and ease of configuration are important. 
-<P>
-Supported platforms include Linux (with glibc and uclibc), *BSD,
-Solaris and Mac OS X.
-Dnsmasq is included in at least the following Linux distributions:
-Gentoo, Debian, Slackware, Suse, Fedora,
-Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l,
-CoyoteLinux, Endian Firewall and
-Clarkconnect. It is also available as FreeBSD, OpenBSD and NetBSD ports and is used in
-Linksys wireless routers (dd-wrt, openwrt and the stock firmware) and the m0n0wall project.
-<P>
-Dnsmasq provides the following features:
+The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and
+caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled). 
 <DIR>
-
-<LI> 
-The DNS configuration of machines behind the firewall is simple and
-doesn't depend on the details of the ISP's dns servers
-<LI>
-Clients which try to do DNS lookups while  a modem link to the
-internet is down will time out immediately.
-</LI>
-<LI>
-Dnsmasq will serve names from the /etc/hosts file on the firewall
-machine: If the names of local machines are there, then they can all
-be addressed without having to maintain /etc/hosts on each machine.
-</LI>
-<LI>
-The integrated DHCP server supports static and dynamic DHCP leases and
-multiple networks and IP ranges. It works across BOOTP relays and
-supports DHCP options including RFC3397 DNS search lists.
-Machines which are configured by DHCP have their names automatically 
-included in the DNS and the names can specified by each machine or
-centrally by associating a name with a MAC address in the dnsmasq
-config file.
-</LI>
-<LI>
-Dnsmasq caches internet addresses (A records and AAAA records) and address-to-name
-mappings (PTR records), reducing the load on upstream servers and
-improving performance (especially on modem connections). 
-</LI>
-<LI>
-Dnsmasq can be configured to automatically pick up the addresses of
-its upstream nameservers from ppp or dhcp configuration. It will
-automatically reload this information if it changes. This facility
-will be of particular interest to maintainers of Linux firewall
-distributions since it allows dns configuration to be made automatic.
-</LI>
-<LI>
-On IPv6-enabled boxes, dnsmasq can both talk to upstream servers via IPv6 
-and offer DNS service via IPv6. On dual-stack (IPv4 and IPv6) boxes it talks
-both protocols and can even act as IPv6-to-IPv4 or IPv4-to-IPv6 forwarder.
-</LI>
-<LI>
-Dnsmasq can be configured to send queries for certain domains to
-upstream servers handling only those domains. This makes integration
-with private DNS systems easy.
-</LI>
-<LI>
-Dnsmasq supports MX and SRV records and can be configured to return MX records
-for any or all local machines.
-</LI>
+<LI>Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.</LI>
+<LI>Upstream servers can be configured in a variety of convenient ways, including  dynamic configuration as these change on moving upstream network.
+<LI>Authoritative DNS mode allows local DNS names may be exported to zone in the global DNS. Dnsmasq acts as authoritative server for this zone, and also provides 
+zone transfer to secondaries for the zone, if required.</LI>
+<LI>DNSSEC validation may be performed on DNS replies from upstream nameservers, providing security against spoofing and cache poisoning.</LI>
+<LI>Specified sub-domains can be directed to their own upstream DNS servers, making VPN configuration easy.</LI>
+<LI>Internationalised domain names are supported.
 </DIR>
+<P>
+The DHCP subsystem supports DHCPv4, DHCPv6, BOOTP and PXE.
+<DIR>
+<LI> Both static and dynamic DHCP leases are supported, along with stateless mode in DHCPv6.</LI>
+<LI> The PXE system is a full PXE server, supporting netboot menus and multiple architecture support. It
+includes proxy-mode, where the PXE system co-operates with another DHCP server.</LI>
+<LI> There is a built in read-only TFTP server to support netboot.</LI>
+<LI> Machines which are configured by DHCP have their names automatically 
+included in the DNS and the names can specified by each machine or
+centrally by associating a name with a MAC address or UID in the dnsmasq
+configuration file.</LI>
+</DIR>
+<P>
+The Router Advertisement subsystem provides basic autoconfiguration for IPv6 hosts. It can be used stand-alone or in conjunction with DHCPv6.
+<DIR>
+<LI> The M and O bits are configurable, to control hosts' use of DHCPv6.</LI>
+<LI> Router advertisements can include the RDNSS option.</LI>
+<LI> There is a mode which uses name information from DHCPv4 configuration to provide DNS entries
+ for autoconfigured IPv6 addresses which would otherwise be anonymous.</LI>
+</DIR>
+<P>
+ 
+For extra compactness, unused features may be omitted at compile time.
 
-<H2>Download.</H2>
 
-<A HREF="http://www.thekelleys.org.uk/dnsmasq/"> Download</A> dnsmasq here. 
+<H2>Get code.</H2>
+
+<A HREF="http://www.thekelleys.org.uk/dnsmasq/">Download</A> dnsmasq here. 
 The tarball includes this documentation, source, and manpage.
 There is also a <A HREF="CHANGELOG"> CHANGELOG</A> and a <A HREF="FAQ">FAQ</A>.
-Dnsmasq is part of the Debian distribution, it can be downloaded from 
-<A HREF="http://ftp.debian.org/debian/pool/main/d/dnsmasq/"> here</A> or installed using <TT>apt</TT>.
 
-<H2>Links.</H2>
-Damien Raude-Morvan has an article in French at <A HREF="http://www.drazzib.com/docs-dnsmasq.html">http://www.drazzib.com/docs-dnsmasq.html</A>
-There is a good article about dnsmasq at <A
-HREF="http://www.enterprisenetworkingplanet.com/netos/article.php/3377351">http://www.enterprisenetworkingplanet.com/netos/article.php/3377351</A>
-and another at <A
-HREF="http://www.linux.com/articles/149040">http://www.linux.com/articles/149040</A>
-and Ilya Evseev has an article in Russian about dnsmasq to be found at
-<A HREF="http://ilya-evseev.narod.ru/articles/dnsmasq">
-http://ilya-evseev.narod.ru/articles/dnsmasq</A>. Ismael Ull has an
-article about dnsmasq in Spanish at <A HREF="http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq">http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq</A>
+Dnsmasq has a git repository which contains the complete release
+history of version 2 and development history from 2.60. You can 
+<A HREF="http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary">browse</A>
+the repo, or get a copy using git protocol with the command
+
+<PRE><TT>git clone git://thekelleys.org.uk/dnsmasq.git </TT></PRE>
+
+or
+
+<PRE><TT>git clone http://thekelleys.org.uk/git/dnsmasq.git </TT></PRE>
+
 <H2>License.</H2>
-Dnsmasq is distributed under the GPL. See the file COPYING in the distribution 
+Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution 
 for details.
 
 <H2>Contact.</H2>
 There is a dnsmasq mailing list at <A
 HREF="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss">
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</A> which should be the
-first location for queries, bugreports, suggestions etc.
-Dnsmasq was written by Simon Kelley. You can contact me at <A
+first location for queries, bugreports, suggestions etc. The list is mirrored, with a
+search facility, at <A HREF="https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/">
+https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/</A>.
+You can contact me at <A
 HREF="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</A>.
+
+<H2>Donations.</H2>
+Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. 
+These days I'm working on it as my main activity. 
+I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make 
+a contribution towards my expenses, please use the donation button below.
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
+<input type="hidden" name="cmd" value="_s-xclick">
+<input type="hidden" name="hosted_button_id" value="V3X9GVW5GX6DA">
+<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
+<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
+</form>
+
+
 </BODY>
 

logo/README

@@ -0,0 +1,12 @@
+Dnsmasq logo, contributed by Justin Clift.
+
+The source format is Inkscape SVG vector format, which is scalable and
+easy to export to other formats. For convenience I've included a 56x31
+png export and a 16x16 ico suitable for use as a web favicon.
+
+Simon Kelley, 22/10/2010
+
+
+
+
+ 

logo/icon.svg

@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.1"
+   x="0px"
+   y="0px"
+   width="56"
+   height="31"
+   viewBox="0 0 56 31"
+   enable-background="new 0 0 72.833 46.667"
+   xml:space="preserve"
+   id="svg2"
+   inkscape:version="0.47 r22583"
+   sodipodi:docname="dnsmasq_icon.svg"
+   inkscape:export-filename="/x/centos_home/jc/workspace/git_repos/libvirt-media/libvirt-media/png/dnsmasq_icon.png"
+   inkscape:export-xdpi="90"
+   inkscape:export-ydpi="90"><metadata
+   id="metadata27"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><defs
+   id="defs25"><inkscape:perspective
+   sodipodi:type="inkscape:persp3d"
+   inkscape:vp_x="0 : 23.3335 : 1"
+   inkscape:vp_y="0 : 1000 : 0"
+   inkscape:vp_z="72.833 : 23.3335 : 1"
+   inkscape:persp3d-origin="36.4165 : 15.555667 : 1"
+   id="perspective4857" />
+	<filter
+   id="filter3802"
+   inkscape:label="filter1"
+   color-interpolation-filters="sRGB" /><linearGradient
+   inkscape:collect="always"
+   xlink:href="#SVGID_3_"
+   id="linearGradient4929"
+   gradientUnits="userSpaceOnUse"
+   x1="30.564501"
+   y1="-8.8144999"
+   x2="32.937"
+   y2="32.715599" />
+		<linearGradient
+   inkscape:collect="always"
+   xlink:href="#SVGID_3_"
+   id="linearGradient5798"
+   gradientUnits="userSpaceOnUse"
+   x1="30.564501"
+   y1="-8.8144999"
+   x2="32.937"
+   y2="32.715599" /><linearGradient
+   inkscape:collect="always"
+   xlink:href="#SVGID_3_"
+   id="linearGradient5812"
+   gradientUnits="userSpaceOnUse"
+   x1="30.564501"
+   y1="-8.8144999"
+   x2="32.937"
+   y2="32.715599" /><filter
+   id="filter6262"
+   inkscape:label="Drop shadow"
+   width="1.5"
+   height="1.5"
+   x="-0.25"
+   y="-0.25"
+   color-interpolation-filters="sRGB"><feGaussianBlur
+     id="feGaussianBlur6264"
+     in="SourceAlpha"
+     stdDeviation="2.500000"
+     result="blur" /><feColorMatrix
+     id="feColorMatrix6266"
+     result="bluralpha"
+     type="matrix"
+     values="1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0.500000 0 " /><feOffset
+     id="feOffset6268"
+     in="bluralpha"
+     dx="2.700000"
+     dy="2.600000"
+     result="offsetBlur" /><feMerge
+     id="feMerge6270"><feMergeNode
+       id="feMergeNode6272"
+       in="offsetBlur" /><feMergeNode
+       id="feMergeNode6274"
+       in="SourceGraphic" /></feMerge></filter></defs><sodipodi:namedview
+   pagecolor="#ffffff"
+   bordercolor="#666666"
+   borderopacity="1"
+   objecttolerance="10"
+   gridtolerance="10"
+   guidetolerance="10"
+   inkscape:pageopacity="0"
+   inkscape:pageshadow="2"
+   inkscape:window-width="1568"
+   inkscape:window-height="1076"
+   id="namedview23"
+   showgrid="false"
+   inkscape:zoom="8"
+   inkscape:cx="31.966768"
+   inkscape:cy="21.211869"
+   inkscape:window-x="567"
+   inkscape:window-y="328"
+   inkscape:window-maximized="0"
+   inkscape:current-layer="layer1"
+   inkscape:showpageshadow="false"
+   showborder="true" />
+<g
+   inkscape:groupmode="layer"
+   id="layer1"
+   inkscape:label="dnsmasq"
+   style="display:inline"
+   transform="translate(5.2838057,-15.545371)"><g
+     id="g3790"
+     transform="matrix(0.8183832,0,0,0.8183832,65.304897,9.8747678)"
+     style="filter:url(#filter6262)"
+     inkscape:export-xdpi="90"
+     inkscape:export-ydpi="90"><g
+       transform="translate(-91.018462,1.0687099)"
+       id="g9">
+			<path
+   style="fill:#6700ad"
+   inkscape:connector-curvature="0"
+   id="path11"
+   d="M 54.997,12.151 C 50.083,9.132 43.29,7.266 35.791,7.266 c -7.5,0 -14.29,1.866 -19.204,4.885 -4.915,3.016 -7.956,7.184 -7.956,11.789 0,4.604 3.041,8.772 7.956,11.788 4.914,3.02 11.704,-4.271 19.204,-4.271 7.499,0 14.292,7.291 19.206,4.271 4.914,-3.016 7.955,-7.185 7.955,-11.788 0,-4.606 -3.041,-8.773 -7.955,-11.789 z M 24.996,24.318 c -2.698,0 -4.885,-0.922 -4.885,-2.061 0,-1.14 2.187,-2.063 4.885,-2.063 2.697,0 4.885,0.924 4.885,2.063 0,1.139 -2.188,2.061 -4.885,2.061 z m 21.501,0.191 c -2.686,0 -4.861,-0.856 -4.861,-1.912 0,-1.054 2.176,-1.911 4.861,-1.911 2.685,0 4.863,0.857 4.863,1.911 0,1.056 -2.178,1.912 -4.863,1.912 z" />
+			<path
+   style="fill:none;stroke:#ffb616;stroke-width:1.85353255"
+   inkscape:connector-curvature="0"
+   id="path13"
+   d="M 54.997,12.151 C 50.083,9.132 43.29,7.266 35.791,7.266 c -7.5,0 -14.29,1.866 -19.204,4.885 -4.915,3.016 -7.956,7.184 -7.956,11.789 0,4.604 3.041,8.772 7.956,11.788 4.914,3.02 11.704,-4.271 19.204,-4.271 7.499,0 14.292,7.291 19.206,4.271 4.914,-3.016 7.955,-7.185 7.955,-11.788 0,-4.606 -3.041,-8.773 -7.955,-11.789 z M 24.996,24.318 c -2.698,0 -4.885,-0.922 -4.885,-2.061 0,-1.14 2.187,-2.063 4.885,-2.063 2.697,0 4.885,0.924 4.885,2.063 0,1.139 -2.188,2.061 -4.885,2.061 z m 21.501,0.191 c -2.686,0 -4.861,-0.856 -4.861,-1.912 0,-1.054 2.176,-1.911 4.861,-1.911 2.685,0 4.863,0.857 4.863,1.911 0,1.056 -2.178,1.912 -4.863,1.912 z" />
+		</g><g
+       transform="translate(-91.018462,1.0687099)"
+       id="Layer_2">
+	<linearGradient
+   y2="32.715599"
+   x2="32.937"
+   y1="-8.8144999"
+   x1="30.564501"
+   gradientUnits="userSpaceOnUse"
+   id="SVGID_3_">
+		<stop
+   id="stop17"
+   style="stop-color:#FFFFFF;stop-opacity:0.73"
+   offset="0" />
+		<stop
+   id="stop19"
+   style="stop-color:#FFFFFF;stop-opacity:0"
+   offset="1" />
+	</linearGradient>
+	<path
+   inkscape:connector-curvature="0"
+   style="fill:url(#linearGradient5812)"
+   id="path21"
+   d="m 54.1,15.361 c -0.924,1.078 -2.782,1.265 -3.857,1.06 C 38,14.083 22.75,12.75 16.027,23.031 14.858,24.819 11.992,25.39 10.293,23.887 8.631,22.417 13.105,15.804 17.646,13.033 22.194,10.252 28.474,8.53 35.41,8.53 c 6.936,0 13.215,1.722 17.756,4.502 0.731,0.442 1.627,1.52 0.934,2.329 z" />
+</g></g></g></svg>

man/es/dnsmasq.8

@@ -49,7 +49,8 @@ ese directorio.
 .TP
 .B \-E, --expand-hosts
 Agregar el dominio a nombres sencillos (sin punto) en /etc/hosts de la
-misma manera que con nombres derivados de DHCP.
+misma manera que con nombres derivados de DHCP. Nótese que esto no
+aplica a nombres de dominio en cnames, expedientes PTR, TXT, etc.
 .TP
 .B \-T, --local-ttl=<tiempo>
 Al responder con información desde /etc/hosts o desde el archivo
@@ -67,8 +68,14 @@ informaci
 dnsmasq usa para hacer caché. Si las respuestas de servidores upstream
 omiten esta información, dnsmasq no mete la respuesta en el caché.
 Esta opción brinda un valor predeterminado para el time-to-live que
-dnsmasq usa para meter respuestas en el caché aún en la ausencia de
-un expediente SOA.
+dnsmasq usa para meter respuestas negativas en el caché aún en la
+ausencia de un expediente SOA.
+.TP
+.B --max-ttl=<tiempo>
+Fijar un valor TTL (tiempo de vida) máximo que será entregado a
+clientes. El TTL máximo especificado será otorgado a clientes en vez
+del TTL verdadero si es menor. El valor TTL real es mantenido en el caché
+para prevenir la inundación de los servidores DNS upstream.
 .TP
 .B \-k, --keep-in-foreground
 No ir hacia el fondo al iniciar, pero aparte de eso ejecutar como
@@ -90,7 +97,8 @@ Fijar la facilidad a la cual dnsmasq deber
 esto es DAEMON por predeterminado, y LOCAL0 cuando el modo debug está
 en operación. Si la facilidad brindada contiene por lo menos un carácter
 "/", se trata como un nombre de archivo, y dnsmasq bitacoreará a dicho
-archivo, en vez de syslog. (Errores durante la lectura de la configuración
+archivo, en vez de syslog. Si la facilidad es '-' entonces dnsmasq
+bitacorea a stderr. (Errores durante la lectura de la configuración
 irán a syslog todavía, pero todo output desde un inicio exitoso, y todo
 output mientras en ejecución, irá a este archivo exclusivamente.)
 Al bitacorear a un archivo, dnsmasq cerrará y reabrirá el archivo al
@@ -133,8 +141,8 @@ solo DHCP y/o TFTP.
 .TP
 .B \-P, --edns-packet-max=<tamaño>
 Especificar el paquete UDP EDNS.0 más grande que es soportado por
-el reenviador DNS. Por predeterminado es 1280, lo cual es el
-máximo recomendado en RFC2671 para ethernet.
+el reenviador DNS. Por predeterminado es 4096, lo cual es el
+tamaño recomendado en RFC5625.
 .TP
 .B \-Q, --query-port=<puerto>
 Enviar búsquedas outbound desde, y escuchar por respuestas en,
@@ -303,6 +311,17 @@ Denegar (y bitacorear) direcciones de servidores upstream que est
 dentro de rangos IP privados. Esto bloquea un ataque donde un navegador
 detrás de un firewall es usado para analizar máquinas en la red local.
 .TP
+.B --rebind-localhost-ok
+Eximir a 127.0.0.0/8 de verificaciones de rebinding. Este rango de
+direcciones es retornado por servidores de tiempo real tipo hoyo
+negro, así que bloquearlo puede deshabilitar estos servicios.
+.TP
+.B  --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
+No detectar y bloquear dns-rebind en búsquedas a estos dominios. El
+argumento puede ser o un dominio sencillo, o múltiples dominios
+rodeados por '/', como el syntax de --server, por ejemplo
+.B  --rebind-domain-ok=/dominio1/dominio2/dominio3/
+.TP
 .B \-n, --no-poll
 No revisar periodicamente a /etc/resolv.conf en busca de cambios.
 .TP
@@ -338,6 +357,20 @@ ser especificado como parte de la direcci
 #. Más de una opción -S es permitida, con partes de dominio o
 dirección IP repetidas como sea necesario.
 
+Dominios más específicos toman precedencia sobre los menos específicos,
+así que:
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/2.3.4.5
+enviará búsquedas por *.google.com hacia 1.2.3.4, excepto
+*www.google.com, el cual irá a 2.3.4.5.
+
+La dirección especial de servidor '#' significa "usar los servidores
+estándares", así que
+.B --server=/google.com/1.2.3.4
+.B --server=/www.google.com/#
+enviará búsquedas por *.google.com hacia 1.2.3.4, excepto
+*www.google.com, el cual será reenviado de manera usual.
+
 También se permite una opción -S la cual brinda un dominio pero
 ninguna dirección IP; esto le dice a dnsmasq que un dominio es local
 y puede responder a búsquedas desde /etc/hosts o DHCP pero nunca
@@ -445,7 +478,8 @@ la traza reversa direcci
 .TP
 .B \-c, --cache-size=<tamaño de caché>
 Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
-Fijar el tamaño a cero deshabilita el caché.
+Fijar el tamaño a cero deshabilita el caché. Nota: el gran tamaño de
+caché afecta el rendimiento.
 .TP
 .B \-N, --no-negcache
 Deshabilitar caché negativo. El caché negativo le permite a dnsmasq
@@ -459,7 +493,7 @@ de casos. La
 es al usar resolvedores de bitácoras de servidores web, los cuales pueden
 generar un número inmenso de búsquedas simultáneas.
 .TP
-.B \-F, --dhcp-range=[[net:]network-id,]<dirección-inicio>,<dirección-final>[[,<máscara>],<broadcast>][,<tiempo de arriendo>]
+.B \-F, --dhcp-range=[interface:<interface>,][tag:<tag>[,tag:<tag>],][set:<tag],]<dirección-inicio>,<dirección-final>[,<netmask>[,<broadcast>]][,<tiempo de arriendo>]
 Habilitar el servidor DHCP. Direcciones serán distribuidas desde el
 rango <dirección-inicio> hasta <dirección-final> y desde direcciones definidas
 estáticamente en opciones
@@ -476,10 +510,13 @@ cuales la m
 máscara de subred es opcional. Pero, es requerida para redes que
 reciben servicio DHCP vía un agente de relay. La dirección de
 broadcast siempre es opcional. Siempre se permite tener más de
-un rango dhcp (dhcp-range) en una subred. El parámetro opcional
-network-id es una etiqueta alfanumérica la cual marca esta red de
+un rango dhcp (dhcp-range) en una subred.
+
+El parámetro opcional
+.B set:<tag>
+fija una etiqueta alfanumérica la cual marca esta red de
 tal forma que opciones dhcp puedan ser especificadas en base a cada red.
-Cuando es prefijada con 'net:' entonces el significado cambia
+Cuando es prefijada con 'tag:' en vez, entonces el significado cambia
 de "fijar etiqueta" a "coincidir con etiqueta". Solo una etiqueta puede
 ser fijada, pero más de una puede ser revisada por coincidencias. La
 dirección final puede ser remplazada por la palabra clave
@@ -496,8 +533,11 @@ caso en el cual dnsmasq proveer
 y
 .B pxe-service
 para detalles.)
+
+La sección interface:<interface name> no es normalmente usada. Ver la
+sección NOTAS para detalles sobre esto.
 .TP
-.B \-G, --dhcp-host=[<dirección de hardware>][,id:<client_id>|*][,net:<netid>][,<dirección IP>][,<nombre de host>][,<tiempo de arriendo>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<tiempo_de_arriendo>][,ignorar]
 Especificar parámetros por host para el servidor DHCP. Esto permite
 que una máquina con una dirección de hardware particular sea siempre
 alocada el mismo nombre de host, dirección IP, y tiempo de arriendo.
@@ -512,10 +552,15 @@ le dice a dnsmasq que debe darle a la m
 ethernet 00:20:e0:3b:13:af el nombre wap, y un arriendo DHCP infinito.
 .B --dhcp-host=lap,192.168.0.199
 le dice a dnsmasq que siempre debe alocarle a la maquina lap
-la dirección IP 192.168.0.199. Direcciones alocadas de esta manera
-no tienen que estar dentro del rango dado con la opción --dhcp-range,
-pero deben estar en la red siendo servida por el servidor DHCP. Se
-permite usar identificadores de clientes en vez de direcciones de
+la dirección IP 192.168.0.199.
+
+Direcciones alocadas de esta manera no tienen que estar dentro
+del rango dado con la opción --dhcp-range, pero deben estar en la subred
+de un rango DHCP (dhcp-range) válido. Para subredes que no necesitan
+una collección de direcciones dinamicamente alocadas, usar la palabra
+clave "static" in la declaración dhcp-range.
+
+Es permitido usar identificadores de cliente en vez de direcciones de
 hardware para identificar hosts prefijando 'id:'. O sea que:
 .B --dhcp-host=id:01:02:03:04,.....
 se refiere al host con identificador de cliente 01:02:03:04.
@@ -529,7 +574,14 @@ presenta un ID de cliente algunas veces pero otras no.
 Si un nombre aparece en /etc/hosts, la dirección asociada puede
 ser alocada a un arriendo DHCP, pero solo si existe una opción
 .B --dhcp-host
-la cual especifica el nombre también. La palabra clave "ignore"
+la cual especifica el nombre también. Solo un hostname puede ser
+brindado en una opción
+.B dhcp-host
+pero aliases son posibles por medio del uso de CNAMEs. (Ver
+.B --cname
+).
+
+La palabra clave "ignore"
 le dice a dnsmasq que no debe ofrecer jamás un arriendo DHCP a
 una máquina. La máquina puede ser especificada por dirección de
 hardware, ID de cliente, o nombre de host, por ejemplo:
@@ -537,14 +589,16 @@ hardware, ID de cliente, o nombre de host, por ejemplo:
 Esto es útil cuando hay otro servidor DHCP en la red que debe ser
 usado por algúnas máquinas.
 
-El net:<network-id> fija la etiqueta network-id cuando sea que
+El set:<tag> fija la etiqueta cuando sea que
 esta directiva dhcp-host está en uso. Esto puede ser usado para
-enviar selectivamente opciones DHCP a este host. Cuando un host
-coincide con cualquier directiva dhcp-host (o una implicada por
-/etc/ethers) entonces la etiqueta network-id especial "known" es
+enviar selectivamente opciones DHCP a este host. Más de una etiqueta
+puede ser fijada en una directiva dhcp-host (pero no en otros lugares
+donde "set:<tag>" es permitido). Cuando un host coincide con 
+cualquier directiva dhcp-host (o una implicada por
+/etc/ethers) entonces la etiqueta especial "known" es
 fijada. Esto permite que dnsmasq sea configurado para ignorar
 pedidos desde máquinas desconocidas usando
-.B --dhcp-ignore=#known
+.B --dhcp-ignore=tag:!known
 Direcciones ethernet (pero no client-ids) pueden tener bytes
 comodínes, así que por ejemplo
 .B --dhcp-host=00:20:e0:3b:13:*,ignore
@@ -578,6 +632,11 @@ Leer informaci
 Leer información sobre opciones DHCP desde el archivo especificado. La
 ventaja de usar esta opción es la misma que con --dhcp-hostsfile: el
 archivo dhcp-optsfile será re-leído cuando dnsmasq recibe un SIGHUP.
+Nótese que es posible colocar la información mediante
+.B --dhcp-boot
+como opciones DHCP, usando los nombres de opción bootfile-name,
+server-ip-address, y tftp-server. Esto permite que sean incluidas en
+un archivo dhcp-optsfile.
 .TP
 .B \-Z, --read-ethers
 Leer /etc/ethers en busca de información sobre hosts para el servidor
@@ -585,9 +644,10 @@ DHCP. El formato de /etc/ethers es una direcci
 por ya sea un nombre de host o una dirección IP. Al ser leidas por
 dnsmasq, estas líneas tienen exáctamente el mismo efecto que opciones
 .B --dhcp-host
-que contienen la misma información. /etc/ethers es re-leída cuando dnsmasq recibe un SIGHUP.
+que contienen la misma información. /etc/ethers es re-leída cuando
+dnsmasq recibe un SIGHUP.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
+.B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
 Especificar opciones diferentes o extra a clientes DHCP. Por
 predeterminado, dnsmasq envía algunas opciones estándar a clientes
 DHCP. La máscara de subred y dirección broadcast son fijadas igual
@@ -612,9 +672,9 @@ o
 La dirección especial 0.0.0.0 es entendida que significa "la
 dirección de la máquina que corre dnsmasq". Tipos de data permitidos
 son direcciones IP de cuatro segmentos, un número decimal, dígitos hex
-separados por colones, y un string de texto. Si las network-ids
+separados por colones, y un string de texto. Si las etiquetas
 opcionales son brindadas, entonces esta opción es solo enviada cuando
-todas las network-ids coinciden.
+todas las etiquetas coinciden.
 
 Procesamiento especial es llevado a cabo en un argumento de texto para
 la opción 119, en conforme con RFC3397. Direcciones IP textuales o de
@@ -657,9 +717,16 @@ enviar
 opciones son brindadas que están encapsuladas con el mismo número de
 opción entonces serán correctamente combinadas en una opción encapsulada.
 encap: y vendor: no pueden ser fijadas ambas dentro de la misma opción dhcp-option.
+
+La variante final en opciones encapsuladas es "Vendor-Identifying Vendor Options"
+como especificado en RFC3925. Estos son denotados así:
+.B --dhcp-option=rfc3925-encap:2, 10, "text"
+El número en la sección rfc3925-encap: es el número enterprise usado
+para identificar esta opción.
+
 La dirección 0.0.0.0 no es tratada de forma especial en opciones encapsuladas.
 .TP
-.B --dhcp-option-force=[<network-id>,[<network-id>,]][encap:<opt>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
+.B --dhcp-option-force=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 Esto funciona exáctamente de la misma forma que
 .B --dhcp-option
 excepto que la opción siempre será enviada, aún si el cliente no la pide en
@@ -674,20 +741,21 @@ hacia opciones DHCP. Esto crea espacio extra en el paquete DHCP para opciones,
 pero puede raramente confundir clientes viejos o defectuosos. Esta opción forza
 comportamiento "simple y sencillo" para prevenir problemas en tales casos.
 .TP
-.B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
-Trazar desde un string vendor-class a un network id. La mayoría de los
+.B \-U, --dhcp-vendorclass=set:<tag>,<vendor-class>
+Trazar desde un string vendor-class a una etiqueta. La mayoría de los
 clientes DHCP proveen una "vendor class" la cual representa, en cierto
 sentido, el tipo de host. Esta opción traza clases de vendedor a network
 ids, de tal forma que opciones DHCP pueden ser selectivamente entregadas
 a diferentes clases de hosts. Por ejemplo
-.B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
+.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 peritiría que opciones sean fijadas solo para impresoras HP así:
-.B --dhcp-option=printers,3,192.168.4.4 
+.B --dhcp-option=tag:printers,3,192.168.4.4
 El string vendor-class es coordinado con el vendor-class proveido por
-el cliente, para permitir coincidencias borrosas.
+el cliente, para permitir coincidencias borrosas. El prefijo set: es
+opcional, pero permitido por razones de consistencia.
 .TP
-.B \-j, --dhcp-userclass=<network-id>,<user-class>
-Trazar desde un string user-class a un network id (con coordinación
+.B \-j, --dhcp-userclass=set:<tag>,<user-class>
+Trazar desde un string user-class a una etiqueta (con coordinación
 substring, como con vendor-class). La mayoría de los clientes DHCP
 proveen un "user class" el cual es configurable. Esta opción traza
 clases user a network ids, de tal manera que opciones DHCP puedan
@@ -695,26 +763,43 @@ ser selectivamente enviadas a diferentes tipos de hosts. Es posible,
 por ejemplo, usar esto para especificar una impresora diferente para
 hosts en la clase "cuentas" que para los de la clase "ingenieria".
 .TP
-.B \-4, --dhcp-mac=<network-id>,<dirección MAC>
-Trazar desde una dirección MAC a una network id. La dirección MAC
+.B \-4, --dhcp-mac=set:<tag>,<MAC address>
+Trazar desde una dirección MAC a una etiqueta. La dirección MAC
 puede incluir comodínes. Por ejemplo:
-.B --dhcp-mac=3com,01:34:23:*:*:*
+.B --dhcp-mac=set:3com,01:34:23:*:*:*
 fijaría el tag "3com" a cualquier host el cual su MAC coincida con
 el patrón.
 .TP
 .B --dhcp-circuitid=<network-id>,<circuit-id>, --dhcp-remoteid=<network-id>,<remote-id>
-Trazar de opciones agente de relay RFC3046 a opciones network-id. Estos
+Trazar de opciones agente de relay RFC3046 a etiquetas. Estos
 datos pueden ser proveídos por agentes de relay DHCP. El circuit-id o
 remote-id es normlamente brindado como hex separado por doblepuntos, pero
 también se permite un string simple. Si se obtiene una coincidencia exacta
 entre el circuit o agent ID y uno proveído por un agente de relay,
-network-id es fijado.
+la etiqueta es fijada.
 .TP
-.B --dhcp-subscrid=<network-id>,<subscriber-id>
-Trazar de opciones relay subscriber-id RFC3993 a opciones network-id.
+.B --dhcp-subscrid=set:<tag>,<subscriber-id>
+Trazar de opciones relay subscriber-id RFC3993 a etiquetas.
 .TP
-.B --dhcp-match=<network-id>,<option number>|option:<option name>[,<value>]
-Sin un valor, fijar la etiqueta network-id si el cliente envía una opción
+.B --dhcp-proxy[=<ip addr>]......
+Un agente de relay normal es usado solamente para reenviar las partes
+iniciales de una interacción DHCP con el servidor DHCP. Una vez que
+un cliente es configurado, se comunica diectamente con el servidor. Esto
+es indeseable si el agente de relay está agregando información extra a
+los paquetes DHCP, tal como usado por
+.B dhcp-circuitid
+y
+.B dhcp-remoteid.
+Una implementación relay completa puede usar la opción serverid-override
+RFC 5107 para obligar al servidor DHCP a usar el relay como un proxy
+completo, con todos los paquetes pasando a travez de el. Esta opción
+provee una manera alternativa de hacer la misma cosa, para relays que
+no tienen soporte RFC 5107. Brindada por si sola, manipula el server-id
+para todas las interacciones via relays. Si una lista de IPs es brindada,
+solo interacciones via relays en esas direcciones son afectadas.
+.TP
+.B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
+Sin un valor, fijar la etiqueta si el cliente envía una opción
 DHCP del número o valor brindado. Cuando un valor es brindado, fijar la
 etiqueta solo si la opción es enviada y coincide con el valor. El valor puede
 ser de la forma "01:ff:*:02", caso en el cual el valor debe coincidir (aparte
@@ -724,45 +809,66 @@ del final del valor. El valor tambi
 caso en el cual la opción enviada es tratada como un array, y un elemento debe
 coincidir, así que
 
---dhcp-match=efi-ia32,option:client-arch,6
+--dhcp-match=set:efi-ia32,option:client-arch,6
 
 fijará la etiqueta a "efi-ia32" si el número 6 aparece en la lista de
 architecturas enviada por los clientes en opción 93. (Ver RFC 4578 para
 detalles.) Si el valor es un string, coincidencia substring es usada.
-.B \-J, --dhcp-ignore=<network-id>[,<network-id>]
-Cuando todos los network ids brindados coincidan con el juego de
-network ids derivados de las clases net, host, y vendor, ignorar
-el host y no brindarle un arriendo DHCP.
+
+La forma especial con vi-encap:<enterpise number> busca coincidencia con
+clases de vendedor identificadoras para el enterprise especificado. Por
+favor ver RFC 3925 para mas detalles sobre estas bestias raras e interesantes.
 .TP
-.B --dhcp-ignore-names[=<network-id>[,<network-id>]]
-Cuando todos los network-ids brindados coinciden con el juego de
-network-ids derivado de la red, host, classes de vendedor y usuario,
-ignorar cualquier nombre de host proveido por el host. Nótese que,
-a diferencia de dhcp-ignore, es permisible no brindar ningún tag netid,
+.B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
+Llevar a cabo operaciones boolean en etiquetas. Cualquier etiqueta
+que aparece como set:<tag> es fijada si todas las etiquetas que aparecen
+como tag:<tag> estan fijadas, (o desfijadas cuando tag:!<tag> es
+usado). Si ningún tag:<tag> aparece, etiquetas set:<tag> son fijadas
+incondicionalmente. Cualquier cantidad de formas set: y tag:
+pueden aparecer, en cualquier orden. Líneas tag-if son ejecutadas
+en orden, así que si la etiqueta en tag:<tag> es una etiqueta fijada
+por otra
+.B tag-if,
+la línea que fija la etiqueta debe preceder a la que comprueba.
+.TP
+.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
+Cuando todoas las etiquetas brindadas aparecen en el juego de etiquetas
+ignorar el host y no brindarle un arriendo DHCP.
+.TP
+.B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
+Cuando todos las etiquetas brindadas aparecen en el juego de etiquetas, ignorar cualquier nombre de host proveido por el host. Nótese que,
+a diferencia de dhcp-ignore, es permisible no brindar ninguna etiqueta,
 y en tal caso nombres de host proveidos por clientes DHCP siempre son
 ignorados, y hosts DHCP son agregados al DNS usando solo la configuración
 dhcp-host en dnsmasq y el contenido de /etc/hosts y /etc/ethers.
 .TP
-.B --dhcp-broadcast=<network-id>[,<network-id>]
-Cuando todos los network-ids brindados coinciden con el juego de network-ids
-derivados de la red, host, clases de vendedor y usuarios, siempre usar
-broadcast para comunicarse con el host cuando está sin configurar. La
-mayoría de clientes DHCP que necesitan respuestas broadcast fijan una
-opción en sus pedidos para que esto pase automaticamente, algunos
-clientes BOOTP viejos no lo hacen.
+.B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
+Generar un nombre para clientes DHCP que de otra forma no tienen uno,
+usando la dirección MAC expresada en hex, separada por guiones. Nótese
+que si un host provee un nombre, será usado preferiblemente sobre este,
+a menos que
+.B --dhcp-ignore-names
+esté fijado.
 .TP
-.B \-M, --dhcp-boot=[net:<network-id>,]<filename>,[<servername>[,<server address>]]
+.B --dhcp-broadcast[=tag:<tag>[,tag:<tag>]]
+Cuando todas las etiquetas aparecen en el juego de etiquetas, siempre
+usar broadcast para comunicar con el host cuando no está configurado.
+Es permisible omitir las etiquetas, caso en el cual esto es
+incondicional. La mayoría de clientes DHCP que necesitan
+respuestas broadcast fijan una opción en sus pedidos para que esto pase automaticamente, algunos clientes BOOTP viejos no lo hacen.
+.TP
+.B \-M, --dhcp-boot=[tag:<tag>,]<filename>,[<servername>[,<server address>]]
 Fijar opciones BOOTP que han de ser devueltas por el servidor DHCP. Nombre
 y dirección de servidor son opcionales: si no son brindadas, el nombre es
 dejado en blanco, y la dirección es fijada a la de la máquina que corre
 dnsmasq. Si dnsmasq está brindando servicio TFTP (ver
 .B --enable-tftp
 ) entonces solo el nombre de archivo es requirido aquí para habilitar
-el inicio atravéz de una red. Si las opcionales network-ids son brindadas,
+el inicio atravéz de una red. Si las opcionales etiquetas son brindadas,
 ellas deberán coincidir para que esta configuración sea enviada. Nótese
 que network-ids están prefijadas con "net:" para distinguirlas.
 .TP
-.B --pxe-service=[net:<network-id>,]<CSA>,<texto de menú>,<nombre base>|<tipo de servicio boot>[,<dirección de servidor>]
+.B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>]
 La mayoría de usos para boot-ROMS PXE simplemente permiten al sistema PXE
 obtener una dirección IP y entonces bajar el archivo especificado por
 .B dhcp-boot
@@ -784,12 +890,13 @@ direcci
 Nótese que el sufijo "layer" (normalmente ".0") es brindado por PXE, y
 no debe ser agregado al nombre base. Si un número entero es brindado en vez
 de un nombre base, entonces el cliente PXE buscará un servicio boot adecuado
-para ese tipo de red. Esta búsqueda puede ser hecha mediante multicast o
-broadcast, o directamente a un servidor si la dirección IP es brindada. Un
-tipo de servicio boot de 0 es especial, y abortará el proceso boot de red
-y continuará desde medio local.
+para ese tipo de red. Esta búsqueda puede ser hecha mediante broadcast,
+o directamente a un servidor si la dirección IP es brindada. Si ningún tipo
+de servicio boot o nombre de archivo es brindado (o un tipo de servicio boot
+de 0 es especificado), entonces la opción de menú abortará el proceso net boot
+y continuará desde el medio local.
 .TP
-.B --pxe-prompt=[net:<network-id>,]<prompt>[,<timeout>]
+.B --pxe-prompt=[tag:<tag>,]<prompt>[,<timeout>]
 Fijar esto hace que un aviso sea expuesto despues del boot PXE. Si el timeout
 es brindado, entonces despues que el timeout se haya vencido sin input del
 teclado, la primera opción del menú sera automaticamente ejecutada. Si el
@@ -815,7 +922,7 @@ en
 .TP
 .B \-X, --dhcp-lease-max=<número>
 Limita a dnsmasq a el número especificado de arriendos DHCP. El
-predeterminado es 150. El limite es para prevenir ataques DoS desde
+predeterminado es 1000. El limite es para prevenir ataques DoS desde
 hosts que crean cientos de arriendos y usan mucha de la memoria del
 proceso dnsmasq.
 .TP
@@ -855,7 +962,7 @@ cuidado.
 .TP
 .B --log-dhcp
 Bitacoréo extra para DHCP: Bitacorear todas las opciones enviadas a
-clientes DHCP y las etiquetas netid usadas para determinarlos.
+clientes DHCP y las etiquetas usadas para determinarlos.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Usar el archivo especificado para almacenar información de arriendos
@@ -864,6 +971,7 @@ DHCP.
 .B \-6 --dhcp-script=<path>
 Cuando un arriendo DHCP nuevo es creado, o uno viejo es
 destruido, el ejecutable especificado por esta opción es ejecutado.
+<path> debe ser un pathname absoluto, ninguna búsqueda PATH ocurre.
 Los argumentos para el binario son "add", "old", o "del", la dirección
 MAC del host, la dirección IP, y el hostname, si es
 conocido. "add" significa que un arriendo ha sido creado, "del" que
@@ -875,36 +983,64 @@ que no es ethernet, tendr
 "06-01:23:45:67:89:ab" para token ring. El proceso es ejecutado como root
 (asumiendo que dnsmasq fue originalmente ejecutado como root) aún si dnsmasq
 está configurado para cambiar su UID a un usuario sin privilegios.
-El ambiente es heredado del usuario que ha invocado a dnsmasq, y si el
-host brindó un client-id, es almacenado en la variable de ambiente
-DNSMASQ_CLIENT_ID. Si el dominio completamente calificado del host
-es conocido, la parte de dominio es almacenada en DNSMASQ_DOMAIN. Si
-el cliente brinda información de clase de vendedoro usuario,
-estos son brindados en las variables DNSMASQ_VENDOR_CLASS y
+
+
+El ambiente es heredado del usuario que ha invocado a dnsmasq, con algunas
+o todas de las siguientes variables agregadas.
+
+DNSMASQ_CLIENT_ID si el host brindo un client-id.
+
+DNSMASQ_DOMAIN si el nombre de dominio completamente calificado del host
+es conocido, esto es fijado a la parte del dominio.
+
+Si el cliente brinda vendor-class, hostname o user-class, estos son
+brindados en las variables
+DNSMASQ_VENDOR_CLASS, DNSMASQ_SUPPLIED_HOSTNAME, y
 DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn, pero solo para acciones "add"
-y "old" cuando un host resume un arriendo existente, dado a que estos
+y "old" cuando un host reanuda un arriendo existente, dado a que estos
 datos no son almacenados en la base de datos de arriendos de dnsmasq.
+
 Si dnsmasq fue compilado con HAVE_BROKEN_RTC, entonces la duración del
 arriendo (en segundos) es almacenada en DNSMASQ_LEASE_LENGTH, de otra
 manera el tiempo de vencimiento es almacenado en DNSMASQ_LEASE_EXPIRES.
 El número de segundos faltante para el vencimiento del arriendo siempre
 es almacenado en DNSMASQ_TIME_REMAINING.
+
 Si un arriendo solía tener un nombre de host, el cual es removido, un
 evento "old" es generado con el nuevo estado del arriendo, (por ejemplo, sin
 nombre), y el nombre anterior es brindado en la variable de ambiente
-DNSMASQ_OLD_HOSTNAME. DNSMASQ_INTERFACE almacena el nombre de la interface
+DNSMASQ_OLD_HOSTNAME.
+
+DNSMASQ_INTERFACE almacena el nombre de la interface
 en la cual llegó el pedido; esto no es fijado para acciones "viejas"
 cuando dnsmasq re-inicia.
+
+DNSMASQ_RELAY_ADDRESS es fijado si el cliente
+usó un relay DHCP para contactar a dnsmasq y la dirección IP del relay
+es conocida.
+
+DNSMASQ_TAGS contiene todas las etiquetas network-id fijadas
+durante la transacción DHCP, separadas por espacios.
+
 Todos los descriptores de archivo están cerrados
 excepto stdin, stdout, y stderr los cuales están abiertos a /dev/null
 (excepto en modo debug).
-Este guión no es invocado concurrentemente: si cambios de arriendos
-subsiguientes ocurren, el guión no es invocado otra vez hasta que
-cualquier invocación existente haga exit. Al inicio de dnsmasq, el guión
+
+Este guión no es invocado concurrentemente: máximo una instamcia del
+guión está corriendo a la vez (dnsmasq espera a que una instancia de
+guión haga exit antes de correr la siguiente). Cambios a la base de
+datos de arriendos que requieren que el guión sea invocado son puestos
+en cola esperando el exit de una instancia corriente. Si esta cola permite
+que cambios multiples de estado le ocurran a un arriendo individual antes
+de que el guión pueda ser ejecutado entonces estados anteriores son descartados
+y el estado actual del arriendo es reflejado cuando el guión finalmente corre.
+
+Al inicio de dnsmasq, el guión
 será invocado para todos los arriendos existentes mientras van siendo
 leídos desde el archivo de arriendos. Arriendos vencidos serán llamados
 con "del" y otros con "old". <path> debe ser un path absoluto, ninguna
-búsqueda PATH ocurre. Cuando dnsmasq recibe una señal HUP, el guión será
+búsqueda PATH ocurre cuando arriendos dnsmasq serán llamados con "del"
+y otros con "old". Cuando dnsmasq recibe una señal HUP, el guión será
 invocado para arriendos existentes con un evento "old".
 .TP
 .B --dhcp-scriptuser
@@ -927,10 +1063,14 @@ esta opci
 cuando hay cambios hechos a el client-id y tiempos de arriendo y vencimiento.
 .TP
 .B --bridge-interface=<nombre de interface>,<alias>[,<alias>]
-Tratar paquetes de pedidos DHCP que llegan a cualquiera de las interfaces <alias>
-como si hubieran llegado a la interface <nombre de interface>. Esta opción
-es necesaria al usar bridging estilo viejo en plataformas BSD, dado a que
-los paquetes llegan a interfaces tap que no tienen una dirección IP.
+Tratar paquetes de pedidos DHCP (v4 y v6) y de IPv6 Router Solicit que
+llegan a cualquiera de las interfaces <alias> como si hubieran llegado
+a la interface <nombre de interface>.  Esta opción permite que dnsmasq
+puede proporcionar los servicios DHCP y RA a través de interfaces
+ethernet sin dirección y sin puente; por ejemplo en un nodo de cálculo
+de OpenStack, donde cada una de esas interfaces es una interfaz TAP
+para una máquina virtual, o al usar bridging estilo viejo en
+plataformas BSD.
 .TP
 .B \-s, --domain=<dominio>[,<rango de IPs>]
 Especifica los dominios DNS para el servidor DHCP. Dominios pueden ser
@@ -977,18 +1117,20 @@ sin una direcci
 .B --dhcp-fqdn
 está fijado.
 .TP
-.B --enable-tftp
+.B --enable-tftp[=<interface>]
 Habilitar la función de servidor TFTP. Esto está deliberadamente limitado
 a lo necesario para hacerle a un cliente un inicio vía red. Solo lectura es
 permitida; las extensiones tsize y blksize son soportadas (tsize solo es
-soportada en modo octeto).
+soportada en modo octeto). Ver sección de NOTAS para el uso de el argumento
+de interface.
 .TP
-.B --tftp-root=<directorio>
+.B --tftp-root=<directory>[,<interface>]
 Buscar, relativo al directorio brindado, archivos para transferir mediante el
 uso de TFTP. Cuando esta opción está fijada, paths TFTP que incluyen ".." son
 rechazados, para prevenir que clientes salgan de la raíz especificada. Paths
 absolutos (los que comienzan con "/") están permitidos, pero deben estar
-dentro del tftp-root.
+dentro del tftp-root. Si el argumento opcional de interface es brindado, el
+directorio es solo usado para pedidos TFTP vía esa interface.
 .TP
 .B --tftp-unique-root
 Agregar la dirección IP del cliente TFTP como un componente path del lado del
@@ -1040,11 +1182,13 @@ Especificar un archivo de configuraci
 también es permitida en archivos de configuración, para incluir múltiples
 archivos de configuración.
 .TP
-.B \-7, --conf-dir=<directorio>
+.B \-7, --conf-dir=<directorio>[,<file-extension>......]
 Leer todos los archivos dentro del directorio brindado como archivos
-de configuración. Archivos cuyos nombres terminen con ~ o comienzen
-con . o comienzen y terminen con # son ignorados. Esta opción puede
-ser brindada en la línea de comandos o en un archivo de configuración.
+de configuración. Si extensiones son brindadas, cualquier archivo que
+termine en esas extensiones son ignorados. Cualquier archivos cuyos nombres
+terminen con ~ o comienzen con . o comienzen y terminen con # siempre son
+ignorados. Esta opción puede ser brindada en la línea de comandos o en un
+archivo de configuración.
 .SH ARCHIVO DE CONFIGURACION
 Al inicio, dnsmasq lee
 .I /etc/dnsmasq.conf,
@@ -1174,36 +1318,46 @@ apunta a un nombre sombreado, entonces buscando el CNAME a trav
 dnsmasq resultará en que la dirección no-sombreada será asociada con
 el destino del CNAME. Para circumventar esto, agregar el CNAME a
 /etc/hosts de tal manera que el CNAME es sombreado también.
+
 .PP
-El sistema network-id funciona de la siguiente manera: Para cada pedido
-DHCP, dnsmasq colecciona un juego de etiquetas network-id válidas,
-una del
+El sistema de etiquetas funciona de la siguiente manera: Para cada pedido
+DHCP, dnsmasq colecciona un juego de etiquetas válidas de líneas de
+configuración activas que incluyen set:<tag>, incluyendo una del
 .B dhcp-range
 usado para alocar la dirección, una de cualquier
 .B dhcp-host
-que coincida (y "known" si un dhcp-host coincide), la etiqueta "bootp"
-para pedidos BOOTP, una etiqueta cuyo nombre es el nombre de la
-interface donde llegó el pedido, y posiblemente muchas de clases
-de vendedor y usuario que coincidan que hayan sido enviadas por
-el cliente DHCP. Cualquier opción
+que coincida (y "known" si un dhcp-host coincide).
+La etiqueta "bootp" es fijada para pedidos BOOTP, y una etiqueta cuyo
+nombre es el nombre de la interface donde llegó el pedido tambien es
+fijada.
+
+Cualquier linea de configuración que incluya uno o mas
+construcciones tag:<tag> solo será válida si todas las etiquetas
+coinciden en el juego derivado arriba. Típicamente esto es dhcp-option.
 .B dhcp-option 
-que tenga etiquetas network-id será usada en preferencia de una opción
+que tenga etiquetas será usada en preferencia de una opción
 .B dhcp-option,
 sin etiqueta, con tal que _todas_ las etiquetas coincidan en alguna
-parte del juego coleccionado describido arriba. El prefijo "#" en una
-etiqueta significa "no" así que --dhcp=option=#purple,3,1.2.3.4 envía
-la opción cuando la etiqueta network-id "purple" no está en el juego
-de etiquetas válidas.
+parte del juego coleccionado describido arriba. El prefijo '!' en una
+etiqueta significa "no" así que --dhcp=option=tag:!purple,3,1.2.3.4 envía
+la opción cuando la etiqueta "purple" no está en el juego
+de etiquetas válidas. (Si se está usando esto en una línea de comandos
+en vez de un archivo de configuración, asegurese de escapar !, el cual
+es un metacaracter de shell.)
+.PP
+Nótese que para
+.B dhcp-range
+ambos tag:<tag> y set:<tag> son permitidos, para seleccionar el rango
+en uso basado en (por ejemplo) dhcp-host, y para afectar las opciones
+enviadas, basadas en el rango seleccionado.
+
+Este sistema evolucionó de uno anterior mas limitado y para compatibildad
+reversa "net:" puede ser usada en vez de "tag:" y "set:" puede ser
+omitida. (Excepto en
+.B dhcp-host,
+donde "net:" puede ser usado en vez de "set:".) Por la misma razón, '#'
+puede ser usado en vez de '!' para indicar NO.
 .PP
-Si el network-id en un
-.B dhcp-range 
-es prefijado con "net:", entonces su significado cambia de "fijar
-etiqueta" a "coincidir con etiqueta". O sea que si hay más de un
-dhcp-range en en una subred, y uno tiene una etiqueta network-id la
-cual está fijada (por ejemplo una opción de clase de vendedor) entonces
-hosts que fijen la etiqueta network-id serán alocados direcciones en
-el rango etiquetado.
-.PP 
 El servidor DHCP de dnsmasq funcionará como servidor BOOTP tambien,
 con tal que las direcciones MAC y IP de los clientes sean brindadas,
 ya sea usando configuraciones
@@ -1214,11 +1368,54 @@ o en
 .B dhcp-range 
 esté presente para activar el servidor DHCP en una red particular.
 (Fijar --bootp-dynamic elimina la necesidad de trazados estáticos.) El
-parámetro de nombre de archivos en un pedido BOOTP es revisado para
-ver si coincide con algún network-id en configuraciónes
-.B dhcp-option 
-al igual que la etiqueta "bootp", permitiendo así algún control sobre
-las opciones devueltas a diferentes clases de hosts.
+parámetro de nombre de archivos en un pedido BOOTP es usado como
+una etiqueta, al igual que la etiqueta "bootp", permitiendo así algún
+control sobre las opciones devueltas a diferentes clases de hosts.
+
+.B dhcp-range
+puede tener un nombre de interface brindado como
+"interface:<interface-name>". La semántica de esto es así:
+Para DHCP, si cualquier otro dhcp-range existe _sin_ un nombre de
+interface, entonces el nombre de interface es ignorado y dnsmasq
+se comporta como si las partes de interface no existieran, de otra forma
+DHCP solo se provee a interfaces mencionadas en declaraciones
+dhcp-range. Para DNS, si no hay opciones
+.B --interface
+o
+.B --listen-address
+el comportamiento no se modifica por la parte de interface. Si cualquiera
+de estas opciones está presente, las interfaces mencionadas en dhcp-ranges
+son agregadas all juego que obtienen servicio DNS.
+
+Similarmente,
+.B enable-tftp
+puede tomar un nombre de interface, el cual habilita TFTP solo para una
+interface en particular, ignorando opciones
+.B --interface
+o
+.B --listen-address.
+Adicionalmente, 
+.B --tftp-secure
+y
+.B --tftp-unique-root
+y
+.B --tftp-no-blocksize
+son ignorados por pedidos desde dichas interfaces. (Una directiva
+.B --tftp-root
+brindando un path raíz y una interface debe ser brindada tambien.)
+
+Estas reglas pueden parecer raras a primera vista, pero permiten que
+una simple linea de la forma
+"dhcp-range=interface:virt0,192.168.0.4,192.168.0.200" sea agregada a
+configuración dnsmasq, lo cual brinda servicios DHCP y DNS a esa interface,
+sin afectar los servicios en otras interfaces y irrespectivamente de
+la existencia o no de lineas "interface=<interface>" en alguna otra parte
+de la configuración dnsmasq.
+"enable-tftp=virt0" y "tftp-root=<root>,virt0" hacen el mismo trabajo
+para TFTP.
+La idea es que una linea así pueda ser agregada automaticamente
+por libvirt o sistemas equivalentes, sin estorbar alguna
+configuración manual.
 
 .SH CÓDIGOS EXIT
 .PP
@@ -1251,10 +1448,8 @@ no escalaban tan bien.
 
 .PP
 Dnsmasq es capaz de soportar con DNS y DHCP a por lo menos mil (1,000)
-clientes. Por supuesto que para lograr esto debe aumentarse el valor de
-.B --dhcp-lease-max
-, y tiempos de arriendo no deben ser muy cortos (menos de una hora).
-El valor de
+clientes. Los tiempos de arriendo no deben ser muy cortos (menos
+de una hora). El valor de
 .B --dns-forward-max
 puede ser aumentado: comienze con el equivalente a el número de clientes y
 auméntelo si parece lento el DNS. Nótese que el rendimiento DNS depende
@@ -1285,6 +1480,23 @@ o en un archivo hosts adicional. La lista puede ser muy larga. Dnsmasq ha sido
 probado exitósamente con un millón de nombres. Ese tamaño de archivo necesita
 un CPU de 1GHz y aproximadamente 60MB de RAM.
 
+.SH INTERNACIONALIZACION
+
+Dnsmasq puede ser compilado con soporte para internacionalización. Para hacer esto,
+los targets make "all-i18n" y "install-i18n" deberán ser usados en vez de
+los targets estándares "all" y "install". Cuando internacionalización es
+compilada, dnsmasq producirá mensajes de bitácora en el lenguaje local y soportará
+dominios internacionalizados (IDN). Nombres de dominio en /etc/hosts, /etc/ethers,
+y /etc/dnsmasq.conf que contienen carácteres no-ASCII serán traducidos a
+representación interna DNS punycode. Nótese que dnsmasq determina ambos el
+lenguaje para mensajes y el juego de carácteres asumido para archivos de configuración
+de la variable ambiental LANG. Esto debe estar fijado al valor predeterminado del sistema
+por el guión responsable de iniciar dnsmasq. Al editar archivos de configuración,
+tener cuidado de hacerlo usando solo el locale predeterminado del sistema y no
+uno especifico del usuario, dado a que dnsmasq no tiene ninguna manera directa de
+determinar el juego de caracteres en uso, y debe asumir que es el predeterminado
+del sistema.
+
 .SH ARCHIVOS
 .IR /etc/dnsmasq.conf 
 

setup.html

@@ -78,7 +78,7 @@ by modifying MODIFY_RESOLV_CONF_DYNAMICALLY="no" in <TT>/etc/sysconfig/network/c
  
 
 <h3>Automatic DNS server configuration with DHCP.</h3>
-You need to get your DHCP client to write the addresse(s) of the DNS
+You need to get your DHCP client to write the address(es) of the DNS
 servers to a file other than <TT>/etc/resolv.conf</TT>. For dhcpcd, the
 <TT>dhcpcd.exe</TT> script gets run with the addresses of the nameserver(s) in
 the shell variable <TT>$DNS</TT>. The following bit of shell script
@@ -86,8 +86,8 @@ uses that to write a file suitable for dnsmasq.
 <PRE>
 
 echo -n >|/etc/dhcpc/resolv.conf
-dnsservs=${DNS//,/ }
-for serv in $dnsservs; do
+dnsservers=${DNS//,/ }
+for serv in $dnsservers; do
     echo "nameserver $serv" >>/etc/dhcpc/resolv.conf
 done
 
@@ -125,7 +125,7 @@ address of its ethernet card. For the former to work, a machine needs to know it
 requests a DHCP lease. For dhcpcd, the -h option specifies this. The
 names may be anything as far as DHCP is concerned, but dnsmasq adds
 some limitations. By default the names must no have a domain part, ie
-they must just be a alphanumeric name, without any dots.  This is a
+they must just be alphanumeric names, without any dots.  This is a
 security feature to stop a machine on your network telling DHCP that
 its name is "www.microsoft.com" and thereby grabbing traffic which
 shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names
@@ -186,7 +186,7 @@ more than one nameserver just include as many
 
 <H2>Local domains.</H2>
 Sometimes people have local domains which they do not want forwarded
-to upstream servers. This is accomodated by using server options
+to upstream servers. This is accommodated by using server options
 without the server IP address. To make things clearer <TT>local</TT>
 is a synonym for <TT>server</TT>. For example the option
 <TT>local=/localnet/</TT> ensures that any domain name query which ends in
@@ -221,7 +221,7 @@ triggering dial-on-demand internet links.
 Sending SIGHUP to the dnsmasq process will cause it to empty its cache and 
 then re-load <TT>/etc/hosts</TT> and <TT>/etc/resolv.conf</TT>.
 <P> Sending SIGUSR1 (killall -10 dnsmasq) to the dnsmasq process will
-cause to to write cache usage statisticss to the log, typically
+cause to write cache usage statisticss to the log, typically
 <TT>/var/log/syslog</TT> or <TT>/var/log/messages</TT>.
 <P> The <TT>log-queries</TT> option tells dnsmasq to verbosely log the queries
 it is handling and causes SIGUSR1 to trigger a complete dump of the

src/arp.c

@@ -0,0 +1,247 @@
+/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+/* Time between forced re-loads from kernel. */
+#define INTERVAL 90
+
+#define ARP_MARK  0
+#define ARP_FOUND 1  /* Confirmed */
+#define ARP_NEW   2  /* Newly created */
+#define ARP_EMPTY 3  /* No MAC addr */
+
+struct arp_record {
+  unsigned short hwlen, status;
+  int family;
+  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
+  struct all_addr addr;
+  struct arp_record *next;
+};
+
+static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
+static time_t last = 0;
+
+static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+{
+  struct arp_record *arp;
+
+  (void)parmv;
+
+  if (maclen > DHCP_CHADDR_MAX)
+    return 1;
+
+#ifndef HAVE_IPV6
+  if (family != AF_INET)
+    return 1;
+#endif
+
+  /* Look for existing entry */
+  for (arp = arps; arp; arp = arp->next)
+    {
+      if (family != arp->family || arp->status == ARP_NEW)
+	continue;
+      
+      if (family == AF_INET)
+	{
+	  if (arp->addr.addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
+	    continue;
+	}
+#ifdef HAVE_IPV6
+      else
+	{
+	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, (struct in6_addr *)addrp))
+	    continue;
+	}
+#endif
+
+      if (arp->status == ARP_EMPTY)
+	{
+	  /* existing address, was negative. */
+	  arp->status = ARP_NEW;
+	  arp->hwlen = maclen;
+	  memcpy(arp->hwaddr, mac, maclen);
+	}
+      else if (arp->hwlen == maclen && memcmp(arp->hwaddr, mac, maclen) == 0)
+	/* Existing entry matches - confirm. */
+	arp->status = ARP_FOUND;
+      else
+	continue;
+      
+      break;
+    }
+
+  if (!arp)
+    {
+      /* New entry */
+      if (freelist)
+	{
+	  arp = freelist;
+	  freelist = freelist->next;
+	}
+      else if (!(arp = whine_malloc(sizeof(struct arp_record))))
+	return 1;
+      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_NEW;
+      arp->hwlen = maclen;
+      arp->family = family;
+      memcpy(arp->hwaddr, mac, maclen);
+      if (family == AF_INET)
+	arp->addr.addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
+#ifdef HAVE_IPV6
+      else
+	memcpy(&arp->addr.addr.addr6, addrp, IN6ADDRSZ);
+#endif
+    }
+  
+  return 1;
+}
+
+/* If in lazy mode, we cache absence of ARP entries. */
+int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
+{
+  struct arp_record *arp, *tmp, **up;
+  int updated = 0;
+
+ again:
+  
+  /* If the database is less then INTERVAL old, look in there */
+  if (difftime(now, last) < INTERVAL)
+    {
+      /* addr == NULL -> just make cache up-to-date */
+      if (!addr)
+	return 0;
+
+      for (arp = arps; arp; arp = arp->next)
+	{
+	  if (addr->sa.sa_family != arp->family)
+	    continue;
+	    
+	  if (arp->family == AF_INET &&
+	      arp->addr.addr.addr4.s_addr != addr->in.sin_addr.s_addr)
+	    continue;
+	    
+#ifdef HAVE_IPV6
+	  if (arp->family == AF_INET6 && 
+	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, &addr->in6.sin6_addr))
+	    continue;
+#endif
+	  
+	  /* Only accept positive entries unless in lazy mode. */
+	  if (arp->status != ARP_EMPTY || lazy || updated)
+	    {
+	      if (mac && arp->hwlen != 0)
+		memcpy(mac, arp->hwaddr, arp->hwlen);
+	      return arp->hwlen;
+	    }
+	}
+    }
+
+  /* Not found, try the kernel */
+  if (!updated)
+     {
+       updated = 1;
+       last = now;
+
+       /* Mark all non-negative entries */
+       for (arp = arps; arp; arp = arp->next)
+	 if (arp->status != ARP_EMPTY)
+	   arp->status = ARP_MARK;
+       
+       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       
+       /* Remove all unconfirmed entries to old list. */
+       for (arp = arps, up = &arps; arp; arp = tmp)
+	 {
+	   tmp = arp->next;
+	   
+	   if (arp->status == ARP_MARK)
+	     {
+	       *up = arp->next;
+	       arp->next = old;
+	       old = arp;
+	     }
+	   else
+	     up = &arp->next;
+	 }
+
+       goto again;
+     }
+
+  /* record failure, so we don't consult the kernel each time
+     we're asked for this address */
+  if (freelist)
+    {
+      arp = freelist;
+      freelist = freelist->next;
+    }
+  else
+    arp = whine_malloc(sizeof(struct arp_record));
+  
+  if (arp)
+    {      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_EMPTY;
+      arp->family = addr->sa.sa_family;
+      arp->hwlen = 0;
+
+      if (addr->sa.sa_family == AF_INET)
+	arp->addr.addr.addr4.s_addr = addr->in.sin_addr.s_addr;
+#ifdef HAVE_IPV6
+      else
+	memcpy(&arp->addr.addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
+#endif
+    }
+	  
+   return 0;
+}
+
+int do_arp_script_run(void)
+{
+  struct arp_record *arp;
+  
+  /* Notify any which went, then move to free list */
+  if (old)
+    {
+#ifdef HAVE_SCRIPT
+      if (option_bool(OPT_SCRIPT_ARP))
+	queue_arp(ACTION_ARP_DEL, old->hwaddr, old->hwlen, old->family, &old->addr);
+#endif
+      arp = old;
+      old = arp->next;
+      arp->next = freelist;
+      freelist = arp;
+      return 1;
+    }
+
+  for (arp = arps; arp; arp = arp->next)
+    if (arp->status == ARP_NEW)
+      {
+#ifdef HAVE_SCRIPT
+	if (option_bool(OPT_SCRIPT_ARP))
+	  queue_arp(ACTION_ARP, arp->hwaddr, arp->hwlen, arp->family, &arp->addr);
+#endif
+	arp->status = ARP_FOUND;
+	return 1;
+      }
+
+  return 0;
+}
+
+

src/auth.c

@@ -0,0 +1,892 @@
+/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_AUTH
+
+static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
+{
+  do {
+    if (!(list->flags & ADDRLIST_IPV6))
+      {
+	struct in_addr netmask, addr = addr_u->addr.addr4;
+	
+	if (!(flag & F_IPV4))
+	  continue;
+	
+	netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
+	
+	if  (is_same_net(addr, list->addr.addr.addr4, netmask))
+	  return list;
+      }
+#ifdef HAVE_IPV6
+    else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
+      return list;
+#endif
+    
+  } while ((list = list->next));
+  
+  return NULL;
+}
+
+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+{
+  if (!zone->subnet)
+    return NULL;
+  
+  return find_addrlist(zone->subnet, flag, addr_u);
+}
+
+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+{
+  if (!zone->exclude)
+    return NULL;
+  
+  return find_addrlist(zone->exclude, flag, addr_u);
+}
+
+static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+{
+  if (find_exclude(zone, flag, addr_u))
+    return 0;
+
+  /* No subnets specified, no filter */
+  if (!zone->subnet)
+    return 1;
+  
+  return find_subnet(zone, flag, addr_u) != NULL;
+}
+
+int in_zone(struct auth_zone *zone, char *name, char **cut)
+{
+  size_t namelen = strlen(name);
+  size_t domainlen = strlen(zone->domain);
+
+  if (cut)
+    *cut = NULL;
+  
+  if (namelen >= domainlen && 
+      hostname_isequal(zone->domain, &name[namelen - domainlen]))
+    {
+      
+      if (namelen == domainlen)
+	return 1;
+      
+      if (name[namelen - domainlen - 1] == '.')
+	{
+	  if (cut)
+	    *cut = &name[namelen - domainlen - 1]; 
+	  return 1;
+	}
+    }
+
+  return 0;
+}
+
+
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
+		   int local_query, int do_bit, int have_pseudoheader) 
+{
+  char *name = daemon->namebuff;
+  unsigned char *p, *ansp;
+  int qtype, qclass, rc;
+  int nameoffset, axfroffset = 0;
+  int q, anscount = 0, authcount = 0;
+  struct crec *crecp;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  struct auth_zone *zone = NULL;
+  struct addrlist *subnet = NULL;
+  char *cut;
+  struct mx_srv_record *rec, *move, **up;
+  struct txt_record *txt;
+  struct interface_name *intr;
+  struct naptr *na;
+  struct all_addr addr;
+  struct cname *a, *candidate;
+  unsigned int wclen;
+  
+  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
+    return 0;
+
+  /* determine end of question section (we put answers there) */
+  if (!(ansp = skip_questions(header, qlen)))
+    return 0; /* bad packet */
+  
+  /* now process each question, answers go in RRs after the question */
+  p = (unsigned char *)(header+1);
+
+  for (q = ntohs(header->qdcount); q != 0; q--)
+    {
+      unsigned short flag = 0;
+      int found = 0;
+      int cname_wildcard = 0;
+  
+      /* save pointer to name for copying into answers */
+      nameoffset = p - (unsigned char *)header;
+
+      /* now extract name as .-concatenated string into name */
+      if (!extract_name(header, qlen, &p, name, 1, 4))
+	return 0; /* bad packet */
+ 
+      GETSHORT(qtype, p); 
+      GETSHORT(qclass, p);
+      
+      if (qclass != C_IN)
+	{
+	  auth = 0;
+	  continue;
+	}
+
+      if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
+	  (flag = in_arpa_name_2_addr(name, &addr)) &&
+	  !local_query)
+	{
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if ((subnet = find_subnet(zone, flag, &addr)))
+	      break;
+	  
+	  if (!zone)
+	    {
+	      auth = 0;
+	      continue;
+	    }
+	  else if (qtype == T_SOA)
+	    soa = 1, found = 1;
+	  else if (qtype == T_NS)
+	    ns = 1, found = 1;
+	}
+
+      if (qtype == T_PTR && flag)
+	{
+	  intr = NULL;
+
+	  if (flag == F_IPV4)
+	    for (intr = daemon->int_names; intr; intr = intr->next)
+	      {
+		struct addrlist *addrlist;
+		
+		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
+		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
+		    break;
+		
+		if (addrlist)
+		  break;
+		else
+		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
+		    intr = intr->next;
+	      }
+#ifdef HAVE_IPV6
+	  else if (flag == F_IPV6)
+	    for (intr = daemon->int_names; intr; intr = intr->next)
+	      {
+		struct addrlist *addrlist;
+		
+		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
+		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
+		    break;
+		
+		if (addrlist)
+		  break;
+		else
+		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
+		    intr = intr->next;
+	      }
+#endif
+	  
+	  if (intr)
+	    {
+	      if (local_query || in_zone(zone, intr->name, NULL))
+		{	
+		  found = 1;
+		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					  daemon->auth_ttl, NULL,
+					  T_PTR, C_IN, "d", intr->name))
+		    anscount++;
+		}
+	    }
+	  
+	  if ((crecp = cache_find_by_addr(NULL, &addr, now, flag)))
+	    do { 
+	      strcpy(name, cache_get_name(crecp));
+	      
+	      if (crecp->flags & F_DHCP && !option_bool(OPT_DHCP_FQDN))
+		{
+		  char *p = strchr(name, '.');
+		  if (p)
+		    *p = 0; /* must be bare name */
+		  
+		  /* add  external domain */
+		  if (zone)
+		    {
+		      strcat(name, ".");
+		      strcat(name, zone->domain);
+		    }
+		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+		  found = 1;
+		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					  daemon->auth_ttl, NULL,
+					  T_PTR, C_IN, "d", name))
+		    anscount++;
+		}
+	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
+		{
+		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+		  found = 1;
+		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					  daemon->auth_ttl, NULL,
+					  T_PTR, C_IN, "d", name))
+		    anscount++;
+		}
+	      else
+		continue;
+		    
+	    } while ((crecp = cache_find_by_addr(crecp, &addr, now, flag)));
+
+	  if (found)
+	    nxdomain = 0;
+	  else
+	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL);
+
+	  continue;
+	}
+      
+    cname_restart:
+      if (found)
+	/* NS and SOA .arpa requests have set found above. */
+	cut = NULL;
+      else
+	{
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if (in_zone(zone, name, &cut))
+	      break;
+	  
+	  if (!zone)
+	    {
+	      auth = 0;
+	      continue;
+	    }
+	}
+
+      for (rec = daemon->mxnames; rec; rec = rec->next)
+	if (!rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
+	  {
+	    nxdomain = 0;
+	         
+	    if (rc == 2 && qtype == T_MX)
+	      {
+		found = 1;
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>"); 
+		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
+					NULL, T_MX, C_IN, "sd", rec->weight, rec->target))
+		  anscount++;
+	      }
+	  }
+      
+      for (move = NULL, up = &daemon->mxnames, rec = daemon->mxnames; rec; rec = rec->next)
+	if (rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
+	  {
+	    nxdomain = 0;
+	    
+	    if (rc == 2 && qtype == T_SRV)
+	      {
+		found = 1;
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>"); 
+		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
+					NULL, T_SRV, C_IN, "sssd", 
+					rec->priority, rec->weight, rec->srvport, rec->target))
+
+		  anscount++;
+	      } 
+	    
+	    /* unlink first SRV record found */
+	    if (!move)
+	      {
+		move = rec;
+		*up = rec->next;
+	      }
+	    else
+	      up = &rec->next;      
+	  }
+	else
+	  up = &rec->next;
+	  
+      /* put first SRV record back at the end. */
+      if (move)
+	{
+	  *up = move;
+	  move->next = NULL;
+	}
+
+      for (txt = daemon->rr; txt; txt = txt->next)
+	if ((rc = hostname_issubdomain(name, txt->name)))
+	  {
+	    nxdomain = 0;
+	    if (rc == 2 && txt->class == qtype)
+	      {
+		found = 1;
+		log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, txt->class)); 
+		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
+					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
+		  anscount++;
+	      }
+	  }
+      
+      for (txt = daemon->txt; txt; txt = txt->next)
+	if (txt->class == C_IN && (rc = hostname_issubdomain(name, txt->name)))
+	  {
+	    nxdomain = 0;
+	    if (rc == 2 && qtype == T_TXT)
+	      {
+		found = 1;
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); 
+		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
+					NULL, T_TXT, C_IN, "t", txt->len, txt->txt))
+		  anscount++;
+	      }
+	  }
+
+       for (na = daemon->naptr; na; na = na->next)
+	 if ((rc = hostname_issubdomain(name, na->name)))
+	   {
+	     nxdomain = 0;
+	     if (rc == 2 && qtype == T_NAPTR)
+	       {
+		 found = 1;
+		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
+		 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, 
+					 NULL, T_NAPTR, C_IN, "sszzzd", 
+					 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
+			  anscount++;
+	       }
+	   }
+    
+       if (qtype == T_A)
+	 flag = F_IPV4;
+       
+#ifdef HAVE_IPV6
+       if (qtype == T_AAAA)
+	 flag = F_IPV6;
+#endif
+       
+       for (intr = daemon->int_names; intr; intr = intr->next)
+	 if ((rc = hostname_issubdomain(name, intr->name)))
+	   {
+	     struct addrlist *addrlist;
+	     
+	     nxdomain = 0;
+	     
+	     if (rc == 2 && flag)
+	       for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)  
+		 if (((addrlist->flags & ADDRLIST_IPV6)  ? T_AAAA : T_A) == qtype &&
+		     (local_query || filter_zone(zone, flag, &addrlist->addr)))
+		   {
+#ifdef HAVE_IPV6
+		     if (addrlist->flags & ADDRLIST_REVONLY)
+		       continue;
+#endif
+		     found = 1;
+		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
+		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					     daemon->auth_ttl, NULL, qtype, C_IN, 
+					     qtype == T_A ? "4" : "6", &addrlist->addr))
+		       anscount++;
+		   }
+	     }
+       
+      if (!cut)
+	{
+	  nxdomain = 0;
+	  
+	  if (qtype == T_SOA)
+	    {
+	      auth = soa = 1; /* inhibits auth section */
+	      found = 1;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	    }
+      	  else if (qtype == T_AXFR)
+	    {
+	      struct iname *peers;
+	      
+	      if (peer_addr->sa.sa_family == AF_INET)
+		peer_addr->in.sin_port = 0;
+#ifdef HAVE_IPV6
+	      else
+		{
+		  peer_addr->in6.sin6_port = 0; 
+		  peer_addr->in6.sin6_scope_id = 0;
+		}
+#endif
+	      
+	      for (peers = daemon->auth_peers; peers; peers = peers->next)
+		if (sockaddr_isequal(peer_addr, &peers->addr))
+		  break;
+	      
+	      /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
+	      if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
+		  (daemon->auth_peers && !peers)) 
+		{
+		  if (peer_addr->sa.sa_family == AF_INET)
+		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
+#ifdef HAVE_IPV6
+		  else
+		    inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
+#endif
+		  
+		  my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
+		  return 0;
+		}
+	       	      
+	      auth = 1;
+	      soa = 1; /* inhibits auth section */
+	      ns = 1; /* ensure we include NS records! */
+	      axfr = 1;
+	      found = 1;
+	      axfroffset = nameoffset;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
+	    }
+      	  else if (qtype == T_NS)
+	    {
+	      auth = 1;
+	      ns = 1; /* inhibits auth section */
+	      found = 1;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
+	    }
+	}
+      
+      if (!option_bool(OPT_DHCP_FQDN) && cut)
+	{	  
+	  *cut = 0; /* remove domain part */
+	  
+	  if (!strchr(name, '.') && (crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6)))
+	    {
+	      if (crecp->flags & F_DHCP)
+		do
+		  { 
+		    nxdomain = 0;
+		    if ((crecp->flags & flag) && 
+			(local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+		      {
+			*cut = '.'; /* restore domain part */
+			log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+			*cut  = 0; /* remove domain part */
+			found = 1;
+			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						daemon->auth_ttl, NULL, qtype, C_IN, 
+						qtype == T_A ? "4" : "6", &crecp->addr))
+			  anscount++;
+		      }
+		  } while ((crecp = cache_find_by_name(crecp, name, now,  F_IPV4 | F_IPV6)));
+	    }
+       	  
+	  *cut = '.'; /* restore domain part */	    
+	}
+      
+      if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6)))
+	{
+	  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
+	    do
+	      { 
+		 nxdomain = 0;
+		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+		   {
+		     log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+		     found = 1;
+		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					     daemon->auth_ttl, NULL, qtype, C_IN, 
+					     qtype == T_A ? "4" : "6", &crecp->addr))
+		       anscount++;
+		   }
+	      } while ((crecp = cache_find_by_name(crecp, name, now, F_IPV4 | F_IPV6)));
+	}
+      
+      /* Only supply CNAME if no record for any type is known. */
+      if (nxdomain)
+	{
+	  /* Check for possible wildcard match against *.domain 
+	     return length of match, to get longest.
+	     Note that if return length of wildcard section, so
+	     we match b.simon to _both_ *.simon and b.simon
+	     but return a longer (better) match to b.simon.
+	  */  
+	  for (wclen = 0, candidate = NULL, a = daemon->cnames; a; a = a->next)
+	    if (a->alias[0] == '*')
+	      {
+		char *test = name;
+		
+		while ((test = strchr(test+1, '.')))
+		  {
+		    if (hostname_isequal(test, &(a->alias[1])))
+		      {
+			if (strlen(test) > wclen && !cname_wildcard)
+			  {
+			    wclen = strlen(test);
+			    candidate = a;
+			    cname_wildcard = 1;
+			  }
+			break;
+		      }
+		  }
+		
+	      }
+	    else if (hostname_isequal(a->alias, name) && strlen(a->alias) > wclen)
+	      {
+		/* Simple case, no wildcard */
+		wclen = strlen(a->alias);
+		candidate = a;
+	      }
+	  
+	  if (candidate)
+	    {
+	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
+	      strcpy(name, candidate->target);
+	      if (!strchr(name, '.'))
+		{
+		  strcat(name, ".");
+		  strcat(name, zone->domain);
+		}
+	      found = 1;
+	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				      daemon->auth_ttl, &nameoffset,
+				      T_CNAME, C_IN, "d", name))
+		anscount++;
+	      
+	      goto cname_restart;
+	    }
+	  else if (cache_find_non_terminal(name, now))
+	    nxdomain = 0;
+
+	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL);
+	}
+      
+    }
+  
+  /* Add auth section */
+  if (auth && zone)
+    {
+      char *authname;
+      int newoffset, offset = 0;
+
+      if (!subnet)
+	authname = zone->domain;
+      else
+	{
+	  /* handle NS and SOA for PTR records */
+	  
+	  authname = name;
+
+	  if (!(subnet->flags & ADDRLIST_IPV6))
+	    {
+	      in_addr_t a = ntohl(subnet->addr.addr.addr4.s_addr) >> 8;
+	      char *p = name;
+	      
+	      if (subnet->prefixlen >= 24)
+		p += sprintf(p, "%u.", a & 0xff);
+	      a = a >> 8;
+	      if (subnet->prefixlen >= 16 )
+		p += sprintf(p, "%u.", a & 0xff);
+	      a = a >> 8;
+	      p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
+	      
+	    }
+#ifdef HAVE_IPV6
+	  else
+	    {
+	      char *p = name;
+	      int i;
+	      
+	      for (i = subnet->prefixlen-1; i >= 0; i -= 4)
+		{ 
+		  int dig = ((unsigned char *)&subnet->addr.addr.addr6)[i>>3];
+		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
+		}
+	      p += sprintf(p, "ip6.arpa");
+	      
+	    }
+#endif
+	}
+      
+      /* handle NS and SOA in auth section or for explicit queries */
+       newoffset = ansp - (unsigned char *)header;
+       if (((anscount == 0 && !ns) || soa) &&
+	  add_resource_record(header, limit, &trunc, 0, &ansp, 
+			      daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll",
+			      authname, daemon->authserver,  daemon->hostmaster,
+			      daemon->soa_sn, daemon->soa_refresh, 
+			      daemon->soa_retry, daemon->soa_expiry, 
+			      daemon->auth_ttl))
+	{
+	  offset = newoffset;
+	  if (soa)
+	    anscount++;
+	  else
+	    authcount++;
+	}
+      
+      if (anscount != 0 || ns)
+	{
+	  struct name_list *secondary;
+	  
+	  newoffset = ansp - (unsigned char *)header;
+	  if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
+				  daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+	    {
+	      if (offset == 0) 
+		offset = newoffset;
+	      if (ns) 
+		anscount++;
+	      else
+		authcount++;
+	    }
+
+	  if (!subnet)
+	    for (secondary = daemon->secondary_forward_server; secondary; secondary = secondary->next)
+	      if (add_resource_record(header, limit, &trunc, offset, &ansp, 
+				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", secondary->name))
+		{
+		  if (ns) 
+		    anscount++;
+		  else
+		    authcount++;
+		}
+	}
+      
+      if (axfr)
+	{
+	  for (rec = daemon->mxnames; rec; rec = rec->next)
+	    if (in_zone(zone, rec->name, &cut))
+	      {
+		if (cut)
+		   *cut = 0;
+
+		if (rec->issrv)
+		  {
+		    if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					    NULL, T_SRV, C_IN, "sssd", cut ? rec->name : NULL,
+					    rec->priority, rec->weight, rec->srvport, rec->target))
+		      
+		      anscount++;
+		  }
+		else
+		  {
+		    if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					    NULL, T_MX, C_IN, "sd", cut ? rec->name : NULL, rec->weight, rec->target))
+		      anscount++;
+		  }
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	      
+	  for (txt = daemon->rr; txt; txt = txt->next)
+	    if (in_zone(zone, txt->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					NULL, txt->class, C_IN, "t",  cut ? txt->name : NULL, txt->len, txt->txt))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	  
+	  for (txt = daemon->txt; txt; txt = txt->next)
+	    if (txt->class == C_IN && in_zone(zone, txt->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					NULL, T_TXT, C_IN, "t", cut ? txt->name : NULL, txt->len, txt->txt))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	  
+	  for (na = daemon->naptr; na; na = na->next)
+	    if (in_zone(zone, na->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, 
+					NULL, T_NAPTR, C_IN, "sszzzd", cut ? na->name : NULL,
+					na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.'; 
+	      }
+	  
+	  for (intr = daemon->int_names; intr; intr = intr->next)
+	    if (in_zone(zone, intr->name, &cut))
+	      {
+		struct addrlist *addrlist;
+		
+		if (cut)
+		  *cut = 0;
+		
+		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) 
+		  if (!(addrlist->flags & ADDRLIST_IPV6) &&
+		      (local_query || filter_zone(zone, F_IPV4, &addrlist->addr)) && 
+		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					  daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr))
+		    anscount++;
+		
+#ifdef HAVE_IPV6
+		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) 
+		  if ((addrlist->flags & ADDRLIST_IPV6) && 
+		      (local_query || filter_zone(zone, F_IPV6, &addrlist->addr)) &&
+		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					  daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr))
+		    anscount++;
+#endif		    
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.'; 
+	      }
+             
+	  for (a = daemon->cnames; a; a = a->next)
+	    if (in_zone(zone, a->alias, &cut))
+	      {
+		strcpy(name, a->target);
+		if (!strchr(name, '.'))
+		  {
+		    strcat(name, ".");
+		    strcat(name, zone->domain);
+		  }
+		
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					daemon->auth_ttl, NULL,
+					T_CNAME, C_IN, "d",  cut ? a->alias : NULL, name))
+		  anscount++;
+	      }
+	
+	  cache_enumerate(1);
+	  while ((crecp = cache_enumerate(0)))
+	    {
+	      if ((crecp->flags & (F_IPV4 | F_IPV6)) &&
+		  !(crecp->flags & (F_NEG | F_NXDOMAIN)) &&
+		  (crecp->flags & F_FORWARD))
+		{
+		  if ((crecp->flags & F_DHCP) && !option_bool(OPT_DHCP_FQDN))
+		    {
+		      char *cache_name = cache_get_name(crecp);
+		      if (!strchr(cache_name, '.') && 
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
+			{
+			  qtype = T_A;
+#ifdef HAVE_IPV6
+			  if (crecp->flags & F_IPV6)
+			    qtype = T_AAAA;
+#endif
+			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+						  daemon->auth_ttl, NULL, qtype, C_IN, 
+						  (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
+			    anscount++;
+			}
+		    }
+		  
+		  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
+		    {
+		      strcpy(name, cache_get_name(crecp));
+		      if (in_zone(zone, name, &cut) && 
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
+			{
+			  qtype = T_A;
+#ifdef HAVE_IPV6
+			  if (crecp->flags & F_IPV6)
+			    qtype = T_AAAA;
+#endif
+			   if (cut)
+			     *cut = 0;
+
+			   if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+						   daemon->auth_ttl, NULL, qtype, C_IN, 
+						   (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
+			     anscount++;
+			}
+		    }
+		}
+	    }
+	   
+	  /* repeat SOA as last record */
+	  if (add_resource_record(header, limit, &trunc, axfroffset, &ansp, 
+				  daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll",
+				  daemon->authserver,  daemon->hostmaster,
+				  daemon->soa_sn, daemon->soa_refresh, 
+				  daemon->soa_retry, daemon->soa_expiry, 
+				  daemon->auth_ttl))
+	    anscount++;
+	  
+	}
+      
+    }
+  
+  /* done all questions, set up header and return length of result */
+  /* clear authoritative and truncated flags, set QR flag */
+  header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
+
+  if (local_query)
+    {
+      /* set RA flag */
+      header->hb4 |= HB4_RA;
+    }
+  else
+    {
+      /* clear RA flag */
+      header->hb4 &= ~HB4_RA;
+    }
+
+  /* authoritative */
+  if (auth)
+    header->hb3 |= HB3_AA;
+  
+  /* truncation */
+  if (trunc)
+    header->hb3 |= HB3_TC;
+  
+  if ((auth || local_query) && nxdomain)
+    SET_RCODE(header, NXDOMAIN);
+  else
+    SET_RCODE(header, NOERROR); /* no error */
+  header->ancount = htons(anscount);
+  header->nscount = htons(authcount);
+  header->arcount = htons(0);
+
+  /* Advertise our packet size limit in our reply */
+  if (have_pseudoheader)
+    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+
+  return ansp - (unsigned char *)header;
+}
+  
+#endif  
+  
+
+

src/blockdata.c

@@ -0,0 +1,152 @@
+/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_DNSSEC
+
+static struct blockdata *keyblock_free;
+static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;
+
+static void blockdata_expand(int n)
+{
+  struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
+  
+  if (new)
+    {
+      int i;
+      
+      new[n-1].next = keyblock_free;
+      keyblock_free = new;
+
+      for (i = 0; i < n - 1; i++)
+	new[i].next = &new[i+1];
+
+      blockdata_alloced += n;
+    }
+}
+
+/* Preallocate some blocks, proportional to cachesize, to reduce heap fragmentation. */
+void blockdata_init(void)
+{
+  keyblock_free = NULL;
+  blockdata_alloced = 0;
+  blockdata_count = 0;
+  blockdata_hwm = 0;
+
+  /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
+  if (option_bool(OPT_DNSSEC_VALID))
+    blockdata_expand(daemon->cachesize);
+}
+
+void blockdata_report(void)
+{
+  if (option_bool(OPT_DNSSEC_VALID))
+    my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
+	      blockdata_count * sizeof(struct blockdata),  
+	      blockdata_hwm * sizeof(struct blockdata),  
+	      blockdata_alloced * sizeof(struct blockdata));
+} 
+
+struct blockdata *blockdata_alloc(char *data, size_t len)
+{
+  struct blockdata *block, *ret = NULL;
+  struct blockdata **prev = &ret;
+  size_t blen;
+
+  while (len > 0)
+    {
+      if (!keyblock_free)
+	blockdata_expand(50);
+      
+      if (keyblock_free)
+	{
+	  block = keyblock_free;
+	  keyblock_free = block->next;
+	  blockdata_count++; 
+	}
+      else
+	{
+	  /* failed to alloc, free partial chain */
+	  blockdata_free(ret);
+	  return NULL;
+	}
+       
+      if (blockdata_hwm < blockdata_count)
+	blockdata_hwm = blockdata_count; 
+      
+      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      memcpy(block->key, data, blen);
+      data += blen;
+      len -= blen;
+      *prev = block;
+      prev = &block->next;
+      block->next = NULL;
+    }
+  
+  return ret;
+}
+
+
+void blockdata_free(struct blockdata *blocks)
+{
+  struct blockdata *tmp;
+  
+  if (blocks)
+    {
+      for (tmp = blocks; tmp->next; tmp = tmp->next)
+	blockdata_count--;
+      tmp->next = keyblock_free;
+      keyblock_free = blocks; 
+      blockdata_count--;
+    }
+}
+
+/* if data == NULL, return pointer to static block of sufficient size */
+void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
+{
+  size_t blen;
+  struct  blockdata *b;
+  void *new, *d;
+  
+  static unsigned int buff_len = 0;
+  static unsigned char *buff = NULL;
+   
+  if (!data)
+    {
+      if (len > buff_len)
+	{
+	  if (!(new = whine_malloc(len)))
+	    return NULL;
+	  if (buff)
+	    free(buff);
+	  buff = new;
+	}
+      data = buff;
+    }
+  
+  for (d = data, b = block; len > 0 && b;  b = b->next)
+    {
+      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      memcpy(d, b->key, blen);
+      d += blen;
+      len -= blen;
+    }
+
+  return data;
+}
+ 
+#endif

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2009 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -17,117 +17,235 @@
 #include "dnsmasq.h"
 
 #if defined(HAVE_BSD_NETWORK) || defined(HAVE_SOLARIS_NETWORK)
+#include <ifaddrs.h>
 
-static struct iovec ifconf = {
-  .iov_base = NULL,
-  .iov_len = 0
-};
+#include <sys/param.h>
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
+#include <sys/sysctl.h>
+#endif
+#include <net/if.h>
+#include <net/route.h>
+#include <net/if_dl.h>
+#include <netinet/if_ether.h>
+#if defined(__FreeBSD__)
+#  include <net/if_var.h> 
+#endif
+#include <netinet/in_var.h>
+#ifdef HAVE_IPV6
+#  include <netinet6/in6_var.h>
+#endif
 
-static struct iovec ifreq = {
-  .iov_base = NULL,
-  .iov_len = 0
-};
+#ifndef SA_SIZE
+#define SA_SIZE(sa)                                             \
+    (  (!(sa) || ((struct sockaddr *)(sa))->sa_len == 0) ?      \
+        sizeof(long)            :                               \
+        1 + ( (((struct sockaddr *)(sa))->sa_len - 1) | (sizeof(long) - 1) ) )
+#endif
 
-int iface_enumerate(void *parm, int (*ipv4_callback)(), int (*ipv6_callback)())
+#ifdef HAVE_BSD_NETWORK
+static int del_family = 0;
+static struct all_addr del_addr;
+#endif
+
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
+
+int arp_enumerate(void *parm, int (*callback)())
 {
-  char *ptr;
-  struct ifreq *ifr;
-  struct ifconf ifc;
-  int fd, errsav, ret = 0;
-  int lastlen = 0;
-  size_t len = 0;
-  
-  if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
+  int mib[6];
+  size_t needed;
+  char *next;
+  struct rt_msghdr *rtm;
+  struct sockaddr_inarp *sin2;
+  struct sockaddr_dl *sdl;
+  struct iovec buff;
+  int rc;
+
+  buff.iov_base = NULL;
+  buff.iov_len = 0;
+
+  mib[0] = CTL_NET;
+  mib[1] = PF_ROUTE;
+  mib[2] = 0;
+  mib[3] = AF_INET;
+  mib[4] = NET_RT_FLAGS;
+#ifdef RTF_LLINFO
+  mib[5] = RTF_LLINFO;
+#else
+  mib[5] = 0;
+#endif	
+  if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1 || needed == 0)
+    return 0;
+
+  while (1) 
+    {
+      if (!expand_buf(&buff, needed))
+	return 0;
+      if ((rc = sysctl(mib, 6, buff.iov_base, &needed, NULL, 0)) == 0 ||
+	  errno != ENOMEM)
+	break;
+      needed += needed / 8;
+    }
+  if (rc == -1)
     return 0;
   
-  while(1)
+  for (next = buff.iov_base ; next < (char *)buff.iov_base + needed; next += rtm->rtm_msglen)
     {
-      len += 10*sizeof(struct ifreq);
-      
-      if (!expand_buf(&ifconf, len))
-	goto err;
-      
-      ifc.ifc_len = len;
-      ifc.ifc_buf = ifconf.iov_base;
-      
-      if (ioctl(fd, SIOCGIFCONF, &ifc) == -1)
-	{
-	  if (errno != EINVAL || lastlen != 0)
-	    goto err;
-	}
-      else
-	{
-	  if (ifc.ifc_len == lastlen)
-	    break; /* got a big enough buffer now */
-	  lastlen = ifc.ifc_len;
-	}
+      rtm = (struct rt_msghdr *)next;
+      sin2 = (struct sockaddr_inarp *)(rtm + 1);
+      sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
+      if (!(*callback)(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
+	return 0;
     }
+
+  return 1;
+}
+#endif /* defined(HAVE_BSD_NETWORK) && !defined(__APPLE__) */
+
+
+int iface_enumerate(int family, void *parm, int (*callback)())
+{
+  struct ifaddrs *head, *addrs;
+  int errsave, fd = -1, ret = 0;
+
+  if (family == AF_UNSPEC)
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
+    return  arp_enumerate(parm, callback);
+#else
+  return 0; /* need code for Solaris and MacOS*/
+#endif
+
+  /* AF_LINK doesn't exist in Linux, so we can't use it in our API */
+  if (family == AF_LOCAL)
+    family = AF_LINK;
+
+  if (getifaddrs(&head) == -1)
+    return 0;
+
+#if defined(HAVE_BSD_NETWORK) && defined(HAVE_IPV6)
+  if (family == AF_INET6)
+    fd = socket(PF_INET6, SOCK_DGRAM, 0);
+#endif
   
-  for (ptr = ifc.ifc_buf; ptr < (char *)(ifc.ifc_buf + ifc.ifc_len); ptr += len)
+  for (addrs = head; addrs; addrs = addrs->ifa_next)
     {
-      /* subsequent entries may not be aligned, so copy into
-	 an aligned buffer to avoid nasty complaints about 
-	 unaligned accesses. */
-
-      len = sizeof(struct ifreq);
-      
-#ifdef HAVE_SOCKADDR_SA_LEN
-      ifr = (struct ifreq *)ptr;
-      if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru))
-	len = ifr->ifr_addr.sa_len + offsetof(struct ifreq, ifr_ifru);
-#endif
-      
-      if (!expand_buf(&ifreq, len))
-	goto err;
-
-      ifr = (struct ifreq *)ifreq.iov_base;
-      memcpy(ifr, ptr, len);
-           
-      if (ifr->ifr_addr.sa_family == AF_INET && ipv4_callback)
+      if (addrs->ifa_addr->sa_family == family)
 	{
-	  struct in_addr addr, netmask, broadcast;
-	  broadcast.s_addr = 0;
-	  addr = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
-	  if (ioctl(fd, SIOCGIFNETMASK, ifr) == -1)
+	  int iface_index = if_nametoindex(addrs->ifa_name);
+
+	  if (iface_index == 0 || !addrs->ifa_addr || 
+	      (!addrs->ifa_netmask && family != AF_LINK))
 	    continue;
-	  netmask = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
-	  if (ioctl(fd, SIOCGIFBRDADDR, ifr) != -1)
-	    broadcast = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr; 
-	  if (!((*ipv4_callback)(addr, 
-				 (int)if_nametoindex(ifr->ifr_name),
-				 netmask, broadcast, 
-				 parm)))
-	    goto err;
-	}
-#ifdef HAVE_IPV6
-      else if (ifr->ifr_addr.sa_family == AF_INET6 && ipv6_callback)
-	{
-	  struct in6_addr *addr = &((struct sockaddr_in6 *)&ifr->ifr_addr)->sin6_addr;
-	  /* voodoo to clear interface field in address */
-	  if (!(daemon->options & OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
+
+	  if (family == AF_INET)
 	    {
-	      addr->s6_addr[2] = 0;
-	      addr->s6_addr[3] = 0;
-	    }
-	  if (!((*ipv6_callback)(addr,
-				 (int)((struct sockaddr_in6 *)&ifr->ifr_addr)->sin6_scope_id,
-				 (int)if_nametoindex(ifr->ifr_name),
-				 parm)))
-	    goto err;
-	}
+	      struct in_addr addr, netmask, broadcast;
+	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
+#ifdef HAVE_BSD_NETWORK
+	      if (del_family == AF_INET && del_addr.addr.addr4.s_addr == addr.s_addr)
+		continue;
 #endif
+	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
+	      if (addrs->ifa_broadaddr)
+		broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
+	      else 
+		broadcast.s_addr = 0;	      
+	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
+		goto err;
+	    }
+#ifdef HAVE_IPV6
+	  else if (family == AF_INET6)
+	    {
+	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
+	      unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
+	      int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
+	      int i, j, prefix = 0;
+	      u32 valid = 0xffffffff, preferred = 0xffffffff;
+	      int flags = 0;
+#ifdef HAVE_BSD_NETWORK
+	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr.addr6, addr))
+		continue;
+#endif
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
+	      struct in6_ifreq ifr6;
+
+	      memset(&ifr6, 0, sizeof(ifr6));
+	      safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	      
+	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	      if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
+		{
+		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
+		    flags |= IFACE_TENTATIVE;
+		  
+		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
+		    flags |= IFACE_DEPRECATED;
+
+#ifdef IN6_IFF_TEMPORARY
+		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
+		    flags |= IFACE_PERMANENT;
+#endif
+
+#ifdef IN6_IFF_PRIVACY
+		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
+		    flags |= IFACE_PERMANENT;
+#endif
+		}
+	      
+	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	      if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
+		{
+		  valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
+		  preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
+		}
+#endif
+	      	      
+	      for (i = 0; i < IN6ADDRSZ; i++, prefix += 8) 
+                if (netmask[i] != 0xff)
+		  break;
+	      
+	      if (i != IN6ADDRSZ && netmask[i]) 
+                for (j = 7; j > 0; j--, prefix++) 
+		  if ((netmask[i] & (1 << j)) == 0)
+		    break;
+	      
+	      /* voodoo to clear interface field in address */
+	      if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
+		{
+		  addr->s6_addr[2] = 0;
+		  addr->s6_addr[3] = 0;
+		} 
+	     
+	      if (!((*callback)(addr, prefix, scope_id, iface_index, flags,
+				(int) preferred, (int)valid, parm)))
+		goto err;	      
+	    }
+#endif /* HAVE_IPV6 */
+
+#ifdef HAVE_DHCP6      
+	  else if (family == AF_LINK)
+	    { 
+	      /* Assume ethernet again here */
+	      struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
+	      if (sdl->sdl_alen != 0 && 
+		  !((*callback)(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm)))
+		goto err;
+	    }
+#endif 
+	}
     }
   
   ret = 1;
 
  err:
-  errsav = errno;
-  close(fd);  
-  errno = errsav;
+  errsave = errno;
+  freeifaddrs(head); 
+  if (fd != -1)
+    close(fd);
+  errno = errsave;
 
   return ret;
 }
-#endif
+#endif /* defined(HAVE_BSD_NETWORK) || defined(HAVE_SOLARIS_NETWORK) */
 
 
 #if defined(HAVE_BSD_NETWORK) && defined(HAVE_DHCP)
@@ -139,13 +257,10 @@ void init_bpf(void)
 
   while (1) 
     {
-      /* useful size which happens to be sufficient */
-      if (expand_buf(&ifreq, sizeof(struct ifreq)))
-	{
-	  sprintf(ifreq.iov_base, "/dev/bpf%d", i++);
-	  if ((daemon->dhcp_raw_fd = open(ifreq.iov_base, O_RDWR, 0)) != -1)
-	    return;
-	}
+      sprintf(daemon->dhcp_buff, "/dev/bpf%d", i++);
+      if ((daemon->dhcp_raw_fd = open(daemon->dhcp_buff, O_RDWR, 0)) != -1)
+	return;
+
       if (errno != EBUSY)
 	die(_("cannot create DHCP BPF socket: %s"), NULL, EC_BADNET);
     }	     
@@ -246,9 +361,90 @@ void send_via_bpf(struct dhcp_packet *mess, size_t len,
   iov[3].iov_base = mess;
   iov[3].iov_len = len;
 
-  while (writev(daemon->dhcp_raw_fd, iov, 4) == -1 && retry_send());
+  while (retry_send(writev(daemon->dhcp_raw_fd, iov, 4)));
 }
 
+#endif /* defined(HAVE_BSD_NETWORK) && defined(HAVE_DHCP) */
+ 
+
+#ifdef HAVE_BSD_NETWORK
+
+void route_init(void)
+{
+  /* AF_UNSPEC: all addr families */
+  daemon->routefd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+  
+  if (daemon->routefd == -1 || !fix_fd(daemon->routefd))
+    die(_("cannot create PF_ROUTE socket: %s"), NULL, EC_BADNET);
+}
+
+void route_sock(void)
+{
+  struct if_msghdr *msg;
+  int rc = recv(daemon->routefd, daemon->packet, daemon->packet_buff_sz, 0);
+
+  if (rc < 4)
+    return;
+
+  msg = (struct if_msghdr *)daemon->packet;
+  
+  if (rc < msg->ifm_msglen)
+    return;
+
+   if (msg->ifm_version != RTM_VERSION)
+     {
+       static int warned = 0;
+       if (!warned)
+	 {
+	   my_syslog(LOG_WARNING, _("Unknown protocol version from route socket"));
+	   warned = 1;
+	 }
+     }
+   else if (msg->ifm_type == RTM_NEWADDR)
+     {
+       del_family = 0;
+       queue_event(EVENT_NEWADDR);
+     }
+   else if (msg->ifm_type == RTM_DELADDR)
+     {
+       /* There's a race in the kernel, such that if we run iface_enumerate() immediately
+	  we get a DELADDR event, the deleted address still appears. Here we store the deleted address
+	  in a static variable, and omit it from the set returned by iface_enumerate() */
+       int mask = ((struct ifa_msghdr *)msg)->ifam_addrs;
+       int maskvec[] = { RTA_DST, RTA_GATEWAY, RTA_NETMASK, RTA_GENMASK,
+			 RTA_IFP, RTA_IFA, RTA_AUTHOR, RTA_BRD };
+       int of;
+       unsigned int i;
+       
+       for (i = 0,  of = sizeof(struct ifa_msghdr); of < rc && i < sizeof(maskvec)/sizeof(maskvec[0]); i++) 
+	 if (mask & maskvec[i]) 
+	   {
+	     struct sockaddr *sa = (struct sockaddr *)((char *)msg + of);
+	     size_t diff = (sa->sa_len != 0) ? sa->sa_len : sizeof(long);
+	     
+	     if (maskvec[i] == RTA_IFA)
+	       {
+		 del_family = sa->sa_family;
+		 if (del_family == AF_INET)
+		   del_addr.addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
+#ifdef HAVE_IPV6
+		 else if (del_family == AF_INET6)
+		   del_addr.addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
 #endif
+		 else
+		   del_family = 0;
+	       }
+	     
+	     of += diff;
+	     /* round up as needed */
+	     if (diff & (sizeof(long) - 1)) 
+	       of += sizeof(long) - (diff & (sizeof(long) - 1));
+	   }
+       
+       queue_event(EVENT_NEWADDR);
+     }
+}
+
+#endif /* HAVE_BSD_NETWORK */