Changed priority to high in Debian changelog.

Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from
nettle, but keep DNSSEC disabled at build time. Skips use of internal
hash implementation without support for validation built-in.

.gitattributes

@@ -0,0 +1 @@
+VERSION export-subst

.gitignore

@@ -4,11 +4,11 @@ src/dnsmasq.pot
 src/dnsmasq
 src/dnsmasq_baseline
 src/.copts_*
-contrib/wrt/dhcp_lease_time
-contrib/wrt/dhcp_release
-debian/base/
-debian/daemon/
+contrib/lease-tools/dhcp_lease_time
+contrib/lease-tools/dhcp_release
+contrib/lease-tools/dhcp_release6
 debian/files
 debian/substvars
 debian/utils-substvars
-debian/utils/
+debian/trees/
+debian/build/

CHANGELOG

@@ -1,3 +1,622 @@
+version 2.83
+	Use the values of --min-port and --max-port in outgoing
+	TCP connections to upstream DNS servers.
+
+	Fix a remote buffer overflow problem in the DNSSEC code. Any
+	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
+	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
+	CVE-2020-25687.
+
+	Be sure to only accept UDP DNS query replies at the address
+	from which the query was originated. This keeps as much entropy
+	in the {query-ID, random-port} tuple as possible, to help defeat
+	cache poisoning attacks. Refer: CVE-2020-25684.
+
+	Use the SHA-256 hash function to verify that DNS answers
+	received are for the questions originally asked. This replaces
+	the slightly insecure SHA-1 (when compiled with DNSSEC) or
+	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
+
+	Handle multiple identical near simultaneous DNS queries better.
+	Previously, such queries would all be forwarded
+	independently. This is, in theory, inefficent but in practise
+	not a problem, _except_ that is means that an answer for any
+	of the forwarded queries will be accepted and cached.
+	An attacker can send a query multiple times, and for each repeat,
+	another {port, ID} becomes capable of accepting the answer he is
+	sending in the blind, to random IDs and ports. The chance of a
+	succesful attack is therefore multiplied by the number of repeats
+	of the query. The new behaviour detects repeated queries and
+	merely stores the clients sending repeats so that when the
+	first query completes, the answer can be sent to all the
+	clients who asked. Refer: CVE-2020-25686.
+	
+
+version 2.82
+	Improve behaviour in the face of network interfaces which come
+	and go and change index. Thanks to Petr Mensik for the patch.
+
+	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
+	to a warning.
+
+	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
+
+	Fix crash under heavy TCP connection load introduced in 2.81.
+	Thanks to Frank for good work chasing this down.
+
+	Change default lease time for DHCPv6 to one day.
+
+	Alter calculation of preferred and valid times in router
+	advertisements, so that these do not have a floor applied
+	of the lease time in the dhcp-range if this is not explicitly
+	specified and is merely the default.
+	Thanks to Martin-Éric Racine for suggestions on this.
+
+	
+version 2.81
+	Improve cache behaviour for TCP connections. For ease of
+	implementation, dnsmasq has always forked a new process to handle
+	each incoming TCP connection. A side-effect of this is that
+	any DNS queries answered from TCP connections are not cached:
+	when TCP connections were rare, this was not a problem.
+	With the coming of DNSSEC, it is now the case that some
+	DNSSEC queries have answers which spill to TCP, and if,
+	for instance, this applies to the keys for the root, then
+	those never get cached, and performance is very bad.
+	This fix passes cache entries back from the TCP child process to
+	the main server process, and fixes the problem.
+
+	Remove the NO_FORK compile-time option, and support for uclinux.
+	In an era where everything has an MMU, this looks like
+	an anachronism, and it adds to (Ok, multiplies!) the
+	combinatorial explosion of compile-time options. Thanks to
+	Kevin Darbyshire-Bryant for the patch.
+
+	Fix line-counting when reading /etc/hosts and friends; for
+	correct error messages. Thanks to Christian Rosentreter
+	for reporting this.
+
+	Fix bug in DNS non-terminal code, added in 2.80, which could
+	sometimes cause a NODATA rather than an NXDOMAIN reply.
+	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
+	for spotting and diagnosing the bug and providing patches.
+
+	Support TCP-fastopen (RFC-7413) on both incoming and
+	outgoing TCP connections, if supported and enabled in the OS.
+
+	Improve kernel-capability manipulation code under Linux. Dnsmasq
+	now fails early if a required capability is not available, and
+	tries not to request capabilities not required by its
+	configuration.
+
+	Add --shared-network config. This enables allocation of addresses
+	by the DHCP server in subnets where the server (or relay) does not
+	have an interface on the network in that subnet. Many thanks to
+	kamp.de for sponsoring this feature.
+	
+	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
+	validation check got borked in commit 2b38e382 and release 2.80.
+	Thanks to Tomasz Szajner for spotting this.
+
+	Fix compilation against nettle version 3.5 and later.
+
+	Fix spurious DNSSEC validation failures when the auth section
+	of a reply contains unsigned RRs from a signed zone, 
+	with the exception that NSEC and NSEC3 RRs must always be signed.
+        Thanks to Tore Anderson for spotting and diagnosing the bug.
+
+	Add --dhcp-ignore-clid. This disables reading of DHCP client
+	identifier option (option 61), so clients are only identified by
+	MAC addresses.
+
+	Fix a bug which stopped --dhcp-name-match from working when a hostname
+	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
+
+	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
+	Thanks to Dereck Higgins for spotting this.
+
+	Add --tftp-single-port option.
+
+	Enhance --conf-dir to load files in a deterministic order. Thanks to
+	Evgenii Seliavka for the suggestion and initial patch.
+
+	In the router advert code, handle case where we have two
+	different interfaces on the same IPv6 net, and we are doing
+	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
+	for spotting this case and making the initial patch.
+
+	Support prefixed ranges of ipv6 addresses in dhcp-host.
+	This eases problems chain-netbooting, where each link in the
+	chain requests an address using a different UID. With a single
+	address, only one gets the "static" address, but with this
+	fix, enough addresses can be reserved for all the stages of the
+	boot. Many thanks to Harald Jensås for his work on this idea and
+	earlier patches.
+
+	Add filtering by tag of --dhcp-host directives. Based on a patch
+	by Harald Jensås.
+
+	Allow empty server spec in --rev-server, to match --server.
+	
+	Remove DSA signature verification from DNSSEC, as specified in
+	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
+
+	Add --script-on-renewal option.
+
+	
+version 2.80
+	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+	for the initial patch and motivation.
+
+	Alter the default for dnssec-check-unsigned. Versions of
+	dnsmasq prior to 2.80 defaulted to not checking unsigned
+	replies, and used --dnssec-check-unsigned to switch
+        this on. Such configurations will continue to work as before,
+        but those which used the default of no checking will need to be
+        altered to explicitly select no checking. The new default is
+        because switching off checking for unsigned replies is
+	inherently dangerous. Not only does it open the possiblity of forged
+        replies, but it allows everything to appear to be working even
+        when the upstream namesevers do not support DNSSEC, and in this
+        case no DNSSEC validation at all is occuring.
+
+        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
+	are set. Thanks to Daniel Miess for help with this.
+
+	Add a facilty to store DNS packets sent/recieved in a
+	pcap-format file for later debugging. The file location
+	is given by the --dumpfile option, and a bitmap controlling
+	which packets should be dumped is given by the --dumpmask
+	option.
+
+	Handle the case of both standard and constructed dhcp-ranges on the
+	same interface better. We don't now contruct a dhcp-range if there's
+	already one specified. This allows the specified interface to
+	have different parameters and avoids advertising the same
+	prefix twice. Thanks to Luis Marsano for spotting this case.
+
+	Allow zone transfer in authoritative mode if auth-peer is specified,
+	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+	the suggestion.
+
+	Fix bug which sometimes caused dnsmasq to wrongly return answers
+	without DNSSEC RRs to queries with the do-bit set, but only when
+	DNSSEC validation was not enabled.
+	Thanks to Petr Menšík for spotting this.
+
+	Fix missing fatal errors with some malformed options
+	(server, local, address, rebind-domain-ok, ipset, alias).
+	Thanks to Eugene Lozovoy for spotting the problem.
+
+	Fix crash on startup with a --synth-domain which has no prefix.
+	Introduced in 2.79. Thanks to Andreas Engel for the bug report.
+
+	Fix missing EDNS0 section in some replies generated by local
+	DNS configuration which confused systemd-resolvd. Thanks to
+	Steve Dodd for characterising the problem.
+
+	Add --dhcp-name-match config option. 
+
+	Add --caa-record config option.
+
+	Implement --address=/example.com/# as (more efficient) syntactic
+	sugar for --address=/example.com/0.0.0.0 and
+	--address=/example.com/::
+	Returning null addresses is a useful technique for ad-blocking.
+	Thanks to Peter Russell for the suggestion.
+	
+	Change anti cache-snooping behaviour with queries with the
+	recursion-desired bit unset. Instead to returning SERVFAIL, we
+	now always forward, and never answer from the cache. This
+	allows "dig +trace" command to work. 
+	
+	Include in the example config file a formulation which
+	stops DHCP clients from claiming the DNS name "wpad".
+	This is a fix for the CERT Vulnerability VU#598349.
+
+	
+version 2.79
+	Fix parsing of CNAME arguments, which are confused by extra spaces.
+	Thanks to Diego Aguirre for spotting the bug.
+
+	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
+	upstream servers to an interface, rather than SO_BINDTODEVICE.
+	Thanks to Beniamino Galvani for the patch.
+
+	Always return a SERVFAIL answer to DNS queries without the
+	recursion desired bit set, UNLESS acting as an authoritative
+	DNS server. This avoids a potential route to cache snooping.
+
+	Add support for Ed25519 signatures in DNSSEC validation.
+
+	No longer support RSA/MD5 signatures in DNSSEC validation,
+	since these are not secure. This behaviour is mandated in
+	RFC-6944.
+
+	Fix incorrect error exit code from dhcp_release6 utility.
+	Thanks Gaudenz Steinlin for the bug report.
+
+	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
+	time validation when --dnssec-no-timecheck is in use.
+	Note that this is an incompatible change from earlier releases.
+
+	Allow more than one --bridge-interface option to refer to an
+	interface, so that we can use
+	--bridge-interface=int1,alias1
+	--bridge-interface=int1,alias2
+	as an alternative to
+	--bridge-interface=int1,alias1,alias2
+	Thanks to Neil Jerram for work on this.
+
+	Fix for DNSSEC with wildcard-derived NSEC records.
+	It's OK for NSEC records to be expanded from wildcards,
+	but in that case, the proof of non-existence is only valid
+	starting at the wildcard name, *.<domain> NOT the name expanded
+	from the wildcard. Without this check it's possible for an
+	attacker to craft an NSEC which wrongly proves non-existence.
+	Thanks to Ralph Dolmans for finding this, and co-ordinating 
+	the vulnerability tracking and fix release.
+	CVE-2017-15107 applies.
+
+	Remove special handling of A-for-A DNS queries. These
+	are no longer a significant problem in the global DNS.
+	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
+	Thanks to Mattias Hellström for the initial patch.
+
+	Fix failure to delete dynamically created dhcp options
+	from files in -dhcp-optsdir directories. Thanks to
+	Lindgren Fredrik for the bug report.
+
+	Add to --synth-domain the ability to create names using
+	sequential numbers, as well as encodings of IP addresses.
+	For instance,
+	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
+	creates 21 domain names of the form
+	internal-4.thekelleys.org.uk over the address range given, with
+	internal-0.thekelleys.org.uk being 192.168.0.50 and
+	internal-20.thekelleys.org.uk being 192.168.0.70
+	Thanks to Andy Hawkins for the suggestion.
+
+	Tidy up Crypto code, removing workarounds for ancient
+	versions of libnettle. We now require libnettle 3.
+
+
+version 2.78
+        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
+	Novakovic for the patch.
+
+	Revert ping-check of address in DHCPDISCOVER if there
+	already exists a lease for the address. Under some
+	circumstances, and netbooted windows installation can reply
+	to pings before if has a DHCP lease and block allocation
+	of the address it already used during netboot. Thanks to
+	Jan Psota for spotting this.
+
+	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
+	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
+	John Fitzgibbon for the diagnosis and patch.
+
+        Try other servers if first returns REFUSED when
+	--strict-order active. Thanks to Hans Dedecker
+	for the patch
+
+	Fix regression in 2.77, ironically added as a security
+	improvement, which resulted in a crash when a DNS
+	query exceeded 512 bytes (or the EDNS0 packet size,
+	if different.) Thanks to Christian Kujau, Arne Woerner
+	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
+	chasing this one down.  CVE-2017-13704 applies.
+
+	Fix heap overflow in DNS code. This is a potentially serious
+	security hole. It allows an attacker who can make DNS
+	requests to dnsmasq, and who controls the contents of
+	a domain, which is thereby queried, to overflow
+	(by 2 bytes) a heap buffer and either crash, or
+	even take control of, dnsmasq.
+	CVE-2017-14491 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix heap overflow in IPv6 router advertisement code.
+	This is a potentially serious security hole, as a
+	crafted RA request can overflow a buffer and crash or
+	control dnsmasq. Attacker must be on the local network.
+	CVE-2017-14492 applies.
+        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	and Kevin Hamacher of the Google Security Team for
+	finding this.
+
+	Fix stack overflow in DHCPv6 code. An attacker who can send
+	a DHCPv6 request to dnsmasq can overflow the stack frame and
+	crash or control dnsmasq.
+	CVE-2017-14493 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+	cause dnsmasq to forward memory from outside the packet
+	buffer to a DHCPv6 server when acting as a relay.
+	CVE-2017-14494 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix DoS in DNS. Invalid boundary checks in the
+	add_pseudoheader function allows a memcpy call with negative
+	size An attacker which can send malicious DNS queries
+	to dnsmasq can trigger a DoS remotely.
+	dnsmasq is vulnerable only if one of the following option is
+	specified: --add-mac, --add-cpe-id or --add-subnet.
+	CVE-2017-14496 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix out-of-memory Dos vulnerability. An attacker which can
+	send malicious DNS queries to dnsmasq can trigger memory
+	allocations in the add_pseudoheader function
+	The allocated memory is never freed which leads to a DoS
+	through memory exhaustion. dnsmasq is vulnerable only
+	if one of the following option is specified:
+	--add-mac, --add-cpe-id or --add-subnet.
+	CVE-2017-14495 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+
+version 2.77
+	Generate an error when configured with a CNAME loop,
+	rather than a crash. Thanks to George Metz for
+	spotting this problem.
+
+	Calculate the length of TFTP error reply packet 
+	correctly. This fixes a problem when the error 
+	message in a TFTP packet exceeds the arbitrary 
+	limit of 500 characters. The message was correctly
+	truncated, but not the packet length, so 
+	extra data was appended. This is a possible
+	security risk, since the extra data comes from
+	a buffer which is also used for DNS, so that
+	previous DNS queries or replies may be leaked.
+	Thanks to Mozilla for funding the security audit 
+	which spotted this bug.
+
+	Fix logic error in Linux netlink code. This could
+	cause dnsmasq to enter a tight loop on systems
+	with a very large number of network interfaces.
+	Thanks to Ivan Kokshaysky for the diagnosis and
+	patch.
+
+	Fix problem with --dnssec-timestamp whereby receipt
+	of SIGHUP would erroneously engage timestamp checking.
+	Thanks to Kevin Darbyshire-Bryant for this work.
+
+	Bump zone serial on reloading /etc/hosts and friends
+	when providing authoritative DNS. Thanks to Harrald
+	Dunkel for spotting this.
+
+	Handle v4-mapped IPv6 addresses sanely in --synth-domain.
+	These have standard representation like ::ffff:1.2.3.4
+	and are now converted to names like
+	<prefix>--ffff-1-2-3-4.<domain>
+
+	Handle binding upstream servers to an interface 
+	(--server=1.2.3.4@eth0) when the named interface
+	is destroyed and recreated in the kernel. Thanks to 
+	Beniamino Galvani for the patch.
+
+	Allow wildcard CNAME records in authoritative zones.
+	For example --cname=*.example.com,default.example.com
+	Thanks to Pro Backup for sponsoring this development.
+
+	Bump the allowed backlog of TCP connections from 5 to 32,
+	and make this a compile-time configurable option. Thanks
+	to Donatas Abraitis for diagnosing this as a potential
+	problem.
+
+	Add DNSMASQ_REQUESTED_OPTIONS environment variable to the 
+	lease-change script. Thanks to ZHAO Yu for the patch.
+
+	Fix foobar in rrfilter code, that could cause malformed 
+	replies, especially when DNSSEC validation on, and 
+	the upstream server returns answer with the RRs in a 
+	particular order. The only DNS server known to tickle
+	this is Nominum's. Thanks to Dave Täht for spotting the
+	bug and assisting in the fix.
+
+	Fix the manpage which lied that only the primary address
+	of an interface is used by --interface-name.
+
+	Make --localise-queries apply to names from --interface-name.
+	Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
+	for pushing this.
+
+	Improve connection handling when talking to TCP upstream 
+	servers. Specifically, be prepared to open a new TCP
+	connection when we want to make multiple queries
+	but the upstream server accepts fewer queries per connection.
+
+	Improve logging of upstream servers when there are a lot
+	of "local addresses only" entries. Thanks to Hannu Nyman for
+	the patch.
+
+	Make --bogus-priv apply to IPv6, for the prefixes specified
+	in RFC6303. Thanks to Kevin Darbyshire-Bryant for work on this.
+
+	Allow use of MAC addresses with --tftp-unique-root. Thanks
+	to Floris Bos for the patch.
+
+	Add --dhcp-reply-delay option. Thanks to Floris Bos
+	for the patch.
+
+	Add mtu setting facility to --ra-param. Thanks to David
+	Flamand for the patch.
+
+	Capture STDOUT and STDERR output from dhcp-script and log
+	it as part of the dnsmasq log stream. Makes life easier
+	for diagnosing unexpected problems in scripts.
+	Thanks to Petr Mensik for the patch.
+
+	Generate fatal errors when failing to parse the output
+	of the dhcp-script in "init" mode. Avoids strange errors
+	when the script accidentally emits error messages.
+	Thanks to Petr Mensik for the patch.
+
+	Make --rev-server for an RFC1918 subnet work even in the
+	presence of the --bogus-priv flag. Thanks to
+	Vladislav Grishenko for the patch.
+
+	Extend --ra-param mtu: field to allow an interface name.
+	This allows the MTU of a WAN interface to be advertised on
+	the internal interfaces of a router. Thanks to
+	Vladislav Grishenko for the patch.
+
+	Do ICMP-ping check for address-in-use for DHCPv4 when
+	the client specifies an address in DHCPDISCOVER, and when
+	an address in configured locally. Thanks to Alin Năstac
+	for spotting the problem.
+
+	Add new DHCP tag "known-othernet" which is set when only a
+	dhcp-host exists for another subnet. Can be used to ensure
+	that privileged hosts are not given "guest" addresses by
+	accident. Thanks to Todd Sanket for the suggestion.
+
+	Remove historic automatic inclusion of IDN support when
+	building internationalisation support. This doesn't
+	fit now there is a choice of IDN libraries. Be sure
+	to include either -DHAVE_IDN or -DHAVE_LIBIDN2 for
+	IDN support.
+
+
+version 2.76
+	Include 0.0.0.0/8 in DNS rebind checks. This range 
+	translates to hosts on  the local network, or, at 
+	least, 0.0.0.0 accesses the local host, so could
+	be targets for DNS rebinding. See RFC 5735 section 3 
+	for details. Thanks to Stephen Röttger for the bug report.
+
+	Enhance --add-subnet to allow arbitrary subnet addresses.
+	Thanks to Ed Barsley for the patch.
+
+	Respect the --no-resolv flag in inotify code. Fixes bug
+	which caused dnsmasq to fail to start if a resolv-file 
+	was a dangling symbolic link, even of --no-resolv set.
+	Thanks to Alexander Kurtz for spotting the problem.
+
+	Fix crash when an A or AAAA record is defined locally,
+	in a hosts file, and an upstream server sends a reply
+	that the same name is empty. Thanks to Edwin Török for
+	the patch.
+
+	Fix failure to correctly calculate cache-size when 
+	reading a hosts-file fails. Thanks to André Glüpker 
+	for the patch.
+
+	Fix wrong answer to simple name query when --domain-needed
+	set, but no upstream servers configured. Dnsmasq returned
+	REFUSED, in this case, when it should be the same as when
+	upstream servers are configured - NOERROR. Thanks to 
+	Allain Legacy for spotting the problem.
+
+	Return REFUSED when running out of forwarding table slots,
+	not SERVFAIL.
+
+	Add --max-port configuration. Thanks to Hans Dedecker for
+	the patch.
+
+	Add --script-arp and two new functions for the dhcp-script.
+	These are "arp" and "arp-old" which announce the arrival and
+	removal of entries in the ARP or neighbour tables.
+
+	Extend --add-mac to allow a new encoding of the MAC address 
+	as base64, by configuring --add-mac=base64
+
+	Add --add-cpe-id option.
+
+	Don't crash with divide-by-zero if an IPv6 dhcp-range
+	is declared as a whole /64.
+	(ie xx::0 to xx::ffff:ffff:ffff:ffff) 
+	Thanks to Laurent Bendel for spotting this problem.
+
+	Add support for a TTL parameter in --host-record and
+	--cname.
+
+	Add --dhcp-ttl option.
+
+	Add --tftp-mtu option. Thanks to Patrick McLean for the 
+	initial patch.
+
+	Check return-code of inet_pton() when parsing dhcp-option.
+	Bad addresses could fail to generate errors and result in
+	garbage dhcp-options being sent. Thanks to Marc Branchaud 
+	for spotting this.
+
+	Fix wrong value for EDNS UDP packet size when using 
+	--servers-file to define upstream DNS servers. Thanks to
+	Scott Bonar for the bug report.
+
+	Move the dhcp_release and dhcp_lease_time tools from 
+	contrib/wrt to contrib/lease-tools.
+
+	Add dhcp_release6 to contrib/lease-tools. Many thanks 
+	to Sergey Nechaev for this code.
+
+	To avoid filling logs in configurations which define
+	many upstream nameservers, don't log more that 30 servers.
+	The number to be logged can be changed as SERVERS_LOGGED
+	in src/config.h.
+
+	Swap the values if BC_EFI and x86-64_EFI in --pxe-service. 
+	These were previously wrong due to an error in RFC 4578.
+	If you're using BC_EFI to boot 64-bit EFI machines, you
+	will need to update your config.
+
+	Add ARM32_EFI and ARM64_EFI as valid architectures in
+	--pxe-service.
+
+	Fix PXE booting for UEFI architectures. Modify PXE boot
+	sequence in this case to force the client to talk to dnsmasq
+	over port 4011. This makes PXE and especially proxy-DHCP PXE
+	work with these architectures.
+
+	Workaround problems with UEFI PXE clients. There exist
+	in the wild PXE clients which have problems with PXE
+	boot menus. To work around this, when there's a single
+	--pxe-service which applies to client, then that target
+	will be booted directly, rather then sending a
+	single-item boot menu.
+
+	Many thanks to Jarek Polok, Michael Kuron and Dreamcat4 
+	for their work on the long-standing UEFI PXE problem.
+
+	Subtle change in the semantics of "basename" in
+	--pxe-service. The historical behaviour has always been
+	that the actual filename downloaded from the TFTP server
+	is <basename>.<layer> where <layer> is an integer which
+	corresponds to the layer parameter supplied by the client.
+	It's not clear what the function of the "layer" 
+	actually is in the PXE protocol, and in practise layer 
+	is always zero, so the filename is <basename>.0
+	The new behaviour is the same as the old, except when
+	<basename> includes a file suffix, in which case
+	the layer suffix is no longer added. This allows
+	sensible suffices to be used, rather then the
+	meaningless ".0". Only in the unlikely event that you
+	have a config with a basename which already has a
+	suffix, is this an incompatible change, since the file
+	downloaded will change from name.suffix.0 to just 
+	name.suffix
+
+
+version 2.75
+	Fix reversion on 2.74 which caused 100% CPU use when a 
+	dhcp-script is configured. Thanks to Adrian Davey for
+	reporting the bug and testing the fix.
+
+
 version 2.74
 	Fix reversion in 2.73 where --conf-file would attempt to
 	read the default file, rather than no file.
@@ -62,7 +681,7 @@ version 2.73
 	good idea, but I've been persuaded that there are 
 	sometimes reasons to do it. (Step forward, GFW).
 	To avoid misuse, there's a hard limit on the TTL 
-	    floor of one hour. Thansk to RinSatsuki for the patch.
+	floor of one hour. Thanks to RinSatsuki for the patch.
 
 	Cope with multiple interfaces with the same link-local 
 	address. (IPv6 addresses are scoped, so this is allowed.)
@@ -152,7 +771,7 @@ version 2.72
 	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
 
 	Add support for "ipsets" in *BSD, using pf. Thanks to 
-	    Sven Falempim for the patch.
+	Sven Falempin for the patch.
 
 	Fix race condition which could lock up dnsmasq when an 
 	interface goes down and up rapidly. Thanks to Conrad 
@@ -164,7 +783,7 @@ version 2.72
 	Fix failure to build against Nettle-3.0. Thanks to Steven 
 	Barth for spotting this and finding the fix. 
 
-	    When assigning existing DHCP leases to intefaces by comparing 
+	When assigning existing DHCP leases to interfaces by comparing 
 	networks, handle the case that two or more interfaces have the
 	same network part, but different prefix lengths (favour the
 	longer prefix length.) Thanks to Lung-Pin Chang for the 
@@ -221,7 +840,7 @@ version 2.70
 
 version 2.69
 	Implement dynamic interface discovery on *BSD. This allows
-	    the contructor: syntax to be used in dhcp-range for DHCPv6
+	the constructor: syntax to be used in dhcp-range for DHCPv6
 	on the BSD platform. Thanks to Matthias Andree for
 	valuable research on how to implement this.
 
@@ -243,7 +862,7 @@ version 2.69
 
 	make dnsmasq COPTS=-DHAVE_DNSSEC
 
-	    this add dependencies on the nettle crypto library and the 
+	this adds dependencies on the nettle crypto library and the 
 	gmp maths library. It's possible to have these linked
 	statically with
 
@@ -262,7 +881,7 @@ version 2.69
 	conf-file=/path/to/trust-anchors.conf
 	dnssec
 
-	    to your config is all thats needed to get things
+	to your config is all that's needed to get things
 	working. The upstream nameservers have to be DNSSEC-capable
 	too, of course. Many ISP nameservers aren't, but the
 	Google public nameservers (8.8.8.8 and 8.8.4.4) are.
@@ -359,11 +978,11 @@ version 2.68
 	names as well as address literals. This makes it possible
 	to configure authoritative DNS when local address ranges
 	are dynamic and works much better than the previous
-	    work-around which exempted contructed DHCP ranges from the
+	work-around which exempted constructed DHCP ranges from the
 	IP address filtering. As a consequence, that work-around
 	is removed. Under certain circumstances, this change wil
 	break existing configuration: if you're relying on the
-	    contructed-range exception, you need to change --auth-zone
+	constructed-range exception, you need to change --auth-zone
 	to specify the same interface as is used to construct your
 	DHCP ranges, probably with a trailing "/6" like this: 
 	--auth-zone=example.com,eth0/6 to limit the addresses to
@@ -450,7 +1069,7 @@ version 2.67
 	we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
 	report. 
 
-	    Increase timeout/number of retries in TFTP to accomodate
+	Increase timeout/number of retries in TFTP to accommodate
 	AudioCodes Voice Gateways doing streaming writes to flash.
 	Thanks to Damian Kaczkowski for spotting the problem.
 
@@ -522,7 +1141,7 @@ version 2.67
 	Fix problem in DHCPv6 vendorclass/userclass matching
 	code. Thanks to Tanguy Bouzeloc for the patch.
 
- 	    Update Spanish transalation. Thanks to Vicente Soriano.
+	Update Spanish translation. Thanks to Vicente Soriano.
 
 	Add --ra-param option. Thanks to Vladislav Grishenko for
 	inspiration on this.
@@ -539,7 +1158,7 @@ version 2.67
 	suggestion. 
 
 	Avoid treating a --dhcp-host which has an IPv6 address
-	    as eligable for use with DHCPv4 on the grounds that it has
+	as eligible for use with DHCPv4 on the grounds that it has
 	no address, and vice-versa. Thanks to Yury Konovalov for
 	spotting the problem.
 
@@ -580,7 +1199,7 @@ version 2.66
 	the local DNS server if dnsmasq is configured to not act
 	as DNS server, or it's configured to a non-standard port.
 
-            Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID,
+	Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBSCRIBER_ID,
 	DNSMASQ_REMOTE_ID variables to the environment of the
 	lease-change script (and the corresponding Lua). These hold
 	information inserted into the DHCP request by a DHCP relay
@@ -623,7 +1242,7 @@ version 2.65
 	Fix failure to build with DHCP support excluded. Thanks to 
 	Gustavo Zacarias for the patch.
 
-	    Fix nasty regression in 2.64 which completely broke cacheing.
+	Fix nasty regression in 2.64 which completely broke caching.
 
 
 version 2.64
@@ -634,7 +1253,7 @@ version 2.64
 	Finesse the check for /etc/hosts names which conflict with
 	DHCP names. Previously a name/address pair in /etc/hosts
 	which didn't match the name/address of a DHCP lease would
-	    generate a warning. Now that only happesn if there is not
+	generate a warning. Now that only happens if there is not
 	also a match. This allows multiple addresses for a name in 
 	/etc/hosts with one of them assigned via DHCP.
 
@@ -644,7 +1263,7 @@ version 2.64
 	Don't report spurious netlink errors, regression in
 	2.63. Thanks to Vladislav Grishenko for the patch.
 
-	    Flag DHCP or DHCPv6 in starup logging. Thanks to 
+	Flag DHCP or DHCPv6 in startup logging. Thanks to 
 	Vladislav Grishenko for the patch.
 
 	Add SetServersEx method in DBus interface. Thanks to Dan
@@ -653,14 +1272,14 @@ version 2.64
 	Add SetDomainServers method in DBus interface. Thanks to
 	Roy Marples for the patch.
 
-	    Fix build with later Lua libraries. Thansk to Cristian
+	Fix build with later Lua libraries. Thanks to Cristian
 	Rodriguez for the patch.
 
 	Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker
 	for the patch.
 
 	Fix breakage of --host-record parsing, resulting in
-	    infinte loop at startup. Regression in 2.63. Thanks to
+	infinite loop at startup. Regression in 2.63. Thanks to
 	Haim Gelfenbeyn for spotting this.
 
 	Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6
@@ -718,7 +1337,7 @@ version 2.63
 	still-born attempt to allow automatic isolated
 	configuration by libvirt, but have never (to my knowledge)
 	been used, had very strange semantics, and have been
-	    superceded by other mechanisms. 
+	superseded by other mechanisms. 
 
 	Fixed bug logging filenames when duplicate dhcp-host
 	addresses are found. Thanks to John Hanks for the patch.
@@ -735,7 +1354,7 @@ version 2.63
 
 	Allow "w" (for week) as multiplier in lease times, as well
 	as seconds, minutes, hours and days.  Álvaro Gámez Machado 
-	    spotted the ommission.
+	spotted the omission.
 
 	Update French translation. Thanks to Gildas Le Nadan.
 
@@ -751,7 +1370,7 @@ version 2.63
 version 2.62
 	Update German translation. Thanks to Conrad Kostecki.
 
-	    Cope with router-solict packets wich don't have a valid 
+	Cope with router-solict packets which don't have a valid 
 	source address. Thanks to Vladislav Grishenko for the patch.
 
 	Fixed bug which caused missing periodic router
@@ -787,7 +1406,7 @@ version 2.61
 
 	Add --dhcp-duid to allow DUID-EN uids to be used.
 
-	    Explicity send DHCPv6 replies to the correct port, instead
+	Explicitly send DHCPv6 replies to the correct port, instead
 	of relying on clients to send requests with the correct
 	source address, since at least one client in the wild gets
 	this wrong. Thanks to Conrad Kostecki for help tracking
@@ -805,7 +1424,7 @@ version 2.61
 	Invoke the DHCP script with action "tftp" when a TFTP file
 	transfer completes. The size of the file, address to which
 	it was sent and complete pathname are supplied. Note that
-	    version 2.60 introduced some script incompatibilties
+	version 2.60 introduced some script incompatibilities
 	associated with DHCPv6, and this is a further change. To
 	be safe, scripts should ignore unknown actions, and if
 	not IPv6-aware, should exit if the environment
@@ -835,14 +1454,14 @@ version 2.61
 
 	Add a new DHCP lease time keyword, "deprecated" for
 	--dhcp-range. This is only valid for IPv6, and sets the
-	    preffered lease time for both DHCP and RA to zero. The
+	preferred lease time for both DHCP and RA to zero. The
 	effect is that clients can continue to use the address 
 	for existing connections, but new connections will use
 	other addresses, if they exist. This makes hitless
 	renumbering at least possible.
 
 	Fix bug in address6_available() which caused DHCPv6 lease
-	    aquisition to fail if more than one dhcp-range in use.
+	acquisition to fail if more than one dhcp-range in use.
 
 	Provide RDNSS and DNSSL data in router advertisements,
 	using the settings provided for DHCP options
@@ -852,7 +1471,7 @@ version 2.61
 	SamLT for work on this.
 
 	Don't cache data from non-recursive nameservers, since it
-	    may erroneously look like a valid CNAME to a non-exitant
+	may erroneously look like a valid CNAME to a non-existent
 	name. Thanks to Ben Winslow for finding this.
 
 	Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP
@@ -864,7 +1483,7 @@ version 2.61
 
 	Updated French translation. Thanks to Gildas Le Nadan.
 
-	    Give correct from-cache answers to explict CNAME queries.
+	Give correct from-cache answers to explicit CNAME queries.
 	Thanks to Rob Zwissler for spotting this.
 
 	Add --tftp-lowercase option. Thanks to Oliver Rath for the
@@ -1005,7 +1624,7 @@ version 2.58
 
 	Relax the need to supply a netmask in --dhcp-range for
 	networks which use a DHCP relay. Whilst this is still
-	    desireable, in the absence of a netmask dnsmasq will use
+	desirable, in the absence of a netmask dnsmasq will use
 	a default based on the class (A, B, or C) of the address. 
 	This should at least remove a cause of mysterious failure 
 	for people using RFC1918 addresses and relays.
@@ -1119,7 +1738,7 @@ version 2.56
 
 	Add --add-mac option. This is to support currently 
 	experimental DNS filtering facilities. Thanks to Benjamin
-	    Petrin for the orignal patch. 
+	Petrin for the original patch. 
 
 	Fix bug which meant that tags were ignored in dhcp-range
 	configuration specifying PXE-proxy service. Thanks to
@@ -1132,8 +1751,8 @@ version 2.56
 	the DHCP subsystem. Thanks to Olaf Westrik for the patch.
 
 	Omit timestamps from logs when a) logging to stderr and 
-	    b) --keep-in-forground is set. The logging facility on the
-	    other end of stderr can be assumned to supply them. Thanks
+	b) --keep-in-foreground is set. The logging facility on the
+	other end of stderr can be assumed to supply them. Thanks
 	to John Hallam for the patch.
 
 	Don't complain about strings longer than 255 characters in
@@ -1146,7 +1765,7 @@ version 2.56
 	script. Thanks to Ferenc Wagner for finding the problem.
 
 	Only log that a file has been sent by TFTP after the
-	    transfer has completed succesfully. 
+	transfer has completed successfully. 
 
 	A good suggestion from Ferenc Wagner: extend
 	the --domain option to allow this sort of thing:
@@ -1155,7 +1774,7 @@ version 2.56
 	--local=/thekelleys.org.uk/
 	--local=/0.168.192.in-addr.arpa/ 
 
-	    Tighten up syntax checking of hex contants in the config
+	Tighten up syntax checking of hex constants in the config
 	file.  Thanks to Fred Damen for spotting this.
 
 	Add dnsmasq logo/icon, contributed by Justin Swift. Many
@@ -1190,14 +1809,14 @@ version 2.56
 
 	By default, setting an IPv4 address for a domain but not
 	an IPv6 address causes dnsmasq to return
-	    an NODATA reply for IPv6 (or vice-versa). So
+	a NODATA reply for IPv6 (or vice-versa). So
 	--address=/google.com/1.2.3.4 stops IPv6 queries for
 	*google.com from being forwarded. Make it possible to
-	    override this behaviour by defining the sematics if the
+	override this behaviour by defining the semantics if the
 	same domain appears in  both --server and --address.
 	In that case, the --address has priority for the address
 	family in which is appears, but the --server has priority
-	    of the address family which doesn't appear in --adddress  
+	of the address family which doesn't appear in --address  
 	So:
 	--address=/google.com/1.2.3.4
 	--server=/google.com/#
@@ -1297,7 +1916,7 @@ version 2.53
 	to be added to dnsmasq configuration which then supplies
 	DHCP and DNS services to that interface, without affecting
 	what services are supplied to other interfaces and 
-	    irrespective of the existance or lack of 
+	irrespective of the existence or lack of 
 	interface=<interface> 
 	lines elsewhere in the dnsmasq configuration. The idea is
 	that such a line can be added automatically by libvirt
@@ -1673,7 +2292,7 @@ version 2.47
 
 	Updated config.h to use the same location for the lease
 	file on NetBSD as the other *BSD variants. Also allow
-	    LEASEFILE and CONFFILE symbols to be overriden in CFLAGS.  
+	LEASEFILE and CONFFILE symbols to be overridden in CFLAGS.  
 
 	Handle duplicate address detection on IPv6 more
 	intelligently. In IPv6, an interface can have an address
@@ -1696,13 +2315,13 @@ version 2.47
 
 	Support arbitrarily encapsulated DHCP options, suggestion
 	and initial patch from Samium Gromoff. This is useful for
-	    (eg) gPXE, which expect all its private options to be
+	(eg) iPXE, which expect all its private options to be
 	encapsulated inside a single option 175. So, eg, 
 
 	dhcp-option = encap:175, 190, "iscsi-client0"
 	dhcp-option = encap:175, 191, "iscsi-client0-secret"
 
-	    will provide iSCSI parameters to gPXE.
+	will provide iSCSI parameters to iPXE.
 
 	Enhance --dhcp-match to allow testing of the contents of a
 	client-sent option, as well as its presence. This

CHANGELOG.archive

@@ -56,7 +56,7 @@ release 0.95  Major rewrite: remove calls to gethostbyname() and talk
               any more memory after start-up. The NAT-like forwarding was
               inspired by a suggestion from Eli Chen <eli@routefree.com>
 
-release 0.96  Fixed embarrasing thinko in cache linked-list code.
+release 0.96  Fixed embarrassing thinko in cache linked-list code.
                              
 release 0.98  Some enhancements and bug-fixes. 
               Thanks to "Denis Carre" <denis.carre@laposte.net> and Martin 
@@ -78,7 +78,7 @@ release 0.98  Some enhancements and bug-fixes.
                   ids, to thwart DNS spoofers.
               (7) Dnsmasq no longer forwards queries when the 
 	          "recursion desired" bit is not set in the header.
-	      (8) Fixed getopt code to work on compliers with unsigned char.
+	      (8) Fixed getopt code to work on compilers with unsigned char.
               
 release 0.991 Added -b flag: when set causes dnsmasq to always answer
 	      reverse queries on the RFC 1918 private IP space itself and
@@ -88,7 +88,7 @@ release 0.991 Added -b flag: when set causes dnsmasq to always answer
               Fixed a bug which stopped dnsmasq working on a box with
               two or more interfaces with the same IP address. 
 
-              Fixed cacheing of CNAMEs. Previously, a CNAME which pointed
+              Fixed caching of CNAMEs. Previously, a CNAME which pointed
               to  a name with many A records would not have all the addresses
               returned when being answered from the cache.
 
@@ -191,7 +191,7 @@ release 1.1   Added --user argument to allow user to change to
 
 release 1.2   Added IPv6 DNS record support. AAAA records are cached
               and read from /etc/hosts. Reverse-lookups in the
-	      ip6.int and ip6.arpa domains are suppored. Dnsmasq can
+	      ip6.int and ip6.arpa domains are supported. Dnsmasq can
               talk to upstream servers via IPv6 if it finds IP6 addresses
               in /etc/resolv.conf and it offers DNS service automatically
               if IPv6 support is present in the kernel.
@@ -214,7 +214,7 @@ release 1.3   Some versions of the Linux kernel return EINVAL rather
               starting, rather than after the first query - principle 
               of least surprise applies here.     
 
-release 1.4   Fix a bug with DHPC lease parsing which broke in
+release 1.4   Fix a bug with DHCP lease parsing which broke in
               non-UTC timezones. Thanks to Mark Wormgoor for
               spotting and diagnosing this. Fixed versions in
               the .spec files this time. Fixed bug in Suse startup
@@ -258,7 +258,7 @@ release 1.7   Fix a problem with cache not clearing properly
               on receipt of SIGHUP. Bug spotted by Sat Deshpande.
 
               In group-id changing code:
-	      1) Drop supplimentary groups.
+	      1) Drop supplementary groups.
               2) Change gid before dropping root (patch from Soewono Effendi.)
               3) Change group to "dip" if it exists, to allow access
                  to /etc/ppp/resolv.conf (suggestion from Jorg Sommer.)
@@ -297,7 +297,7 @@ release 1.9   Fixes to rpm .spec files.
               required. The difference is not really visible with
               bloated libcs like glibc, but should dramatically reduce
               memory requirements when linked against ulibc for use on
-              embeded routers, and that's the point really. Thanks to
+              embedded routers, and that's the point really. Thanks to
               Matthew Natalier for prompting this.   
 
 	      Changed debug mode (-d) so that all logging appears on
@@ -319,12 +319,12 @@ release 1.9   Fixes to rpm .spec files.
               uClinux. Thanks to Matthew Natalier for uClinux stuff. 
 
 release 1.10  Log warnings if resolv.conf or dhcp.leases are not
-              accessable for any reason, as suggested by Hinrich Eilts.
+              accessible for any reason, as suggested by Hinrich Eilts.
 
 	      Fixed wrong address printing in error message about
 	      no interface with address.
 
-	      Updated docs and split installation instuctions into setup.html.
+	      Updated docs and split installation instructions into setup.html.
 
 	      Fix bug in CNAME chasing code: One CNAME pointing
 	      to many A records would lose A records after the 
@@ -346,7 +346,7 @@ release 1.10  Log warnings if resolv.conf or dhcp.leases are not
 
 	      Added -S option to directly specify upstream servers and
               added ability to direct queries for specific domains to
-              specfic servers. Suggested by Jens Vonderheide.
+              specific servers. Suggested by Jens Vonderheide.
 
 	      Upgraded random ID generation - patch from Rob Funk.	      
 
@@ -386,13 +386,13 @@ release 1.11  Actually implement the -R flag promised in the 1.10 man page.
               names in /etc/hosts -suggestion from Phil Harman.
 
 	      Always return a zero time-to-live for names derived from 
-	      DHCP which stops anthing else caching these
+	      DHCP which stops anything else caching these
               names. Previously the TTL was derived from the lease
               time but that is incorrect since a lease can be given
               up early: dnsmasq would know this but anything with the
               name cached with long TTL would not be updated.
 
-	      Extended HAVE_IPV6 config flag to allow compliation on
+	      Extended HAVE_IPV6 config flag to allow compilation on
 	      old systems which don't have modern library routines
 	      like inet_ntop(). Thanks to Phil Harman for the patch.
 
@@ -471,7 +471,7 @@ release 1.14  Fixed man page description of -b option which confused
 	      /etc/resolv.conf.
 	      (Thanks to Klaas Teschauer)
 	      
-	      Check that recieved queries have only rfc1035-legal characters
+	      Check that received queries have only rfc1035-legal characters
 	      in them. This check is mainly to avoid bad strings being
 	      sent to syslog.
 
@@ -549,7 +549,7 @@ release 1.16  Allow "/" characters in domain names - this fixes
 
 release 1.17  Fixed crash with DHCP hostnames > 40 characters.
 
-              Fixed name-comparision routines to not depend on Locale,
+              Fixed name-comparison routines to not depend on Locale,
               in theory this versions since 1.15 could lock up or give
               wrong results when run with locale != 'C'.
 
@@ -574,7 +574,7 @@ release 1.18  Added round-robin DNS for names which have more than one
 	      forwarded because -D is in effect, return NXDOMAIN not
 	      an empty reply.
 
-	      Add code to return the software version in repsonse to the
+	      Add code to return the software version in response to the
 	      correct magic query in the same way as BIND. Use  
 	      "dig version.bind chaos txt" to make the query.
 
@@ -635,7 +635,7 @@ release 2.0
              dynamic allocation.
 
 	     Allow dhcp-host options for the same host with different
-	     IP adresses where the correct one will be selected for
+	     IP addresses where the correct one will be selected for
 	     the network the host appears on.
 
 	     Fix parsing of --dhcp-option to allow more than one
@@ -674,7 +674,7 @@ release 2.1
              
              Fix unaligned access warnings on BSD/Alpha.
 
-	     Allow empty DHCP options, like so: dhpc-option=44
+	     Allow empty DHCP options, like so: dhcp-option=44
  
              Allow single-byte DHCP options like so: dhcp-option=20,1
 
@@ -745,7 +745,7 @@ release 2.3
 	     around a bug in the DHCP client in HP Jetdirect printers.
 	     Thanks to Marko Stolle for finding this problem.
 
-	     Return DHCP T1 and T2 times, with "fuzz" to desychronise lease
+	     Return DHCP T1 and T2 times, with "fuzz" to desynchronise lease
 	     renewals, as specified in the RFC.
 	     
 	     Ensure that the END option is always present in DHCP
@@ -838,7 +838,7 @@ release 2.4
 	     by Chad Skeeters.
 
 	     Fixed bug in /etc/ethers parsing code triggered by tab
-	     characters. Qudos to Dag Wieers for hepling to nail that
+	     characters. Kudos to Dag Wieers for helping to nail that
 	     one.
  	     
 	     Added "bind-interfaces" option correctly.	     
@@ -975,7 +975,7 @@ release 2.8
 	     configuration. Specifically: (1) options are matched on
 	     the netids from dhcp-range, dhcp-host, vendor class and
 	     user class(es). Multiple net-ids are allowed and options
-	     are searched on them all. (2) matches agains vendor class
+	     are searched on them all. (2) matches against vendor class
 	     and user class are now on a substring, if the given
 	     string is a substring of the vendor/user class, then a
 	     match occurs. Thanks again to Richard Musil for prompting
@@ -997,7 +997,7 @@ release 2.8
 
 	     Add checks against DHCP clients which return zero-length
 	     hostnames. This avoids the potential lease-loss problems
-	     reffered to above. Also, if a client sends a hostname when
+	     referred to above. Also, if a client sends a hostname when
 	     it creates a lease but subsequently sends no or a
 	     zero-length hostname whilst renewing, continue to use the
 	     existing hostname, don't wipe it out. 
@@ -1010,7 +1010,7 @@ release 2.9
 	     but to the address of another interface were ignored
 	     unless the loopback interface was explicitly configured.
 	     2) on OpenBSD failure to configure one interface now
-	     causes a fatal error on startup rather than an huge
+	     causes a fatal error on startup rather than a huge
 	     stream of log messages. Thanks to Erik Jan Tromp for 
 	     finding that bug.
 
@@ -1019,7 +1019,7 @@ release 2.9
 	     broken. The new algorithm is to pick as before for the
 	     first try, but if a query is retried, to send to all
 	     available servers in parallel. The first one to reply
-	     then becomes prefered for the next query. This should 
+	     then becomes preferred for the next query. This should 
 	     improve reliability without generating significant extra
 	     upstream load.
 
@@ -1027,7 +1027,7 @@ release 2.9
 	     unqualified domains introduced in version 2.8 
 	      
 	     Allow fallback to "bind-interfaces" at runtime: Some
-	     verions of *BSD seem to have enough stuff in the header
+	     versions of *BSD seem to have enough stuff in the header
 	     files to build but no kernel support. Also now log if
 	     "bind-interfaces" is forced on.
 
@@ -1049,7 +1049,7 @@ release 2.9
 	     first name found is now returned for reverse lookups,
 	     rather than all of them.
 
-	     Add back fatal errors when nonexistant 
+	     Add back fatal errors when nonexistent 
 	     interfaces or interface addresses are given but only in
 	     "bind-interfaces" mode. Principle of least surprise applies.
 	     
@@ -1193,7 +1193,7 @@ version 2.14
 
 version 2.15
             Fixed NXDOMAIN/NODATA confusion for locally known
-            names. We now return a NODATA reponse for names which are
+            names. We now return a NODATA response for names which are
             locally known. Now a query for (eg AAAA or MX) for a name
 	    with an IPv4 address in /etc/hosts which fails upstream
             will generate a NODATA response. Note that the query 
@@ -1229,7 +1229,7 @@ version 2.16
 
             Set NONBLOCK on all listening sockets to workaround non-POSIX
             compliance in Linux 2.4 and 2.6. This fixes rare hangs which
-            occured when corrupted packets were received. Thanks to
+            occurred when corrupted packets were received. Thanks to
 	    Joris van Rantwijk for chasing that down.
  
 	    Updated config.h for NetBSD. Thanks to Martin Lambers.
@@ -1297,7 +1297,7 @@ version 2.18
 	    interfaces with more than one IPv6 address. Thanks to
             Martin Pels for help with that.
 
-	    Fix problems which occured when more than one dhcp-range
+	    Fix problems which occurred when more than one dhcp-range
 	    was specified in the same subnet: sometimes parameters
 	    (lease time, network-id tag) from the wrong one would be
 	    used. Thanks to Rory Campbell-Lange for the bug report.
@@ -1314,7 +1314,7 @@ version 2.19
 	    Thanks to Richard Atterer for the bug report.
 
 	    Check for under-length option fields in DHCP packets, a
-	    zero length client-id, in particluar, could seriously
+	    zero length client-id, in particular, could seriously
 	    confuse dnsmasq 'till now. Thanks to Will Murname for help
 	    with that.
 
@@ -1389,7 +1389,7 @@ version 2.21
 	    recursive queries.
 
 	    Fix DHCP address allocation problem when netid tags are in
-	    use. Thanks to Will Murnane for the bug report and
+	    use. Thanks to Will Murname for the bug report and
 	    subsequent testing.
 
 	    Add an additional data section to the reply for MX and SRV
@@ -1505,7 +1505,7 @@ version 2.23
             from dnsmasq --version. Thanks to Dirk Schenkewitz for 
             the suggestion. 
 
-	    Fix pathalogical behaviour when a broken client keeps sending
+	    Fix pathological behaviour when a broken client keeps sending
             DHCPDISCOVER messages repeatedly and fast. Because dealing with
             each of these takes a few seconds, (because of the ping) then a 
 	    queue of DHCP packets could build up. Now, the results of a ping 
@@ -1593,7 +1593,7 @@ version 2.24
 	    than one dhcp-range is available. Thanks to Sorin Panca
 	    for help chasing this down.
 
-	    Added more explict error mesages to the hosts file and
+	    Added more explicit error messages to the hosts file and
 	    ethers file reading code. Markus Kaiserswerth suffered to
 	    make this happen.
 
@@ -1617,7 +1617,7 @@ version 2.25
 
             Fixed Suse spec file - thanks to Steven Springl.
 
-	    Fixed DHCP bug when two distict subnets are on the same
+	    Fixed DHCP bug when two distinct subnets are on the same
 	    physical interface. Thanks to Pawel Zawora for finding
 	    this and suggesting the fix.
 
@@ -1740,7 +1740,7 @@ version 2.28
 	    Fixed regression in netlink code under 2.2.x kernels which 
 	    occurred in 2.27. Erik Jan Tromp is the vintage kernel fan 
 	    who found this. P.S. It looks like this "netlink bind:
-	    permission denied" problem occured in kernels at least as
+	    permission denied" problem occurred in kernels at least as
 	    late a 2.4.18. Good information from Alain Richoux.
 
 	    Added a warning when it's impossible to give a host its
@@ -1761,7 +1761,7 @@ version 2.28
 	    Eric House and Eric Spakman for help in chasing this down.
 
 	    Tolerate configuration screwups which lead to the DHCP
-	    server attemping to allocate its own address to a
+	    server attempting to allocate its own address to a
 	    client; eg setting the whole subnet range as a DHCP
 	    range. Addresses in use by the server are now excluded
 	    from use by clients.
@@ -2067,7 +2067,7 @@ version 2.36
 	    kernel. Thanks to Philip Wall for the bug report.
 
 	    Added --dhcp-bridge option, but only to the FreeBSD
-	    build. This fixes an oddity with a a particular bridged
+	    build. This fixes an oddity with a particular bridged
 	    network configuration on FreeBSD. Thanks to Luigi Rizzo
 	    for the patch.
 
@@ -2273,7 +2273,7 @@ version 2.40
 	    this.
 
 	    Use client-id as hash-seed for DHCP address allocation
-	    with Firewire and Infiniband, as these don't supply an MAC
+	    with Firewire and InfiniBand, as these don't supply a MAC
 	    address. 
 
 	    Tweaked TFTP file-open code to make it behave sensibly
@@ -2307,7 +2307,7 @@ version 2.40
 	    Continue to use unqualified hostnames provided by DHCP
 	    clients, even if the domain part is illegal. (The domain
 	    is	ignored, and an error logged.) Previously in this
-	    situation, the whole name whould have been
+	    situation, the whole name would have been
 	    rejected. Thanks to Jima for the patch.
 	    
 	    Handle EINTR returns from wait() correctly and reap
@@ -2319,7 +2319,7 @@ version 2.40
 	    leases file and passed to the lease-change
 	    script. Suggestion from Ben Voigt.
 
-	    Re-run the lease chamge script with an "old" event for
+	    Re-run the lease change script with an "old" event for
 	    each lease when dnsmasq receives a SIGHUP.
 
 	    Added more useful exit codes, including passing on a
@@ -2417,7 +2417,7 @@ version 2.41
 	    Changed behavior of DHCP server to always return total length of
 	    a new lease in DHCPOFFER, even if an existing lease
 	    exists. (It used to return the time remaining on the lease
-	    whne one existed.) This fixes problems with the Sony Ericsson
+	    when one existed.) This fixes problems with the Sony Ericsson
 	    K610i phone. Thanks to Hakon Stordahl for finding and
 	    fixing this.
 
@@ -2433,7 +2433,7 @@ version 2.41
 
 	    Add --dhcp-match flag, to check for arbitrary options in
 	    DHCP messages from clients. This enables use of dnsmasq
-	    with gPXE. Thanks to Rance Hall for the suggestion.
+	    with iPXE. Thanks to Rance Hall for the suggestion.
 
 	    Added --dhcp-broadcast, to force broadcast replies to DHCP
 	    clients which need them but are too dumb or too old to
@@ -2476,7 +2476,7 @@ version 2.42
 
 	    Fix OS detection logic to cope with GNU/FreeBSD.
 
-	    Fix unitialised variable in DBus code - thanks to Roy
+	    Fix uninitialised variable in DBus code - thanks to Roy
 	    Marples.
 
 	    Fix network enumeration code to work on later NetBSD -

FAQ

@@ -9,7 +9,7 @@ A: The high ports that dnsmasq opens are for replies from the upstream
    from port 53 the replies would be _to_ port 53 and get blocked.
 
    This is not a security hole since dnsmasq will only accept replies to that
-   port: queries are  dropped. The replies must be to oustanding queries
+   port: queries are dropped. The replies must be to outstanding queries
    which dnsmasq has forwarded, otherwise they are dropped too.
  
    Addendum: dnsmasq now has the option "query-port" (-Q), which allows
@@ -59,7 +59,7 @@ A: Yes, there is explicit support for *BSD and MacOS X and Solaris.
  
 Q: My company's nameserver knows about some names which aren't in the
    public DNS. Even though I put it first in /etc/resolv.conf, it
-   dosen't work: dnsmasq seems not to use the nameservers in the order
+   doesn't work: dnsmasq seems not to use the nameservers in the order
    given. What am I doing wrong?
 
 A: By default, dnsmasq treats all the nameservers it knows about as
@@ -144,19 +144,19 @@ Q: Who are Verisign, what do they have to do with the bogus-nxdomain
    option in dnsmasq and why should I wory about it?
 
 A: [note: this was written in September 2003, things may well change.]
-   Versign run the .com and .net top-level-domains. They have just
+   Verisign run the .com and .net top-level-domains. They have just
    changed the configuration of their servers so that unknown .com and
    .net domains, instead of returning an error code NXDOMAIN, (no such
-   domain) return the address of a host at Versign which runs a web
+   domain) return the address of a host at Verisign which runs a web
    server showing a search page. Most right-thinking people regard
    this new behaviour as broken :-).  You can test to see if you are
-   suffering Versign brokeness by run a command like 
+   suffering Verisign brokenness by run a command like 
    
    host jlsdajkdalld.com
 
    If you get "jlsdajkdalld.com" does not exist, then all is fine, if
    host returns an IP address, then the DNS is broken. (Try a few
-   different unlikely domains, just in case you picked a wierd one
+   different unlikely domains, just in case you picked a weird one
    which really _is_ registered.)
 
    Assuming that your DNS is broken, and you want to fix it, simply
@@ -180,7 +180,7 @@ A: There are a couple of configuration gotchas which have been
    whilst the ISC one works.
 
    The first thing to check is the broadcast address set for the
-   ethernet interface. This is normally the adddress on the connected
+   ethernet interface. This is normally the address on the connected
    network with all ones in the host part. For instance if the 
    address of the ethernet interface is 192.168.55.7 and the netmask
    is 255.255.255.0 then the broadcast address should be
@@ -205,7 +205,7 @@ A: By default, none of the DHCP clients send the host-name when asking
    send with the "hostname" keyword in /etc/network/interfaces. (See
    "man interfaces" for details.) That doesn't work for dhclient, were
    you have to add something like "send host-name daisy" to
-   /etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send
+   /etc/dhclient.conf [Update: the latest dhcpcd packages _do_ send
    the hostname by default.
 
 Q: I'm network booting my machines, and trying to give them static
@@ -240,7 +240,7 @@ Q: What are these strange "bind-interface" and "bind-dynamic" options?
 
 A: Dnsmasq from v2.63 can operate in one of three different "networking
    modes". This is unfortunate as it requires users configuring dnsmasq
-   to take into account some rather bizzare contraints and select the
+   to take into account some rather bizarre constraints and select the
    mode which best fits the requirements of a particular installation.
    The origin of these are deficiencies in the Unix networking
    model and APIs and each mode has different advantages and
@@ -252,10 +252,10 @@ A: Dnsmasq from v2.63 can operate in one of three different "networking
    The three modes are "wildcard", "bind-interfaces" and "bind-dynamic".
 
    In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or
-   ::). This allows it to recieve all the packets sent to the server on
+   ::). This allows it to receive all the packets sent to the server on
    the relevant port. Access control (--interface, --except-interface,
    --listen-address, etc) is implemented by dnsmasq: it queries the
-   kernel to determine the interface on which a packet was recieved and
+   kernel to determine the interface on which a packet was received and
    the address to which it was sent, and applies the configured
    rules. Wildcard mode is the default if neither of the other modes are
    specified. 
@@ -276,7 +276,7 @@ A: Dnsmasq from v2.63 can operate in one of three different "networking
    The mode chosen has four different effects: co-existence with other
    servers, semantics of --interface access control, effect of new
    interfaces, and legality of --interface specifications for
-   non-existent inferfaces. We will deal with these in order.
+   non-existent interfaces. We will deal with these in order.
 
    A dnsmasq instance running in wildcard mode precludes a machine from
    running a second instance of dnsmasq or any other DNS, TFTP or DHCP
@@ -297,7 +297,7 @@ A: Dnsmasq from v2.63 can operate in one of three different "networking
    by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic
    mode, such interfaces are handled normally.
 
-   A --interface specification for a non-existent interface is a fatal
+   An --interface specification for a non-existent interface is a fatal
    error at start-up when in --bind-interfaces mode, by just generates a
    warning in wildcard or bind-dynamic mode.
 
@@ -313,15 +313,25 @@ Q: Can I get email notification when a new version of dnsmasq is
    released?
 
 A: Yes, new releases of dnsmasq are always announced through
-   freshmeat.net, and they allow you to subcribe to email alerts when
+   freshmeat.net, and they allow you to subscribe to email alerts when
    new versions of particular projects are released. New releases are
    also announced in the dnsmasq-discuss mailing list, subscribe at 
    http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 Q: What does the dhcp-authoritative option do? 
 
-A: See http://www.isc.org/files/auth.html - that's
-   for the ISC daemon, but the same applies to dnsmasq.
+A: The DHCP spec says that when a DHCP server receives a renewal request
+   from a client it has no knowledge of, it should just ignore it.
+   This is because it's supported to have more than one DHCP server
+   on a network, and another DHCP server may be dealing with the client.
+   This has the unfortunate effect that when _no_ DHCP replies to 
+   the client, it takes some time for the client to time-out and start 
+   to get a new lease. Setting this option makes dnsmasq violate the
+   standard to the extent that it will send a NAK reply to the client, 
+   causing it to immediately start to get a new lease. This improves 
+   behaviour when machines move networks, and in the case that the DHCP
+   lease database is lost. As long as there are not more tha one DHCP
+   server on the network, it's safe to enable the option.
 
 Q: Why does my Gentoo box pause for a minute before getting a new
    lease?
@@ -349,18 +359,64 @@ A: By default, the identity of a machine is determined by using the
    method for setting the client-id varies with DHCP client software,
    dhcpcd uses the "-I" flag. Windows uses a registry setting,
    see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm
+
 Addendum:
    From version 2.46, dnsmasq has a solution to this which doesn't
    involve setting client-IDs. It's possible to put more than one MAC
    address in a --dhcp-host configuration. This tells dnsmasq that it
    should use the specified IP for any of the specified MAC addresses,
-   and furthermore it gives dnsmasq permission to sumarily abandon a
+   and furthermore it gives dnsmasq permission to summarily abandon a
    lease to one of the MAC addresses if another one comes along. Note
    that this will work fine only as longer as only one interface is
    up at any time. There is no way for dnsmasq to enforce this
    constraint: if you configure multiple MAC addresses and violate 
    this rule, bad things will happen.
 
+Addendum-II: The link above is dead, the former contents of the link are:
+
+------------------------------------------------------------------------------
+How can I keep the same DHCP client reservation, if the MAC address changes?
+
+When you reserve an IP address for a DHCP client, you provide the
+MAC address of the client's NIC.
+
+It is possible to use a custom identifier, which is sent as 
+option 61 in the client's DHCP Discover and Request packet.
+
+The DhcpClientIdentifier is a REG_DWORD value that is located at:
+
+Windows NT 4.0 SP2+
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Adapter Name>'X'\Parameters\Tcpip
+
+where <Adapter Name> is the NIC driver name and 'X' is the number of the NIC.
+
+Windows 2000
+
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIp\Parameters\Interfaces\<NIC GUID>
+
+where <NIC GUID> is the GUID of the NIC.
+
+The valid range of data is 0x0 - 0xFFFFFFFF. The custom identifier is send as 4 bytes, 
+8 hexadecimal character, in groups of 2 hexadecimal characters, with the groups being 
+sent in reverse order. If the custom identifier is less than 8 hexadeciaml characters, 
+it is zero padded at the end. Examples:
+
+Custom Client                 Client Reservation
+Identifier                    on DHCP Server
+12345678                      78563412
+123456                        56341200
+1234                          34120000
+1234567                       67452301
+12345                         45230100
+123                           23010000
+A18F42                        428FA100
+CF432                         32F40C00
+C32D1BE                       BED1320C
+
+-------------------------------------------------------------------------------------------------------
+
+
 Q: Can dnsmasq do DHCP on IP-alias interfaces?
 
 A: Yes, from version-2.21. The support is only available running under
@@ -488,7 +544,7 @@ Q: DHCP doesn't work with windows 7 but everything else is fine.
 
 A: There seems to be a problem if Windows 7 doesn't get a value for
    DHCP option 252 in DHCP packets it gets from the server. The
-   symtoms have beeen variously reported as continual DHCPINFORM
+   symptoms have been variously reported as continual DHCPINFORM
    requests in an attempt to get an option-252, or even ignoring DHCP
    offers completely (and failing to get an IP address) if there is no
    option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy 

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2016 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -53,14 +53,19 @@ top?=$(CURDIR)
 
 dbus_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
 dbus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
 idn_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` 
 idn_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` 
+idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
+idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
 ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
-lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1` 
-lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` 
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
@@ -73,16 +78,18 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o
+       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+       metrics.o hash_questions.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
-       dns-protocol.h radv-protocol.h ip6addr.h
+       dns-protocol.h radv-protocol.h ip6addr.h metrics.h
 
 all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
- build_cflags="$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)" \
  -f $(top)/Makefile dnsmasq 
 
 mostly_clean :
@@ -97,7 +104,8 @@ clean : mostly_clean
 install : all install-common
 
 install-common :
-	$(INSTALL) -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
 	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)
 
@@ -105,8 +113,8 @@ all-i18n : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
  i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
- build_cflags="$(version) $(dbus_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) `$(PKG_CONFIG) --cflags libidn`" \
- build_libs="$(dbus_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) `$(PKG_CONFIG) --libs libidn`"  \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)"  \
  -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
@@ -122,7 +130,7 @@ merge :
 		echo -n msgmerge $(PO)/$$f && $(MSGMERGE) --no-wrap -U $(PO)/$$f $(BUILDDIR)/dnsmasq.pot; \
 	done
 
-# Cannonicalise .po file.
+# Canonicalise .po file.
 %.po : 
 	@cd $(BUILDDIR) && $(MAKE) -f $(top)/Makefile dnsmasq.pot
 	mv $(PO)/$*.po $(PO)/$*.po.orig && $(MSGMERGE) --no-wrap $(PO)/$*.po.orig $(BUILDDIR)/dnsmasq.pot >$(PO)/$*.po; 
@@ -141,7 +149,7 @@ bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all
            $(top)/bld/bloat-o-meter dnsmasq_baseline dnsmasq; \
            size dnsmasq_baseline dnsmasq
 
-# rules below are targets in recusive makes with cwd=$(BUILDDIR)
+# rules below are targets in recursive makes with cwd=$(BUILDDIR)
 
 $(copts_conf): $(hdrs)
 	@rm -f *.o .copts_*

bld/Android.mk

@@ -10,7 +10,8 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
-		    loop.c inotify.c poll.c
+		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
+		    crypto.c dump.c ubus.c metrics.c hash_questions.c
 
 LOCAL_MODULE := dnsmasq
 

bld/get-version

@@ -11,11 +11,18 @@
 # If there is more than one v[0-9].* tag, sort them and use the
 # first. This favours, eg v2.63 over 2.63rc6.
 
+# Change directory to the toplevel source directory.
+if test -z "$1" || ! test -d "$1" || ! cd "$1"; then
+    echo "$0: First argument $1 must be toplevel dir." >&2
+    exit 1
+fi
+
 if which git >/dev/null 2>&1 && \
-    ([ -d $1/.git ] || grep '^gitdir:' $1/.git >/dev/null 2>&1); then 
-    cd $1; git describe | sed 's/^v//'
+    ([ -d .git ] || grep '^gitdir:' .git >/dev/null 2>&1) && \
+    git describe >/dev/null 2>&1; then 
+    git describe | sed 's/^v//'
 elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
-# unsubstituted VERSION, but no git available.
+    # unsubstituted VERSION, but no git available.
     echo UNKNOWN
 else
      vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]`

bld/pkg-wrapper

@@ -1,33 +1,37 @@
 #!/bin/sh
 
-search=$1
-shift
-pkg=$1
-shift
-op=$1
-shift
-
 in=`cat`
 
-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
-    echo $in | grep $search >/dev/null 2>&1; then
-# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
+search()
+{
+    grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
+    echo $in | grep $1 >/dev/null 2>&1
+}
+
+while [ "$#" -gt 0 ]; do
+    search=$1
+    pkg=$2
+    op=$3
+    lib=$4
+    shift 4
+if search "$search"; then
+
+# Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
     if [ $op = "--copy" ]; then
-	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
-            echo $in | grep $pkg >/dev/null 2>&1; then
+	if [ -z "$pkg" ]; then
+	    pkg="$lib"
+	elif search "$pkg"; then
 	    pkg=""
 	else 
-	    pkg="$*"
+	    pkg="$lib"
 	fi
-    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
-	pkg=`$pkg  --static $op $*`
+    elif search "${search}_STATIC"; then
+	pkg=`$pkg  --static $op $lib`
     else
-	pkg=`$pkg $op $*`
+	pkg=`$pkg $op $lib`
     fi
     
-    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+    if search "${search}_STATIC"; then
 	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
 	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
 	else
@@ -38,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
     fi
 fi
 
+done

contrib/MacOSX-launchd/launchd-README.txt

@@ -22,7 +22,7 @@ sudo chmod 644 /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
 
 Optionally, edit your dnsmasq configuration file to your liking.
 
-To start the launchd job, which starts dnsmaq, reboot or use the command:
+To start the launchd job, which starts dnsmasq, reboot or use the command:
 sudo launchctl load /Library/LaunchDaemons/uk.org.thekelleys.dnsmasq.plist
 
 To stop the launchd job, which stops dnsmasq, use the command:

contrib/Suse/README.susefirewall

@@ -1,9 +1,9 @@
 This is a patch against SuSEfirewall2-3.1-206 (SuSE 9.x and older)
-It fixes the depancy from the dns daemon name 'named'
+It fixes the dependency from the dns daemon name 'named'
 After appending the patch, the SuSEfirewall is again able to autodetect 
 the dnsmasq named service.
 This is a very old bug in the SuSEfirewall script.
-The SuSE people think the name of the dns server will allways 'named'
+The SuSE people think the name of the dns server will always 'named'
 
 
 --- /sbin/SuSEfirewall2.orig	2004-01-23 13:30:09.000000000 +0100

contrib/conntrack/README

@@ -13,10 +13,10 @@ connection comes out of the other side.  However, sometimes, we want to
 maintain that relationship through the proxy and continue the connection
 mark on packets upstream of our proxy
 
-DNSMasq includes such a feature enabled by the --conntrack
+Dnsmasq includes such a feature enabled by the --conntrack
 option. This allows, for example, using iptables to mark traffic from
 a particular IP, and that mark to be persisted to requests made *by*
-DNSMasq. Such a feature could be useful for bandwidth accounting,
+Dnsmasq. Such a feature could be useful for bandwidth accounting,
 captive portals and the like. Note a similar feature has been 
 implemented in Squid 2.2
 
@@ -40,7 +40,7 @@ on IP address. 3) Saves the firewall mark back to the connection mark
 (which will persist it across related packets)
 
 4) is applied to the OUTPUT table, which is where we first see packets
-generated locally. DNSMasq will have already copied the firewall mark
+generated locally. Dnsmasq will have already copied the firewall mark
 from the request, across to the new packet, and so all that remains is
 for iptables to copy it to the connection mark so it's persisted across
 packets.

contrib/lease-access/lease.access.patch

@@ -55,7 +55,7 @@ Index: src/dnsmasq.c
  	    }     
  
 @@ -434,7 +433,7 @@
- 	  /* lose the setuid and setgid capbilities */
+ 	  /* lose the setuid and setgid capabilities */
  	  if (capset(hdr, data) == -1)
  	    {
 -	      send_event(err_pipe[1], EVENT_CAP_ERR, errno);

contrib/lease-tools/Makefile

@@ -0,0 +1,6 @@
+CFLAGS?= -O2 -Wall -W
+
+all: dhcp_release dhcp_release6 dhcp_lease_time
+
+clean:
+	rm -f *~ *.o core dhcp_release dhcp_release6 dhcp_lease_time

contrib/lease-tools/dhcp_lease_time.c

@@ -83,7 +83,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
           if (p >= end - 2)
             return NULL; /* malformed packet */
           opt_len = option_len(p);
-          if (p >= end - (2 + opt_len))
+          if (end - p < (2 + opt_len))
             return NULL; /* malformed packet */
           if (*p == opt && opt_len >= minsize)
             return p;
@@ -168,7 +168,7 @@ int main(int argc, char **argv)
   *(p++) = 1;
   *(p++) = DHCPINFORM;
 
-  /* Explicity request the lease time, it won't be sent otherwise:
+  /* Explicitly request the lease time, it won't be sent otherwise:
      this is a dnsmasq extension, not standard. */
   *(p++) = OPTION_REQUESTED_OPTIONS;
   *(p++) = 1;
@@ -206,13 +206,13 @@ int main(int argc, char **argv)
 	{
 	  unsigned int x;
 	  if ((x = t/86400))
-	    printf("%dd", x);
+	    printf("%ud", x);
 	  if ((x = (t/3600)%24))
-	    printf("%dh", x);
+	    printf("%uh", x);
 	  if ((x = (t/60)%60))
-	    printf("%dm", x);
+	    printf("%um", x);
 	  if ((x = t%60))
-	    printf("%ds", x);
+	    printf("%us", x);
 	}
       return 0;
     }

contrib/lease-tools/dhcp_release.c

@@ -117,7 +117,7 @@ static ssize_t netlink_recv(int fd)
       msg.msg_flags = 0;
       while ((rc = recvmsg(fd, &msg, MSG_PEEK)) == -1 && errno == EINTR);
       
-      /* 2.2.x doesn't suport MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
+      /* 2.2.x doesn't support MSG_PEEK at all, returning EOPNOTSUPP, so we just grab a 
          big buffer and pray in that case. */
       if (rc == -1 && errno == EOPNOTSUPP)
         {
@@ -178,7 +178,7 @@ static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
   return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
 }
 
-static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index)
+static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index, int ifrfd, struct ifreq *ifr)
 {
   struct sockaddr_nl addr;
   struct nlmsghdr *h;
@@ -218,7 +218,17 @@ static struct in_addr find_interface(struct in_addr client, int fd, unsigned int
 
       for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
 	if (h->nlmsg_type == NLMSG_DONE)
-	  exit(0);
+          {
+	    /* No match found, return first address as src/dhcp.c code does */
+	    ifr->ifr_addr.sa_family = AF_INET;
+	    if (ioctl(ifrfd, SIOCGIFADDR, ifr) != -1)
+	      return ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
+	    else
+	      {
+		fprintf(stderr, "error: local IPv4 address not found\n");
+		exit(1);
+	      }
+          }
 	else if (h->nlmsg_type == RTM_NEWADDR)
           {
             struct ifaddrmsg *ifa = NLMSG_DATA(h);  
@@ -270,7 +280,8 @@ int main(int argc, char **argv)
   
   /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
      a DHCP server */
-  strcpy(ifr.ifr_name, argv[1]);
+  strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name)-1);
+  ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
   if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
     {
       perror("cannot setup interface");
@@ -284,7 +295,7 @@ int main(int argc, char **argv)
     }
   
   lease.s_addr = inet_addr(argv[2]);
-  server = find_interface(lease, nl, if_nametoindex(argv[1]));
+  server = find_interface(lease, nl, if_nametoindex(argv[1]), fd, &ifr);
   
   memset(&packet, 0, sizeof(packet));
  

contrib/lease-tools/dhcp_release6.1

@@ -0,0 +1,38 @@
+.TH DHCP_RELEASE 1
+.SH NAME
+dhcp_release6 \- Release a DHCPv6 lease on a the local dnsmasq DHCP server.
+.SH SYNOPSIS
+.B dhcp_release6 --iface <interface> --client-id <client-id> --server-id
+server-id --iaid <iaid>  --ip <IP>  [--dry-run] [--help]
+.SH "DESCRIPTION"
+A utility which forces the DHCP server running on this machine to release a 
+DHCPv6 lease.
+.SS OPTIONS
+.IP "-a, --ip"
+IPv6 address to release.
+.IP "-c, --client-id"
+Colon-separated hex string representing DHCPv6 client id. Normally
+it can be found in leases file both on client and server.
+.IP "-d, --dry-run"
+Print hexadecimal representation of generated DHCPv6 release packet to standard
+output and exit.
+.IP "-h, --help"
+print usage information to standard output and exit.
+.IP "-i, --iaid"
+Decimal representation of DHCPv6 IAID. Normally it can be found in leases file
+both on client and server.
+.IP "-n, --iface"
+Network interface to send a DHCPv6 release packet from.
+.IP "-s, --server-id"
+Colon-separated hex string representing DHCPv6 server id. Normally
+it can be found in leases file both on client and server.
+.SH NOTES
+MUST be run as root - will fail otherwise.
+.SH LIMITATIONS
+Only usable on IPv6 DHCP leases.
+.SH SEE ALSO
+.BR dnsmasq (8)
+.SH AUTHOR
+This manual page was written by Simon Kelley <simon@thekelleys.org.uk>.
+
+

contrib/lease-tools/dhcp_release6.c

@@ -0,0 +1,499 @@
+/*
+ dhcp_release6 --iface <interface> --client-id <client-id> --server-id
+ server-id --iaid <iaid>  --ip <IP>  [--dry-run] [--help]
+ MUST be run as root - will fail otherwise
+ */
+
+/* Send a DHCPRELEASE message  to IPv6 multicast address  via the specified interface
+ to tell the local DHCP server to delete a particular lease.
+ 
+ The interface argument is the interface in which a DHCP
+ request _would_ be received if it was coming from the client,
+ rather than being faked up here.
+ 
+ The client-id argument is colon-separated hex string and mandatory. Normally
+ it can be found in leases file both on client and server
+
+ The server-id argument is colon-separated hex string and mandatory. Normally
+ it can be found in leases file both on client and server.
+ 
+ The iaid argument is numeric string and mandatory. Normally
+ it can be found in leases file both on client and server.
+ 
+ IP is an IPv6 address to release
+ 
+ If --dry-run is specified, dhcp_release6 just prints hexadecimal representation of
+ packet to send to stdout and exits.
+ 
+ If --help is specified, dhcp_release6 print usage information to stdout and exits
+ 
+ 
+ 
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <getopt.h>
+#include <errno.h>
+#include <unistd.h>
+
+#define NOT_REPLY_CODE 115
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+
+enum DHCP6_TYPES
+  {
+    SOLICIT = 1,
+    ADVERTISE = 2,
+    REQUEST = 3,
+    CONFIRM = 4,
+    RENEW = 5,
+    REBIND = 6,
+    REPLY = 7,
+    RELEASE = 8,
+    DECLINE = 9,
+    RECONFIGURE = 10,
+    INFORMATION_REQUEST = 11,
+    RELAY_FORW = 12,
+    RELAY_REPL = 13
+    
+  };
+
+enum DHCP6_OPTIONS
+  {
+    CLIENTID = 1,
+    SERVERID = 2,
+    IA_NA = 3,
+    IA_TA = 4,
+    IAADDR = 5,
+    ORO = 6,
+    PREFERENCE = 7,
+    ELAPSED_TIME = 8,
+    RELAY_MSG = 9,
+    AUTH = 11,
+    UNICAST = 12,
+    STATUS_CODE = 13,
+    RAPID_COMMIT = 14,
+    USER_CLASS = 15,
+    VENDOR_CLASS = 16,
+    VENDOR_OPTS = 17,
+    INTERFACE_ID = 18,
+    RECONF_MSG = 19,
+    RECONF_ACCEPT = 20,
+  };
+
+enum DHCP6_STATUSES
+  {
+    SUCCESS = 0,
+    UNSPEC_FAIL = 1,
+    NOADDR_AVAIL=2,
+    NO_BINDING  = 3,
+    NOT_ON_LINK = 4,
+    USE_MULTICAST =5
+  };
+
+static struct option longopts[] = {
+  {"ip", required_argument, 0, 'a' },
+  {"server-id", required_argument, 0, 's' },
+  {"client-id", required_argument, 0, 'c' },
+  {"iface", required_argument, 0, 'n' },
+  {"iaid", required_argument, 0, 'i' },
+  {"dry-run", no_argument, 0, 'd' },
+  {"help", no_argument, 0, 'h' },
+  {0,     0,           0,   0 }
+};
+
+const short DHCP6_CLIENT_PORT = 546;
+const short DHCP6_SERVER_PORT = 547;
+
+const char*  DHCP6_MULTICAST_ADDRESS = "ff02::1:2";
+
+struct dhcp6_option {
+  uint16_t type;
+  uint16_t len;
+  char  value[1024];
+};
+
+struct dhcp6_iaaddr_option {
+  uint16_t type;
+  uint16_t len;
+  struct in6_addr ip;
+  uint32_t preferred_lifetime;
+  uint32_t valid_lifetime;
+};
+
+struct dhcp6_iana_option {
+  uint16_t type;
+  uint16_t len;
+  uint32_t iaid;
+  uint32_t t1;
+  uint32_t t2;
+  char options[1024];
+};
+
+
+struct dhcp6_packet {
+  size_t len;
+  char buf[2048];  
+};
+
+size_t pack_duid(const char* str, char* dst)
+{
+  char* tmp = strdup(str);
+  char* tmp_to_free = tmp;
+  char *ptr;
+  uint8_t write_pos = 0;
+  while ((ptr = strtok (tmp, ":")))
+    {
+      dst[write_pos] = (uint8_t) strtol(ptr, NULL, 16);
+      write_pos += 1;
+      tmp = NULL;
+    }
+  
+  free(tmp_to_free);
+  return write_pos;
+}
+
+struct dhcp6_option create_client_id_option(const char* duid)
+{
+  struct dhcp6_option option;
+  option.type = htons(CLIENTID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
+}
+
+struct dhcp6_option create_server_id_option(const char* duid)
+{
+  struct dhcp6_option   option;
+  option.type = htons(SERVERID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
+}
+
+struct dhcp6_iaaddr_option create_iaadr_option(const char* ip)
+{
+  struct dhcp6_iaaddr_option result;
+  result.type =htons(IAADDR);
+  /* no suboptions needed here, so length is 24  */
+  result.len = htons(24);
+  result.preferred_lifetime = 0;
+  result.valid_lifetime = 0;
+  int s = inet_pton(AF_INET6, ip, &(result.ip));
+  if (s <= 0) {
+    if (s == 0)
+      fprintf(stderr, "Not in presentation format");
+    else
+      perror("inet_pton");
+    exit(EXIT_FAILURE);
+  }
+
+  return result;
+}
+
+struct dhcp6_iana_option  create_iana_option(const char * iaid, struct dhcp6_iaaddr_option  ia_addr)
+{
+  struct dhcp6_iana_option  result;
+  result.type = htons(IA_NA);
+  result.iaid = htonl(atoi(iaid));
+  result.t1 = 0;
+  result.t2 = 0;
+  result.len = htons(12 + ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  memcpy(result.options, &ia_addr, ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  return result;
+}
+
+struct dhcp6_packet create_release_packet(const char* iaid, const char* ip, const char* client_id, const char* server_id)
+{
+  struct dhcp6_packet result;
+  bzero(result.buf, sizeof(result.buf));
+  /* message_type */
+  result.buf[0] = RELEASE;
+  /* tx_id */
+  bzero(result.buf+1, 3);
+  
+  struct dhcp6_option client_option = create_client_id_option(client_id);
+  struct dhcp6_option server_option = create_server_id_option(server_id);
+  struct dhcp6_iaaddr_option iaaddr_option = create_iaadr_option(ip);
+  struct dhcp6_iana_option iana_option = create_iana_option(iaid, iaaddr_option);
+  int offset = 4;
+  memcpy(result.buf + offset, &client_option, ntohs(client_option.len) + 2*sizeof(uint16_t));
+  offset += (ntohs(client_option.len)+ 2 *sizeof(uint16_t) );
+  memcpy(result.buf + offset, &server_option, ntohs(server_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(server_option.len)+ 2* sizeof(uint16_t));
+  memcpy(result.buf + offset, &iana_option, ntohs(iana_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(iana_option.len)+ 2* sizeof(uint16_t));
+  result.len = offset;
+  return result;
+}
+
+uint16_t parse_iana_suboption(char* buf, size_t len)
+{
+  size_t current_pos = 0;
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos + sizeof(uint16_t) , option_len - sizeof(uint16_t));
+	      option_value[option_len-sizeof(uint16_t)] ='\0';
+	      fprintf(stderr, "Error: %s\n", option_value);
+            }
+	  return status;
+        }
+    }
+
+  return -2;
+}
+
+int16_t parse_packet(char* buf, size_t len)
+{
+  int16_t ret = -1;
+  uint8_t type = buf[0];
+  /*skipping tx id. you need it, uncomment following line
+    uint16_t tx_id = ntohs((buf[1] <<16) + (buf[2] <<8) + buf[3]);
+  */
+  size_t current_pos = 4;
+  if (type != REPLY )
+    return NOT_REPLY_CODE;
+  
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos +sizeof(uint16_t) , option_len -sizeof(uint16_t));
+	      fprintf(stderr, "Error: %d %s\n", status, option_value);
+	      return status;
+	    }
+
+	  /* Got success status, return that if there's no specific error in an IA_NA. */
+	  ret = SUCCESS;   
+        }
+
+      if (option_type == IA_NA )
+	{
+	  uint16_t result = parse_iana_suboption(buf + current_pos +24, option_len -24);
+	  if (result)
+	    return result;
+	}
+      
+      current_pos += option_len;
+    }
+
+  return ret;
+}
+
+void usage(const char* arg, FILE* stream)
+{
+  const char* usage_string ="--ip IPv6 --iface IFACE --server-id SERVER_ID --client-id CLIENT_ID --iaid IAID [--dry-run] | --help";
+  fprintf (stream, "Usage: %s %s\n", arg, usage_string);   
+}
+
+int send_release_packet(const char* iface, struct dhcp6_packet* packet)
+{
+  struct sockaddr_in6 server_addr, client_addr;
+  char response[1400];
+  int sock = socket(PF_INET6, SOCK_DGRAM, 0);
+  int i = 0;
+  if (sock < 0)
+    {
+      perror("creating socket");
+      return -1;
+    }
+  
+    if (setsockopt(sock, SOL_SOCKET, 25, iface, strlen(iface)) == -1)
+      {
+        perror("SO_BINDTODEVICE");
+        close(sock);
+        return -1;
+      }
+    
+    memset(&server_addr, 0, sizeof(server_addr));
+    server_addr.sin6_family = AF_INET6;
+    client_addr.sin6_family = AF_INET6;
+    client_addr.sin6_port = htons(DHCP6_CLIENT_PORT);
+    client_addr.sin6_flowinfo = 0;
+    client_addr.sin6_scope_id =0;
+    inet_pton(AF_INET6, "::", &client_addr.sin6_addr);
+    bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6));
+    inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr);
+    server_addr.sin6_port = htons(DHCP6_SERVER_PORT);
+    int16_t recv_size = 0;
+    for (i = 0; i < 5; i++)
+      {
+        if (sendto(sock, packet->buf, packet->len, 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
+	  {
+	    perror("sendto failed");
+            exit(4);
+	  }
+	
+        recv_size = recvfrom(sock, response, sizeof(response), MSG_DONTWAIT, NULL, 0);
+        if (recv_size == -1)
+	  {
+            if (errno == EAGAIN)
+	      {
+		sleep(1);
+		continue;
+	      }
+	    else
+	      {
+                perror("recvfrom");
+	      }
+	  }
+	
+        int16_t result = parse_packet(response, recv_size);
+        if (result == NOT_REPLY_CODE)
+	  {
+            sleep(1);
+            continue;
+	  }
+
+        close(sock);
+        return result;
+      }
+
+    close(sock);
+    fprintf(stderr, "Response timed out\n");
+    return -1;   
+}
+
+
+int main(int argc, char *  const argv[])
+{
+  const char* UNINITIALIZED = "";
+  const char* iface = UNINITIALIZED;
+  const char* ip = UNINITIALIZED;
+  const char* client_id = UNINITIALIZED;
+  const char* server_id = UNINITIALIZED;
+  const char* iaid = UNINITIALIZED;
+  int dry_run = 0;
+  while (1)
+    {
+      int option_index = 0;
+      int c = getopt_long(argc, argv, "a:s:c:n:i:hd", longopts, &option_index);
+      if (c == -1)
+	break;
+        
+      switch(c)
+	{
+	case 0:
+	  if (longopts[option_index].flag !=0)
+	    break;
+	  
+	  printf ("option %s", longopts[option_index].name);
+	  if (optarg)
+	    printf (" with arg %s", optarg);
+	  printf ("\n");
+	  break;
+
+	case 'i':
+	  iaid = optarg;
+	  break;
+	case 'n':
+	  iface = optarg;
+	  break;
+	case 'a':
+	  ip = optarg;
+	  break;
+	case 'c':
+	  client_id = optarg;
+	  break;
+	case 'd':
+	  dry_run = 1;
+	  break;
+	case 's':
+	  server_id = optarg;
+	  break;
+	case 'h':
+	  usage(argv[0], stdout);
+	  return 0;
+	case '?':
+	  usage(argv[0], stderr);
+	  return -1;
+	default:
+	  abort();
+	  
+        }
+    }
+  
+  if (iaid == UNINITIALIZED)
+    {
+      fprintf(stderr, "Missing required iaid parameter\n");
+      usage(argv[0], stderr);
+      return -1;
+    }
+  
+    if (server_id == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required server-id parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (client_id == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required client-id parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (ip == UNINITIALIZED)
+      {
+        fprintf(stderr, "Missing required ip parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+    
+    if (iface == UNINITIALIZED)
+      {
+	fprintf(stderr, "Missing required iface parameter\n");
+        usage(argv[0], stderr);
+        return -1;
+      }
+
+    
+    
+    struct dhcp6_packet packet = create_release_packet(iaid, ip, client_id, server_id);
+
+    if (dry_run)
+      {
+        uint16_t i;
+
+        for(i=0; i<packet.len; i++)
+	  printf("%hhx", packet.buf[i]);
+        
+        printf("\n");
+        return 0;
+      }
+
+    return send_release_packet(iface, &packet);
+}

contrib/mactable/macscript

@@ -3,7 +3,7 @@
 STATUS_FILE="/tmp/dnsmasq-ip-mac.status"
 
 # Script for dnsmasq lease-change hook.
-# Maintains the above file with a IP address/MAC address pairs,
+# Maintains the above file with an IP address/MAC address pairs,
 # one lease per line. Works with IPv4 and IPv6 leases, file is
 # atomically updated, so no races for users of the data.
 

contrib/port-forward/portforward

@@ -3,7 +3,7 @@
 # first column of this file, then a DNAT port-forward will be set up 
 # to the address which has just been allocated by DHCP . The second field 
 # is port number(s). If there is only one, then the port-forward goes to 
-# the same port on the DHCP-client, if there are two seperated with a 
+# the same port on the DHCP-client, if there are two separated with a 
 # colon, then the second number is the port to which the connection 
 # is forwarded on the DHCP-client. By default, forwarding is set up 
 # for TCP, but it can done for UDP instead by prefixing the port to "u". 

contrib/reverse-dns/README

@@ -1,6 +1,6 @@
 The script reads stdin and replaces all IP addresses with names before
 outputting it again. IPs from private networks are reverse looked  up
-via dns. Other IP adresses are searched for in the dnsmasq query log.
+via dns. Other IP addresses are searched for in the dnsmasq query log.
 This gives names (CNAMEs if I understand DNS correctly) that are closer
 to the name the client originally asked for then the names obtained by
 reverse lookup. Just run
@@ -14,5 +14,5 @@ log-facility=/var/log/dnsmasq.log
 
 in the dnsmasq configuration.
 
-The script runs on debian (with ash installed) and on busybox.
+The script runs on debian (with dash installed) and on busybox.
 

contrib/reverse-dns/reverse_replace.sh

@@ -1,14 +1,14 @@
-#!/bin/ash
+#!/bin/dash
 # $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
 #
 # Usage e.g.: netstat -n -4 | reverse_replace.sh 
 # Parses stdin for IP4 addresses and replaces them 
 # with names retrieved by parsing the dnsmasq log.
 # This currently only gives CNAMEs. But these 
-# usually tell ou more than the mones from reverse 
+# usually tell you more than the ones from reverse 
 # lookups. 
 #
-# This has been tested on debian and asuswrt. Plese
+# This has been tested on debian and asuswrt. Please
 # report successful tests on other platforms.
 #
 # Author: Joachim Zobel <jz-2014@heute-morgen.de>

contrib/systemd/dnsmasq.service

@@ -1,5 +1,8 @@
 [Unit]
 Description=dnsmasq - A lightweight DHCP and caching DNS server
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
 
 [Service]
 Type=dbus

contrib/try-all-ns/README-2.47

@@ -2,7 +2,7 @@ A remake of patch Bob Carroll had posted to dnsmasq,
 now compatible with version 2.47. Hopefully he doesn't 
 mind (sending a copy of this mail to him too).
 
-Maybe the patch in question is not acceptible
+Maybe the patch in question is not acceptable
 as it doesn't add new switch, rather it binds itself to "strict-order".
 
 What it does is: if you have strict-order in the 

contrib/try-all-ns/README-2.78

@@ -0,0 +1,10 @@
+Hi,
+I updated the try-all-ns patch to work with the latest version of git. Ended up implementing it on top of master, 2.78test2-7-g63437ff. As that specific if-clause has been changed in the last few commits, it's not compatible for 2.77, sadly.
+
+Find the patch attached.
+
+Regards,
+
+Rasmus Ahlberg
+Software Developer, R&D
+Electrolux Small Appliances

contrib/try-all-ns/dnsmasq-2.78xx-try-all-ns.patch

@@ -0,0 +1,20 @@
+diff --git a/src/forward.c b/src/forward.c
+index e3fa94b..ecf3b98 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -789,9 +789,12 @@ void reply_query(int fd, int family, time_t now)
+ 
+   /* Note: if we send extra options in the EDNS0 header, we can't recreate
+      the query from the reply. */
+-  if (RCODE(header) == REFUSED &&
+-      forward->forwardall == 0 &&
+-      !(forward->flags & FREC_HAS_EXTRADATA))
++  if ((RCODE(header) == REFUSED &&
++        forward->forwardall == 0 &&
++       !(forward->flags & FREC_HAS_EXTRADATA)) ||
++      /* If strict-order is set, try next server on NXDOMAIN reply */
++      (RCODE(header) == NXDOMAIN && option_bool(OPT_ORDER) &&
++       server->next != NULL))
+     /* for broken servers, attempt to send to another one. */
+     {
+       unsigned char *pheader;

contrib/webmin/README

@@ -1,5 +1,5 @@
 
-This is the README for the DNSmasq webmin module.
+This is the README for the Dnsmasq webmin module.
 
 Problems:
 
@@ -48,7 +48,7 @@ wade through the config file and man pages again.
 
 If you modify it, or add a language file, and you have a spare moment,
 please e-mail me - I won't be upset at all if you fix my poor coding!
-(rather the opposite - I'd be pleased someone found it usefull)
+(rather the opposite - I'd be pleased someone found it useful)
 
 Cheers,
 	Neil Fisher <neil@magnecor.com.au>

contrib/wrt/Makefile

@@ -1,6 +0,0 @@
-CFLAGS?= -O2 -Wall -W
-
-all: dhcp_release dhcp_lease_time
-
-clean:
-	rm -f *~ *.o core dhcp_release dhcp_lease_time

contrib/wrt/README

@@ -4,7 +4,7 @@ reboot, then it will eventually be restored as hosts renew their
 leases. Until a host renews (which may take hours/days) it will
 not exist in the DNS if dnsmasq's DDNS function is in use.
 
-*WRT systems remount all non-volatile fileystems read-only after boot,
+*WRT systems remount all non-volatile filesystems read-only after boot,
 so the normal leasefile will not work. They do, however have NV
 storage, accessed with the nvram command:
 
@@ -62,7 +62,7 @@ about 100 bytes, so restricting the number of leases to 50 will limit
 use to half that. (The default limit in the distributed source is 150)
 
 Any UI script which reads the dnsmasq leasefile will have to be
-ammended, probably by changing it to read the output of 
+amended, probably by changing it to read the output of 
 `lease_update init` instead.
  
 

dbus/DBus-interface

@@ -243,6 +243,10 @@ IPv4 or IPv6 address of the lease to remove.
 Note that this function will trigger the DhcpLeaseRemoved signal and the
 configured DHCP lease script will be run with the "del" action.
 
+GetMetrics
+----------
+
+Returns an array with various metrics for DNS and DHCP.
 
 
 2. SIGNALS

debian/changelog

@@ -1,3 +1,181 @@
+dnsmasq (2.83-1) unstable; urgency=high
+
+   * New upstream.
+   * Includes fixes to CVE-2020-25681 - CVE-2020-25687 inclusive.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 15 Jan 2021 22:22:41 +0000
+
+dnsmasq (2.82-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 26 Jun 2020 22:22:41 +0000
+
+dnsmasq (2.81-4) unstable; urgency=low
+
+   * Remove runit support when building for Ubuntu. (closes: #960401)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 26 Jun 2020 21:52:44 +0000
+
+dnsmasq (2.81-3) unstable; urgency=low
+
+   * Fixes to control file for bug 958100
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 19 Apr 2020 21:44:12 +0000
+
+dnsmasq (2.81-2) unstable; urgency=low
+
+   * Fix FTBFS on kFreeBSD. (closes: #958100)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sat, 18 Apr 2020 18:34:15 +0000
+
+dnsmasq (2.81-1) unstable; urgency=low
+
+   * New upstream.
+   * Fix nodocs/nodoc confusion in rules. (closes: #922758)
+   * Add Vcs-* fields to control. (closes: #922422)
+   * Add systemd support for multiple daemon instances. (closes: #914305)
+   * Add note explaining that ENABLED is SYSV-init only. (closes: #914755)
+   * Replace ash with dash in contrib/reverse-dns. (closes: #920224)
+   * Move to libidn2. (closes: #932695)
+   * Fix RA problem with two interfaces on same net, but RA service on
+     only one of the interfaces. (closes: #949565)
+   * Fix breakage of dig +trace. (closes: #942363)
+   * Fix build faliure with newer Nettle libraries. (closes: #940985)
+   * Support runscript init-system (closes: #929884)
+   * Security fix for CVE-2019-14834 (closes: #948373)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 8 Apr 2020 17:33:15 +0000
+
+dnsmasq (2.80-1) unstable; urgency=low
+
+   * New upstream. (closes: #837602) (closes: #794640) (closes: #794636)
+   * Close old bugs, long agp fixed. (closes: #802845) (closes: #754299)
+   * Provide usr/lib/tmpfiles.d/dnsmasq.conf. (closes: #872396)
+   * Run restorecon on /run/dnsmasq for SE Linux. (closes: #872397)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Mon, 17 Sep 2018 23:11:25 +0000
+
+dnsmasq (2.79-1) unstable; urgency=low
+
+   * New upstream. (closes: #888200)
+   * Fix trust-anchor regex in init script. (closes: #884347)
+   * Fix exit code for dhcp_release6 (closes: #883596)
+   * Add project homepage to control file. (closes: #887764)
+   * New binary package dnsmasq-base-lua, includes Lua support.
+   * Remove hardwired shlibs dependency for libnettle 3.3 and
+     fix code to avoid ABI breakage as long as compiled against
+     libnettle 3.4 or later. (closes: #891315)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 16 Feb 2018 19:54:22 +0000
+
+dnsmasq (2.78-3) unstable; urgency=high
+
+   * Make failure of pidfile chown a warning. (closes: #889857)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thu, 8 Feb 2018 21:26:30 +0000
+
+dnsmasq (2.78-2) unstable; urgency=high
+
+   * Change ownership of pid file, to keep systemd happy. (closes: #889336)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 6 Feb 2018 17:21:30 +0000
+
+dnsmasq (2.78-1) unstable; urgency=high
+
+   * New upstream.
+     Security fixes for CVE-2017-13704  (closes: #877102)
+     Security fixes for CVE-2017-14491 - CVE-2017-14496 inclusive.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 29 Sep 2017 21:34:00 +0000
+
+dnsmasq (2.77-2) unstable; urgency=low
+
+   * Improve sed regexp for parsing root.ds.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Mon, 5 Jun 2017 20:46:32 +0000
+
+dnsmasq (2.77-1) unstable; urgency=low
+
+   * New upstream.
+   * Don't register as a resolvconf source when config file
+     includes port=0 to disable DNS.
+   * Handle gratuitous format change in /usr/share/dns/root.ds
+     (closes: #858506) (closes: #860064)
+   * Add lsb-base dependency.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 11 Apr 2017 14:19:20 +0000
+
+dnsmasq (2.76-5) unstable; urgency=medium
+
+  * Nail libnettle dependency to avoid ABI incompatibility.
+    (closes: #846642)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 14 Dec 2016 17:58:10 +0000
+
+dnsmasq (2.76-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add two upstream patches to fix binding to an interface being
+    destroyed and recreated. Closes: #834722.
+      + 2675f2061525bc954be14988d64384b74aa7bf8b
+      + 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d
+
+ -- Vincent Bernat <bernat@debian.org>  Sat, 26 Nov 2016 20:15:34 +0100
+
+dnsmasq (2.76-4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix FTCBFS: Use triplet-prefixed tools. (closes: #836072)
+
+ -- Helmut Grohne <helmut@subdivi.de>  Tue, 30 Aug 2016 13:59:12 +0200
+
+dnsmasq (2.76-3) unstable; urgency=medium
+
+   * Bump auth zone serial on SIGHUP. (closes: #833733)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sat, 13 Aug 2016 21:43:10 +0000
+
+dnsmasq (2.76-2) unstable; urgency=medium
+
+   * Fix to systemd to fix failure to start with bridge interface.
+     (Closes: #831372)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sat, 16 Jul 2016 22:09:10 +0000
+
+dnsmasq (2.76-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * dnsmasq: Install marker file to determine package installed state,
+    for the benefit of the init script. (Closes: #819856)
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Sat, 16 Jul 2016 00:17:57 +0000
+
+dnsmasq (2.76-1.1) unstable; urgency=medium
+
+   * Non-maintainer upload.
+   * Provide nss-lookup.target for systemd, without relying on insserv.
+     Patch from Michael Biebl <biebl@debian.org>. (Closes: #826242)
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Fri, 01 Jul 2016 13:41:11 +0000
+
+dnsmasq (2.76-1) unstable; urgency=low
+
+   * New upstream. (closes: #798586)
+   * Use /run/dnsmasq directly, rather than relying on link from /var/run
+     to avoid problems before /var is mounted. (closes: #800351)
+   * Test for the existence of /usr/share/doc/dnsmasq rather then
+     /etc/dnsmasq.d/README in the daemon startup script. (closes: #819856)
+   * Add --help to manpage and mention dhcp6 in summary. (closes: #821226)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thu, 10 Sep 2015 23:07:21 +0000
+
+dnsmasq (2.75-1) unstable; urgency=low
+
+   * New upstream. (closes: #794095)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thu, 30 Jul 2015 20:58:31 +0000
+
 dnsmasq (2.74-1) unstable; urgency=low
 
    * New upstream. (LP: #1468611)
@@ -28,7 +206,7 @@ dnsmasq (2.72-3) unstable; urgency=medium
      work without it. (Closes: #769486, #776530)
      - debian/init: when called with systemd-exec argument, let dnsmasq
        go into the background, so Type=forking can detect when it is ready
-   * Remove line containing only whitespace in debian/contol.
+   * Remove line containing only whitespace in debian/control.
      (closes: #777571)
 
  -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 11 Feb 2015 21:56:12 +0000
@@ -640,7 +818,7 @@ dnsmasq (2.26-1) unstable; urgency=high
 dnsmasq (2.25-1) unstable; urgency=low
 
    * Remove bashisms in postinst and prerm scripts.
-   * Remove misconcieved dependency on locales.	
+   * Remove misconceived dependency on locales.	
    * Depend on adduser.
 		
  -- Simon Kelley <simon@thekelleys.org.uk>  Thu, 01 Dec 2005 21:02:12 +0000
@@ -662,7 +840,7 @@ dnsmasq (2.23-1) unstable; urgency=low
    * Add support for DNSMASQ_EXCEPT in /etc/defaults/dnsmasq.
      putting "lo" in this also disables resolvconf support.
    * No longer delete pre-existing /etc/init.d symlinks. The 
-     change in default runlevels which neccesitated this 
+     change in default runlevels which necessitated this 
      is now ancient history and anyway the startup script now 
      behaves when called twice. (closes: #312111)
    * Tightened config-file parser. (closes: #317030)
@@ -847,7 +1025,7 @@ dnsmasq (2.6-3) unstable; urgency=low
 
    * Removed reload command from start script and moved force-reload
      to be equivalent to restart. This is needed to be policy compliant
-     since SIHGUP doesn't cause dnsmasq to reload its configuration file,
+     since SIGHUP doesn't cause dnsmasq to reload its configuration file,
      only the /etc/hosts, /etc/resolv.conf etc. (closes: #244208)
 	
  -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 18 Apr 2004 14:40:51 +0000
@@ -937,8 +1115,8 @@ dnsmasq (2.0-1) unstable; urgency=low
    * New upstream: This removes the ability to read the 
      the leases file of ISC DHCP and replaces it with a built-in 
      DHCP server. Apologies in advance for breaking backwards 
-     compatibilty, but this replaces a bit of a hack (the ISC stuff)
-     with a nicely engineered and much more apropriate solution.
+     compatibility, but this replaces a bit of a hack (the ISC stuff)
+     with a nicely engineered and much more appropriate solution.
      Wearing my upstream-maintainer hat, I want to lose the hack now,
      rather than have to support it into Sarge.
    * New upstream closes some bugs since they become 
@@ -964,7 +1142,7 @@ dnsmasq (1.18-1) unstable; urgency=low
    * New upstream which does round-robin. (closes: #215460)
    * Removed conflicts with other dns servers since it is now
      possible to control exactly where dnsmasq listens on multi-homed 
-     hosts, making co-existance with another nameserver 
+     hosts, making co-existence with another nameserver 
      a viable proposition. (closes #176163)
    * New upstream allows _ in hostnames and check for illegal
      names in /etc/hosts. (closes: #218842)
@@ -1050,13 +1228,13 @@ dnsmasq (1.11-2) unstable; urgency=low
 
 dnsmasq (1.11-1) unstable; urgency=low
 
-   * New uptream.
+   * New upstream.
   
  -- Simon Kelley <simon@thekelleys.org.uk>  Tues, 12 Jan 2003 22:25:17 -0100
 
 dnsmasq (1.10-1) unstable; urgency=low
 
-   * New uptream.
+   * New upstream.
    * Force service to stop in postinst before restarting. I don't
      understand the circumstances under which it would still be running at
      this point, but this is the correct fix anyway. (closes: #169718) 
@@ -1068,7 +1246,7 @@ dnsmasq (1.10-1) unstable; urgency=low
 
 dnsmasq (1.9-1) unstable; urgency=low
 
-   * New uptream.
+   * New upstream.
   
  -- Simon Kelley <simon@thekelleys.org.uk>  Mon, 23 Sept 2002 21:35:07 -0100
 

debian/control

@@ -2,17 +2,23 @@ Source: dnsmasq
 Section: net
 Priority: optional
 Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
-               nettle-dev (>=2.4-3), libbsd-dev [!linux-any]
+               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+               nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
+	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
+               pkg-config
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Standards-Version: 3.9.5
+Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
+Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git
+Vcs-Browser: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
+Standards-Version: 3.9.8
 
 Package: dnsmasq
 Architecture: all
-Depends: netbase, dnsmasq-base(>= ${binary:Version}),
-         init-system-helpers (>= 1.18~)
+Depends: netbase, dnsmasq-base,
+         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6), ${misc:Depends}
 Suggests: resolvconf
-Conflicts: resolvconf (<<1.15)
+Breaks: ${runit:Breaks}
+Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
 Description: Small caching DNS proxy and DHCP/TFTP server
  Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
  server. It is designed to provide DNS and optionally, DHCP, to a 
@@ -27,13 +33,29 @@ Package: dnsmasq-base
 Architecture: any
 Depends: adduser, ${shlibs:Depends}
 Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~)
+Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
 Recommends: dns-root-data
+Provides: dnsmasq-base
+Conflicts: dnsmasq-base-lua
 Description: Small caching DNS proxy and DHCP/TFTP server
  This package contains the dnsmasq executable and documentation, but
  not the infrastructure required to run it as a system daemon. For
  that, install the dnsmasq package.
 
+Package: dnsmasq-base-lua
+Architecture: any
+Depends: adduser, ${shlibs:Depends}
+Breaks: dnsmasq (<< 2.63-1~)
+Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
+Recommends: dns-root-data
+Provides: dnsmasq-base
+Conflicts: dnsmasq-base
+Description: Small caching DNS proxy and DHCP/TFTP server
+ This package contains the dnsmasq executable and documentation, but
+ not the infrastructure required to run it as a system daemon. For
+ that, install the dnsmasq package. This package is an alternative
+ to dnsmasq-base which includes the LUA interpreter.
+ 
 Package: dnsmasq-utils
 Architecture: linux-any
 Depends: ${shlibs:Depends}

debian/copyright

@@ -1,4 +1,4 @@
-dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
 It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
 

debian/default

@@ -1,5 +1,5 @@
-# This file has five functions: 
-# 1) to completely disable starting dnsmasq, 
+# This file has six functions:
+# 1) to completely disable starting this dnsmasq instance
 # 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
 # 3) to select an alternative config file
 #    by setting DNSMASQ_OPTS to --conf-file=<file>
@@ -7,6 +7,8 @@
 #    more configuration variables.
 # 5) to stop the resolvconf package from controlling dnsmasq's
 #    idea of which upstream nameservers to use.
+# 6) to avoid using this dnsmasq instance as the system's default resolver
+#    by setting DNSMASQ_EXCEPT="lo"
 # For upgraders from very old versions, all the shell variables set
 # here in previous versions are still honored by the init script
 # so if you just keep your old version of this file nothing will break.
@@ -15,6 +17,8 @@
 #DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
 
 # Whether or not to run the dnsmasq daemon; set to 0 to disable.
+# Note that this is only valid when using SYSV init. For systemd,
+# use "systemctl disable dnsmasq"
 ENABLED=1
 
 # By default search this drop directory for configuration options.
@@ -31,3 +35,8 @@ CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
 # /etc/dnsmasq.conf is not enough to override resolvconf if it is
 # installed: the line below must be uncommented.
 #IGNORE_RESOLVCONF=yes
+
+# If the resolvconf package is installed, dnsmasq will tell resolvconf
+# to use dnsmasq under 127.0.0.1 as the system's default resolver.
+# Uncommenting this line inhibits this behaviour.
+#DNSMASQ_EXCEPT="lo"

debian/dnsmasq-base.postinst

@@ -17,8 +17,8 @@ if [ "$1" = "configure" ]; then
   # dnsmasq-base, but it's much easier to create it here so that
   # we don't have synchronisation issues with the creation of the
   # dnsmasq user. 
-  if [ ! -d /var/run/dnsmasq ]; then
-    mkdir /var/run/dnsmasq
-    chown dnsmasq:nogroup /var/run/dnsmasq
+  if [ ! -d /run/dnsmasq ]; then
+    mkdir /run/dnsmasq
+    chown dnsmasq:nogroup /run/dnsmasq
   fi
 fi

debian/dnsmasq-base.postrm

@@ -7,5 +7,5 @@ if [ purge = "$1" ]; then
   else
      echo >&2 "not removing dnsmasq system account because deluser command was not found"
   fi
-  rm -rf /var/run/dnsmasq
+  rm -rf /run/dnsmasq
 fi

debian/dnsmasq.runit

@@ -0,0 +1 @@
+debian/dnsmasq.runscript name=dnsmasq,logscript,presubj

debian/dnsmasq.runscript/finish

@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+if [ -x /sbin/resolvconf ] ; then
+	/sbin/resolvconf -d lo.dnsmasq
+fi
+

debian/dnsmasq.runscript/run

@@ -0,0 +1,43 @@
+#!/lib/runit/invoke-run
+
+readonly name=dnsmasq
+readonly daemon=/usr/sbin/dnsmasq
+readonly marker=/usr/share/dnsmasq/installed-marker
+
+test -e "${marker}" || exec sv down "${name}"
+test -x "${daemon}" || exec sv down "${name}"
+
+if [ ! "${RESOLV_CONF:-}" ] &&
+   [ "${IGNORE_RESOLVCONF:-}" != "yes" ] &&
+   [ -x /sbin/resolvconf ]
+then
+	RESOLV_CONF=/run/dnsmasq/resolv.conf
+fi
+
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if  --interface --except-interface, --listen-address 
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
+
+# If the dns-root-data package is installed, then the trust anchors will be 
+# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# --trust-anchor options.
+
+ROOT_DS="/usr/share/dns/root.ds"
+
+if [ -f $ROOT_DS ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
+fi
+
+mkdir -p /run/dnsmasq
+chown dnsmasq:nogroup /run/dnsmasq
+[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+exec "${daemon}" \
+	--keep-in-foreground \
+	--log-facility=/dev/stdout \
+	${RESOLV_CONF:+ -r $RESOLV_CONF} \
+	${DNSMASQ_OPTS} \
+	-u dnsmasq

debian/init

@@ -8,18 +8,20 @@
 # Description:    DHCP and DNS server
 ### END INIT INFO
 
-set +e   # Don't exit on error status
+# Don't exit on error status
+set +e
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 DAEMON=/usr/sbin/dnsmasq
 NAME=dnsmasq
 DESC="DNS forwarder and DHCP server"
+INSTANCE="${2}"
 
 # Most configuration options in /etc/default/dnsmasq are deprecated
 # but still honoured.
 ENABLED=1
-if [ -r /etc/default/$NAME ]; then
-	. /etc/default/$NAME
+if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
+    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
 fi
 
 # Get the system locale, so that messages are in the correct language, and the
@@ -29,13 +31,12 @@ if [ -r /etc/default/locale ]; then
     export LANG
 fi
 
-# /etc/dnsmasq.d/README is a non-conffile installed by the dnsmasq package.
-# Should the dnsmasq package be removed, the following test ensures that
-# the daemon is no longer started, even if the dnsmasq-base package is
-# still in place.
-test -e /etc/dnsmasq.d/README || exit 0
+# The following test ensures the dnsmasq service is not started, when the
+# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
+# package is still in place.
+test -e /usr/share/dnsmasq/installed-marker || exit 0
 
-test -x $DAEMON || exit 0
+test -x ${DAEMON} || exit 0
 
 # Provide skeleton LSB log functions for backports which don't have LSB functions.
 if [ -f /lib/lsb/init-functions ]; then
@@ -50,13 +51,13 @@ else
     }
 
     log_daemon_msg () {
-            echo -n "${1}: $2"
+        echo -n "${1}: ${2}"
     }
 
     log_end_msg () {
-            if [ $1 -eq 0 ]; then
+        if [ "${1}" -eq 0 ]; then
             echo "."
-            elif [ $1 -eq 255 ]; then
+        elif [ "${1}" -eq 255 ]; then
             /bin/echo -e " (warning)."
         else
             /bin/echo -e " failed!"
@@ -77,22 +78,22 @@ fi
 # override it just by configuration in /etc/dnsmasq.conf, it is necessary
 # to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
 
-if [ ! "$RESOLV_CONF" ] &&
-   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
+if [ ! "${RESOLV_CONF}" ] &&
+   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
    [ -x /sbin/resolvconf ]
 then
-	RESOLV_CONF=/var/run/dnsmasq/resolv.conf
+    RESOLV_CONF=/run/dnsmasq/resolv.conf
 fi
 
-for INTERFACE in $DNSMASQ_INTERFACE; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
+for INTERFACE in ${DNSMASQ_INTERFACE}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
 done
 
-for INTERFACE in $DNSMASQ_EXCEPT; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
+for INTERFACE in ${DNSMASQ_EXCEPT}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
 done
 
-if [ ! "$DNSMASQ_USER" ]; then
+if [ ! "${DNSMASQ_USER}" ]; then
    DNSMASQ_USER="dnsmasq"
 fi
 
@@ -102,16 +103,16 @@ fi
 # have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
 # from being vulnerable to DNS-reflection attacks.
 
-DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
 
 # If the dns-root-data package is installed, then the trust anchors will be
-# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
 # --trust-anchor options.
 
 ROOT_DS="/usr/share/dns/root.ds"
 
-if [ -f $ROOT_DS ]; then
-   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`" 
+if [ -f ${ROOT_DS} ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
 fi
 
 start()
@@ -121,26 +122,27 @@ start()
     #   1 if daemon was already running
     #   2 if daemon could not be started
 
-        # /var/run may be volatile, so we need to ensure that
-        # /var/run/dnsmasq exists here as well as in postinst
-        if [ ! -d /var/run/dnsmasq ]; then
-           mkdir /var/run/dnsmasq || return 2
-           chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
     fi
+    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
 
-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- \
-		-x /var/run/dnsmasq/$NAME.pid \
-	        ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-		${MAILTARGET:+ -t $MAILTARGET} \
-		${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-		${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-		${DHCP_LEASE:+ -l $DHCP_LEASE} \
-		${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-		${RESOLV_CONF:+ -r $RESOLV_CONF} \
-		${CACHESIZE:+ -c $CACHESIZE} \
-	        ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-		${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
+        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
         || return 2
 }
 
@@ -149,13 +151,17 @@ start_resolvconf()
 # If interface "lo" is explicitly disabled in /etc/default/dnsmasq
 # Then dnsmasq won't be providing local DNS, so don't add it to
 # the resolvconf server set.
-	for interface in $DNSMASQ_EXCEPT
-	do
-		[ $interface = lo ] && return
+    for interface in ${DNSMASQ_EXCEPT}; do
+        [ ${interface} = lo ] && return
     done
 
+    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+    if grep -qs '^port=0' /etc/dnsmasq.conf; then
+        return
+    fi
+
     if [ -x /sbin/resolvconf ] ; then
-		echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
+        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
     fi
     return 0
 }
@@ -167,13 +173,13 @@ stop()
     #   1 if daemon was already stopped
     #   2 if daemon could not be stopped
     #   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid --name $NAME
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
 }
 
 stop_resolvconf()
 {
     if [ -x /sbin/resolvconf ] ; then
-		/sbin/resolvconf -d lo.$NAME
+        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
     fi
     return 0
 }
@@ -185,20 +191,20 @@ status()
     #   1 if daemon is dead and pid file exists
     #   3 if daemon is not running
     #   4 if daemon status is unknown
-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
-	case "$?" in
-		0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
+    case "${?}" in
+      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
       1) return 0 ;;
       *) return 4 ;;
     esac
 }
 
-case "$1" in
+case "${1}" in
   start)
-	test "$ENABLED" != "0" || exit 0
-	log_daemon_msg "Starting $DESC" "$NAME"
+    test "${ENABLED}" != "0" || exit 0
+    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
     start
-	case "$?" in
+    case "${?}" in
       0)
         log_end_msg 0
         start_resolvconf
@@ -216,40 +222,45 @@ case "$1" in
     ;;
   stop)
     stop_resolvconf
-	if [ "$ENABLED" != "0" ]; then
-             log_daemon_msg "Stopping $DESC" "$NAME"
+    if [ "${ENABLED}" != "0" ]; then
+        log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
     fi
     stop
-        RETVAL="$?"
-	if [ "$ENABLED" = "0" ]; then
-	    case "$RETVAL" in
-	       0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
+    RETVAL="${?}"
+    if [ "${ENABLED}" = "0" ]; then
+        case "${RETVAL}" in
+          0) log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"; log_end_msg 0 ;;
         esac
         exit 0
     fi
-	case "$RETVAL" in
+    case "${RETVAL}" in
       0) log_end_msg 0 ; exit 0 ;;
       1) log_warning_msg "(not running)" ; exit 0 ;;
       *) log_end_msg 1; exit 1 ;;
     esac
     ;;
+  checkconfig)
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+    RETVAL="${?}"
+    exit ${RETVAL}
+    ;;
   restart|force-reload)
-	test "$ENABLED" != "0" || exit 1
-	$DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
+    test "${ENABLED}" != "0" || exit 1
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+    if [ ${?} -ne 0 ]; then
         NAME="configuration syntax check"
         RETVAL="2"
     else
         stop_resolvconf
         stop
-	    RETVAL="$?"
+        RETVAL="${?}"
     fi
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	case "$RETVAL" in
+    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    case "${RETVAL}" in
       0|1)
         sleep 2
         start
-			case "$?" in
+        case "${?}" in
           0)
             log_end_msg 0
             start_resolvconf
@@ -268,9 +279,9 @@ case "$1" in
     esac
     ;;
   status)
-	log_daemon_msg "Checking $DESC" "$NAME"
+    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
     status
-	case "$?" in
+    case "${?}" in
       0) log_success_msg "(running)" ; exit 0 ;;
       1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
       3) log_success_msg "(not running)" ; exit 3 ;;
@@ -278,7 +289,7 @@ case "$1" in
     esac
     ;;
   dump-stats)
-        kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid`
+    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
     ;;
   systemd-start-resolvconf)
     start_resolvconf
@@ -287,29 +298,28 @@ case "$1" in
     stop_resolvconf
     ;;
   systemd-exec)
-# /var/run may be volatile, so we need to ensure that
-        # /var/run/dnsmasq exists here as well as in postinst
-        if [ ! -d /var/run/dnsmasq ]; then
-           mkdir /var/run/dnsmasq || return 2
-           chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
     fi
-	exec $DAEMON -x /var/run/dnsmasq/$NAME.pid \
-	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-	    ${MAILTARGET:+ -t $MAILTARGET} \
-	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-	    ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-	    ${DHCP_LEASE:+ -l $DHCP_LEASE} \
-	    ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-	    ${RESOLV_CONF:+ -r $RESOLV_CONF} \
-	    ${CACHESIZE:+ -c $CACHESIZE} \
-	    ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-	    ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} 
+    exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
     ;;
   *)
-	echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
+    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
     exit 3
     ;;
 esac
 
 exit 0
-

debian/installed-marker

@@ -0,0 +1,2 @@
+# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
+# It is an implementation detail of the dnsmasq init script.

debian/lintian-override

@@ -0,0 +1,3 @@
+# dnsmasq-base and dnsmasq-base-lua are mutually exclusive and both
+# provide /usr/share/doc/dnsmasq-base
+dnsmasq-base-lua binary: usr-share-doc-symlink-without-dependency dnsmasq-base

debian/postinst

@@ -21,7 +21,7 @@ if [ -x /etc/init.d/dnsmasq ]; then
    update-rc.d dnsmasq defaults 15 85 >/dev/null
 
    if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /var/run/dnsmasq/dnsmasq.pid ]; then
+      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
           ACTION=restart
       else
           ACTION=start

debian/readme

@@ -31,7 +31,7 @@ Notes on configuring dnsmasq as packaged for Debian.
     as the first nameserver address in /etc/resolv.conf.
 
 (6) In the absence of resolvconf, dns-nameservers lines in 
-    /etc/network/interfaces are ignored. If you do do not use
+    /etc/network/interfaces are ignored. If you do not use
     resolvconf, list 127.0.0.1 as the first nameserver address
     in /etc/resolv.conf and configure your nameservers using
     "server=<IP-address>" lines in /etc/dnsmasq.conf.
@@ -54,7 +54,7 @@ Notes on configuring dnsmasq as packaged for Debian.
       nodhcp      : omit DHCP support.
       nodhcp6     : omit DHCPv6 support.
       noscript    : omit lease-change script support.
-      use_lua     : provide support for lease-change scripts written
+      uselua      : provide support for lease-change scripts written
                     in Lua.
       noipv6      : omit IPv6 support.
       nodbus      : omit DBus support.
@@ -66,7 +66,7 @@ Notes on configuring dnsmasq as packaged for Debian.
                     combined with noi18n to be effective.
       gitversion  : set the version of the produced packages from the
                     git-derived versioning information on the source,
-                    rather the the debian changelog. 
+                    rather than the debian changelog. 
 
 (9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
     dnsmasq. Dnsmasq-base provides the dnsmasq executable and

debian/resolvconf

@@ -13,7 +13,7 @@
 
 set -e
 
-RUN_DIR="/var/run/dnsmasq"
+RUN_DIR="/run/dnsmasq"
 RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
 TMP_FILE="${RSLVRLIST_FILE}_new.$$"
 MY_NAME_FOR_RESOLVCONF="dnsmasq"

debian/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 # debian/rules file - for dnsmasq.
-# Copyright 2001-2011 by Simon Kelley
+# Copyright 2001-2020 by Simon Kelley
 # Based on the sample in the debian hello package which carries the following:
 # Copyright 1994,1995 by Ian Jackson.
 # I hereby give you perpetual unlimited permission to copy,
@@ -11,7 +11,7 @@
 
 package=dnsmasq-base
 
-dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all" dpkg-buildflags
+dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
 
 CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
 CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
@@ -24,8 +24,21 @@ DEB_COPTS = $(COPTS)
 TARGET = install-i18n
 
 DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
 
+ifeq ($(origin CC),default)
+     CC = $(DEB_HOST_GNU_TYPE)-gcc
+endif
+
+# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
+ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+     PKG_CONFIG=pkg-config
+else
+     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
+endif
+
 # Force package version based on git tags.
 ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
      PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
@@ -35,6 +48,10 @@ ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
      DEB_COPTS += -DHAVE_DBUS
 endif
 
+ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
+	DEB_COPTS += -DHAVE_LIBIDN2
+endif
+
 ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
 ifeq ($(DEB_HOST_ARCH_OS),linux)
      DEB_COPTS += -DHAVE_CONNTRACK
@@ -71,9 +88,6 @@ endif
 
 ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
      TARGET = install
-     ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_IDN
-     endif	
 endif
 
 ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
@@ -84,128 +98,191 @@ ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
      DEB_COPTS += -DHAVE_DNSSEC
 endif
 
-ifneq ($(DEB_HOST_ARCH_OS),linux)
+ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
      # For strlcpy in FreeBSD
-     LDFLAGS += -lbsd
+     LIBS += $(shell ${PKG_CONFIG} --libs libbsd-overlay)
+     CFLAGS += $(shell ${PKG_CONFIG} --cflags libbsd-overlay)
 endif
 
-clean:
-	$(checkdir)
-	rm -rf debian/daemon debian/base debian/utils debian/*~ debian/files debian/substvars debian/utils-substvars
-	make clean
-	make -C contrib/wrt clean
-
-binary-indep:	checkroot
-	$(checkdir)
-	rm -rf debian/daemon
+define build_tree
+	rm -rf $1
 	install -m 755 \
-	        -d debian/daemon/DEBIAN \
-		-d debian/daemon/usr/share/doc \
-	        -d debian/daemon/etc/init.d \
-		-d debian/daemon/etc/dnsmasq.d \
-	        -d debian/daemon/etc/resolvconf/update.d \
-		-d debian/daemon/usr/lib/resolvconf/dpkg-event.d \
-	        -d debian/daemon/etc/default \
-		-d debian/daemon/lib/systemd/system \
-                -d debian/daemon/etc/insserv.conf.d
-	install -m 644 debian/conffiles debian/daemon/DEBIAN
-	install -m 755 debian/postinst debian/postrm debian/prerm debian/daemon/DEBIAN
-	install -m 755 debian/init debian/daemon/etc/init.d/dnsmasq
-	install -m 755 debian/resolvconf debian/daemon/etc/resolvconf/update.d/dnsmasq
-	install -m 755 debian/resolvconf-package debian/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
-	install -m 644 debian/default debian/daemon/etc/default/dnsmasq
-	install -m 644 dnsmasq.conf.example debian/daemon/etc/dnsmasq.conf
-	install -m 644 debian/readme.dnsmasq.d debian/daemon/etc/dnsmasq.d/README
-	install -m 644 debian/systemd.service debian/daemon/lib/systemd/system/dnsmasq.service
-	install -m 644 debian/insserv debian/daemon/etc/insserv.conf.d/dnsmasq
-	ln -s $(package) debian/daemon/usr/share/doc/dnsmasq
-	cd debian/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/daemon
-	find debian/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/daemon
-	chmod -R g-ws debian/daemon
-	dpkg --build debian/daemon ..
+		-d $1/DEBIAN \
+		-d $1/etc/dbus-1/system.d \
+	        -d $1/usr/share/doc/$(package) \
+		-d $1/usr/share/doc/$(package)/examples \
+		-d $1/usr/share/$(package) \
+	        -d $1/var/lib/misc
 
-binary-arch:	checkroot 
-	$(checkdir)
-	rm -rf debian/base
-	install -m 755 \
-		-d debian/base/DEBIAN \
-		-d debian/base/etc/dbus-1/system.d \
-	        -d debian/base/usr/share/doc/$(package) \
-		-d debian/base/usr/share/doc/$(package)/examples \
-	        -d debian/base/var/run \
-		-d debian/base/usr/share/$(package) \
-	        -d debian/base/var/lib/misc
-	make $(TARGET) PREFIX=/usr DESTDIR=`pwd`/debian/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+endef
+
+define add_docs
 # Need to remove paypal links in Debian Package for policy reasons.
-	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >debian/base/usr/share/doc/$(package)/doc.html
-	echo "</BODY>" >>debian/base/usr/share/doc/$(package)/doc.html 
-	install -m 644 setup.html debian/base/usr/share/doc/$(package)/.
-	install -m 644 dnsmasq.conf.example debian/base/usr/share/doc/$(package)/examples/.
-	install -m 644 trust-anchors.conf debian/base/usr/share/$(package)/.
-	install -m 644 FAQ debian/base/usr/share/doc/$(package)/.
-	gzip -9n debian/base/usr/share/doc/$(package)/FAQ
-	install -m 644 CHANGELOG debian/base/usr/share/doc/$(package)/changelog
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog
-	install -m 644 CHANGELOG.archive debian/base/usr/share/doc/$(package)/changelog.archive
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog.archive
-	install -m 644 dbus/DBus-interface debian/base/usr/share/doc/$(package)/.
-	gzip -9n debian/base/usr/share/doc/$(package)/DBus-interface	
-endif
-	install -m 644 debian/dnsmasq-base.conffiles debian/base/DEBIAN/conffiles
-	install -m 755 debian/dnsmasq-base.postinst debian/base/DEBIAN/postinst
-	install -m 755 debian/dnsmasq-base.postrm  debian/base/DEBIAN/postrm
-	install -m 644 debian/changelog debian/base/usr/share/doc/$(package)/changelog.Debian
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog.Debian
-	install -m 644 debian/readme debian/base/usr/share/doc/$(package)/README.Debian
-	install -m 644 debian/copyright debian/base/usr/share/doc/$(package)/copyright
-	install -m 644 debian/dbus.conf debian/base/etc/dbus-1/system.d/dnsmasq.conf
-	gzip -9n debian/base/usr/share/man/man8/dnsmasq.8
-	for f in debian/base/usr/share/man/*; do \
+	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >$1/usr/share/doc/$(package)/doc.html
+	echo "</BODY>" >>$1/usr/share/doc/$(package)/doc.html 
+	install -m 644 setup.html $1/usr/share/doc/$(package)/.
+	install -m 644 dnsmasq.conf.example $1/usr/share/doc/$(package)/examples/.
+	install -m 644 FAQ $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/FAQ
+	install -m 644 CHANGELOG $1/usr/share/doc/$(package)/changelog
+	gzip -9n $1/usr/share/doc/$(package)/changelog
+	install -m 644 CHANGELOG.archive $1/usr/share/doc/$(package)/changelog.archive
+	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
+	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
+	install -m 644 debian/systemd_howto $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/systemd_howto
+	gzip -9n $1/usr/share/man/man8/dnsmasq.8
+	for f in $1/usr/share/man/*; do \
 		if [ -f $$f/man8/dnsmasq.8 ]; then \
                        gzip -9n $$f/man8/dnsmasq.8 ; \
                 fi \
 	done
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	strip -R .note -R .comment debian/base/usr/sbin/dnsmasq
+endef
+
+define add_files
+	install -m 644 trust-anchors.conf $1/usr/share/$(package)/.
+	install -m 644 debian/dnsmasq-base.conffiles $1/DEBIAN/conffiles
+	install -m 755 debian/dnsmasq-base.postinst $1/DEBIAN/postinst
+	install -m 755 debian/dnsmasq-base.postrm  $1/DEBIAN/postrm
+	install -m 644 debian/changelog $1/usr/share/doc/$(package)/changelog.Debian
+	gzip -9n $1/usr/share/doc/$(package)/changelog.Debian
+	install -m 644 debian/readme $1/usr/share/doc/$(package)/README.Debian
+	install -m 644 debian/copyright $1/usr/share/doc/$(package)/copyright
+	install -m 644 debian/dbus.conf $1/etc/dbus-1/system.d/dnsmasq.conf
+endef
+
+clean:
+	$(checkdir)
+	make BUILDDIR=debian/build/no-lua clean
+	make BUILDDIR=debian/build/lua clean
+	make -C contrib/lease-tools clean
+	rm -rf debian/build debian/trees debian/*~ debian/files debian/substvars debian/utils-substvars
+
+binary-indep:	checkroot
+	$(checkdir)
+	rm -rf debian/trees/daemon
+	install -m 755 \
+	        -d debian/trees/daemon/DEBIAN \
+		-d debian/trees/daemon/usr/share/doc/dnsmasq \
+	        -d debian/trees/daemon/etc/init.d \
+		-d debian/trees/daemon/etc/dnsmasq.d \
+	        -d debian/trees/daemon/etc/resolvconf/update.d \
+		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
+		-d debian/trees/daemon/usr/share/dnsmasq \
+		-d debian/trees/daemon/usr/share/doc/dnsmasq \
+	        -d debian/trees/daemon/etc/default \
+		-d debian/trees/daemon/lib/systemd/system \
+		-d debian/trees/daemon/usr/lib/tmpfiles.d \
+                -d debian/trees/daemon/etc/insserv.conf.d
+	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
+	install -m 755 debian/postinst debian/postrm debian/prerm debian/trees/daemon/DEBIAN
+	if ! dpkg-vendor --derives-from Ubuntu; then \
+                rm -f debian/dnsmasq.postinst.debhelper debian/dnsmasq.postrm.debhelper; \
+	      	dh_runit -pdnsmasq -Pdebian/trees/daemon; \
+		cat debian/dnsmasq.postinst.debhelper >> debian/trees/daemon/DEBIAN/postinst; \
+		cat debian/dnsmasq.postrm.debhelper   >> debian/trees/daemon/DEBIAN/postrm; \
+		cd debian/trees/daemon && find etc/sv -type f -printf '/%p\n' >>DEBIAN/conffiles; \
+	fi
+	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
+	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
+	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
+	install -m 644 debian/installed-marker debian/trees/daemon/usr/share/dnsmasq
+	install -m 644 debian/default debian/trees/daemon/etc/default/dnsmasq
+	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
+	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
+	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
+	install -m 644 debian/systemd@.service debian/trees/daemon/lib/systemd/system/dnsmasq@.service
+	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
+	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
+	install -m 644 debian/copyright debian/trees/daemon/usr/share/doc/dnsmasq/copyright
+	install -m 644 debian/changelog debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
+	gzip -9n debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
+	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
+	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/dnsmasq.substvars -pdnsmasq -Pdebian/trees/daemon
+	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/daemon
+	chmod -R g-ws debian/trees/daemon
+	dpkg --build debian/trees/daemon ..
+
+binary-arch:	checkroot 
+	$(call build_tree,debian/trees/base)
+	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	$(call add_docs,debian/trees/base)
+else	
+	rm -rf debian/trees/base/usr/share/man
 endif
-	cd debian/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/base
-	find debian/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/base
-	chmod -R g-ws debian/base 
-	dpkg --build debian/base ..
+	$(call add_files,debian/trees/base)
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/base/usr/sbin/dnsmasq
+endif
+	cd debian/trees/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps --warnings=1 debian/trees/base/usr/sbin/dnsmasq
+	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/trees/base
+	find debian/trees/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/base
+	chmod -R g-ws debian/trees/base 
+	dpkg --build debian/trees/base ..
+
+	$(call build_tree,debian/trees/lua-base)
+	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	$(call add_docs,debian/trees/lua-base)
+else	
+	rm -rf debian/trees/lua-base/usr/share/man
+endif
+	$(call add_files,debian/trees/lua-base)
+	install -m 755 -d debian/trees/lua-base/usr/share/lintian/overrides
+	install -m 644 debian/lintian-override debian/trees/lua-base/usr/share/lintian/overrides/dnsmasq-base-lua
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/lua-base/usr/sbin/dnsmasq
+endif
+	ln -s $(package) debian/trees/lua-base/usr/share/doc/dnsmasq-base-lua
+	cd debian/trees/lua-base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps --warnings=1 debian/trees/lua-base/usr/sbin/dnsmasq
+	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base-lua -Pdebian/trees/lua-base
+	find debian/trees/lua-base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/lua-base
+	chmod -R g-ws debian/trees/lua-base 
+	dpkg --build debian/trees/lua-base ..
+
 
 ifeq ($(DEB_HOST_ARCH_OS),linux)
-	rm -rf debian/utils
-	install -m 755 -d debian/utils/DEBIAN \
-                       -d debian/utils/usr/share/man/man1 \
-	               -d debian/utils/usr/bin \
-                       -d debian/utils/usr/share/doc/dnsmasq-utils
-	make -C contrib/wrt PREFIX=/usr DESTDIR=`pwd`/debian/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc
-	install -m 755 contrib/wrt/dhcp_release debian/utils/usr/bin/dhcp_release
-	install -m 644 contrib/wrt/dhcp_release.1 debian/utils/usr/share/man/man1/dhcp_release.1
-	gzip -9n debian/utils/usr/share/man/man1/dhcp_release.1
-	install -m 755 contrib/wrt/dhcp_lease_time debian/utils/usr/bin/dhcp_lease_time
-	install -m 644 contrib/wrt/dhcp_lease_time.1 debian/utils/usr/share/man/man1/dhcp_lease_time.1
-	install -m 644 debian/copyright debian/utils/usr/share/doc/dnsmasq-utils/copyright
-	install -m 644 debian/changelog debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/utils/usr/share/man/man1/dhcp_lease_time.1
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	strip -R .note -R .comment debian/utils/usr/bin/dhcp_release
-	strip -R .note -R .comment debian/utils/usr/bin/dhcp_lease_time
+	rm -rf debian/trees/utils
+	install -m 755 -d debian/trees/utils/DEBIAN \
+	               -d debian/trees/utils/usr/bin \
+                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	install -m 755 -d debian/trees/utils/usr/share/man/man1
 endif
-	cd debian/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps -Tdebian/utils-substvars debian/utils/usr/bin/dhcp_release debian/utils/usr/bin/dhcp_lease_time
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/utils
-	find debian/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/utils
-	chmod -R g-ws debian/utils 
-	dpkg --build debian/utils ..
+	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
+	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
+	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
+	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release6.1
+	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
+	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
+endif
+	install -m 644 debian/copyright debian/trees/utils/usr/share/doc/dnsmasq-utils/copyright
+	install -m 644 debian/changelog debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
+	gzip -9n debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release6
+	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_lease_time
+endif	
+	cd debian/trees/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
+	dpkg-shlibdeps -Tdebian/utils-substvars debian/trees/utils/usr/bin/dhcp_release debian/trees/utils/usr/bin/dhcp_release6 debian/trees/utils/usr/bin/dhcp_lease_time 
+	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/trees/utils
+	find debian/trees/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	chown -R root.root debian/trees/utils
+	chmod -R g-ws debian/trees/utils 
+	dpkg --build debian/trees/utils ..
 endif
 
 define checkdir

debian/systemd.service

@@ -1,13 +1,16 @@
 [Unit]
 Description=dnsmasq - A lightweight DHCP and caching DNS server
 Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
 
 [Service]
 Type=forking
-PIDFile=/var/run/dnsmasq/dnsmasq.pid
+PIDFile=/run/dnsmasq/dnsmasq.pid
 
 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStartPre=/etc/init.d/dnsmasq checkconfig
 
 # We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
 # wrapper picking up extra configuration files and then execs dnsmasq
@@ -15,9 +18,9 @@ ExecStartPre=/usr/sbin/dnsmasq --test
 ExecStart=/etc/init.d/dnsmasq systemd-exec
 
 # The systemd-*-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called liek
+# resolvconf to work with the dnsmasq DNS server. They're called like
 # this to get correct error handling (ie don't start-resolvconf if the
-# dnsmasq daemon fails to start.
+# dnsmasq daemon fails to start).
 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
 

debian/systemd@.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=dnsmasq (%i) - A lightweight DHCP and caching DNS server
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/dnsmasq/dnsmasq.%i.pid
+
+# Test the config file and refuse starting if it is not valid.
+ExecStartPre=/etc/init.d/dnsmasq checkconfig "%i"
+
+# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
+# wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "systemd-exec" function.
+ExecStart=/etc/init.d/dnsmasq systemd-exec "%i"
+
+# The systemd-*-resolvconf functions configure (and deconfigure)
+# resolvconf to work with the dnsmasq DNS server. They're called like
+# this to get correct error handling (ie don't start-resolvconf if the
+# dnsmasq daemon fails to start).
+ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf "%i"
+ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf "%i"
+
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

debian/systemd_howto

@@ -0,0 +1,41 @@
+HOWTO
+=====
+dnsmasq comes with the possibility to run multiple systemd service instances on the same machine.
+There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`.
+
+Additional service instances can be enabled via `systemctl enable dnsmasq@<instance name>.service` that use the configuration from `/etc/default/dnsmasq.<instance name>`.
+It is recommended to use a separate configuration file and directory for each instance.
+Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions.
+
+Example setup for an instance called "alt"
+#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf`
+#2 Directory `/etc/dnsmasq.alt.d`
+#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions:
+   * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory.
+     DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..."
+     CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
+   * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver.
+     DNSMASQ_EXCEPT="lo"
+  * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used:
+    DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..."
+    Additionally the main instance must be stopped from binding to interfaces that are used by other instances:
+    DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..."
+  * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used:
+    IGNORE_RESOLVCONF=yes
+#4 Enable additional instance via `systemctl enable dnsmasq@alt.service`
+#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service`
+
+
+
+TODO
+====
+#1 - Found shortcoming on 2019-03-10
+Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver.
+This may interfere with the wish to run an additional instance on a different port on the localhost addresses.
+My suggestion in the initial Debian report [1] was to specify an explicit variable for this.
+
+[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5
+
+
+#2 - Preferred configuration way
+Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface?  (while "lo" still has to be in DNSMASQ_EXCEPT as of now)

debian/tmpfiles.conf

@@ -0,0 +1 @@
+d /run/dnsmasq 755 dnsmasq nogroup

dnsmasq.conf.example

@@ -90,7 +90,7 @@
 # server=10.1.2.3@eth1
 
 # and this sets the source (ie local) address used to talk to
-# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
 # IP on the machine, obviously).
 # server=10.1.2.3@192.168.1.1#55
 
@@ -189,7 +189,7 @@
 # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
 # hosts. Use the DHCPv4 lease to derive the name, network segment and 
 # MAC address and assume that the host will also have an
-# IPv6 address calculated using the SLAAC alogrithm.
+# IPv6 address calculated using the SLAAC algorithm.
 #dhcp-range=1234::, ra-names
 
 # Do Router Advertisements, BUT NOT DHCP for this subnet.
@@ -210,7 +210,7 @@
 #dhcp-range=1234::, ra-stateless, ra-names
 
 # Do router advertisements for all subnets where we're doing DHCPv6
-# Unless overriden by ra-stateless, ra-names, et al, the router 
+# Unless overridden by ra-stateless, ra-names, et al, the router 
 # advertisements will have the M and O bits set, so that the clients
 # get addresses and configuration from DHCPv6, and the A bit reset, so the 
 # clients don't use SLAAC addresses.
@@ -251,7 +251,7 @@
 # the IP address 192.168.0.60
 #dhcp-host=id:01:02:02:04,192.168.0.60
 
-# Always give the Infiniband interface with hardware address
+# Always give the InfiniBand interface with hardware address
 # 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
 # ip address 192.168.0.61. The client id is derived from the prefix
 # ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
@@ -288,7 +288,7 @@
 # Give a fixed IPv6 address and name to client with 
 # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
-# Note also the they [] around the IPv6 address are obilgatory.
+# Note also that the [] around the IPv6 address are obligatory.
 #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
 
 # Ignore any clients which are not specified in dhcp-host lines
@@ -354,11 +354,11 @@
 
 # Set option 58 client renewal time (T1). Defaults to half of the
 # lease time if not specified. (RFC2132)
-#dhcp-option=option:T1:1m
+#dhcp-option=option:T1,1m
 
 # Set option 59 rebinding time (T2). Defaults to 7/8 of the
 # lease time if not specified. (RFC2132)
-#dhcp-option=option:T2:2m
+#dhcp-option=option:T2,2m
 
 # Set the NTP time server address to be the same machine as
 # is running dnsmasq
@@ -436,22 +436,22 @@
 #dhcp-option-force=211,30i
 
 # Set the boot filename for netboot/PXE. You will only need
-# this is you want to boot machines over the network and you will need
-# a TFTP server; either dnsmasq's built in TFTP server or an
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
 # external one. (See below for how to enable the TFTP server.)
 #dhcp-boot=pxelinux.0
 
 # The same as above, but use custom tftp-server instead machine running dnsmasq
 #dhcp-boot=pxelinux,server.name,192.168.1.100
 
-# Boot for Etherboot gPXE. The idea is to send two different
-# filenames, the first loads gPXE, and the second tells gPXE what to
-# load. The dhcp-match sets the gpxe tag for requests from gPXE.
-#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
-#dhcp-boot=tag:!gpxe,undionly.kpxe
-#dhcp-boot=mybootimage
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
 
-# Encapsulated options for Etherboot gPXE. All the options are
+# Encapsulated options for iPXE. All the options are
 # encapsulated within option 175
 #dhcp-option=encap:175, 1, 5b         # priority code
 #dhcp-option=encap:175, 176, 1b       # no-proxydhcp
@@ -525,7 +525,7 @@
 # (using /etc/hosts) then that name can be specified as the
 # tftp_servername (the third option to dhcp-boot) and in that
 # case dnsmasq resolves this name and returns the resultant IP
-# addresses in round robin fasion. This facility can be used to
+# addresses in round robin fashion. This facility can be used to
 # load balance the tftp load among a set of servers.
 #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
 
@@ -547,6 +547,14 @@
 # http://www.isc.org/files/auth.html
 #dhcp-authoritative
 
+# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
+# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
+# option with a DHCPACK including a Rapid Commit option and fully committed address
+# and configuration information. This must only be enabled if either the server is 
+# the only server for the subnet, or multiple servers are present and they each
+# commit a binding for all clients.
+#dhcp-rapid-commit
+
 # Run an executable when a DHCP lease is created or destroyed.
 # The arguments sent to the script are "add" or "del",
 # then the MAC address, the IP address and finally the hostname
@@ -664,3 +672,8 @@
 
 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore

doc.html

@@ -18,7 +18,7 @@ Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmas
 
 <P>
 The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and
-cacheing of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled). 
+caching of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled). 
 <DIR>
 <LI>Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.</LI>
 <LI>Upstream servers can be configured in a variety of convenient ways, including  dynamic configuration as these change on moving upstream network.
@@ -66,6 +66,10 @@ the repo, or get a copy using git protocol with the command
 
 <PRE><TT>git clone git://thekelleys.org.uk/dnsmasq.git </TT></PRE>
 
+or
+
+<PRE><TT>git clone http://thekelleys.org.uk/git/dnsmasq.git </TT></PRE>
+
 <H2>License.</H2>
 Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution 
 for details.

man/es/dnsmasq.8

@@ -478,7 +478,8 @@ la traza reversa direcci
 .TP
 .B \-c, --cache-size=<tamaño de caché>
 Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
-Fijar el tamaño a cero deshabilita el caché.
+Fijar el tamaño a cero deshabilita el caché. Nota: el gran tamaño de
+caché afecta el rendimiento.
 .TP
 .B \-N, --no-negcache
 Deshabilitar caché negativo. El caché negativo le permite a dnsmasq

man/fr/dnsmasq.8

@@ -10,7 +10,7 @@ est un serveur à faible empreinte mémoire faisant DNS, TFTP, PXE, annonces de
 routeurs et DHCP. Il offre à la fois les services DNS et DHCP pour un réseau
 local (LAN).
 .PP
-Dnsmasq accepte les requêtes DNS et y réponds soit en utilisant un petit cache
+Dnsmasq accepte les requêtes DNS et y répond soit en utilisant un petit cache
 local, soit en effectuant une requête à un serveur DNS récursif externe (par
 exemple celui de votre fournisseur d'accès internet). Il charge le contenu du
 fichier /etc/hosts afin que les noms locaux n'apparaissant pas dans les DNS
@@ -19,25 +19,25 @@ pour les hôtes présents dans le service DHCP. Il peut aussi agir en temps que
 serveur DNS faisant autorité pour un ou plusieurs domaines, permettant à des
 noms locaux d'apparaitre dans le DNS global.
 .PP
-Le serveur DHCP Dnsmasq DHCP supporte les définitions d'adresses statiques et les
+Le serveur DHCP de Dnsmasq supporte les définitions d'adresses statiques et les
 réseaux multiples. Il fournit par défaut un jeu raisonnable de paramètres DHCP,
 et peut être configuré pour fournir n'importe quelle option DHCP.
 Il inclut un serveur TFTP sécurisé en lecture seule permettant le démarrage via
 le réseau/PXE de clients DHCP et supporte également le protocole BOOTP. Le
 support PXE est complet, et comprend un mode proxy permettant de fournir des
-informations PXE aux clients alors que l'allocation DHCP est effectuée par un
-autre serveur.
+informations PXE aux clients alors que l'allocation d'adresse via DHCP est
+effectuée par un autre serveur.
 .PP
-Le serveur DHCPv6 de dnsmasq possède non seulement les mêmes fonctionalités
+Le serveur DHCPv6 de dnsmasq possède non seulement les mêmes fonctionnalités
 que le serveur DHCPv4, mais aussi le support des annonces de routeurs ainsi
-qu'une fonctionalité permettant l'addition de ressources AAAA pour des
+qu'une fonctionnalité permettant l'addition de ressources AAAA pour des
 clients utilisant DHCPv4 et la configuration IPv6 sans état (stateless
 autoconfiguration).
 Il inclut le support d'allocations d'adresses (à la fois en DHCPv6 et en
 annonces de routeurs - RA) pour des sous-réseaux dynamiquement délégués via
 une délégation de préfixe DHCPv6.
 .PP
-Dnsmasq est developpé pour de petits systèmes embarqués. It tends à avoir
+Dnsmasq est développé pour de petits systèmes embarqués. Il tend à avoir
 l'empreinte mémoire la plus faible possible pour les fonctions supportées,
 et permet d'exclure les fonctions inutiles du binaire compilé.
 .SH OPTIONS
@@ -46,16 +46,23 @@ Dans ce cas, la fonction correspondante sera désactivée. Par exemple
 .B --pid-file=
 (sans paramètre après le =) désactive l'écriture du fichier PID.
 Sur BSD, à moins que le logiciel ne soit compilé avec la bibliothèque GNU
-getopt, la forme longue des options ne fonctionne pas en ligne de commande; Elle
+getopt, la forme longue des options ne fonctionne pas en ligne de commande; elle
 est toujours supportée dans le fichier de configuration.
 .TP
 .B --test
-Vérifie la syntaxe du ou des fichiers de configurations. Se termine avec le
+Vérifie la syntaxe du ou des fichiers de configuration. Se termine avec le
 code de retour 0 si tout est OK, ou un code différent de 0 dans le cas
 contraire. Ne démarre pas Dnsmasq.
 .TP
+.B \-w, --help
+Affiche toutes les options de ligne de commande.
+.B --help dhcp
+affiche les options de configuration connues pour DHCPv4, et
+.B --help dhcp6
+affiche les options de configuration connues pour DHCPv6.
+.TP
 .B \-h, --no-hosts
-Ne pas charger les noms du fichier /etc/hosts.
+Ne pas charger les noms d'hôtes du fichier /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<fichier>
 Fichiers d'hôtes additionnels. Lire le fichier spécifié en plus de /etc/hosts.
@@ -68,7 +75,7 @@ fichiers contenus dans ce répertoire.
 .B \-E, --expand-hosts
 Ajoute le nom de domaine aux noms simples (ne contenant pas de point dans le
 nom) contenus dans le fichier /etc/hosts, de la même façon que pour le service
-DHCP. Notez que cela ne s'applique pas au nom de domaine dans les CNAME, les
+DHCP. Notez que cela ne s'applique pas aux noms de domaine dans les CNAME, les
 enregistrements PTR, TXT, etc...
 .TP
 .B \-T, --local-ttl=<durée>
@@ -86,7 +93,7 @@ Les réponses négatives provenant des serveurs amonts contiennent normalement
 une information de durée de vie (time-to-live) dans les enregistrements SOA,
 information dont dnsmasq se sert pour mettre la réponse en cache. Si la réponse
 du serveur amont omet cette information, dnsmasq ne cache pas la réponse. Cette
-option permet de doner une valeur de durée de vie par défaut (en secondes) que
+option permet de donner une valeur de durée de vie par défaut (en secondes) que
 dnsmasq utilise pour mettre les réponses négatives dans son cache, même en
 l'absence d'enregistrement SOA.
 .TP
@@ -194,7 +201,7 @@ au dessus de la valeur spécifiée. Utile pour des systèmes derrière des dispo
 garde-barrières ("firewalls").
 .TP
 .B \-i, --interface=<nom d'interface>
-N'écouter que sur l'interface réseau spécifiée. Dnsmasq aujoute automatiquement
+N'écouter que sur l'interface réseau spécifiée. Dnsmasq ajoute automatiquement
 l'interface locale ("loopback") à la liste des interfaces lorsque l'option
 .B --interface
 est utilisée.
@@ -205,13 +212,13 @@ ou
 n'est donnée, Dnsmasq écoutera sur toutes les interfaces disponibles sauf
 celle(s) spécifiée(s) par l'option
 .B --except-interface.
-Les alias d'interfaces IP (e-g "eth1:0") ne peuvent être utilisés ni avec
+Les alias d'interfaces IP (par exemple "eth1:0") ne peuvent être utilisés ni avec
 .B --interface
 ni
 .B \--except-interface.
 Utiliser l'option 
 .B --listen-address
-à la place. Un simple joker, consistant d'un '*' final, peut-être utilisé dans
+à la place. Un simple joker, consistant en un '*' final, peut être utilisé dans
 les options
 .B \--interface 
 et
@@ -229,10 +236,10 @@ sont fournies n'importe pas, et que l'option
 .B --except-interface
 l'emporte toujours sur les autres.
 .TP
-.B --auth-server=<domaine>,<interface>|<addresse IP>
+.B --auth-server=<domaine>,<interface>|<adresse IP>
 Active le mode DNS faisant autorité pour les requêtes arrivant sur cette
 interface ou sur cette adresse. Noter que l'interface ou l'adresse n'ont
-pas besoin d'être mentionées ni dans
+pas besoin d'être mentionnées ni dans
 .B --interface
 ni dans
 .B --listen-address
@@ -253,7 +260,7 @@ Ecouter sur la ou les adresse(s) IP spécifiée(s). Les options
 .B \--interface
 et
 .B \--listen-address
-peuvent-être spécifiées simultanément, auquel cas un jeu d'interfaces et
+peuvent être spécifiées simultanément, auquel cas un jeu d'interfaces et
 d'adresses seront utilisées. Notez que si
 aucune option
 .B \--interface
@@ -265,7 +272,7 @@ nécessaire de fournir explicitement son adresse IP, 127.0.0.1 via l'option
 .B \--listen-address.
 .TP
 .B \-z, --bind-interfaces
-Sur les systèmes qui le supporte, Dnsmasq s'associe avec l'interface joker
+Sur les systèmes qui le supportent, Dnsmasq s'associe avec l'interface joker
 ("wildcard"), même lorsqu'il ne doit écouter que sur certaines interfaces. Par
 la suite, il rejette les requêtes auxquelles il ne doit pas répondre. Cette
 situation présente l'avantage de fonctionner même lorsque les interfaces vont
@@ -302,7 +309,7 @@ le réseau auquel ils sont attachés). Cette possibilité est actuellement limit
 .TP
 .B \-b, --bogus-priv
 Fausse résolution inverse pour les réseaux privés. Toutes les requêtes DNS
-inverses pour des adresses IP privées (ie 192.168.x.x, etc...) qui ne sont pas
+inverses pour des adresses IP privées (192.168.x.x, etc...) qui ne sont pas
 trouvées dans /etc/hosts ou dans le fichier de baux DHCP se voient retournées
 une réponse "pas de tel domaine" ("no such domain") au lieu d'être transmises
 aux serveurs de nom amont ("upstream server").
@@ -317,7 +324,7 @@ modifiera 1.2.3.56 en 6.7.8.56 et 1.2.3.67 en 6.7.8.67.
 Cette fonctionnalité correspond à ce que les routeurs Cisco PIX appellent
 "bidouillage DNS" ("DNS doctoring"). Si l'ancienne IP est donnée sous la forme
 d'une gamme d'adresses, alors seules les adresses dans cette gamme seront
-réecrites, et non le sous-réseau dans son ensemble. Ainsi,
+réécrites, et non le sous-réseau dans son ensemble. Ainsi,
 .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 fait correspondre 192.168.0.10->192.168.0.40 à 10.0.0.10->10.0.0.40
 .TP 
@@ -380,7 +387,7 @@ effectuer ses requêtes à tous les serveurs disponibles. Le résultat renvoyé
 au client sera celui fournit par le premier serveur ayant répondu.
 .TP
 .B --stop-dns-rebind
-Rejete (et enregistre dans le journal d'activité) les adresses dans la gamme
+Rejette (et enregistre dans le journal d'activité) les adresses dans la gamme
 d'adresses IP privée (au sens RFC1918) qui pourraient être renvoyées par les
 serveurs amonts suite à une résolution de nom. Cela bloque les attaques cherchant
 à détourner de leur usage les logiciels de navigation web ('browser') en s'en
@@ -389,13 +396,13 @@ servant pour découvrir les machines situées sur le réseau local.
 .B --rebind-localhost-ok
 Exclue 127.0.0/8 des vérifications de réassociation DNS. Cette gamme d'adresses
 est retournée par les serveurs Realtime Blackhole (RBL, utilisés dans la
-lutte contre le spam), la bloquer peut entraîner des disfonctionnements de ces
+lutte contre le spam), la bloquer peut entraîner des dysfonctionnements de ces
 services.
 .TP 
 .B  --rebind-domain-ok=[<domaine>]|[[/<domaine>/[<domaine>/]
 Ne pas détecter ni bloquer les actions de type dns-rebind pour ces domaines.
 Cette option peut prendre comme valeur soit un nom de domaine soit plusieurs
-noms de domains entourés par des '/', selon une syntaxe similaire à l'option
+noms de domaine entourés par des '/', selon une syntaxe similaire à l'option
 --server, c-à-d :
 .B  --rebind-domain-ok=/domaine1/domaine2/domaine3/
 .TP
@@ -474,7 +481,7 @@ serveur de nom. Il doit s'agir d'une des adresses IP appartenant à la machine s
 laquelle tourne Dnsmasq ou sinon la ligne sera ignorée et une erreur sera
 consignée dans le journal des événements, ou alors d'un nom d'interface. Si un nom
 d'interface est donné, alors les requêtes vers le serveur de nom seront envoyées
-depuis cette interface; si une adresse ip est donnée, alors l'adresse source de
+depuis cette interface; si une adresse IP est donnée, alors l'adresse source de
 la requête sera l'adresse en question. L'option query-port est ignorée pour tous
 les serveurs ayant une adresse source spécifiée, mais il est possible de la donner
 directement dans la spécification de l'adresse source. Forcer les requêtes à être
@@ -510,7 +517,7 @@ d'IP netfilter (ipset) indiqués. Domaines et sous-domaines sont résolus de la
 même façon que pour --address. Ces groupes d'IP doivent déjà exister. Voir
 ipset(8) pour plus de détails.
 .TP
-.B \-m, --mx-host=<nom de l'hôte>[[,<nom du MX>],<préference>]
+.B \-m, --mx-host=<nom de l'hôte>[[,<nom du MX>],<préférence>]
 Spécifie un enregistrement de type MX pour <nom de l'hôte> retournant le nom
 donné dans <nom du MX> (s'il est présent), ou sinon le nom spécifié dans
 l'option
@@ -612,7 +619,7 @@ l'enregistrement est donnée dans les données hexadécimales, qui peuvent
 être de la forme 01:23:45, 01 23 45,+012345 ou n'importe quelle combinaison.
 .TP
 .B --interface-name=<nom>,<interface>
-Définit un entregistrement DNS associant le nom avec l'adresse primaire sur
+Définit un enregistrement DNS associant le nom avec l'adresse primaire sur
 l'interface donnée en argument. Cette option spécifie un enregistrement de type
 A pour le nom donné en argument de la même façon que s'il était défini par une
 ligne de /etc/hosts, sauf que l'adresse n'est pas constante mais dépendante de
@@ -638,7 +645,7 @@ IPv6 pouvant commencer par '::', mais les noms DNS ne pouvant pas commencer
 par '-', si aucun préfixe n'est donné, un zéro est ajouté en début de nom.
 Ainsi, ::1 devient 0--1.
 
-La plage d'adresses peut-être de la forme
+La plage d'adresses peut être de la forme
 <adresse IP>,<adresse IP> ou <adresse IP>/<masque réseau>
 .TP
 .B --add-mac
@@ -647,7 +654,7 @@ amonts. Cela peut être utilisé dans un but de filtrage DNS par les serveurs
 amonts. L'adresse MAC peut uniquement être ajoutée si le requêteur est sur le
 même sous-réseau que le serveur dnsmasq. Veuillez noter que le mécanisme
 utilisé pour effectuer cela (une option EDNS0) n'est pas encore standardisée,
-aussi cette fonctionalité doit être considérée comme expérimentale. Notez
+aussi cette fonctionnalité doit être considérée comme expérimentale. Notez
 également qu'exposer les adresses MAC de la sorte peut avoir des implications
 en termes de sécurité et de vie privée. L'avertissement donné pour --add-subnet
 s'applique également ici.
@@ -659,19 +666,20 @@ longueur du préfixe : 32 (ou 128 dans le cas d'IPv6) transmet la totalité
 de l'adresse, 0 n'en transmet aucun mais marque néanmoins la requête ce qui
 fait qu'aucun serveur amont ne rajoutera d'adresse client. La valeur par
 défaut est zéro et pour IPv4 et pour IPv6. A noter que les serveurs amonts
-peuvent-être configurés pour retourner des valeurs différentes en fonction
+peuvent être configurés pour retourner des valeurs différentes en fonction
 de cette information mais que le cache de dnsmasq n'en tient pas compte.
-Si une instance de dnsmasq est configurée de telle maniêre que des valeurs
-différentes pourraient-être rencontrés, alors le cache devrait être désactivé.
+Si une instance de dnsmasq est configurée de telle manière que des valeurs
+différentes pourraient être rencontrées, alors le cache devrait être désactivé.
 .TP
 .B \-c, --cache-size=<taille>
 Définit la taille du cache de Dnsmasq. La valeur par défaut est de 150 noms.
-Définir une valeur de zéro désactive le cache.
+Définir une valeur de zéro désactive le cache. Remarque: la taille importante
+du cache a un impact sur les performances.
 .TP
 .B \-N, --no-negcache
 Désactive le "cache négatif". Le "cache négatif" permet à Dnsmasq de se souvenir
 des réponses de type "no such domain" fournies par les serveurs DNS en amont et
-de fournir les réponses sans avoir à re-transmettre les requêtes aux serveurs
+de fournir les réponses sans avoir à retransmettre les requêtes aux serveurs
 amont.
 .TP
 .B \-0, --dns-forward-max=<nombre de requêtes>
@@ -683,17 +691,17 @@ son journal des requêtes, ce qui peut générer un nombre important de requête
 simultanées.
 .TP
 .B --proxy-dnssec
-Un resolveur sur une machine cliente peut effectuer la validation DNSSEC de
+Un résolveur sur une machine cliente peut effectuer la validation DNSSEC de
 deux façons : il peut effectuer lui-même les opérations de chiffrements sur
 la réponse reçue, ou il peut laisser le serveur récursif amont faire la
 validation et positionner un drapeau dans la réponse au cas où celle-ci est
 correcte. Dnsmasq n'est pas un validateur DNSSEC, aussi il ne peut effectuer
 la validation comme un serveur de nom récursif, cependant il peut retransmettre
 les résultats de validation de ses serveurs amonts. Cette option permet
-l'activation de cette fonctionalité. Vous ne devriez utiliser cela que si vous
+l'activation de cette fonctionnalité. Vous ne devriez utiliser cela que si vous
 faites confiance aux serveurs amonts
 .I ainsi que le réseau entre vous et eux.
-Si vous utilisez le premier mode DNSSEC, la validation par le resolveur des
+Si vous utilisez le premier mode DNSSEC, la validation par le résolveur des
 clients, cette option n'est pas requise. Dnsmasq retourne toujours toutes les
 données nécessaires par un client pour effectuer la validation lui-même.
 .TP
@@ -703,12 +711,12 @@ Définie une zone DNS pour laquelle dnsmasq agit en temps que serveur faisant
 autorité. Les enregistrements DNS définis localement et correspondant à ce
 domaine seront fournis. Les enregistrements A et AAAA doivent se situer dans
 l'un des sous-réseaux définis, ou dans un réseau correspondant à une plage DHCP
-(ce comportement peut-être désactivé par
+(ce comportement peut être désactivé par
 .B constructor-noauth:
 ). Le ou les sous-réseaux sont également utilisé(s) pour définir les domaines
 in-addr.arpa et ip6.arpa servant à l'interrogation DNS inverse. Si la longueur
 de préfixe n'est pas spécifiée, elle sera par défaut de 24 pour IPv4 et 64 pour
-IPv6. Dans le cas d'IPv4, la longueur du masque de réseau devrait-être de 8, 16
+IPv6. Dans le cas d'IPv4, la longueur du masque de réseau devrait être de 8, 16
 ou 24, sauf si en cas de mise en place d'une délégation de la zone in-addr.arpa
 conforme au RFC 2317.
 .TP
@@ -719,7 +727,7 @@ optionnel, les valeurs par défaut devant convenir à la majorité des cas.
 .TP
 .B --auth-sec-servers=<domaine>[,<domaine>[,<domaine>...]]
 Spécifie un ou plusieurs serveur de nom secondaires pour une zone pour
-laquelle dnsmasq fait autorité. Ces serveurs doivent-être configurés pour
+laquelle dnsmasq fait autorité. Ces serveurs doivent être configurés pour
 récupérer auprès de dnsmasq les informations liées à la zone au travers d'un
 transfert de zone, et répondre aux requêtes pour toutes les zones pour
 lesquelles dnsmasq fait autorité.
@@ -733,7 +741,7 @@ seront acceptées pour tous les serveurs secondaires.
 .B --conntrack
 Lis le marquage de suivi de connexion Linux associé aux requêtes DNS entrantes
 et positionne la même marque au trafic amont utilisé pour répondre à ces
-requétes. Cela permet au trafic généré par Dnsmasq d'étre associé aux requêtes
+requêtes. Cela permet au trafic généré par Dnsmasq d'être associé aux requêtes
 l'ayant déclenché, ce qui est pratique pour la gestion de la bande passante
 (accounting) et le filtrage (firewall). Dnsmasq doit pour cela être compilé
 avec le support conntrack, le noyau doit également inclure conntrack et être
@@ -742,7 +750,7 @@ configuré pour cela. Cette option ne peut pas être combinée avec
 .TP
 .B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<adresse de début>[,<adresse de fin>][,<mode>][,<masque de réseau>[,<broadcast>]][,<durée de bail>]
 .TP
-.B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<addresse IPv6 de début>[,<adresse IPv6 de fin>|constructor:<interface>][,<mode>][,<longueur de préfixe>][,<durée de bail>]
+.B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<adresse IPv6 de début>[,<adresse IPv6 de fin>|constructor:<interface>][,<mode>][,<longueur de préfixe>][,<durée de bail>]
 
 Active le serveur DHCP. Les adresses seront données dans la plage comprise entre
 <adresse de début> et <adresse de fin> et à partir des adresses définies
@@ -755,7 +763,7 @@ durée indéterminée. Si aucune valeur n'est donnée, une durée de bail par d
 de une heure est appliquée. La valeur minimum pour un bail DHCP est de 2
 minutes.
 
-Pour les plages IPv6, la durée de bail peut-être égale au mot-clef "deprecated"
+Pour les plages IPv6, la durée de bail peut être égale au mot-clef "deprecated"
 (obsolète); Cela positionne la durée de vie préférée envoyée dans les baux DHCP
 ou les annonces routeurs à zéro, ce qui incite les clients à utiliser d'autres
 adresses autant que possible, pour toute nouvelle connexion, en préalable à
@@ -795,7 +803,7 @@ adresses assignées à l'interface. Par exemple
 provoque la recherche d'adresses de la forme <réseau>::1 sur eth0 et crée une
 plage allant de <réseau>::1 à <réseau>:400. Si une interface est assignée à
 plus d'un réseau, les plages correspondantes seront automatiquement créées,
-rendues obsolètes puis supprimées lorsque l'adress est rendue obsolète puis
+rendues obsolètes puis supprimées lorsque l'adresse est rendue obsolète puis
 supprimée. Le nom de l'interface peut être spécifié avec un caractère joker '*'
 final.
 
@@ -809,7 +817,7 @@ obsolètes ne conviennent pas.
 
 Si une plage dhcp-range est uniquement utilisée pour du DHCP sans-état
 ("stateless") ou de l'autoconfiguration sans état ("SLAAC"), alors l'adresse
-peut-être indiquée sous la forme '::'
+peut être indiquée sous la forme '::'
 
 .B --dhcp-range=::,constructor:eth0
 
@@ -851,7 +859,7 @@ et
 .B pxe-service
 pour plus de détails).
 
-Pour IPv6, le mode peut-être une combinaison des valeurs
+Pour IPv6, le mode peut être une combinaison des valeurs
 .B ra-only, slaac, ra-names, ra-stateless, off-link.
 
 .B ra-only
@@ -883,7 +891,7 @@ connectés (et non ceux pour lesquels DHCP se fait via relai), et ne
 fonctionnera pas si un hôte utilise les "extensions de vie privée"
 ("privacy extensions").
 .B ra-names
-peut-être combiné avec
+peut être combiné avec
 .B ra-stateless
 et
 .B slaac.
@@ -914,7 +922,7 @@ sous-réseau qu'une plage dhcp-range valide. Pour les sous-réseaux qui n'ont pa
 besoin d'adresses dynamiquement allouées, utiliser le mot-clef "static" dans la
 déclaration de plage d'adresses dhcp-range.
 
-Il est possible d'utiliser des identifiants clients (appellé "DUID client" dans
+Il est possible d'utiliser des identifiants clients (appelés "DUID client" dans
 le monde IPv6) plutôt que des adresses matérielles pour identifier les hôtes,
 en préfixant ceux-ci par 'id:'. Ainsi, 
 .B --dhcp-host=id:01:02:03:04,..... 
@@ -926,7 +934,7 @@ ceci :
 Un seul
 .B dhcp-host 
 peut contenir une adresse IPv4, une adresse IPv6, ou les deux en même temps.
-Les adresses IPv6 doivent-être mises entre crochets comme suit :
+Les adresses IPv6 doivent être mises entre crochets comme suit :
 .B --dhcp-host=laptop,[1234::56]
 Les adresses IPv6 peuvent ne contenir que la partie identifiant de client :
 .B --dhcp-host=laptop,[::56]
@@ -945,7 +953,7 @@ identifiant client mais pas les autres.
 Si un nom apparaît dans /etc/hosts, l'adresse associée peut être allouée à un
 bail DHCP mais seulement si une option
 .B --dhcp-host
-spécifiant le nom existe par ailleurs. Seul un nom d'hôte peut-être donné dans
+spécifiant le nom existe par ailleurs. Seul un nom d'hôte peut être donné dans
 une option
 .B dhcp-host
 , mais les alias sont possibles au travers de l'utilisation des CNAMEs. (Voir
@@ -973,7 +981,7 @@ Les adresses ethernet (mais pas les identifiants clients) peuvent être définie
 avec des octets joker, ainsi par exemple
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
 demande à Dnsmasq d'ignorer une gamme d'adresses matérielles. Il est  à noter
-que "*" doit-être précédé d'un caractère d'échappement ou mis entre guillemets
+que "*" doit être précédé d'un caractère d'échappement ou mis entre guillemets
 lorsque spécifié en option de ligne de commande, mais pas dans le fichier de
 configuration.
 
@@ -1059,14 +1067,14 @@ qu'aux réseaux dont tous les labels coïncident avec ceux de la requête.
 Un traitement spécial est effectué sur les chaînes de caractères fournies pour
 l'option 119, conformément à la RFC 3397. Les chaînes de caractères ou les
 adresses IP sous forme de 4 chiffres séparés par des points donnés en arguments
-de l'option 120 sont traités conforméments à la RFC 3361. Les adresses IP sous
+de l'option 120 sont traités conformément à la RFC 3361. Les adresses IP sous
 forme de 4 chiffres séparés par des points suivies par une barre montante "/",
-puis une taille de masque sont encodés conforméments à la RFC 3442.
+puis une taille de masque sont encodés conformément à la RFC 3442.
 
 Les options IPv6 sont fournies en utilisant le mot-clef
 .B option6:
 suivi par le numéro d'option ou le nom d'option. L'espace de nommage des options
-IPv6 est disjint de l'espace de nommage des options IPv4. Les adresses IPv6
+IPv6 est disjoint de l'espace de nommage des options IPv4. Les adresses IPv6
 en option doivent être entourées de crochets, comme par exemple :
 .B --dhcp-option=option6:ntp-server,[1234::56]
 
@@ -1075,7 +1083,7 @@ adéquat sont envoyées pour un numéro d'option donné, il est tout à fait pos
 de persuader Dnsmasq de générer des paquets DHCP illégaux par une utilisation
 incorrecte de cette option. Lorsque la valeur est un nombre décimal, Dnsmasq
 doit déterminer la taille des données. Cela est fait en examinant le numéro de
-l'option et/ou la valeur, mais peut-être évité en rajoutant un suffixe d'une
+l'option et/ou la valeur, mais peut être évité en rajoutant un suffixe d'une
 lettre comme suit :
 b = un octet, s = 2 octets, i = 4 octets. Cela sert essentiellement pour des
 options encapsulées de classes de vendeurs (voir plus bas), pour lesquelles 
@@ -1088,7 +1096,7 @@ d'une chaîne de caractères comme nom de serveur TFTP, il est nécessaire de fa
 comme suit :
 .B --dhcp-option=66,"1.2.3.4"
 
-Les options encapsulées de classes de vendeurs peuvent-être aussi spécifiées 
+Les options encapsulées de classes de vendeurs peuvent être aussi spécifiées
 (pour IPv4 seulement) en utilisant
 .B --dhcp-option
 : par exemple
@@ -1105,7 +1113,7 @@ par le client. Il est possible d'omettre complètement une classe de vendeur :
 .B --dhcp-option=vendor:,1,0.0.0.0
 Dans ce cas l'option encapsulée est toujours envoyée.
 
-En IPv4, les options peuvent-être encapsulées au sein d'autres options :
+En IPv4, les options peuvent être encapsulées au sein d'autres options :
 par exemple
 .B --dhcp-option=encap:175, 190, "iscsi-client0"
 enverra l'option 175, au sein de laquelle se trouve l'option 190.
@@ -1128,7 +1136,7 @@ une option encapsulée.
 Cela fonctionne exactement de la même façon que
 .B --dhcp-option
 sauf que cette option sera toujours envoyée, même si le client ne la demande pas
-dans la liste de paramêtres requis. Cela est parfois nécessaire, par exemple lors
+dans la liste de paramètres requis. Cela est parfois nécessaire, par exemple lors
 de la fourniture d'options à PXELinux.
 .TP
 .B --dhcp-no-override
@@ -1149,10 +1157,10 @@ Toutes les requêtes DHCP arrivant sur cette interface seront relayées au
 serveur DHCP distant correspondant à l'adresse de serveur indiquée. Il est
 possible de relayer depuis une unique adresse locale vers différents serveurs
 distant en spécifiant plusieurs fois l'option dhcp-relay avec la même adresse
-locale et différentes adresses de serveur. L'adresse de serveur doit-être
-sous forme numérique. Dans le cas de DHCPv6, l'adresse de serveur peut-être
+locale et différentes adresses de serveur. L'adresse de serveur doit être
+sous forme numérique. Dans le cas de DHCPv6, l'adresse de serveur peut être
 l'adresse de multicast ff05::1:3 correspondant à tous les serveurs DHCP. Dans
-ce cas, l'interface doit-étre spécifiée et ne peut comporter de caractère
+ce cas, l'interface doit être spécifiée et ne peut comporter de caractère
 joker. Elle sera utilisée pour indiquer l'interface à partir de laquelle le
 multicast pourra atteindre le serveur DHCP.
 
@@ -1181,14 +1189,14 @@ vice-versa.
 Associe une chaîne de classe de vendeur à un label. La plupart
 des clients DHCP fournissent une "classe de vendeur" ("vendor class") qui
 représente, d'une certaine façon, le type d'hôte. Cette option associe des
-classes de vendeur à des labels, de telle sorte que des options DHCP peuvent-être
-fournie de manière sélective aux différentes classes d'hôtes. Par exemple,
+classes de vendeur à des labels, de telle sorte que des options DHCP peuvent être
+fournies de manière sélective aux différentes classes d'hôtes. Par exemple,
 .B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 ou
 .B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
 permet de n'allouer des options qu'aux imprimantes HP de la manière suivante :
 .B --dhcp-option=tag:printers,3,192.168.4.4
-La chaîne de caractères de la classe de vendeur founie en argument est cherchée
+La chaîne de caractères de la classe de vendeur fournie en argument est cherchée
 en temps que sous-chaîne de caractères au sein de la classe de vendeur fournie
 par le client, de façon à permettre la recherche d'un sous-ensemble de la chaîne
 de caractères ("fuzzy matching"). Le préfixe set: est optionnel mais autorisé
@@ -1218,7 +1226,7 @@ matérielle coïncide avec les critères définis.
 .TP
 .B --dhcp-circuitid=set:<label>,<identifiant de circuit>, --dhcp-remoteid=set:<label>,<identifiant distant>
 Associe des options de relais DHCP issus de la RFC3046 à des labels.
-Cette information peut-être fournie par des relais DHCP. L'identifiant
+Cette information peut être fournie par des relais DHCP. L'identifiant
 de circuit ou l'identifiant distant est normalement fourni sous la forme d'une
 chaîne de valeurs hexadécimales séparées par des ":", mais il est également
 possible qu'elle le soit sous la forme d'une simple chaîne de caractères. Si
@@ -1231,7 +1239,7 @@ est supporté en IPv6 (mais non dhcp-circuitid).
 (IPv4 et IPv6) Associe des options de relais DHCP issues de la RFC3993 à des
 labels.
 .TP
-.B --dhcp-proxy[=<adresse ip>]......
+.B --dhcp-proxy[=<adresse IP>]......
 (IPv4 seulement) Un agent relai DHCP normal est uniquement utilisé pour faire
 suivre les éléments initiaux de l'interaction avec le serveur DHCP. Une fois
 que le client est configuré, il communique directement avec le serveur. Cela
@@ -1252,7 +1260,7 @@ interactions avec les relais dont l'adresse est dans la liste seront affectées.
 Si aucune valeur n'est spécifiée, associe le label si le client
 envoie une option DHCP avec le numéro ou le nom spécifié. Lorsqu'une valeur est
 fournie, positionne le label seulement dans le cas où l'option est fournie et
-correspond à la valeur. La valeur peut-être de la forme "01:ff:*:02", auquel
+correspond à la valeur. La valeur peut être de la forme "01:ff:*:02", auquel
 cas le début de l'option doit correspondre (en respectant les jokers). La
 valeur peut aussi être de la même forme que dans
 .B dhcp-option
@@ -1262,14 +1270,14 @@ valeur peut aussi être de la même forme que dans
 --dhcp-match=set:efi-ia32,option:client-arch,6
 
 spécifie le label "efi-ia32" si le numéro 6 apparaît dnas la liste
-d'architectures envoyé par le client au sein de l'option 93. (se réferer
+d'architectures envoyé par le client au sein de l'option 93. (se référer
 au RFC 4578 pour plus de détails). Si la valeur est un chaine de caractères,
 celle-ci est recherchée (correspondance en temps que sous-chaîne).
 
 Pour la forme particulière vi-encap:<numéro d'entreprise>, la comparaison se
 fait avec les classes de vendeur "identifiant de vendeur" ("vendor-identifying
 vendor classes") pour l'entreprise dont le numéro est fourni en option.
-Veuillez vous réferer à la RFC 3925 pour plus de détail.
+Veuillez vous référer à la RFC 3925 pour plus de détails.
 .TP
 .B --tag-if=set:<label>[,set:<label>[,tag:<label>[,tag:<label>]]]
 Effectue une opération booléenne sur les labels. Si tous les labels
@@ -1280,7 +1288,7 @@ Si aucun tag:<label> n'est spécifié, alors tous les labels fournis par
 set:<label> sont positionnés.
 N'importe quel nombre de set: ou tag: peuvent être fournis, et l'ordre est sans
 importance.
-Les lignes tag-if sont executées dans l'ordre, ce qui fait que si un label dans
+Les lignes tag-if sont exécutées dans l'ordre, ce qui fait que si un label dans
 tag:<label> est un label positionné par une rêgle
 .B tag-if,
 la ligne qui positionne le label doit précéder celle qui le teste.
@@ -1320,17 +1328,17 @@ le cas de certains vieux clients BOOTP.
 (IPv4 seulement) Spécifie les options BOOTP devant être retournées par le
 serveur DHCP. Le nom de serveur ainsi que l'adresse sont optionnels : s'ils
 ne sont pas fournis, le nom est laissé vide et l'adresse fournie est celle de
-la machine sur laquelle s'exécute Dnsmasq. Si Dnsmasq founit un service TFTP (voir
+la machine sur laquelle s'exécute Dnsmasq. Si Dnsmasq fournit un service TFTP (voir
 .B --enable-tftp
 ), alors seul un nom de fichier est requis ici pour permettre un démarrage par
 le réseau.
 Si d'éventuels labels sont fournis, ils doivent coïncider avec
-ceux du client pour que cet élement de configuration lui soit envoyé.
+ceux du client pour que cet élément de configuration lui soit envoyé.
 Une adresse de serveur TFTP peut être spécifiée à la place de l'adresse IP,
 sous la forme d'un nom de domaine qui sera cherché dans le fichier /etc/hosts.
 Ce nom peut être associé dans /etc/hosts avec plusieurs adresses IP, auquel cas
 celles-ci seront utilisées tour à tour (algorithme round-robin).
-Cela peut-être utiliser pour équilibrer la charge tftp sur plusieurs serveurs.
+Cela peut être utilisé pour équilibrer la charge tftp sur plusieurs serveurs.
 .TP
 .B --dhcp-sequential-ip
 Dnsmasq est conçu pour choisir l'adresse IP des clients DHCP en utilisant
@@ -1346,6 +1354,13 @@ Veuillez noter que dans ce mode séquentiel, les clients qui laissent expirer
 leur bail ont beaucoup plus de chance de voir leur adresse IP changer, aussi
 cette option ne devrait pas être utilisée dans un cas général.
 .TP
+.B --dhcp-ignore-clid
+Dnsmasq lit l'option 'client identifier' (RFC 2131) envoyée par les clients
+(si disponible) afin d'identifier les clients. Cela permet de distribuer la
+même adresse IP à un client utilisant plusieurs interfaces. Activer cette option
+désactive la lecture du 'client identifier', afin de toujours identifier un client
+en utilisant l'adresse MAC.
+.TP
 .B --pxe-service=[tag:<label>,]<CSA>,<entrée de menu>[,<nom de fichier>|<type de service de démarrage>][,<adresse de serveur>|<nom de serveur>]
 La plupart des ROMS de démarrage PXE ne permettent au système PXE que la simple
 obtention d'une adresse IP, le téléchargement du fichier spécifié dans
@@ -1357,7 +1372,7 @@ Ceci spécifie l'option de démarrage qui apparaitra dans un menu de démarrage
 PXE. <CSA> est le type du système client. Seuls des types de services valides
 apparaitront dans un menu. Les types connus sont x86PC, PC98, IA64_EFI, Alpha,
 Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI et X86-64_EFI;
-D'autres types peuvent-être spécifiés sous la forme d'une valeur entière. Le
+D'autres types peuvent être spécifiés sous la forme d'une valeur entière. Le
 paramètre après le texte correspondant à l'entrée dans le menu peut être un nom
 de fichier, auquel cas Dnsmasq agit comme un serveur de démarrage et indique au
 client PXE qu'il faut télécharger ce fichier via TFTP, soit depuis ce serveur
@@ -1376,7 +1391,7 @@ démarrage n'est fournie (ou qu'une valeur de 0 est donnée pour le type de
 service), alors l'entrée de menu provoque l'interruption du démarrage par
 le réseau et la poursuite du démarrage sur un média local. L'adresse de serveur
 peut être donnée sous la forme de nom de domaine qui est recherché dans
-/etc/hosts. Ce nom peut-être associé à plusieurs adresses IP, qui dans ce cas
+/etc/hosts. Ce nom peut être associé à plusieurs adresses IP, qui dans ce cas
 sont utilisées à tour de rôle (en "round-robin").
 .TP
 .B --pxe-prompt=[tag:<label>,]<invite>[,<délai>]
@@ -1435,7 +1450,7 @@ Utiliser cette option avec précaution, une adresse allouée à un client BOOTP
 étant perpétuelle, et de fait n'est plus disponibles pour d'autres hôtes. Si
 aucun argument n'est donné, alors cette option permet une allocation dynamique
 dans tous les cas. Si des arguments sont spécifiés, alors l'allocation ne se
-fait que lorsque tous les identifiants coïncident. Il est possible de répeter
+fait que lorsque tous les identifiants coïncident. Il est possible de répéter
 cette option avec plusieurs jeux d'arguments.
 .TP
 .B \-5, --no-ping
@@ -1560,7 +1575,7 @@ Tous les descripteurs de fichiers sont fermés, sauf stdin, stdout et stderr qui
 sont ouverts sur /dev/null (sauf en mode déverminage).
 
 Le script n'est pas lancé de manière concurrente : au plus une instance du
-script est executée à la fois (dnsmasq attends qu'une instance de script se
+script est exécutée à la fois (dnsmasq attend qu'une instance de script se
 termine avant de lancer la suivante). Les changements dans la base des baux
 nécessitant le lancement du script sont placé en attente dans une queue jusqu'à
 terminaison d'une instance du script en cours. Si cette mise en queue fait que
@@ -1575,7 +1590,7 @@ le script sera invoqué avec une action "old" pour tous les baux existants.
 
 Il existe deux autres actions pouvant apparaître comme argument au script :
 "init" et "tftp". D'autres sont susceptibles d'être rajoutées dans le futur,
-aussi les scripts devraient-être écrits de sorte à ignorer les actions
+aussi les scripts devraient être écrits de sorte à ignorer les actions
 inconnues. "init" est décrite ci-dessous dans
 .B --leasefile-ro.
 L'action "tftp" est invoquée lorsqu'un transfert de fichier TFTP s'est
@@ -1588,7 +1603,7 @@ Spécifie un script écrit en Lua, devant être exécuté lorsque des baux sont
 créés, détruits ou modifiés. Pour utiliser cette option, dnsmasq doit être
 compilé avec avec le support de Lua. L'interpréteur Lua est initialisé une
 seule fois, lorsque dnsmasq démarre, ce qui fait que les variables globales
-persistent entre les évênements liés aux baux. Le code Lua doit définir une
+persistent entre les événements liés aux baux. Le code Lua doit définir une
 fonction
 .B lease
 et peut fournir des fonctions
@@ -1637,7 +1652,7 @@ et
 .B --dhcp-scriptuser
 Spécifie l'utilisateur sous lequel le script shell lease-change ou le script
 doivent être exécutés. La valeur par défaut correspond à l'utilisateur root
-mais peut-être changée par le biais de cette option.
+mais peut être changée par le biais de cette option.
 .TP
 .B \-9, --leasefile-ro
 Supprimer complètement l'usage du fichier servant de base de donnée pour les
@@ -1649,8 +1664,8 @@ biais de l'option
 être complètement gérée par le script sur un stockage externe. En addition aux
 actions décrites dans 
 .B  --dhcp-script,
-le script de changement d'état de bail est appellé une fois, au lancement de
-Dnsmasq, avec pour seul argument "init". Lorsqu'appellé de la sorte, le script
+le script de changement d'état de bail est appelé une fois, au lancement de
+Dnsmasq, avec pour seul argument "init". Lorsqu'appelé de la sorte, le script
 doit fournir l'état de la base de baux, dans le format de fichier de baux de
 Dnsmasq, sur sa sortie standard (stdout) et retourner un code de retour de 0.
 Positionner cette option provoque également une invocation du script de
@@ -1692,20 +1707,20 @@ positionné à la première valeur de la directive "search" du fichier
 /etc/resolv.conf (ou équivalent).
 
 La gamme d'adresses peut être de la forme
-<adresse ip>,<adresse ip> ou <adresse ip>/<masque de réseau> voire une simple
-<adresse ip>. Voir
+<adresse IP>,<adresse IP> ou <adresse IP>/<masque de réseau> voire une simple
+<adresse IP>. Voir
 .B --dhcp-fqdn
 qui peut changer le comportement de dnsmasq relatif aux domaines.
 
 Si la gamme d'adresse est fournie sous la forme
-<adresse ip>/<taille de réseau>, alors le drapeau "local" peut-être rajouté
-qui a pour effect d'ajouter --local-declarations aux requêtes DNS directes et
+<adresse IP>/<taille de réseau>, alors le drapeau "local" peut être rajouté
+qui a pour effet d'ajouter --local-declarations aux requêtes DNS directes et
 inverses. C-à-d
 .B --domain=thekelleys.org.uk,192.168.0.0/24,local
 est identique à
 .B --domain=thekelleys.org.uk,192.168.0.0/24
 --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
-La taille de réseau doit-être de 8, 16 ou 24 pour être valide.
+La taille de réseau doit être de 8, 16 ou 24 pour être valide.
 .TP
 .B --dhcp-fqdn
 Dans le mode par défaut, dnsmasq insère les noms non-qualifiés des clients
@@ -1717,8 +1732,8 @@ ce nom est transféré au nouveau client. Si
 est spécifié, ce comportement change : les noms non qualifiés ne sont plus
 rajoutés dans le DNS, seuls les noms qualifiés le sont. Deux clients DHCP
 avec le même nom peuvent tous les deux garder le nom, pour peu que la partie
-relative au domaine soit différente (c-à-d que les noms pleinements qualifiés
-diffèrent). Pour d'assurer que tous les noms ont une partie domaine, il doit-y
+relative au domaine soit différente (c-à-d que les noms pleinement qualifiés
+diffèrent). Pour s'assurer que tous les noms ont une partie domaine, il doit y
 avoir au moins un
 .B --domain
 sans gamme d'adresses de spécifié lorsque l'option
@@ -1735,7 +1750,7 @@ Windows de la mise à jour de serveurs Active Directory. Voir la RFC 4702 pour
 plus de détails.
 .TP
 .B --enable-ra
-Active la fonctionalité d'annonces routeurs IPv6 ("IPv6 Router Advertisement").
+Active la fonctionnalité d'annonces routeurs IPv6 ("IPv6 Router Advertisement").
 DHCPv6 ne gère pas la configuration complète du réseau de la même façon que
 DHCPv4. La découverte de routeurs et la découverte (éventuelle) de préfixes pour
 la création autonome d'adresse sont gérées par un protocole différent.
@@ -1747,7 +1762,7 @@ dhcp-range et, par défaut, fournir comme valeur de routeur et de DNS récursif
 la valeur d'adresse link-local appropriée parmi celles de la machine sur
 laquelle tourne dnsmasq.
 Par défaut, les bits "managed address" sont positionnés, et le bit "use SLAAC"
-("utiliser SLAAC") est réinitialisé. Cela peut-être changé pour des
+("utiliser SLAAC") est réinitialisé. Cela peut être changé pour des
 sous-réseaux donnés par le biais du mot clef de mode décris dans
 .B --dhcp-range.
 Les paramètres DNS du RFC6106 sont inclus dans les annonces. Par défaut,
@@ -1756,27 +1771,27 @@ dnsmasq est spécifiée comme DNS récursif. Si elles sont fournies, les
 options dns-server et domain-search sont utilisées respectivement pour RDNSS et
 DNSSL.
 .TP
-.B --ra-param=<interface>,[high|low],[[<intervalle d'annonce routeur>],<durée de vie route>]
+.B --ra-param=<interface>,[mtu:<valeur>|<interface>|off,][high,|low,]<intervalle d'annonce routeur>[,<durée de vie route>]
 Configure pour une interface donnée des valeurs pour les annonces routeurs
 différentes des valeurs par défaut. La valeur par défaut du champ priorité
-pour le routeur peut-être changée de "medium" (moyen) à "high" (haute) ou
+pour le routeur peut être changée de "medium" (moyen) à "high" (haute) ou
 "low" (basse). Par exemple :
-.B --ra-param=eth0,high.
-Un intervalle (en secondes) entre les annonces routeur peut-être fourni par :
+.B --ra-param=eth0,high,0.
+Un intervalle (en secondes) entre les annonces routeur peut être fourni par :
 .B --ra-param=eth0,60.
-La durée de vie de la route peut-être changée ou mise à zéro, auquel cas 
+La durée de vie de la route peut être changée ou mise à zéro, auquel cas
 le routeur peut annoncer les préfixes mais pas de route :
-.B --ra-parm=eth0,0,0
+.B --ra-param=eth0,0,0
 (une valeur de zéro pour l'intervalle signifie qu'il garde la valeur par défaut).
-Ces trois paramètres peuvent-être configurés en une fois :
-.B --ra-param=low,60,1200
+Ces quatre paramètres peuvent être configurés en une fois :
+.B --ra-param=eth0,mtu:1280,low,60,1200
 La valeur pour l'interface peut inclure un caractère joker.
 .TP
 .B --enable-tftp[=<interface>[,<interface>]]
 Active la fonction serveur TFTP. Celui-ci est de manière délibérée limité aux
 fonctions nécessaires au démarrage par le réseau ("net-boot") d'un client. Seul
 un accès en lecture est possible; les extensions tsize et blksize sont supportées
-(tsize est seulement supporté en mode octet). Sans argument optionel, le service
+(tsize est seulement supportée en mode octet). Sans argument optionnel, le service
 TFTP est fourni sur les mêmes interfaces que le service DHCP. Si une liste
 d'interfaces est fournie, cela définit les interfaces sur lesquelles le
 service TFTP sera activé.
@@ -1847,9 +1862,9 @@ Un serveur TFTP écoute sur le port prédéfini 69 ("well-known port") pour
 l'initiation de la connexion, mais utilise également un port dynamiquement
 alloué pour chaque connexion. Normalement, ces ports sont alloués par
 le système d'exploitation, mais cette option permet de spécifier une gamme
-de ports à utiliser pour les transferts TFTP. Cela peut-être utile si
+de ports à utiliser pour les transferts TFTP. Cela peut être utile si
 TFTP doit traverser un dispositif garde-barrière ("firewall"). La valeur
-de début pour la plage de port ne peut-être inférieure à 1025 sauf si
+de début pour la plage de port ne peut être inférieure à 1025 sauf si
 dnsmasq tourne en temps que super-utilisateur ("root"). Le nombre de
 connexions TFTP concurrentes est limitée par la taille de la gamme de
 ports ainsi spécifiée.
@@ -1859,8 +1874,8 @@ Un serveur TFTP écoute sur un numéro de port bien connu (69) pour l'initiation
 de la connexion, et alloue dynamiquement un port pour chaque connexion. Ces
 numéros de ports sont en principe alloués par le système d'exploitation, mais
 cette option permet de spécifier une gamme de ports à utiliser pour les
-transferts TFTP. Cela peut-être utile lorsque ceux-ci doivent traverser un
-dispositif garde-barrière ("firewall"). Le début de la plage ne peut-être
+transferts TFTP. Cela peut être utile lorsque ceux-ci doivent traverser un
+dispositif garde-barrière ("firewall"). Le début de la plage ne peut être
 inférieur à 1024 à moins que Dnsmasq ne fonctionne en temps que
 super-utilisateur ("root"). Le nombre maximal de connexions TFTP concurrentes
 est limitée par la taille de la plage de ports ainsi définie. 
@@ -1895,7 +1910,7 @@ par "--". Les lignes commençant par # sont des commentaires et sont ignorées.
 Pour les options qui ne peuvent-être spécifiées qu'une seule fois, celle du
 fichier de configuration prends le pas sur celle fournie en ligne de commande.
 Il est possible d'utiliser des guillemets afin d'éviter que les ",",":","." et
-"#" ne soit interprêtés, et il est possible d'utiliser les séquences
+"#" ne soient interprétés, et il est possible d'utiliser les séquences
 d'échappement suivantes : \\\\ \\" \\t \\e \\b \\r et \\n. Elles correspondent
 respectivement à la barre oblique descendante ("anti-slash"), guillemets doubles,
 tabulation, caractère d'échappement ("escape"), suppression ("backspace"), retour ("return") et
@@ -1940,8 +1955,8 @@ traces dans un fichier (voir
 .B --log-facility
 ), alors 
 .B Dnsmasq
-ferme et re-rouvre le fichier de traces. Il faut noter que pendant cette
-opération Dnsmasq ne s'exécute pas en temps que "root". Lorsqu'il créé un
+ferme et rouvre le fichier de traces. Il faut noter que pendant cette
+opération Dnsmasq ne s'exécute pas en tant que "root". Lorsqu'il créé un
 fichier de traces pour la première fois, Dnsmasq change le propriétaire du
 fichier afin de le faire appartenir à l'utilisateur non "root" sous lequel
 Dnsmasq s'exécute. Le logiciel de rotation de fichiers de trace logrotate doit
@@ -1983,7 +1998,7 @@ qu'une connexion PPP ne soit établie. Dans ce cas, Dnsmasq vérifie régulière
 pour voir si un fichier
 .I /etc/resolv.conf 
 est créé. Dnsmasq peut être configuré pour lire plus d'un fichier resolv.conf.
-Cela est utile sur un ordinateur portable où PPP et DHCP peuvent-être utilisés :
+Cela est utile sur un ordinateur portable où PPP et DHCP peuvent être utilisés :
 Dnsmasq peut alors être configuré pour lire à la fois
 .I /etc/ppp/resolv.conf 
 et
@@ -2007,7 +2022,7 @@ ou alors en mettant leurs adresses dans un autre fichier, par exemple
 .I /etc/resolv.dnsmasq
 et en lançant Dnsmasq avec l'option
 .B \-r /etc/resolv.dnsmasq.
-Cette deuxième technique permet la mise-à-jour dynamique des addresses de
+Cette deuxième technique permet la mise-à-jour dynamique des adresses de
 serveurs DNS amont par le biais de PPP ou DHCP.
 .PP
 Les adresses dans /etc/hosts prennent le dessus sur celles fournies par le
@@ -2067,10 +2082,10 @@ et pour affecter l'option envoyée, sur la base de la plage sélectionnée.
 
 Ce système a évolué d'un système plus ancien et aux possibilités plus limitées,
 et pour des raisons de compatibilité "net:" peut être utilisé à la place de
-"tag:" et "set:" peut-être omis (à l'exception de
+"tag:" et "set:" peut être omis (à l'exception de
 .B dhcp-host,
-où "net:" peut-être utilisé à la place de "set:"). Pour les mêmes raisons, '#'
-peut-être utilisé à la place de '!' pour indiquer la négation.
+où "net:" peut être utilisé à la place de "set:"). Pour les mêmes raisons, '#'
+peut être utilisé à la place de '!' pour indiquer la négation.
 .PP 
 Le serveur DHCP intégré dans Dnsmasq fonctionne également en temps que serveur
 BOOTP, pour peu que l'adresse MAC et l'adresse IP des clients soient fournies,
@@ -2097,7 +2112,7 @@ scénarios de complexité croissante. Le pré-requis pour chacun de ces scénari
 est l'existence d'une adresse IP globalement disponible, d'un enregistrement de
 type A ou AAAA pointant vers cette adresse, ainsi que d'un serveur DNS externe
 capable d'effectuer la délégation de la zone en question. Pour la première
-partie de ces explications, nous allons appeller serveur.exemple.com
+partie de ces explications, nous allons appeler serveur.exemple.com
 l'enregistrement A (ou AAAA) de l'adresse globalement accessible, et
 notre.zone.com la zone pour laquelle dnsmasq fait autorité.
 
@@ -2138,11 +2153,11 @@ notre.zone.com            NS    our.zone.com
 .fi
 
 L'enregistrement A pour notre.zone.com est dorénavant un enregistrement "colle"
-qui résoud le problème de poule et d'oeuf consistant à trouver l'adresse IP
+qui résout le problème de poule et d'oeuf consistant à trouver l'adresse IP
 du serveur de nom pour notre.zone.com lorsque l'enregistrement se trouve dans
 la zone en question. Il s'agit du seul rôle de cet enregistrement : comme dnsmasq
 fait désormais autorité pour notre.zone.com, il doit également fournir cet
-enregistrement. Si l'adresse externe est statique, cela peut-être réalisé par
+enregistrement. Si l'adresse externe est statique, cela peut être réalisé par
 le biais d'une entrée dans
 .B /etc/hosts 
 ou via un
@@ -2194,7 +2209,7 @@ spécifiques, vous pouvez le faire via :
 Dnsmasq joue le rôle de serveur faisant autorité pour les domaines in-addr.arpa
 et ip6.arpa associés aux sous-réseaux définis dans la déclaration de zone
 auth-zone, ce qui fait que les requêtes DNS inversées (de l'adresse vers
-le nom) peuvent-simplement être configurées avec un enregistrement NS
+le nom) peuvent simplement être configurées avec un enregistrement NS
 adéquat. Par exemple, comme nous définissons plus haut les adresses
 1.2.3.0/24 :
 .nf
@@ -2243,7 +2258,7 @@ celui fourni par
 .B --domain.
 Si l'option
 .B --dhcp-fqdn
-est fournie, alors les noms pleinemenet qualifiés associés aux baux DHCP
+est fournie, alors les noms pleinement qualifiés associés aux baux DHCP
 sont utilisés, dès lors qu'ils correspondent au nom de domaine associé
 à la zone.
 
@@ -2282,7 +2297,7 @@ Dnsmasq est capable de gérer le DNS et DHCP pour au moins un millier de clients
 Pour cela, la durée des bail ne doit pas être très courte (moins d'une heure).
 La valeur de
 .B --dns-forward-max 
-peut-être augmentée : commencer par la rendre égale au nombre de clients et
+peut être augmentée : commencer par la rendre égale au nombre de clients et
 l'augmenter si le DNS semble lent. Noter que la performance du DNS dépends
 également de la performance des serveurs amonts. La taille du cache DNS peut-
 être augmentée : la limite en dur est de 10000 entrées et la valeur par défaut
@@ -2306,7 +2321,7 @@ Il est possible d'utiliser Dnsmasq pour bloquer la publicité sur la toile
 en associant des serveurs de publicité bien connus à l'adresse 127.0.0.1 ou
 0.0.0.0 par le biais du fichier
 .B /etc/hosts 
-ou d'un fichier d'hôte additionnel. Cette liste peut-être très longue, Dnsmasq
+ou d'un fichier d'hôte additionnel. Cette liste peut être très longue, Dnsmasq
 ayant été testé avec succès avec un million de noms. Cette taille de fichier
 nécessite un processeur à 1 Ghz et environ 60 Mo de RAM.
 

setup.html

@@ -78,7 +78,7 @@ by modifying MODIFY_RESOLV_CONF_DYNAMICALLY="no" in <TT>/etc/sysconfig/network/c
  
 
 <h3>Automatic DNS server configuration with DHCP.</h3>
-You need to get your DHCP client to write the addresse(s) of the DNS
+You need to get your DHCP client to write the address(es) of the DNS
 servers to a file other than <TT>/etc/resolv.conf</TT>. For dhcpcd, the
 <TT>dhcpcd.exe</TT> script gets run with the addresses of the nameserver(s) in
 the shell variable <TT>$DNS</TT>. The following bit of shell script
@@ -86,8 +86,8 @@ uses that to write a file suitable for dnsmasq.
 <PRE>
 
 echo -n >|/etc/dhcpc/resolv.conf
-dnsservs=${DNS//,/ }
-for serv in $dnsservs; do
+dnsservers=${DNS//,/ }
+for serv in $dnsservers; do
     echo "nameserver $serv" >>/etc/dhcpc/resolv.conf
 done
 
@@ -125,7 +125,7 @@ address of its ethernet card. For the former to work, a machine needs to know it
 requests a DHCP lease. For dhcpcd, the -h option specifies this. The
 names may be anything as far as DHCP is concerned, but dnsmasq adds
 some limitations. By default the names must no have a domain part, ie
-they must just be a alphanumeric name, without any dots.  This is a
+they must just be alphanumeric names, without any dots.  This is a
 security feature to stop a machine on your network telling DHCP that
 its name is "www.microsoft.com" and thereby grabbing traffic which
 shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names
@@ -186,7 +186,7 @@ more than one nameserver just include as many
 
 <H2>Local domains.</H2>
 Sometimes people have local domains which they do not want forwarded
-to upstream servers. This is accomodated by using server options
+to upstream servers. This is accommodated by using server options
 without the server IP address. To make things clearer <TT>local</TT>
 is a synonym for <TT>server</TT>. For example the option
 <TT>local=/localnet/</TT> ensures that any domain name query which ends in

src/arp.c

@@ -0,0 +1,234 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+/* Time between forced re-loads from kernel. */
+#define INTERVAL 90
+
+#define ARP_MARK  0
+#define ARP_FOUND 1  /* Confirmed */
+#define ARP_NEW   2  /* Newly created */
+#define ARP_EMPTY 3  /* No MAC addr */
+
+struct arp_record {
+  unsigned short hwlen, status;
+  int family;
+  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
+  union all_addr addr;
+  struct arp_record *next;
+};
+
+static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
+static time_t last = 0;
+
+static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+{
+  struct arp_record *arp;
+
+  (void)parmv;
+
+  if (maclen > DHCP_CHADDR_MAX)
+    return 1;
+
+  /* Look for existing entry */
+  for (arp = arps; arp; arp = arp->next)
+    {
+      if (family != arp->family || arp->status == ARP_NEW)
+	continue;
+      
+      if (family == AF_INET)
+	{
+	  if (arp->addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
+	    continue;
+	}
+      else
+	{
+	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, (struct in6_addr *)addrp))
+	    continue;
+	}
+
+      if (arp->status == ARP_EMPTY)
+	{
+	  /* existing address, was negative. */
+	  arp->status = ARP_NEW;
+	  arp->hwlen = maclen;
+	  memcpy(arp->hwaddr, mac, maclen);
+	}
+      else if (arp->hwlen == maclen && memcmp(arp->hwaddr, mac, maclen) == 0)
+	/* Existing entry matches - confirm. */
+	arp->status = ARP_FOUND;
+      else
+	continue;
+      
+      break;
+    }
+
+  if (!arp)
+    {
+      /* New entry */
+      if (freelist)
+	{
+	  arp = freelist;
+	  freelist = freelist->next;
+	}
+      else if (!(arp = whine_malloc(sizeof(struct arp_record))))
+	return 1;
+      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_NEW;
+      arp->hwlen = maclen;
+      arp->family = family;
+      memcpy(arp->hwaddr, mac, maclen);
+      if (family == AF_INET)
+	arp->addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
+      else
+	memcpy(&arp->addr.addr6, addrp, IN6ADDRSZ);
+    }
+  
+  return 1;
+}
+
+/* If in lazy mode, we cache absence of ARP entries. */
+int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
+{
+  struct arp_record *arp, *tmp, **up;
+  int updated = 0;
+
+ again:
+  
+  /* If the database is less then INTERVAL old, look in there */
+  if (difftime(now, last) < INTERVAL)
+    {
+      /* addr == NULL -> just make cache up-to-date */
+      if (!addr)
+	return 0;
+
+      for (arp = arps; arp; arp = arp->next)
+	{
+	  if (addr->sa.sa_family != arp->family)
+	    continue;
+	    
+	  if (arp->family == AF_INET &&
+	      arp->addr.addr4.s_addr != addr->in.sin_addr.s_addr)
+	    continue;
+	    
+	  if (arp->family == AF_INET6 && 
+	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, &addr->in6.sin6_addr))
+	    continue;
+	  
+	  /* Only accept positive entries unless in lazy mode. */
+	  if (arp->status != ARP_EMPTY || lazy || updated)
+	    {
+	      if (mac && arp->hwlen != 0)
+		memcpy(mac, arp->hwaddr, arp->hwlen);
+	      return arp->hwlen;
+	    }
+	}
+    }
+
+  /* Not found, try the kernel */
+  if (!updated)
+     {
+       updated = 1;
+       last = now;
+
+       /* Mark all non-negative entries */
+       for (arp = arps; arp; arp = arp->next)
+	 if (arp->status != ARP_EMPTY)
+	   arp->status = ARP_MARK;
+       
+       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       
+       /* Remove all unconfirmed entries to old list. */
+       for (arp = arps, up = &arps; arp; arp = tmp)
+	 {
+	   tmp = arp->next;
+	   
+	   if (arp->status == ARP_MARK)
+	     {
+	       *up = arp->next;
+	       arp->next = old;
+	       old = arp;
+	     }
+	   else
+	     up = &arp->next;
+	 }
+
+       goto again;
+     }
+
+  /* record failure, so we don't consult the kernel each time
+     we're asked for this address */
+  if (freelist)
+    {
+      arp = freelist;
+      freelist = freelist->next;
+    }
+  else
+    arp = whine_malloc(sizeof(struct arp_record));
+  
+  if (arp)
+    {      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_EMPTY;
+      arp->family = addr->sa.sa_family;
+      arp->hwlen = 0;
+
+      if (addr->sa.sa_family == AF_INET)
+	arp->addr.addr4.s_addr = addr->in.sin_addr.s_addr;
+      else
+	memcpy(&arp->addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
+    }
+	  
+   return 0;
+}
+
+int do_arp_script_run(void)
+{
+  struct arp_record *arp;
+  
+  /* Notify any which went, then move to free list */
+  if (old)
+    {
+#ifdef HAVE_SCRIPT
+      if (option_bool(OPT_SCRIPT_ARP))
+	queue_arp(ACTION_ARP_DEL, old->hwaddr, old->hwlen, old->family, &old->addr);
+#endif
+      arp = old;
+      old = arp->next;
+      arp->next = freelist;
+      freelist = arp;
+      return 1;
+    }
+
+  for (arp = arps; arp; arp = arp->next)
+    if (arp->status == ARP_NEW)
+      {
+#ifdef HAVE_SCRIPT
+	if (option_bool(OPT_SCRIPT_ARP))
+	  queue_arp(ACTION_ARP, arp->hwaddr, arp->hwlen, arp->family, &arp->addr);
+#endif
+	arp->status = ARP_FOUND;
+	return 1;
+      }
+
+  return 0;
+}
+
+

src/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -18,36 +18,51 @@
 
 #ifdef HAVE_AUTH
 
-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_addrlist(struct addrlist *list, int flag, union all_addr *addr_u)
 {
-  struct addrlist *subnet;
-
-  for (subnet = zone->subnet; subnet; subnet = subnet->next)
+  do {
+    if (!(list->flags & ADDRLIST_IPV6))
       {
-      if (!(subnet->flags & ADDRLIST_IPV6))
-	{
-	  struct in_addr netmask, addr = addr_u->addr.addr4;
+	struct in_addr netmask, addr = addr_u->addr4;
 	
 	if (!(flag & F_IPV4))
 	  continue;
 	
-	  netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen));
+	netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
 	
-	  if  (is_same_net(addr, subnet->addr.addr.addr4, netmask))
-	    return subnet;
+	if  (is_same_net(addr, list->addr.addr4, netmask))
+	  return list;
       }
-#ifdef HAVE_IPV6
-      else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen))
-	return subnet;
-#endif
+    else if (is_same_net6(&(addr_u->addr6), &list->addr.addr6, list->prefixlen))
+      return list;
+    
+  } while ((list = list->next));
   
-    }
   return NULL;
 }
 
-static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
-  /* No zones specified, no filter */
+  if (!zone->subnet)
+    return NULL;
+  
+  return find_addrlist(zone->subnet, flag, addr_u);
+}
+
+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, union all_addr *addr_u)
+{
+  if (!zone->exclude)
+    return NULL;
+  
+  return find_addrlist(zone->exclude, flag, addr_u);
+}
+
+static int filter_zone(struct auth_zone *zone, int flag, union all_addr *addr_u)
+{
+  if (find_exclude(zone, flag, addr_u))
+    return 0;
+
+  /* No subnets specified, no filter */
   if (!zone->subnet)
     return 1;
   
@@ -81,11 +96,12 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
 }
 
 
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
+		   int local_query, int do_bit, int have_pseudoheader) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
-  int qtype, qclass;
+  int qtype, qclass, rc;
   int nameoffset, axfroffset = 0;
   int q, anscount = 0, authcount = 0;
   struct crec *crecp;
@@ -97,8 +113,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   struct txt_record *txt;
   struct interface_name *intr;
   struct naptr *na;
-  struct all_addr addr;
-  struct cname *a;
+  union all_addr addr;
+  struct cname *a, *candidate;
+  unsigned int wclen;
   
   if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
     return 0;
@@ -112,8 +129,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 
   for (q = ntohs(header->qdcount); q != 0; q--)
     {
-      unsigned short flag = 0;
+      unsigned int flag = 0;
       int found = 0;
+      int cname_wildcard = 0;
   
       /* save pointer to name for copying into answers */
       nameoffset = p - (unsigned char *)header;
@@ -160,7 +178,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
+		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
 		    break;
 		
 		if (addrlist)
@@ -169,14 +187,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#ifdef HAVE_IPV6
 	  else if (flag == F_IPV6)
 	    for (intr = daemon->int_names; intr; intr = intr->next)
 	      {
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
+		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
 		    break;
 		
 		if (addrlist)
@@ -185,7 +202,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#endif
 	  
 	  if (intr)
 	    {
@@ -263,11 +279,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
 
       for (rec = daemon->mxnames; rec; rec = rec->next)
-	if (!rec->issrv && hostname_isequal(name, rec->name))
+	if (!rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
 	  {
 	    nxdomain = 0;
 	         
-	    if (qtype == T_MX)
+	    if (rc == 2 && qtype == T_MX)
 	      {
 		found = 1;
 		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>"); 
@@ -278,11 +294,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }
       
       for (move = NULL, up = &daemon->mxnames, rec = daemon->mxnames; rec; rec = rec->next)
-	if (rec->issrv && hostname_isequal(name, rec->name))
+	if (rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
 	  {
 	    nxdomain = 0;
 	    
-	    if (qtype == T_SRV)
+	    if (rc == 2 && qtype == T_SRV)
 	      {
 		found = 1;
 		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>"); 
@@ -313,13 +329,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
 
       for (txt = daemon->rr; txt; txt = txt->next)
-	if (hostname_isequal(name, txt->name))
+	if ((rc = hostname_issubdomain(name, txt->name)))
 	  {
 	    nxdomain = 0;
-	    if (txt->class == qtype)
+	    if (rc == 2 && txt->class == qtype)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, txt->class)); 
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -327,10 +343,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }
       
       for (txt = daemon->txt; txt; txt = txt->next)
-	if (txt->class == C_IN && hostname_isequal(name, txt->name))
+	if (txt->class == C_IN && (rc = hostname_issubdomain(name, txt->name)))
 	  {
 	    nxdomain = 0;
-	    if (qtype == T_TXT)
+	    if (rc == 2 && qtype == T_TXT)
 	      {
 		found = 1;
 		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); 
@@ -341,10 +357,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }
 
        for (na = daemon->naptr; na; na = na->next)
-	 if (hostname_isequal(name, na->name))
+	 if ((rc = hostname_issubdomain(name, na->name)))
 	   {
 	     nxdomain = 0;
-	     if (qtype == T_NAPTR)
+	     if (rc == 2 && qtype == T_NAPTR)
 	       {
 		 found = 1;
 		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
@@ -358,27 +374,24 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
        if (qtype == T_A)
 	 flag = F_IPV4;
        
-#ifdef HAVE_IPV6
        if (qtype == T_AAAA)
 	 flag = F_IPV6;
-#endif
        
        for (intr = daemon->int_names; intr; intr = intr->next)
-	 if (hostname_isequal(name, intr->name))
+	 if ((rc = hostname_issubdomain(name, intr->name)))
 	   {
 	     struct addrlist *addrlist;
 	     
 	     nxdomain = 0;
 	     
-	     if (flag)
+	     if (rc == 2 && flag)
 	       for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)  
 		 if (((addrlist->flags & ADDRLIST_IPV6)  ? T_AAAA : T_A) == qtype &&
 		     (local_query || filter_zone(zone, flag, &addrlist->addr)))
 		   {
-#ifdef HAVE_IPV6
 		     if (addrlist->flags & ADDRLIST_REVONLY)
 		       continue;
-#endif
+
 		     found = 1;
 		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -388,25 +401,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		   }
 	     }
        
-       for (a = daemon->cnames; a; a = a->next)
-	 if (hostname_isequal(name, a->alias) )
-	   {
-	     log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
-	     strcpy(name, a->target);
-	     if (!strchr(name, '.'))
-	       {
-		 strcat(name, ".");
-		 strcat(name, zone->domain);
-	       }
-	     found = 1;
-	     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-				     daemon->auth_ttl, &nameoffset,
-				     T_CNAME, C_IN, "d", name))
-	       anscount++;
-	     
-	     goto cname_restart;
-	   }
-
       if (!cut)
 	{
 	  nxdomain = 0;
@@ -423,27 +417,24 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      if (peer_addr->sa.sa_family == AF_INET)
 		peer_addr->in.sin_port = 0;
-#ifdef HAVE_IPV6
 	      else
 		{
 		  peer_addr->in6.sin6_port = 0; 
 		  peer_addr->in6.sin6_scope_id = 0;
 		}
-#endif
 	      
 	      for (peers = daemon->auth_peers; peers; peers = peers->next)
 		if (sockaddr_isequal(peer_addr, &peers->addr))
 		  break;
 	      
-	      /* Refuse all AXFR unless --auth-sec-servers is set */
-	      if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
+	      /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
+	      if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
+		  (daemon->auth_peers && !peers)) 
 		{
 		  if (peer_addr->sa.sa_family == AF_INET)
 		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_IPV6
 		  else
 		    inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
-#endif
 		  
 		  my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
 		  return 0;
@@ -477,10 +468,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  { 
 		    nxdomain = 0;
 		    if ((crecp->flags & flag) && 
-			(local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
 			*cut  = 0; /* remove domain part */
 			found = 1;
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -500,9 +491,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    do
 	      { 
 		 nxdomain = 0;
-		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
 		     found = 1;
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
@@ -512,8 +503,64 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      } while ((crecp = cache_find_by_name(crecp, name, now, F_IPV4 | F_IPV6)));
 	}
       
-      if (!found)
+      /* Only supply CNAME if no record for any type is known. */
+      if (nxdomain)
+	{
+	  /* Check for possible wildcard match against *.domain 
+	     return length of match, to get longest.
+	     Note that if return length of wildcard section, so
+	     we match b.simon to _both_ *.simon and b.simon
+	     but return a longer (better) match to b.simon.
+	  */  
+	  for (wclen = 0, candidate = NULL, a = daemon->cnames; a; a = a->next)
+	    if (a->alias[0] == '*')
+	      {
+		char *test = name;
+		
+		while ((test = strchr(test+1, '.')))
+		  {
+		    if (hostname_isequal(test, &(a->alias[1])))
+		      {
+			if (strlen(test) > wclen && !cname_wildcard)
+			  {
+			    wclen = strlen(test);
+			    candidate = a;
+			    cname_wildcard = 1;
+			  }
+			break;
+		      }
+		  }
+		
+	      }
+	    else if (hostname_isequal(a->alias, name) && strlen(a->alias) > wclen)
+	      {
+		/* Simple case, no wildcard */
+		wclen = strlen(a->alias);
+		candidate = a;
+	      }
+	  
+	  if (candidate)
+	    {
+	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
+	      strcpy(name, candidate->target);
+	      if (!strchr(name, '.'))
+		{
+		  strcat(name, ".");
+		  strcat(name, zone->domain);
+		}
+	      found = 1;
+	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				      daemon->auth_ttl, &nameoffset,
+				      T_CNAME, C_IN, "d", name))
+		anscount++;
+	      
+	      goto cname_restart;
+	    }
+	  else if (cache_find_non_terminal(name, now))
+	    nxdomain = 0;
+
 	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL);
+	}
       
     }
   
@@ -533,19 +580,18 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 
 	  if (!(subnet->flags & ADDRLIST_IPV6))
 	    {
-	      in_addr_t a = ntohl(subnet->addr.addr.addr4.s_addr) >> 8;
+	      in_addr_t a = ntohl(subnet->addr.addr4.s_addr) >> 8;
 	      char *p = name;
 	      
 	      if (subnet->prefixlen >= 24)
-		p += sprintf(p, "%d.", a & 0xff);
+		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
 	      if (subnet->prefixlen >= 16 )
-		p += sprintf(p, "%d.", a & 0xff);
+		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
-	      p += sprintf(p, "%d.in-addr.arpa", a & 0xff);
+	      p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
 	      
 	    }
-#ifdef HAVE_IPV6
 	  else
 	    {
 	      char *p = name;
@@ -553,13 +599,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      for (i = subnet->prefixlen-1; i >= 0; i -= 4)
 		{ 
-		  int dig = ((unsigned char *)&subnet->addr.addr.addr6)[i>>3];
+		  int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
 		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
 		}
 	      p += sprintf(p, "ip6.arpa");
 	      
 	    }
-#endif
 	}
       
       /* handle NS and SOA in auth section or for explicit queries */
@@ -583,6 +628,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	{
 	  struct name_list *secondary;
 	  
+	  /* Only include the machine running dnsmasq if it's acting as an auth server */
+	  if (daemon->authinterface)
+	    {
 	      newoffset = ansp - (unsigned char *)header;
 	      if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
 				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
@@ -594,6 +642,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  else
 		    authcount++;
 		}
+	    }
 
 	  if (!subnet)
 	    for (secondary = daemon->secondary_forward_server; secondary; secondary = secondary->next)
@@ -696,14 +745,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 					  daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
 		
-#ifdef HAVE_IPV6
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) 
 		  if ((addrlist->flags & ADDRLIST_IPV6) && 
 		      (local_query || filter_zone(zone, F_IPV6, &addrlist->addr)) &&
 		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
 					  daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
-#endif		    
 		
 		/* restore config data */
 		if (cut)
@@ -740,36 +787,24 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    {
 		      char *cache_name = cache_get_name(crecp);
 		      if (!strchr(cache_name, '.') && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
-			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
-			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						  daemon->auth_ttl, NULL, qtype, C_IN, 
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))) &&
+			  add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					      daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
 					      (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
 			anscount++;
 		    }
-		    }
 		  
 		  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
 		    {
 		      strcpy(name, cache_get_name(crecp));
 		      if (in_zone(zone, name, &cut) && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))))
 			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
 			  if (cut)
 			    *cut = 0;
 
 			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						   daemon->auth_ttl, NULL, qtype, C_IN, 
+						  daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
 						  (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
 			    anscount++;
 			}
@@ -805,7 +840,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       header->hb4 &= ~HB4_RA;
     }
 
-  /* authoritive */
+  /* data is never DNSSEC signed. */
+  header->hb4 &= ~HB4_AD;
+
+  /* authoritative */
   if (auth)
     header->hb3 |= HB3_AA;
   
@@ -820,6 +858,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   header->ancount = htons(anscount);
   header->nscount = htons(authcount);
   header->arcount = htons(0);
+
+  /* Advertise our packet size limit in our reply */
+  if (have_pseudoheader)
+    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+
   return ansp - (unsigned char *)header;
 }
   

src/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -16,8 +16,6 @@
 
 #include "dnsmasq.h"
 
-#ifdef HAVE_DNSSEC
-
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;
 
@@ -25,7 +23,7 @@ static void blockdata_expand(int n)
 {
   struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
   
-  if (n > 0 && new)
+  if (new)
     {
       int i;
       
@@ -49,19 +47,18 @@ void blockdata_init(void)
 
   /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
   if (option_bool(OPT_DNSSEC_VALID))
-    blockdata_expand((daemon->cachesize * 100) / sizeof(struct blockdata));
+    blockdata_expand(daemon->cachesize);
 }
 
 void blockdata_report(void)
 {
-  if (option_bool(OPT_DNSSEC_VALID))
-    my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
+  my_syslog(LOG_INFO, _("pool memory in use %u, max %u, allocated %u"), 
 	    blockdata_count * sizeof(struct blockdata),  
 	    blockdata_hwm * sizeof(struct blockdata),  
 	    blockdata_alloced * sizeof(struct blockdata));
 } 
 
-struct blockdata *blockdata_alloc(char *data, size_t len)
+static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
   struct blockdata *block, *ret = NULL;
   struct blockdata **prev = &ret;
@@ -89,8 +86,17 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
 	blockdata_hwm = blockdata_count; 
       
       blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      if (data)
+	{
 	  memcpy(block->key, data, blen);
 	  data += blen;
+	}
+      else if (!read_write(fd, block->key, blen, 1))
+	{
+	  /* failed read free partial chain */
+	  blockdata_free(ret);
+	  return NULL;
+	}
       len -= blen;
       *prev = block;
       prev = &block->next;
@@ -100,6 +106,11 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
   return ret;
 }
 
+struct blockdata *blockdata_alloc(char *data, size_t len)
+{
+  return blockdata_alloc_real(0, data, len);
+}
+
 void blockdata_free(struct blockdata *blocks)
 {
   struct blockdata *tmp;
@@ -148,4 +159,19 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
   return data;
 }
 
-#endif
+
+void blockdata_write(struct blockdata *block, size_t len, int fd)
+{
+  for (; len > 0 && block; block = block->next)
+    {
+      size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      read_write(fd, block->key, blen, 0);
+      len -= blen;
+    }
+}
+
+struct blockdata *blockdata_read(int fd, size_t len)
+{
+  return blockdata_alloc_real(fd, NULL, len);
+}
+

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -20,7 +20,9 @@
 #include <ifaddrs.h>
 
 #include <sys/param.h>
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 #include <sys/sysctl.h>
+#endif
 #include <net/if.h>
 #include <net/route.h>
 #include <net/if_dl.h>
@@ -29,9 +31,7 @@
 #  include <net/if_var.h> 
 #endif
 #include <netinet/in_var.h>
-#ifdef HAVE_IPV6
-#  include <netinet6/in6_var.h>
-#endif
+#include <netinet6/in6_var.h>
 
 #ifndef SA_SIZE
 #define SA_SIZE(sa)                                             \
@@ -42,7 +42,7 @@
 
 #ifdef HAVE_BSD_NETWORK
 static int del_family = 0;
-static struct all_addr del_addr;
+static union all_addr del_addr;
 #endif
 
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
@@ -103,7 +103,7 @@ int arp_enumerate(void *parm, int (*callback)())
 int iface_enumerate(int family, void *parm, int (*callback)())
 {
   struct ifaddrs *head, *addrs;
-  int errsav, fd = -1, ret = 0;
+  int errsave, fd = -1, ret = 0;
 
   if (family == AF_UNSPEC)
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
@@ -119,7 +119,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
   if (getifaddrs(&head) == -1)
     return 0;
 
-#if defined(HAVE_BSD_NETWORK) && defined(HAVE_IPV6)
+#if defined(HAVE_BSD_NETWORK)
   if (family == AF_INET6)
     fd = socket(PF_INET6, SOCK_DGRAM, 0);
 #endif
@@ -139,7 +139,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      struct in_addr addr, netmask, broadcast;
 	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET && del_addr.addr.addr4.s_addr == addr.s_addr)
+	      if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
 		continue;
 #endif
 	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
@@ -150,7 +150,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
 		goto err;
 	    }
-#ifdef HAVE_IPV6
 	  else if (family == AF_INET6)
 	    {
 	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
@@ -160,14 +159,14 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      u32 valid = 0xffffffff, preferred = 0xffffffff;
 	      int flags = 0;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr.addr6, addr))
+	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
 		continue;
 #endif
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 	      struct in6_ifreq ifr6;
 
 	      memset(&ifr6, 0, sizeof(ifr6));
-	      strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	      safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
 	      
 	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
 	      if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
@@ -217,7 +216,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 				(int) preferred, (int)valid, parm)))
 		goto err;	      
 	    }
-#endif /* HAVE_IPV6 */
 
 #ifdef HAVE_DHCP6      
 	  else if (family == AF_LINK)
@@ -235,11 +233,11 @@ int iface_enumerate(int family, void *parm, int (*callback)())
   ret = 1;
 
  err:
-  errsav = errno;
+  errsave = errno;
   freeifaddrs(head); 
   if (fd != -1)
     close(fd);
-  errno = errsav;
+  errno = errsave;
 
   return ret;
 }
@@ -424,11 +422,9 @@ void route_sock(void)
 	       {
 		 del_family = sa->sa_family;
 		 if (del_family == AF_INET)
-		   del_addr.addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
-#ifdef HAVE_IPV6
+		   del_addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
 		 else if (del_family == AF_INET6)
-		   del_addr.addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
-#endif
+		   del_addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
 		 else
 		   del_family = 0;
 	       }

src/config.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -18,13 +18,17 @@
 #define MAX_PROCS 20 /* max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+#define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
 #define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
 #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
-#define KEYBLOCK_LEN 40 /* choose to mininise fragmentation when storing DNSSEC keys */
+#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
 #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
 #define FORWARD_TEST 50 /* try all servers every 50 queries */
 #define FORWARD_TIME 20 /* or 20 seconds */
+#define UDP_TEST_TIME 60 /* How often to reset our idea of max packet size. */
+#define SERVERS_LOGGED 30 /* Only log this many servers when logging state */
+#define LOCALS_LOGGED 8 /* Only log this many local addresses when logging state */
 #define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
 #define CACHESIZ 150 /* default cache size */
@@ -36,9 +40,11 @@
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 50 /* most domain names are smaller than this */
 #define CNAME_CHAIN 10 /* chains longer than this atr dropped for loop protection */
+#define DNSSEC_MIN_TTL 60 /* DNSKEY and DS records in cache last at least this long */
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
-#define DEFLEASE 3600 /* default lease time, 1 hour */
+#define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
+#define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
@@ -46,6 +52,7 @@
 #define RANDFILE "/dev/urandom"
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
 #define DNSMASQ_PATH "/uk/org/thekelleys/dnsmasq"
+#define DNSMASQ_UBUS_NAME "dnsmasq" /* Default - may be overridden by config */
 #define AUTH_TTL 600 /* default TTL for auth DNS */
 #define SOA_REFRESH 1200 /* SOA refresh default */
 #define SOA_RETRY 180 /* SOA retry default */
@@ -90,14 +97,17 @@ HAVE_DBUS
    support some methods to allow (re)configuration of the upstream DNS 
    servers via DBus.
 
+HAVE_UBUS
+   define this if you want to link against libubus
+
 HAVE_IDN
-   define this if you want international domain name support.
-   NOTE: for backwards compatibility, IDN support is automatically 
-         included when internationalisation support is built, using the 
-	 *-i18n makefile targets, even if HAVE_IDN is not explicitly set.
+   define this if you want international domain name 2003 support.
+   
+HAVE_LIBIDN2
+   define this if you want international domain name 2008 support.
 
 HAVE_CONNTRACK
-   define this to include code which propogates conntrack marks from
+   define this to include code which propagates conntrack marks from
    incoming DNS queries to the corresponding upstream queries. This adds
    a build-dependency on libnetfilter_conntrack, but the resulting binary will
    still run happily on a kernel without conntrack support.
@@ -110,30 +120,35 @@ HAVE_AUTH
    define this to include the facility to act as an authoritative DNS
    server for one or more zones.
 
+HAVE_NETTLEHASH
+   include just hash function from nettle, but no DNSSEC.
+
 HAVE_DNSSEC
    include DNSSEC validator.
 
+HAVE_DUMPFILE
+   include code to dump packets to a libpcap-format file for debugging.
+
 HAVE_LOOP
    include functionality to probe for and remove DNS forwarding loops.
 
 HAVE_INOTIFY
    use the Linux inotify facility to efficiently re-read configuration files.
 
-NO_IPV6
+NO_ID
+   Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
 NO_TFTP
 NO_DHCP
 NO_DHCP6
 NO_SCRIPT
 NO_LARGEFILE
 NO_AUTH
+NO_DUMPFILE
 NO_INOTIFY
-   these are avilable to explictly disable compile time options which would 
-   otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or 
-   which are enabled  by default in the distributed source tree. Building dnsmasq
+   these are available to explicitly disable compile time options which would 
+   otherwise be enabled automatically or which are enabled  by default 
+   in the distributed source tree. Building dnsmasq
    with something like "make COPTS=-DNO_SCRIPT" will do the trick.
-
-NO_NETTLE_ECC
-   Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
 NO_GMP
    Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.
 
@@ -161,6 +176,7 @@ RESOLVFILE
 #define HAVE_AUTH
 #define HAVE_IPSET 
 #define HAVE_LOOP
+#define HAVE_DUMPFILE
 
 /* Build options which require external libraries.
    
@@ -172,7 +188,9 @@ RESOLVFILE
 /* #define HAVE_LUASCRIPT */
 /* #define HAVE_DBUS */
 /* #define HAVE_IDN */
+/* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
+/* #define HAVE_NETTLEHASH */
 /* #define HAVE_DNSSEC */
 
 
@@ -228,27 +246,13 @@ HAVE_SOCKADDR_SA_LEN
    defined if struct sockaddr has sa_len field (*BSD) 
 */
 
-/* Must preceed __linux__ since uClinux defines __linux__ too. */
-#if defined(__uClinux__)
-#define HAVE_LINUX_NETWORK
-#define HAVE_GETOPT_LONG
-#undef HAVE_SOCKADDR_SA_LEN
-/* Never use fork() on uClinux. Note that this is subtly different from the
-   --keep-in-foreground option, since it also  suppresses forking new 
-   processes for TCP connections and disables the call-a-script on leasechange
-   system. It's intended for use on MMU-less kernels. */
-#define NO_FORK
-
-#elif defined(__UCLIBC__)
+#if defined(__UCLIBC__)
 #define HAVE_LINUX_NETWORK
 #if defined(__UCLIBC_HAS_GNU_GETOPT__) || \
    ((__UCLIBC_MAJOR__==0) && (__UCLIBC_MINOR__==9) && (__UCLIBC_SUBLEVEL__<21))
 #    define HAVE_GETOPT_LONG
 #endif
 #undef HAVE_SOCKADDR_SA_LEN
-#if !defined(__ARCH_HAS_MMU__) && !defined(__UCLIBC_HAS_MMU__)
-#  define NO_FORK
-#endif
 #if defined(__UCLIBC_HAS_IPV6__)
 #  ifndef IPV6_V6ONLY
 #    define IPV6_V6ONLY 26
@@ -266,7 +270,7 @@ HAVE_SOCKADDR_SA_LEN
       defined(__DragonFly__) || \
       defined(__FreeBSD_kernel__)
 #define HAVE_BSD_NETWORK
-/* Later verions of FreeBSD have getopt_long() */
+/* Later versions of FreeBSD have getopt_long() */
 #if defined(optional_argument) && defined(required_argument)
 #   define HAVE_GETOPT_LONG
 #endif
@@ -276,11 +280,16 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_BSD_NETWORK
 #define HAVE_GETOPT_LONG
 #define HAVE_SOCKADDR_SA_LEN
+#define NO_IPSET
 /* Define before sys/socket.h is included so we get socklen_t */
 #define _BSD_SOCKLEN_T_
 /* Select the RFC_3542 version of the IPv6 socket API. 
    Define before netinet6/in6.h is included. */
 #define __APPLE_USE_RFC_3542
+/* Required for Mojave. */
+#ifndef SOL_TCP
+#  define SOL_TCP IPPROTO_TCP
+#endif
 #define NO_IPSET
 
 #elif defined(__NetBSD__)
@@ -296,29 +305,9 @@ HAVE_SOCKADDR_SA_LEN
  
 #endif
 
-/* Decide if we're going to support IPv6 */
-/* We assume that systems which don't have IPv6
-   headers don't have ntop and pton either */
-
-#if defined(INET6_ADDRSTRLEN) && defined(IPV6_V6ONLY)
-#  define HAVE_IPV6
-#  define ADDRSTRLEN INET6_ADDRSTRLEN
-#else
-#  if !defined(INET_ADDRSTRLEN)
-#      define INET_ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
-#  endif
-#  undef HAVE_IPV6
-#  define ADDRSTRLEN INET_ADDRSTRLEN
-#endif
-
-
 /* rules to implement compile-time option dependencies and 
    the NO_XXX flags */
 
-#ifdef NO_IPV6
-#undef HAVE_IPV6
-#endif
-
 #ifdef NO_TFTP
 #undef HAVE_TFTP
 #endif
@@ -328,7 +317,7 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_DHCP6
 #endif
 
-#if defined(NO_DHCP6) || !defined(HAVE_IPV6)
+#if defined(NO_DHCP6)
 #undef HAVE_DHCP6
 #endif
 
@@ -337,7 +326,7 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_DHCP
 #endif
 
-#if defined(NO_SCRIPT) || !defined(HAVE_DHCP) || defined(NO_FORK)
+#if defined(NO_SCRIPT)
 #undef HAVE_SCRIPT
 #undef HAVE_LUASCRIPT
 #endif
@@ -359,19 +348,20 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_LOOP
 #endif
 
+#ifdef NO_DUMPFILE
+#undef HAVE_DUMPFILE
+#endif
+
 #if defined (HAVE_LINUX_NETWORK) && !defined(NO_INOTIFY)
 #define HAVE_INOTIFY
 #endif
 
 /* Define a string indicating which options are in use.
-   DNSMASQP_COMPILE_OPTS is only defined in dnsmasq.c */
+   DNSMASQ_COMPILE_OPTS is only defined in dnsmasq.c */
 
 #ifdef DNSMASQ_COMPILE_OPTS
 
 static char *compile_opts = 
-#ifndef HAVE_IPV6
-"no-"
-#endif
 "IPv6 "
 #ifndef HAVE_GETOPT_LONG
 "no-"
@@ -380,21 +370,26 @@ static char *compile_opts =
 #ifdef HAVE_BROKEN_RTC
 "no-RTC "
 #endif
-#ifdef NO_FORK
-"no-MMU "
-#endif
 #ifndef HAVE_DBUS
 "no-"
 #endif
 "DBus "
+#ifndef HAVE_UBUS
+"no-"
+#endif
+"UBus "
 #ifndef LOCALEDIR
 "no-"
 #endif
 "i18n "
-#if !defined(LOCALEDIR) && !defined(HAVE_IDN)
+#if defined(HAVE_LIBIDN2)
+"IDN2 "
+#else
+ #if !defined(HAVE_IDN)
 "no-"
-#endif 
+ #endif 
 "IDN " 
+#endif
 #ifndef HAVE_DHCP
 "no-"
 #endif
@@ -404,14 +399,14 @@ static char *compile_opts =
      "no-"
 #  endif  
      "DHCPv6 "
-#  if !defined(HAVE_SCRIPT)
+#endif
+#if !defined(HAVE_SCRIPT)
      "no-scripts "
-#  else
+#else
 #  if !defined(HAVE_LUASCRIPT)
      "no-"
 #  endif
      "Lua "
-#  endif
 #endif
 #ifndef HAVE_TFTP
 "no-"
@@ -429,10 +424,17 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
+#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
+"no-"
+#endif
+"nettlehash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif
 "DNSSEC "
+#ifdef NO_ID
+"no-ID "
+#endif
 #ifndef HAVE_LOOP
 "no-"
 #endif
@@ -440,8 +442,11 @@ static char *compile_opts =
 #ifndef HAVE_INOTIFY
 "no-"
 #endif
-"inotify";
-
+"inotify "
+#ifndef HAVE_DUMPFILE
+"no-"
+#endif
+"dumpfile";
 
 #endif
 

src/conntrack.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ static int gotit = 0; /* yuck */
 
 static int callback(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data);
 
-int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp)
+int get_incoming_mark(union mysockaddr *peer_addr, union all_addr *local_addr, int istcp, unsigned int *markp)
 {
   struct nf_conntrack *ct;
   struct nfct_handle *h;
@@ -36,21 +36,19 @@ int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr,
       nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP);
       nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port));
       
-#ifdef HAVE_IPV6
       if (peer_addr->sa.sa_family == AF_INET6)
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6);
 	  nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port);
-	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr);
+	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr6.s6_addr);
 	}
       else
-#endif
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
 	  nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port);
-	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr);
+	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr4.s_addr);
 	}
       
       

src/crypto.c

@@ -0,0 +1,482 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_DNSSEC
+
+#include <nettle/rsa.h>
+#include <nettle/ecdsa.h>
+#include <nettle/ecc-curve.h>
+#include <nettle/eddsa.h>
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+#  include <nettle/gostdsa.h>
+#endif
+#endif
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+#include <nettle/nettle-meta.h>
+#include <nettle/bignum.h>
+
+/* Implement a "hash-function" to the nettle API, which simply returns
+   the input data, concatenated into a single, statically maintained, buffer.
+
+   Used for the EdDSA sigs, which operate on the whole message, rather 
+   than a digest. */
+
+struct null_hash_digest
+{
+  uint8_t *buff;
+  size_t len;
+};
+
+struct null_hash_ctx
+{
+  size_t len;
+};
+
+static size_t null_hash_buff_sz = 0;
+static uint8_t *null_hash_buff = NULL;
+#define BUFF_INCR 128
+
+static void null_hash_init(void *ctx)
+{
+  ((struct null_hash_ctx *)ctx)->len = 0;
+}
+
+static void null_hash_update(void *ctxv, size_t length, const uint8_t *src)
+{
+  struct null_hash_ctx *ctx = ctxv;
+  size_t new_len = ctx->len + length;
+  
+  if (new_len > null_hash_buff_sz)
+    {
+      uint8_t *new;
+      
+      if (!(new = whine_malloc(new_len + BUFF_INCR)))
+	return;
+
+      if (null_hash_buff)
+	{
+	  if (ctx->len != 0)
+	    memcpy(new, null_hash_buff, ctx->len);
+	  free(null_hash_buff);
+	}
+      
+      null_hash_buff_sz = new_len + BUFF_INCR;
+      null_hash_buff = new;
+    }
+
+  memcpy(null_hash_buff + ctx->len, src, length);
+  ctx->len += length;
+}
+ 
+
+static void null_hash_digest(void *ctx, size_t length, uint8_t *dst)
+{
+  (void)length;
+  
+  ((struct null_hash_digest *)dst)->buff = null_hash_buff;
+  ((struct null_hash_digest *)dst)->len = ((struct null_hash_ctx *)ctx)->len;
+}
+
+static struct nettle_hash null_hash = {
+  "null_hash",
+  sizeof(struct null_hash_ctx),
+  sizeof(struct null_hash_digest),
+  0,
+  (nettle_hash_init_func *) null_hash_init,
+  (nettle_hash_update_func *) null_hash_update,
+  (nettle_hash_digest_func *) null_hash_digest
+};
+
+/* Find pointer to correct hash function in nettle library */
+const struct nettle_hash *hash_find(char *name)
+{
+  if (!name)
+    return NULL;
+  
+  /* We provide a "null" hash which returns the input data as digest. */
+  if (strcmp(null_hash.name, name) == 0)
+    return &null_hash;
+
+  /* libnettle >= 3.4 provides nettle_lookup_hash() which avoids nasty ABI
+     incompatibilities if sizeof(nettle_hashes) changes between library
+     versions. It also #defines nettle_hashes, so use that to tell
+     if we have the new facilities. */
+  
+#ifdef nettle_hashes
+  return nettle_lookup_hash(name);
+#else
+  {
+    int i;
+
+    for (i = 0; nettle_hashes[i]; i++)
+      if (strcmp(nettle_hashes[i]->name, name) == 0)
+	return nettle_hashes[i];
+  }
+  
+  return NULL;
+#endif
+}
+
+/* expand ctx and digest memory allocations if necessary and init hash function */
+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)
+{
+  static void *ctx = NULL;
+  static unsigned char *digest = NULL;
+  static unsigned int ctx_sz = 0;
+  static unsigned int digest_sz = 0;
+
+  void *new;
+
+  if (ctx_sz < hash->context_size)
+    {
+      if (!(new = whine_malloc(hash->context_size)))
+	return 0;
+      if (ctx)
+	free(ctx);
+      ctx = new;
+      ctx_sz = hash->context_size;
+    }
+  
+  if (digest_sz < hash->digest_size)
+    {
+      if (!(new = whine_malloc(hash->digest_size)))
+	return 0;
+      if (digest)
+	free(digest);
+      digest = new;
+      digest_sz = hash->digest_size;
+    }
+
+  *ctxp = ctx;
+  *digestp = digest;
+
+  hash->init(ctx);
+
+  return 1;
+}
+
+#endif
+
+#ifdef HAVE_DNSSEC
+  
+static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+			      unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  size_t exp_len;
+  
+  static struct rsa_public_key *key = NULL;
+  static mpz_t sig_mpz;
+
+  (void)digest_len;
+  
+  if (key == NULL)
+    {
+      if (!(key = whine_malloc(sizeof(struct rsa_public_key))))
+	return 0;
+      
+      nettle_rsa_public_key_init(key);
+      mpz_init(sig_mpz);
+    }
+  
+  if ((key_len < 3) || !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  key_len--;
+  if ((exp_len = *p++) == 0)
+    {
+      GETSHORT(exp_len, p);
+      key_len -= 2;
+    }
+  
+  if (exp_len >= key_len)
+    return 0;
+  
+  key->size =  key_len - exp_len;
+  mpz_import(key->e, exp_len, 1, 1, 0, 0, p);
+  mpz_import(key->n, key->size, 1, 1, 0, 0, p + exp_len);
+
+  mpz_import(sig_mpz, sig_len, 1, 1, 0, 0, sig);
+  
+  switch (algo)
+    {
+    case 5: case 7:
+      return nettle_rsa_sha1_verify_digest(key, digest, sig_mpz);
+    case 8:
+      return nettle_rsa_sha256_verify_digest(key, digest, sig_mpz);
+    case 10:
+      return nettle_rsa_sha512_verify_digest(key, digest, sig_mpz);
+    }
+
+  return 0;
+}  
+
+static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				unsigned char *sig, size_t sig_len,
+				unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  unsigned int t;
+  struct ecc_point *key;
+
+  static struct ecc_point *key_256 = NULL, *key_384 = NULL;
+  static mpz_t x, y;
+  static struct dsa_signature *sig_struct;
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR < 4
+#define nettle_get_secp_256r1() (&nettle_secp_256r1)
+#define nettle_get_secp_384r1() (&nettle_secp_384r1)
+#endif
+  
+  if (!sig_struct)
+    {
+      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))))
+	return 0;
+      
+      nettle_dsa_signature_init(sig_struct);
+      mpz_init(x);
+      mpz_init(y);
+    }
+  
+  switch (algo)
+    {
+    case 13:
+      if (!key_256)
+	{
+	  if (!(key_256 = whine_malloc(sizeof(struct ecc_point))))
+	    return 0;
+	  
+	  nettle_ecc_point_init(key_256, nettle_get_secp_256r1());
+	}
+      
+      key = key_256;
+      t = 32;
+      break;
+      
+    case 14:
+      if (!key_384)
+	{
+	  if (!(key_384 = whine_malloc(sizeof(struct ecc_point))))
+	    return 0;
+	  
+	  nettle_ecc_point_init(key_384, nettle_get_secp_384r1());
+	}
+      
+      key = key_384;
+      t = 48;
+      break;
+        
+    default:
+      return 0;
+    }
+  
+  if (sig_len != 2*t || key_len != 2*t ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  mpz_import(x, t , 1, 1, 0, 0, p);
+  mpz_import(y, t , 1, 1, 0, 0, p + t);
+
+  if (!ecc_point_set(key, x, y))
+    return 0;
+  
+  mpz_import(sig_struct->r, t, 1, 1, 0, 0, sig);
+  mpz_import(sig_struct->s, t, 1, 1, 0, 0, sig + t);
+  
+  return nettle_ecdsa_verify(key, digest_len, digest, sig_struct);
+}
+
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				  unsigned char *sig, size_t sig_len,
+				  unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  
+  static struct ecc_point *gost_key = NULL;
+  static mpz_t x, y;
+  static struct dsa_signature *sig_struct;
+
+  if (algo != 12 ||
+      sig_len != 64 || key_len != 64 ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  if (!sig_struct)
+    {
+      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) ||
+	  !(gost_key = whine_malloc(sizeof(struct ecc_point))))
+	return 0;
+      
+      nettle_dsa_signature_init(sig_struct);
+      nettle_ecc_point_init(gost_key, nettle_get_gost_gc256b());
+      mpz_init(x);
+      mpz_init(y);
+    }
+    
+  mpz_import(x, 32 , 1, 1, 0, 0, p);
+  mpz_import(y, 32 , 1, 1, 0, 0, p + 32);
+
+  if (!ecc_point_set(gost_key, x, y))
+    return 0;
+  
+  mpz_import(sig_struct->r, 32, 1, 1, 0, 0, sig);
+  mpz_import(sig_struct->s, 32, 1, 1, 0, 0, sig + 32);
+  
+  return nettle_gostdsa_verify(gost_key, digest_len, digest, sig_struct);
+}
+#endif
+
+static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				unsigned char *sig, size_t sig_len,
+				unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+   
+  if (digest_len != sizeof(struct null_hash_digest) ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  /* The "digest" returned by the null_hash function is simply a struct null_hash_digest
+     which has a pointer to the actual data and a length, because the buffer
+     may need to be extended during "hashing". */
+  
+  switch (algo)
+    {
+    case 15:
+      if (key_len != ED25519_KEY_SIZE ||
+	  sig_len != ED25519_SIGNATURE_SIZE)
+	return 0;
+
+      return ed25519_sha512_verify(p,
+				   ((struct null_hash_digest *)digest)->len,
+				   ((struct null_hash_digest *)digest)->buff,
+				   sig);
+      
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+    case 16:
+      if (key_len != ED448_KEY_SIZE ||
+	  sig_len != ED448_SIGNATURE_SIZE)
+	return 0;
+
+      return ed448_shake256_verify(p,
+				   ((struct null_hash_digest *)digest)->len,
+				   ((struct null_hash_digest *)digest)->buff,
+				   sig);
+#endif
+
+    }
+
+  return 0;
+}
+
+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+			     unsigned char *digest, size_t digest_len, int algo)
+{
+    
+  /* Ensure at runtime that we have support for this digest */
+  if (!hash_find(algo_digest_name(algo)))
+    return NULL;
+  
+  /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
+  switch (algo)
+    {
+    case 5: case 7: case 8: case 10:
+      return dnsmasq_rsa_verify;
+
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+    case 12:
+      return dnsmasq_gostdsa_verify;
+#endif
+      
+    case 13: case 14:
+      return dnsmasq_ecdsa_verify;
+
+    case 15: case 16:
+      return dnsmasq_eddsa_verify;
+    }
+  
+  return NULL;
+}
+
+int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+	   unsigned char *digest, size_t digest_len, int algo)
+{
+
+  int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+	      unsigned char *digest, size_t digest_len, int algo);
+  
+  func = verify_func(algo);
+  
+  if (!func)
+    return 0;
+
+  return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
+}
+
+/* Note the ds_digest_name(), algo_digest_name() and nsec3_digest_name()
+   define which algo numbers we support. If algo_digest_name() returns
+   non-NULL for an algorithm number, we assume that algorithm is 
+   supported by verify(). */
+
+/* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
+char *ds_digest_name(int digest)
+{
+  switch (digest)
+    {
+    case 1: return "sha1";
+    case 2: return "sha256";
+    case 3: return "gosthash94";
+    case 4: return "sha384";
+    default: return NULL;
+    }
+}
+ 
+/* http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
+char *algo_digest_name(int algo)
+{
+  switch (algo)
+    {
+    case 1: return NULL;          /* RSA/MD5 - Must Not Implement.  RFC 6944 para 2.3. */
+    case 2: return NULL;          /* Diffie-Hellman */
+    case 3: return NULL; ;        /* DSA/SHA1 - Must Not Implement. RFC 8624 section 3.1 */ 
+    case 5: return "sha1";        /* RSA/SHA1 */
+    case 6: return NULL;          /* DSA-NSEC3-SHA1 - Must Not Implement. RFC 8624 section 3.1 */
+    case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
+    case 8: return "sha256";      /* RSA/SHA-256 */
+    case 10: return "sha512";     /* RSA/SHA-512 */
+    case 12: return "gosthash94"; /* ECC-GOST */
+    case 13: return "sha256";     /* ECDSAP256SHA256 */
+    case 14: return "sha384";     /* ECDSAP384SHA384 */ 	
+    case 15: return "null_hash";  /* ED25519 */
+    case 16: return "null_hash";  /* ED448 */
+    default: return NULL;
+    }
+}
+  
+/* http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml */
+char *nsec3_digest_name(int digest)
+{
+  switch (digest)
+    {
+    case 1: return "sha1";
+    default: return NULL;
+    }
+}
+
+#endif

src/dbus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -85,6 +85,9 @@ const char* introspection_xml_template =
 "       <arg name=\"success\" type=\"b\" direction=\"out\"/>\n"
 "    </method>\n"
 #endif
+"    <method name=\"GetMetrics\">\n"
+"      <arg name=\"metrics\" direction=\"out\" type=\"a{su}\"/>\n"
+"    </method>\n"
 "  </interface>\n"
 "</node>\n";
 
@@ -182,9 +185,6 @@ static void dbus_read_servers(DBusMessage *message)
 		}
 	    }
 
-#ifndef HAVE_IPV6
-	  my_syslog(LOG_WARNING, _("attempt to set an IPv6 server address via DBus - no IPv6 support"));
-#else
 	  if (i == sizeof(struct in6_addr))
 	    {
 	      memcpy(&addr.in6.sin6_addr, p, sizeof(struct in6_addr));
@@ -199,7 +199,6 @@ static void dbus_read_servers(DBusMessage *message)
               source_addr.in6.sin6_port = htons(daemon->query_port);
 	      skip = 0;
 	    }
-#endif
 	}
       else
 	/* At the end */
@@ -238,7 +237,7 @@ static DBusMessage *dbus_reply_server_loop(DBusMessage *message)
   for (serv = daemon->servers; serv; serv = serv->next)
     if (serv->flags & SERV_LOOP)
       {
-	prettyprint_addr(&serv->addr, daemon->addrbuff);
+	(void)prettyprint_addr(&serv->addr, daemon->addrbuff);
 	dbus_message_iter_append_basic (&args_iter, DBUS_TYPE_STRING, &daemon->addrbuff);
       }
   
@@ -457,7 +456,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
   int clid_len, hostname_len, hw_len, hw_type;
   dbus_uint32_t expires, ia_id;
   dbus_bool_t is_temporary;
-  struct all_addr addr;
+  union all_addr addr;
   time_t now = dnsmasq_time();
   unsigned char dhcp_chaddr[DHCP_CHADDR_MAX];
 
@@ -527,20 +526,20 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 
   dbus_message_iter_get_basic(&iter, &is_temporary);
 
-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
     {
       if (ia_id != 0 || is_temporary)
 	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				      "ia_id and is_temporary must be zero for IPv4 lease");
       
-      if (!(lease = lease_find_by_addr(addr.addr.addr4)))
-    	lease = lease4_allocate(addr.addr.addr4);
+      if (!(lease = lease_find_by_addr(addr.addr4)))
+    	lease = lease4_allocate(addr.addr4);
     }
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
     {
-      if (!(lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0)))
-	lease = lease6_allocate(&addr.addr.addr6,
+      if (!(lease = lease6_find_by_addr(&addr.addr6, 128, 0)))
+	lease = lease6_allocate(&addr.addr6,
 				is_temporary ? LEASE_TA : LEASE_NA);
       lease_set_iaid(lease, ia_id);
     }
@@ -549,8 +548,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
     return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
 					 "Invalid IP address '%s'", ipaddr);
    
-  hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL,
-		     &hw_type);
+  hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
   if (hw_type == 0 && hw_len != 0)
     hw_type = ARPHRD_ETHER;
   
@@ -572,7 +570,7 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
   DBusMessageIter iter;
   const char *ipaddr;
   DBusMessage *reply;
-  struct all_addr addr;
+  union all_addr addr;
   dbus_bool_t ret = 1;
   time_t now = dnsmasq_time();
 
@@ -586,11 +584,11 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
    
   dbus_message_iter_get_basic(&iter, &ipaddr);
 
-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
-    lease = lease_find_by_addr(addr.addr.addr4);
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
+    lease = lease_find_by_addr(addr.addr4);
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
-    lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0);
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
+    lease = lease6_find_by_addr(&addr.addr6, 128, 0);
 #endif
   else
     return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
@@ -614,6 +612,30 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
 }
 #endif
 
+static DBusMessage *dbus_get_metrics(DBusMessage* message)
+{
+  DBusMessage *reply = dbus_message_new_method_return(message);
+  DBusMessageIter array, dict, iter;
+  int i;
+
+  dbus_message_iter_init_append(reply, &iter);
+  dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, "{su}", &array);
+
+  for (i = 0; i < __METRIC_MAX; i++) {
+    const char *key     = get_metric_name(i);
+    dbus_uint32_t value = daemon->metrics[i];
+
+    dbus_message_iter_open_container(&array, DBUS_TYPE_DICT_ENTRY, NULL, &dict);
+    dbus_message_iter_append_basic(&dict, DBUS_TYPE_STRING, &key);
+    dbus_message_iter_append_basic(&dict, DBUS_TYPE_UINT32, &value);
+    dbus_message_iter_close_container(&array, &dict);
+  }
+
+  dbus_message_iter_close_container(&iter, &array);
+
+  return reply;
+}
+
 DBusHandlerResult message_handler(DBusConnection *connection, 
 				  DBusMessage *message, 
 				  void *user_data)
@@ -681,6 +703,10 @@ DBusHandlerResult message_handler(DBusConnection *connection,
       reply = dbus_del_lease(message);
     }
 #endif
+  else if (strcmp(method, "GetMetrics") == 0)
+    {
+      reply = dbus_get_metrics(message);
+    }
   else if (strcmp(method, "ClearCache") == 0)
     clear_cache = 1;
   else

src/dhcp-common.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -22,9 +22,9 @@ void dhcp_common_init(void)
 {
   /* These each hold a DHCP option max size 255
      and get a terminating zero added */
-  daemon->dhcp_buff = safe_malloc(256);
-  daemon->dhcp_buff2 = safe_malloc(256); 
-  daemon->dhcp_buff3 = safe_malloc(256);
+  daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
+  daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ); 
+  daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
   
   /* dhcp_packet is used by v4 and v6, outpacket only by v6 
      sizeof(struct dhcp_packet) is as good an initial size as any,
@@ -38,7 +38,7 @@ void dhcp_common_init(void)
 
 ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 {  
-  ssize_t sz;
+  ssize_t sz, new_sz;
  
   while (1)
     {
@@ -65,9 +65,18 @@ ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 	}
     }
   
-  while ((sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
+  while ((new_sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
 
-  return (msg->msg_flags & MSG_TRUNC) ? -1 : sz;
+  /* Some kernels seem to ignore MSG_PEEK, and dequeue the packet anyway. 
+     If that happens we get EAGAIN here because the socket is non-blocking.
+     Use the result of the original testing recvmsg as long as the buffer
+     was big enough. There's a small race here that may lose the odd packet,
+     but it's UDP anyway. */
+  
+  if (new_sz == -1 && (errno == EWOULDBLOCK || errno == EAGAIN))
+    new_sz = sz;
+  
+  return (msg->msg_flags & MSG_TRUNC) ? -1 : new_sz;
 }
 
 struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
@@ -272,34 +281,44 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
   if (!context) /* called via find_config() from lease_update_from_configs() */
     return 1; 
   
-  if (!(config->flags & (CONFIG_ADDR | CONFIG_ADDR6)))
-    return 1;
-  
-#ifdef HAVE_DHCP6
-  if ((context->flags & CONTEXT_V6) && (config->flags & CONFIG_WILDCARD))
-    return 1;
-#endif
-
-  for (; context; context = context->current)
 #ifdef HAVE_DHCP6
   if (context->flags & CONTEXT_V6)
     {
-	if ((config->flags & CONFIG_ADDR6) && is_same_net6(&config->addr6, &context->start6, context->prefix))
+       struct addrlist *addr_list;
+
+       if (!(config->flags & CONFIG_ADDR6))
 	 return 1;
+       
+        for (; context; context = context->current)
+	  for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	    {
+	      if ((addr_list->flags & ADDRLIST_WILDCARD) && context->prefix == 64)
+		return 1;
+	      
+	      if (is_same_net6(&addr_list->addr.addr6, &context->start6, context->prefix))
+		return 1;
+	    }
     }
   else
 #endif
+    {
+      if (!(config->flags & CONFIG_ADDR))
+	return 1;
+      
+      for (; context; context = context->current)
 	if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
 	  return 1;
+    }
 
   return 0;
 }
 
-struct dhcp_config *find_config(struct dhcp_config *configs,
+static struct dhcp_config *find_config_match(struct dhcp_config *configs,
 					     struct dhcp_context *context,
 					     unsigned char *clid, int clid_len,
 					     unsigned char *hwaddr, int hw_len, 
-				int hw_type, char *hostname)
+					     int hw_type, char *hostname,
+					     struct dhcp_netid *tags, int tag_not_needed)
 {
   int count, new;
   struct dhcp_config *config, *candidate; 
@@ -311,7 +330,9 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	{
 	  if (config->clid_len == clid_len && 
 	      memcmp(config->clid, clid, clid_len) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
+	    
 	    return config;
 	  
 	  /* dhcpcd prefixes ASCII client IDs by zero which is wrong, but we try and
@@ -319,7 +340,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	     see lease_update_from_configs() */
 	  if ((!context || !(context->flags & CONTEXT_V6)) && *clid == 0 && config->clid_len == clid_len-1  &&
 	      memcmp(config->clid, clid+1, clid_len-1) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
 	    return config;
 	}
   
@@ -327,14 +349,16 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
   if (hwaddr)
     for (config = configs; config; config = config->next)
       if (config_has_mac(config, hwaddr, hw_len, hw_type) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;
   
   if (hostname && context)
     for (config = configs; config; config = config->next)
       if ((config->flags & CONFIG_NAME) && 
 	  hostname_isequal(config->hostname, hostname) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;
 
   
@@ -343,7 +367,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 
   /* use match with fewest wildcard octets */
   for (candidate = NULL, count = 0, config = configs; config; config = config->next)
-    if (is_config_in_context(context, config))
+    if (is_config_in_context(context, config) &&
+	match_netid(config->filter, tags, tag_not_needed))
       for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
 	if (conf_addr->wildcard_mask != 0 &&
 	    conf_addr->hwaddr_len == hw_len &&	
@@ -357,6 +382,21 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
   return candidate;
 }
 
+/* Find tagged configs first. */
+struct dhcp_config *find_config(struct dhcp_config *configs,
+				struct dhcp_context *context,
+				unsigned char *clid, int clid_len,
+				unsigned char *hwaddr, int hw_len, 
+				int hw_type, char *hostname, struct dhcp_netid *tags)
+{
+  struct dhcp_config *ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 0);
+
+  if (!ret)
+    ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 1);
+
+  return ret;
+}
+
 void dhcp_update_configs(struct dhcp_config *configs)
 {
   /* Some people like to keep all static IP addresses in /etc/hosts.
@@ -371,8 +411,14 @@ void dhcp_update_configs(struct dhcp_config *configs)
   int prot = AF_INET;
 
   for (config = configs; config; config = config->next)
+  {
     if (config->flags & CONFIG_ADDR_HOSTS)
-      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR6 | CONFIG_ADDR_HOSTS);
+      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
+#ifdef HAVE_DHCP6
+    if (config->flags & CONFIG_ADDR6_HOSTS)
+      config->flags &= ~(CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS);
+#endif
+  }
 
 #ifdef HAVE_DHCP6 
  again:  
@@ -403,30 +449,41 @@ void dhcp_update_configs(struct dhcp_config *configs)
 		  crec = cache_find_by_name(crec, config->hostname, 0, cacheflags);
 		if (!crec)
 		  continue; /* should be never */
-		inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+		inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 		my_syslog(MS_DHCP | LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
 			  config->hostname, daemon->addrbuff);
 	      }
 	    
 	    if (prot == AF_INET && 
-		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr.addr.addr4)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr4)) || conf_tmp == config))
 	      {
-		config->addr = crec->addr.addr.addr.addr4;
+		config->addr = crec->addr.addr4;
 		config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
 		continue;
 	      }
 
 #ifdef HAVE_DHCP6
 	    if (prot == AF_INET6 && 
-		(!(conf_tmp = config_find_by_address6(configs, &crec->addr.addr.addr.addr6, 128, 0)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address6(configs, NULL, 0, &crec->addr.addr6)) || conf_tmp == config))
 	      {
-		memcpy(&config->addr6, &crec->addr.addr.addr.addr6, IN6ADDRSZ);
-		config->flags |= CONFIG_ADDR6 | CONFIG_ADDR_HOSTS;
+		/* host must have exactly one address if comming from /etc/hosts. */
+		if (!config->addr6 && (config->addr6 = whine_malloc(sizeof(struct addrlist))))
+		  {
+		    config->addr6->next = NULL;
+		    config->addr6->flags = 0;
+		  }
+
+		if (config->addr6 && !config->addr6->next && !(config->addr6->flags & (ADDRLIST_WILDCARD|ADDRLIST_PREFIX)))
+		  {
+		    memcpy(&config->addr6->addr.addr6, &crec->addr.addr6, IN6ADDRSZ);
+		    config->flags |= CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS;
+		  }
+	    
 		continue;
 	      }
 #endif
 
-	    inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+	    inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 	    my_syslog(MS_DHCP | LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
 		      daemon->addrbuff, config->hostname);
 	    
@@ -485,11 +542,11 @@ char *whichdevice(void)
  
 void  bindtodevice(char *device, int fd)
 {
-  struct ifreq ifr;
-  
-  strcpy(ifr.ifr_name, device);
+  size_t len = strlen(device)+1;
+  if (len > IFNAMSIZ)
+    len = IFNAMSIZ;
   /* only allowed by root. */
-  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) == -1 &&
+  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, device, len) == -1 &&
       errno != EPERM)
     die(_("failed to set SO_BINDTODEVICE on DHCP socket: %s"), NULL, EC_BADNET);
 }
@@ -559,6 +616,7 @@ static const struct opttab_t {
   { "nntp-server", 71, OT_ADDR_LIST }, 
   { "irc-server", 74, OT_ADDR_LIST }, 
   { "user-class", 77, 0 },
+  { "rapid-commit", 80, 0 },
   { "FQDN", 81, OT_INTERNAL },
   { "agent-id", 82, OT_INTERNAL },
   { "client-arch", 93, 2 | OT_DEC },
@@ -569,6 +627,7 @@ static const struct opttab_t {
   { "sip-server", 120, 0 },
   { "classless-static-route", 121, 0 },
   { "vendor-id-encap", 125, 0 },
+  { "tftp-server-address", 150, OT_ADDR_LIST },
   { "server-ip-address", 255, OT_ADDR_LIST }, /* special, internal only, sets siaddr */
   { NULL, 0, 0 }
 };
@@ -599,7 +658,7 @@ static const struct opttab_t opttab6[] = {
   { "sntp-server", 31,  OT_ADDR_LIST },
   { "information-refresh-time", 32, OT_TIME },
   { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
-  { "ntp-server", 56,  OT_ADDR_LIST },
+  { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
   { "bootfile-url", 59, OT_NAME },
   { "bootfile-param", 60, OT_CSTRING },
   { NULL, 0, 0 }
@@ -692,7 +751,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 	    
 	    if (ot[o].size & OT_ADDR_LIST) 
 	      {
-		struct all_addr addr;
+		union all_addr addr;
 		int addr_len = INADDRSZ;
 
 #ifdef HAVE_DHCP6
@@ -855,14 +914,14 @@ void log_context(int family, struct dhcp_context *context)
       if (context->flags & CONTEXT_RA_STATELESS)
 	{
 	  if (context->flags & CONTEXT_TEMPLATE)
-	    strncpy(daemon->dhcp_buff, context->template_interface, 256);
+	    strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
 	  else
 	    strcpy(daemon->dhcp_buff, daemon->addrbuff);
 	}
       else 
 #endif
-	inet_ntop(family, start, daemon->dhcp_buff, 256);
-      inet_ntop(family, end, daemon->dhcp_buff3, 256);
+	inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
+      inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
       my_syslog(MS_DHCP | LOG_INFO, 
 		(context->flags & CONTEXT_RA_STATELESS) ? 
 		_("%s stateless on %s%.0s%.0s%s") :

src/dhcp-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -19,6 +19,10 @@
 #define DHCP_CLIENT_ALTPORT 1068
 #define PXE_PORT 4011
 
+/* These each hold a DHCP option max size 255
+   and get a terminating zero added */
+#define DHCP_BUFF_SZ 256
+
 #define BOOTREQUEST              1
 #define BOOTREPLY                2
 #define DHCP_COOKIE              0x63825363
@@ -50,6 +54,7 @@
 #define OPTION_SNAME             66
 #define OPTION_FILENAME          67
 #define OPTION_USER_CLASS        77
+#define OPTION_RAPID_COMMIT      80
 #define OPTION_CLIENT_FQDN       81
 #define OPTION_AGENT_ID          82
 #define OPTION_ARCH              93

src/dhcp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -67,9 +67,9 @@ static int make_fd(int port)
       setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &oneopt, sizeof(oneopt)) == -1)  
     die(_("failed to set options on DHCP socket: %s"), NULL, EC_BADNET);
   
-  /* When bind-interfaces is set, there might be more than one dnmsasq
+  /* When bind-interfaces is set, there might be more than one dnsmasq
      instance binding port 67. That's OK if they serve different networks.
-     Need to set REUSEADDR|REUSEPORT to make this posible.
+     Need to set REUSEADDR|REUSEPORT to make this possible.
      Handle the case that REUSEPORT is defined, but the kernel doesn't 
      support it. This handles the introduction of REUSEPORT on Linux. */
   if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND))
@@ -145,11 +145,14 @@ void dhcp_packet(time_t now, int pxe_fd)
   struct cmsghdr *cmptr;
   struct iovec iov;
   ssize_t sz; 
-  int iface_index = 0, unicast_dest = 0, is_inform = 0;
+  int iface_index = 0, unicast_dest = 0, is_inform = 0, loopback = 0;
+  int rcvd_iface_index;
   struct in_addr iface_addr;
   struct iface_param parm;
+  time_t recvtime = now;
 #ifdef HAVE_LINUX_NETWORK
   struct arpreq arp_req;
+  struct timeval tv;
 #endif
   
   union {
@@ -176,6 +179,9 @@ void dhcp_packet(time_t now, int pxe_fd)
     return;
     
   #if defined (HAVE_LINUX_NETWORK)
+  if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
+    recvtime = tv.tv_sec;
+
   if (msg.msg_controllen >= sizeof(struct cmsghdr))
     for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
       if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
@@ -217,12 +223,16 @@ void dhcp_packet(time_t now, int pxe_fd)
 	}
 #endif
 	
-  if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name))
+  if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name) ||
+      ioctl(daemon->dhcpfd, SIOCGIFFLAGS, &ifr) != 0)
     return;
   
+  mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
+  loopback = !mess->giaddr.s_addr && (ifr.ifr_flags & IFF_LOOPBACK);
+  
 #ifdef HAVE_LINUX_NETWORK
   /* ARP fiddling uses original interface even if we pretend to use a different one. */
-  strncpy(arp_req.arp_dev, ifr.ifr_name, 16);
+  safe_strncpy(arp_req.arp_dev, ifr.ifr_name, sizeof(arp_req.arp_dev));
 #endif 
 
   /* If the interface on which the DHCP request was received is an
@@ -230,6 +240,7 @@ void dhcp_packet(time_t now, int pxe_fd)
      --bridge-interface option), change ifr.ifr_name so that we look
      for DHCP contexts associated with the aliased interface instead
      of with the aliasing one. */
+  rcvd_iface_index = iface_index;
   for (bridge = daemon->bridges; bridge; bridge = bridge->next)
     {
       for (alias = bridge->alias; alias; alias = alias->next)
@@ -244,7 +255,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	      }
 	    else 
 	      {
-		strncpy(ifr.ifr_name,  bridge->iface, IF_NAMESIZE);
+		safe_strncpy(ifr.ifr_name,  bridge->iface, sizeof(ifr.ifr_name));
 		break;
 	      }
 	  }
@@ -262,13 +273,13 @@ void dhcp_packet(time_t now, int pxe_fd)
   if ((relay = relay_reply4((struct dhcp_packet *)daemon->dhcp_packet.iov_base, ifr.ifr_name)))
     {
       /* Reply from server, using us as relay. */
-      iface_index = relay->iface_index;
-      if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name))
+      rcvd_iface_index = relay->iface_index;
+      if (!indextoname(daemon->dhcpfd, rcvd_iface_index, ifr.ifr_name))
 	return;
       is_relay_reply = 1; 
       iov.iov_len = sz;
 #ifdef HAVE_LINUX_NETWORK
-      strncpy(arp_req.arp_dev, ifr.ifr_name, 16);
+      safe_strncpy(arp_req.arp_dev, ifr.ifr_name, sizeof(arp_req.arp_dev));
 #endif 
     }
   else
@@ -278,6 +289,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
       else
 	{
+	  if (iface_check(AF_INET, NULL, ifr.ifr_name, NULL))
 	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
 	  return;
 	}
@@ -298,7 +310,7 @@ void dhcp_packet(time_t now, int pxe_fd)
       parm.relay_local.s_addr = 0;
       parm.ind = iface_index;
       
-      if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
+      if (!iface_check(AF_INET, (union all_addr *)&iface_addr, ifr.ifr_name, NULL))
 	{
 	  /* If we failed to match the primary address of the interface, see if we've got a --listen-address
 	     for a secondary */
@@ -323,7 +335,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 
       /* We're relaying this request */
       if  (parm.relay_local.s_addr != 0 &&
-	   relay_upstream4(parm.relay, (struct dhcp_packet *)daemon->dhcp_packet.iov_base, (size_t)sz, iface_index))
+	   relay_upstream4(parm.relay, mess, (size_t)sz, iface_index))
 	return;
 
       /* May have configured relay, but not DHCP server */
@@ -332,7 +344,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 
       lease_prune(NULL, now); /* lose any expired leases */
       iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
-			       now, unicast_dest, &is_inform, pxe_fd, iface_addr);
+			       now, unicast_dest, loopback, &is_inform, pxe_fd, iface_addr, recvtime);
       lease_update_file(now);
       lease_update_dns(0);
       
@@ -387,9 +399,10 @@ void dhcp_packet(time_t now, int pxe_fd)
       msg.msg_controllen = sizeof(control_u);
       cmptr = CMSG_FIRSTHDR(&msg);
       pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
-      pkt->ipi_ifindex = iface_index;
+      pkt->ipi_ifindex = rcvd_iface_index;
       pkt->ipi_spec_dst.s_addr = 0;
-      msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+      msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
+      cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
       cmptr->cmsg_level = IPPROTO_IP;
       cmptr->cmsg_type = IP_PKTINFO;
 
@@ -452,6 +465,11 @@ void dhcp_packet(time_t now, int pxe_fd)
 #endif
   
   while(retry_send(sendmsg(fd, &msg, 0)));
+
+  /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
+  if (errno != 0)
+    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
+	      inet_ntoa(dest.sin_addr), strerror(errno));
 }
 
 /* check against secondary interface addresses */
@@ -488,26 +506,20 @@ static int check_listen_addrs(struct in_addr local, int if_index, char *label,
    3) Fills in local (this host) and router (this host or relay) addresses.
    4) Links contexts which are valid for hosts directly connected to the arrival interface on ->current.
 
-   Note that the current chain may be superceded later for configured hosts or those coming via gateways. */
+   Note that the current chain may be superseded later for configured hosts or those coming via gateways. */
 
-static int complete_context(struct in_addr local, int if_index, char *label,
-			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
+static void guess_range_netmask(struct in_addr addr, struct in_addr netmask)
 {
   struct dhcp_context *context;
-  struct dhcp_relay *relay;
-  struct iface_param *param = vparam;
-
-  (void)label;
 
   for (context = daemon->dhcp; context; context = context->next)
-    {
     if (!(context->flags & CONTEXT_NETMASK) &&
-	  (is_same_net(local, context->start, netmask) ||
-	   is_same_net(local, context->end, netmask)))
+	(is_same_net(addr, context->start, netmask) ||
+	 is_same_net(addr, context->end, netmask)))
       { 
 	if (context->netmask.s_addr != netmask.s_addr &&
-	    !(is_same_net(local, context->start, netmask) &&
-	      is_same_net(local, context->end, netmask)))
+	    !(is_same_net(addr, context->start, netmask) &&
+	      is_same_net(addr, context->end, netmask)))
 	  {
 	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
 	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
@@ -516,7 +528,63 @@ static int complete_context(struct in_addr local, int if_index, char *label,
 	  }	
 	context->netmask = netmask;
       }
+}
 
+static int complete_context(struct in_addr local, int if_index, char *label,
+			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
+{
+  struct dhcp_context *context;
+  struct dhcp_relay *relay;
+  struct iface_param *param = vparam;
+  struct shared_network *share;
+  
+  (void)label;
+
+  for (share = daemon->shared_networks; share; share = share->next)
+    {
+      
+#ifdef HAVE_DHCP6
+      if (share->shared_addr.s_addr == 0)
+	continue;
+#endif
+      
+      if (share->if_index != 0)
+	{
+	  if (share->if_index != if_index)
+	    continue;
+	}
+      else
+	{
+	  if (share->match_addr.s_addr != local.s_addr)
+	    continue;
+	}
+
+      for (context = daemon->dhcp; context; context = context->next)
+	{
+	  if (context->netmask.s_addr != 0 &&
+	      is_same_net(share->shared_addr, context->start, context->netmask) &&
+	      is_same_net(share->shared_addr, context->end, context->netmask))
+	    {
+	      /* link it onto the current chain if we've not seen it before */
+	      if (context->current == context)
+		{
+		  /* For a shared network, we have no way to guess what the default route should be. */
+		  context->router.s_addr = 0;
+		  context->local = local; /* Use configured address for Server Identifier */
+		  context->current = param->current;
+		  param->current = context;
+		}
+	      
+	      if (!(context->flags & CONTEXT_BRDCAST))
+		context->broadcast.s_addr  = context->start.s_addr | ~context->netmask.s_addr;
+	    }		
+	}
+    }
+
+  guess_range_netmask(local, netmask);
+  
+  for (context = daemon->dhcp; context; context = context->next)
+    {
       if (context->netmask.s_addr != 0 &&
 	  is_same_net(local, context->start, context->netmask) &&
 	  is_same_net(local, context->end, context->netmask))
@@ -541,7 +609,7 @@ static int complete_context(struct in_addr local, int if_index, char *label,
     }
 
   for (relay = daemon->relay4; relay; relay = relay->next)
-    if (if_index == param->ind && relay->local.addr.addr4.s_addr == local.s_addr && relay->current == relay &&
+    if (if_index == param->ind && relay->local.addr4.s_addr == local.s_addr && relay->current == relay &&
 	(param->relay_local.s_addr == 0 || param->relay_local.s_addr == local.s_addr))
       {
 	relay->current = param->relay;
@@ -588,7 +656,7 @@ struct dhcp_context *narrow_context(struct dhcp_context *context,
 {
   /* We start of with a set of possible contexts, all on the current physical interface.
      These are chained on ->current.
-     Here we have an address, and return the actual context correponding to that
+     Here we have an address, and return the actual context corresponding to that
      address. Note that none may fit, if the address came a dhcp-host and is outside
      any dhcp-range. In that case we return a static range if possible, or failing that,
      any context on the correct subnet. (If there's more than one, this is a dodgy 
@@ -630,9 +698,69 @@ struct dhcp_config *config_find_by_address(struct dhcp_config *configs, struct i
   return NULL;
 }
 
+/* Check if and address is in use by sending ICMP ping.
+   This wrapper handles a cache and load-limiting.
+   Return is NULL is address in use, or a pointer to a cache entry
+   recording that it isn't. */
+struct ping_result *do_icmp_ping(time_t now, struct in_addr addr, unsigned int hash, int loopback)
+{
+  static struct ping_result dummy;
+  struct ping_result *r, *victim = NULL;
+  int count, max = (int)(0.6 * (((float)PING_CACHE_TIME)/
+				((float)PING_WAIT)));
+
+  /* check if we failed to ping addr sometime in the last
+     PING_CACHE_TIME seconds. If so, assume the same situation still exists.
+     This avoids problems when a stupid client bangs
+     on us repeatedly. As a final check, if we did more
+     than 60% of the possible ping checks in the last 
+     PING_CACHE_TIME, we are in high-load mode, so don't do any more. */
+  for (count = 0, r = daemon->ping_results; r; r = r->next)
+    if (difftime(now, r->time) >  (float)PING_CACHE_TIME)
+      victim = r; /* old record */
+    else 
+      {
+	count++;
+	if (r->addr.s_addr == addr.s_addr)
+	  return r;
+      }
+  
+  /* didn't find cached entry */
+  if ((count >= max) || option_bool(OPT_NO_PING) || loopback)
+    {
+      /* overloaded, or configured not to check, loopback interface, return "not in use" */
+      dummy.hash = hash;
+      return &dummy;
+    }
+  else if (icmp_ping(addr))
+    return NULL; /* address in use. */
+  else
+    {
+      /* at this point victim may hold an expired record */
+      if (!victim)
+	{
+	  if ((victim = whine_malloc(sizeof(struct ping_result))))
+	    {
+	      victim->next = daemon->ping_results;
+	      daemon->ping_results = victim;
+	    }
+	}
+      
+      /* record that this address is OK for 30s 
+	 without more ping checks */
+      if (victim)
+	{
+	  victim->addr = addr;
+	  victim->time = now;
+	  victim->hash = hash;
+	}
+      return victim;
+    }
+}
+
 int address_allocate(struct dhcp_context *context,
 		     struct in_addr *addrp, unsigned char *hwaddr, int hw_len, 
-		     struct dhcp_netid *netids, time_t now)   
+		     struct dhcp_netid *netids, time_t now, int loopback)   
 {
   /* Find a free address: exclude anything in use and anything allocated to
      a particular hwaddr/clientid/hostname in our configuration.
@@ -646,7 +774,11 @@ int address_allocate(struct dhcp_context *context,
   /* hash hwaddr: use the SDBM hashing algorithm.  Seems to give good
      dispersal even with similarly-valued "strings". */ 
   for (j = 0, i = 0; i < hw_len; i++)
-    j += hwaddr[i] + (j << 6) + (j << 16) - j;
+    j = hwaddr[i] + (j << 6) + (j << 16) - j;
+
+  /* j == 0 is marker */
+  if (j == 0)
+    j = 1;
   
   for (pass = 0; pass <= 1; pass++)
     for (c = context; c; c = c->current)
@@ -684,66 +816,33 @@ int address_allocate(struct dhcp_context *context,
 		(!IN_CLASSC(ntohl(addr.s_addr)) || 
 		 ((ntohl(addr.s_addr) & 0xff) != 0xff && ((ntohl(addr.s_addr) & 0xff) != 0x0))))
 	      {
-		struct ping_result *r, *victim = NULL;
-		int count, max = (int)(0.6 * (((float)PING_CACHE_TIME)/
-					      ((float)PING_WAIT)));
-		
-		*addrp = addr;
-
-		/* check if we failed to ping addr sometime in the last
-		   PING_CACHE_TIME seconds. If so, assume the same situation still exists.
-		   This avoids problems when a stupid client bangs
-		   on us repeatedly. As a final check, if we did more
-		   than 60% of the possible ping checks in the last 
-		   PING_CACHE_TIME, we are in high-load mode, so don't do any more. */
-		for (count = 0, r = daemon->ping_results; r; r = r->next)
-		  if (difftime(now, r->time) >  (float)PING_CACHE_TIME)
-		    victim = r; /* old record */
+		/* in consec-ip mode, skip addresses equal to
+		   the number of addresses rejected by clients. This
+		   should avoid the same client being offered the same
+		   address after it has rjected it. */
+		if (option_bool(OPT_CONSEC_ADDR) && c->addr_epoch)
+		  c->addr_epoch--;
 		else
 		  {
-		      count++;
-		      if (r->addr.s_addr == addr.s_addr)
+		    struct ping_result *r;
+		    
+		    if ((r = do_icmp_ping(now, addr, j, loopback)))
 		      {
 			/* consec-ip mode: we offered this address for another client
 			   (different hash) recently, don't offer it to this one. */
-			  if (option_bool(OPT_CONSEC_ADDR) && r->hash != j)
-			    break;
-			  
+			if (!option_bool(OPT_CONSEC_ADDR) || r->hash == j)
+			  {
+			    *addrp = addr;
 			    return 1;
 			  }
 		      }
-
-		if (!r) 
-		  {
-		    if ((count < max) && !option_bool(OPT_NO_PING) && icmp_ping(addr))
+		    else
 		      {
 			/* address in use: perturb address selection so that we are
 			   less likely to try this address again. */
 			if (!option_bool(OPT_CONSEC_ADDR))
 			  c->addr_epoch++;
 		      }
-		    else
-		      {
-			/* at this point victim may hold an expired record */
-			if (!victim)
-			  {
-			    if ((victim = whine_malloc(sizeof(struct ping_result))))
-			      {
-				victim->next = daemon->ping_results;
-				daemon->ping_results = victim;
-			      }
-			  }
-			
-			/* record that this address is OK for 30s 
-			   without more ping checks */
-			if (victim)
-			  {
-			    victim->addr = addr;
-			    victim->time = now;
-			    victim->hash = j;
-			  }
-			return 1;
-		      }
 		  }
 	      }
 	    
@@ -932,7 +1031,7 @@ char *host_from_dns(struct in_addr addr)
   if (daemon->port == 0)
     return NULL; /* DNS disabled. */
   
-  lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
+  lookup = cache_find_by_addr(NULL, (union all_addr *)&addr, 0, F_IPV4);
 
   if (lookup && (lookup->flags & F_HOSTS))
     {
@@ -949,8 +1048,7 @@ char *host_from_dns(struct in_addr addr)
       if (!legal_hostname(hostname))
 	return NULL;
       
-      strncpy(daemon->dhcp_buff, hostname, 256);
-      daemon->dhcp_buff[255] = 0;
+      safe_strncpy(daemon->dhcp_buff, hostname, 256);
       strip_hostname(daemon->dhcp_buff);
 
       return daemon->dhcp_buff;
@@ -962,25 +1060,25 @@ char *host_from_dns(struct in_addr addr)
 static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess, size_t sz, int iface_index)
 {
   /* ->local is same value for all relays on ->current chain */
-  struct all_addr from;
+  union all_addr from;
   
   if (mess->op != BOOTREQUEST)
     return 0;
 
   /* source address == relay address */
-  from.addr.addr4 = relay->local.addr.addr4;
+  from.addr4 = relay->local.addr4;
   
   /* already gatewayed ? */
   if (mess->giaddr.s_addr)
     {
       /* if so check if by us, to stomp on loops. */
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
+      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
 	return 1;
     }
   else
     {
       /* plug in our address */
-      mess->giaddr.s_addr = relay->local.addr.addr4.s_addr;
+      mess->giaddr.s_addr = relay->local.addr4.s_addr;
     }
 
   if ((mess->hops++) > 20)
@@ -991,7 +1089,7 @@ static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess,
       union mysockaddr to;
       
       to.sa.sa_family = AF_INET;
-      to.in.sin_addr = relay->server.addr.addr4;
+      to.in.sin_addr = relay->server.addr4;
       to.in.sin_port = htons(daemon->dhcp_server_port);
       
       send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
@@ -999,7 +1097,7 @@ static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess,
       if (option_bool(OPT_LOG_OPTS))
 	{
 	  inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr.addr4));
+	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr4));
 	}
       
       /* Save this for replies */
@@ -1019,7 +1117,7 @@ static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_i
 
   for (relay = daemon->relay4; relay; relay = relay->next)
     {
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
+      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
 	{
 	  if (!relay->interface || wildcard_match(relay->interface, arrival_interface))
 	    return relay->iface_index != 0 ? relay : NULL;

src/dhcp6-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -59,12 +59,12 @@
 #define OPTION6_REMOTE_ID       37
 #define OPTION6_SUBSCRIBER_ID   38
 #define OPTION6_FQDN            39
+#define OPTION6_NTP_SERVER      56
 #define OPTION6_CLIENT_MAC      79
 
-/* replace this with the real number when allocated.
-   defining this also enables the relevant code. */ 
-/* #define OPTION6_PREFIX_CLASS    99 */
-
+#define NTP_SUBOPTION_SRV_ADDR  1
+#define NTP_SUBOPTION_MC_ADDR   2
+#define NTP_SUBOPTION_SRV_FQDN  3
 
 #define DHCP6SUCCESS     0
 #define DHCP6UNSPEC      1

src/dhcp6.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -27,17 +27,10 @@ struct iface_param {
   int ind, addr_match;
 };
 
-struct mac_param {
-  struct in6_addr *target;
-  unsigned char *mac;
-  unsigned int maclen;
-};
-
 
 static int complete_context6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, 
 			     unsigned int preferred, unsigned int valid, void *vparam);
-static int find_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv);
 static int make_duid1(int index, unsigned int type, char *mac, size_t maclen, void *parm); 
 
 void dhcp6_init(void)
@@ -58,9 +51,9 @@ void dhcp6_init(void)
       !set_ipv6pktinfo(fd))
     die (_("cannot create DHCPv6 socket: %s"), NULL, EC_BADNET);
   
- /* When bind-interfaces is set, there might be more than one dnmsasq
+ /* When bind-interfaces is set, there might be more than one dnsmasq
      instance binding port 547. That's OK if they serve different networks.
-     Need to set REUSEADDR|REUSEPORT to make this posible.
+     Need to set REUSEADDR|REUSEPORT to make this possible.
      Handle the case that REUSEPORT is defined, but the kernel doesn't 
      support it. This handles the introduction of REUSEPORT on Linux. */
   if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND))
@@ -142,7 +135,14 @@ void dhcp6_packet(time_t now)
   if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
     return;
 
-  if ((port = relay_reply6(&from, sz, ifr.ifr_name)) == 0)
+  if ((port = relay_reply6(&from, sz, ifr.ifr_name)) != 0)
+    {
+      from.sin6_port = htons(port);
+      while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
+			       save_counter(-1), 0, (struct sockaddr *)&from, 
+			       sizeof(from))));
+    }
+  else
     {
       struct dhcp_bridge *bridge, *alias;
 
@@ -227,7 +227,7 @@ void dhcp6_packet(time_t now)
 	  inet_pton(AF_INET6, ALL_SERVERS, &all_servers);
 	  
 	  if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers))
-	    relay_upstream6(parm.relay, sz, &from.sin6_addr, from.sin6_scope_id);
+	    relay_upstream6(parm.relay, sz, &from.sin6_addr, from.sin6_scope_id, now);
 	  return;
 	}
       
@@ -240,10 +240,6 @@ void dhcp6_packet(time_t now)
       port = dhcp6_reply(parm.current, if_index, ifr.ifr_name, &parm.fallback, 
 			 &parm.ll_addr, &parm.ula_addr, sz, &from.sin6_addr, now);
       
-      lease_update_file(now);
-      lease_update_dns(0);
-    }
-			  
       /* The port in the source address of the original request should
 	 be correct, but at least once client sends from the server port,
 	 so we explicitly send to the client port to a client, and the
@@ -252,21 +248,26 @@ void dhcp6_packet(time_t now)
 	{
 	  from.sin6_port = htons(port);
 	  while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
-			       save_counter(0), 0, (struct sockaddr *)&from, 
+				   save_counter(-1), 0, (struct sockaddr *)&from, 
 				   sizeof(from))));
 	}
+
+      /* These need to be called _after_ we send DHCPv6 packet, since lease_update_file()
+	 may trigger sending an RA packet, which overwrites our buffer. */
+      lease_update_file(now);
+      lease_update_dns(0);
+    }
 }
 
-void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep)
+void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep, time_t now)
 {
-  /* Recieving a packet from a host does not populate the neighbour
+  /* Receiving a packet from a host does not populate the neighbour
      cache, so we send a neighbour discovery request if we can't 
      find the sender. Repeat a few times in case of packet loss. */
   
   struct neigh_packet neigh;
-  struct sockaddr_in6 addr;
-  struct mac_param mac_param;
-  int i;
+  union mysockaddr addr;
+  int i, maclen;
 
   neigh.type = ND_NEIGHBOR_SOLICIT;
   neigh.code = 0;
@@ -277,77 +278,56 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsi
    
   memset(&addr, 0, sizeof(addr));
 #ifdef HAVE_SOCKADDR_SA_LEN
-  addr.sin6_len = sizeof(struct sockaddr_in6);
+  addr.in6.sin6_len = sizeof(struct sockaddr_in6);
 #endif
-  addr.sin6_family = AF_INET6;
-  addr.sin6_port = htons(IPPROTO_ICMPV6);
-  addr.sin6_addr = *client;
-  addr.sin6_scope_id = iface;
-  
-  mac_param.target = client;
-  mac_param.maclen = 0;
-  mac_param.mac = mac;
+  addr.in6.sin6_family = AF_INET6;
+  addr.in6.sin6_port = htons(IPPROTO_ICMPV6);
+  addr.in6.sin6_addr = *client;
+  addr.in6.sin6_scope_id = iface;
   
   for (i = 0; i < 5; i++)
     {
       struct timespec ts;
       
-      iface_enumerate(AF_UNSPEC, &mac_param, find_mac);
-      
-      if (mac_param.maclen != 0)
+      if ((maclen = find_mac(&addr, mac, 0, now)) != 0)
 	break;
 	  
-      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, (struct sockaddr *)&addr, sizeof(addr));
+      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr));
       
       ts.tv_sec = 0;
       ts.tv_nsec = 100000000; /* 100ms */
       nanosleep(&ts, NULL);
     }
 
-  *maclenp = mac_param.maclen;
+  *maclenp = maclen;
   *mactypep = ARPHRD_ETHER;
 }
     
-static int find_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
-{
-  struct mac_param *parm = parmv;
-  
-  if (family == AF_INET6 && IN6_ARE_ADDR_EQUAL(parm->target, (struct in6_addr *)addrp))
-    {
-      if (maclen <= DHCP_CHADDR_MAX)
-	{
-	  parm->maclen = maclen;
-	  memcpy(parm->mac, mac, maclen);
-	}
-      
-      return 0; /* found, abort */
-    }
-  
-  return 1;
-}
-
 static int complete_context6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, unsigned int preferred, 
 			     unsigned int valid, void *vparam)
 {
   struct dhcp_context *context;
+  struct shared_network *share;
   struct dhcp_relay *relay;
   struct iface_param *param = vparam;
   struct iname *tmp;
  
   (void)scope; /* warning */
   
-  if (if_index == param->ind)
-    {
+  if (if_index != param->ind)
+    return 1;
+  
   if (IN6_IS_ADDR_LINKLOCAL(local))
     param->ll_addr = *local;
   else if (IN6_IS_ADDR_ULA(local))
     param->ula_addr = *local;
       
-      if (!IN6_IS_ADDR_LOOPBACK(local) &&
-	  !IN6_IS_ADDR_LINKLOCAL(local) &&
-	  !IN6_IS_ADDR_MULTICAST(local))
-	{
+  if (IN6_IS_ADDR_LOOPBACK(local) ||
+      IN6_IS_ADDR_LINKLOCAL(local) ||
+      IN6_IS_ADDR_MULTICAST(local))
+    return 1;
+  
   /* if we have --listen-address config, see if the 
      arrival interface has a matching address. */
   for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
@@ -362,21 +342,17 @@ static int complete_context6(struct in6_addr *local,  int prefix,
   param->fallback = *local;
   
   for (context = daemon->dhcp6; context; context = context->next)
-	    {
     if ((context->flags & CONTEXT_DHCP) &&
 	!(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
 	prefix <= context->prefix &&
-		  is_same_net6(local, &context->start6, context->prefix) &&
-		  is_same_net6(local, &context->end6, context->prefix))
+	context->current == context)
       {
-		  
-		  
-		  /* link it onto the current chain if we've not seen it before */
-		  if (context->current == context)
+	if (is_same_net6(local, &context->start6, context->prefix) &&
+	    is_same_net6(local, &context->end6, context->prefix))
 	  {
 	    struct dhcp_context *tmp, **up;
 	    
-		      /* use interface values only for contructed contexts */
+	    /* use interface values only for constructed contexts */
 	    if (!(context->flags & CONTEXT_CONSTRUCTED))
 	      preferred = valid = 0xffffffff;
 	    else if (flags & IFACE_DEPRECATED)
@@ -398,12 +374,40 @@ static int complete_context6(struct in6_addr *local,  int prefix,
 	    context->preferred = preferred;
 	    context->valid = valid;
 	  }
+	else
+	  {
+	    for (share = daemon->shared_networks; share; share = share->next)
+	      {
+		/* IPv4 shared_address - ignore */
+		if (share->shared_addr.s_addr != 0)
+		  continue;
+			
+		if (share->if_index != 0)
+		  {
+		    if (share->if_index != if_index)
+		      continue;
+		  }
+		else
+		  {
+		    if (!IN6_ARE_ADDR_EQUAL(&share->match_addr6, local))
+		      continue;
+		  }
+		
+		if (is_same_net6(&share->shared_addr6, &context->start6, context->prefix) &&
+		    is_same_net6(&share->shared_addr6, &context->end6, context->prefix))
+		  {
+		    context->current = param->current;
+		    param->current = context;
+		    context->local6 = *local;
+		    context->preferred = context->flags & CONTEXT_DEPRECATE ? 0 :0xffffffff;
+		    context->valid = 0xffffffff;
+		  }
 	      }
 	  }      
       }
 
   for (relay = daemon->relay6; relay; relay = relay->next)
-	if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr.addr6) && relay->current == relay &&
+    if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr6) && relay->current == relay &&
 	(IN6_IS_ADDR_UNSPECIFIED(&param->relay_local) || IN6_ARE_ADDR_EQUAL(local, &param->relay_local)))
       {
 	relay->current = param->relay;
@@ -411,26 +415,29 @@ static int complete_context6(struct in6_addr *local,  int prefix,
 	param->relay_local = *local;
       }
      
-    }          
- 
   return 1;
 }
 
-struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix, u64 addr)
+struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix,  struct in6_addr *addr)
 {
   struct dhcp_config *config;
   
   for (config = configs; config; config = config->next)
-    if ((config->flags & CONFIG_ADDR6) &&
-	is_same_net6(&config->addr6, net, prefix) &&
-	(prefix == 128 || addr6part(&config->addr6) == addr))
+    if (config->flags & CONFIG_ADDR6)
+      {
+	struct addrlist *addr_list;
+	
+	for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	  if ((!net || is_same_net6(&addr_list->addr.addr6, net, prefix) || ((addr_list->flags & ADDRLIST_WILDCARD) && prefix == 64)) &&
+	      is_same_net6(&addr_list->addr.addr6, addr, (addr_list->flags & ADDRLIST_PREFIX) ? addr_list->prefixlen : 128))
 	    return config;
+      }
   
   return NULL;
 }
 
 struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned char *clid, int clid_len, int temp_addr,
-				       int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)   
+				       unsigned int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)
 {
   /* Find a free address: exclude anything in use and anything allocated to
      a particular hwaddr/clientid/hostname in our configuration.
@@ -452,7 +459,7 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
     j = rand64();
   else
     for (j = iaid, i = 0; i < clid_len; i++)
-      j += clid[i] + (j << 6) + (j << 16) - j;
+      j = clid[i] + (j << 6) + (j << 16) - j;
   
   for (pass = 0; pass <= plain_range ? 1 : 0; pass++)
     for (c = context; c; c = c->current)
@@ -463,10 +470,26 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
       else
 	{ 
 	  if (!temp_addr && option_bool(OPT_CONSEC_ADDR))
-	    /* seed is largest extant lease addr in this context */
-	    start = lease_find_max_addr6(c) + serial;
+	    {
+	      /* seed is largest extant lease addr in this context,
+		 skip addresses equal to the number of addresses rejected
+		 by clients. This should avoid the same client being offered the same
+		 address after it has rjected it. */
+	      start = lease_find_max_addr6(c) + 1 + serial + c->addr_epoch;
+	      if (c->addr_epoch)
+		c->addr_epoch--;
+	    }
 	  else
-	    start = addr6part(&c->start6) + ((j + c->addr_epoch) % (1 + addr6part(&c->end6) - addr6part(&c->start6)));
+	    {
+	      u64 range = 1 + addr6part(&c->end6) - addr6part(&c->start6);
+	      u64 offset = j + c->addr_epoch;
+
+	      /* don't divide by zero if range is whole 2^64 */
+	      if (range != 0)
+		offset = offset % range;
+
+	      start = addr6part(&c->start6) + offset;
+	    }
 
 	  /* iterate until we find a free address. */
 	  addr = start;
@@ -477,14 +500,13 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
 	      if (addr == addr6part(&d->local6))
 		break;
 	    
-	    if (!d &&
-		!lease6_find_by_addr(&c->start6, c->prefix, addr) && 
-		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, addr))
-	      {
 	    *ans = c->start6;
 	    setaddr6part (ans, addr);
+
+	    if (!d &&
+		!lease6_find_by_addr(&c->start6, c->prefix, addr) && 
+		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, ans))
 	      return c;
-	      }
 	    
 	    addr++;
 	    
@@ -539,27 +561,6 @@ struct dhcp_context *address6_valid(struct dhcp_context *context,
   return NULL;
 }
 
-int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr)
-{
-  if (!config || !(config->flags & CONFIG_ADDR6))
-    return 0;
-
-  if ((config->flags & CONFIG_WILDCARD) && context->prefix == 64)
-    {
-      *addr = context->start6;
-      setaddr6part(addr, addr6part(&config->addr6));
-      return 1;
-    }
-  
-  if (is_same_net6(&context->start6, &config->addr6, context->prefix))
-    {
-      *addr = config->addr6;
-      return 1;
-    }
-  
-  return 0;
-}
-
 void make_duid(time_t now)
 {
   (void)now;
@@ -640,6 +641,7 @@ static int construct_worker(struct in6_addr *local, int prefix,
   char ifrn_name[IFNAMSIZ];
   struct in6_addr start6, end6;
   struct dhcp_context *template, *context;
+  struct iname *tmp;
   
   (void)scope;
   (void)flags;
@@ -659,17 +661,30 @@ static int construct_worker(struct in6_addr *local, int prefix,
   if (flags & IFACE_DEPRECATED)
     return 1;
 
-  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name))
-    return 0;
+  /* Ignore interfaces where we're not doing RA/DHCP6 */
+  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name) ||
+      !iface_check(AF_LOCAL, NULL, ifrn_name, NULL))
+    return 1;
+  
+  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+    if (tmp->name && wildcard_match(tmp->name, ifrn_name))
+      return 1;
 
   for (template = daemon->dhcp6; template; template = template->next)
-    if (!(template->flags & CONTEXT_TEMPLATE))
+    if (!(template->flags & (CONTEXT_TEMPLATE | CONTEXT_CONSTRUCTED)))
       {
 	/* non-template entries, just fill in interface and local addresses */
 	if (prefix <= template->prefix &&
 	    is_same_net6(local, &template->start6, template->prefix) &&
 	    is_same_net6(local, &template->end6, template->prefix))
 	  {
+	    /* First time found, do fast RA. */
+	    if (template->if_index == 0)
+	      {
+		ra_start_unsolicited(param->now, template);
+		param->newone = 1;
+	      }
+	    
 	    template->if_index = if_index;
 	    template->local6 = *local;
 	  }
@@ -684,25 +699,34 @@ static int construct_worker(struct in6_addr *local, int prefix,
 	setaddr6part(&end6, addr6part(&template->end6));
 	
 	for (context = daemon->dhcp6; context; context = context->next)
-	  if ((context->flags & CONTEXT_CONSTRUCTED) &&
+	  if (!(context->flags & CONTEXT_TEMPLATE) &&
 	      IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
 	      IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
 	    {
-	      int flags = context->flags;
-	      context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
-	      if (flags & CONTEXT_OLD)
+	      /* If there's an absolute address context covering this address
+		 then don't construct one as well. */
+	      if (!(context->flags & CONTEXT_CONSTRUCTED))
+		break;
+	      
+	      if (context->if_index == if_index)
 		{
-		  /* address went, now it's back */
+		  int cflags = context->flags;
+		  context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+		  if (cflags & CONTEXT_OLD)
+		    {
+		      /* address went, now it's back, and on the same interface */
 		      log_context(AF_INET6, context); 
 		      /* fast RAs for a while */
-		  ra_start_unsolicted(param->now, context);
+		      ra_start_unsolicited(param->now, context);
 		      param->newone = 1; 
 		      /* Add address to name again */
 		      if (context->flags & CONTEXT_RA_NAME)
 			param->newname = 1;
+		    
 		    }
 		  break;
 		}
+	    }
 	
 	if (!context && (context = whine_malloc(sizeof (struct dhcp_context))))
 	  {
@@ -718,7 +742,7 @@ static int construct_worker(struct in6_addr *local, int prefix,
 	    context->next = daemon->dhcp6;
 	    daemon->dhcp6 = context;
 
-	    ra_start_unsolicted(param->now, context);
+	    ra_start_unsolicited(param->now, context);
 	    /* we created a new one, need to call
 	       lease_update_file to get periodic functions called */
 	    param->newone = 1; 
@@ -766,7 +790,7 @@ void dhcp_construct_contexts(time_t now)
 	      /* maximum time is 2 hours, from RFC */
 	      if (context->saved_valid > 7200) /* 2 hours */
 		context->saved_valid = 7200;
-	      ra_start_unsolicted(now, context);
+	      ra_start_unsolicited(now, context);
 	      param.newone = 1; /* include deletion */ 
 	      
 	      if (context->flags & CONTEXT_RA_NAME)

src/dns-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -16,6 +16,8 @@
 
 #define NAMESERVER_PORT 53
 #define TFTP_PORT       69
+#define MIN_PORT        1024           /* first non-reserved port */
+#define MAX_PORT        65535u
 
 #define IN6ADDRSZ       16
 #define INADDRSZ        4
@@ -74,9 +76,12 @@
 #define T_AXFR          252
 #define T_MAILB		253	
 #define T_ANY		255
+#define T_CAA           257
 
 #define EDNS0_OPTION_MAC            65001 /* dyndns.org temporary assignment */
 #define EDNS0_OPTION_CLIENT_SUBNET  8     /* IANA */
+#define EDNS0_OPTION_NOMDEVICEID    65073 /* Nominum temporary assignment */
+#define EDNS0_OPTION_NOMCPEID       65074 /* Nominum temporary assignment */
 
 struct dns_header {
   u16 id;

src/domain.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -18,21 +18,14 @@
 
 
 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c);
-#ifdef HAVE_IPV6
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
-#endif
 
 
-int is_name_synthetic(int flags, char *name, struct all_addr *addr)
+int is_name_synthetic(int flags, char *name, union all_addr *addr)
 {
   char *p;
   struct cond_domain *c = NULL;
-  int prot = AF_INET;
-
-#ifdef HAVE_IPV6
-  if (flags & F_IPV6)
-    prot = AF_INET6;
-#endif
+  int prot = (flags & F_IPV6) ? AF_INET6 : AF_INET;
 
   for (c = daemon->synth_domains; c; c = c->next)
     {
@@ -56,6 +49,51 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
       if (pref && *pref != 0)
 	continue; /* prefix match fail */
 
+      if (c->indexed)
+	{
+	  for (p = tail; *p; p++)
+	    {
+	      char c = *p;
+	      
+	      if (c < '0' || c > '9')
+		break;
+	    }
+	  
+	  if (*p != '.')
+	    continue;
+	  
+	  *p = 0;
+	  
+	  if (hostname_isequal(c->domain, p+1))
+	    {
+	      if (prot == AF_INET)
+		{
+		  unsigned int index = atoi(tail);
+
+		   if (!c->is6 &&
+		      index <= ntohl(c->end.s_addr) - ntohl(c->start.s_addr))
+		    {
+		      addr->addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
+		      found = 1;
+		    }
+		} 
+	      else
+		{
+		  u64 index = atoll(tail);
+		  
+		  if (c->is6 &&
+		      index <= addr6part(&c->end6) - addr6part(&c->start6))
+		    {
+		      u64 start = addr6part(&c->start6);
+		      addr->addr6 = c->start6;
+		      setaddr6part(&addr->addr6, start + index);
+		      found = 1;
+		    }
+		}
+	    }
+	}
+      else
+	{
 	  /* NB, must not alter name if we return zero */
 	  for (p = tail; *p; p++)
 	    {
@@ -64,10 +102,8 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	      if ((c >='0' && c <= '9') || c == '-')
 		continue;
 	      
-#ifdef HAVE_IPV6
 	      if (prot == AF_INET6 && ((c >='A' && c <= 'F') || (c >='a' && c <= 'f'))) 
 		continue;
-#endif
 	      
 	      break;
 	    }
@@ -77,16 +113,25 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	  
 	  *p = 0;	
 	  
+	  if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
+	    {
+	      /* special hack for v4-mapped. */
+	      memcpy(tail, "::ffff:", 7);
+	      for (p = tail + 7; *p; p++)
+		if (*p == '-')
+		  *p = '.';
+	    }
+	  else
+	    {
 	      /* swap . or : for - */
 	      for (p = tail; *p; p++)
 		if (*p == '-')
 		  {
 		    if (prot == AF_INET)
 		      *p = '.';
-#ifdef HAVE_IPV6
 		    else
 		      *p = ':';
-#endif
+		  }
 	    }
 	  
 	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
@@ -94,22 +139,22 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	      if (prot == AF_INET)
 		{
 		  if (!c->is6 &&
-		  ntohl(addr->addr.addr4.s_addr) >= ntohl(c->start.s_addr) &&
-		  ntohl(addr->addr.addr4.s_addr) <= ntohl(c->end.s_addr))
+		      ntohl(addr->addr4.s_addr) >= ntohl(c->start.s_addr) &&
+		      ntohl(addr->addr4.s_addr) <= ntohl(c->end.s_addr))
 		    found = 1;
 		}
-#ifdef HAVE_IPV6
 	      else
 		{
-	      u64 addrpart = addr6part(&addr->addr.addr6);
+		  u64 addrpart = addr6part(&addr->addr6);
 		  
 		  if (c->is6 &&
-		  is_same_net6(&addr->addr.addr6, &c->start6, 64) &&
+		      is_same_net6(&addr->addr6, &c->start6, 64) &&
 		      addrpart >= addr6part(&c->start6) &&
 		      addrpart <= addr6part(&c->end6))
 		    found = 1;
 		}
-#endif
+	    }
+
 	}
 
       /* restore name */
@@ -119,6 +164,7 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
       
       *p = '.';
       
+      
       if (found)
 	return 1;
     }
@@ -127,22 +173,30 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 }
 
 
-int is_rev_synth(int flag, struct all_addr *addr, char *name)
+int is_rev_synth(int flag, union all_addr *addr, char *name)
 {
    struct cond_domain *c;
 
-   if (flag & F_IPV4 && (c = search_domain(addr->addr.addr4, daemon->synth_domains))) 
+   if (flag & F_IPV4 && (c = search_domain(addr->addr4, daemon->synth_domains))) 
      {
        char *p;
        
        *name = 0;
+       if (c->indexed)
+	 {
+	   unsigned int index = ntohl(addr->addr4.s_addr) - ntohl(c->start.s_addr);
+	   snprintf(name, MAXDNAME, "%s%u", c->prefix ? c->prefix : "", index);
+	 }
+       else
+	 {
 	   if (c->prefix)
 	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
        
-       inet_ntop(AF_INET, &addr->addr.addr4, name + strlen(name), ADDRSTRLEN);
+       	   inet_ntop(AF_INET, &addr->addr4, name + strlen(name), ADDRSTRLEN);
 	   for (p = name; *p; p++)
 	     if (*p == '.')
 	       *p = '-';
+	 }
        
        strncat(name, ".", MAXDNAME);
        strncat(name, c->domain, MAXDNAME);
@@ -150,35 +204,43 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
        return 1;
      }
 
-#ifdef HAVE_IPV6
-   if (flag & F_IPV6 && (c = search_domain6(&addr->addr.addr6, daemon->synth_domains))) 
+   if ((flag & F_IPV6) && (c = search_domain6(&addr->addr6, daemon->synth_domains))) 
      {
        char *p;
        
        *name = 0;
+       if (c->indexed)
+	 {
+	   u64 index = addr6part(&addr->addr6) - addr6part(&c->start6);
+	   snprintf(name, MAXDNAME, "%s%llu", c->prefix ? c->prefix : "", index);
+	 }
+       else
+	 {
 	   if (c->prefix)
 	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
        
-       inet_ntop(AF_INET6, &addr->addr.addr6, name + strlen(name), ADDRSTRLEN);
+	   inet_ntop(AF_INET6, &addr->addr6, name + strlen(name), ADDRSTRLEN);
 
 	   /* IPv6 presentation address can start with ":", but valid domain names
 	      cannot start with "-" so prepend a zero in that case. */
 	   if (!c->prefix && *name == ':')
 	     {
 	       *name = '0';
-	   inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN);
+	       inet_ntop(AF_INET6, &addr->addr6, name+1, ADDRSTRLEN);
 	     }
 	   
+	   /* V4-mapped have periods.... */
 	   for (p = name; *p; p++)
-	 if (*p == ':')
+	     if (*p == ':' || *p == '.')
 	       *p = '-';
 	   
+	 }
+
        strncat(name, ".", MAXDNAME);
        strncat(name, c->domain, MAXDNAME);
        
        return 1;
      }
-#endif
    
    return 0;
 }
@@ -205,7 +267,7 @@ char *get_domain(struct in_addr addr)
   return daemon->domain_suffix;
 } 
 
-#ifdef HAVE_IPV6
+
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c)
 {
   u64 addrpart = addr6part(addr);
@@ -229,4 +291,3 @@ char *get_domain6(struct in6_addr *addr)
 
   return daemon->domain_suffix;
 } 
-#endif

src/dump.c

@@ -0,0 +1,211 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_DUMPFILE
+
+static u32 packet_count;
+
+/* https://wiki.wireshark.org/Development/LibpcapFileFormat */
+struct pcap_hdr_s {
+        u32 magic_number;   /* magic number */
+        u16 version_major;  /* major version number */
+        u16 version_minor;  /* minor version number */
+        u32 thiszone;       /* GMT to local correction */
+        u32 sigfigs;        /* accuracy of timestamps */
+        u32 snaplen;        /* max length of captured packets, in octets */
+        u32 network;        /* data link type */
+};
+
+struct pcaprec_hdr_s {
+        u32 ts_sec;         /* timestamp seconds */
+        u32 ts_usec;        /* timestamp microseconds */
+        u32 incl_len;       /* number of octets of packet saved in file */
+        u32 orig_len;       /* actual length of packet */
+};
+
+
+void dump_init(void)
+{
+  struct stat buf;
+  struct pcap_hdr_s header;
+  struct pcaprec_hdr_s pcap_header;
+
+  packet_count = 0;
+  
+  if (stat(daemon->dump_file, &buf) == -1)
+    {
+      /* doesn't exist, create and add header */
+      header.magic_number = 0xa1b2c3d4;
+      header.version_major = 2;
+      header.version_minor = 4;
+      header.thiszone = 0;
+      header.sigfigs = 0;
+      header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */
+      header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */
+
+      if (errno != ENOENT ||
+	  (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 ||
+	  !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 0))
+	die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
+    }
+  else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1))
+    die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
+  else if (header.magic_number != 0xa1b2c3d4)
+    die(_("bad header in %s"), daemon->dump_file, EC_FILE);
+  else
+    {
+      /* count existing records */
+      while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 1))
+	{
+	  lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR);
+	  packet_count++;
+	}
+    }
+}
+
+void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst)
+{
+  struct ip ip;
+  struct ip6_hdr ip6;
+  int family;
+  struct udphdr {
+    u16 uh_sport;               /* source port */
+    u16 uh_dport;               /* destination port */
+    u16 uh_ulen;                /* udp length */
+    u16 uh_sum;                 /* udp checksum */
+  } udp;
+  struct pcaprec_hdr_s pcap_header;
+  struct timeval time;
+  u32 i, sum;
+  void *iphdr;
+  size_t ipsz;
+  int rc;
+  
+  if (daemon->dumpfd == -1 || !(mask & daemon->dump_mask))
+    return;
+  
+  /* So wireshark can Id the packet. */
+  udp.uh_sport = udp.uh_dport = htons(NAMESERVER_PORT);
+
+  if (src)
+    family = src->sa.sa_family;
+  else
+    family = dst->sa.sa_family;
+
+  if (family == AF_INET6)
+    {
+      iphdr = &ip6;
+      ipsz = sizeof(ip6);
+      memset(&ip6, 0, sizeof(ip6));
+      
+      ip6.ip6_vfc = 6 << 4;
+      ip6.ip6_plen = htons(sizeof(struct udphdr) + len);
+      ip6.ip6_nxt = IPPROTO_UDP;
+      ip6.ip6_hops = 64;
+
+      if (src)
+	{
+	  memcpy(&ip6.ip6_src, &src->in6.sin6_addr, IN6ADDRSZ);
+	  udp.uh_sport = src->in6.sin6_port;
+	}
+      
+      if (dst)
+	{
+	  memcpy(&ip6.ip6_dst, &dst->in6.sin6_addr, IN6ADDRSZ);
+	  udp.uh_dport = dst->in6.sin6_port;
+	}
+            
+      /* start UDP checksum */
+      for (sum = 0, i = 0; i < IN6ADDRSZ; i+=2)
+	{
+	  sum += ip6.ip6_src.s6_addr[i] + (ip6.ip6_src.s6_addr[i+1] << 8) ;
+	  sum += ip6.ip6_dst.s6_addr[i] + (ip6.ip6_dst.s6_addr[i+1] << 8) ;
+	  
+	}
+    }
+  else
+    {
+      iphdr = &ip;
+      ipsz = sizeof(ip);
+      memset(&ip, 0, sizeof(ip));
+      
+      ip.ip_v = IPVERSION;
+      ip.ip_hl = sizeof(struct ip) / 4;
+      ip.ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len); 
+      ip.ip_ttl = IPDEFTTL;
+      ip.ip_p = IPPROTO_UDP;
+      
+      if (src)
+	{
+	  ip.ip_src = src->in.sin_addr;
+	  udp.uh_sport = src->in.sin_port;
+	}
+
+      if (dst)
+	{
+	  ip.ip_dst = dst->in.sin_addr;
+	  udp.uh_dport = dst->in.sin_port;
+	}
+      
+      ip.ip_sum = 0;
+      for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
+	sum += ((u16 *)&ip)[i];
+      while (sum >> 16)
+	sum = (sum & 0xffff) + (sum >> 16);  
+      ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
+      
+      /* start UDP checksum */
+      sum = ip.ip_src.s_addr & 0xffff;
+      sum += (ip.ip_src.s_addr >> 16) & 0xffff;
+      sum += ip.ip_dst.s_addr & 0xffff;
+      sum += (ip.ip_dst.s_addr >> 16) & 0xffff;
+    }
+  
+  if (len & 1)
+    ((unsigned char *)packet)[len] = 0; /* for checksum, in case length is odd. */
+
+  udp.uh_sum = 0;
+  udp.uh_ulen = htons(sizeof(struct udphdr) + len);
+  sum += htons(IPPROTO_UDP);
+  sum += htons(sizeof(struct udphdr) + len);
+  for (i = 0; i < sizeof(struct udphdr)/2; i++)
+    sum += ((u16 *)&udp)[i];
+  for (i = 0; i < (len + 1) / 2; i++)
+    sum += ((u16 *)packet)[i];
+  while (sum >> 16)
+    sum = (sum & 0xffff) + (sum >> 16);
+  udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
+
+  rc = gettimeofday(&time, NULL);
+  pcap_header.ts_sec = time.tv_sec;
+  pcap_header.ts_usec = time.tv_usec;
+  pcap_header.incl_len = pcap_header.orig_len = ipsz + sizeof(udp) + len;
+  
+  if (rc == -1 ||
+      !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 0) ||
+      !read_write(daemon->dumpfd, iphdr, ipsz, 0) ||
+      !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), 0) ||
+      !read_write(daemon->dumpfd, (void *)packet, len, 0))
+    my_syslog(LOG_ERR, _("failed to write packet dump"));
+  else
+    my_syslog(LOG_INFO, _("dumping UDP packet %u mask 0x%04x"), ++packet_count, mask);
+
+}
+
+#endif

src/edns0.c

@@ -0,0 +1,456 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t  *len, unsigned char **p, int *is_sign, int *is_last)
+{
+  /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it. 
+     also return length of pseudoheader in *len and pointer to the UDP size in *p
+     Finally, check to see if a packet is signed. If it is we cannot change a single bit before
+     forwarding. We look for TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
+  
+  int i, arcount = ntohs(header->arcount);
+  unsigned char *ansp = (unsigned char *)(header+1);
+  unsigned short rdlen, type, class;
+  unsigned char *ret = NULL;
+
+  if (is_sign)
+    {
+      *is_sign = 0;
+
+      if (OPCODE(header) == QUERY)
+	{
+	  for (i = ntohs(header->qdcount); i != 0; i--)
+	    {
+	      if (!(ansp = skip_name(ansp, header, plen, 4)))
+		return NULL;
+	      
+	      GETSHORT(type, ansp); 
+	      GETSHORT(class, ansp);
+	      
+	      if (class == C_IN && type == T_TKEY)
+		*is_sign = 1;
+	    }
+	}
+    }
+  else
+    {
+      if (!(ansp = skip_questions(header, plen)))
+	return NULL;
+    }
+    
+  if (arcount == 0)
+    return NULL;
+  
+  if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
+    return NULL; 
+  
+  for (i = 0; i < arcount; i++)
+    {
+      unsigned char *save, *start = ansp;
+      if (!(ansp = skip_name(ansp, header, plen, 10)))
+	return NULL; 
+
+      GETSHORT(type, ansp);
+      save = ansp;
+      GETSHORT(class, ansp);
+      ansp += 4; /* TTL */
+      GETSHORT(rdlen, ansp);
+      if (!ADD_RDLEN(header, ansp, plen, rdlen))
+	return NULL;
+      if (type == T_OPT)
+	{
+	  if (len)
+	    *len = ansp - start;
+
+	  if (p)
+	    *p = save;
+	  
+	  if (is_last)
+	    *is_last = (i == arcount-1);
+
+	  ret = start;
+	}
+      else if (is_sign && 
+	       i == arcount - 1 && 
+	       class == C_ANY && 
+	       type == T_TSIG)
+	*is_sign = 1;
+    }
+  
+  return ret;
+}
+ 
+
+/* replace == 2 ->delete existing option only. */
+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
+			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
+{ 
+  unsigned char *lenp, *datap, *p, *udp_len, *buff = NULL;
+  int rdlen = 0, is_sign, is_last;
+  unsigned short flags = set_do ? 0x8000 : 0, rcode = 0;
+
+  p = find_pseudoheader(header, plen, NULL, &udp_len, &is_sign, &is_last);
+  
+  if (is_sign)
+    return plen;
+
+  if (p)
+    {
+      /* Existing header */
+      int i;
+      unsigned short code, len;
+
+      p = udp_len;
+      GETSHORT(udp_sz, p);
+      GETSHORT(rcode, p);
+      GETSHORT(flags, p);
+
+      if (set_do)
+	{
+	  p -= 2;
+	  flags |= 0x8000;
+	  PUTSHORT(flags, p);
+	}
+
+      lenp = p;
+      GETSHORT(rdlen, p);
+      if (!CHECK_LEN(header, p, plen, rdlen))
+	return plen; /* bad packet */
+      datap = p;
+
+       /* no option to add */
+      if (optno == 0)
+	return plen;
+      	  
+      /* check if option already there */
+      for (i = 0; i + 4 < rdlen;)
+	{
+	  GETSHORT(code, p);
+	  GETSHORT(len, p);
+	  
+	  /* malformed option, delete the whole OPT RR and start again. */
+	  if (i + 4 + len > rdlen)
+	    {
+	      rdlen = 0;
+	      is_last = 0;
+	      break;
+	    }
+	  
+	  if (code == optno)
+	    {
+	      if (replace == 0)
+		return plen;
+
+	      /* delete option if we're to replace it. */
+	      p -= 4;
+	      rdlen -= len + 4;
+	      memmove(p, p+len+4, rdlen - i);
+	      PUTSHORT(rdlen, lenp);
+	      lenp -= 2;
+	    }
+	  else
+	    {
+	      p += len;
+	      i += len + 4;
+	    }
+	}
+
+      /* If we're going to extend the RR, it has to be the last RR in the packet */
+      if (!is_last)
+	{
+	  /* First, take a copy of the options. */
+	  if (rdlen != 0 && (buff = whine_malloc(rdlen)))
+	    memcpy(buff, datap, rdlen);	      
+	  
+	  /* now, delete OPT RR */
+	  plen = rrfilter(header, plen, 0);
+	  
+	  /* Now, force addition of a new one */
+	  p = NULL;	  
+	}
+    }
+  
+  if (!p)
+    {
+      /* We are (re)adding the pseudoheader */
+      if (!(p = skip_questions(header, plen)) ||
+	  !(p = skip_section(p, 
+			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+			     header, plen)))
+      {
+	free(buff);
+	return plen;
+      }
+      if (p + 11 > limit)
+      {
+        free(buff);
+        return plen; /* Too big */
+      }
+      *p++ = 0; /* empty name */
+      PUTSHORT(T_OPT, p);
+      PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+      PUTSHORT(rcode, p);    /* extended RCODE and version */
+      PUTSHORT(flags, p); /* DO flag */
+      lenp = p;
+      PUTSHORT(rdlen, p);    /* RDLEN */
+      datap = p;
+      /* Copy back any options */
+      if (buff)
+	{
+          if (p + rdlen > limit)
+          {
+            free(buff);
+            return plen; /* Too big */
+          }
+	  memcpy(p, buff, rdlen);
+	  free(buff);
+	  p += rdlen;
+	}
+      
+      /* Only bump arcount if RR is going to fit */ 
+      if (((ssize_t)optlen) <= (limit - (p + 4)))
+	header->arcount = htons(ntohs(header->arcount) + 1);
+    }
+  
+  if (((ssize_t)optlen) > (limit - (p + 4)))
+    return plen; /* Too big */
+  
+  /* Add new option */
+  if (optno != 0 && replace != 2)
+    {
+      if (p + 4 > limit)
+       return plen; /* Too big */
+      PUTSHORT(optno, p);
+      PUTSHORT(optlen, p);
+      if (p + optlen > limit)
+       return plen; /* Too big */
+      memcpy(p, opt, optlen);
+      p += optlen;  
+      PUTSHORT(p - datap, lenp);
+    }
+  return p - (unsigned char *)header;
+}
+
+size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit)
+{
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0, NULL, 0, 1, 0);
+}
+
+static unsigned char char64(unsigned char c)
+{
+  return "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[c & 0x3f];
+}
+
+static void encoder(unsigned char *in, char *out)
+{
+  out[0] = char64(in[0]>>2);
+  out[1] = char64((in[0]<<4) | (in[1]>>4));
+  out[2] = char64((in[1]<<2) | (in[2]>>6));
+  out[3] = char64(in[2]);
+}
+
+static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit,
+			     union mysockaddr *l3, time_t now, int *cacheablep)
+{
+  int maclen, replace = 2; /* can't get mac address, just delete any incoming. */
+  unsigned char mac[DHCP_CHADDR_MAX];
+  char encode[18]; /* handle 6 byte MACs */
+
+  if ((maclen = find_mac(l3, mac, 1, now)) == 6)
+    {
+      replace = 1;
+      *cacheablep = 0;
+
+      if (option_bool(OPT_MAC_HEX))
+	print_mac(encode, mac, maclen);
+      else
+	{
+	  encoder(mac, encode);
+	  encoder(mac+3, encode+4);
+	  encode[8] = 0;
+	}
+    }
+
+  return add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, replace); 
+}
+
+
+static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit,
+		      union mysockaddr *l3, time_t now, int *cacheablep)
+{
+  int maclen;
+  unsigned char mac[DHCP_CHADDR_MAX];
+
+  if ((maclen = find_mac(l3, mac, 1, now)) != 0)
+    {
+      *cacheablep = 0;
+      plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
+    }
+  
+  return plen; 
+}
+
+struct subnet_opt {
+  u16 family;
+  u8 source_netmask, scope_netmask; 
+  u8 addr[IN6ADDRSZ];
+};
+
+static void *get_addrp(union mysockaddr *addr, const short family) 
+{
+  if (family == AF_INET6)
+    return &addr->in6.sin6_addr;
+
+  return &addr->in.sin_addr;
+}
+
+static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source, int *cacheablep)
+{
+  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
+  
+  int len;
+  void *addrp = NULL;
+  int sa_family = source->sa.sa_family;
+  int cacheable = 0;
+  
+  opt->source_netmask = 0;
+  opt->scope_netmask = 0;
+    
+  if (source->sa.sa_family == AF_INET6 && daemon->add_subnet6)
+    {
+      opt->source_netmask = daemon->add_subnet6->mask;
+      if (daemon->add_subnet6->addr_used) 
+	{
+	  sa_family = daemon->add_subnet6->addr.sa.sa_family;
+	  addrp = get_addrp(&daemon->add_subnet6->addr, sa_family);
+	  cacheable = 1;
+	} 
+      else 
+	addrp = &source->in6.sin6_addr;
+    }
+
+  if (source->sa.sa_family == AF_INET && daemon->add_subnet4)
+    {
+      opt->source_netmask = daemon->add_subnet4->mask;
+      if (daemon->add_subnet4->addr_used)
+	{
+	  sa_family = daemon->add_subnet4->addr.sa.sa_family;
+	  addrp = get_addrp(&daemon->add_subnet4->addr, sa_family);
+	  cacheable = 1; /* Address is constant */
+	} 
+	else 
+	  addrp = &source->in.sin_addr;
+    }
+  
+  opt->family = htons(sa_family == AF_INET6 ? 2 : 1);
+  
+  if (addrp && opt->source_netmask != 0)
+    {
+      len = ((opt->source_netmask - 1) >> 3) + 1;
+      memcpy(opt->addr, addrp, len);
+      if (opt->source_netmask & 7)
+	opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
+    }
+  else
+    {
+      cacheable = 1; /* No address ever supplied. */
+      len = 0;
+    }
+
+  if (cacheablep)
+    *cacheablep = cacheable;
+  
+  return len + 4;
+}
+ 
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable)
+{
+  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
+  
+  int len;
+  struct subnet_opt opt;
+  
+  len = calc_subnet_opt(&opt, source, cacheable);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0);
+}
+
+int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
+{
+  /* Section 9.2, Check that subnet option in reply matches. */
+  
+  int len, calc_len;
+  struct subnet_opt opt;
+  unsigned char *p;
+  int code, i, rdlen;
+  
+  calc_len = calc_subnet_opt(&opt, peer, NULL);
+   
+  if (!(p = skip_name(pseudoheader, header, plen, 10)))
+    return 1;
+  
+  p += 8; /* skip UDP length and RCODE */
+  
+  GETSHORT(rdlen, p);
+  if (!CHECK_LEN(header, p, plen, rdlen))
+    return 1; /* bad packet */
+  
+  /* check if option there */
+   for (i = 0; i + 4 < rdlen; i += len + 4)
+     {
+       GETSHORT(code, p);
+       GETSHORT(len, p);
+       if (code == EDNS0_OPTION_CLIENT_SUBNET)
+	 {
+	   /* make sure this doesn't mismatch. */
+	   opt.scope_netmask = p[3];
+	   if (len != calc_len || memcmp(p, &opt, len) != 0)
+	     return 0;
+	 }
+       p += len;
+     }
+   
+   return 1;
+}
+
+/* Set *check_subnet if we add a client subnet option, which needs to checked 
+   in the reply. Set *cacheable to zero if we add an option which the answer
+   may depend on. */
+size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
+			union mysockaddr *source, time_t now, int *check_subnet, int *cacheable)    
+{
+  *check_subnet = 0;
+  *cacheable = 1;
+  
+  if (option_bool(OPT_ADD_MAC))
+    plen  = add_mac(header, plen, limit, source, now, cacheable);
+  
+  if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
+    plen = add_dns_client(header, plen, limit, source, now, cacheable);
+  
+  if (daemon->dns_client_id)
+    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMCPEID, 
+			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
+  
+  if (option_bool(OPT_CLIENT_SUBNET))
+    {
+      plen = add_source_addr(header, plen, limit, source, cacheable); 
+      *check_subnet = 1;
+    }
+	  
+  return plen;
+}

src/hash_questions.c

@@ -0,0 +1,281 @@
+/* Copyright (c) 2012-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/* Hash the question section. This is used to safely detect query 
+   retransmission and to detect answers to questions we didn't ask, which 
+   might be poisoning attacks. Note that we decode the name rather 
+   than CRC the raw bytes, since replies might be compressed differently. 
+   We ignore case in the names for the same reason. 
+
+   The hash used is SHA-256. If we're building with DNSSEC support,
+   we use the Nettle cypto library. If not, we prefer not to
+   add a dependency on Nettle, and use a stand-alone implementaion. 
+*/
+
+#include "dnsmasq.h"
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+{
+  int q;
+  unsigned char *p = (unsigned char *)(header+1);
+  const struct nettle_hash *hash;
+  void *ctx;
+  unsigned char *digest;
+  
+  if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest))
+    {
+      /* don't think this can ever happen. */
+      static unsigned char dummy[HASH_SIZE];
+      static int warned = 0;
+
+      if (!warned)
+	my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object"));
+      warned = 1;
+     
+      return dummy;
+    }
+  
+  for (q = ntohs(header->qdcount); q != 0; q--) 
+    {
+      char *cp, c;
+
+      if (!extract_name(header, plen, &p, name, 1, 4))
+	break; /* bad packet */
+
+      for (cp = name; (c = *cp); cp++)
+	 if (c >= 'A' && c <= 'Z')
+	   *cp += 'a' - 'A';
+
+      hash->update(ctx, cp - name, (unsigned char *)name);
+      /* CRC the class and type as well */
+      hash->update(ctx, 4, p);
+
+      p += 4;
+      if (!CHECK_LEN(header, p, plen, 0))
+	break; /* bad packet */
+    }
+  
+  hash->digest(ctx, hash->digest_size, digest);
+  return digest;
+}
+
+#else /* HAVE_DNSSEC */
+
+#define SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
+typedef unsigned char BYTE;             // 8-bit byte
+typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
+
+typedef struct {
+  BYTE data[64];
+  WORD datalen;
+  unsigned long long bitlen;
+  WORD state[8];
+} SHA256_CTX;
+
+static void sha256_init(SHA256_CTX *ctx);
+static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
+static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
+
+
+unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+{
+  int q;
+  unsigned char *p = (unsigned char *)(header+1);
+  SHA256_CTX ctx;
+  static BYTE digest[SHA256_BLOCK_SIZE];
+  
+  sha256_init(&ctx);
+    
+  for (q = ntohs(header->qdcount); q != 0; q--) 
+    {
+      char *cp, c;
+
+      if (!extract_name(header, plen, &p, name, 1, 4))
+	break; /* bad packet */
+
+      for (cp = name; (c = *cp); cp++)
+	 if (c >= 'A' && c <= 'Z')
+	   *cp += 'a' - 'A';
+
+      sha256_update(&ctx, (BYTE *)name, cp - name);
+      /* CRC the class and type as well */
+      sha256_update(&ctx, (BYTE *)p, 4);
+
+      p += 4;
+      if (!CHECK_LEN(header, p, plen, 0))
+	break; /* bad packet */
+    }
+  
+  sha256_final(&ctx, digest);
+  return (unsigned char *)digest;
+}
+
+/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
+   and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
+
+   This code is in the public domain, and the copyright notice at the head of this 
+   file does not apply to it.
+*/
+
+
+/****************************** MACROS ******************************/
+#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
+#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
+
+#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
+#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
+#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
+#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
+#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
+
+/**************************** VARIABLES *****************************/
+static const WORD k[64] = {
+			   0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+			   0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+			   0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+			   0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+			   0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+			   0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+			   0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+			   0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+};
+
+/*********************** FUNCTION DEFINITIONS ***********************/
+static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+{
+  WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+  
+  for (i = 0, j = 0; i < 16; ++i, j += 4)
+    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+  for ( ; i < 64; ++i)
+    m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+
+  a = ctx->state[0];
+  b = ctx->state[1];
+  c = ctx->state[2];
+  d = ctx->state[3];
+  e = ctx->state[4];
+  f = ctx->state[5];
+  g = ctx->state[6];
+  h = ctx->state[7];
+
+  for (i = 0; i < 64; ++i)
+    {
+      t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
+      t2 = EP0(a) + MAJ(a,b,c);
+      h = g;
+      g = f;
+      f = e;
+      e = d + t1;
+      d = c;
+      c = b;
+      b = a;
+      a = t1 + t2;
+    }
+  
+  ctx->state[0] += a;
+  ctx->state[1] += b;
+  ctx->state[2] += c;
+  ctx->state[3] += d;
+  ctx->state[4] += e;
+  ctx->state[5] += f;
+  ctx->state[6] += g;
+  ctx->state[7] += h;
+}
+
+static void sha256_init(SHA256_CTX *ctx)
+{
+  ctx->datalen = 0;
+  ctx->bitlen = 0;
+  ctx->state[0] = 0x6a09e667;
+  ctx->state[1] = 0xbb67ae85;
+  ctx->state[2] = 0x3c6ef372;
+  ctx->state[3] = 0xa54ff53a;
+  ctx->state[4] = 0x510e527f;
+  ctx->state[5] = 0x9b05688c;
+  ctx->state[6] = 0x1f83d9ab;
+  ctx->state[7] = 0x5be0cd19;
+}
+
+static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
+{
+  WORD i;
+  
+  for (i = 0; i < len; ++i)
+    {
+      ctx->data[ctx->datalen] = data[i];
+      ctx->datalen++;
+      if (ctx->datalen == 64) {
+	sha256_transform(ctx, ctx->data);
+	ctx->bitlen += 512;
+	ctx->datalen = 0;
+      }
+    }
+}
+
+static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
+{
+  WORD i;
+  
+  i = ctx->datalen;
+
+  // Pad whatever data is left in the buffer.
+  if (ctx->datalen < 56)
+    {
+      ctx->data[i++] = 0x80;
+      while (i < 56)
+	ctx->data[i++] = 0x00;
+    }
+  else
+    {
+      ctx->data[i++] = 0x80;
+      while (i < 64)
+	ctx->data[i++] = 0x00;
+      sha256_transform(ctx, ctx->data);
+      memset(ctx->data, 0, 56);
+    }
+  
+  // Append to the padding the total message's length in bits and transform.
+  ctx->bitlen += ctx->datalen * 8;
+  ctx->data[63] = ctx->bitlen;
+  ctx->data[62] = ctx->bitlen >> 8;
+  ctx->data[61] = ctx->bitlen >> 16;
+  ctx->data[60] = ctx->bitlen >> 24;
+  ctx->data[59] = ctx->bitlen >> 32;
+  ctx->data[58] = ctx->bitlen >> 40;
+  ctx->data[57] = ctx->bitlen >> 48;
+  ctx->data[56] = ctx->bitlen >> 56;
+  sha256_transform(ctx, ctx->data);
+  
+  // Since this implementation uses little endian byte ordering and SHA uses big endian,
+  // reverse all the bytes when copying the final state to the output hash.
+  for (i = 0; i < 4; ++i)
+    {
+      hash[i]      = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 4]  = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 8]  = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
+    }
+}
+
+#endif

src/helper.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -18,7 +18,7 @@
 
 #ifdef HAVE_SCRIPT
 
-/* This file has code to fork a helper process which recieves data via a pipe 
+/* This file has code to fork a helper process which receives data via a pipe 
    shared with the main process and which is responsible for calling a script when
    DHCP leases change.
 
@@ -64,11 +64,10 @@ struct script_data
 #ifdef HAVE_TFTP
   off_t file_len;
 #endif
-#ifdef HAVE_IPV6
   struct in6_addr addr6;
-#endif
 #ifdef HAVE_DHCP6
-  int iaid, vendorclass_count;
+  int vendorclass_count;
+  unsigned int iaid;
 #endif
   unsigned char hwaddr[DHCP_CHADDR_MAX];
   char interface[IF_NAMESIZE];
@@ -82,6 +81,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
   pid_t pid;
   int i, pipefd[2];
   struct sigaction sigact;
+  unsigned char *alloc_buff = NULL;
   
   /* create the pipe through which the main program sends us commands,
      then fork our process. */
@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       return pipefd[1];
     }
 
-  /* ignore SIGTERM, so that we can clean up when the main process gets hit
+  /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
      and SIGALRM so that we can use sleep() */
   sigact.sa_handler = SIG_IGN;
   sigact.sa_flags = 0;
   sigemptyset(&sigact.sa_mask);
   sigaction(SIGTERM, &sigact, NULL);
   sigaction(SIGALRM, &sigact, NULL);
+  sigaction(SIGINT, &sigact, NULL);
 
   if (!option_bool(OPT_DEBUG) && uid != 0)
     {
@@ -130,11 +131,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
      Don't close err_fd, in case the lua-init fails.
      Note that we have to do this before lua init
      so we don't close any lua fds. */
-  for (max_fd--; max_fd >= 0; max_fd--)
-    if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && 
-	max_fd != STDIN_FILENO && max_fd != pipefd[0] && 
-	max_fd != event_fd && max_fd != err_fd)
-      close(max_fd);
+  close_fds(max_fd, pipefd[0], event_fd, err_fd);
   
 #ifdef HAVE_LUASCRIPT
   if (daemon->luascript)
@@ -187,10 +184,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       struct script_data data;
       char *p, *action_str, *hostname = NULL, *domain = NULL;
       unsigned char *buf = (unsigned char *)daemon->namebuff;
-      unsigned char *end, *extradata, *alloc_buff = NULL;
+      unsigned char *end, *extradata;
       int is6, err = 0;
+      int pipeout[2];
 
+      /* Free rarely-allocated memory from previous iteration. */
+      if (alloc_buff)
+	{
 	  free(alloc_buff);
+	  alloc_buff = NULL;
+	}
       
       /* we read zero bytes when pipe closed: this is our signal to exit */ 
       if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
@@ -219,6 +222,17 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  action_str = "tftp";
 	  is6 = (data.flags != AF_INET);
 	}
+      else if (data.action == ACTION_ARP)
+	{
+	  action_str = "arp-add";
+	  is6 = (data.flags != AF_INET);
+	}
+       else if (data.action == ACTION_ARP_DEL)
+	{
+	  action_str = "arp-del";
+	  is6 = (data.flags != AF_INET);
+	  data.action = ACTION_ARP;
+	}
        else 
 	continue;
 
@@ -289,10 +303,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
     
       if (!is6)
 	inet_ntop(AF_INET, &data.addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_DHCP6
       else
 	inet_ntop(AF_INET6, &data.addr6, daemon->addrbuff, ADDRSTRLEN);
-#endif
 
 #ifdef HAVE_TFTP
       /* file length */
@@ -321,6 +333,22 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
 		}
 	    }
+	  else if (data.action == ACTION_ARP)
+	    {
+	      lua_getglobal(lua, "arp"); 
+	      if (lua_type(lua, -1) != LUA_TFUNCTION)
+		lua_pop(lua, 1); /* arp function optional */
+	      else
+		{
+		  lua_pushstring(lua, action_str); /* arg1 - action */
+		  lua_newtable(lua);               /* arg2 - data table */
+		  lua_pushstring(lua, daemon->addrbuff);
+		  lua_setfield(lua, -2, "client_address");
+		  lua_pushstring(lua, daemon->dhcp_buff);
+		  lua_setfield(lua, -2, "mac_address");
+		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
+		}
+	    }
 	  else
 	    {
 	      lua_getglobal(lua, "lease");     /* function to call */
@@ -445,16 +473,54 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       if (!daemon->lease_change_command)
 	continue;
 
+      /* Pipe to capture stdout and stderr from script */
+      if (!option_bool(OPT_DEBUG) && pipe(pipeout) == -1)
+	continue;
+      
       /* possible fork errors are all temporary resource problems */
       while ((pid = fork()) == -1 && (errno == EAGAIN || errno == ENOMEM))
 	sleep(2);
 
       if (pid == -1)
+        {
+	  if (!option_bool(OPT_DEBUG))
+	    {
+	      close(pipeout[0]);
+	      close(pipeout[1]);
+	    }
 	  continue;
+        }
       
       /* wait for child to complete */
       if (pid != 0)
 	{
+	  if (!option_bool(OPT_DEBUG))
+	    {
+	      FILE *fp;
+	  
+	      close(pipeout[1]);
+	      
+	      /* Read lines sent to stdout/err by the script and pass them back to be logged */
+	      if (!(fp = fdopen(pipeout[0], "r")))
+		close(pipeout[0]);
+	      else
+		{
+		  while (fgets(daemon->packet, daemon->packet_buff_sz, fp))
+		    {
+		      /* do not include new lines, log will append them */
+		      size_t len = strlen(daemon->packet);
+		      if (len > 0)
+			{
+			  --len;
+			  if (daemon->packet[len] == '\n')
+			    daemon->packet[len] = 0;
+			}
+		      send_event(event_fd, EVENT_SCRIPT_LOG, 0, daemon->packet);
+		    }
+		  fclose(fp);
+		}
+	    }
+	  
 	  /* reap our children's children, if necessary */
 	  while (1)
 	    {
@@ -478,7 +544,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  continue;
 	}
 
-      if (data.action != ACTION_TFTP)
+      if (!option_bool(OPT_DEBUG))
+	{
+	  /* map stdout/stderr of script to pipeout */
+	  close(pipeout[0]);
+	  dup2(pipeout[1], STDOUT_FILENO);
+	  dup2(pipeout[1], STDERR_FILENO);
+	  close(pipeout[1]);
+	}
+      
+      if (data.action != ACTION_TFTP && data.action != ACTION_ARP)
 	{
 #ifdef HAVE_DHCP6
 	  my_setenv("DNSMASQ_IAID", is6 ? daemon->dhcp_buff3 : NULL, &err);
@@ -529,6 +604,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	      buf = grab_extradata(buf, end, "DNSMASQ_CIRCUIT_ID", &err);
 	      buf = grab_extradata(buf, end, "DNSMASQ_SUBSCRIBER_ID", &err);
 	      buf = grab_extradata(buf, end, "DNSMASQ_REMOTE_ID", &err);
+	      buf = grab_extradata(buf, end, "DNSMASQ_REQUESTED_OPTIONS", &err);
 	    }
 	  
 	  buf = grab_extradata(buf, end, "DNSMASQ_TAGS", &err);
@@ -550,9 +626,9 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  my_setenv("DNSMASQ_OLD_HOSTNAME", data.action == ACTION_OLD_HOSTNAME ? hostname : NULL, &err);
 	  if (data.action == ACTION_OLD_HOSTNAME)
 	    hostname = NULL;
-	}
 	  
 	  my_setenv("DNSMASQ_LOG_DHCP", option_bool(OPT_LOG_OPTS) ? "1" : NULL, &err);
+	}
       
       /* we need to have the event_fd around if exec fails */
       if ((i = fcntl(event_fd, F_GETFD)) != -1)
@@ -563,8 +639,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
       if (err == 0)
 	{
 	  execl(daemon->lease_change_command, 
-		p ? p+1 : daemon->lease_change_command,
-		action_str, is6 ? daemon->packet : daemon->dhcp_buff, 
+		p ? p+1 : daemon->lease_change_command, action_str, 
+		(is6 && data.action != ACTION_ARP) ? daemon->packet : daemon->dhcp_buff, 
 		daemon->addrbuff, hostname, (char*)NULL);
 	  err = errno;
 	}
@@ -749,10 +825,8 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
 
   if ((buf->flags = peer->sa.sa_family) == AF_INET)
     buf->addr = peer->in.sin_addr;
-#ifdef HAVE_IPV6
   else
     buf->addr6 = peer->in6.sin6_addr;
-#endif
 
   memcpy((unsigned char *)(buf+1), filename, filename_len);
   
@@ -760,6 +834,28 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
 }
 #endif
 
+void queue_arp(int action, unsigned char *mac, int maclen, int family, union all_addr *addr)
+{
+  /* no script */
+  if (daemon->helperfd == -1)
+    return;
+  
+  buff_alloc(sizeof(struct script_data));
+  memset(buf, 0, sizeof(struct script_data));
+
+  buf->action = action;
+  buf->hwaddr_len = maclen;
+  buf->hwaddr_type =  ARPHRD_ETHER; 
+  if ((buf->flags = family) == AF_INET)
+    buf->addr = addr->addr4;
+  else
+    buf->addr6 = addr->addr6;
+  
+  memcpy(buf->hwaddr, mac, maclen);
+  
+  bytes_in_buf = sizeof(struct script_data);
+}
+
 int helper_buf_empty(void)
 {
   return bytes_in_buf == 0;

src/inotify.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@
 #include <sys/inotify.h>
 #include <sys/param.h> /* For MAXSYMLINKS */
 
-/* the strategy is to set a inotify on the directories containing
+/* the strategy is to set an inotify on the directories containing
    resolv files, for any files in the directory which are close-write 
    or moved into the directory.
    
@@ -54,7 +54,10 @@ static char *my_readlink(char *path)
 	{
 	  /* Not link or doesn't exist. */
 	  if (errno == EINVAL || errno == ENOENT)
+	    {
+	      free(buf);
 	      return NULL;
+	    }
 	  else
 	    die(_("cannot access path %s: %s"), path, EC_MISC);
 	}
@@ -91,6 +94,9 @@ void inotify_dnsmasq_init()
   if (daemon->inotifyfd == -1)
     die(_("failed to create inotify: %s"), NULL, EC_MISC);
 
+  if (option_bool(OPT_NO_RESOLV))
+    return;
+  
   for (res = daemon->resolv_files; res; res = res->next)
     {
       char *d, *new_path, *path = safe_malloc(strlen(res->name) + 1);
@@ -98,7 +104,7 @@ void inotify_dnsmasq_init()
 
       strcpy(path, res->name);
 
-      /* Follow symlinks until we reach a non-symlink, or a non-existant file. */
+      /* Follow symlinks until we reach a non-symlink, or a non-existent file. */
       while ((new_path = my_readlink(path)))
 	{
 	  if (links-- == 0)
@@ -197,6 +203,8 @@ void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revh
 	       free(path);
 	     }
 	 }
+
+       closedir(dir_stream);
     }
 }
 
@@ -219,19 +227,21 @@ int inotify_check(time_t now)
       
       for (p = inotify_buffer; rc - (p - inotify_buffer) >= (int)sizeof(struct inotify_event); p += sizeof(struct inotify_event) + in->len) 
 	{
+	  size_t namelen;
+
 	  in = (struct inotify_event*)p;
 	  
-	  for (res = daemon->resolv_files; res; res = res->next)
-	    if (res->wd == in->wd && in->len != 0 && strcmp(res->file, in->name) == 0)
-	      hit = 1;
-
 	  /* ignore emacs backups and dotfiles */
-	  if (in->len == 0 || 
-	      in->name[in->len - 1] == '~' ||
-	      (in->name[0] == '#' && in->name[in->len - 1] == '#') ||
+	  if (in->len == 0 || (namelen = strlen(in->name)) == 0 ||
+	      in->name[namelen - 1] == '~' ||
+	      (in->name[0] == '#' && in->name[namelen - 1] == '#') ||
 	      in->name[0] == '.')
 	    continue;
 
+	  for (res = daemon->resolv_files; res; res = res->next)
+	    if (res->wd == in->wd && strcmp(res->file, in->name) == 0)
+	      hit = 1;
+
 	  for (ah = daemon->dynamic_dirs; ah; ah = ah->next)
 	    if (ah->wd == in->wd)
 	      {
@@ -252,7 +262,7 @@ int inotify_check(time_t now)
 #ifdef HAVE_DHCP
 			if (daemon->dhcp || daemon->doing_dhcp6) 
 			  {
-			    /* Propogate the consequences of loading a new dhcp-host */
+			    /* Propagate the consequences of loading a new dhcp-host */
 			    dhcp_update_configs(daemon->dhcp_conf);
 			    lease_update_from_configs(); 
 			    lease_update_file(now); 
@@ -265,7 +275,7 @@ int inotify_check(time_t now)
 		      {
 			if (option_read_dynfile(path, AH_DHCP_HST))
 			  {
-			    /* Propogate the consequences of loading a new dhcp-host */
+			    /* Propagate the consequences of loading a new dhcp-host */
 			    dhcp_update_configs(daemon->dhcp_conf);
 			    lease_update_from_configs(); 
 			    lease_update_file(now); 

src/ip6addr.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/ipset.c

@@ -22,9 +22,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/utsname.h>
 #include <arpa/inet.h>
-#include <linux/version.h>
 #include <linux/netlink.h>
 
 /* We want to be able to compile against old header files
@@ -87,20 +85,7 @@ static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, con
 
 void ipset_init(void)
 {
-  struct utsname utsname;
-  int version;
-  char *split;
-  
-  if (uname(&utsname) < 0)
-    die(_("failed to find kernel version: %s"), NULL, EC_MISC);
-  
-  split = strtok(utsname.release, ".");
-  version = (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  old_kernel = (version < KERNEL_VERSION(2,6,32));
+  old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32));
   
   if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
     return;
@@ -114,18 +99,13 @@ void ipset_init(void)
   die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
 }
 
-static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove)
+static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, int af, int remove)
 {
   struct nlmsghdr *nlh;
   struct my_nfgenmsg *nfg;
   struct my_nlattr *nested[2];
   uint8_t proto;
-  int addrsz = INADDRSZ;
-
-#ifdef HAVE_IPV6
-  if (af == AF_INET6)
-    addrsz = IN6ADDRSZ;
-#endif
+  int addrsz = (af == AF_INET6) ? IN6ADDRSZ : INADDRSZ;
 
   if (strlen(setname) >= IPSET_MAXNAMELEN) 
     {
@@ -157,7 +137,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
   nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
   add_attr(nlh, 
 	   (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
-	   addrsz, &ipaddr->addr);
+	   addrsz, ipaddr);
   nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
   nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
 	
@@ -168,7 +148,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
 }
 
 
-static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
+static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove)
 {
   socklen_t size;
   struct ip_set_req_adt_get {
@@ -200,7 +180,7 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
     return -1;
   req_adt.op = remove ? 0x102 : 0x101;
   req_adt.index = req_adt_get.set.index;
-  req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
+  req_adt.ip = ntohl(ipaddr->addr4.s_addr);
   if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
     return -1;
   
@@ -209,21 +189,28 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
 
 
 
-int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
+int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
 {
-  int af = AF_INET;
+  int ret = 0, af = AF_INET;
 
-#ifdef HAVE_IPV6
   if (flags & F_IPV6)
     {
       af = AF_INET6;
       /* old method only supports IPv4 */
       if (old_kernel)
-	return -1;
+	{
+	  errno = EAFNOSUPPORT ;
+	  ret = -1;
+	}
     }
-#endif
   
-  return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
+  if (ret != -1) 
+    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
+
+  if (ret == -1)
+     my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
+
+  return ret;
 }
 
 #endif

src/lease.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -21,12 +21,127 @@
 static struct dhcp_lease *leases = NULL, *old_leases = NULL;
 static int dns_dirty, file_dirty, leases_left;
 
-void lease_init(time_t now)
+static int read_leases(time_t now, FILE *leasestream)
 {
   unsigned long ei;
-  struct all_addr addr;
+  union all_addr addr;
   struct dhcp_lease *lease;
   int clid_len, hw_len, hw_type;
+  int items;
+  char *domain = NULL;
+
+  *daemon->dhcp_buff3 = *daemon->dhcp_buff2 = '\0';
+
+  /* client-id max length is 255 which is 255*2 digits + 254 colons
+     borrow DNS packet buffer which is always larger than 1000 bytes
+
+     Check various buffers are big enough for the code below */
+
+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ  < 764)
+# error Buffer size breakage in leasefile parsing.
+#endif
+
+    while ((items=fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2)) == 2)
+      {
+	*daemon->namebuff = *daemon->dhcp_buff = *daemon->packet = '\0';
+	hw_len = hw_type = clid_len = 0;
+	
+#ifdef HAVE_DHCP6
+	if (strcmp(daemon->dhcp_buff3, "duid") == 0)
+	  {
+	    daemon->duid_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, 130, NULL, NULL);
+	    if (daemon->duid_len < 0)
+	      return 0;
+	    daemon->duid = safe_malloc(daemon->duid_len);
+	    memcpy(daemon->duid, daemon->dhcp_buff2, daemon->duid_len);
+	    continue;
+	  }
+#endif
+	
+	if (fscanf(leasestream, " %64s %255s %764s",
+		   daemon->namebuff, daemon->dhcp_buff, daemon->packet) != 3)
+	  {
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database: %s %s %s %s ..."),
+		      daemon->dhcp_buff3, daemon->dhcp_buff2,
+		      daemon->namebuff, daemon->dhcp_buff);
+	    continue;
+	  }
+		
+	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr4))
+	  {
+	    if ((lease = lease4_allocate(addr.addr4)))
+	      domain = get_domain(lease->addr);
+	    
+	    hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
+	    /* For backwards compatibility, no explicit MAC address type means ether. */
+	    if (hw_type == 0 && hw_len != 0)
+	      hw_type = ARPHRD_ETHER; 
+	  }
+#ifdef HAVE_DHCP6
+	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr6))
+	  {
+	    char *s = daemon->dhcp_buff2;
+	    int lease_type = LEASE_NA;
+
+	    if (s[0] == 'T')
+	      {
+		lease_type = LEASE_TA;
+		s++;
+	      }
+	    
+	    if ((lease = lease6_allocate(&addr.addr6, lease_type)))
+	      {
+		lease_set_iaid(lease, strtoul(s, NULL, 10));
+		domain = get_domain6(&lease->addr6);
+	      }
+	  }
+#endif
+	else
+	  {
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database, bad address: %s"),
+		      daemon->namebuff);
+	    continue;
+	  }
+	
+
+	if (!lease)
+	  die (_("too many stored leases"), NULL, EC_MISC);
+
+	if (strcmp(daemon->packet, "*") != 0)
+	  clid_len = parse_hex(daemon->packet, (unsigned char *)daemon->packet, 255, NULL, NULL);
+	
+	lease_set_hwaddr(lease, (unsigned char *)daemon->dhcp_buff2, (unsigned char *)daemon->packet, 
+			 hw_len, hw_type, clid_len, now, 0);
+	
+	if (strcmp(daemon->dhcp_buff, "*") !=  0)
+	  lease_set_hostname(lease, daemon->dhcp_buff, 0, domain, NULL);
+
+	ei = atol(daemon->dhcp_buff3);
+
+#ifdef HAVE_BROKEN_RTC
+	if (ei != 0)
+	  lease->expires = (time_t)ei + now;
+	else
+	  lease->expires = (time_t)0;
+	lease->length = ei;
+#else
+	/* strictly time_t is opaque, but this hack should work on all sane systems,
+	   even when sizeof(time_t) == 8 */
+	lease->expires = (time_t)ei;
+#endif
+	
+	/* set these correctly: the "old" events are generated later from
+	   the startup synthesised SIGHUP. */
+	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED);
+	
+	*daemon->dhcp_buff3 = *daemon->dhcp_buff2 = '\0';
+      }
+    
+    return (items == 0 || items == EOF);
+}
+
+void lease_init(time_t now)
+{
   FILE *leasestream;
 
   leases_left = daemon->dhcp_max;
@@ -64,90 +179,13 @@ void lease_init(time_t now)
       rewind(leasestream);
     }
 
-  /* client-id max length is 255 which is 255*2 digits + 254 colons 
-     borrow DNS packet buffer which is always larger than 1000 bytes */
   if (leasestream)
-    while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
     {
-#ifdef HAVE_DHCP6
-	if (strcmp(daemon->dhcp_buff3, "duid") == 0)
-	  {
-	    daemon->duid_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, 130, NULL, NULL);
-	    daemon->duid = safe_malloc(daemon->duid_len);
-	    memcpy(daemon->duid, daemon->dhcp_buff2, daemon->duid_len);
-	    continue;
-	  }
-#endif
+      if (!read_leases(now, leasestream))
+	my_syslog(MS_DHCP | LOG_ERR, _("failed to parse lease database cleanly"));
       
-	ei = atol(daemon->dhcp_buff3);
-	
-	if (fscanf(leasestream, " %64s %255s %764s",
-		   daemon->namebuff, daemon->dhcp_buff, daemon->packet) != 3)
-	  break;
-	
-	clid_len = 0;
-	if (strcmp(daemon->packet, "*") != 0)
-	  clid_len = parse_hex(daemon->packet, (unsigned char *)daemon->packet, 255, NULL, NULL);
-	
-	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr.addr4) &&
-	    (lease = lease4_allocate(addr.addr.addr4)))
-	  {
-	    hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
-	    /* For backwards compatibility, no explict MAC address type means ether. */
-	    if (hw_type == 0 && hw_len != 0)
-	      hw_type = ARPHRD_ETHER; 
-
-	    lease_set_hwaddr(lease, (unsigned char *)daemon->dhcp_buff2, (unsigned char *)daemon->packet, 
-			     hw_len, hw_type, clid_len, now, 0);
-	    
-	    if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	      lease_set_hostname(lease, daemon->dhcp_buff, 0, get_domain(lease->addr), NULL);
-	  }
-#ifdef HAVE_DHCP6
-	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr.addr6))
-	  {
-	    char *s = daemon->dhcp_buff2;
-	    int lease_type = LEASE_NA;
-	    int iaid;
-
-	    if (s[0] == 'T')
-	      {
-		lease_type = LEASE_TA;
-		s++;
-	      }
-	    
-	    iaid = strtoul(s, NULL, 10);
-	    
-	    if ((lease = lease6_allocate(&addr.addr.addr6, lease_type)))
-	      {
-		lease_set_hwaddr(lease, NULL, (unsigned char *)daemon->packet, 0, 0, clid_len, now, 0);
-		lease_set_iaid(lease, iaid);
-		if (strcmp(daemon->dhcp_buff, "*") !=  0)
-		  lease_set_hostname(lease, daemon->dhcp_buff, 0, get_domain6((struct in6_addr *)lease->hwaddr), NULL);
-	      }
-	  }
-#endif
-	else
-	  break;
-
-	if (!lease)
-	  die (_("too many stored leases"), NULL, EC_MISC);
-       	
-#ifdef HAVE_BROKEN_RTC
-	if (ei != 0)
-	  lease->expires = (time_t)ei + now;
-	else
-	  lease->expires = (time_t)0;
-	lease->length = ei;
-#else
-	/* strictly time_t is opaque, but this hack should work on all sane systems,
-	   even when sizeof(time_t) == 8 */
-	lease->expires = (time_t)ei;
-#endif
-	
-	/* set these correctly: the "old" events are generated later from
-	   the startup synthesised SIGHUP. */
-	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED);
+      if (ferror(leasestream))
+	die(_("failed to read lease file %s: %s"), daemon->lease_file, EC_FILE);
     }
   
 #ifdef HAVE_SCRIPT
@@ -162,6 +200,7 @@ void lease_init(time_t now)
 	    errno = ENOENT;
 	  else if (WEXITSTATUS(rc) == 126)
 	    errno = EACCES;
+
 	  die(_("cannot run lease-init script %s: %s"), daemon->lease_change_command, EC_FILE);
 	}
       
@@ -191,7 +230,7 @@ void lease_update_from_configs(void)
     if (lease->flags & (LEASE_TA | LEASE_NA))
       continue;
     else if ((config = find_config(daemon->dhcp_conf, NULL, lease->clid, lease->clid_len, 
-				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL)) && 
+				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL, NULL)) && 
 	     (config->flags & CONFIG_NAME) &&
 	     (!(config->flags & CONFIG_ADDR) || config->addr.s_addr == lease->addr.s_addr))
       lease_set_hostname(lease, config->hostname, 1, get_domain(lease->addr), NULL);
@@ -406,7 +445,7 @@ void lease_ping_reply(struct in6_addr *sender, unsigned char *packet, char *inte
 
 void lease_update_slaac(time_t now)
 {
-  /* Called when we contruct a new RA-names context, to add putative
+  /* Called when we construct a new RA-names context, to add putative
      new SLAAC addresses to existing leases. */
 
   struct dhcp_lease *lease;
@@ -483,28 +522,28 @@ void lease_update_dns(int force)
 		if (slaac->backoff == 0)
 		  {
 		    if (lease->fqdn)
-		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		    if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		  }
 	    }
 	  
 	  if (lease->fqdn)
 	    cache_add_dhcp_entry(lease->fqdn, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6,
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6,
 				 lease->expires);
 	     
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
 	    cache_add_dhcp_entry(lease->hostname, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6, 
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6, 
 				 lease->expires);
        
 #else
 	  if (lease->fqdn)
-	    cache_add_dhcp_entry(lease->fqdn, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->fqdn, prot, (union all_addr *)&lease->addr, lease->expires);
 	  
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-	    cache_add_dhcp_entry(lease->hostname, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->hostname, prot, (union all_addr *)&lease->addr, lease->expires);
 #endif
 	}
       
@@ -519,12 +558,14 @@ void lease_prune(struct dhcp_lease *target, time_t now)
   for (lease = leases, up = &leases; lease; lease = tmp)
     {
       tmp = lease->next;
-      if ((lease->expires != 0 && difftime(now, lease->expires) > 0) || lease == target)
+      if ((lease->expires != 0 && difftime(now, lease->expires) >= 0) || lease == target)
 	{
 	  file_dirty = 1;
 	  if (lease->hostname)
 	    dns_dirty = 1;
 
+	  daemon->metrics[lease->addr.s_addr ? METRIC_LEASES_PRUNED_4 : METRIC_LEASES_PRUNED_6]++;
+
  	  *up = lease->next; /* unlink */
 	  
 	  /* Put on old_leases list 'till we
@@ -594,7 +635,8 @@ struct dhcp_lease *lease_find_by_addr(struct in_addr addr)
 #ifdef HAVE_DHCP6
 /* find address for {CLID, IAID, address} */
 struct dhcp_lease *lease6_find(unsigned char *clid, int clid_len, 
-			       int lease_type, int iaid, struct in6_addr *addr)
+			       int lease_type, unsigned int iaid,
+			       struct in6_addr *addr)
 {
   struct dhcp_lease *lease;
   
@@ -626,7 +668,9 @@ void lease6_reset(void)
 }
 
 /* enumerate all leases belonging to {CLID, IAID} */
-struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type, unsigned char *clid, int clid_len, int iaid)
+struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type,
+					 unsigned char *clid, int clid_len,
+					 unsigned int iaid)
 {
   struct dhcp_lease *lease;
 
@@ -742,7 +786,10 @@ struct dhcp_lease *lease4_allocate(struct in_addr addr)
 {
   struct dhcp_lease *lease = lease_allocate();
   if (lease)
+    {
       lease->addr = addr;
+      daemon->metrics[METRIC_LEASES_ALLOCATED_4]++;
+    }
   
   return lease;
 }
@@ -757,6 +804,8 @@ struct dhcp_lease *lease6_allocate(struct in6_addr *addrp, int lease_type)
       lease->addr6 = *addrp;
       lease->flags |= lease_type;
       lease->iaid = 0;
+
+      daemon->metrics[METRIC_LEASES_ALLOCATED_6]++;
     }
 
   return lease;
@@ -776,7 +825,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
     {
       exp = now + (time_t)len;
       /* Check for 2038 overflow. Make the lease
-	 inifinite in that case, as the least disruptive
+	 infinite in that case, as the least disruptive
 	 thing we can do. */
       if (difftime(exp, now) <= 0.0)
 	exp = 0;
@@ -787,7 +836,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
       dns_dirty = 1;
       lease->expires = exp;
 #ifndef HAVE_BROKEN_RTC
-      lease->flags |= LEASE_AUX_CHANGED;
+      lease->flags |= LEASE_AUX_CHANGED | LEASE_EXP_CHANGED;
       file_dirty = 1;
 #endif
     }
@@ -803,7 +852,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
 } 
 
 #ifdef HAVE_DHCP6
-void lease_set_iaid(struct dhcp_lease *lease, int iaid)
+void lease_set_iaid(struct dhcp_lease *lease, unsigned int iaid)
 {
   if (lease->iaid != iaid)
     {
@@ -1087,7 +1136,8 @@ int do_script_run(time_t now)
   
   for (lease = leases; lease; lease = lease->next)
     if ((lease->flags & (LEASE_NEW | LEASE_CHANGED)) || 
-	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)))
+	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)) ||
+	((lease->flags & LEASE_EXP_CHANGED) && option_bool(OPT_LEASE_RENEW)))
       {
 #ifdef HAVE_SCRIPT
 	queue_script((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease, 
@@ -1097,7 +1147,7 @@ int do_script_run(time_t now)
 	emit_dbus_signal((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease,
 			 lease->fqdn ? lease->fqdn : lease->hostname);
 #endif
-	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED);
+	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED | LEASE_EXP_CHANGED);
 	
 	/* this is used for the "add" call, then junked, since they're not in the database */
 	free(lease->extradata);
@@ -1110,11 +1160,15 @@ int do_script_run(time_t now)
 }
 
 #ifdef HAVE_SCRIPT
+/* delim == -1 -> delim = 0, but embedded 0s, creating extra records, are OK. */
 void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned int len, int delim)
 {
   unsigned int i;
   
-  /* check for embeded NULLs */
+  if (delim == -1)
+    delim = 0;
+  else
+    /* check for embedded NULLs */
     for (i = 0; i < len; i++)
       if (data[i] == 0)
 	{

src/log.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -154,7 +154,7 @@ static void log_write(void)
    
   while (entries)
     {
-      /* The data in the payoad is written with a terminating zero character 
+      /* The data in the payload is written with a terminating zero character 
 	 and the length reflects this. For a stream connection we need to 
 	 send the zero as a record terminator, but this isn't done for a 
 	 datagram connection, so treat the length as one less than reality 
@@ -232,7 +232,7 @@ static void log_write(void)
 	      logaddr.sun_len = sizeof(logaddr) - sizeof(logaddr.sun_path) + strlen(_PATH_LOG) + 1; 
 #endif
 	      logaddr.sun_family = AF_UNIX;
-	      strncpy(logaddr.sun_path, _PATH_LOG, sizeof(logaddr.sun_path));
+	      safe_strncpy(logaddr.sun_path, _PATH_LOG, sizeof(logaddr.sun_path));
 	      
 	      /* Got connection back? try again. */
 	      if (connect(log_fd, (struct sockaddr *)&logaddr, sizeof(logaddr)) != -1)
@@ -288,6 +288,8 @@ void my_syslog(int priority, const char *format, ...)
     func = "-tftp";
   else if ((LOG_FACMASK & priority) == MS_DHCP)
     func = "-dhcp";
+  else if ((LOG_FACMASK & priority) == MS_SCRIPT)
+    func = "-script";
 	    
 #ifdef LOG_PRI
   priority = LOG_PRI(priority);
@@ -436,7 +438,7 @@ void check_log_writer(int force)
 void flush_log(void)
 {
   /* write until queue empty, but don't loop forever if there's
-   no connection to the syslog in existance */
+   no connection to the syslog in existence */
   while (log_fd != -1)
     {
       struct timespec waiter;

src/loop.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/metrics.c

@@ -0,0 +1,44 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+const char * metric_names[] = {
+    "dns_cache_inserted",
+    "dns_cache_live_freed",
+    "dns_queries_forwarded",
+    "dns_auth_answered",
+    "dns_local_answered",
+    "bootp",
+    "pxe",
+    "dhcp_ack",
+    "dhcp_decline",
+    "dhcp_discover",
+    "dhcp_inform",
+    "dhcp_nak",
+    "dhcp_offer",
+    "dhcp_release",
+    "dhcp_request",
+    "noanswer",
+    "leases_allocated_4",
+    "leases_pruned_4",
+    "leases_allocated_6",
+    "leases_pruned_6",
+};
+
+const char* get_metric_name(int i) {
+    return metric_names[i];
+}

src/metrics.h

@@ -0,0 +1,43 @@
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* If you modify this list, please keep the labels in metrics.c in sync. */
+enum {
+  METRIC_DNS_CACHE_INSERTED,
+  METRIC_DNS_CACHE_LIVE_FREED,
+  METRIC_DNS_QUERIES_FORWARDED,
+  METRIC_DNS_AUTH_ANSWERED,
+  METRIC_DNS_LOCAL_ANSWERED,
+  METRIC_BOOTP,
+  METRIC_PXE,
+  METRIC_DHCPACK,
+  METRIC_DHCPDECLINE,
+  METRIC_DHCPDISCOVER,
+  METRIC_DHCPINFORM,
+  METRIC_DHCPNAK,
+  METRIC_DHCPOFFER,
+  METRIC_DHCPRELEASE,
+  METRIC_DHCPREQUEST,
+  METRIC_NOANSWER,
+  METRIC_LEASES_ALLOCATED_4,
+  METRIC_LEASES_PRUNED_4,
+  METRIC_LEASES_ALLOCATED_6,
+  METRIC_LEASES_PRUNED_6,
+  
+  __METRIC_MAX,
+};
+
+const char* get_metric_name(int);