Suppress re-entrant calls to dhcp_construct_contexts()

Conflicts:
	CHANGELOG

CHANGELOG

@@ -1,3 +1,37 @@
+version 2.72
+            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+
+	    Add support for "ipsets" in *BSD, using pf. Thanks to 
+	    Sven Falempim for the patch.
+
+
+version 2.71
+            Subtle change to error handling to help DNSSEC validation 
+	    when servers fail to provide NODATA answers for 
+	    non-existent DS records.
+
+	    Tweak code which removes DNSSEC records from answers when
+	    not required. Fixes broken answers when additional section
+	    has real records in it. Thanks to Marco Davids for the bug 
+	    report.
+
+	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+	    for spotting that too.
+
+	    Fix total DNS failure and 100% CPU use if cachesize set to zero,
+	    regression introduced in 2.69. Thanks to James Hunt and
+	    the Ubuntu crowd for assistance in fixing this.
+
+
+version 2.70
+            Fix crash, introduced in 2.69, on TCP request when dnsmasq
+	    compiled with DNSSEC support, but running without DNSSEC
+	    enabled. Thanks to Manish Sing for spotting that one.
+
+	    Fix regression which broke ipset functionality. Thanks to 
+	    Wang Jian for the bug report.
+
+
 version 2.69
 	    Implement dynamic interface discovery on *BSD. This allows
 	    the contructor: syntax to be used in dhcp-range for DHCPv6

Makefile

@@ -69,7 +69,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-       domain.o dnssec.o blockdata.o
+       domain.o dnssec.o blockdata.o tables.c
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h

bld/Android.mk

@@ -9,7 +9,7 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    rfc2131.c tftp.c util.c conntrack.c \
 		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
-	            dnssec.c dnssec-openssl.c blockdata.c
+	            dnssec.c dnssec-openssl.c blockdata.c tables.c
 
 LOCAL_MODULE := dnsmasq
 

debian/changelog

@@ -1,11 +1,53 @@
+dnsmasq (2.72-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 20 May 2014 21:01:11 +0000
+
+dnsmasq (2.71-1) unstable; urgency=low
+
+   * New upstream.
+   * Fix 100% CPU-usage bug when dnsmasq started with cachesize
+     set to zero. (LP: #1314697)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 16 May 2014 20:17:10 +0000
+
+dnsmasq (2.70-3) unstable; urgency=medium
+
+   * Write a pid-file, even when being started using systemd, since
+     other components may wish to signal dnsmasq.
+   * Enable dnsmasq systemd unit on install. Otherwise dnsmasq does not run on
+     fresh installations (without administrator handholding) and even worse it
+     is disabled on systems switching from sysv to systemd. Modify
+     postinst/postrm exactly as dh_systemd would, add dependency on
+     init-system-helpers. Closes: #724602
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 11 May 2014 17:45:21 +0000
+
+dnsmasq (2.70-2) unstable; urgency=low
+
+   * Ensure daemon not stared if dnsmasq package has been removed,
+     even if dnsmasq-base is still installed. (closes: #746941)
+   * Tidy cruft in initscript. (closes: #746940)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 04 May 2014 21:34:11 +0000
+
+dnsmasq (2.70-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 23 Apr 2014 15:14:42 +0000
+
 dnsmasq (2.69-1) unstable; urgency=low
 
    * New upstream.
    * Set --local-service. (closes: #732610)
-     This tells dnsmasq to ignore DNS requests that don't come from a local network.
-     It's automatically ignored if  --interface --except-interface, --listen-address
-     or --auth-server exist in the configuration, so for most installations, it will
-     have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+     This tells dnsmasq to ignore DNS requests that don't come
+     from a local network. It's automatically ignored if
+     --interface --except-interface, --listen-address or
+     --auth-server exist in the configuration, so for most
+     installations, it will have no effect, but for
+     otherwise-unconfigured installations, it stops dnsmasq
      from being vulnerable to DNS-reflection attacks.
 
  -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 4 Feb 2014 16:28:12 +0000

debian/control

@@ -2,13 +2,15 @@ Source: dnsmasq
 Section: net
 Priority: optional
 Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, nettle-dev (>=2.4-3)
+               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+               nettle-dev (>=2.4-3)
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
 Standards-Version: 3.9.3
 
 Package: dnsmasq
 Architecture: all
-Depends: netbase, dnsmasq-base(>= ${binary:Version})
+Depends: netbase, dnsmasq-base(>= ${binary:Version}),
+         init-system-helpers (>= 1.18~)
 Suggests: resolvconf
 Conflicts: resolvconf (<<1.15)
 Description: Small caching DNS proxy and DHCP/TFTP server

debian/default

@@ -27,7 +27,7 @@ CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
 # If the resolvconf package is installed, dnsmasq will use its output 
 # rather than the contents of /etc/resolv.conf to find upstream 
 # nameservers. Uncommenting this line inhibits this behaviour.
-# Not that including a "resolv-file=<filename>" line in 
+# Note that including a "resolv-file=<filename>" line in 
 # /etc/dnsmasq.conf is not enough to override resolvconf if it is
 # installed: the line below must be uncommented.
 #IGNORE_RESOLVCONF=yes

debian/init

@@ -29,6 +29,12 @@ if [ -r /etc/default/locale ]; then
         export LANG
 fi
 
+# /etc/dnsmasq.d/README is a non-conffile installed by the dnsmasq package.
+# Should the dnsmasq package be removed, the following test ensures that
+# the daemon is no longer started, even if the dnsmasq-base package is
+# still in place.
+test -e /etc/dnsmasq.d/README || exit 0
+
 test -x $DAEMON || exit 0
 
 # Provide skeleton LSB log functions for backports which don't have LSB functions.
@@ -152,9 +158,6 @@ stop()
 	#   2 if daemon could not be stopped
 	#   other if a failure occurred
 	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	return "$RETVAL"
 }
 
 stop_resolvconf()
@@ -274,9 +277,15 @@ case "$1" in
 	stop_resolvconf
 	;;
   systemd-exec)
-#  --pid-file without argument disables writing a PIDfile, we don't need one with sytemd.
+# /var/run may be volatile, so we need to ensure that
+        # /var/run/dnsmasq exists here as well as in postinst
+        if [ ! -d /var/run/dnsmasq ]; then
+           mkdir /var/run/dnsmasq || return 2
+           chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+        fi
 # Enable DBus by default because we use DBus activation with systemd.
-	exec $DAEMON --keep-in-foreground --pid-file --enable-dbus \
+	exec $DAEMON --keep-in-foreground --enable-dbus \
+	    -x /var/run/dnsmasq/$NAME.pid \
 	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
 	    ${MAILTARGET:+ -t $MAILTARGET} \
 	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \

debian/postinst

@@ -1,6 +1,22 @@
 #!/bin/sh
 set -e
 
+# Code copied from dh_systemd_enable ----------------------
+# This will only remove masks created by d-s-h on package removal.
+deb-systemd-helper unmask dnsmasq.service >/dev/null || true
+
+# was-enabled defaults to true, so new installations run enable.
+if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
+	# Enables the unit on first installation, creates new
+	# symlinks on upgrades if the unit file has changed.
+	deb-systemd-helper enable dnsmasq.service >/dev/null || true
+else
+	# Update the statefile to add new symlinks (if any), which need to be
+	# cleaned up on purge. Also remove old symlinks.
+	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
+fi
+# End code copied from dh_systemd_enable ------------------
+
 if [ -x /etc/init.d/dnsmasq ]; then
    update-rc.d dnsmasq defaults 15 85 >/dev/null
 

debian/postrm

@@ -4,3 +4,19 @@ set -e
 if [ purge = "$1" ]; then
    update-rc.d dnsmasq remove >/dev/null
 fi
+
+# Code copied from dh_systemd_enable ----------------------
+if [ "$1" = "remove" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper mask dnsmasq.service >/dev/null
+	fi
+fi
+
+if [ "$1" = "purge" ]; then
+	if [ -x "/usr/bin/deb-systemd-helper" ]; then
+		deb-systemd-helper purge dnsmasq.service >/dev/null
+		deb-systemd-helper unmask dnsmasq.service >/dev/null
+	fi
+fi
+# End code copied from dh_systemd_enable ------------------
+

debian/rules

@@ -11,18 +11,16 @@
 
 package=dnsmasq-base
 
-CFLAGS = $(shell export DEB_BUILD_OPTIONS=$(DEB_BUILD_OPTIONS); dpkg-buildflags --get CFLAGS)
-CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
+dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all" dpkg-buildflags
+
+CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
+CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
 CFLAGS += -Wall -W
 
-LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
 
 DEB_COPTS = $(COPTS)
 
-# The nettle library in Debian is too old to include
-# ECC support.
-DEB_COPTS += -DNO_NETTLE_ECC
-
 TARGET = install-i18n
 
 DEB_BUILD_ARCH_OS := $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)

debian/systemd.service

@@ -13,9 +13,8 @@ ExecStartPre=/usr/sbin/dnsmasq --test
 # itself, when called with the "systemd-exec" function.
 #
 # It also adds the command-line flags
-#    --keep-in-foreground --pid-file --enable-dbus 
-# to disable writing a pid-file (not needed with systemd) and 
-# enable DBus by default because we use DBus activation.
+#    --keep-in-foreground --enable-dbus 
+# to enable DBus by default because we use DBus activation.
 #
 ExecStart=/etc/init.d/dnsmasq systemd-exec
 

doc.html

@@ -1,6 +1,6 @@
 <HTML>
 <HEAD>
-<TITLE> Dnsmasq - a DNS forwarder for NAT firewalls.</TITLE>
+<TITLE> Dnsmasq - network services for small networks.</TITLE>
 <link rel="icon"
       href="http://www.thekelleys.org.uk/dnsmasq/images/favicon.ico">
 </HEAD>
@@ -11,82 +11,48 @@
 <td align="middle" valign="middle"><h1>Dnsmasq</h1></td>
 <td align="right" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td></tr>
 </table>
+Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be 
+lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used 
+for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks.
+Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most
+Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support.
 
-Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
- server. It is designed to provide DNS and, optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
- server and allows machines with DHCP-allocated addresses
- to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.
 <P>
- Dnsmasq is targeted at home networks using NAT and 
-connected to the internet via a modem, cable-modem or ADSL
-connection but would be a good choice for any smallish network (up to
-1000 clients is known to work) where low
-resource use and ease of configuration are important. 
-<P>
-Supported platforms include Linux (with glibc and uclibc), Android, *BSD,
-Solaris and Mac OS X.
-Dnsmasq is included in at least the following Linux distributions:
-Gentoo, Debian, Slackware, Suse, Fedora,
-Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l,
-CoyoteLinux, Endian Firewall and
-Clarkconnect. It is also available as FreeBSD, OpenBSD and NetBSD ports and is used in
-Linksys wireless routers (dd-wrt, openwrt and the stock firmware) and the m0n0wall project.
-<P>
-Dnsmasq provides the following features:
+The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and
+cacheing of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled). 
 <DIR>
-
-<LI> 
-The DNS configuration of machines behind the firewall is simple and
-doesn't depend on the details of the ISP's dns servers
-<LI>
-Clients which try to do DNS lookups while  a modem link to the
-internet is down will time out immediately.
-</LI>
-<LI>
-Dnsmasq will serve names from the /etc/hosts file on the firewall
-machine: If the names of local machines are there, then they can all
-be addressed without having to maintain /etc/hosts on each machine.
-</LI>
-<LI>
-The integrated DHCP server supports static and dynamic DHCP leases and
-multiple networks and IP ranges. It works across BOOTP relays and
-supports DHCP options including RFC3397 DNS search lists.
-Machines which are configured by DHCP have their names automatically 
-included in the DNS and the names can specified by each machine or
-centrally by associating a name with a MAC address in the dnsmasq
-config file.
-</LI>
-<LI>
-Dnsmasq caches internet addresses (A records and AAAA records) and address-to-name
-mappings (PTR records), reducing the load on upstream servers and
-improving performance (especially on modem connections). 
-</LI>
-<LI>
-Dnsmasq can be configured to automatically pick up the addresses of
-its upstream nameservers from ppp or dhcp configuration. It will
-automatically reload this information if it changes. This facility
-will be of particular interest to maintainers of Linux firewall
-distributions since it allows dns configuration to be made automatic.
-</LI>
-<LI>
-On IPv6-enabled boxes, dnsmasq can both talk to upstream servers via IPv6 
-and offer DNS service via IPv6. On dual-stack (IPv4 and IPv6) boxes it talks
-both protocols and can even act as IPv6-to-IPv4 or IPv4-to-IPv6 forwarder.
-</LI>
-<LI>
-Dnsmasq can be configured to send queries for certain domains to
-upstream servers handling only those domains. This makes integration
-with private DNS systems easy.
-</LI>
-<LI>
-Dnsmasq supports MX and SRV records and can be configured to return MX records
-for any or all local machines.
-</LI>
+<LI>Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.</LI>
+<LI>Upstream servers can be configured in a variety of convenient ways, including  dynamic configuration as these change on moving upstream network.
+<LI>Authoritative DNS mode allows local DNS names may be exported to zone in the global DNS. Dnsmasq acts as authoritative server for this zone, and also provides 
+zone transfer to secondaries for the zone, if required.</LI>
+<LI>DNSSEC validation may be performed on DNS replies from upstream nameservers, providing security against spoofing and cache poisoning.</LI>
+<LI>Specified sub-domains can be directed to their own upstream DNS servers, making VPN configuration easy.</LI>
+<LI>Internationalised domain names are supported.
 </DIR>
+<P>
+The DHCP subsystem supports DHCPv4, DHCPv6, BOOTP and PXE.
+<DIR>
+<LI> Both static and dynamic DHCP leases are supported, along with stateless mode in DHCPv6.</LI>
+<LI> The PXE system is a full PXE server, supporting netboot menus and multiple architecture support. It
+includes proxy-mode, where the PXE system co-operates with another DHCP server.</LI>
+<LI> There is a built in read-only TFTP server to support netboot.</LI>
+<LI> Machines which are configured by DHCP have their names automatically 
+included in the DNS and the names can specified by each machine or
+centrally by associating a name with a MAC address or UID in the dnsmasq
+configuration file.</LI>
+</DIR>
+<P>
+The Router Advertisement subsystem provides basic autoconfiguration for IPv6 hosts. It can be used stand-alone or in conjunction with DHCPv6.
+<DIR>
+<LI> The M and O bits are configurable, to control hosts' use of DHCPv6.</LI>
+<LI> Router advertisements can include the RDNSS option.</LI>
+<LI> There is a mode which uses name information from DHCPv4 configuration to provide DNS entries
+ for autoconfigured IPv6 addresses which would otherwise be anonymous.</LI>
+</DIR>
+<P>
+ 
+For extra compactness, unused features may be omitted at compile time.
+
 
 <H2>Get code.</H2>
 
@@ -102,7 +68,7 @@ the repo, or get a copy using git protocol with the command
 <PRE><TT>git clone git://thekelleys.org.uk/dnsmasq.git </TT></PRE>
 
 <H2>License.</H2>
-Dnsmasq is distributed under the GPL. See the file COPYING in the distribution 
+Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution 
 for details.
 
 <H2>Contact.</H2>
@@ -110,7 +76,21 @@ There is a dnsmasq mailing list at <A
 HREF="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss">
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</A> which should be the
 first location for queries, bugreports, suggestions etc.
-Dnsmasq was written by Simon Kelley. You can contact me at <A
+You can contact me at <A
 HREF="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</A>.
+
+<H2>Donations.</H2>
+Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. 
+These days I'm working on it as my main activity. 
+I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make 
+a contribution towards my expenses, please use the donation button below.
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
+<input type="hidden" name="cmd" value="_s-xclick">
+<input type="hidden" name="hosted_button_id" value="V3X9GVW5GX6DA">
+<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
+<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
+</form>
+
+
 </BODY>
 

man/dnsmasq.8

@@ -794,7 +794,7 @@ and
 for details.)
 
 For IPv6, the mode may be some combination of
-.B ra-only, slaac, ra-names, ra-stateless.
+.B ra-only, slaac, ra-names, ra-stateless, ra-advrouter.
 
 .B ra-only
 tells dnsmasq to offer Router Advertisement only on this subnet,
@@ -829,6 +829,11 @@ can be combined  with
 and
 .B slaac.
 
+.B ra-advrouter
+enables a mode where router address(es) rather than prefix(es) are included in the advertisements.
+This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option
+is also included, as described in RFC-3775 section 7.3.
+
 .TP
 .B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine

po/de.po

@@ -9,17 +9,19 @@
 # Simon Kelley <simon@thekelleys.org.uk>, 2005.
 msgid ""
 msgstr ""
-"Project-Id-Version: dnsmasq 2.53rc1\n"
+"Project-Id-Version: dnsmasq 2.70\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2009-06-18 12:24+0100\n"
-"PO-Revision-Date: 2012-04-05 17:54+0100\n"
-"Last-Translator: Conrad Kostecki <ConiKost@gmx.de>\n"
+"PO-Revision-Date: 2014-05-01 22:51+0100\n"
+"Last-Translator: Conrad Kostecki <ck@conrad-kostecki.de>\n"
 "Language-Team: German <de@li.org>\n"
 "Language: de\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Poedit 1.6.5\n"
+"X-Poedit-SourceCharset: UTF-8\n"
 
 #: cache.c:821
 #, c-format
@@ -57,8 +59,12 @@ msgstr "%s ist ein CNAME, weise es der DHCP-Lease von %s nicht zu"
 
 #: cache.c:1114
 #, c-format
-msgid "not giving name %s to the DHCP lease of %s because the name exists in %s with address %s"
-msgstr "Name %s wurde dem DHCP-Lease von %s nicht zugewiesen, da der Name in %s bereits mit Adresse %s existiert"
+msgid ""
+"not giving name %s to the DHCP lease of %s because the name exists in %s "
+"with address %s"
+msgstr ""
+"Name %s wurde dem DHCP-Lease von %s nicht zugewiesen, da der Name in %s "
+"bereits mit Adresse %s existiert"
 
 #: cache.c:1159
 #, c-format
@@ -68,7 +74,9 @@ msgstr "Zeit %lu"
 #: cache.c:1160
 #, c-format
 msgid "cache size %d, %d/%d cache insertions re-used unexpired cache entries."
-msgstr "Cache Größe %d, %d/%d Cache-Einfügungen verwendeten nicht abgelaufene Cache-Einträge wieder."
+msgstr ""
+"Cache Größe %d, %d/%d Cache-Einfügungen verwendeten nicht abgelaufene Cache-"
+"Einträge wieder."
 
 #: cache.c:1162
 #, c-format
@@ -78,12 +86,13 @@ msgstr "%u weitergeleitete Anfragen, %u lokal beantwortete Anfragen"
 #: cache.c:1165
 #, c-format
 msgid "queries for authoritative zones %u"
-msgstr ""
+msgstr "Anfragen nach autoritativen Zonen %u"
 
 #: cache.c:1188
 #, c-format
 msgid "server %s#%d: queries sent %u, retried or failed %u"
-msgstr "Server %s#%d: %u Anfragen gesendet, %u erneut versucht oder fehlgeschlagen"
+msgstr ""
+"Server %s#%d: %u Anfragen gesendet, %u erneut versucht oder fehlgeschlagen"
 
 #: util.c:67
 #, c-format
@@ -126,11 +135,13 @@ msgstr "IP-Adresse für alle Hosts in angebenen Domänen festlegen."
 # from the manpage instead. -- MA
 #: option.c:303
 msgid "Fake reverse lookups for RFC1918 private address ranges."
-msgstr "Für private Adressbereiche nach RFC1918 \"keine solche Domain\" liefern."
+msgstr ""
+"Für private Adressbereiche nach RFC1918 \"keine solche Domain\" liefern."
 
 #: option.c:304
 msgid "Treat ipaddr as NXDOMAIN (defeats Verisign wildcard)."
-msgstr "Diese IP-Adresse als NXDOMAIN interpretieren (wehrt \"Suchhilfen\" ab)."
+msgstr ""
+"Diese IP-Adresse als NXDOMAIN interpretieren (wehrt \"Suchhilfen\" ab)."
 
 #: option.c:305
 #, c-format
@@ -325,11 +336,13 @@ msgstr "Gültigkeitsdauer für Antworten aus /etc/hosts festlegen."
 
 #: option.c:350
 msgid "Specify time-to-live in seconds for negative caching."
-msgstr "Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
+msgstr ""
+"Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
 
 #: option.c:351
 msgid "Specify time-to-live in seconds for maximum TTL to send to clients."
-msgstr "Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
+msgstr ""
+"Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
 
 #: option.c:352
 #, c-format
@@ -354,7 +367,8 @@ msgstr "SRV-Eintrag festlegen."
 
 #: option.c:357
 msgid "Display this message. Use --help dhcp for known DHCP options."
-msgstr "Diese Hilfe anzeigen. Benutzen Sie --help dhcp für bekannte DHCP-Optionen."
+msgstr ""
+"Diese Hilfe anzeigen. Benutzen Sie --help dhcp für bekannte DHCP-Optionen."
 
 #: option.c:358
 #, c-format
@@ -409,7 +423,9 @@ msgstr "MAC-Adresse (mit Jokerzeichen) auf Netzmarke abbilden."
 
 #: option.c:370
 msgid "Treat DHCP requests on aliases as arriving from interface."
-msgstr "DHCP-Anfragen von Alias-Schnittstellen für die Hauptschnittstelle beantworten."
+msgstr ""
+"DHCP-Anfragen von Alias-Schnittstellen für die Hauptschnittstelle "
+"beantworten."
 
 #: option.c:371
 msgid "Disable ICMP echo address checking in the DHCP server."
@@ -421,7 +437,8 @@ msgstr "Skript, das bei Erzeugung/Löschung einer DHCP-Lease laufen soll."
 
 #: option.c:373
 msgid "Lua script to run on DHCP lease creation and destruction."
-msgstr "Lua-Skript, welches bei Erzeugung/Löschung eines DHCP-Leases laufen soll."
+msgstr ""
+"Lua-Skript, welches bei Erzeugung/Löschung eines DHCP-Leases laufen soll."
 
 #: option.c:374
 msgid "Run lease-change scripts as this user."
@@ -455,7 +472,9 @@ msgstr "Von DHCP-Clients gelieferte Hostnamen ignorieren."
 
 #: option.c:381
 msgid "Do NOT reuse filename and server fields for extra DHCP options."
-msgstr "Dateinamen und Server-Datenfehler für zusätzliche DHCP-Optionen NICHT wiederverwenden."
+msgstr ""
+"Dateinamen und Server-Datenfehler für zusätzliche DHCP-Optionen NICHT "
+"wiederverwenden."
 
 #: option.c:382
 msgid "Enable integrated read-only TFTP server."
@@ -471,7 +490,9 @@ msgstr "IP-Adresse des Klienten an tftp-root anhängen."
 
 #: option.c:385
 msgid "Allow access only to files owned by the user running dnsmasq."
-msgstr "Zugriff nur auf Dateien gestatten, die dem dnsmasq aufrufenden Benutzer gehören."
+msgstr ""
+"Zugriff nur auf Dateien gestatten, die dem dnsmasq aufrufenden Benutzer "
+"gehören."
 
 #: option.c:386
 #, c-format
@@ -484,7 +505,7 @@ msgstr "TFTP-Blockgrößen-Erweiterung abschalten."
 
 #: option.c:388
 msgid "Convert TFTP filenames to lowercase"
-msgstr ""
+msgstr "Konvertiere TFTP Dateinamen in Kleinschreibung"
 
 #: option.c:389
 msgid "Ephemeral port range for use by TFTP transfers."
@@ -496,11 +517,13 @@ msgstr "Erweiterte DHCP-Protokollierung."
 
 #: option.c:391
 msgid "Enable async. logging; optionally set queue length."
-msgstr "Asynchrone Protokollierung einschalten, opt. Warteschlangenlänge festlegen."
+msgstr ""
+"Asynchrone Protokollierung einschalten, opt. Warteschlangenlänge festlegen."
 
 #: option.c:392
 msgid "Stop DNS rebinding. Filter private IP ranges when resolving."
-msgstr "DNS-Rebinding unterbinden, private IP-Bereiche bei der Auflösung ausfiltern."
+msgstr ""
+"DNS-Rebinding unterbinden, private IP-Bereiche bei der Auflösung ausfiltern."
 
 #: option.c:393
 msgid "Allow rebinding of 127.0.0.0/8, for RBL servers."
@@ -528,7 +551,8 @@ msgstr "DNS-NAPTR-Eintrag festlegen."
 
 #: option.c:399
 msgid "Specify lowest port available for DNS query transmission."
-msgstr "Niedrigsten verfügbaren Port für Übertragung von DNS-Anfragen festlegen."
+msgstr ""
+"Niedrigsten verfügbaren Port für Übertragung von DNS-Anfragen festlegen."
 
 #: option.c:400
 msgid "Use only fully qualified domain names for DHCP clients."
@@ -545,7 +569,7 @@ msgstr "Diese DHCP-Relais als vollwertige Proxies verwenden."
 
 #: option.c:403
 msgid "Relay DHCP requests to a remote server"
-msgstr ""
+msgstr "Leute DHCP Anfragen an entfernten Server weiter"
 
 #: option.c:404
 msgid "Specify alias name for LOCAL DNS name."
@@ -568,9 +592,10 @@ msgid "Add requestor's MAC address to forwarded DNS queries."
 msgstr "Anfragende MAC-Adresse in die weiterleitende DNS-Anfrage einfügen"
 
 #: option.c:409
-#, fuzzy
 msgid "Add requestor's IP subnet to forwarded DNS queries."
-msgstr "Anfragende MAC-Adresse in die weiterleitende DNS-Anfrage einfügen"
+msgstr ""
+"Füge das IP-Subnetz des Anfragenden in die weitergeleiteten DNS-Anfragen "
+"hinzu."
 
 #: option.c:410
 msgid "Proxy DNSSEC validation results from upstream nameservers."
@@ -582,7 +607,8 @@ msgstr "Versuche sequenzielle IP-Adressen an DHCP-Klienten zu vergeben."
 
 #: option.c:412
 msgid "Copy connection-track mark from queries to upstream connections."
-msgstr "Kopiere \"connection-track mark\" von Anfragen nach Upstream-Verbindungen."
+msgstr ""
+"Kopiere \"connection-track mark\" von Anfragen nach Upstream-Verbindungen."
 
 #: option.c:413
 msgid "Allow DHCP clients to do their own DDNS updates."
@@ -590,78 +616,78 @@ msgstr "Erlaube DHCP-Klienten ihre eigenen DDNS-Updates durchzuführen."
 
 #: option.c:414
 msgid "Send router-advertisements for interfaces doing DHCPv6"
-msgstr "Sende \"Router-Advertisments\" für Netzwerkschnittstellen, welche DHCPv6 nutzen"
+msgstr ""
+"Sende \"Router-Advertisments\" für Netzwerkschnittstellen, welche DHCPv6 "
+"nutzen"
 
 #: option.c:415
 msgid "Specify DUID_EN-type DHCPv6 server DUID"
-msgstr ""
+msgstr "Spezifiziere DUID_EN-type DHCPv6 Server DUID"
 
 #: option.c:416
-#, fuzzy
 msgid "Specify host (A/AAAA and PTR) records"
-msgstr "Einen MX-Eintrag festlegen."
+msgstr "Spezifiziere Host (A/AAAA und PTR) Einträge"
 
 #: option.c:417
-#, fuzzy
 msgid "Specify arbitrary DNS resource record"
-msgstr "DNS-TXT-Eintrag festlegen."
+msgstr "Spezifiziere einen beliebiegen DNS Eintrag"
 
 #: option.c:418
-#, fuzzy
 msgid "Bind to interfaces in use - check for new interfaces"
-msgstr "unbekannte Schnittstelle %s in bridge-interface"
+msgstr "Bindung zu Schnittstellen in Benutzung - prüfe auf neue Schnittstellen"
 
 #: option.c:419
 msgid "Export local names to global DNS"
-msgstr ""
+msgstr "Exportiere lokale Namen in das globale DNS"
 
 #: option.c:420
 msgid "Domain to export to global DNS"
-msgstr ""
+msgstr "Domain für das Exportieren des globalen DNS"
 
 #: option.c:421
 msgid "Set TTL for authoritative replies"
-msgstr ""
+msgstr "Setzte TTL für autoritative Antworten"
 
 #: option.c:422
 msgid "Set authoritive zone information"
-msgstr ""
+msgstr "Setze autoritative Zoneninformationen"
 
 #: option.c:423
 msgid "Secondary authoritative nameservers for forward domains"
-msgstr ""
+msgstr "Sekundärer autoritativer Nameserver für weitergeleitete Domains"
 
 #: option.c:424
 msgid "Peers which are allowed to do zone transfer"
-msgstr ""
+msgstr "Peers welche einen Zonentransfer durchführen dürfen"
 
 #: option.c:425
 msgid "Specify ipsets to which matching domains should be added"
 msgstr ""
+"Spezifiziere IPSets zu welcher passende Domains hinzugefügt werden sollen"
 
 #: option.c:426
 msgid "Specify a domain and address range for synthesised names"
-msgstr ""
+msgstr "Spezifiziere eine Domain und Adressbereich für synthetisierte Namen"
 
 #: option.c:428
 msgid "Specify DHCPv6 prefix class"
-msgstr ""
+msgstr "Spezifiziere DHCPv6 Prefix Klasse"
 
 #: option.c:430
 msgid "Set priority, resend-interval and router-lifetime"
-msgstr ""
+msgstr "Setze Priorität, Intervall des erneuten Sendens und Router Lebenszeit"
 
 #: option.c:431
 msgid "Do not log routine DHCP."
-msgstr ""
+msgstr "Protokolliere kein DHCP."
 
 #: option.c:432
 msgid "Do not log routine DHCPv6."
-msgstr ""
+msgstr "Protokolliere kein DHCPv6."
 
 #: option.c:433
 msgid "Do not log RA."
-msgstr ""
+msgstr "RA nicht protokollieren."
 
 #: option.c:618
 #, c-format
@@ -695,9 +721,8 @@ msgid "bad interface name"
 msgstr "unzulässiger Schnittestellenname"
 
 #: option.c:742
-#, fuzzy
 msgid "bad address"
-msgstr "Fehlerhafte IP-Adresse"
+msgstr "Fehlerhafte Adresse"
 
 #: option.c:876
 msgid "unsupported encapsulation for IPv6 option"
@@ -747,7 +772,9 @@ msgstr "Kann auf %s nicht zugreifen: %s"
 
 #: option.c:1466
 msgid "setting log facility is not possible under Android"
-msgstr "Die Einstellung Protokolliereinrichtung kann unter Android nicht gesetzt werden"
+msgstr ""
+"Die Einstellung Protokolliereinrichtung kann unter Android nicht gesetzt "
+"werden"
 
 #: option.c:1475
 msgid "bad log facility"
@@ -771,21 +798,23 @@ msgstr "unter uClinux ist die Skriptausführung nicht möglich"
 
 #: option.c:1557
 msgid "recompile with HAVE_SCRIPT defined to enable lease-change scripts"
-msgstr "Neuübersetzung mit HAVE_SCRIPT nötig, um Lease-Änderungs-Skripte auszuführen"
+msgstr ""
+"Neuübersetzung mit HAVE_SCRIPT nötig, um Lease-Änderungs-Skripte auszuführen"
 
 #: option.c:1561
 msgid "recompile with HAVE_LUASCRIPT defined to enable Lua scripts"
-msgstr "Um Benutzerdefinierte Lua-Scripte zu ermöglichen, muss mit HAVE_LUASCRIPT neu kompiliert werden"
+msgstr ""
+"Um Benutzerdefinierte Lua-Scripte zu ermöglichen, muss mit HAVE_LUASCRIPT "
+"neu kompiliert werden"
 
 #: option.c:1802 option.c:1863 option.c:1933
-#, fuzzy
 msgid "bad prefix"
-msgstr "unzulässiger Port"
+msgstr "unzulässiger Präfix"
 
 #: option.c:2167
-#, fuzzy
 msgid "recompile with HAVE_IPSET defined to enable ipset directives"
-msgstr "Um Benutzerdefinierte Lua-Scripte zu ermöglichen, muss mit HAVE_LUASCRIPT neu kompiliert werden"
+msgstr ""
+"Um IPSet-Direktiven zu aktivieren, muss mit HAVE_IPSET neu übersetzt werden"
 
 #: option.c:2347
 msgid "bad port range"
@@ -808,19 +837,16 @@ msgid "inconsistent DHCP range"
 msgstr "inkonsistenter DHCP-Bereich"
 
 #: option.c:2527
-#, fuzzy
 msgid "prefix length must be exactly 64 for RA subnets"
-msgstr "Der Prefix muss mindestens 64 sein"
+msgstr "Die Präfixlenge muss genau 64 für RA Subnetze sein"
 
 #: option.c:2529
-#, fuzzy
 msgid "prefix length must be exactly 64 for subnet constructors"
-msgstr "Der Prefix muss mindestens 64 sein"
+msgstr "Die Präfixlenge muss genau 64 für Subnet Konstruktoren sein"
 
 #: option.c:2533
-#, fuzzy
 msgid "prefix length must be at least 64"
-msgstr "Der Prefix muss mindestens 64 sein"
+msgstr "Die Präfixlänge muss mindestens 64 sein"
 
 #: option.c:2536
 msgid "inconsistent DHCPv6 range"
@@ -828,7 +854,7 @@ msgstr "Inkonsistenter DHCPv6-Bereich"
 
 #: option.c:2547
 msgid "prefix must be zero with \"constructor:\" argument"
-msgstr ""
+msgstr "Prefix muss mit dem \"constructor:\" Argument Null sein"
 
 #: option.c:2658 option.c:2706
 msgid "bad hex constant"
@@ -839,9 +865,9 @@ msgid "cannot match tags in --dhcp-host"
 msgstr "Kann die Tags in --dhcp-host nicht abgleichen"
 
 #: option.c:2728
-#, fuzzy, c-format
+#, c-format
 msgid "duplicate dhcp-host IP address %s"
-msgstr "doppelte IP-Adresse %s in %s."
+msgstr "doppelte dhcp-host IP-Adresse %s"
 
 #: option.c:2784
 msgid "bad DHCP host name"
@@ -860,17 +886,16 @@ msgid "bad dhcp-proxy address"
 msgstr "Fehlerhafte DHCP-Proxy-Adresse"
 
 #: option.c:3278
-#, fuzzy
 msgid "Bad dhcp-relay"
-msgstr "unzulässiger DHCP-Bereich"
+msgstr "unzulässiger dhcp-relay"
 
 #: option.c:3304
 msgid "bad RA-params"
-msgstr ""
+msgstr "unzulässige RA-Parameter"
 
 #: option.c:3313
 msgid "bad DUID"
-msgstr ""
+msgstr "unzulässige DUID"
 
 #: option.c:3355
 msgid "invalid alias range"
@@ -893,9 +918,8 @@ msgid "bad NAPTR record"
 msgstr "unzulässiger NAPTR-Eintrag"
 
 #: option.c:3499
-#, fuzzy
 msgid "bad RR record"
-msgstr "unzulässiger PTR-Eintrag"
+msgstr "unzulässiger RR-Eintrag"
 
 #: option.c:3528
 msgid "bad TXT record"
@@ -918,17 +942,20 @@ msgid "invalid weight"
 msgstr "unzulässige Wichtung"
 
 #: option.c:3621
-#, fuzzy
 msgid "Bad host-record"
-msgstr "unzulässiger PTR-Eintrag"
+msgstr "unzulässiger host-record"
 
 #: option.c:3638
 msgid "Bad name in host-record"
-msgstr ""
+msgstr "Unzulässiger Name in host-record"
 
 #: option.c:3668
-msgid "unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DBus support)"
-msgstr "unzulässige Option (prüfen Sie, ob dnsmasq mit DHCP/TFTP/DBus-Unterstützt übersetzt wurde)"
+msgid ""
+"unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DBus "
+"support)"
+msgstr ""
+"unzulässige Option (prüfen Sie, ob dnsmasq mit DHCP/TFTP/DBus-Unterstützt "
+"übersetzt wurde)"
 
 #: option.c:3726
 msgid "missing \""
@@ -951,9 +978,9 @@ msgid "error"
 msgstr "Fehler"
 
 #: option.c:3796
-#, fuzzy, c-format
+#, c-format
 msgid " at line %d of %s"
-msgstr "%s in Zeile %d von %%s"
+msgstr " in Zeile %d von %s"
 
 #: option.c:3860 tftp.c:661
 #, c-format
@@ -992,12 +1019,14 @@ msgstr "Für diese Software wird ABSOLUT KEINE GARANTIE gewährt.\n"
 #: option.c:4157
 #, c-format
 msgid "Dnsmasq is free software, and you are welcome to redistribute it\n"
-msgstr "Dnsmasq ist freie Software, und du bist willkommen es weiter zu verteilen\n"
+msgstr ""
+"Dnsmasq ist freie Software, und du bist willkommen es weiter zu verteilen\n"
 
 #: option.c:4158
 #, c-format
 msgid "under the terms of the GNU General Public License, version 2 or 3.\n"
-msgstr "unter den Bedingungen der GNU General Public Lizenz, Version 2 oder 3.\n"
+msgstr ""
+"unter den Bedingungen der GNU General Public Lizenz, Version 2 oder 3.\n"
 
 #: option.c:4169
 msgid "try --help"
@@ -1023,7 +1052,8 @@ msgstr "mit -n/--no-poll ist nur eine resolv.conf-Datei zulässig."
 
 #: option.c:4260
 msgid "must have exactly one resolv.conf to read domain from."
-msgstr "Um die Domäne zu lesen, muss genau eine resolv.conf-Datei verwendet werden."
+msgstr ""
+"Um die Domäne zu lesen, muss genau eine resolv.conf-Datei verwendet werden."
 
 #: option.c:4263 network.c:1316 dhcp.c:768
 #, c-format
@@ -1037,7 +1067,8 @@ msgstr "keine \"search\"-Anweisung in %s gefunden"
 
 #: option.c:4301
 msgid "there must be a default domain when --dhcp-fqdn is set"
-msgstr "Es muss eine standard Domain gesetzt sein, wenn --dhcp-fqdn gesetzt ist"
+msgstr ""
+"Es muss eine standard Domain gesetzt sein, wenn --dhcp-fqdn gesetzt ist"
 
 #: option.c:4305
 msgid "syntax check OK"
@@ -1050,7 +1081,7 @@ msgstr "Fehlgeschlagen, folgendes Paket zu senden: %s"
 
 #: forward.c:493
 msgid "discarding DNS reply: subnet option mismatch"
-msgstr ""
+msgstr "Verwerfe DNS Antwort: Subnetoption stimmt nicht überrein"
 
 #: forward.c:511
 #, c-format
@@ -1063,9 +1094,9 @@ msgid "possible DNS-rebind attack detected: %s"
 msgstr "möglichen DNS-Rebind-Angriff entdeckt: %s"
 
 #: forward.c:1284
-#, fuzzy, c-format
+#, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
-msgstr "Höchstzahl nebenläufiger DNS-Anfragen (%s voreingestellt)."
+msgstr "Maximale Anzahl an nebenläufiger DNS-Anfragen erreicht (Max: %d)"
 
 #: network.c:627
 #, c-format
@@ -1074,22 +1105,30 @@ msgstr "Konnte Empfangs-Socket für %s: %s nicht erzeugen"
 
 #: network.c:947
 #, c-format
-msgid "LOUD WARNING: listening on %s may accept requests via interfaces other than %s"
+msgid ""
+"LOUD WARNING: listening on %s may accept requests via interfaces other than "
+"%s"
 msgstr ""
+"LOUD WARNING: Das Abhören von %s kann die Anfragen auf der Schnittstelle "
+"akzeptieren anders als %s"
 
 #: network.c:953
-msgid "LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"
+msgid ""
+"LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS "
+"amplification attacks via these interface(s)"
 msgstr ""
+"LOUD WARNING: Es sollte --bind-dynamic anstatt --bind-interfaces benutzt "
+"werden, um DNS-Verstärkungsangriffe auf diesen Schnittstellen zu unterbinden"
 
 #: network.c:962
-#, fuzzy, c-format
+#, c-format
 msgid "warning: no addresses found for interface %s"
-msgstr "Benutze lokale Adressen nur für %s %s"
+msgstr "Warnung: Keine Adresse für die Schnittstelle %s gefunden"
 
 #: network.c:1020
-#, fuzzy, c-format
+#, c-format
 msgid "interface %s failed to join DHCPv6 multicast group: %s"
-msgstr "Konnte DHCPv6-Multicast-Gruppe nicht beitreten: %s"
+msgstr "Schnittstelle %s konnte DHCPv6-Multicast-Gruppe nicht beitreten: %s"
 
 #: network.c:1214
 #, c-format
@@ -1158,7 +1197,8 @@ msgstr "Kann nicht --conntrack UND --query-port einsetzen"
 
 #: dnsmasq.c:144
 msgid "Conntrack support not available: set HAVE_CONNTRACK in src/config.h"
-msgstr "Conntrack-Unterstützung nicht verfügbar: setze HAVE_CONNTRACK in src/config.h"
+msgstr ""
+"Conntrack-Unterstützung nicht verfügbar: setze HAVE_CONNTRACK in src/config.h"
 
 #: dnsmasq.c:149
 msgid "asychronous logging is not available under Solaris"
@@ -1169,21 +1209,22 @@ msgid "asychronous logging is not available under Android"
 msgstr "Asynchrone Protokollierung unter Android nicht verfügbar"
 
 #: dnsmasq.c:159
-#, fuzzy
 msgid "authoritative DNS not available: set HAVE_AUTH in src/config.h"
-msgstr "DBus nicht verfügbar: setzen Sie HAVE_DBUS in src/config.h"
+msgstr ""
+"Authoritatives DNS nicht verfügbar: Es muss HAVE_AUTH in src/config.h "
+"gesetzt sein"
 
 #: dnsmasq.c:169
 msgid "zone serial must be configured in --auth-soa"
-msgstr ""
+msgstr "Zonen Seriennummer muss mit --auth-soa konfiguriert werden"
 
 #: dnsmasq.c:187
 msgid "dhcp-range constructor not available on this platform"
-msgstr ""
+msgstr "dhcp-range Konstruktor ist auf dieser Plattform nicht verfübar"
 
 #: dnsmasq.c:227
 msgid "cannot set --bind-interfaces and --bind-dynamic"
-msgstr ""
+msgstr "Kann nicht --bind-interfaces und --bind-dynamic setzen"
 
 #: dnsmasq.c:231
 #, c-format
@@ -1268,7 +1309,8 @@ msgstr "Warnung: keine vorgelagerten (Upstream) Server konfiguriert"
 #: dnsmasq.c:659
 #, c-format
 msgid "asynchronous logging enabled, queue limit is %d messages"
-msgstr "asynchrone Protokollierung eingeschaltet, Warteschlange fasst %d Nachrichten"
+msgstr ""
+"asynchrone Protokollierung eingeschaltet, Warteschlange fasst %d Nachrichten"
 
 #: dnsmasq.c:680
 msgid "IPv6 router advertisement enabled"
@@ -1277,7 +1319,7 @@ msgstr "IPv6-Router-Advertisement aktiviert"
 #: dnsmasq.c:685
 #, c-format
 msgid "DHCP, sockets bound exclusively to interface %s"
-msgstr ""
+msgstr "DHCP, Sockets exklusiv an das Interface %s gebunden"
 
 # FIXME: this and the next few must be full strings to be translatable - do not assemble in code"
 #: dnsmasq.c:702
@@ -1344,7 +1386,7 @@ msgstr "Konnte Lua-Script nicht laden: %s"
 #: dnsmasq.c:1068
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
-msgstr ""
+msgstr "Das TFTP-Verzeichnis %s ist nicht zugreifbar: %s"
 
 #: dnsmasq.c:1132
 #, c-format
@@ -1433,7 +1475,7 @@ msgstr "ignoriere %s Zeile %d, doppelter Name oder doppelte IP-Adresse"
 #: dhcp.c:993 rfc3315.c:2063
 #, c-format
 msgid "DHCP relay %s -> %s"
-msgstr ""
+msgstr "DHCP Weiterleitung %s -> %s"
 
 #: lease.c:61
 #, c-format
@@ -1556,8 +1598,11 @@ msgstr "benutze konfigurierte Adresse %s nicht, weil sie an %s verleast ist"
 
 #: rfc2131.c:994
 #, c-format
-msgid "not using configured address %s because it is in use by the server or relay"
-msgstr "benutze konfigurierte Adresse %s nicht, weil sie von Server/Relais verwendet wird"
+msgid ""
+"not using configured address %s because it is in use by the server or relay"
+msgstr ""
+"benutze konfigurierte Adresse %s nicht, weil sie von Server/Relais verwendet "
+"wird"
 
 #: rfc2131.c:997
 #, c-format
@@ -1635,7 +1680,8 @@ msgstr "%u angeforderte Optionen: %s"
 #: rfc2131.c:2447
 #, c-format
 msgid "cannot send RFC3925 option: too many options for enterprise number %d"
-msgstr "Kann RFC3925-Option nicht senden: zu viele Optionen für Unternehmen Nr. %d"
+msgstr ""
+"Kann RFC3925-Option nicht senden: zu viele Optionen für Unternehmen Nr. %d"
 
 #: netlink.c:78
 #, c-format
@@ -1649,7 +1695,8 @@ msgstr "Netlink liefert Fehler %s"
 
 #: dbus.c:259
 msgid "attempt to set an IPv6 server address via DBus - no IPv6 support"
-msgstr "Versuch, via DBus eine IPv6-Serveradresse zu setzen: keine IPv6-Unterstützung"
+msgstr ""
+"Versuch, via DBus eine IPv6-Serveradresse zu setzen: keine IPv6-Unterstützung"
 
 #: dbus.c:523
 msgid "setting upstream servers from DBus"
@@ -1727,9 +1774,9 @@ msgid "cannot create DHCPv6 socket: %s"
 msgstr "Kann DHCPv6-Socket nicht erzeugen: %s"
 
 #: dhcp6.c:80
-#, fuzzy, c-format
+#, c-format
 msgid "failed to set SO_REUSE{ADDR|PORT} on DHCPv6 socket: %s"
-msgstr "kann SO_REUSE{ADDR|PORT} für DHCP-Socket nicht aktivieren: %s"
+msgstr "kann SO_REUSE{ADDR|PORT} für DHCPv6-Socket nicht aktivieren: %s"
 
 #: dhcp6.c:92
 #, c-format
@@ -1752,68 +1799,64 @@ msgid "%u available DHCPv6 subnet: %s/%d"
 msgstr "%u verfügbare(s) DHCPv6-Subnetz: %s/%d"
 
 #: rfc3315.c:376
-#, fuzzy, c-format
+#, c-format
 msgid "%u vendor class: %u"
-msgstr "%u \"Vendor class\": %s"
+msgstr "%u Herstellerklasse: %u"
 
 #: rfc3315.c:424
-#, fuzzy, c-format
+#, c-format
 msgid "%u client MAC address: %s"
-msgstr "%u Klient stellt Name bereit: %s"
+msgstr "%u Klient MAC-Adresse: %s"
 
 # FIXME: do not assemble
 #: rfc3315.c:656
-#, fuzzy, c-format
+#, c-format
 msgid "unknown prefix-class %d"
-msgstr "Unbekannter Lease"
+msgstr "unbekannte Präfixklasse %d"
 
 #: rfc3315.c:788 rfc3315.c:910
 msgid "success"
-msgstr ""
+msgstr "Erfolg"
 
 #: rfc3315.c:803 rfc3315.c:805 rfc3315.c:918 rfc3315.c:920
-#, fuzzy
 msgid "no addresses available"
-msgstr "Keine Adresse verfügbar"
+msgstr "Keine Adressen verfügbar"
 
 #: rfc3315.c:862
-#, fuzzy
 msgid "address unavailable"
 msgstr "Adresse nicht verfügbar"
 
 #: rfc3315.c:897
 msgid "not on link"
-msgstr ""
+msgstr "nicht on link"
 
 #: rfc3315.c:970 rfc3315.c:1148 rfc3315.c:1225
 msgid "no binding found"
-msgstr ""
+msgstr "Keine Bindung gefunden"
 
 #: rfc3315.c:1008
 msgid "deprecated"
-msgstr ""
+msgstr "veraltet"
 
 #: rfc3315.c:1013
-#, fuzzy
 msgid "address invalid"
-msgstr "Adresse in Nutzung"
+msgstr "Adresse ungültig"
 
 #: rfc3315.c:1058
 msgid "confirm failed"
-msgstr ""
+msgstr "Bestätigung fehlgeschlagen"
 
 #: rfc3315.c:1069
-#, fuzzy
 msgid "all addresses still on link"
-msgstr "Fehlerhafte Adresse in %s Zeile %d"
+msgstr "Alle Adressen immer noch on link"
 
 #: rfc3315.c:1157
 msgid "release received"
-msgstr ""
+msgstr "Freigabe empfangen"
 
 #: rfc3315.c:2054
 msgid "Cannot multicast to DHCPv6 server without correct interface"
-msgstr ""
+msgstr "Kann nicht zum DHCPv6 Server multicasten ohne korrekte Schnittstelle"
 
 #: dhcp-common.c:145
 #, c-format
@@ -1836,9 +1879,9 @@ msgid "duplicate IP address %s (%s) in dhcp-config directive"
 msgstr "doppelte IP-Adresse %s (%s) in \"dhcp-config\"-Anweisung"
 
 #: dhcp-common.c:494
-#, fuzzy, c-format
+#, c-format
 msgid "failed to set SO_BINDTODEVICE on DHCP socket: %s"
-msgstr "kann SO_REUSE{ADDR|PORT} für DHCP-Socket nicht aktivieren: %s"
+msgstr "kann SO_BINDTODEVICE für DHCP-Socket nicht aktivieren: %s"
 
 #: dhcp-common.c:615
 #, c-format
@@ -1852,52 +1895,52 @@ msgstr "Bekannte DHCPv6-Optionen:\n"
 
 #: dhcp-common.c:823
 msgid ", prefix deprecated"
-msgstr ""
+msgstr ", Prefix veraltet"
 
 #: dhcp-common.c:826
 #, c-format
 msgid ", lease time "
-msgstr ""
+msgstr ", Lease Zeit"
 
 #: dhcp-common.c:868
 #, c-format
 msgid "%s stateless on %s%.0s%.0s%s"
-msgstr ""
+msgstr "%s stateless auf %s%.0s%.0s%s"
 
 #: dhcp-common.c:870
-#, fuzzy, c-format
+#, c-format
 msgid "%s, static leases only on %.0s%s%s%.0s"
-msgstr "DHCP, nur statische Leases auf %.0s%s, Lease-Zeit %s"
+msgstr "%s, nur statische Leases auf %.0s%s%s%.0s"
 
 #: dhcp-common.c:872
-#, fuzzy, c-format
+#, c-format
 msgid "%s, proxy on subnet %.0s%s%.0s%.0s"
-msgstr "DHCP, Proxy im Subnetz %.0s%s%.0s"
+msgstr "%s, Proxy im Subnetz %.0s%s%.0s%.0s"
 
 #: dhcp-common.c:873
-#, fuzzy, c-format
+#, c-format
 msgid "%s, IP range %s -- %s%s%.0s"
-msgstr "DHCP, IP-Bereich %s - %s, Lease-Zeit %s "
+msgstr "%s, IP-Bereich %s -- %s%s%.0s"
 
 #: dhcp-common.c:886
 #, c-format
 msgid "DHCPv4-derived IPv6 names on %s%s"
-msgstr ""
+msgstr "DHCPv4-abgeleitete IPv6 Namen auf %s%s"
 
 #: dhcp-common.c:889
-#, fuzzy, c-format
+#, c-format
 msgid "router advertisement on %s%s"
-msgstr "Router-Advertisment nur auf %.0s%s, Lebenszeit %s"
+msgstr "Router-Advertisment auf %s%s"
 
 #: dhcp-common.c:900
 #, c-format
 msgid "DHCP relay from %s to %s via %s"
-msgstr ""
+msgstr "DHCP Weiterleitung von %s nach %s über %s"
 
 #: dhcp-common.c:902
 #, c-format
 msgid "DHCP relay from %s to %s"
-msgstr ""
+msgstr "DHCP Weiterleitung von %s nach %s"
 
 #: radv.c:98
 #, c-format
@@ -1905,19 +1948,19 @@ msgid "cannot create ICMPv6 socket: %s"
 msgstr "Kann ICMPv6-Socket nicht erzeugen: %s"
 
 #: auth.c:427
-#, fuzzy, c-format
+#, c-format
 msgid "ignoring zone transfer request from %s"
-msgstr "nicht unterstützte Anfrage von %s"
+msgstr "ignoriere Zonentransfer-Anfrage von %s"
 
 #: ipset.c:95
-#, fuzzy, c-format
+#, c-format
 msgid "failed to find kernel version: %s"
-msgstr "kann nicht an DHCP-Server-Socket binden: %s"
+msgstr "konnte Kernelversion nicht finden: %s"
 
 #: ipset.c:114
-#, fuzzy, c-format
+#, c-format
 msgid "failed to create IPset control socket: %s"
-msgstr "konnte TFTP-Socket nicht erzeugen: %s"
+msgstr "konnte IPset-Kontroll-Socket nicht erzeugen: %s"
 
 #~ msgid "no interface with address %s"
 #~ msgstr "keine Schnittstelle mit Adresse %s"

src/blockdata.c

@@ -25,7 +25,7 @@ static void blockdata_expand(int n)
 {
   struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
   
-  if (new)
+  if (n > 0 && new)
     {
       int i;
       
@@ -46,14 +46,19 @@ void blockdata_init(void)
   blockdata_alloced = 0;
   blockdata_count = 0;
   blockdata_hwm = 0;
-  
-  blockdata_expand((daemon->cachesize * 100) / sizeof(struct blockdata));
+
+  /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
+  if (option_bool(OPT_DNSSEC_VALID))
+    blockdata_expand((daemon->cachesize * 100) / sizeof(struct blockdata));
 }
 
 void blockdata_report(void)
 {
-  my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
-	    blockdata_count * sizeof(struct blockdata),  blockdata_hwm * sizeof(struct blockdata),  blockdata_alloced * sizeof(struct blockdata));
+  if (option_bool(OPT_DNSSEC_VALID))
+    my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
+	      blockdata_count * sizeof(struct blockdata),  
+	      blockdata_hwm * sizeof(struct blockdata),  
+	      blockdata_alloced * sizeof(struct blockdata));
 } 
 
 struct blockdata *blockdata_alloc(char *data, size_t len)

src/config.h

@@ -330,7 +330,7 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_AUTH
 #endif
 
-#if defined(NO_IPSET) || !defined(HAVE_LINUX_NETWORK)
+#if defined(NO_IPSET)
 #undef HAVE_IPSET
 #endif
 

src/dhcp.c

@@ -404,7 +404,8 @@ void dhcp_packet(time_t now, int pxe_fd)
       memcpy(arp_req.arp_ha.sa_data, mess->chaddr, mess->hlen);
       /* interface name already copied in */
       arp_req.arp_flags = ATF_COM;
-      ioctl(daemon->dhcpfd, SIOCSARP, &arp_req);
+      if (ioctl(daemon->dhcpfd, SIOCSARP, &arp_req) == -1)
+	my_syslog(MS_DHCP | LOG_ERR, _("ARP-cache injection failed: %s"), strerror(errno));
     }
 #elif defined(HAVE_SOLARIS_NETWORK)
   else if ((ntohs(mess->flags) & 0x8000) || mess->hlen != ETHER_ADDR_LEN || mess->htype != ARPHRD_ETHER)

src/dhcp6.c

@@ -708,12 +708,20 @@ static int construct_worker(struct in6_addr *local, int prefix,
 
 void dhcp_construct_contexts(time_t now)
 { 
+  static int active = 0;
   struct dhcp_context *context, *tmp, **up;
   struct cparam param;
   param.newone = 0;
   param.newname = 0;
   param.now = now;
 
+  /* Various calls that we make may end up calling iface_enumerate(), which can then 
+     call us again, We're NOT re-entrant, so ignore a second invokation. */
+  if (active)
+    return;
+
+  active = 1;
+
   for (context = daemon->dhcp6; context; context = context->next)
     if (context->flags & CONTEXT_CONSTRUCTED)
       context->flags |= CONTEXT_GC;
@@ -727,8 +735,7 @@ void dhcp_construct_contexts(time_t now)
      
       if (context->flags & CONTEXT_GC && !(context->flags & CONTEXT_OLD))
 	{
-	  if ((context->flags & (CONTEXT_RA_ONLY | CONTEXT_RA_NAME | CONTEXT_RA_STATELESS)) ||
-	      option_bool(OPT_RA))
+	  if ((context->flags & CONTEXT_RA) || option_bool(OPT_RA))
 	    {
 	      /* previously constructed context has gone. advertise it's demise */
 	      context->flags |= CONTEXT_OLD;
@@ -772,6 +779,8 @@ void dhcp_construct_contexts(time_t now)
 	/* Not doing DHCP, so no lease system, manage alarms for ra only */
 	send_alarm(periodic_ra(now), now);
     }
+
+  active = 0;
 }
 
 #endif

src/dnsmasq.h

@@ -823,7 +823,7 @@ struct dhcp_context {
 #define CONTEXT_NETMASK        (1u<<1)
 #define CONTEXT_BRDCAST        (1u<<2)
 #define CONTEXT_PROXY          (1u<<3)
-#define CONTEXT_RA_ONLY        (1u<<4)
+#define CONTEXT_RA_ROUTER      (1u<<4)
 #define CONTEXT_RA_DONE        (1u<<5)
 #define CONTEXT_RA_NAME        (1u<<6)
 #define CONTEXT_RA_STATELESS   (1u<<7)
@@ -838,7 +838,6 @@ struct dhcp_context {
 #define CONTEXT_OLD            (1u<<16)
 #define CONTEXT_V6             (1u<<17)
 
-
 struct ping_result {
   struct in_addr addr;
   time_t time;

src/dnssec.c

@@ -1682,6 +1682,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
   GETSHORT(qtype, p1);
   GETSHORT(qclass, p1);
   ans_start = p1;
+
+  if (qtype == T_ANY)
+    have_answer = 1;
  
   /* Can't validate an RRISG query */
   if (qtype == T_RRSIG)
@@ -2132,7 +2135,7 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i
   int i, type, class, rdlen;
   unsigned char *pp;
   
-  for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
+  for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++)
     {
       pp = p;
 
@@ -2178,7 +2181,7 @@ size_t filter_rrsigs(struct dns_header *header, size_t plen)
   static int rr_sz = 0;
   
   unsigned char *p = (unsigned char *)(header+1);
-  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns;
+  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar;
 
   if (ntohs(header->qdcount) != 1 ||
       !(p = skip_name(p, header, plen, 4)))
@@ -2189,7 +2192,9 @@ size_t filter_rrsigs(struct dns_header *header, size_t plen)
 
   /* First pass, find pointers to start and end of all the records we wish to elide:
      records added for DNSSEC, unless explicity queried for */
-  for (rr_found = 0, chop_ns = 0, chop_an = 0, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
+  for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; 
+       i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount);
+       i++)
     {
       unsigned char *pstart = p;
       int type, class;
@@ -2217,8 +2222,10 @@ size_t filter_rrsigs(struct dns_header *header, size_t plen)
 	  
 	  if (i < ntohs(header->ancount))
 	    chop_an++;
-	  else
+	  else if (i < (ntohs(header->nscount) + ntohs(header->ancount)))
 	    chop_ns++;
+	  else
+	    chop_ar++;
 	}
       else if (!ADD_RDLEN(header, p, plen, rdlen))
 	return plen;
@@ -2255,7 +2262,8 @@ size_t filter_rrsigs(struct dns_header *header, size_t plen)
   plen = p - (unsigned char *)header;
   header->ancount = htons(ntohs(header->ancount) - chop_an);
   header->nscount = htons(ntohs(header->nscount) - chop_ns);
-  
+  header->arcount = htons(ntohs(header->arcount) - chop_ar);
+
   /* Fourth pass, fix up pointers in the remaining records */
   p = (unsigned char *)(header+1);
   

src/forward.c

@@ -535,20 +535,23 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
   (void) do_bit;
 
 #ifdef HAVE_IPSET
-  /* Similar algorithm to search_servers. */
-  struct ipsets *ipset_pos;
-  unsigned int namelen = strlen(daemon->namebuff);
-  unsigned int matchlen = 0;
-  for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) 
+  if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
     {
-      unsigned int domainlen = strlen(ipset_pos->domain);
-      char *matchstart = daemon->namebuff + namelen - domainlen;
-      if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
-	  (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
-	  domainlen >= matchlen) 
+      /* Similar algorithm to search_servers. */
+      struct ipsets *ipset_pos;
+      unsigned int namelen = strlen(daemon->namebuff);
+      unsigned int matchlen = 0;
+      for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) 
 	{
-	  matchlen = domainlen;
-	  sets = ipset_pos->sets;
+	  unsigned int domainlen = strlen(ipset_pos->domain);
+	  char *matchstart = daemon->namebuff + namelen - domainlen;
+	  if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
+	      (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
+	      domainlen >= matchlen) 
+	    {
+	      matchlen = domainlen;
+	      sets = ipset_pos->sets;
+	    }
 	}
     }
 #endif
@@ -585,7 +588,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
      header->hb4 &= ~HB4_AD;
   
   if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
-    return n;
+    return resize_packet(header, n, pheader, plen);
   
   /* Complain loudly if the upstream server is non-recursive. */
   if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
@@ -1344,13 +1347,20 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
 { 
   char *name_start;
   unsigned char *p;
-  int status = dnssec_validate_ds(now, header, plen, name, keyname, class);
-  
-  if (status != STAT_INSECURE)
-    {
-      if (status == STAT_NO_DS)
-	status = STAT_INSECURE;
-      return status;
+  int status;
+
+  /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a 
+     suitable NSEC reply to DS queries. */
+  if (RCODE(header) != SERVFAIL)
+    { 
+      status = dnssec_validate_ds(now, header, plen, name, keyname, class);
+      
+      if (status != STAT_INSECURE)
+	{
+	  if (status == STAT_NO_DS)
+	    status = STAT_INSECURE;
+	  return status;
+	}
     }
   
   p = (unsigned char *)(header+1);
@@ -1443,8 +1453,13 @@ static int  tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
 	      newhash = hash_questions(header, (unsigned int)m, name);
 	      if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
 		{
-		  /* Note this trashes all three name workspaces */
-		  status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
+		   /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a 
+		      suitable NSEC reply to DS queries. */
+		  if (RCODE(header) == SERVFAIL)
+		    status = STAT_INSECURE;
+		  else
+		    /* Note this trashes all three name workspaces */
+		    status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
 		  
 		  /* We've found a DS which proves the bit of the DNS where the
 		     original query is, is unsigned, so the answer is OK, 
@@ -1742,7 +1757,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		  struct server *firstsendto = NULL;
 #ifdef HAVE_DNSSEC
 		  unsigned char *newhash, hash[HASH_SIZE];
-		  if ((newhash = hash_questions(header, (unsigned int)size, daemon->keyname)))
+		  if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
 		    memcpy(hash, newhash, HASH_SIZE);
 		  else
 		    memset(hash, 0, HASH_SIZE);
@@ -1820,6 +1835,10 @@ unsigned char *tcp_request(int confd, time_t now,
 			}
 		      
 		      *length = htons(size);
+
+		      /* get query name again for logging - may have been overwritten */
+		      if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
+			strcpy(daemon->namebuff, "query");
 		      
 		      if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
 			  !read_write(last_server->tcpfd, &c1, 1, 1) ||
@@ -1833,8 +1852,6 @@ unsigned char *tcp_request(int confd, time_t now,
 		      
 		      m = (c1 << 8) | c2;
 		      
-		      if (!gotname)
-			strcpy(daemon->namebuff, "query");
 		      if (last_server->addr.sa.sa_family == AF_INET)
 			log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, 
 				  (struct all_addr *)&last_server->addr.in.sin_addr, NULL); 

src/ipset.c

@@ -16,7 +16,7 @@
 
 #include "dnsmasq.h"
 
-#ifdef HAVE_IPSET
+#if defined(HAVE_IPSET) && defined(HAVE_LINUX_NETWORK)
 
 #include <string.h>
 #include <errno.h>

src/option.c

@@ -2583,9 +2583,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		if (strcmp(a[leasepos], "static") == 0)
 		  new->flags |= CONTEXT_STATIC | CONTEXT_DHCP;
 		else if (strcmp(a[leasepos], "ra-only") == 0 || strcmp(a[leasepos], "slaac") == 0 )
-		  new->flags |= CONTEXT_RA_ONLY | CONTEXT_RA;
+		  new->flags |= CONTEXT_RA;
 		else if (strcmp(a[leasepos], "ra-names") == 0)
 		  new->flags |= CONTEXT_RA_NAME | CONTEXT_RA;
+		else if (strcmp(a[leasepos], "ra-advrouter") == 0)
+		  new->flags |= CONTEXT_RA_ROUTER | CONTEXT_RA;
 		else if (strcmp(a[leasepos], "ra-stateless") == 0)
 		  new->flags |= CONTEXT_RA_STATELESS | CONTEXT_DHCP | CONTEXT_RA;
 		else if (leasepos == 1 && inet_pton(AF_INET6, a[leasepos], &new->end6))
@@ -2615,7 +2617,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    
 	    if (new->prefix != 64)
 	      {
-		if ((new->flags & (CONTEXT_RA_ONLY | CONTEXT_RA_NAME | CONTEXT_RA_STATELESS)))
+		if (new->flags & CONTEXT_RA)
 		  ret_err(_("prefix length must be exactly 64 for RA subnets"));
 		else if (new->flags & CONTEXT_TEMPLATE)
 		  ret_err(_("prefix length must be exactly 64 for subnet constructors"));

src/radv-protocol.h

@@ -49,6 +49,7 @@ struct prefix_opt {
 #define ICMP6_OPT_SOURCE_MAC   1
 #define ICMP6_OPT_PREFIX       3
 #define ICMP6_OPT_MTU          5
+#define ICMP6_OPT_ADV_INTERVAL 7
 #define ICMP6_OPT_RDNSS       25
 #define ICMP6_OPT_DNSSL       31
 

src/radv.c

@@ -28,7 +28,7 @@
 
 struct ra_param {
   time_t now;
-  int ind, managed, other, found_context, first;
+  int ind, managed, other, found_context, first, adv_router;
   char *if_name;
   struct dhcp_netid *tags;
   struct in6_addr link_local, link_global, ula;
@@ -226,6 +226,7 @@ static void send_ra(time_t now, int iface, char *iface_name, struct in6_addr *de
   parm.managed = 0;
   parm.other = 0;
   parm.found_context = 0;
+  parm.adv_router = 0;
   parm.if_name = iface_name;
   parm.first = 1;
   parm.now = now;
@@ -286,8 +287,7 @@ static void send_ra(time_t now, int iface, char *iface_name, struct in6_addr *de
 	      setaddr6part(&local, addr6part(&local) & ~((context->prefix == 64) ? (u64)-1LL : (1LLU << (128 - context->prefix)) - 1LLU));
 	     
 	      
-	      if ((context->flags & 
-		   (CONTEXT_RA_ONLY | CONTEXT_RA_NAME | CONTEXT_RA_STATELESS)))
+	      if (context->flags & CONTEXT_RA)
 		{
 		  do_slaac = 1;
 		  if (context->flags & CONTEXT_DHCP)
@@ -339,6 +339,17 @@ static void send_ra(time_t now, int iface, char *iface_name, struct in6_addr *de
   if (!old_prefix && !parm.found_context)
     return; 
   
+  /* If we're sending router address instead of prefix in at least on prefix,
+     include the advertisement interval option. */
+  if (parm.adv_router)
+    {
+      put_opt6_char(ICMP6_OPT_ADV_INTERVAL);
+      put_opt6_char(1);
+      put_opt6_short(0);
+      /* interval value is in milliseconds */
+      put_opt6_long(1000 * calc_interval(find_iface_param(iface_name)));
+    }
+
 #ifdef HAVE_LINUX_NETWORK
   /* Note that IPv6 MTU is not necessarilly the same as the IPv4 MTU
      available from SIOCGIFMTU */
@@ -500,6 +511,7 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 	  int do_slaac = 0;
 	  int deprecate  = 0;
 	  int constructed = 0;
+	  int adv_router = 0;
 	  unsigned int time = 0xffffffff;
 	  struct dhcp_context *context;
 	  
@@ -511,8 +523,7 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 	      {
 		context->saved_valid = valid;
 
-		if ((context->flags & 
-		     (CONTEXT_RA_ONLY | CONTEXT_RA_NAME | CONTEXT_RA_STATELESS)))
+		if (context->flags & CONTEXT_RA) 
 		  {
 		    do_slaac = 1;
 		    if (context->flags & CONTEXT_DHCP)
@@ -530,7 +541,17 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 		    param->managed = 1;
 		    param->other = 1;
 		  }
-		
+
+		/* Configured to advertise router address, not prefix. See RFC 3775 7.2 
+		 In this case we do all addresses associated with a context, 
+		 hence the real_prefix setting here. */
+		if (context->flags & CONTEXT_RA_ROUTER)
+		  {
+		    adv_router = 1;
+		    param->adv_router = 1;
+		    real_prefix = context->prefix;
+		  }
+
 		/* find floor time, don't reduce below 3 * RA interval. */
 		if (time > context->lease_time)
 		  {
@@ -556,7 +577,7 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 		/* subsequent prefixes on the same interface 
 		   and subsequent instances of this prefix don't need timers.
 		   Be careful not to find the same prefix twice with different
-		   addresses. */
+		   addresses unless we're advertising the actual addresses. */
 		if (!(context->flags & CONTEXT_RA_DONE))
 		  {
 		    if (!param->first)
@@ -607,13 +628,18 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 	      if ((opt = expand(sizeof(struct prefix_opt))))
 		{
 		  /* zero net part of address */
-		  setaddr6part(local, addr6part(local) & ~((real_prefix == 64) ? (u64)-1LL : (1LLU << (128 - real_prefix)) - 1LLU));
+		  if (!adv_router)
+		    setaddr6part(local, addr6part(local) & ~((real_prefix == 64) ? (u64)-1LL : (1LLU << (128 - real_prefix)) - 1LLU));
 		  
 		  opt->type = ICMP6_OPT_PREFIX;
 		  opt->len = 4;
 		  opt->prefix_len = real_prefix;
 		  /* autonomous only if we're not doing dhcp, always set "on-link" */
-		  opt->flags = do_slaac ? 0xC0 : 0x80;
+		  opt->flags = 0x80;
+		  if (do_slaac)
+		    opt->flags |= 0x40;
+		  if (adv_router)
+		    opt->flags |= 0x20;
 		  opt->valid_lifetime = htonl(valid);
 		  opt->preferred_lifetime = htonl(preferred);
 		  opt->reserved = 0; 

src/tables.c

@@ -0,0 +1,167 @@
+/* tables.c is Copyright (c) 2014 Dohnuts All Rights Reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#if defined(HAVE_IPSET) && defined(HAVE_BSD_NETWORK)
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <net/pfvar.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+
+#define UNUSED(x) (void)(x)
+
+static char *pf_device = "/dev/pf";
+static int dev = -1;
+
+static char *pfr_strerror(int errnum)
+{
+  switch (errnum) 
+    {
+    case ESRCH:
+      return "Table does not exist";
+    case ENOENT:
+      return "Anchor or Ruleset does not exist";
+    default:
+      return strerror(errnum);
+    }
+}
+
+static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
+{
+  struct pfioc_table io;
+  
+  if (size < 0 || (size && tbl == NULL)) 
+    {
+      errno = EINVAL;
+      return (-1);
+    }
+  bzero(&io, sizeof io);
+  io.pfrio_flags = flags;
+  io.pfrio_buffer = tbl;
+  io.pfrio_esize = sizeof(*tbl);
+  io.pfrio_size = size;
+  if (ioctl(dev, DIOCRADDTABLES, &io))
+    return (-1);
+  if (nadd != NULL)
+    *nadd = io.pfrio_nadd;
+  return (0);
+}
+
+static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) {
+  if ( !addr || !ipaddr)
+    {
+      my_syslog(LOG_ERR, _("error: fill_addr missused"));
+      return -1;
+    }
+  bzero(addr, sizeof(*addr));
+#ifdef HAVE_IPV6
+  if (flags & F_IPV6) 
+    {
+      addr->pfra_af = AF_INET6;
+      addr->pfra_net = 0x80;
+      memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
+    } 
+  else 
+#endif
+    {
+      addr->pfra_af = AF_INET;
+      addr->pfra_net = 0x20;
+      addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
+    }
+  return 1;
+}
+
+/*****************************************************************************/
+
+void ipset_init(void) 
+{
+  dev = open( pf_device, O_RDWR);
+  if (dev == -1)
+    {
+      err(1, "%s", pf_device);
+      die (_("failed to access pf devices: %s"), NULL, EC_MISC);
+    }
+}
+
+int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
+		      int flags, int remove)
+{
+  struct pfr_addr addr;
+  struct pfioc_table io;
+  struct pfr_table table;
+  int n = 0, rc = 0;
+
+  if ( dev == -1 ) 
+    {
+      my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device);
+      return -1;
+    }
+
+  bzero(&table, sizeof(struct pfr_table));
+  table.pfrt_flags |= PFR_TFLAG_PERSIST;
+  if ( strlen(setname) >= PF_TABLE_NAME_SIZE )
+    {
+      my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname);
+      errno = ENAMETOOLONG;
+      return -1;
+    }
+  
+  if ( strlcpy(table.pfrt_name, setname,
+               sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) 
+    {
+      my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname);
+      return -1;
+    }
+  
+  if (rc = pfr_add_tables(&table, 1, &n, 0)) 
+    {
+      my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"),
+		pfr_strerror(errno),rc);
+      return -1;
+    }
+  table.pfrt_flags &= ~PFR_TFLAG_PERSIST;
+  if (n)
+    my_syslog(LOG_INFO, _("info: table created"));
+  
+  fill_addr(ipaddr,flags,&addr);
+  bzero(&io, sizeof(io));
+  io.pfrio_flags = 0;
+  io.pfrio_table = table;
+  io.pfrio_buffer = &addr;
+  io.pfrio_esize = sizeof(addr);
+  io.pfrio_size = 1;
+  if (ioctl(dev, ( remove ? DIOCRDELADDRS : DIOCRADDADDRS ), &io)) 
+    {
+      my_syslog(LOG_WARNING, _("warning: DIOCR%sADDRS: %s"), ( remove ? "DEL" : "ADD" ), pfr_strerror(errno));
+      return -1;
+    }
+  
+  my_syslog(LOG_INFO, _("%d addresses %s"),
+            io.pfrio_nadd, ( remove ? "removed" : "added" ));
+  
+  return io.pfrio_nadd;
+}
+
+
+#endif