Remove unused variable.

Add IANA Root TA 2024.
Signed-off-by: Loganaden Velvindron <logan at cyberstorm.mu> Signed-off-by: Jaykishan Mutkawoa <jay at cyberstorm.mu>
2024-12-19 00:36:42 +00:00 · 2024-12-18 23:58:58 +00:00 · 2024-12-18 23:51:29 +00:00 · 2024-12-17 23:50:06 +00:00 · 2024-12-17 23:34:13 +00:00 · 2024-12-17 23:17:27 +00:00
117 changed files with 37109 additions and 21003 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,9 +7,4 @@ src/.copts_*
 contrib/lease-tools/dhcp_lease_time
 contrib/lease-tools/dhcp_release
 contrib/lease-tools/dhcp_release6
-debian/base/
-debian/daemon/
-debian/files
-debian/substvars
-debian/utils-substvars
-debian/utils/
+
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "debian"]
+	path = debian
+	url = git://thekelleys.org.uk/dnsmasq-debian.git
--- a/866
+++ b/866
@@ -1,3 +1,793 @@
+version 2.91
+	Fix spurious "resource limit exceeded messages". Thanks to 
+	Dominik Derigs for the bug report.
+
+	Fix out-of-bounds heap read in order_qsort().
+	We only need to order two server records on the ->serial field.
+	Literal address records are smaller and don't have
+	this field and don't need to be ordered on it.
+	To actually provoke this bug seems to need the same server-literal
+	to be repeated twice, eg --address=/a/1.1.1.1 --address-/a/1.1.1.1
+	which is clearly rare in the wild, but if it did exist it could
+	provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one.
+
+	Fix buffer overflow when configured lease-change script name
+	is too long.
+	Thanks to Daniel Rhea for finding this one.
+
+	Improve behaviour in the face of non-responsive upstream TCP DNS
+	servers. Without shorter timeouts, clients are blocked for too long
+	and fail wuth their own timeouts.
+
+	Set --fast-dns-retries by default when doing DNSSEC. A single
+	downstream query can trigger many upstream queries. On an
+	unreliable network, there may not be enough downstream retries
+	to ensure that all these queries complete.
+
+	Improve behaviour in the face of truncated answers to queries
+	for DNSSEC records. Getting these answers by TCP doesn't now
+	involve a faked truncated answer to the downstream client to
+	force it to move to TCP. This improves performance and robustness
+	in the face of broken clients which can't fall back to TCP.
+
+	No longer remove data from truncated upstream answers. If an
+	upstream replies with a truncated answer, but the answer has some
+	RRs included, return those RRs, rather than returning and
+	empty answer.
+
+	Fix handling of EDNS0 UDP packet sizes.
+	When talking upstream we always add a pseudoheader, and set the
+        UDP packet size to --edns-packet-max. Answering queries from
+	downstream, we get the answer (either from upstream or local
+	data) If local data won't fit the advertised size (or 512 if
+	there's not an EDNS0 header) return truncated. If upstream
+        returns truncated, do likewise. If upstream is OK, but the
+	answer is too big for downstream, truncate the answer.
+
+	Modify the behaviour of --synth-domain for IPv6.
+	When deriving a domain name from an IPv6 address, an address
+	such as 1234:: would become 1234--.example.com, which is
+	not legal in IDNA2008. Stop using the :: compression method,
+	so 1234:: becomes
+	1234-0000-0000-0000-0000-0000-0000-0000.example.com
+
+	Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
+	this problem.
+
+	Add --dhcp-option-pxe config. This acts almost exactly like
+	--dhcp-option except that the defined option is only sent when
+	replying to PXE clients. More importantly, these options are sent
+	in reply PXE clients when dnsmasq in acting in PXE proxy mode. In
+	PXE proxy mode, the set of options sent is defined by the PXE standard
+	and the normal set of options is not sent. This config allows arbitrary
+	options in PXE-proxy replies. A typical use-case is to send option
+	175 to iPXE. Thanks to Jason Berry for finding the requirement for
+	this.
+
+	Support PXE proxy-DHCP and DHCP-relay at the same time.
+        When using PXE proxy-DHCP, dnsmasq supplies PXE information to
+        the client, which also talks to another "normal" DHCP server
+        for address allocation and similar. The normal DHCP server may
+        be on the local network, but it may also be remote, and accessed via
+        a DHCP relay. This change allows dnsmasq to act as both a
+        PXE proxy-DHCP server AND a DHCP relay for the same network.
+
+	Fix erroneous "DNSSEC validated" state with non-DNSSEC
+	upstream servers.  Thanks to Dominik Derigs for the bug report.
+
+
+version 2.90
+	Fix reversion in --rev-server introduced in 2.88 which
+	caused breakage if the prefix length is not exactly divisible
+	by 8 (IPv4) or 4 (IPv6).
+
+	Fix possible SEGV when there server(s) for a particular
+	domain are configured, but no server which is not qualified
+	for a particular domain. Thanks to Daniel Danzberger for
+	spotting this bug.
+
+	Set the default maximum DNS UDP packet sice to 1232. This
+	has been the recommended value since 2020 because it's the
+	largest value that avoid fragmentation, and fragmentation
+	is just not reliable on the modern internet, especially
+	for IPv6. It's still possible to override this with
+	--edns-packet-max for special circumstances.
+
+	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
+	better control over which inetrfaces are providing DHCP service.
+
+	Fix issue with stale caching: After replying with stale data,
+	dnsmasq sends the query upstream to refresh the cache asynchronously
+	and sometimes sends the wrong packet: packet length can be wrong,
+	and if an EDE marking stale data is added to the answer that can
+	end up in the query also. This bug only seems to cause problems
+	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
+	for the bug report.
+
+	Add configurable caching for arbitrary RR-types.
+
+	Add --filter-rr option, to filter arbitrary RR-types.
+	--filter-rr=ANY has a special meaning: it filters the
+	answers to queries for the ANY RR-type.
+	
+	Add limits on the resources used to do DNSSEC validation.
+	DNSSEC introduces a potential CPU DoS, because a crafted domain
+	can force a validator to a large number of cryptographic
+	operations whilst attempting to do validation. When using TCP
+	transport a DNSKEY RRset contain thousands of members and any
+	RRset can have thousands of signatures. The potential number
+	of signature validations to follow the RFC for validation
+	for one RRset is the cross product of the keys and signatures,
+	so millions. In practice, the actual numbers are much lower,
+	so attacks can be mitigated by limiting the amount of
+	cryptographic "work" to a much lower amount. The actual
+	limits are number a signature validation fails per RRset(20),
+	number of signature validations and hash computations
+	per query(200), number of sub-queries  to fetch  DS and DNSKEY
+	RRsets per query(40), and the number of iterations in a
+	NSEC3 record(150). These values are sensible, but there is, as yet,
+	no standardisation on the values for a "conforming" domain, so a
+	new option --dnssec-limit is provided should they need to be altered.
+	The algorithm to validate DS records has also been altered to reduce
+	the maximum work from cross product of the number of DS records and
+	number of DNSKEYs to the cross product of the number of DS records
+	and supported DS digest types. As the number of DS digest types
+	is in single figures, this reduces the exposure.
+
+	Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
+	and Michael Waidner from the German National Research Center for
+	Applied Cybersecurity ATHENE for finding this vulnerability.
+
+	CVE 2023-50387 and CVE 2023-50868 apply.
+	Note that the is a security vulnerablity only when DNSSEC validation
+	is enabled.
+	
+	Fix memory-leak when attempting to cache SRV records with zero TTL.
+	Thanks to Damian Sawicki for the bug report.
+
+	Add --max-tcp-connections option to make limit on TCP handling
+	processes configurable.  Also keep stats on how near the limit
+	we're getting, to help with tuning. Patch from Damian Sawicki.
+
+	
+version 2.89
+        Fix bug introduced in 2.88 (commit fe91134b) which can result
+	in corruption of the DNS cache internal data structures and
+	logging of "cache internal error". This has only been seen
+	in one place in the wild, and it took considerable effort
+	to even generate a test case to reproduce it, but there's
+	no way to be sure it won't strike, and the effect is to break
+	the cache badly. Installations with DNSSEC enabled are more
+	likely to see the problem, but not running DNSSEC does not
+	guarantee that it won't happen. Thanks to Timo van Roermund
+	for reporting the bug and for his great efforts in chasing
+	it down.
+
+
+version 2.88
+	Fix bug in --dynamic-host when an interface has /16 IPv4
+  	address. Thanks to Mark Dietzer for spotting this.
+
+	Add --fast-dns-retry option. This gives dnsmasq the ability
+	to originate retries for upstream DNS queries itself, rather
+	than relying on the downstream client. This is most useful
+	when doing DNSSEC over unreliable upstream networks. It comes
+	with some cost in memory usage and network bandwidth.
+
+	Add --use-stale-cache option. When set, if a DNS name exists
+	in the cache, but its time-to-live has expired, dnsmasq will
+	return the data anyway. (It attempts to refresh the
+	data with an upstream query after returning the stale data.)
+	This can improve speed and reliability. It comes
+	at the expense of sometimes returning out-of-date data and
+	less efficient cache utilisation, since old data cannot be
+	flushed when its TTL expires, so the cache becomes
+	strictly least-recently-used.
+
+	Add --port-limit option which allows tuning for robustness in
+	the face of some upstream network errors. Thanks to
+	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
+	all of Amazon Web Services, for their efforts in developing this
+	and the stale-cache and fast-retry options.
+
+	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
+	handle removal of whole files or entries within files.
+	Thanks to Dominik Derigs for the initial patches for this.
+
+	Fix bug, introduced in 2.87, which could result in DNS
+	servers being removed from the configuration when reloading
+	server configuration from DBus, or re-reading /etc/resolv.conf
+	Only servers from the same source should be replaced, but some
+	servers from other sources (i.e., hard coded or another dynamic source)
+	could mysteriously disappear. Thanks to all reporting this,
+	but especially Christopher J. Madsen who reduced the problem
+	to an easily reproducible case which saved much labour in
+	finding it.
+
+	Add --no-round-robin option.
+
+	Allow domain names as well as IP addresses when specifying
+	upstream DNS servers. There are some gotchas associated with this
+	(it will mysteriously fail to work if the dnsmasq instance
+	being started is in the path from the system resolver to the DNS),
+	and a seemingly sensible configuration like
+	--server=domain.name@1.2.3.4 is unactionable if domain.name
+	only resolves to an IPv6 address). There are, however,
+	cases where is can be useful. Thanks to Dominik Derigs for
+	the patch.
+
+	Handle DS records for unsupported crypto algorithms correctly.
+	Such a DS, as long as it is validated, should allow answers
+	in the domain it attests to be returned as unvalidated, and not
+	as a validation error.
+
+	Optimise reading large numbers of --server options. When re-reading
+	upstream servers from /etc/resolv.conf or other sources that
+	can change dnsmasq tries to avoid memory fragmentation by re-using
+	existing records that are being re-read unchanged. This involves
+	seaching all the server records for each new one installed.
+	During startup this search is pointless, and can cause long
+	start times with thousands of --server options because the work
+	needed is O(n^2). Handle this case more intelligently.
+	Thanks to Ye Zhou for spotting the problem and an initial patch.
+	
+	If we detect that a DNS reply from upstream is malformed don't
+	return it to the requestor; send a SEVFAIL rcode instead.
+
+	
+version 2.87
+        Allow arbitrary prefix lengths in --rev-server and
+	--domain=....,local
+
+	Replace --address=/#/..... functionality which got
+	missed in the 2.86 domain search rewrite.
+
+	Add --nftset option, like --ipset but for the newer nftables.
+	Thanks to Chen Zhenge for the patch.
+	
+	Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
+	addresses from DNS answers.
+
+	Fix crash doing netbooting when --port is set to zero
+	to disable the DNS server. Thanks to Drexl Johannes
+	for the bug report.
+
+	Generalise --dhcp-relay. Sending via broadcast/multicast is
+	now supported for both IPv4 and IPv6 and the configuration
+	syntax made easier (but backwards compatible).
+	
+	Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
+
+	Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
+	as hex, the pattern must consist of only hex digits AND contain
+	at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
+	over a pattern consisting of a decimal number which was interpreted
+	surprisingly.
+
+	Include client address in TFTP file-not-found error reports.
+	Thanks to Stefan Rink for the initial patch, which has been
+	re-worked by me (srk). All bugs mine.
+
+	Note in manpage the change in behaviour of -address. This behaviour
+	actually changed in v2.86, but was undocumented there. From 2.86 on,
+	(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
+	types of query will be sent upstream. Pre 2.86, that would catch the
+	whole example.com domain and queries for other types would get
+	a local NODATA answer. The pre-2.86 behaviour is still available,
+	by configuring --address=/example.com/1.2.3.4 --local=/example.com/
+
+        Fix problem with binding DHCP sockets to an individual interface.
+	Despite the fact that the system call tales the interface _name_ as
+	a parameter, it actually, binds the socket to interface _index_.
+	Deleting the interface and creating a new one with the same name
+	leaves the socket bound to the old index. (Creating new sockets
+	always allocates a fresh index, they are not reused). We now
+	take this behaviour into account and keep up with changing indexes.
+
+	Add --conf-script configuration option.
+
+	Enhance --domain to accept, for instance,
+	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
+	which relects the interface they are attached to in a way which
+	doesn't require hard-coding addresses. Thanks to Sten Spans for
+	the idea.
+
+	Fix write-after-free error in DHCPv6 server code.
+	CVE-2022-0934 refers.
+	
+	Add the ability to specify destination port in
+	DHCP-relay mode. This change also removes a previous bug
+	where --dhcp-alternate-port would affect the port used
+	to relay _to_ as well as the port being listened on.
+	The new feature allows configuration to provide bug-for-bug
+	compatibility, if required. Thanks to Damian Kaczkowski 
+	for the feature suggestion.
+
+	Bound the value of UDP packet size in the EDNS0 header of
+	forwarded queries to the configured or default value of
+	edns-packet-max. There's no point letting a client set a larger
+	value if we're unable to return the answer. Thanks to Bertie
+	Taylor for pointing out the problem and supplying the patch.
+	
+	Fix problem with the configuration
+	
+	--server=/some.domain/# --address=/#/<ip> --server=<server_ip>
+
+	This would return <ip> for queries in some.domain, rather than
+	forwarding the query via the default server.
+
+	Tweak DHCPv6 relay code so that packets relayed towards a server
+	have source address on the server-facing network, not the
+	client facing network. Thanks to Luis Thomas for spotting this
+	and initial patch.
+
+
+version 2.86
+	Handle DHCPREBIND requests in the DHCPv6 server code.
+	Thanks to Aichun Li for spotting this omission, and the initial
+	patch.
+
+	Fix bug which caused dnsmasq to lose track of processes forked
+	to handle TCP DNS connections under heavy load. The code
+	checked that at least one free process table slot was
+	available before listening on TCP sockets, but didn't take
+	into account that more than one TCP connection could
+	arrive, so that check was not sufficient to ensure that
+	there would be slots for all new processes. It compounded
+	this error by silently failing to store the process when
+	it did run out of slots. Even when this bug is triggered,
+	all the right things happen, and answers are still returned.
+	Only under very exceptional circumstances, does the bug
+	manifest itself: see
+	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
+	Thanks to Tijs Van Buggenhout for finding the conditions under
+	which the bug manifests itself, and then working out
+	exactly what was going on.
+
+	Major rewrite of the DNS server and domain handling code.
+	This should be largely transparent, but it drastically
+	improves performance and reduces memory foot-print when
+	configuring large numbers domains of the form
+	local=/adserver.com/
+	or
+	local=/adserver.com/#
+	Lookup times now grow as log-to-base-2 of the number of domains,
+	rather than greater than linearly, as before.
+	The change makes multiple addresses associated with a domain work
+	address=/example.com/1.2.3.4
+	address=/example.com/5.6.7.8
+	It also handles multiple upstream servers for a domain better; using
+	the same try/retry algorithms as non domain-specific servers. This
+	also applies to DNSSEC-generated queries.
+	Finally, some of the oldest and gnarliest code in dnsmasq has had
+	a significant clean-up. It's far from perfect, but it _is_ better.
+
+	Revise resource handling for number of concurrent DNS queries. This
+	used to have a global limit, but that has a problem when using
+	different servers for different upstream domains. Queries which are
+	routed by domain to an upstream server which is not responding will
+	build up and trigger the limit, which breaks DNS service for
+	all other domains which could be handled by other servers. The
+	change is to make the limit per server-group, where a server group
+	is the set of servers configured for a particular domain. In the
+	common case, where only default servers are declared, there is
+	no effective change.
+
+	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
+	used to be when it entered the cache, having been validated. After
+	that queries requiring the KEY or DS records would share the cached
+	values. There is a common case in dual-stack hosts that queries for
+	A and AAAA records for the same domain are made simultaneously.
+	If required keys were not in the cache, this would result in two
+	requests being sent upstream for the same key data (and all the
+	subsequent chain-of-trust queries.) Now we combine these requests
+	and elide the duplicates, resulting in fewer queries upstream
+	and better performance. To keep a better handle on what's
+	going on, the "extra" logging mode has been modified to associate
+	queries and answers  for DNSSEC queries in the same way as ordinary
+	queries. The requesting address and port have been removed from
+	DNSSEC logging lines, since this is no longer strictly defined.
+
+	Connection track mark based DNS query filtering. Thanks to
+	Etan Kissling for implementing this It extends query filtering
+	support beyond what is currently possible
+	with the `--ipset` configuration option, by adding support for:
+	1) Specifying allowlists on a per-client basis, based on their
+	   associated Linux connection track mark.
+	2) Dynamic configuration of allowlists via Ubus.
+	3) Reporting when a DNS query resolves or is rejected via Ubus.
+	4) DNS name patterns containing wildcards.
+	Disallowed queries are not forwarded; they are rejected
+	with a REFUSED error code.
+
+	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
+	--synth-domain=1234:4567::/56,example.com is now valid.
+
+	Make domains generated by --synth-domain appear in replies
+	when in authoritative mode.
+
+	Ensure CAP_NET_ADMIN capability is available when
+	conntrack is configured. Thanks to Yick Xie for spotting
+	the lack of this.
+
+	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
+	given a directory as argument, define the order in which
+	files within that directory are read (alphabetical order
+	of filename). Thanks to Ed Wildgoose for the initial patch
+	and motivation for this.
+
+	Allow adding IP address to nftables set in addition to
+	ipset.
+
+	
+version 2.85
+        Fix problem with DNS retries in 2.83/2.84.
+        The new logic in 2.83/2.84 which merges distinct requests
+	for the same domain causes problems with clients which do
+	retries as distinct requests (differing IDs and/or source ports.)
+	The retries just get piggy-backed on the first, failed, request.
+        The logic is now changed so that distinct requests for repeated
+        queries still get merged into a single ID/source port, but
+	they now always trigger a re-try upstream.
+        Thanks to Nicholas Mu for his analysis.
+
+	Tweak sort order of tags in get-version. v2.84 sorts
+	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
+	sorts before v2.83test1. This fixes the problem which lead
+	to 2.84 announcing itself as 2.84rc2.
+
+ 	Avoid treating a --dhcp-host which has an IPv6 address
+	as eligible for use with DHCPv4 on the grounds that it has
+	no address, and vice-versa. Thanks to Viktor Papp for
+	spotting the problem. (This bug was fixed was back in 2.67, and
+	then regressed in 2.81).
+
+	Add --dynamic-host option: A and AAAA records which take their
+	network part from the network of a local interface. Useful
+	for routers with dynamically prefixes. Thanks
+	to Fred F for the suggestion.
+
+	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
+
+	Use random source ports where possible if source
+	addresses/interfaces in use.
+	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
+	It's possible to specify the source address or interface to be
+	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
+	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
+	these have, until now, used a single socket, bound to a fixed
+	port. This was originally done to allow an error (non-existent
+	interface, or non-local address) to be detected at start-up. This
+	means that any upstream servers specified in such a way don't use
+	random source ports, and are more susceptible to cache-poisoning
+	attacks.
+	We now use random ports where possible, even when the
+	source is specified, so server=8.8.8.8@1.2.3.4 or
+	server=8.8.8.8@eth0 will use random source
+	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
+	use the explicitly configured port, and should only be done with
+	understanding of the security implications.
+	Note that this change changes non-existing interface, or non-local
+	source address errors from fatal to run-time. The error will be
+	logged and communication with the server not possible.
+
+	Change the method of allocation of random source ports for DNS.
+	Previously, without min-port or max-port configured, dnsmasq would
+	default to the compiled in defaults for those, which are 1024 and
+	65535. Now, when neither are configured, it defaults instead to
+	the kernel's ephemeral port range, which is typically
+	32768 to 60999 on Linux systems. This change eliminates the
+	possibility that dnsmasq may be using a registered port > 1024
+	when a long-running daemon starts up and wishes to claim it.
+	This change does likely slightly reduce the number of random ports
+	and therefore the protection from reply spoofing. The older
+	behaviour can be restored using the min-port and max-port config
+	switches should that be a concern.
+
+	Scale the size of the DNS random-port pool based on the
+	value of the --dns-forward-max configuration.
+
+	Tweak TFTP code to check sender of all received packets, as
+	specified in RFC 1350 para 4.
+
+	Support some wildcard matching of input tags to --tag-if.
+	Thanks to Geoff Back for the idea and the patch.
+
+	
+version 2.84
+	Fix a problem, introduced in 2.83, which could see DNS replies
+	being sent via the wrong socket. On machines running both
+	IPv4 and IPv6 this could result in sporadic messages of
+	the form "failed to send packet: Network is unreachable" and
+	the lost of the query. Since the error is sporadic and of
+	low probability, the client retry would normally succeed.
+
+	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
+
+
+version 2.83
+	Use the values of --min-port and --max-port in outgoing
+	TCP connections to upstream DNS servers.
+
+	Fix a remote buffer overflow problem in the DNSSEC code. Any
+	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
+	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
+	CVE-2020-25687.
+
+	Be sure to only accept UDP DNS query replies at the address
+	from which the query was originated. This keeps as much entropy
+	in the {query-ID, random-port} tuple as possible, to help defeat
+	cache poisoning attacks. Refer: CVE-2020-25684.
+
+	Use the SHA-256 hash function to verify that DNS answers
+	received are for the questions originally asked. This replaces
+	the slightly insecure SHA-1 (when compiled with DNSSEC) or
+	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
+
+	Handle multiple identical near simultaneous DNS queries better.
+	Previously, such queries would all be forwarded
+	independently. This is, in theory, inefficient but in practise
+	not a problem, _except_ that is means that an answer for any
+	of the forwarded queries will be accepted and cached.
+	An attacker can send a query multiple times, and for each repeat,
+	another {port, ID} becomes capable of accepting the answer he is
+	sending in the blind, to random IDs and ports. The chance of a
+	successful attack is therefore multiplied by the number of repeats
+	of the query. The new behaviour detects repeated queries and
+	merely stores the clients sending repeats so that when the
+	first query completes, the answer can be sent to all the
+	clients who asked. Refer: CVE-2020-25686.
+	
+
+version 2.82
+	Improve behaviour in the face of network interfaces which come
+	and go and change index. Thanks to Petr Mensik for the patch.
+
+	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
+	to a warning.
+
+	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
+
+	Fix crash under heavy TCP connection load introduced in 2.81.
+	Thanks to Frank for good work chasing this down.
+
+	Change default lease time for DHCPv6 to one day.
+
+	Alter calculation of preferred and valid times in router
+	advertisements, so that these do not have a floor applied
+	of the lease time in the dhcp-range if this is not explicitly
+	specified and is merely the default.
+	Thanks to Martin-Éric Racine for suggestions on this.
+
+	
+version 2.81
+	Improve cache behaviour for TCP connections. For ease of
+	implementation, dnsmasq has always forked a new process to handle
+	each incoming TCP connection. A side-effect of this is that
+	any DNS queries answered from TCP connections are not cached:
+	when TCP connections were rare, this was not a problem.
+	With the coming of DNSSEC, it is now the case that some
+	DNSSEC queries have answers which spill to TCP, and if,
+	for instance, this applies to the keys for the root, then
+	those never get cached, and performance is very bad.
+	This fix passes cache entries back from the TCP child process to
+	the main server process, and fixes the problem.
+
+	Remove the NO_FORK compile-time option, and support for uclinux.
+	In an era where everything has an MMU, this looks like
+	an anachronism, and it adds to (Ok, multiplies!) the
+	combinatorial explosion of compile-time options. Thanks to
+	Kevin Darbyshire-Bryant for the patch.
+
+	Fix line-counting when reading /etc/hosts and friends; for
+	correct error messages. Thanks to Christian Rosentreter
+	for reporting this.
+
+	Fix bug in DNS non-terminal code, added in 2.80, which could
+	sometimes cause a NODATA rather than an NXDOMAIN reply.
+	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
+	for spotting and diagnosing the bug and providing patches.
+
+	Support TCP-fastopen (RFC-7413) on both incoming and
+	outgoing TCP connections, if supported and enabled in the OS.
+
+	Improve kernel-capability manipulation code under Linux. Dnsmasq
+	now fails early if a required capability is not available, and
+	tries not to request capabilities not required by its
+	configuration.
+
+	Add --shared-network config. This enables allocation of addresses
+	by the DHCP server in subnets where the server (or relay) does not
+	have an interface on the network in that subnet. Many thanks to
+	kamp.de for sponsoring this feature.
+	
+	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
+	validation check got borked in commit 2b38e382 and release 2.80.
+	Thanks to Tomasz Szajner for spotting this.
+
+	Fix compilation against nettle version 3.5 and later.
+
+	Fix spurious DNSSEC validation failures when the auth section
+	of a reply contains unsigned RRs from a signed zone, 
+	with the exception that NSEC and NSEC3 RRs must always be signed.
+        Thanks to Tore Anderson for spotting and diagnosing the bug.
+
+	Add --dhcp-ignore-clid. This disables reading of DHCP client
+	identifier option (option 61), so clients are only identified by
+	MAC addresses.
+
+	Fix a bug which stopped --dhcp-name-match from working when a hostname
+	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
+
+	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
+	Thanks to Dereck Higgins for spotting this.
+
+	Add --tftp-single-port option.
+
+	Enhance --conf-dir to load files in a deterministic order. Thanks to
+	Evgenii Seliavka for the suggestion and initial patch.
+
+	In the router advert code, handle case where we have two
+	different interfaces on the same IPv6 net, and we are doing
+	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
+	for spotting this case and making the initial patch.
+
+	Support prefixed ranges of ipv6 addresses in dhcp-host.
+	This eases problems chain-netbooting, where each link in the
+	chain requests an address using a different UID. With a single
+	address, only one gets the "static" address, but with this
+	fix, enough addresses can be reserved for all the stages of the
+	boot. Many thanks to Harald Jensås for his work on this idea and
+	earlier patches.
+
+	Add filtering by tag of --dhcp-host directives. Based on a patch
+	by Harald Jensås.
+
+	Allow empty server spec in --rev-server, to match --server.
+	
+	Remove DSA signature verification from DNSSEC, as specified in
+	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
+
+	Add --script-on-renewal option.
+
+	
+version 2.80
+	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+	for the initial patch and motivation.
+
+	Alter the default for dnssec-check-unsigned. Versions of
+	dnsmasq prior to 2.80 defaulted to not checking unsigned
+	replies, and used --dnssec-check-unsigned to switch
+        this on. Such configurations will continue to work as before,
+        but those which used the default of no checking will need to be
+        altered to explicitly select no checking. The new default is
+        because switching off checking for unsigned replies is
+	inherently dangerous. Not only does it open the possiblity of forged
+        replies, but it allows everything to appear to be working even
+        when the upstream namesevers do not support DNSSEC, and in this
+        case no DNSSEC validation at all is occuring.
+
+        Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
+	are set. Thanks to Daniel Miess for help with this.
+
+	Add a facilty to store DNS packets sent/recieved in a
+	pcap-format file for later debugging. The file location
+	is given by the --dumpfile option, and a bitmap controlling
+	which packets should be dumped is given by the --dumpmask
+	option.
+
+	Handle the case of both standard and constructed dhcp-ranges on the
+	same interface better. We don't now contruct a dhcp-range if there's
+	already one specified. This allows the specified interface to
+	have different parameters and avoids advertising the same
+	prefix twice. Thanks to Luis Marsano for spotting this case.
+
+	Allow zone transfer in authoritative mode if auth-peer is specified,
+	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+	the suggestion.
+
+	Fix bug which sometimes caused dnsmasq to wrongly return answers
+	without DNSSEC RRs to queries with the do-bit set, but only when
+	DNSSEC validation was not enabled.
+	Thanks to Petr Menšík for spotting this.
+
+	Fix missing fatal errors with some malformed options
+	(server, local, address, rebind-domain-ok, ipset, alias).
+	Thanks to Eugene Lozovoy for spotting the problem.
+
+	Fix crash on startup with a --synth-domain which has no prefix.
+	Introduced in 2.79. Thanks to Andreas Engel for the bug report.
+
+	Fix missing EDNS0 section in some replies generated by local
+	DNS configuration which confused systemd-resolvd. Thanks to
+	Steve Dodd for characterising the problem.
+
+	Add --dhcp-name-match config option. 
+
+	Add --caa-record config option.
+
+	Implement --address=/example.com/# as (more efficient) syntactic
+	sugar for --address=/example.com/0.0.0.0 and
+	--address=/example.com/::
+	Returning null addresses is a useful technique for ad-blocking.
+	Thanks to Peter Russell for the suggestion.
+	
+	Change anti cache-snooping behaviour with queries with the
+	recursion-desired bit unset. Instead to returning SERVFAIL, we
+	now always forward, and never answer from the cache. This
+	allows "dig +trace" command to work. 
+	
+	Include in the example config file a formulation which
+	stops DHCP clients from claiming the DNS name "wpad".
+	This is a fix for the CERT Vulnerability VU#598349.
+
+	
+version 2.79
+	Fix parsing of CNAME arguments, which are confused by extra spaces.
+	Thanks to Diego Aguirre for spotting the bug.
+
+	Where available, use IP_UNICAST_IF or IPV6_UNICAST_IF to bind
+	upstream servers to an interface, rather than SO_BINDTODEVICE.
+	Thanks to Beniamino Galvani for the patch.
+
+	Always return a SERVFAIL answer to DNS queries without the
+	recursion desired bit set, UNLESS acting as an authoritative
+	DNS server. This avoids a potential route to cache snooping.
+
+	Add support for Ed25519 signatures in DNSSEC validation.
+
+	No longer support RSA/MD5 signatures in DNSSEC validation,
+	since these are not secure. This behaviour is mandated in
+	RFC-6944.
+
+	Fix incorrect error exit code from dhcp_release6 utility.
+	Thanks Gaudenz Steinlin for the bug report.
+
+	Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
+	time validation when --dnssec-no-timecheck is in use.
+	Note that this is an incompatible change from earlier releases.
+
+	Allow more than one --bridge-interface option to refer to an
+	interface, so that we can use
+	--bridge-interface=int1,alias1
+	--bridge-interface=int1,alias2
+	as an alternative to
+	--bridge-interface=int1,alias1,alias2
+	Thanks to Neil Jerram for work on this.
+
+	Fix for DNSSEC with wildcard-derived NSEC records.
+	It's OK for NSEC records to be expanded from wildcards,
+	but in that case, the proof of non-existence is only valid
+	starting at the wildcard name, *.<domain> NOT the name expanded
+	from the wildcard. Without this check it's possible for an
+	attacker to craft an NSEC which wrongly proves non-existence.
+	Thanks to Ralph Dolmans for finding this, and co-ordinating 
+	the vulnerability tracking and fix release.
+	CVE-2017-15107 applies.
+
+	Remove special handling of A-for-A DNS queries. These
+	are no longer a significant problem in the global DNS.
+	http://cs.northwestern.edu/~ychen/Papers/DNS_ToN15.pdf
+	Thanks to Mattias Hellström for the initial patch.
+
+	Fix failure to delete dynamically created dhcp options
+	from files in -dhcp-optsdir directories. Thanks to
+	Lindgren Fredrik for the bug report.
+
+	Add to --synth-domain the ability to create names using
+	sequential numbers, as well as encodings of IP addresses.
+	For instance,
+	--synth-domain=thekelleys.org.uk,192.168.0.50,192.168.0.70,internal-*
+	creates 21 domain names of the form
+	internal-4.thekelleys.org.uk over the address range given, with
+	internal-0.thekelleys.org.uk being 192.168.0.50 and
+	internal-20.thekelleys.org.uk being 192.168.0.70
+	Thanks to Andy Hawkins for the suggestion.
+
+	Tidy up Crypto code, removing workarounds for ancient
+	versions of libnettle. We now require libnettle 3.
+
+
 version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
 	Novakovic for the patch.
@@ -13,6 +803,76 @@ version 2.78
 	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
 	John Fitzgibbon for the diagnosis and patch.

+        Try other servers if first returns REFUSED when
+	--strict-order active. Thanks to Hans Dedecker
+	for the patch
+
+	Fix regression in 2.77, ironically added as a security
+	improvement, which resulted in a crash when a DNS
+	query exceeded 512 bytes (or the EDNS0 packet size,
+	if different.) Thanks to Christian Kujau, Arne Woerner
+	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
+	chasing this one down.  CVE-2017-13704 applies.
+
+	Fix heap overflow in DNS code. This is a potentially serious
+	security hole. It allows an attacker who can make DNS
+	requests to dnsmasq, and who controls the contents of
+	a domain, which is thereby queried, to overflow
+	(by 2 bytes) a heap buffer and either crash, or
+	even take control of, dnsmasq.
+	CVE-2017-14491 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix heap overflow in IPv6 router advertisement code.
+	This is a potentially serious security hole, as a
+	crafted RA request can overflow a buffer and crash or
+	control dnsmasq. Attacker must be on the local network.
+	CVE-2017-14492 applies.
+        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	and Kevin Hamacher of the Google Security Team for
+	finding this.
+
+	Fix stack overflow in DHCPv6 code. An attacker who can send
+	a DHCPv6 request to dnsmasq can overflow the stack frame and
+	crash or control dnsmasq.
+	CVE-2017-14493 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
+	cause dnsmasq to forward memory from outside the packet
+	buffer to a DHCPv6 server when acting as a relay.
+	CVE-2017-14494 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix DoS in DNS. Invalid boundary checks in the
+	add_pseudoheader function allows a memcpy call with negative
+	size An attacker which can send malicious DNS queries
+	to dnsmasq can trigger a DoS remotely.
+	dnsmasq is vulnerable only if one of the following option is
+	specified: --add-mac, --add-cpe-id or --add-subnet.
+	CVE-2017-14496 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+
+	Fix out-of-memory Dos vulnerability. An attacker which can
+	send malicious DNS queries to dnsmasq can trigger memory
+	allocations in the add_pseudoheader function
+	The allocated memory is never freed which leads to a DoS
+	through memory exhaustion. dnsmasq is vulnerable only
+	if one of the following option is specified:
+	--add-mac, --add-cpe-id or --add-subnet.
+	CVE-2017-14495 applies.
+	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
+	Kevin Hamacher and Ron Bowes of the Google Security Team for
+	finding this.
+

 version 2.77
 	Generate an error when configured with a CNAME loop,
@@ -1456,7 +2316,7 @@ version 2.56

 	By default, setting an IPv4 address for a domain but not
 	an IPv6 address causes dnsmasq to return
-	an NODATA reply for IPv6 (or vice-versa). So
+	a NODATA reply for IPv6 (or vice-versa). So
 	--address=/google.com/1.2.3.4 stops IPv6 queries for
 	*google.com from being forwarded. Make it possible to
 	override this behaviour by defining the semantics if the
@@ -1962,13 +2822,13 @@ version 2.47

 	Support arbitrarily encapsulated DHCP options, suggestion
 	and initial patch from Samium Gromoff. This is useful for
-	(eg) gPXE, which expect all its private options to be
+	(eg) iPXE, which expect all its private options to be
 	encapsulated inside a single option 175. So, eg, 

 	dhcp-option = encap:175, 190, "iscsi-client0"
 	dhcp-option = encap:175, 191, "iscsi-client0-secret"

-	will provide iSCSI parameters to gPXE.
+	will provide iSCSI parameters to iPXE.

 	Enhance --dhcp-match to allow testing of the contents of a
 	client-sent option, as well as its presence. This
--- a/CHANGELOG.archive
+++ b/CHANGELOG.archive
@@ -1010,7 +1010,7 @@ release 2.9
 	     but to the address of another interface were ignored
 	     unless the loopback interface was explicitly configured.
 	     2) on OpenBSD failure to configure one interface now
-	     causes a fatal error on startup rather than an huge
+	     causes a fatal error on startup rather than a huge
 	     stream of log messages. Thanks to Erik Jan Tromp for 
 	     finding that bug.

@@ -2067,7 +2067,7 @@ version 2.36
 	    kernel. Thanks to Philip Wall for the bug report.

 	    Added --dhcp-bridge option, but only to the FreeBSD
-	    build. This fixes an oddity with a a particular bridged
+	    build. This fixes an oddity with a particular bridged
 	    network configuration on FreeBSD. Thanks to Luigi Rizzo
 	    for the patch.

@@ -2273,7 +2273,7 @@ version 2.40
 	    this.

 	    Use client-id as hash-seed for DHCP address allocation
-	    with Firewire and InfiniBand, as these don't supply an MAC
+	    with Firewire and InfiniBand, as these don't supply a MAC
 	    address. 

 	    Tweaked TFTP file-open code to make it behave sensibly
@@ -2433,7 +2433,7 @@ version 2.41

 	    Add --dhcp-match flag, to check for arbitrary options in
 	    DHCP messages from clients. This enables use of dnsmasq
-	    with gPXE. Thanks to Rance Hall for the suggestion.
+	    with iPXE. Thanks to Rance Hall for the suggestion.

 	    Added --dhcp-broadcast, to force broadcast replies to DHCP
 	    clients which need them but are too dumb or too old to
--- a/43
+++ b/43
@@ -1,12 +1,12 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991

- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

-			    Preamble
+                            Preamble

  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.

  When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.

 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.

-			    NO WARRANTY
+                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,9 +277,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.

-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -291,7 +291,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.

    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
+    Copyright (C) <year>  <name of author>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -303,17 +303,16 @@ the "copyright" line and a pointer to where the full notice is found.
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 Also add information on how to contact you by electronic and paper mail.

 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:

-    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
@@ -336,5 +335,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.
--- a/8
+++ b/8
@@ -9,7 +9,7 @@ A: The high ports that dnsmasq opens are for replies from the upstream
   from port 53 the replies would be _to_ port 53 and get blocked.

   This is not a security hole since dnsmasq will only accept replies to that
-   port: queries are  dropped. The replies must be to oustanding queries
+   port: queries are dropped. The replies must be to outstanding queries
   which dnsmasq has forwarded, otherwise they are dropped too.
 
   Addendum: dnsmasq now has the option "query-port" (-Q), which allows
@@ -236,7 +236,7 @@ Q: What network types are supported by the DHCP server?
 A: Ethernet (and 802.11 wireless) are supported on all platforms. On
   Linux all network types (including FireWire) are supported.

-Q: What are these strange "bind-interface" and "bind-dynamic" options?
+Q: What are these strange "bind-interfaces" and "bind-dynamic" options?

 A: Dnsmasq from v2.63 can operate in one of three different "networking
   modes". This is unfortunate as it requires users configuring dnsmasq
@@ -297,7 +297,7 @@ A: Dnsmasq from v2.63 can operate in one of three different "networking
   by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic
   mode, such interfaces are handled normally.

-   A --interface specification for a non-existent interface is a fatal
+   An --interface specification for a non-existent interface is a fatal
   error at start-up when in --bind-interfaces mode, by just generates a
   warning in wildcard or bind-dynamic mode.

@@ -320,7 +320,7 @@ A: Yes, new releases of dnsmasq are always announced through

 Q: What does the dhcp-authoritative option do? 

-A: The DHCP spec says that when a DHCP server recieves a renewal request
+A: The DHCP spec says that when a DHCP server receives a renewal request
   from a client it has no knowledge of, it should just ignore it.
   This is because it's supported to have more than one DHCP server
   on a network, and another DHCP server may be dealing with the client.
--- a/34
+++ b/34
@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -29,6 +29,7 @@ LDFLAGS       =
 COPTS         = 
 RPM_OPT_FLAGS = 
 LIBS          = 
+LUA           = lua

 #################################################################

@@ -53,19 +54,22 @@ top?=$(CURDIR)

 dbus_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
 dbus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
 idn_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` 
 idn_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` 
 idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
 idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
 ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
-lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
-lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` 
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed'`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed'`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
-version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+nft_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` 
+nft_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables`
+version =       -DVERSION='\"`$(top)/bld/get-version $(top)`\"'

 sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
 sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
@@ -74,18 +78,19 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
       helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
-       poll.o rrfilter.o edns0.o arp.o
+       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+       metrics.o domain-match.o nftset.o

 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
-       dns-protocol.h radv-protocol.h ip6addr.h
+       dns-protocol.h radv-protocol.h ip6addr.h metrics.h

 all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
 top="$(top)" \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \
 -f $(top)/Makefile dnsmasq 

 mostly_clean :
@@ -100,7 +105,8 @@ clean : mostly_clean
 install : all install-common

 install-common :
-	$(INSTALL) -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
 	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)

@@ -108,8 +114,8 @@ all-i18n : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
 top="$(top)" \
 i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)"  \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)"  \
 -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
--- a/bld/Android.mk
+++ b/bld/Android.mk
@@ -10,13 +10,15 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
-		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c
+		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
+		    crypto.c dump.c ubus.c metrics.c \
+                    domain-match.c nftset.c

 LOCAL_MODULE := dnsmasq

 LOCAL_C_INCLUDES := external/dnsmasq/src

-LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT
+LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_TFTP -DNO_SCRIPT
 LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils

 LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog
--- a/bld/get-version
+++ b/bld/get-version
@@ -9,7 +9,10 @@
 # If we can find one which matches $v[0-9].* then we assume it's
 # a version-number tag, else we just use the whole string.
 # If there is more than one v[0-9].* tag, sort them and use the
-# first. This favours, eg v2.63 over 2.63rc6.
+# first. The insane arguments to the sort command are to ensure
+# that, eg v2.64 comes before v2.63, but v2.63 comes before v2.63rc1
+# and v2.63rc1 comes before v2.63test1
+

 # Change directory to the toplevel source directory.
 if test -z "$1" || ! test -d "$1" || ! cd "$1"; then
@@ -28,7 +31,7 @@ else
     vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]`

     if [ $? -eq 0 ]; then
-         echo "${vers}" | sort -r | head -n 1 | sed 's/^v//'
+         echo "${vers}" | sort -k1.2,1.5Vr -k1.6,1.6 -k1.8,1.9Vr -k1.10,1.11Vr | head -n 1 | sed 's/^v//'
     else
         cat $1/VERSION
     fi
--- a/bld/pkg-wrapper
+++ b/bld/pkg-wrapper
@@ -1,33 +1,37 @@
 #!/bin/sh

-search=$1
-shift
-pkg=$1
-shift
-op=$1
-shift
-
 in=`cat`

-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
-    echo $in | grep $search >/dev/null 2>&1; then
-# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
+search()
+{
+    grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
+    echo $in | grep $1 >/dev/null 2>&1
+}
+
+while [ "$#" -gt 0 ]; do
+    search=$1
+    pkg=$2
+    op=$3
+    lib=$4
+    shift 4
+if search "$search"; then
+
+# Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
    if [ $op = "--copy" ]; then
-	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
-            echo $in | grep $pkg >/dev/null 2>&1; then
+	if [ -z "$pkg" ]; then
+	    pkg="$lib"
+	elif search "$pkg"; then
 	    pkg=""
 	else 
-	    pkg="$*"
+	    pkg="$lib"
 	fi
-    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
-	pkg=`$pkg  --static $op $*`
+    elif search "${search}_STATIC"; then
+	pkg=`$pkg  --static $op $lib`
    else
-	pkg=`$pkg $op $*`
+	pkg=`$pkg $op $lib`
    fi
-
-    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+    
+    if search "${search}_STATIC"; then
 	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
 	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
 	else
@@ -38,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
    fi
 fi

+done
--- a/contrib/Suse/README
+++ b/contrib/Suse/README
@@ -1,6 +0,0 @@
-This packaging is now unmaintained in the dnsmasq source: dnsmasq is
-included in Suse proper, and up-to-date packages are now available
-from 
-
-ftp://ftp.suse.com/pub/people/ug/
-
--- a/contrib/Suse/README.susefirewall
+++ b/contrib/Suse/README.susefirewall
@@ -1,27 +0,0 @@
-This is a patch against SuSEfirewall2-3.1-206 (SuSE 9.x and older)
-It fixes the dependency from the dns daemon name 'named'
-After appending the patch, the SuSEfirewall is again able to autodetect 
-the dnsmasq named service.
-This is a very old bug in the SuSEfirewall script.
-The SuSE people think the name of the dns server will always 'named'
-
-
--- /sbin/SuSEfirewall2.orig	2004-01-23 13:30:09.000000000 +0100
-+++ /sbin/SuSEfirewall2	2004-01-23 13:31:56.000000000 +0100
-@@ -764,7 +764,7 @@
-     echo 'FW_ALLOW_INCOMING_HIGHPORTS_UDP should be set to yes, if you are running a DNS server!'
- 
- test "$FW_SERVICE_AUTODETECT" = yes -o "$FW_SERVICE_AUTODETECT" = dmz -o "$FW_SERVICE_AUTODETECT" = ext && {
-    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv named && {
-+    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv dnsmasq && {
- 	echo -e 'Warning: detected activated named, enabling FW_SERVICE_DNS!
- You still have to allow tcp/udp port 53 on internal, dmz and/or external.'
- 	FW_SERVICE_DNS=$FW_SERVICE_AUTODETECT
-@@ -878,7 +878,7 @@
- test -e /etc/resolv.conf || echo "Warning: /etc/resolv.conf not found"
- # Get ports/IP bindings of NAMED/SQUID
- test "$FW_SERVICE_DNS" = yes -o "$FW_SERVICE_DNS" = dmz -o "$FW_SERVICE_DNS" = ext -o "$START_NAMED" = yes && DNS_PORT=`$LSOF -i -n -P | \
-    $AWK -F: '/^named .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
-+    $AWK -F: '/^dnsmasq .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
- test "$FW_SERVICE_SQUID" = yes -o "$FW_SERVICE_SQUID" = dmz -o "$FW_SERVICE_SQUID" = ext -o "$START_SQUID" = yes && SQUID_PORT=`$LSOF -i -n -P | \
-     $AWK -F: '/^squid .* UDP/ {print $2}'| $SORT -un`
--- a/contrib/Suse/dnsmasq-SuSE.patch
+++ b/contrib/Suse/dnsmasq-SuSE.patch
@@ -1,23 +0,0 @@
--- man/dnsmasq.8	2004-08-08 20:57:56.000000000 +0200
-+++ man/dnsmasq.8	2004-08-12 00:40:01.000000000 +0200
-@@ -69,7 +69,7 @@
- .TP
- .B \-g, --group=<groupname> 
- Specify the group which dnsmasq will run
-as. The defaults to "dip", if available, to facilitate access to
-+as. The defaults to "dialout", if available, to facilitate access to
- /etc/ppp/resolv.conf which is not normally world readable.
- .TP
- .B \-v, --version
--- src/config.h	2004-08-11 11:39:18.000000000 +0200
-+++ src/config.h	2004-08-12 00:40:01.000000000 +0200
-@@ -44,7 +44,7 @@
- #endif
- #define DEFLEASE 3600 /* default lease time, 1 hour */
- #define CHUSER "nobody"
-#define CHGRP "dip"
-+#define CHGRP "dialout"
- #define DHCP_SERVER_PORT 67
- #define DHCP_CLIENT_PORT 68
- 
-
--- a/contrib/Suse/dnsmasq-suse.spec
+++ b/contrib/Suse/dnsmasq-suse.spec
@@ -1,111 +0,0 @@
-###############################################################################
-#
-# General
-#
-###############################################################################
-
-Name: dnsmasq
-Version: 2.33
-Release: 1
-Copyright: GPL
-Group: Productivity/Networking/DNS/Servers
-Vendor: Simon Kelley
-Packager: Simon Kelley
-URL: http://www.thekelleys.org.uk/dnsmasq
-Provides: dns_daemon
-Conflicts: bind bind8 bind9
-PreReq: %fillup_prereq %insserv_prereq
-Autoreqprov: on
-Source0: %{name}-%{version}.tar.bz2
-BuildRoot: /var/tmp/%{name}-%{version}
-Summary: A lightweight caching nameserver
-
-%description
-Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It 
-is designed to provide DNS and, optionally, DHCP, to a small network. It can
-serve the names of local machines which are not in the global DNS. The DHCP 
-server integrates with the DNS server and allows machines with DHCP-allocated
-addresses to appear in the DNS with names configured either in each host or 
-in a central configuration file. Dnsmasq supports static and dynamic DHCP 
-leases and BOOTP for network booting of diskless machines.
-
-
-
-###############################################################################
-#
-# Build
-#
-###############################################################################
-
-%prep
-%setup -q
-patch -p0 <rpm/%{name}-SuSE.patch
-
-%build
-%{?suse_update_config:%{suse_update_config -f}}
-make all-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-
-###############################################################################
-#
-# Install
-#
-###############################################################################
-
-%install
-rm -rf $RPM_BUILD_ROOT
-mkdir -p ${RPM_BUILD_ROOT}/etc/init.d
-make install-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-install -o root -g root -m 755 rpm/rc.dnsmasq-suse $RPM_BUILD_ROOT/etc/init.d/dnsmasq
-install -o root -g root -m 644 dnsmasq.conf.example $RPM_BUILD_ROOT/etc/dnsmasq.conf
-strip $RPM_BUILD_ROOT/usr/sbin/dnsmasq
-ln -sf ../../etc/init.d/dnsmasq $RPM_BUILD_ROOT/usr/sbin/rcdnsmasq
-
-###############################################################################
-#
-# Clean up
-#
-###############################################################################
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-###############################################################################
-#
-# Post-install scriptlet
-#
-###############################################################################
-
-%post
-%{fillup_and_insserv dnsmasq}
-
-###############################################################################
-#
-# Post-uninstall scriptlet
-#
-# The %postun script executes after the package has been removed. It is the
-# last chance for a package to clean up after itself.
-#
-###############################################################################
-
-%postun
-%{insserv_cleanup}
-
-###############################################################################
-#
-# File list
-#
-###############################################################################
-
-%files
-%defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html UPGRADING_to_2.0 rpm/README.susefirewall
-%doc contrib
-%config /etc/init.d/dnsmasq
-%config /etc/dnsmasq.conf
-/usr/sbin/rcdnsmasq
-/usr/sbin/dnsmasq
-/usr/share/locale/*/LC_MESSAGES/*
-%doc %{_mandir}/man8/dnsmasq.8.gz
-%doc %{_mandir}/*/man8/dnsmasq.8.gz
-
-
--- a/contrib/Suse/rc.dnsmasq-suse
+++ b/contrib/Suse/rc.dnsmasq-suse
@@ -1,79 +0,0 @@
-#! /bin/sh
-#
-# init.d/dnsmasq
-#
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:
-# Default-Start:  3 5
-# Default-Stop:
-# Description:    Starts internet name service masq caching server (DNS)
-### END INIT INFO
-
-NAMED_BIN=/usr/sbin/dnsmasq
-NAMED_PID=/var/run/dnsmasq.pid
-NAMED_CONF=/etc/dnsmasq.conf
-
-if [ ! -x $NAMED_BIN ] ; then
-	echo -n "dnsmasq not installed ! "
-	exit 5
-fi
-
-. /etc/rc.status
-rc_reset
-
-case "$1" in
-    start)
-	echo -n "Starting name service masq caching server "
-        checkproc -p $NAMED_PID $NAMED_BIN
-        if [ $? -eq 0 ] ; then
-           echo -n "- Warning: dnsmasq already running ! "
-        else
-           [ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists ! "
-	fi
-	startproc -p $NAMED_PID $NAMED_BIN -u nobody
-	rc_status -v
-	;;
-    stop)
-	echo -n "Shutting name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -TERM $NAMED_BIN
-	rc_status -v
-	;;
-    try-restart)
-	$0 stop  &&  $0 start
-	rc_status
-	;;
-    restart)
-	$0 stop
-	$0 start
-	rc_status
-	;;
-    force-reload)
-	$0 reload
-	rc_status
-	;;
-    reload)
-	echo -n "Reloading name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -HUP $NAMED_BIN
-	rc_status -v
-	;;
-    status)
-	echo -n "Checking for name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	rc_status -v
-	;;
-    probe)
-	test $NAMED_CONF -nt $NAMED_PID && echo reload
-	;;
-    *)
-	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-	exit 1
-	;;
-esac
-rc_exit
-
--- a/contrib/lease-tools/dhcp_lease_time.c
+++ b/contrib/lease-tools/dhcp_lease_time.c
@@ -83,7 +83,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
          if (p >= end - 2)
            return NULL; /* malformed packet */
          opt_len = option_len(p);
-          if (p >= end - (2 + opt_len))
+          if (end - p < (2 + opt_len))
            return NULL; /* malformed packet */
          if (*p == opt && opt_len >= minsize)
            return p;
@@ -153,7 +153,11 @@ int main(int argc, char **argv)
      exit(1);
    }
 
-  lease.s_addr = inet_addr(argv[1]);
+  if (inet_pton(AF_INET, argv[1], &lease) < 1)
+    {
+      fprintf(stderr, "invalid address: %s\n", argv[1]);
+      exit(1);
+    }
   
  memset(&packet, 0, sizeof(packet));
 
@@ -176,8 +180,8 @@ int main(int argc, char **argv)
  
  *(p++) = OPTION_END;
 
-  dest.sin_family = AF_INET; 
-  dest.sin_addr.s_addr = inet_addr("127.0.0.1");
+  dest.sin_family = AF_INET;
+  (void)inet_pton(AF_INET, "127.0.0.1", &dest.sin_addr);
  dest.sin_port = ntohs(DHCP_SERVER_PORT);
  
  if (sendto(fd, &packet, sizeof(packet), 0, 
@@ -206,13 +210,13 @@ int main(int argc, char **argv)
 	{
 	  unsigned int x;
 	  if ((x = t/86400))
-	    printf("%dd", x);
+	    printf("%ud", x);
 	  if ((x = (t/3600)%24))
-	    printf("%dh", x);
+	    printf("%uh", x);
 	  if ((x = (t/60)%60))
-	    printf("%dm", x);
+	    printf("%um", x);
 	  if ((x = t%60))
-	    printf("%ds", x);
+	    printf("%us", x);
 	}
      return 0;
    }
--- a/contrib/lease-tools/dhcp_release.c
+++ b/contrib/lease-tools/dhcp_release.c
@@ -178,7 +178,7 @@ static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
  return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
 }

-static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index)
+static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index, int ifrfd, struct ifreq *ifr)
 {
  struct sockaddr_nl addr;
  struct nlmsghdr *h;
@@ -218,7 +218,17 @@ static struct in_addr find_interface(struct in_addr client, int fd, unsigned int

      for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
 	if (h->nlmsg_type == NLMSG_DONE)
-	  exit(0);
+          {
+	    /* No match found, return first address as src/dhcp.c code does */
+	    ifr->ifr_addr.sa_family = AF_INET;
+	    if (ioctl(ifrfd, SIOCGIFADDR, ifr) != -1)
+	      return ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
+	    else
+	      {
+		fprintf(stderr, "error: local IPv4 address not found\n");
+		exit(1);
+	      }
+          }
 	else if (h->nlmsg_type == RTM_NEWADDR)
          {
            struct ifaddrmsg *ifa = NLMSG_DATA(h);  
@@ -270,21 +280,22 @@ int main(int argc, char **argv)
  
  /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
     a DHCP server */
-  strcpy(ifr.ifr_name, argv[1]);
+  memset(&ifr, 0, sizeof(ifr));
+  strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name)-1);
+  ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
    {
      perror("cannot setup interface");
      exit(1);
    }
  
-  if (inet_addr(argv[2]) == INADDR_NONE)
+  if (inet_pton(AF_INET, argv[2], &lease.s_addr) < 1)
    {
      perror("invalid ip address");
      exit(1);
    }
  
-  lease.s_addr = inet_addr(argv[2]);
-  server = find_interface(lease, nl, if_nametoindex(argv[1]));
+  server = find_interface(lease, nl, if_nametoindex(argv[1]), fd, &ifr);
  
  memset(&packet, 0, sizeof(packet));
 
--- a/contrib/lease-tools/dhcp_release6.c
+++ b/contrib/lease-tools/dhcp_release6.c
@@ -46,7 +46,8 @@ typedef unsigned char u8;
 typedef unsigned short u16;
 typedef unsigned int u32;

-enum DHCP6_TYPES{
+enum DHCP6_TYPES
+  {
    SOLICIT = 1,
    ADVERTISE = 2,
    REQUEST = 3,
@@ -61,8 +62,10 @@ enum DHCP6_TYPES{
    RELAY_FORW = 12,
    RELAY_REPL = 13
    
-};
-enum DHCP6_OPTIONS{
+  };
+
+enum DHCP6_OPTIONS
+  {
    CLIENTID = 1,
    SERVERID = 2,
    IA_NA = 3,
@@ -82,25 +85,27 @@ enum DHCP6_OPTIONS{
    INTERFACE_ID = 18,
    RECONF_MSG = 19,
    RECONF_ACCEPT = 20,
-};
+  };

-enum DHCP6_STATUSES{
+enum DHCP6_STATUSES
+  {
    SUCCESS = 0,
    UNSPEC_FAIL = 1,
    NOADDR_AVAIL=2,
    NO_BINDING  = 3,
    NOT_ON_LINK = 4,
    USE_MULTICAST =5
-};
+  };
+
 static struct option longopts[] = {
-    {"ip", required_argument, 0, 'a'},
-    {"server-id", required_argument, 0, 's'},
-    {"client-id", required_argument, 0, 'c'},
-    {"iface", required_argument, 0, 'n'},
-    {"iaid", required_argument, 0, 'i'},
-    {"dry-run", no_argument, 0, 'd'},
-    {"help", no_argument, 0, 'h'},
-    {0,     0,           0,   0}
+  {"ip", required_argument, 0, 'a' },
+  {"server-id", required_argument, 0, 's' },
+  {"client-id", required_argument, 0, 'c' },
+  {"iface", required_argument, 0, 'n' },
+  {"iaid", required_argument, 0, 'i' },
+  {"dry-run", no_argument, 0, 'd' },
+  {"help", no_argument, 0, 'h' },
+  {0,     0,           0,   0 }
 };

 const short DHCP6_CLIENT_PORT = 546;
@@ -108,338 +113,396 @@ const short DHCP6_SERVER_PORT = 547;

 const char*  DHCP6_MULTICAST_ADDRESS = "ff02::1:2";

-struct dhcp6_option{
-    uint16_t type;
-    uint16_t len;
-    char  value[1024];
+struct dhcp6_option {
+  uint16_t type;
+  uint16_t len;
+  char  value[1024];
 };

-struct dhcp6_iaaddr_option{
-    uint16_t type;
-    uint16_t len;
-    struct in6_addr ip;
-    uint32_t preferred_lifetime;
-    uint32_t valid_lifetime;
-    
-    
+struct dhcp6_iaaddr_option {
+  uint16_t type;
+  uint16_t len;
+  struct in6_addr ip;
+  uint32_t preferred_lifetime;
+  uint32_t valid_lifetime;
 };

-struct dhcp6_iana_option{
-    uint16_t type;
-    uint16_t len;
-    uint32_t iaid;
-    uint32_t t1;
-    uint32_t t2;
-    char options[1024];
+struct dhcp6_iana_option {
+  uint16_t type;
+  uint16_t len;
+  uint32_t iaid;
+  uint32_t t1;
+  uint32_t t2;
+  char options[1024];
 };


-struct dhcp6_packet{
-    size_t len;
-    char buf[2048];
-    
-} ;
+struct dhcp6_packet {
+  size_t len;
+  char buf[2048];  
+};

-size_t pack_duid(const char* str, char* dst){
-    
-    char* tmp = strdup(str);
-    char* tmp_to_free = tmp;
-    char *ptr;
-    uint8_t write_pos = 0;
-    while ((ptr = strtok (tmp, ":"))) {
-        dst[write_pos] = (uint8_t) strtol(ptr, NULL, 16);
-        write_pos += 1;
-        tmp = NULL;
-        
+size_t pack_duid(const char* str, char* dst)
+{
+  char* tmp = strdup(str);
+  char* tmp_to_free = tmp;
+  char *ptr;
+  uint8_t write_pos = 0;
+  while ((ptr = strtok (tmp, ":")))
+    {
+      dst[write_pos] = (uint8_t) strtol(ptr, NULL, 16);
+      write_pos += 1;
+      tmp = NULL;
    }
-    free(tmp_to_free);
-    return write_pos;
+  
+  free(tmp_to_free);
+  return write_pos;
 }

-struct dhcp6_option create_client_id_option(const char* duid){
-    struct dhcp6_option option;
-    option.type = htons(CLIENTID);
-    bzero(option.value, sizeof(option.value));
-    option.len  = htons(pack_duid(duid, option.value));
-    return option;
+struct dhcp6_option create_client_id_option(const char* duid)
+{
+  struct dhcp6_option option;
+  option.type = htons(CLIENTID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
 }

-struct dhcp6_option create_server_id_option(const char* duid){
-    struct dhcp6_option   option;
-    option.type = htons(SERVERID);
-    bzero(option.value, sizeof(option.value));
-    option.len  = htons(pack_duid(duid, option.value));
-    return option;
+struct dhcp6_option create_server_id_option(const char* duid)
+{
+  struct dhcp6_option   option;
+  option.type = htons(SERVERID);
+  bzero(option.value, sizeof(option.value));
+  option.len  = htons(pack_duid(duid, option.value));
+  return option;
 }

-struct dhcp6_iaaddr_option create_iaadr_option(const char* ip){
-    struct dhcp6_iaaddr_option result;
-    result.type =htons(IAADDR);
-    /* no suboptions needed here, so length is 24  */
-    result.len = htons(24);
-    result.preferred_lifetime = 0;
-    result.valid_lifetime = 0;
-    int s = inet_pton(AF_INET6, ip, &(result.ip));
-    if (s <= 0) {
-        if (s == 0)
-            fprintf(stderr, "Not in presentation format");
-        else
-            perror("inet_pton");
-        exit(EXIT_FAILURE);
-    }
-    return result;
-}
-struct dhcp6_iana_option  create_iana_option(const char * iaid, struct dhcp6_iaaddr_option  ia_addr){
-    struct dhcp6_iana_option  result;
-    result.type = htons(IA_NA);
-    result.iaid = htonl(atoi(iaid));
-    result.t1 = 0;
-    result.t2 = 0;
-    result.len = htons(12 + ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
-    memcpy(result.options, &ia_addr, ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
-    return result;
+struct dhcp6_iaaddr_option create_iaadr_option(const char* ip)
+{
+  struct dhcp6_iaaddr_option result;
+  result.type =htons(IAADDR);
+  /* no suboptions needed here, so length is 24  */
+  result.len = htons(24);
+  result.preferred_lifetime = 0;
+  result.valid_lifetime = 0;
+  int s = inet_pton(AF_INET6, ip, &(result.ip));
+  if (s <= 0) {
+    if (s == 0)
+      fprintf(stderr, "Not in presentation format");
+    else
+      perror("inet_pton");
+    exit(EXIT_FAILURE);
+  }
+
+  return result;
 }

-struct dhcp6_packet create_release_packet(const char* iaid, const char* ip, const char* client_id, const char* server_id){
-    struct dhcp6_packet result;
-    bzero(result.buf, sizeof(result.buf));
-    /* message_type */
-    result.buf[0] = RELEASE;
-    /* tx_id */
-    bzero(result.buf+1, 3);
-    
-    struct dhcp6_option client_option = create_client_id_option(client_id);
-    struct dhcp6_option server_option = create_server_id_option(server_id);
-    struct dhcp6_iaaddr_option iaaddr_option = create_iaadr_option(ip);
-    struct dhcp6_iana_option iana_option = create_iana_option(iaid, iaaddr_option);
-    int offset = 4;
-    memcpy(result.buf + offset, &client_option, ntohs(client_option.len) + 2*sizeof(uint16_t));
-    offset += (ntohs(client_option.len)+ 2 *sizeof(uint16_t) );
-    memcpy(result.buf + offset, &server_option, ntohs(server_option.len) + 2*sizeof(uint16_t) );
-    offset += (ntohs(server_option.len)+ 2* sizeof(uint16_t));
-    memcpy(result.buf + offset, &iana_option, ntohs(iana_option.len) + 2*sizeof(uint16_t) );
-    offset += (ntohs(iana_option.len)+ 2* sizeof(uint16_t));
-    result.len = offset;
-    return result;
+struct dhcp6_iana_option  create_iana_option(const char * iaid, struct dhcp6_iaaddr_option  ia_addr)
+{
+  struct dhcp6_iana_option  result;
+  result.type = htons(IA_NA);
+  result.iaid = htonl(atoi(iaid));
+  result.t1 = 0;
+  result.t2 = 0;
+  result.len = htons(12 + ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  memcpy(result.options, &ia_addr, ntohs(ia_addr.len) + 2 * sizeof(uint16_t));
+  return result;
 }

-uint16_t parse_iana_suboption(char* buf, size_t len){
-    size_t current_pos = 0;
-    char option_value[1024];
-    while (current_pos < len) {
-        uint16_t option_type, option_len;
-        memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
-        memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
-        option_type = ntohs(option_type);
-        option_len = ntohs(option_len);
-        current_pos += 2 * sizeof(uint16_t);
-        if (option_type == STATUS_CODE){
-            uint16_t status;
-            memcpy(&status, buf + current_pos, sizeof(uint16_t));
-            status = ntohs(status);
-            if (status != SUCCESS){
-                memcpy(option_value, buf + current_pos + sizeof(uint16_t) , option_len - sizeof(uint16_t));
-                option_value[option_len-sizeof(uint16_t)] ='\0';
-                fprintf(stderr, "Error: %s\n", option_value);
+struct dhcp6_packet create_release_packet(const char* iaid, const char* ip, const char* client_id, const char* server_id)
+{
+  struct dhcp6_packet result;
+  bzero(result.buf, sizeof(result.buf));
+  /* message_type */
+  result.buf[0] = RELEASE;
+  /* tx_id */
+  bzero(result.buf+1, 3);
+  
+  struct dhcp6_option client_option = create_client_id_option(client_id);
+  struct dhcp6_option server_option = create_server_id_option(server_id);
+  struct dhcp6_iaaddr_option iaaddr_option = create_iaadr_option(ip);
+  struct dhcp6_iana_option iana_option = create_iana_option(iaid, iaaddr_option);
+  int offset = 4;
+  memcpy(result.buf + offset, &client_option, ntohs(client_option.len) + 2*sizeof(uint16_t));
+  offset += (ntohs(client_option.len)+ 2 *sizeof(uint16_t) );
+  memcpy(result.buf + offset, &server_option, ntohs(server_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(server_option.len)+ 2* sizeof(uint16_t));
+  memcpy(result.buf + offset, &iana_option, ntohs(iana_option.len) + 2*sizeof(uint16_t) );
+  offset += (ntohs(iana_option.len)+ 2* sizeof(uint16_t));
+  result.len = offset;
+  return result;
+}
+
+uint16_t parse_iana_suboption(char* buf, size_t len)
+{
+  size_t current_pos = 0;
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos + sizeof(uint16_t) , option_len - sizeof(uint16_t));
+	      option_value[option_len-sizeof(uint16_t)] ='\0';
+	      fprintf(stderr, "Error: %s\n", option_value);
            }
-            return status;
+	  return status;
        }
    }
-    return -2;
+
+  return -2;
 }

-int16_t parse_packet(char* buf, size_t len){
-    uint8_t type  = buf[0];
-    /*skipping tx id. you need it, uncomment following line
-        uint16_t tx_id = ntohs((buf[1] <<16) + (buf[2] <<8) + buf[3]);
-     */
-    size_t current_pos = 4;
-    if (type != REPLY ){
-        return NOT_REPLY_CODE;
-    }
-    char option_value[1024];
-    while (current_pos < len) {
-        uint16_t option_type, option_len;
-        memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
-        memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
-        option_type = ntohs(option_type);
-        option_len = ntohs(option_len);
-        current_pos += 2 * sizeof(uint16_t);
-        if (option_type == STATUS_CODE){
-            uint16_t status;
-            memcpy(&status, buf + current_pos, sizeof(uint16_t));
-            status = ntohs(status);
-            if (status != SUCCESS){
-                memcpy(option_value, buf + current_pos +sizeof(uint16_t) , option_len -sizeof(uint16_t));
-                fprintf(stderr, "Error: %d %s\n", status, option_value);
-                return status;
-            }
-            
+int16_t parse_packet(char* buf, size_t len)
+{
+  int16_t ret = -1;
+  uint8_t type = buf[0];
+  /*skipping tx id. you need it, uncomment following line
+    uint16_t tx_id = ntohs((buf[1] <<16) + (buf[2] <<8) + buf[3]);
+  */
+  size_t current_pos = 4;
+  if (type != REPLY )
+    return NOT_REPLY_CODE;
+  
+  char option_value[1024];
+  while (current_pos < len)
+    {
+      uint16_t option_type, option_len;
+      memcpy(&option_type,buf + current_pos, sizeof(uint16_t));
+      memcpy(&option_len,buf + current_pos + sizeof(uint16_t), sizeof(uint16_t));
+      option_type = ntohs(option_type);
+      option_len = ntohs(option_len);
+      current_pos += 2 * sizeof(uint16_t);
+      if (option_type == STATUS_CODE)
+	{
+	  uint16_t status;
+	  memcpy(&status, buf + current_pos, sizeof(uint16_t));
+	  status = ntohs(status);
+	  if (status != SUCCESS)
+	    {
+	      memcpy(option_value, buf + current_pos +sizeof(uint16_t) , option_len -sizeof(uint16_t));
+	      fprintf(stderr, "Error: %d %s\n", status, option_value);
+	      return status;
+	    }
+
+	  /* Got success status, return that if there's no specific error in an IA_NA. */
+	  ret = SUCCESS;   
        }
-        if (option_type == IA_NA ){
-            uint16_t result = parse_iana_suboption(buf + current_pos +24, option_len -24);
-            if (result){
-                return result;
-            }
-        }
-        current_pos += option_len;

+      if (option_type == IA_NA )
+	{
+	  uint16_t result = parse_iana_suboption(buf + current_pos +24, option_len -24);
+	  if (result)
+	    return result;
+	}
+      
+      current_pos += option_len;
    }
-    return -1;
+
+  return ret;
 }

-void usage(const char* arg, FILE* stream){
-    const char* usage_string ="--ip IPv6 --iface IFACE --server-id SERVER_ID --client-id CLIENT_ID --iaid IAID [--dry-run] | --help";
-    fprintf (stream, "Usage: %s %s\n", arg, usage_string);
-    
+void usage(const char* arg, FILE* stream)
+{
+  const char* usage_string ="--ip IPv6 --iface IFACE --server-id SERVER_ID --client-id CLIENT_ID --iaid IAID [--dry-run] | --help";
+  fprintf (stream, "Usage: %s %s\n", arg, usage_string);   
 }

-int send_release_packet(const char* iface, struct dhcp6_packet* packet){
-    
-    struct sockaddr_in6 server_addr, client_addr;
-    char response[1400];
-    int sock = socket(PF_INET6, SOCK_DGRAM, 0);
-    int i = 0;
-    if (sock < 0) {
-        perror("creating socket");
-        return -1;
+static void fail_fatal(const char *errstr, int exitcode)
+{
+  perror(errstr);
+  exit(exitcode);
+}
+
+int send_release_packet(const char* iface, struct dhcp6_packet* packet)
+{
+  struct sockaddr_in6 server_addr, client_addr;
+  char response[1400];
+  int sock = socket(PF_INET6, SOCK_DGRAM, 0);
+  int i = 0;
+  if (sock < 0)
+    {
+      perror("creating socket");
+      return -1;
    }
-    if (setsockopt(sock, SOL_SOCKET, 25, iface, strlen(iface)) == -1)  {
+  
+    if (setsockopt(sock, SOL_SOCKET, 25, iface, strlen(iface)) == -1)
+      {
        perror("SO_BINDTODEVICE");
        close(sock);
        return -1;
-    }
+      }
+    
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin6_family = AF_INET6;
    client_addr.sin6_family = AF_INET6;
    client_addr.sin6_port = htons(DHCP6_CLIENT_PORT);
    client_addr.sin6_flowinfo = 0;
    client_addr.sin6_scope_id =0;
-    inet_pton(AF_INET6, "::", &client_addr.sin6_addr);
-    bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6));
-    inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr);
+    if (inet_pton(AF_INET6, "::", &client_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
+    if (bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6)) != 0)
+      perror("bind"); /* continue on bind error */
+    if (inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
    server_addr.sin6_port = htons(DHCP6_SERVER_PORT);
-    int16_t recv_size = 0;
-    for (i = 0; i < 5; i++) {
-        if (sendto(sock, packet->buf, packet->len, 0,
-               (struct sockaddr *)&server_addr,
-               sizeof(server_addr)) < 0) {
-            perror("sendto failed");
-            exit(4);
-        }
+    ssize_t recv_size = 0;
+    int result;
+    for (i = 0; i < 5; i++)
+      {
+        if (sendto(sock, packet->buf, packet->len, 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
+	  fail_fatal("sendto failed", 4);
+	
        recv_size = recvfrom(sock, response, sizeof(response), MSG_DONTWAIT, NULL, 0);
-        if (recv_size == -1){
-            if (errno == EAGAIN){
-                sleep(1);
-                continue;
-            }else {
+        if (recv_size == -1)
+	  {
+            if (errno == EAGAIN)
+	      {
+		sleep(1);
+		continue;
+	      }
+	    else
+	      {
                perror("recvfrom");
-            }
-        }
-        int16_t result = parse_packet(response, recv_size);
-        if (result == NOT_REPLY_CODE){
-            sleep(1);
-            continue;
-        }
+		result = UNSPEC_FAIL;
+	      }
+	  }
+	else
+	  {
+	    result = parse_packet(response, recv_size);
+	    if (result == NOT_REPLY_CODE)
+	      {
+		sleep(1);
+		continue;
+	      }
+	  }
+        close(sock);
        return result;
-    }
+      }
+
+    close(sock);
    fprintf(stderr, "Response timed out\n");
-    return -1;
-    
+    return -1;   
 }


-int main(int argc, char *  const argv[]) {
-    const char* UNINITIALIZED = "";
-    const char* iface = UNINITIALIZED;
-    const char* ip = UNINITIALIZED;
-    const char* client_id = UNINITIALIZED;
-    const char* server_id = UNINITIALIZED;
-    const char* iaid = UNINITIALIZED;
-    int dry_run = 0;
-    while (1) {
-        int option_index = 0;
-        int c = getopt_long(argc, argv, "a:s:c:n:i:hd", longopts, &option_index);
-        if (c == -1){
-            break;
-        }
-        switch(c){
-            case 0:
-                if (longopts[option_index].flag !=0){
-                    break;
-                }
-                printf ("option %s", longopts[option_index].name);
-                if (optarg)
-                    printf (" with arg %s", optarg);
-                printf ("\n");
-                break;
-            case 'i':
-                iaid = optarg;
-                break;
-            case 'n':
-                iface = optarg;
-                break;
-            case 'a':
-                ip = optarg;
-                break;
-            case 'c':
-                client_id = optarg;
-                break;
-            case 'd':
-                dry_run = 1;
-                break;
-            case 's':
-                server_id = optarg;
-                break;
-            case 'h':
-                usage(argv[0], stdout);
-                return 0;
-            case '?':
-                usage(argv[0], stderr);
-                return -1;
-             default:
-                abort();
-                
-        }
+int main(int argc, char *  const argv[])
+{
+  const char* UNINITIALIZED = "";
+  const char* iface = UNINITIALIZED;
+  const char* ip = UNINITIALIZED;
+  const char* client_id = UNINITIALIZED;
+  const char* server_id = UNINITIALIZED;
+  const char* iaid = UNINITIALIZED;
+  int dry_run = 0;
+  while (1)
+    {
+      int option_index = 0;
+      int c = getopt_long(argc, argv, "a:s:c:n:i:hd", longopts, &option_index);
+      if (c == -1)
+	break;
        
+      switch(c)
+	{
+	case 0:
+	  if (longopts[option_index].flag !=0)
+	    break;
+	  
+	  printf ("option %s", longopts[option_index].name);
+	  if (optarg)
+	    printf (" with arg %s", optarg);
+	  printf ("\n");
+	  break;
+
+	case 'i':
+	  iaid = optarg;
+	  break;
+	case 'n':
+	  iface = optarg;
+	  break;
+	case 'a':
+	  ip = optarg;
+	  break;
+	case 'c':
+	  client_id = optarg;
+	  break;
+	case 'd':
+	  dry_run = 1;
+	  break;
+	case 's':
+	  server_id = optarg;
+	  break;
+	case 'h':
+	  usage(argv[0], stdout);
+	  return 0;
+	case '?':
+	  usage(argv[0], stderr);
+	  return -1;
+	default:
+	  abort();
+	  
+        }
    }
-    if (iaid == UNINITIALIZED){
-        fprintf(stderr, "Missing required iaid parameter\n");
-        usage(argv[0], stderr);
-        return -1;
+  
+  if (iaid == UNINITIALIZED)
+    {
+      fprintf(stderr, "Missing required iaid parameter\n");
+      usage(argv[0], stderr);
+      return -1;
    }
-    if (server_id == UNINITIALIZED){
+  
+    if (server_id == UNINITIALIZED)
+      {
        fprintf(stderr, "Missing required server-id parameter\n");
        usage(argv[0], stderr);
        return -1;
-    }
-    if (client_id == UNINITIALIZED){
+      }
+    
+    if (client_id == UNINITIALIZED)
+      {
        fprintf(stderr, "Missing required client-id parameter\n");
        usage(argv[0], stderr);
        return -1;
-    }
-    if (ip == UNINITIALIZED){
+      }
+    
+    if (ip == UNINITIALIZED)
+      {
        fprintf(stderr, "Missing required ip parameter\n");
        usage(argv[0], stderr);
        return -1;
-    }
-    if (iface == UNINITIALIZED){
-        fprintf(stderr, "Missing required iface parameter\n");
+      }
+    
+    if (iface == UNINITIALIZED)
+      {
+	fprintf(stderr, "Missing required iface parameter\n");
        usage(argv[0], stderr);
        return -1;
-    }
-
-
+      }

+    
+    
    struct dhcp6_packet packet = create_release_packet(iaid, ip, client_id, server_id);
-    if (dry_run){
+
+    if (dry_run)
+      {
        uint16_t i;
-        for(i=0;i<packet.len;i++){
-            printf("%hhx", packet.buf[i]);
-        }
+
+        for(i=0; i<packet.len; i++)
+	  printf("%hhx", packet.buf[i]);
+        
        printf("\n");
        return 0;
-    }
+      }
+
    return send_release_packet(iface, &packet);
-    
 }
--- a/contrib/mactable/macscript
+++ b/contrib/mactable/macscript
@@ -3,7 +3,7 @@
 STATUS_FILE="/tmp/dnsmasq-ip-mac.status"

 # Script for dnsmasq lease-change hook.
-# Maintains the above file with a IP address/MAC address pairs,
+# Maintains the above file with an IP address/MAC address pairs,
 # one lease per line. Works with IPv4 and IPv6 leases, file is
 # atomically updated, so no races for users of the data.

--- a/contrib/reverse-dns/README
+++ b/contrib/reverse-dns/README
@@ -14,5 +14,5 @@ log-facility=/var/log/dnsmasq.log

 in the dnsmasq configuration.

-The script runs on debian (with ash installed) and on busybox.
+The script runs on debian (with dash installed) and on busybox.

--- a/contrib/reverse-dns/reverse_replace.sh
+++ b/contrib/reverse-dns/reverse_replace.sh
@@ -1,4 +1,4 @@
-#!/bin/ash
+#!/bin/dash
 # $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
 #
 # Usage e.g.: netstat -n -4 | reverse_replace.sh 
--- a/contrib/systemd/dnsmasq.service
+++ b/contrib/systemd/dnsmasq.service
@@ -1,5 +1,8 @@
 [Unit]
 Description=dnsmasq - A lightweight DHCP and caching DNS server
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target

 [Service]
 Type=dbus
--- a/contrib/try-all-ns/README-2.78
+++ b/contrib/try-all-ns/README-2.78
@@ -0,0 +1,10 @@
+Hi,
+I updated the try-all-ns patch to work with the latest version of git. Ended up implementing it on top of master, 2.78test2-7-g63437ff. As that specific if-clause has been changed in the last few commits, it's not compatible for 2.77, sadly.
+
+Find the patch attached.
+
+Regards,
+
+Rasmus Ahlberg
+Software Developer, R&D
+Electrolux Small Appliances
--- a/contrib/try-all-ns/dnsmasq-2.78xx-try-all-ns.patch
+++ b/contrib/try-all-ns/dnsmasq-2.78xx-try-all-ns.patch
@@ -0,0 +1,20 @@
+diff --git a/src/forward.c b/src/forward.c
+index e3fa94b..ecf3b98 100644
+--- a/src/forward.c
+++ b/src/forward.c
+@@ -789,9 +789,12 @@ void reply_query(int fd, int family, time_t now)
+ 
+   /* Note: if we send extra options in the EDNS0 header, we can't recreate
+      the query from the reply. */
+-  if (RCODE(header) == REFUSED &&
+-      forward->forwardall == 0 &&
+-      !(forward->flags & FREC_HAS_EXTRADATA))
+  if ((RCODE(header) == REFUSED &&
+        forward->forwardall == 0 &&
+       !(forward->flags & FREC_HAS_EXTRADATA)) ||
+      /* If strict-order is set, try next server on NXDOMAIN reply */
+      (RCODE(header) == NXDOMAIN && option_bool(OPT_ORDER) &&
+       server->next != NULL))
+     /* for broken servers, attempt to send to another one. */
+     {
+       unsigned char *pheader;
--- a/dbus/DBus-interface
+++ b/dbus/DBus-interface
@@ -44,10 +44,22 @@ SetFilterWin2KOption
 --------------------
 Takes boolean, sets or resets the --filterwin2k option.

+SetFilterA
+------------------------
+Takes boolean, sets or resets the --filter-A option.
+
+SetFilterAAAA
+------------------------
+Takes boolean, sets or resets the --filter-AAAA option.
+
 SetBogusPrivOption
 ------------------
 Takes boolean, sets or resets the --bogus-priv option.

+SetLocaliseQueriesOption
+------------------------
+Takes boolean, sets or resets the --localise-queries option.
+
 SetServers
 ----------
 Returns nothing. Takes a set of arguments representing the new
@@ -243,7 +255,20 @@ IPv4 or IPv6 address of the lease to remove.
 Note that this function will trigger the DhcpLeaseRemoved signal and the
 configured DHCP lease script will be run with the "del" action.

+GetMetrics
+----------

+Returns an array with various metrics for DNS and DHCP.
+
+GetServerMetrics
+----------------
+
+Returns per-DNS-server metrics.
+
+ClearMetrics
+------------
+
+Clear call metric counters, global and per-server.

 2. SIGNALS
 ----------
--- a/1
+++ b/1
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/conffiles
+++ b/debian/conffiles
@@ -1,5 +0,0 @@
-/etc/init.d/dnsmasq
-/etc/default/dnsmasq
-/etc/dnsmasq.conf
-/etc/resolvconf/update.d/dnsmasq
-/etc/insserv.conf.d/dnsmasq
--- a/debian/control
+++ b/debian/control
@@ -1,44 +0,0 @@
-Source: dnsmasq
-Section: net
-Priority: optional
-Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
-               nettle-dev (>=2.4-3), libbsd-dev [!linux-any]
-Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Standards-Version: 3.9.8
-
-Package: dnsmasq
-Architecture: all
-Depends: netbase, dnsmasq-base(>= ${binary:Version}),
-         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6)
-Suggests: resolvconf
-Conflicts: resolvconf (<<1.15)
-Description: Small caching DNS proxy and DHCP/TFTP server
- Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
- server. It is designed to provide DNS and optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
- server and allows machines with DHCP-allocated addresses
- to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP for network booting of diskless machines.
-
-Package: dnsmasq-base
-Architecture: any
-Depends: adduser, ${shlibs:Depends}
-Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~)
-Recommends: dns-root-data
-Description: Small caching DNS proxy and DHCP/TFTP server
- This package contains the dnsmasq executable and documentation, but
- not the infrastructure required to run it as a system daemon. For
- that, install the dnsmasq package.
-
-Package: dnsmasq-utils
-Architecture: linux-any
-Depends: ${shlibs:Depends}
-Conflicts: dnsmasq (<<2.40)
-Description: Utilities for manipulating DHCP leases
- Small utilities to query a DHCP server's lease database and
- remove leases from it. These programs are distributed with dnsmasq
- and may not work correctly with other DHCP servers.
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,21 +0,0 @@
-dnsmasq is Copyright (c) 2000-2016 Simon Kelley
-
-It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991, or
-   (at your option) version 3 dated 29 June, 2007.
- 
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-On Debian GNU/Linux systems, the text of the GNU general public license is 
-available in the file /usr/share/common-licenses/GPL-2 or 
-/usr/share/common-licenses/GPL-3
-
-The Debian package of dnsmasq was created by Simon Kelley with assistance 
-from Lars Bahner.
-
--- a/debian/dbus.conf
+++ b/debian/dbus.conf
@@ -1,18 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<policy user="root">
-		<allow own="uk.org.thekelleys.dnsmasq"/>
-		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
-	</policy>
-        <policy user="dnsmasq">
-                <allow own="uk.org.thekelleys.dnsmasq"/>
-                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-	<policy context="default">
-                <deny own="uk.org.thekelleys.dnsmasq"/>
-                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-</busconfig>
-
--- a/debian/default
+++ b/debian/default
@@ -1,33 +0,0 @@
-# This file has five functions: 
-# 1) to completely disable starting dnsmasq, 
-# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` 
-# 3) to select an alternative config file
-#    by setting DNSMASQ_OPTS to --conf-file=<file>
-# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
-#    more configuration variables.
-# 5) to stop the resolvconf package from controlling dnsmasq's
-#    idea of which upstream nameservers to use.
-# For upgraders from very old versions, all the shell variables set 
-# here in previous versions are still honored by the init script
-# so if you just keep your old version of this file nothing will break.
-
-#DOMAIN_SUFFIX=`dnsdomainname`
-#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
-
-# Whether or not to run the dnsmasq daemon; set to 0 to disable.
-ENABLED=1
-
-# By default search this drop directory for configuration options.
-# Libvirt leaves a file here to make the system dnsmasq play nice.
-# Comment out this line if you don't want this. The dpkg-* are file
-# endings which cause dnsmasq to skip that file. This avoids pulling
-# in backups made by dpkg.
-CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
-
-# If the resolvconf package is installed, dnsmasq will use its output 
-# rather than the contents of /etc/resolv.conf to find upstream 
-# nameservers. Uncommenting this line inhibits this behaviour.
-# Note that including a "resolv-file=<filename>" line in 
-# /etc/dnsmasq.conf is not enough to override resolvconf if it is
-# installed: the line below must be uncommented.
-#IGNORE_RESOLVCONF=yes
--- a/debian/dnsmasq-base.conffiles
+++ b/debian/dnsmasq-base.conffiles
@@ -1 +0,0 @@
-/etc/dbus-1/system.d/dnsmasq.conf
--- a/debian/dnsmasq-base.postinst
+++ b/debian/dnsmasq-base.postinst
@@ -1,24 +0,0 @@
-#!/bin/sh
-set -e
-
-# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
-      
-# create a user to run as (code stolen from dovecot-common)
-if [ "$1" = "configure" ]; then
-  if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
-    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
-            --no-create-home --disabled-password \
-            --quiet dnsmasq || true
-  fi
-
-  # Make the directory where we keep the pid file - this
-  # has to be owned by "dnsmasq" so that the file can be unlinked.
-  # This is only actually used by the dnsmasq binary package, not
-  # dnsmasq-base, but it's much easier to create it here so that
-  # we don't have synchronisation issues with the creation of the
-  # dnsmasq user. 
-  if [ ! -d /run/dnsmasq ]; then
-    mkdir /run/dnsmasq
-    chown dnsmasq:nogroup /run/dnsmasq
-  fi
-fi
--- a/debian/dnsmasq-base.postrm
+++ b/debian/dnsmasq-base.postrm
@@ -1,11 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ purge = "$1" ]; then
-   if [ -x "$(command -v deluser)" ]; then
-     deluser --quiet --system dnsmasq > /dev/null || true
-  else
-     echo >&2 "not removing dnsmasq system account because deluser command was not found"
-  fi
-  rm -rf /run/dnsmasq
-fi
--- a/debian/init
+++ b/debian/init
@@ -1,320 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:  $network $remote_fs $syslog
-# Default-Start:  2 3 4 5
-# Default-Stop:   0 1 6
-# Description:    DHCP and DNS server
-### END INIT INFO
-
-# Don't exit on error status
-set +e
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/dnsmasq
-NAME=dnsmasq
-DESC="DNS forwarder and DHCP server"
-
-# Most configuration options in /etc/default/dnsmasq are deprecated
-# but still honoured.
-ENABLED=1
-if [ -r /etc/default/$NAME ]; then
-	. /etc/default/$NAME
-fi
-
-# Get the system locale, so that messages are in the correct language, and the 
-# charset for IDN is correct
-if [ -r /etc/default/locale ]; then
-        . /etc/default/locale
-        export LANG
-fi
-
-# The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base 
-# package is still in place.
-test -e /usr/share/dnsmasq/installed-marker || exit 0
- 
-test -x $DAEMON || exit 0
-
-# Provide skeleton LSB log functions for backports which don't have LSB functions.
-if [ -f /lib/lsb/init-functions ]; then
-         . /lib/lsb/init-functions
-else
-         log_warning_msg () {
-            echo "${@}."
-         }
-
-         log_success_msg () {
-            echo "${@}."
-         }
-
-         log_daemon_msg () {
-            echo -n "${1}: $2"
-         }
-
-	 log_end_msg () {
-            if [ $1 -eq 0 ]; then
-              echo "."
-            elif [ $1 -eq 255 ]; then
-              /bin/echo -e " (warning)."
-            else
-              /bin/echo -e " failed!"
-            fi
-         }
-fi
-
-# RESOLV_CONF:
-# If the resolvconf package is installed then use the resolv conf file
-# that it provides as the default.  Otherwise use /etc/resolv.conf as
-# the default.
-#
-# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
-# filename is set there then this inhibits the use of the resolvconf-provided
-# information.
-#
-# Note that if the resolvconf package is installed it is not possible to 
-# override it just by configuration in /etc/dnsmasq.conf, it is necessary
-# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
-
-if [ ! "$RESOLV_CONF" ] &&
-   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-	RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-for INTERFACE in $DNSMASQ_INTERFACE; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
-done
-
-for INTERFACE in $DNSMASQ_EXCEPT; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
-done
-
-if [ ! "$DNSMASQ_USER" ]; then
-   DNSMASQ_USER="dnsmasq"
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address 
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be 
-# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f $ROOT_DS ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -rne "s/^([.a-ZA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-start()
-{
-        # Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-
-        # /run may be volatile, so we need to ensure that
-        # /run/dnsmasq exists here as well as in postinst
-        if [ ! -d /run/dnsmasq ]; then
-           mkdir /run/dnsmasq || return 2
-           chown dnsmasq:nogroup /run/dnsmasq || return 2
-        fi
-
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON -- \
-		-x /run/dnsmasq/$NAME.pid \
-	        ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-		${MAILTARGET:+ -t $MAILTARGET} \
-		${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-		${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-		${DHCP_LEASE:+ -l $DHCP_LEASE} \
-		${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-		${RESOLV_CONF:+ -r $RESOLV_CONF} \
-		${CACHESIZE:+ -c $CACHESIZE} \
-	        ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-		${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
-		|| return 2
-}
-
-start_resolvconf()
-{
-# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
-# Then dnsmasq won't be providing local DNS, so don't add it to
-# the resolvconf server set.
-	for interface in $DNSMASQ_EXCEPT
-	do
-		[ $interface = lo ] && return
-	done
-
-# Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-	if grep -qs '^port=0' /etc/dnsmasq.conf; then
-		return
-	fi
-
-        if [ -x /sbin/resolvconf ] ; then
-		echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
-	fi
-	return 0
-}
-
-stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/$NAME.pid --name $NAME
-}
-
-stop_resolvconf()
-{
-	if [ -x /sbin/resolvconf ] ; then
-		/sbin/resolvconf -d lo.$NAME
-	fi
-	return 0
-}
-
-status()
-{
-	# Return
-	#   0 if daemon is running
-	#   1 if daemon is dead and pid file exists
-	#   3 if daemon is not running
-	#   4 if daemon status is unknown
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
-	case "$?" in
-		0) [ -e "/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
-		1) return 0 ;;
-		*) return 4 ;;
-	esac
-}
-
-case "$1" in
-  start)
-	test "$ENABLED" != "0" || exit 0
-	log_daemon_msg "Starting $DESC" "$NAME"
-	start
-	case "$?" in
-		0)
-			log_end_msg 0
-			start_resolvconf
-			exit 0
-			;;
-		1)
-			log_success_msg "(already running)"
-			exit 0
-			;;
-		*)
-			log_end_msg 1
-			exit 1
-			;;
-	esac
-	;;
-  stop)
-	stop_resolvconf
-	if [ "$ENABLED" != "0" ]; then
-             log_daemon_msg "Stopping $DESC" "$NAME"
-	fi
-	stop
-        RETVAL="$?"
-	if [ "$ENABLED" = "0" ]; then
-	    case "$RETVAL" in
-	       0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
-            esac 
-	    exit 0
-	fi
-	case "$RETVAL" in
-		0) log_end_msg 0 ; exit 0 ;;
-		1) log_warning_msg "(not running)" ; exit 0 ;;
-		*) log_end_msg 1; exit 1 ;;
-	esac
-	;;
-  restart|force-reload)
-	test "$ENABLED" != "0" || exit 1
-	$DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-	    NAME="configuration syntax check"
-	    RETVAL="2"
-	else   
-	    stop_resolvconf
-	    stop
-	    RETVAL="$?"
-        fi
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	case "$RETVAL" in
-		0|1)
-		        sleep 2
-			start
-			case "$?" in
-				0)
-					log_end_msg 0
-					start_resolvconf
-					exit 0
-					;;
-			        *)
-					log_end_msg 1
-					exit 1
-					;;
-			esac
-			;;
-		*)
-			log_end_msg 1
-			exit 1
-			;;
-	esac
-	;;
-  status)
-	log_daemon_msg "Checking $DESC" "$NAME"
-	status
-	case "$?" in
-		0) log_success_msg "(running)" ; exit 0 ;;
-		1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-		3) log_success_msg "(not running)" ; exit 3 ;;
-		*) log_success_msg "(unknown)" ; exit 4 ;;
-	esac
-	;;
-  dump-stats)
-        kill -s USR1 `cat /run/dnsmasq/$NAME.pid`
-	;;
-  systemd-start-resolvconf)
-	start_resolvconf
-	;;
-  systemd-stop-resolvconf)
-	stop_resolvconf
-	;;
-  systemd-exec)
-# /run may be volatile, so we need to ensure that
-        # /run/dnsmasq exists here as well as in postinst
-        if [ ! -d /run/dnsmasq ]; then
-           mkdir /run/dnsmasq || return 2
-           chown dnsmasq:nogroup /run/dnsmasq || return 2
-        fi
-	exec $DAEMON -x /run/dnsmasq/$NAME.pid \
-	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-	    ${MAILTARGET:+ -t $MAILTARGET} \
-	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-	    ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-	    ${DHCP_LEASE:+ -l $DHCP_LEASE} \
-	    ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-	    ${RESOLV_CONF:+ -r $RESOLV_CONF} \
-	    ${CACHESIZE:+ -c $CACHESIZE} \
-	    ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-	    ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} 
-	;;
-  *)
-	echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
-	exit 3
-	;;
-esac
-
-exit 0
-
--- a/debian/insserv
+++ b/debian/insserv
@@ -1 +0,0 @@
-$named dnsmasq
--- a/debian/installed-marker
+++ b/debian/installed-marker
@@ -1,2 +0,0 @@
-# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
-# It is an implementation detail of the dnsmasq init script.
--- a/debian/postinst
+++ b/debian/postinst
@@ -1,38 +0,0 @@
-#!/bin/sh
-set -e
-
-# Code copied from dh_systemd_enable ----------------------
-# This will only remove masks created by d-s-h on package removal.
-deb-systemd-helper unmask dnsmasq.service >/dev/null || true
-
-# was-enabled defaults to true, so new installations run enable.
-if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
-	# Enables the unit on first installation, creates new
-	# symlinks on upgrades if the unit file has changed.
-	deb-systemd-helper enable dnsmasq.service >/dev/null || true
-else
-	# Update the statefile to add new symlinks (if any), which need to be
-	# cleaned up on purge. Also remove old symlinks.
-	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
-fi
-# End code copied from dh_systemd_enable ------------------
-
-if [ -x /etc/init.d/dnsmasq ]; then
-   update-rc.d dnsmasq defaults 15 85 >/dev/null
-
-   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
-          ACTION=restart
-      else
-          ACTION=start
-      fi
-
-      if [ -x /usr/sbin/invoke-rc.d ] ; then
-         invoke-rc.d dnsmasq $ACTION || true
-      else
-         /etc/init.d/dnsmasq $ACTION || true
-      fi
-   fi
-fi
-
-
--- a/debian/postrm
+++ b/debian/postrm
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ purge = "$1" ]; then
-   update-rc.d dnsmasq remove >/dev/null
-fi
-
-# Code copied from dh_systemd_enable ----------------------
-if [ "$1" = "remove" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper mask dnsmasq.service >/dev/null
-	fi
-fi
-
-if [ "$1" = "purge" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper purge dnsmasq.service >/dev/null
-		deb-systemd-helper unmask dnsmasq.service >/dev/null
-	fi
-fi
-# End code copied from dh_systemd_enable ------------------
-
--- a/debian/prerm
+++ b/debian/prerm
@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ "$1" = "remove" ]; then
-  if [ -x /usr/sbin/invoke-rc.d ] ; then
-      invoke-rc.d dnsmasq stop || true
-  else
-      /etc/init.d/dnsmasq stop || true
-  fi
-fi
-
-exit 0
-
-
--- a/debian/readme
+++ b/debian/readme
@@ -1,79 +0,0 @@
-Notes on configuring dnsmasq as packaged for Debian.
-
-(1) To configure dnsmasq edit /etc/dnsmasq.conf. The file is well
-    commented; see also the dnsmasq.8 man page for explanation of
-    the options. The file /etc/default/dnsmasq also exists but it
-    shouldn't need to be touched in most cases. To set up DHCP
-    options you might need to refer to a copy of RFC 2132. This is 
-    available on Debian systems in the package doc-rfc-std as the file
-    /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
-
-(2) Installing the dnsmasq package also creates the directory
-    /etc/dnsmasq.d which is searched by dnsmasq for configuration file
-    fragments. This behaviour can be disabled by editing 
-    /etc/default/dnsmasq.
-
-(3) If the Debian resolvconf package is installed then, regardless
-    of what interface configuration daemons are employed, the list of
-    nameservers to which dnsmasq should forward queries can be found
-    in /var/run/dnsmasq/resolv.conf; also, 127.0.0.1 is listed as the
-    first nameserver address in /etc/resolv.conf. This works using the
-    default configurations of resolvconf and dnsmasq.
-
-(4) In the absence of resolvconf, if you are using dhcpcd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/dhcpc/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(5) In the absence of resolvconf, if you are using pppd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(6) In the absence of resolvconf, dns-nameservers lines in 
-    /etc/network/interfaces are ignored. If you do not use
-    resolvconf, list 127.0.0.1 as the first nameserver address
-    in /etc/resolv.conf and configure your nameservers using
-    "server=<IP-address>" lines in /etc/dnsmasq.conf.
-
-(7) If you run multiple DNS servers on a single machine, each
-    listening on a different interface, then it is necessary to use 
-    the bind-interfaces option by uncommenting "bind-interfaces" in 
-    /etc/dnsmasq.conf. This option stops dnsmasq from binding the 
-    wildcard address and allows servers listening on port 53 on
-    interfaces not in use by dnsmasq to work. The Debian 
-    libvirt package will add a configuration file in /etc/dnsmasq.d
-    which does this so that the "system" dnsmasq and "private" dnsmasq
-    instances started by libvirt do not clash.
-
-(8) The following options are supported in DEB_BUILD_OPTIONS
-      noopt       : compile without optimisation.
-      nostrip     : don't remove symbols from binary. 
-      nodocs      : omit documentation.
-      notftp      : omit TFTP support.
-      nodhcp      : omit DHCP support.
-      nodhcp6     : omit DHCPv6 support.
-      noscript    : omit lease-change script support.
-      use_lua     : provide support for lease-change scripts written
-                    in Lua.
-      noipv6      : omit IPv6 support.
-      nodbus      : omit DBus support.
-      noconntrack : omit connection tracking support. 
-      noipset     : omit IPset support.
-      nortc       : compile alternate mode suitable for systems without an RTC.
-      noi18n      : omit translations and internationalisation support.
-      noidn       : omit international domain name support, must be
-                    combined with noi18n to be effective.
-      gitversion  : set the version of the produced packages from the
-                    git-derived versioning information on the source,
-                    rather than the debian changelog. 
-
-(9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
-    dnsmasq. Dnsmasq-base provides the dnsmasq executable and
-    documentation (including this file). Dnsmasq, which depends on
-    dnsmasq-base, provides the init script and configuration
-    infrastructure. This file assumes that both are installed. It is
-    possible to install only dnsmasq-base and use dnsmasq as a
-    non-"system" daemon. Libvirt, for instance, does this.
-    Dnsmasq-utils provides the utilities dhcp_release and 
-    dhcp_lease_time.
--- a/debian/readme.dnsmasq.d
+++ b/debian/readme.dnsmasq.d
@@ -1,7 +0,0 @@
-# All files in this directory will be read by dnsmasq as 
-# configuration files, except if their names end in 
-# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
-#
-# This can be changed by editing /etc/default/dnsmasq
-
-
--- a/debian/resolvconf
+++ b/debian/resolvconf
@@ -1,84 +0,0 @@
-#!/bin/sh
-#
-# Script to update the resolver list for dnsmasq
-#
-# N.B. Resolvconf may run us even if dnsmasq is not (yet) running.
-# If dnsmasq is installed then we go ahead and update the resolver list
-# in case dnsmasq is started later.
-#
-# Assumption: On entry, PWD contains the resolv.conf-type files.
-#
-# This file is part of the dnsmasq package.
-#
-
-set -e
-
-RUN_DIR="/run/dnsmasq"
-RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
-TMP_FILE="${RSLVRLIST_FILE}_new.$$"
-MY_NAME_FOR_RESOLVCONF="dnsmasq"
-
-[ -x /usr/sbin/dnsmasq ] || exit 0
-[ -x /lib/resolvconf/list-records ] || exit 1
-
-PATH=/bin:/sbin
-
-report_err() { echo "$0: Error: $*" >&2 ; }
-
-# Stores arguments (minus duplicates) in RSLT, separated by spaces
-# Doesn't work properly if an argument itself contains whitespace
-uniquify()
-{
-	RSLT=""
-	while [ "$1" ] ; do
-		for E in $RSLT ; do
-			[ "$1" = "$E" ] && { shift ; continue 2 ; }
-		done
-		RSLT="${RSLT:+$RSLT }$1"
-		shift
-	done
-}
-
-if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then
-	report_err "Failed trying to create directory $RUN_DIR"
-	exit 1
-fi
-
-RSLVCNFFILES=""
-for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
-	case "$F" in
-	    "lo.$MY_NAME_FOR_RESOLVCONF")
-		# Omit own record	 
-		;;
-	    lo.*)
-		# Include no more records after one for a local nameserver
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		break
-		;;
-	  *)
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		;;
-	esac
-done
-
-NMSRVRS=""
-if [ "$RSLVCNFFILES" ] ; then
-	uniquify $(sed -n -e 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES)
-	NMSRVRS="$RSLT"
-fi
-
-# Dnsmasq uses the mtime of $RSLVRLIST_FILE, with a resolution of one second,
-# to detect changes in the file. This means that if a resolvconf update occurs
-# within one second of the previous one then dnsmasq may fail to notice the
-# more recent change. To work around this problem we sleep one second here
-# if necessary in order to ensure that the new mtime is different.
-if [ -f "$RSLVRLIST_FILE" ] && [ "$(ls -go --time-style='+%s' "$RSLVRLIST_FILE" | { read p h s t n ; echo "$t" ; })" = "$(date +%s)" ] ; then
-	sleep 1
-fi
-
-clean_up() { rm -f "$TMP_FILE" ; }
-trap clean_up EXIT
-: >| "$TMP_FILE"
-for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMP_FILE" ; done
-mv -f "$TMP_FILE" "$RSLVRLIST_FILE"
-
--- a/debian/resolvconf-package
+++ b/debian/resolvconf-package
@@ -1,13 +0,0 @@
-#!/bin/sh
-# Resolvconf packaging event hook script for the dnsmasq package
-restart_dnsmasq() {
-    if which invoke-rc.d >/dev/null 2>&1 ; then
-        invoke-rc.d dnsmasq restart
-    elif [ -x /etc/init.d/dnsmasq ] ; then
-        /etc/init.d/dnsmasq restart
-    fi
-}
-
-case "$1" in
-  install) restart_dnsmasq ;;
-esac
--- a/debian/rules
+++ b/debian/rules
@@ -1,247 +0,0 @@
-#!/usr/bin/make -f
-# debian/rules file - for dnsmasq.
-# Copyright 2001-2011 by Simon Kelley
-# Based on the sample in the debian hello package which carries the following:
-# Copyright 1994,1995 by Ian Jackson.
-# I hereby give you perpetual unlimited permission to copy,
-# modify and relicense this file, provided that you do not remove
-# my name from the file itself.  (I assert my moral right of
-# paternity under the Copyright, Designs and Patents Act 1988.)
-# This file may have to be extensively modified
-
-package=dnsmasq-base
-
-dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
-
-CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
-CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
-CFLAGS += -Wall -W
-
-LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
-
-DEB_COPTS = $(COPTS)
-
-TARGET = install-i18n
-
-DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
-DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
-
-ifeq ($(origin CC),default)
-     CC = $(DEB_HOST_GNU_TYPE)-gcc
-endif
-
-# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
-ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
-     PKG_CONFIG=pkg-config
-else
-     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
-endif
-
-# Force package version based on git tags.
-ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
-     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
-endif
-
-ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DBUS
-endif
-
-ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_IDN
-endif
-
-ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-     DEB_COPTS += -DHAVE_CONNTRACK
-endif
-endif
-
-ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPSET
-endif
-
-ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP6
-endif
-
-ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPV6
-endif
-
-ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_TFTP
-endif
-
-ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP
-endif
-
-ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_SCRIPT
-endif
-
-ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_BROKEN_RTC
-endif
-
-ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
-     TARGET = install
-endif
-
-ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_LUASCRIPT
-endif
-
-ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DNSSEC
-endif
-
-ifneq ($(DEB_HOST_ARCH_OS),linux)
-     # For strlcpy in FreeBSD
-     LDFLAGS += -lbsd
-endif
-
-clean:
-	$(checkdir)
-	rm -rf debian/daemon debian/base debian/utils debian/*~ debian/files debian/substvars debian/utils-substvars
-	make clean
-	make -C contrib/lease-tools clean
-
-binary-indep:	checkroot
-	$(checkdir)
-	rm -rf debian/daemon
-	install -m 755 \
-	        -d debian/daemon/DEBIAN \
-		-d debian/daemon/usr/share/doc \
-	        -d debian/daemon/etc/init.d \
-		-d debian/daemon/etc/dnsmasq.d \
-	        -d debian/daemon/etc/resolvconf/update.d \
-		-d debian/daemon/usr/lib/resolvconf/dpkg-event.d \
-		-d debian/daemon/usr/share/dnsmasq \
-	        -d debian/daemon/etc/default \
-		-d debian/daemon/lib/systemd/system \
-                -d debian/daemon/etc/insserv.conf.d
-	install -m 644 debian/conffiles debian/daemon/DEBIAN
-	install -m 755 debian/postinst debian/postrm debian/prerm debian/daemon/DEBIAN
-	install -m 755 debian/init debian/daemon/etc/init.d/dnsmasq
-	install -m 755 debian/resolvconf debian/daemon/etc/resolvconf/update.d/dnsmasq
-	install -m 755 debian/resolvconf-package debian/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
-	install -m 644 debian/installed-marker debian/daemon/usr/share/dnsmasq
-	install -m 644 debian/default debian/daemon/etc/default/dnsmasq
-	install -m 644 dnsmasq.conf.example debian/daemon/etc/dnsmasq.conf
-	install -m 644 debian/readme.dnsmasq.d debian/daemon/etc/dnsmasq.d/README
-	install -m 644 debian/systemd.service debian/daemon/lib/systemd/system/dnsmasq.service
-	install -m 644 debian/insserv debian/daemon/etc/insserv.conf.d/dnsmasq
-	ln -s $(package) debian/daemon/usr/share/doc/dnsmasq
-	cd debian/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/daemon
-	find debian/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/daemon
-	chmod -R g-ws debian/daemon
-	dpkg --build debian/daemon ..
-
-binary-arch:	checkroot 
-	$(checkdir)
-	rm -rf debian/base
-	install -m 755 \
-		-d debian/base/DEBIAN \
-		-d debian/base/etc/dbus-1/system.d \
-	        -d debian/base/usr/share/doc/$(package) \
-		-d debian/base/usr/share/doc/$(package)/examples \
-		-d debian/base/usr/share/$(package) \
-	        -d debian/base/var/lib/misc
-	make $(TARGET) PREFIX=/usr DESTDIR=`pwd`/debian/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
-# Need to remove paypal links in Debian Package for policy reasons.
-	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >debian/base/usr/share/doc/$(package)/doc.html
-	echo "</BODY>" >>debian/base/usr/share/doc/$(package)/doc.html 
-	install -m 644 setup.html debian/base/usr/share/doc/$(package)/.
-	install -m 644 dnsmasq.conf.example debian/base/usr/share/doc/$(package)/examples/.
-	install -m 644 trust-anchors.conf debian/base/usr/share/$(package)/.
-	install -m 644 FAQ debian/base/usr/share/doc/$(package)/.
-	gzip -9n debian/base/usr/share/doc/$(package)/FAQ
-	install -m 644 CHANGELOG debian/base/usr/share/doc/$(package)/changelog
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog
-	install -m 644 CHANGELOG.archive debian/base/usr/share/doc/$(package)/changelog.archive
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog.archive
-	install -m 644 dbus/DBus-interface debian/base/usr/share/doc/$(package)/.
-	gzip -9n debian/base/usr/share/doc/$(package)/DBus-interface	
-endif
-	install -m 644 debian/dnsmasq-base.conffiles debian/base/DEBIAN/conffiles
-	install -m 755 debian/dnsmasq-base.postinst debian/base/DEBIAN/postinst
-	install -m 755 debian/dnsmasq-base.postrm  debian/base/DEBIAN/postrm
-	install -m 644 debian/changelog debian/base/usr/share/doc/$(package)/changelog.Debian
-	gzip -9n debian/base/usr/share/doc/$(package)/changelog.Debian
-	install -m 644 debian/readme debian/base/usr/share/doc/$(package)/README.Debian
-	install -m 644 debian/copyright debian/base/usr/share/doc/$(package)/copyright
-	install -m 644 debian/dbus.conf debian/base/etc/dbus-1/system.d/dnsmasq.conf
-	gzip -9n debian/base/usr/share/man/man8/dnsmasq.8
-	for f in debian/base/usr/share/man/*; do \
-		if [ -f $$f/man8/dnsmasq.8 ]; then \
-                       gzip -9n $$f/man8/dnsmasq.8 ; \
-                fi \
-	done
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/base/usr/sbin/dnsmasq
-endif
-	cd debian/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/base
-	find debian/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/base
-	chmod -R g-ws debian/base 
-	dpkg --build debian/base ..
-
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-	rm -rf debian/utils
-	install -m 755 -d debian/utils/DEBIAN \
-                       -d debian/utils/usr/share/man/man1 \
-	               -d debian/utils/usr/bin \
-                       -d debian/utils/usr/share/doc/dnsmasq-utils
-	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
-	install -m 755 contrib/lease-tools/dhcp_release debian/utils/usr/bin/dhcp_release
-	install -m 644 contrib/lease-tools/dhcp_release.1 debian/utils/usr/share/man/man1/dhcp_release.1
-	gzip -9n debian/utils/usr/share/man/man1/dhcp_release.1
-	install -m 755 contrib/lease-tools/dhcp_release6 debian/utils/usr/bin/dhcp_release6
-	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/utils/usr/share/man/man1/dhcp_release6.1
-	gzip -9n debian/utils/usr/share/man/man1/dhcp_release6.1
-	install -m 755 contrib/lease-tools/dhcp_lease_time debian/utils/usr/bin/dhcp_lease_time		
-	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/utils/usr/share/man/man1/dhcp_lease_time.1
-	install -m 644 debian/copyright debian/utils/usr/share/doc/dnsmasq-utils/copyright
-	install -m 644 debian/changelog debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/utils/usr/share/man/man1/dhcp_lease_time.1
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/utils/usr/bin/dhcp_release
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/utils/usr/bin/dhcp_release6
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/utils/usr/bin/dhcp_lease_time
-endif	
-	cd debian/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps -Tdebian/utils-substvars debian/utils/usr/bin/dhcp_release debian/utils/usr/bin/dhcp_lease_time
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/utils
-	find debian/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/utils
-	chmod -R g-ws debian/utils 
-	dpkg --build debian/utils ..
-endif
-
-define checkdir
-	test -f Makefile -a -f debian/rules
-endef
-
-# Below here is fairly generic really
-
-binary:		binary-arch binary-indep
-
-build:		
-build-arch:
-build-indep:
-
-checkroot:
-	test root = "`whoami`"
-
-.PHONY: binary binary-arch binary-indep clean checkroot
-
-
--- a/debian/shlibs.local
+++ b/debian/shlibs.local
@@ -1 +0,0 @@
-libnettle 6 libnettle6 (>= 3.3)
--- a/debian/source/format
+++ b/debian/source/format
@@ -1 +0,0 @@
-1.0
--- a/debian/systemd.service
+++ b/debian/systemd.service
@@ -1,31 +0,0 @@
-[Unit]
-Description=dnsmasq - A lightweight DHCP and caching DNS server
-Requires=network.target
-Wants=nss-lookup.target
-Before=nss-lookup.target
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/dnsmasq/dnsmasq.pid
-
-# Test the config file and refuse starting if it is not valid.
-ExecStartPre=/usr/sbin/dnsmasq --test
-
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec
-
-# The systemd-*-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the 
-# dnsmasq daemon fails to start.
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
-
-
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -85,12 +85,22 @@
 # subdomains to the vpn and search ipsets:
 #ipset=/yahoo.com/google.com/vpn,search

+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to netfilters sets, which is equivalent to
+# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
+#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
+
+# Use netfilters sets for both IPv4 and IPv6:
+# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
+#nftset=/yahoo.com/4#ip#test#vpn4
+#nftset=/yahoo.com/6#ip#test#vpn6
+
 # You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
 # server=10.1.2.3@eth1

 # and this sets the source (ie local) address used to talk to
-# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
 # IP on the machine, obviously).
 # server=10.1.2.3@192.168.1.1#55

@@ -288,7 +298,7 @@
 # Give a fixed IPv6 address and name to client with 
 # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
-# Note also the they [] around the IPv6 address are obligatory.
+# Note also that the [] around the IPv6 address are obligatory.
 #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 

 # Ignore any clients which are not specified in dhcp-host lines
@@ -354,11 +364,11 @@

 # Set option 58 client renewal time (T1). Defaults to half of the
 # lease time if not specified. (RFC2132)
-#dhcp-option=option:T1:1m
+#dhcp-option=option:T1,1m

 # Set option 59 rebinding time (T2). Defaults to 7/8 of the
 # lease time if not specified. (RFC2132)
-#dhcp-option=option:T2:2m
+#dhcp-option=option:T2,2m

 # Set the NTP time server address to be the same machine as
 # is running dnsmasq
@@ -384,7 +394,7 @@

 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
-# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
 # you may want to uncomment some or all of them if you use
@@ -436,22 +446,22 @@
 #dhcp-option-force=211,30i

 # Set the boot filename for netboot/PXE. You will only need
-# this is you want to boot machines over the network and you will need
-# a TFTP server; either dnsmasq's built in TFTP server or an
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
 # external one. (See below for how to enable the TFTP server.)
 #dhcp-boot=pxelinux.0

 # The same as above, but use custom tftp-server instead machine running dnsmasq
 #dhcp-boot=pxelinux,server.name,192.168.1.100

-# Boot for Etherboot gPXE. The idea is to send two different
-# filenames, the first loads gPXE, and the second tells gPXE what to
-# load. The dhcp-match sets the gpxe tag for requests from gPXE.
-#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
-#dhcp-boot=tag:!gpxe,undionly.kpxe
-#dhcp-boot=mybootimage
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php

-# Encapsulated options for Etherboot gPXE. All the options are
+# Encapsulated options for iPXE. All the options are
 # encapsulated within option 175
 #dhcp-option=encap:175, 1, 5b         # priority code
 #dhcp-option=encap:175, 176, 1b       # no-proxydhcp
@@ -547,6 +557,14 @@
 # http://www.isc.org/files/auth.html
 #dhcp-authoritative

+# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
+# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
+# option with a DHCPACK including a Rapid Commit option and fully committed address
+# and configuration information. This must only be enabled if either the server is 
+# the only server for the subnet, or multiple servers are present and they each
+# commit a binding for all clients.
+#dhcp-rapid-commit
+
 # Run an executable when a DHCP lease is created or destroyed.
 # The arguments sent to the script are "add" or "del",
 # then the MAC address, the IP address and finally the hostname
@@ -646,7 +664,7 @@
 # Provide an alias for a "local" DNS name. Note that this _only_ works
 # for targets which are names from DHCP or /etc/hosts. Give host
 # "bert" another name, bertrand
-#cname=bertand,bert
+#cname=bertrand,bert

 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.
@@ -664,3 +682,8 @@

 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
--- a/doc.html
+++ b/doc.html
@@ -66,6 +66,10 @@ the repo, or get a copy using git protocol with the command

 <PRE><TT>git clone git://thekelleys.org.uk/dnsmasq.git </TT></PRE>

+or
+
+<PRE><TT>git clone http://thekelleys.org.uk/git/dnsmasq.git </TT></PRE>
+
 <H2>License.</H2>
 Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution 
 for details.
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
--- a/man/es/dnsmasq.8
+++ b/man/es/dnsmasq.8
@@ -478,7 +478,8 @@ la traza reversa direcci
 .TP
 .B \-c, --cache-size=<tamaño de caché>
 Fijar el tamaño del caché de dnsmasq. El predeterminado es 150 nombres.
-Fijar el tamaño a cero deshabilita el caché.
+Fijar el tamaño a cero deshabilita el caché. Nota: el gran tamaño de
+caché afecta el rendimiento.
 .TP
 .B \-N, --no-negcache
 Deshabilitar caché negativo. El caché negativo le permite a dnsmasq
--- a/man/fr/dnsmasq.8
+++ b/man/fr/dnsmasq.8
@@ -10,7 +10,7 @@ est un serveur à faible empreinte mémoire faisant DNS, TFTP, PXE, annonces de
 routeurs et DHCP. Il offre à la fois les services DNS et DHCP pour un réseau
 local (LAN).
 .PP
-Dnsmasq accepte les requêtes DNS et y réponds soit en utilisant un petit cache
+Dnsmasq accepte les requêtes DNS et y répond soit en utilisant un petit cache
 local, soit en effectuant une requête à un serveur DNS récursif externe (par
 exemple celui de votre fournisseur d'accès internet). Il charge le contenu du
 fichier /etc/hosts afin que les noms locaux n'apparaissant pas dans les DNS
@@ -19,25 +19,25 @@ pour les hôtes présents dans le service DHCP. Il peut aussi agir en temps que
 serveur DNS faisant autorité pour un ou plusieurs domaines, permettant à des
 noms locaux d'apparaitre dans le DNS global.
 .PP
-Le serveur DHCP Dnsmasq DHCP supporte les définitions d'adresses statiques et les
+Le serveur DHCP de Dnsmasq supporte les définitions d'adresses statiques et les
 réseaux multiples. Il fournit par défaut un jeu raisonnable de paramètres DHCP,
 et peut être configuré pour fournir n'importe quelle option DHCP.
 Il inclut un serveur TFTP sécurisé en lecture seule permettant le démarrage via
 le réseau/PXE de clients DHCP et supporte également le protocole BOOTP. Le
 support PXE est complet, et comprend un mode proxy permettant de fournir des
-informations PXE aux clients alors que l'allocation DHCP est effectuée par un
-autre serveur.
+informations PXE aux clients alors que l'allocation d'adresse via DHCP est
+effectuée par un autre serveur.
 .PP
-Le serveur DHCPv6 de dnsmasq possède non seulement les mêmes fonctionalités
+Le serveur DHCPv6 de dnsmasq possède non seulement les mêmes fonctionnalités
 que le serveur DHCPv4, mais aussi le support des annonces de routeurs ainsi
-qu'une fonctionalité permettant l'addition de ressources AAAA pour des
+qu'une fonctionnalité permettant l'addition de ressources AAAA pour des
 clients utilisant DHCPv4 et la configuration IPv6 sans état (stateless
 autoconfiguration).
 Il inclut le support d'allocations d'adresses (à la fois en DHCPv6 et en
 annonces de routeurs - RA) pour des sous-réseaux dynamiquement délégués via
 une délégation de préfixe DHCPv6.
 .PP
-Dnsmasq est developpé pour de petits systèmes embarqués. It tends à avoir
+Dnsmasq est développé pour de petits systèmes embarqués. Il tend à avoir
 l'empreinte mémoire la plus faible possible pour les fonctions supportées,
 et permet d'exclure les fonctions inutiles du binaire compilé.
 .SH OPTIONS
@@ -46,16 +46,23 @@ Dans ce cas, la fonction correspondante sera désactivée. Par exemple
 .B --pid-file=
 (sans paramètre après le =) désactive l'écriture du fichier PID.
 Sur BSD, à moins que le logiciel ne soit compilé avec la bibliothèque GNU
-getopt, la forme longue des options ne fonctionne pas en ligne de commande; Elle
+getopt, la forme longue des options ne fonctionne pas en ligne de commande; elle
 est toujours supportée dans le fichier de configuration.
 .TP
 .B --test
-Vérifie la syntaxe du ou des fichiers de configurations. Se termine avec le
+Vérifie la syntaxe du ou des fichiers de configuration. Se termine avec le
 code de retour 0 si tout est OK, ou un code différent de 0 dans le cas
 contraire. Ne démarre pas Dnsmasq.
 .TP
+.B \-w, --help
+Affiche toutes les options de ligne de commande.
+.B --help dhcp
+affiche les options de configuration connues pour DHCPv4, et
+.B --help dhcp6
+affiche les options de configuration connues pour DHCPv6.
+.TP
 .B \-h, --no-hosts
-Ne pas charger les noms du fichier /etc/hosts.
+Ne pas charger les noms d'hôtes du fichier /etc/hosts.
 .TP
 .B \-H, --addn-hosts=<fichier>
 Fichiers d'hôtes additionnels. Lire le fichier spécifié en plus de /etc/hosts.
@@ -68,7 +75,7 @@ fichiers contenus dans ce répertoire.
 .B \-E, --expand-hosts
 Ajoute le nom de domaine aux noms simples (ne contenant pas de point dans le
 nom) contenus dans le fichier /etc/hosts, de la même façon que pour le service
-DHCP. Notez que cela ne s'applique pas au nom de domaine dans les CNAME, les
+DHCP. Notez que cela ne s'applique pas aux noms de domaine dans les CNAME, les
 enregistrements PTR, TXT, etc...
 .TP
 .B \-T, --local-ttl=<durée>
@@ -86,7 +93,7 @@ Les réponses négatives provenant des serveurs amonts contiennent normalement
 une information de durée de vie (time-to-live) dans les enregistrements SOA,
 information dont dnsmasq se sert pour mettre la réponse en cache. Si la réponse
 du serveur amont omet cette information, dnsmasq ne cache pas la réponse. Cette
-option permet de doner une valeur de durée de vie par défaut (en secondes) que
+option permet de donner une valeur de durée de vie par défaut (en secondes) que
 dnsmasq utilise pour mettre les réponses négatives dans son cache, même en
 l'absence d'enregistrement SOA.
 .TP
@@ -194,7 +201,7 @@ au dessus de la valeur spécifiée. Utile pour des systèmes derrière des dispo
 garde-barrières ("firewalls").
 .TP
 .B \-i, --interface=<nom d'interface>
-N'écouter que sur l'interface réseau spécifiée. Dnsmasq aujoute automatiquement
+N'écouter que sur l'interface réseau spécifiée. Dnsmasq ajoute automatiquement
 l'interface locale ("loopback") à la liste des interfaces lorsque l'option
 .B --interface
 est utilisée.
@@ -205,13 +212,13 @@ ou
 n'est donnée, Dnsmasq écoutera sur toutes les interfaces disponibles sauf
 celle(s) spécifiée(s) par l'option
 .B --except-interface.
-Les alias d'interfaces IP (e-g "eth1:0") ne peuvent être utilisés ni avec
+Les alias d'interfaces IP (par exemple "eth1:0") ne peuvent être utilisés ni avec
 .B --interface
 ni
 .B \--except-interface.
 Utiliser l'option 
 .B --listen-address
-à la place. Un simple joker, consistant d'un '*' final, peut-être utilisé dans
+à la place. Un simple joker, consistant en un '*' final, peut être utilisé dans
 les options
 .B \--interface 
 et
@@ -229,10 +236,10 @@ sont fournies n'importe pas, et que l'option
 .B --except-interface
 l'emporte toujours sur les autres.
 .TP
-.B --auth-server=<domaine>,<interface>|<addresse IP>
+.B --auth-server=<domaine>,<interface>|<adresse IP>
 Active le mode DNS faisant autorité pour les requêtes arrivant sur cette
 interface ou sur cette adresse. Noter que l'interface ou l'adresse n'ont
-pas besoin d'être mentionées ni dans
+pas besoin d'être mentionnées ni dans
 .B --interface
 ni dans
 .B --listen-address
@@ -253,7 +260,7 @@ Ecouter sur la ou les adresse(s) IP spécifiée(s). Les options
 .B \--interface
 et
 .B \--listen-address
-peuvent-être spécifiées simultanément, auquel cas un jeu d'interfaces et
+peuvent être spécifiées simultanément, auquel cas un jeu d'interfaces et
 d'adresses seront utilisées. Notez que si
 aucune option
 .B \--interface
@@ -265,7 +272,7 @@ nécessaire de fournir explicitement son adresse IP, 127.0.0.1 via l'option
 .B \--listen-address.
 .TP
 .B \-z, --bind-interfaces
-Sur les systèmes qui le supporte, Dnsmasq s'associe avec l'interface joker
+Sur les systèmes qui le supportent, Dnsmasq s'associe avec l'interface joker
 ("wildcard"), même lorsqu'il ne doit écouter que sur certaines interfaces. Par
 la suite, il rejette les requêtes auxquelles il ne doit pas répondre. Cette
 situation présente l'avantage de fonctionner même lorsque les interfaces vont
@@ -302,7 +309,7 @@ le réseau auquel ils sont attachés). Cette possibilité est actuellement limit
 .TP
 .B \-b, --bogus-priv
 Fausse résolution inverse pour les réseaux privés. Toutes les requêtes DNS
-inverses pour des adresses IP privées (ie 192.168.x.x, etc...) qui ne sont pas
+inverses pour des adresses IP privées (192.168.x.x, etc...) qui ne sont pas
 trouvées dans /etc/hosts ou dans le fichier de baux DHCP se voient retournées
 une réponse "pas de tel domaine" ("no such domain") au lieu d'être transmises
 aux serveurs de nom amont ("upstream server").
@@ -317,7 +324,7 @@ modifiera 1.2.3.56 en 6.7.8.56 et 1.2.3.67 en 6.7.8.67.
 Cette fonctionnalité correspond à ce que les routeurs Cisco PIX appellent
 "bidouillage DNS" ("DNS doctoring"). Si l'ancienne IP est donnée sous la forme
 d'une gamme d'adresses, alors seules les adresses dans cette gamme seront
-réecrites, et non le sous-réseau dans son ensemble. Ainsi,
+réécrites, et non le sous-réseau dans son ensemble. Ainsi,
 .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 fait correspondre 192.168.0.10->192.168.0.40 à 10.0.0.10->10.0.0.40
 .TP 
@@ -380,7 +387,7 @@ effectuer ses requêtes à tous les serveurs disponibles. Le résultat renvoyé
 au client sera celui fournit par le premier serveur ayant répondu.
 .TP
 .B --stop-dns-rebind
-Rejete (et enregistre dans le journal d'activité) les adresses dans la gamme
+Rejette (et enregistre dans le journal d'activité) les adresses dans la gamme
 d'adresses IP privée (au sens RFC1918) qui pourraient être renvoyées par les
 serveurs amonts suite à une résolution de nom. Cela bloque les attaques cherchant
 à détourner de leur usage les logiciels de navigation web ('browser') en s'en
@@ -389,13 +396,13 @@ servant pour découvrir les machines situées sur le réseau local.
 .B --rebind-localhost-ok
 Exclue 127.0.0/8 des vérifications de réassociation DNS. Cette gamme d'adresses
 est retournée par les serveurs Realtime Blackhole (RBL, utilisés dans la
-lutte contre le spam), la bloquer peut entraîner des disfonctionnements de ces
+lutte contre le spam), la bloquer peut entraîner des dysfonctionnements de ces
 services.
 .TP 
 .B  --rebind-domain-ok=[<domaine>]|[[/<domaine>/[<domaine>/]
 Ne pas détecter ni bloquer les actions de type dns-rebind pour ces domaines.
 Cette option peut prendre comme valeur soit un nom de domaine soit plusieurs
-noms de domains entourés par des '/', selon une syntaxe similaire à l'option
+noms de domaine entourés par des '/', selon une syntaxe similaire à l'option
 --server, c-à-d :
 .B  --rebind-domain-ok=/domaine1/domaine2/domaine3/
 .TP
@@ -474,7 +481,7 @@ serveur de nom. Il doit s'agir d'une des adresses IP appartenant à la machine s
 laquelle tourne Dnsmasq ou sinon la ligne sera ignorée et une erreur sera
 consignée dans le journal des événements, ou alors d'un nom d'interface. Si un nom
 d'interface est donné, alors les requêtes vers le serveur de nom seront envoyées
-depuis cette interface; si une adresse ip est donnée, alors l'adresse source de
+depuis cette interface; si une adresse IP est donnée, alors l'adresse source de
 la requête sera l'adresse en question. L'option query-port est ignorée pour tous
 les serveurs ayant une adresse source spécifiée, mais il est possible de la donner
 directement dans la spécification de l'adresse source. Forcer les requêtes à être
@@ -510,7 +517,7 @@ d'IP netfilter (ipset) indiqués. Domaines et sous-domaines sont résolus de la
 même façon que pour --address. Ces groupes d'IP doivent déjà exister. Voir
 ipset(8) pour plus de détails.
 .TP
-.B \-m, --mx-host=<nom de l'hôte>[[,<nom du MX>],<préference>]
+.B \-m, --mx-host=<nom de l'hôte>[[,<nom du MX>],<préférence>]
 Spécifie un enregistrement de type MX pour <nom de l'hôte> retournant le nom
 donné dans <nom du MX> (s'il est présent), ou sinon le nom spécifié dans
 l'option
@@ -612,7 +619,7 @@ l'enregistrement est donnée dans les données hexadécimales, qui peuvent
 être de la forme 01:23:45, 01 23 45,+012345 ou n'importe quelle combinaison.
 .TP
 .B --interface-name=<nom>,<interface>
-Définit un entregistrement DNS associant le nom avec l'adresse primaire sur
+Définit un enregistrement DNS associant le nom avec l'adresse primaire sur
 l'interface donnée en argument. Cette option spécifie un enregistrement de type
 A pour le nom donné en argument de la même façon que s'il était défini par une
 ligne de /etc/hosts, sauf que l'adresse n'est pas constante mais dépendante de
@@ -638,7 +645,7 @@ IPv6 pouvant commencer par '::', mais les noms DNS ne pouvant pas commencer
 par '-', si aucun préfixe n'est donné, un zéro est ajouté en début de nom.
 Ainsi, ::1 devient 0--1.

-La plage d'adresses peut-être de la forme
+La plage d'adresses peut être de la forme
 <adresse IP>,<adresse IP> ou <adresse IP>/<masque réseau>
 .TP
 .B --add-mac
@@ -647,7 +654,7 @@ amonts. Cela peut être utilisé dans un but de filtrage DNS par les serveurs
 amonts. L'adresse MAC peut uniquement être ajoutée si le requêteur est sur le
 même sous-réseau que le serveur dnsmasq. Veuillez noter que le mécanisme
 utilisé pour effectuer cela (une option EDNS0) n'est pas encore standardisée,
-aussi cette fonctionalité doit être considérée comme expérimentale. Notez
+aussi cette fonctionnalité doit être considérée comme expérimentale. Notez
 également qu'exposer les adresses MAC de la sorte peut avoir des implications
 en termes de sécurité et de vie privée. L'avertissement donné pour --add-subnet
 s'applique également ici.
@@ -659,19 +666,20 @@ longueur du préfixe : 32 (ou 128 dans le cas d'IPv6) transmet la totalité
 de l'adresse, 0 n'en transmet aucun mais marque néanmoins la requête ce qui
 fait qu'aucun serveur amont ne rajoutera d'adresse client. La valeur par
 défaut est zéro et pour IPv4 et pour IPv6. A noter que les serveurs amonts
-peuvent-être configurés pour retourner des valeurs différentes en fonction
+peuvent être configurés pour retourner des valeurs différentes en fonction
 de cette information mais que le cache de dnsmasq n'en tient pas compte.
-Si une instance de dnsmasq est configurée de telle maniêre que des valeurs
-différentes pourraient-être rencontrés, alors le cache devrait être désactivé.
+Si une instance de dnsmasq est configurée de telle manière que des valeurs
+différentes pourraient être rencontrées, alors le cache devrait être désactivé.
 .TP
 .B \-c, --cache-size=<taille>
 Définit la taille du cache de Dnsmasq. La valeur par défaut est de 150 noms.
-Définir une valeur de zéro désactive le cache.
+Définir une valeur de zéro désactive le cache. Remarque: la taille importante
+du cache a un impact sur les performances.
 .TP
 .B \-N, --no-negcache
 Désactive le "cache négatif". Le "cache négatif" permet à Dnsmasq de se souvenir
 des réponses de type "no such domain" fournies par les serveurs DNS en amont et
-de fournir les réponses sans avoir à re-transmettre les requêtes aux serveurs
+de fournir les réponses sans avoir à retransmettre les requêtes aux serveurs
 amont.
 .TP
 .B \-0, --dns-forward-max=<nombre de requêtes>
@@ -683,17 +691,17 @@ son journal des requêtes, ce qui peut générer un nombre important de requête
 simultanées.
 .TP
 .B --proxy-dnssec
-Un resolveur sur une machine cliente peut effectuer la validation DNSSEC de
+Un résolveur sur une machine cliente peut effectuer la validation DNSSEC de
 deux façons : il peut effectuer lui-même les opérations de chiffrements sur
 la réponse reçue, ou il peut laisser le serveur récursif amont faire la
 validation et positionner un drapeau dans la réponse au cas où celle-ci est
 correcte. Dnsmasq n'est pas un validateur DNSSEC, aussi il ne peut effectuer
 la validation comme un serveur de nom récursif, cependant il peut retransmettre
 les résultats de validation de ses serveurs amonts. Cette option permet
-l'activation de cette fonctionalité. Vous ne devriez utiliser cela que si vous
+l'activation de cette fonctionnalité. Vous ne devriez utiliser cela que si vous
 faites confiance aux serveurs amonts
 .I ainsi que le réseau entre vous et eux.
-Si vous utilisez le premier mode DNSSEC, la validation par le resolveur des
+Si vous utilisez le premier mode DNSSEC, la validation par le résolveur des
 clients, cette option n'est pas requise. Dnsmasq retourne toujours toutes les
 données nécessaires par un client pour effectuer la validation lui-même.
 .TP
@@ -703,12 +711,12 @@ Définie une zone DNS pour laquelle dnsmasq agit en temps que serveur faisant
 autorité. Les enregistrements DNS définis localement et correspondant à ce
 domaine seront fournis. Les enregistrements A et AAAA doivent se situer dans
 l'un des sous-réseaux définis, ou dans un réseau correspondant à une plage DHCP
-(ce comportement peut-être désactivé par
+(ce comportement peut être désactivé par
 .B constructor-noauth:
 ). Le ou les sous-réseaux sont également utilisé(s) pour définir les domaines
 in-addr.arpa et ip6.arpa servant à l'interrogation DNS inverse. Si la longueur
 de préfixe n'est pas spécifiée, elle sera par défaut de 24 pour IPv4 et 64 pour
-IPv6. Dans le cas d'IPv4, la longueur du masque de réseau devrait-être de 8, 16
+IPv6. Dans le cas d'IPv4, la longueur du masque de réseau devrait être de 8, 16
 ou 24, sauf si en cas de mise en place d'une délégation de la zone in-addr.arpa
 conforme au RFC 2317.
 .TP
@@ -719,7 +727,7 @@ optionnel, les valeurs par défaut devant convenir à la majorité des cas.
 .TP
 .B --auth-sec-servers=<domaine>[,<domaine>[,<domaine>...]]
 Spécifie un ou plusieurs serveur de nom secondaires pour une zone pour
-laquelle dnsmasq fait autorité. Ces serveurs doivent-être configurés pour
+laquelle dnsmasq fait autorité. Ces serveurs doivent être configurés pour
 récupérer auprès de dnsmasq les informations liées à la zone au travers d'un
 transfert de zone, et répondre aux requêtes pour toutes les zones pour
 lesquelles dnsmasq fait autorité.
@@ -733,7 +741,7 @@ seront acceptées pour tous les serveurs secondaires.
 .B --conntrack
 Lis le marquage de suivi de connexion Linux associé aux requêtes DNS entrantes
 et positionne la même marque au trafic amont utilisé pour répondre à ces
-requétes. Cela permet au trafic généré par Dnsmasq d'étre associé aux requêtes
+requêtes. Cela permet au trafic généré par Dnsmasq d'être associé aux requêtes
 l'ayant déclenché, ce qui est pratique pour la gestion de la bande passante
 (accounting) et le filtrage (firewall). Dnsmasq doit pour cela être compilé
 avec le support conntrack, le noyau doit également inclure conntrack et être
@@ -742,7 +750,7 @@ configuré pour cela. Cette option ne peut pas être combinée avec
 .TP
 .B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<adresse de début>[,<adresse de fin>][,<mode>][,<masque de réseau>[,<broadcast>]][,<durée de bail>]
 .TP
-.B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<addresse IPv6 de début>[,<adresse IPv6 de fin>|constructor:<interface>][,<mode>][,<longueur de préfixe>][,<durée de bail>]
+.B \-F, --dhcp-range=[tag:<label>[,tag:<label>],][set:<label>],]<adresse IPv6 de début>[,<adresse IPv6 de fin>|constructor:<interface>][,<mode>][,<longueur de préfixe>][,<durée de bail>]

 Active le serveur DHCP. Les adresses seront données dans la plage comprise entre
 <adresse de début> et <adresse de fin> et à partir des adresses définies
@@ -755,7 +763,7 @@ durée indéterminée. Si aucune valeur n'est donnée, une durée de bail par d
 de une heure est appliquée. La valeur minimum pour un bail DHCP est de 2
 minutes.

-Pour les plages IPv6, la durée de bail peut-être égale au mot-clef "deprecated"
+Pour les plages IPv6, la durée de bail peut être égale au mot-clef "deprecated"
 (obsolète); Cela positionne la durée de vie préférée envoyée dans les baux DHCP
 ou les annonces routeurs à zéro, ce qui incite les clients à utiliser d'autres
 adresses autant que possible, pour toute nouvelle connexion, en préalable à
@@ -795,7 +803,7 @@ adresses assignées à l'interface. Par exemple
 provoque la recherche d'adresses de la forme <réseau>::1 sur eth0 et crée une
 plage allant de <réseau>::1 à <réseau>:400. Si une interface est assignée à
 plus d'un réseau, les plages correspondantes seront automatiquement créées,
-rendues obsolètes puis supprimées lorsque l'adress est rendue obsolète puis
+rendues obsolètes puis supprimées lorsque l'adresse est rendue obsolète puis
 supprimée. Le nom de l'interface peut être spécifié avec un caractère joker '*'
 final.

@@ -809,7 +817,7 @@ obsolètes ne conviennent pas.

 Si une plage dhcp-range est uniquement utilisée pour du DHCP sans-état
 ("stateless") ou de l'autoconfiguration sans état ("SLAAC"), alors l'adresse
-peut-être indiquée sous la forme '::'
+peut être indiquée sous la forme '::'

 .B --dhcp-range=::,constructor:eth0

@@ -851,7 +859,7 @@ et
 .B pxe-service
 pour plus de détails).

-Pour IPv6, le mode peut-être une combinaison des valeurs
+Pour IPv6, le mode peut être une combinaison des valeurs
 .B ra-only, slaac, ra-names, ra-stateless, off-link.

 .B ra-only
@@ -883,7 +891,7 @@ connectés (et non ceux pour lesquels DHCP se fait via relai), et ne
 fonctionnera pas si un hôte utilise les "extensions de vie privée"
 ("privacy extensions").
 .B ra-names
-peut-être combiné avec
+peut être combiné avec
 .B ra-stateless
 et
 .B slaac.
@@ -914,7 +922,7 @@ sous-réseau qu'une plage dhcp-range valide. Pour les sous-réseaux qui n'ont pa
 besoin d'adresses dynamiquement allouées, utiliser le mot-clef "static" dans la
 déclaration de plage d'adresses dhcp-range.

-Il est possible d'utiliser des identifiants clients (appellé "DUID client" dans
+Il est possible d'utiliser des identifiants clients (appelés "DUID client" dans
 le monde IPv6) plutôt que des adresses matérielles pour identifier les hôtes,
 en préfixant ceux-ci par 'id:'. Ainsi, 
 .B --dhcp-host=id:01:02:03:04,..... 
@@ -926,7 +934,7 @@ ceci :
 Un seul
 .B dhcp-host 
 peut contenir une adresse IPv4, une adresse IPv6, ou les deux en même temps.
-Les adresses IPv6 doivent-être mises entre crochets comme suit :
+Les adresses IPv6 doivent être mises entre crochets comme suit :
 .B --dhcp-host=laptop,[1234::56]
 Les adresses IPv6 peuvent ne contenir que la partie identifiant de client :
 .B --dhcp-host=laptop,[::56]
@@ -945,7 +953,7 @@ identifiant client mais pas les autres.
 Si un nom apparaît dans /etc/hosts, l'adresse associée peut être allouée à un
 bail DHCP mais seulement si une option
 .B --dhcp-host
-spécifiant le nom existe par ailleurs. Seul un nom d'hôte peut-être donné dans
+spécifiant le nom existe par ailleurs. Seul un nom d'hôte peut être donné dans
 une option
 .B dhcp-host
 , mais les alias sont possibles au travers de l'utilisation des CNAMEs. (Voir
@@ -973,7 +981,7 @@ Les adresses ethernet (mais pas les identifiants clients) peuvent être définie
 avec des octets joker, ainsi par exemple
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
 demande à Dnsmasq d'ignorer une gamme d'adresses matérielles. Il est  à noter
-que "*" doit-être précédé d'un caractère d'échappement ou mis entre guillemets
+que "*" doit être précédé d'un caractère d'échappement ou mis entre guillemets
 lorsque spécifié en option de ligne de commande, mais pas dans le fichier de
 configuration.

@@ -1059,14 +1067,14 @@ qu'aux réseaux dont tous les labels coïncident avec ceux de la requête.
 Un traitement spécial est effectué sur les chaînes de caractères fournies pour
 l'option 119, conformément à la RFC 3397. Les chaînes de caractères ou les
 adresses IP sous forme de 4 chiffres séparés par des points donnés en arguments
-de l'option 120 sont traités conforméments à la RFC 3361. Les adresses IP sous
+de l'option 120 sont traités conformément à la RFC 3361. Les adresses IP sous
 forme de 4 chiffres séparés par des points suivies par une barre montante "/",
-puis une taille de masque sont encodés conforméments à la RFC 3442.
+puis une taille de masque sont encodés conformément à la RFC 3442.

 Les options IPv6 sont fournies en utilisant le mot-clef
 .B option6:
 suivi par le numéro d'option ou le nom d'option. L'espace de nommage des options
-IPv6 est disjint de l'espace de nommage des options IPv4. Les adresses IPv6
+IPv6 est disjoint de l'espace de nommage des options IPv4. Les adresses IPv6
 en option doivent être entourées de crochets, comme par exemple :
 .B --dhcp-option=option6:ntp-server,[1234::56]

@@ -1075,7 +1083,7 @@ adéquat sont envoyées pour un numéro d'option donné, il est tout à fait pos
 de persuader Dnsmasq de générer des paquets DHCP illégaux par une utilisation
 incorrecte de cette option. Lorsque la valeur est un nombre décimal, Dnsmasq
 doit déterminer la taille des données. Cela est fait en examinant le numéro de
-l'option et/ou la valeur, mais peut-être évité en rajoutant un suffixe d'une
+l'option et/ou la valeur, mais peut être évité en rajoutant un suffixe d'une
 lettre comme suit :
 b = un octet, s = 2 octets, i = 4 octets. Cela sert essentiellement pour des
 options encapsulées de classes de vendeurs (voir plus bas), pour lesquelles 
@@ -1088,7 +1096,7 @@ d'une chaîne de caractères comme nom de serveur TFTP, il est nécessaire de fa
 comme suit :
 .B --dhcp-option=66,"1.2.3.4"

-Les options encapsulées de classes de vendeurs peuvent-être aussi spécifiées 
+Les options encapsulées de classes de vendeurs peuvent être aussi spécifiées
 (pour IPv4 seulement) en utilisant
 .B --dhcp-option
 : par exemple
@@ -1105,7 +1113,7 @@ par le client. Il est possible d'omettre complètement une classe de vendeur :
 .B --dhcp-option=vendor:,1,0.0.0.0
 Dans ce cas l'option encapsulée est toujours envoyée.

-En IPv4, les options peuvent-être encapsulées au sein d'autres options :
+En IPv4, les options peuvent être encapsulées au sein d'autres options :
 par exemple
 .B --dhcp-option=encap:175, 190, "iscsi-client0"
 enverra l'option 175, au sein de laquelle se trouve l'option 190.
@@ -1128,7 +1136,7 @@ une option encapsulée.
 Cela fonctionne exactement de la même façon que
 .B --dhcp-option
 sauf que cette option sera toujours envoyée, même si le client ne la demande pas
-dans la liste de paramêtres requis. Cela est parfois nécessaire, par exemple lors
+dans la liste de paramètres requis. Cela est parfois nécessaire, par exemple lors
 de la fourniture d'options à PXELinux.
 .TP
 .B --dhcp-no-override
@@ -1149,10 +1157,10 @@ Toutes les requêtes DHCP arrivant sur cette interface seront relayées au
 serveur DHCP distant correspondant à l'adresse de serveur indiquée. Il est
 possible de relayer depuis une unique adresse locale vers différents serveurs
 distant en spécifiant plusieurs fois l'option dhcp-relay avec la même adresse
-locale et différentes adresses de serveur. L'adresse de serveur doit-être
-sous forme numérique. Dans le cas de DHCPv6, l'adresse de serveur peut-être
+locale et différentes adresses de serveur. L'adresse de serveur doit être
+sous forme numérique. Dans le cas de DHCPv6, l'adresse de serveur peut être
 l'adresse de multicast ff05::1:3 correspondant à tous les serveurs DHCP. Dans
-ce cas, l'interface doit-étre spécifiée et ne peut comporter de caractère
+ce cas, l'interface doit être spécifiée et ne peut comporter de caractère
 joker. Elle sera utilisée pour indiquer l'interface à partir de laquelle le
 multicast pourra atteindre le serveur DHCP.

@@ -1181,14 +1189,14 @@ vice-versa.
 Associe une chaîne de classe de vendeur à un label. La plupart
 des clients DHCP fournissent une "classe de vendeur" ("vendor class") qui
 représente, d'une certaine façon, le type d'hôte. Cette option associe des
-classes de vendeur à des labels, de telle sorte que des options DHCP peuvent-être
-fournie de manière sélective aux différentes classes d'hôtes. Par exemple,
+classes de vendeur à des labels, de telle sorte que des options DHCP peuvent être
+fournies de manière sélective aux différentes classes d'hôtes. Par exemple,
 .B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
 ou
 .B dhcp-vendorclass=printers,Hewlett-Packard JetDirect
 permet de n'allouer des options qu'aux imprimantes HP de la manière suivante :
 .B --dhcp-option=tag:printers,3,192.168.4.4
-La chaîne de caractères de la classe de vendeur founie en argument est cherchée
+La chaîne de caractères de la classe de vendeur fournie en argument est cherchée
 en temps que sous-chaîne de caractères au sein de la classe de vendeur fournie
 par le client, de façon à permettre la recherche d'un sous-ensemble de la chaîne
 de caractères ("fuzzy matching"). Le préfixe set: est optionnel mais autorisé
@@ -1218,7 +1226,7 @@ matérielle coïncide avec les critères définis.
 .TP
 .B --dhcp-circuitid=set:<label>,<identifiant de circuit>, --dhcp-remoteid=set:<label>,<identifiant distant>
 Associe des options de relais DHCP issus de la RFC3046 à des labels.
-Cette information peut-être fournie par des relais DHCP. L'identifiant
+Cette information peut être fournie par des relais DHCP. L'identifiant
 de circuit ou l'identifiant distant est normalement fourni sous la forme d'une
 chaîne de valeurs hexadécimales séparées par des ":", mais il est également
 possible qu'elle le soit sous la forme d'une simple chaîne de caractères. Si
@@ -1231,7 +1239,7 @@ est supporté en IPv6 (mais non dhcp-circuitid).
 (IPv4 et IPv6) Associe des options de relais DHCP issues de la RFC3993 à des
 labels.
 .TP
-.B --dhcp-proxy[=<adresse ip>]......
+.B --dhcp-proxy[=<adresse IP>]......
 (IPv4 seulement) Un agent relai DHCP normal est uniquement utilisé pour faire
 suivre les éléments initiaux de l'interaction avec le serveur DHCP. Une fois
 que le client est configuré, il communique directement avec le serveur. Cela
@@ -1252,7 +1260,7 @@ interactions avec les relais dont l'adresse est dans la liste seront affectées.
 Si aucune valeur n'est spécifiée, associe le label si le client
 envoie une option DHCP avec le numéro ou le nom spécifié. Lorsqu'une valeur est
 fournie, positionne le label seulement dans le cas où l'option est fournie et
-correspond à la valeur. La valeur peut-être de la forme "01:ff:*:02", auquel
+correspond à la valeur. La valeur peut être de la forme "01:ff:*:02", auquel
 cas le début de l'option doit correspondre (en respectant les jokers). La
 valeur peut aussi être de la même forme que dans
 .B dhcp-option
@@ -1262,14 +1270,14 @@ valeur peut aussi être de la même forme que dans
 --dhcp-match=set:efi-ia32,option:client-arch,6

 spécifie le label "efi-ia32" si le numéro 6 apparaît dnas la liste
-d'architectures envoyé par le client au sein de l'option 93. (se réferer
+d'architectures envoyé par le client au sein de l'option 93. (se référer
 au RFC 4578 pour plus de détails). Si la valeur est un chaine de caractères,
 celle-ci est recherchée (correspondance en temps que sous-chaîne).

 Pour la forme particulière vi-encap:<numéro d'entreprise>, la comparaison se
 fait avec les classes de vendeur "identifiant de vendeur" ("vendor-identifying
 vendor classes") pour l'entreprise dont le numéro est fourni en option.
-Veuillez vous réferer à la RFC 3925 pour plus de détail.
+Veuillez vous référer à la RFC 3925 pour plus de détails.
 .TP
 .B --tag-if=set:<label>[,set:<label>[,tag:<label>[,tag:<label>]]]
 Effectue une opération booléenne sur les labels. Si tous les labels
@@ -1280,7 +1288,7 @@ Si aucun tag:<label> n'est spécifié, alors tous les labels fournis par
 set:<label> sont positionnés.
 N'importe quel nombre de set: ou tag: peuvent être fournis, et l'ordre est sans
 importance.
-Les lignes tag-if sont executées dans l'ordre, ce qui fait que si un label dans
+Les lignes tag-if sont exécutées dans l'ordre, ce qui fait que si un label dans
 tag:<label> est un label positionné par une rêgle
 .B tag-if,
 la ligne qui positionne le label doit précéder celle qui le teste.
@@ -1320,17 +1328,17 @@ le cas de certains vieux clients BOOTP.
 (IPv4 seulement) Spécifie les options BOOTP devant être retournées par le
 serveur DHCP. Le nom de serveur ainsi que l'adresse sont optionnels : s'ils
 ne sont pas fournis, le nom est laissé vide et l'adresse fournie est celle de
-la machine sur laquelle s'exécute Dnsmasq. Si Dnsmasq founit un service TFTP (voir
+la machine sur laquelle s'exécute Dnsmasq. Si Dnsmasq fournit un service TFTP (voir
 .B --enable-tftp
 ), alors seul un nom de fichier est requis ici pour permettre un démarrage par
 le réseau.
 Si d'éventuels labels sont fournis, ils doivent coïncider avec
-ceux du client pour que cet élement de configuration lui soit envoyé.
+ceux du client pour que cet élément de configuration lui soit envoyé.
 Une adresse de serveur TFTP peut être spécifiée à la place de l'adresse IP,
 sous la forme d'un nom de domaine qui sera cherché dans le fichier /etc/hosts.
 Ce nom peut être associé dans /etc/hosts avec plusieurs adresses IP, auquel cas
 celles-ci seront utilisées tour à tour (algorithme round-robin).
-Cela peut-être utiliser pour équilibrer la charge tftp sur plusieurs serveurs.
+Cela peut être utilisé pour équilibrer la charge tftp sur plusieurs serveurs.
 .TP
 .B --dhcp-sequential-ip
 Dnsmasq est conçu pour choisir l'adresse IP des clients DHCP en utilisant
@@ -1346,6 +1354,13 @@ Veuillez noter que dans ce mode séquentiel, les clients qui laissent expirer
 leur bail ont beaucoup plus de chance de voir leur adresse IP changer, aussi
 cette option ne devrait pas être utilisée dans un cas général.
 .TP
+.B --dhcp-ignore-clid
+Dnsmasq lit l'option 'client identifier' (RFC 2131) envoyée par les clients
+(si disponible) afin d'identifier les clients. Cela permet de distribuer la
+même adresse IP à un client utilisant plusieurs interfaces. Activer cette option
+désactive la lecture du 'client identifier', afin de toujours identifier un client
+en utilisant l'adresse MAC.
+.TP
 .B --pxe-service=[tag:<label>,]<CSA>,<entrée de menu>[,<nom de fichier>|<type de service de démarrage>][,<adresse de serveur>|<nom de serveur>]
 La plupart des ROMS de démarrage PXE ne permettent au système PXE que la simple
 obtention d'une adresse IP, le téléchargement du fichier spécifié dans
@@ -1357,7 +1372,7 @@ Ceci spécifie l'option de démarrage qui apparaitra dans un menu de démarrage
 PXE. <CSA> est le type du système client. Seuls des types de services valides
 apparaitront dans un menu. Les types connus sont x86PC, PC98, IA64_EFI, Alpha,
 Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI et X86-64_EFI;
-D'autres types peuvent-être spécifiés sous la forme d'une valeur entière. Le
+D'autres types peuvent être spécifiés sous la forme d'une valeur entière. Le
 paramètre après le texte correspondant à l'entrée dans le menu peut être un nom
 de fichier, auquel cas Dnsmasq agit comme un serveur de démarrage et indique au
 client PXE qu'il faut télécharger ce fichier via TFTP, soit depuis ce serveur
@@ -1376,7 +1391,7 @@ démarrage n'est fournie (ou qu'une valeur de 0 est donnée pour le type de
 service), alors l'entrée de menu provoque l'interruption du démarrage par
 le réseau et la poursuite du démarrage sur un média local. L'adresse de serveur
 peut être donnée sous la forme de nom de domaine qui est recherché dans
-/etc/hosts. Ce nom peut-être associé à plusieurs adresses IP, qui dans ce cas
+/etc/hosts. Ce nom peut être associé à plusieurs adresses IP, qui dans ce cas
 sont utilisées à tour de rôle (en "round-robin").
 .TP
 .B --pxe-prompt=[tag:<label>,]<invite>[,<délai>]
@@ -1435,7 +1450,7 @@ Utiliser cette option avec précaution, une adresse allouée à un client BOOTP
 étant perpétuelle, et de fait n'est plus disponibles pour d'autres hôtes. Si
 aucun argument n'est donné, alors cette option permet une allocation dynamique
 dans tous les cas. Si des arguments sont spécifiés, alors l'allocation ne se
-fait que lorsque tous les identifiants coïncident. Il est possible de répeter
+fait que lorsque tous les identifiants coïncident. Il est possible de répéter
 cette option avec plusieurs jeux d'arguments.
 .TP
 .B \-5, --no-ping
@@ -1560,7 +1575,7 @@ Tous les descripteurs de fichiers sont fermés, sauf stdin, stdout et stderr qui
 sont ouverts sur /dev/null (sauf en mode déverminage).

 Le script n'est pas lancé de manière concurrente : au plus une instance du
-script est executée à la fois (dnsmasq attends qu'une instance de script se
+script est exécutée à la fois (dnsmasq attend qu'une instance de script se
 termine avant de lancer la suivante). Les changements dans la base des baux
 nécessitant le lancement du script sont placé en attente dans une queue jusqu'à
 terminaison d'une instance du script en cours. Si cette mise en queue fait que
@@ -1575,7 +1590,7 @@ le script sera invoqué avec une action "old" pour tous les baux existants.

 Il existe deux autres actions pouvant apparaître comme argument au script :
 "init" et "tftp". D'autres sont susceptibles d'être rajoutées dans le futur,
-aussi les scripts devraient-être écrits de sorte à ignorer les actions
+aussi les scripts devraient être écrits de sorte à ignorer les actions
 inconnues. "init" est décrite ci-dessous dans
 .B --leasefile-ro.
 L'action "tftp" est invoquée lorsqu'un transfert de fichier TFTP s'est
@@ -1588,7 +1603,7 @@ Spécifie un script écrit en Lua, devant être exécuté lorsque des baux sont
 créés, détruits ou modifiés. Pour utiliser cette option, dnsmasq doit être
 compilé avec avec le support de Lua. L'interpréteur Lua est initialisé une
 seule fois, lorsque dnsmasq démarre, ce qui fait que les variables globales
-persistent entre les évênements liés aux baux. Le code Lua doit définir une
+persistent entre les événements liés aux baux. Le code Lua doit définir une
 fonction
 .B lease
 et peut fournir des fonctions
@@ -1637,7 +1652,7 @@ et
 .B --dhcp-scriptuser
 Spécifie l'utilisateur sous lequel le script shell lease-change ou le script
 doivent être exécutés. La valeur par défaut correspond à l'utilisateur root
-mais peut-être changée par le biais de cette option.
+mais peut être changée par le biais de cette option.
 .TP
 .B \-9, --leasefile-ro
 Supprimer complètement l'usage du fichier servant de base de donnée pour les
@@ -1649,8 +1664,8 @@ biais de l'option
 être complètement gérée par le script sur un stockage externe. En addition aux
 actions décrites dans 
 .B  --dhcp-script,
-le script de changement d'état de bail est appellé une fois, au lancement de
-Dnsmasq, avec pour seul argument "init". Lorsqu'appellé de la sorte, le script
+le script de changement d'état de bail est appelé une fois, au lancement de
+Dnsmasq, avec pour seul argument "init". Lorsqu'appelé de la sorte, le script
 doit fournir l'état de la base de baux, dans le format de fichier de baux de
 Dnsmasq, sur sa sortie standard (stdout) et retourner un code de retour de 0.
 Positionner cette option provoque également une invocation du script de
@@ -1692,20 +1707,20 @@ positionné à la première valeur de la directive "search" du fichier
 /etc/resolv.conf (ou équivalent).

 La gamme d'adresses peut être de la forme
-<adresse ip>,<adresse ip> ou <adresse ip>/<masque de réseau> voire une simple
-<adresse ip>. Voir
+<adresse IP>,<adresse IP> ou <adresse IP>/<masque de réseau> voire une simple
+<adresse IP>. Voir
 .B --dhcp-fqdn
 qui peut changer le comportement de dnsmasq relatif aux domaines.

 Si la gamme d'adresse est fournie sous la forme
-<adresse ip>/<taille de réseau>, alors le drapeau "local" peut-être rajouté
-qui a pour effect d'ajouter --local-declarations aux requêtes DNS directes et
+<adresse IP>/<taille de réseau>, alors le drapeau "local" peut être rajouté
+qui a pour effet d'ajouter --local-declarations aux requêtes DNS directes et
 inverses. C-à-d
 .B --domain=thekelleys.org.uk,192.168.0.0/24,local
 est identique à
 .B --domain=thekelleys.org.uk,192.168.0.0/24
 --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
-La taille de réseau doit-être de 8, 16 ou 24 pour être valide.
+La taille de réseau doit être de 8, 16 ou 24 pour être valide.
 .TP
 .B --dhcp-fqdn
 Dans le mode par défaut, dnsmasq insère les noms non-qualifiés des clients
@@ -1717,8 +1732,8 @@ ce nom est transféré au nouveau client. Si
 est spécifié, ce comportement change : les noms non qualifiés ne sont plus
 rajoutés dans le DNS, seuls les noms qualifiés le sont. Deux clients DHCP
 avec le même nom peuvent tous les deux garder le nom, pour peu que la partie
-relative au domaine soit différente (c-à-d que les noms pleinements qualifiés
-diffèrent). Pour d'assurer que tous les noms ont une partie domaine, il doit-y
+relative au domaine soit différente (c-à-d que les noms pleinement qualifiés
+diffèrent). Pour s'assurer que tous les noms ont une partie domaine, il doit y
 avoir au moins un
 .B --domain
 sans gamme d'adresses de spécifié lorsque l'option
@@ -1735,7 +1750,7 @@ Windows de la mise à jour de serveurs Active Directory. Voir la RFC 4702 pour
 plus de détails.
 .TP
 .B --enable-ra
-Active la fonctionalité d'annonces routeurs IPv6 ("IPv6 Router Advertisement").
+Active la fonctionnalité d'annonces routeurs IPv6 ("IPv6 Router Advertisement").
 DHCPv6 ne gère pas la configuration complète du réseau de la même façon que
 DHCPv4. La découverte de routeurs et la découverte (éventuelle) de préfixes pour
 la création autonome d'adresse sont gérées par un protocole différent.
@@ -1747,7 +1762,7 @@ dhcp-range et, par défaut, fournir comme valeur de routeur et de DNS récursif
 la valeur d'adresse link-local appropriée parmi celles de la machine sur
 laquelle tourne dnsmasq.
 Par défaut, les bits "managed address" sont positionnés, et le bit "use SLAAC"
-("utiliser SLAAC") est réinitialisé. Cela peut-être changé pour des
+("utiliser SLAAC") est réinitialisé. Cela peut être changé pour des
 sous-réseaux donnés par le biais du mot clef de mode décris dans
 .B --dhcp-range.
 Les paramètres DNS du RFC6106 sont inclus dans les annonces. Par défaut,
@@ -1759,16 +1774,16 @@ DNSSL.
 .B --ra-param=<interface>,[mtu:<valeur>|<interface>|off,][high,|low,]<intervalle d'annonce routeur>[,<durée de vie route>]
 Configure pour une interface donnée des valeurs pour les annonces routeurs
 différentes des valeurs par défaut. La valeur par défaut du champ priorité
-pour le routeur peut-être changée de "medium" (moyen) à "high" (haute) ou
+pour le routeur peut être changée de "medium" (moyen) à "high" (haute) ou
 "low" (basse). Par exemple :
 .B --ra-param=eth0,high,0.
-Un intervalle (en secondes) entre les annonces routeur peut-être fourni par :
+Un intervalle (en secondes) entre les annonces routeur peut être fourni par :
 .B --ra-param=eth0,60.
-La durée de vie de la route peut-être changée ou mise à zéro, auquel cas 
+La durée de vie de la route peut être changée ou mise à zéro, auquel cas
 le routeur peut annoncer les préfixes mais pas de route :
-.B --ra-parm=eth0,0,0
+.B --ra-param=eth0,0,0
 (une valeur de zéro pour l'intervalle signifie qu'il garde la valeur par défaut).
-Ces quatre paramètres peuvent-être configurés en une fois :
+Ces quatre paramètres peuvent être configurés en une fois :
 .B --ra-param=eth0,mtu:1280,low,60,1200
 La valeur pour l'interface peut inclure un caractère joker.
 .TP
@@ -1776,7 +1791,7 @@ La valeur pour l'interface peut inclure un caractère joker.
 Active la fonction serveur TFTP. Celui-ci est de manière délibérée limité aux
 fonctions nécessaires au démarrage par le réseau ("net-boot") d'un client. Seul
 un accès en lecture est possible; les extensions tsize et blksize sont supportées
-(tsize est seulement supporté en mode octet). Sans argument optionel, le service
+(tsize est seulement supportée en mode octet). Sans argument optionnel, le service
 TFTP est fourni sur les mêmes interfaces que le service DHCP. Si une liste
 d'interfaces est fournie, cela définit les interfaces sur lesquelles le
 service TFTP sera activé.
@@ -1847,9 +1862,9 @@ Un serveur TFTP écoute sur le port prédéfini 69 ("well-known port") pour
 l'initiation de la connexion, mais utilise également un port dynamiquement
 alloué pour chaque connexion. Normalement, ces ports sont alloués par
 le système d'exploitation, mais cette option permet de spécifier une gamme
-de ports à utiliser pour les transferts TFTP. Cela peut-être utile si
+de ports à utiliser pour les transferts TFTP. Cela peut être utile si
 TFTP doit traverser un dispositif garde-barrière ("firewall"). La valeur
-de début pour la plage de port ne peut-être inférieure à 1025 sauf si
+de début pour la plage de port ne peut être inférieure à 1025 sauf si
 dnsmasq tourne en temps que super-utilisateur ("root"). Le nombre de
 connexions TFTP concurrentes est limitée par la taille de la gamme de
 ports ainsi spécifiée.
@@ -1859,8 +1874,8 @@ Un serveur TFTP écoute sur un numéro de port bien connu (69) pour l'initiation
 de la connexion, et alloue dynamiquement un port pour chaque connexion. Ces
 numéros de ports sont en principe alloués par le système d'exploitation, mais
 cette option permet de spécifier une gamme de ports à utiliser pour les
-transferts TFTP. Cela peut-être utile lorsque ceux-ci doivent traverser un
-dispositif garde-barrière ("firewall"). Le début de la plage ne peut-être
+transferts TFTP. Cela peut être utile lorsque ceux-ci doivent traverser un
+dispositif garde-barrière ("firewall"). Le début de la plage ne peut être
 inférieur à 1024 à moins que Dnsmasq ne fonctionne en temps que
 super-utilisateur ("root"). Le nombre maximal de connexions TFTP concurrentes
 est limitée par la taille de la plage de ports ainsi définie. 
@@ -1895,7 +1910,7 @@ par "--". Les lignes commençant par # sont des commentaires et sont ignorées.
 Pour les options qui ne peuvent-être spécifiées qu'une seule fois, celle du
 fichier de configuration prends le pas sur celle fournie en ligne de commande.
 Il est possible d'utiliser des guillemets afin d'éviter que les ",",":","." et
-"#" ne soit interprêtés, et il est possible d'utiliser les séquences
+"#" ne soient interprétés, et il est possible d'utiliser les séquences
 d'échappement suivantes : \\\\ \\" \\t \\e \\b \\r et \\n. Elles correspondent
 respectivement à la barre oblique descendante ("anti-slash"), guillemets doubles,
 tabulation, caractère d'échappement ("escape"), suppression ("backspace"), retour ("return") et
@@ -1940,8 +1955,8 @@ traces dans un fichier (voir
 .B --log-facility
 ), alors 
 .B Dnsmasq
-ferme et re-rouvre le fichier de traces. Il faut noter que pendant cette
-opération Dnsmasq ne s'exécute pas en temps que "root". Lorsqu'il créé un
+ferme et rouvre le fichier de traces. Il faut noter que pendant cette
+opération Dnsmasq ne s'exécute pas en tant que "root". Lorsqu'il créé un
 fichier de traces pour la première fois, Dnsmasq change le propriétaire du
 fichier afin de le faire appartenir à l'utilisateur non "root" sous lequel
 Dnsmasq s'exécute. Le logiciel de rotation de fichiers de trace logrotate doit
@@ -1983,7 +1998,7 @@ qu'une connexion PPP ne soit établie. Dans ce cas, Dnsmasq vérifie régulière
 pour voir si un fichier
 .I /etc/resolv.conf 
 est créé. Dnsmasq peut être configuré pour lire plus d'un fichier resolv.conf.
-Cela est utile sur un ordinateur portable où PPP et DHCP peuvent-être utilisés :
+Cela est utile sur un ordinateur portable où PPP et DHCP peuvent être utilisés :
 Dnsmasq peut alors être configuré pour lire à la fois
 .I /etc/ppp/resolv.conf 
 et
@@ -2007,7 +2022,7 @@ ou alors en mettant leurs adresses dans un autre fichier, par exemple
 .I /etc/resolv.dnsmasq
 et en lançant Dnsmasq avec l'option
 .B \-r /etc/resolv.dnsmasq.
-Cette deuxième technique permet la mise-à-jour dynamique des addresses de
+Cette deuxième technique permet la mise-à-jour dynamique des adresses de
 serveurs DNS amont par le biais de PPP ou DHCP.
 .PP
 Les adresses dans /etc/hosts prennent le dessus sur celles fournies par le
@@ -2067,10 +2082,10 @@ et pour affecter l'option envoyée, sur la base de la plage sélectionnée.

 Ce système a évolué d'un système plus ancien et aux possibilités plus limitées,
 et pour des raisons de compatibilité "net:" peut être utilisé à la place de
-"tag:" et "set:" peut-être omis (à l'exception de
+"tag:" et "set:" peut être omis (à l'exception de
 .B dhcp-host,
-où "net:" peut-être utilisé à la place de "set:"). Pour les mêmes raisons, '#'
-peut-être utilisé à la place de '!' pour indiquer la négation.
+où "net:" peut être utilisé à la place de "set:"). Pour les mêmes raisons, '#'
+peut être utilisé à la place de '!' pour indiquer la négation.
 .PP 
 Le serveur DHCP intégré dans Dnsmasq fonctionne également en temps que serveur
 BOOTP, pour peu que l'adresse MAC et l'adresse IP des clients soient fournies,
@@ -2097,7 +2112,7 @@ scénarios de complexité croissante. Le pré-requis pour chacun de ces scénari
 est l'existence d'une adresse IP globalement disponible, d'un enregistrement de
 type A ou AAAA pointant vers cette adresse, ainsi que d'un serveur DNS externe
 capable d'effectuer la délégation de la zone en question. Pour la première
-partie de ces explications, nous allons appeller serveur.exemple.com
+partie de ces explications, nous allons appeler serveur.exemple.com
 l'enregistrement A (ou AAAA) de l'adresse globalement accessible, et
 notre.zone.com la zone pour laquelle dnsmasq fait autorité.

@@ -2138,11 +2153,11 @@ notre.zone.com            NS    our.zone.com
 .fi

 L'enregistrement A pour notre.zone.com est dorénavant un enregistrement "colle"
-qui résoud le problème de poule et d'oeuf consistant à trouver l'adresse IP
+qui résout le problème de poule et d'oeuf consistant à trouver l'adresse IP
 du serveur de nom pour notre.zone.com lorsque l'enregistrement se trouve dans
 la zone en question. Il s'agit du seul rôle de cet enregistrement : comme dnsmasq
 fait désormais autorité pour notre.zone.com, il doit également fournir cet
-enregistrement. Si l'adresse externe est statique, cela peut-être réalisé par
+enregistrement. Si l'adresse externe est statique, cela peut être réalisé par
 le biais d'une entrée dans
 .B /etc/hosts 
 ou via un
@@ -2194,7 +2209,7 @@ spécifiques, vous pouvez le faire via :
 Dnsmasq joue le rôle de serveur faisant autorité pour les domaines in-addr.arpa
 et ip6.arpa associés aux sous-réseaux définis dans la déclaration de zone
 auth-zone, ce qui fait que les requêtes DNS inversées (de l'adresse vers
-le nom) peuvent-simplement être configurées avec un enregistrement NS
+le nom) peuvent simplement être configurées avec un enregistrement NS
 adéquat. Par exemple, comme nous définissons plus haut les adresses
 1.2.3.0/24 :
 .nf
@@ -2243,7 +2258,7 @@ celui fourni par
 .B --domain.
 Si l'option
 .B --dhcp-fqdn
-est fournie, alors les noms pleinemenet qualifiés associés aux baux DHCP
+est fournie, alors les noms pleinement qualifiés associés aux baux DHCP
 sont utilisés, dès lors qu'ils correspondent au nom de domaine associé
 à la zone.

@@ -2282,7 +2297,7 @@ Dnsmasq est capable de gérer le DNS et DHCP pour au moins un millier de clients
 Pour cela, la durée des bail ne doit pas être très courte (moins d'une heure).
 La valeur de
 .B --dns-forward-max 
-peut-être augmentée : commencer par la rendre égale au nombre de clients et
+peut être augmentée : commencer par la rendre égale au nombre de clients et
 l'augmenter si le DNS semble lent. Noter que la performance du DNS dépends
 également de la performance des serveurs amonts. La taille du cache DNS peut-
 être augmentée : la limite en dur est de 10000 entrées et la valeur par défaut
@@ -2306,7 +2321,7 @@ Il est possible d'utiliser Dnsmasq pour bloquer la publicité sur la toile
 en associant des serveurs de publicité bien connus à l'adresse 127.0.0.1 ou
 0.0.0.0 par le biais du fichier
 .B /etc/hosts 
-ou d'un fichier d'hôte additionnel. Cette liste peut-être très longue, Dnsmasq
+ou d'un fichier d'hôte additionnel. Cette liste peut être très longue, Dnsmasq
 ayant été testé avec succès avec un million de noms. Cette taille de fichier
 nécessite un processeur à 1 Ghz et environ 60 Mo de RAM.

--- a/po/de.po
+++ b/po/de.po
--- a/po/es.po
+++ b/po/es.po
--- a/po/fi.po
+++ b/po/fi.po
--- a/po/fr.po
+++ b/po/fr.po
--- a/po/id.po
+++ b/po/id.po
--- a/po/it.po
+++ b/po/it.po
--- a/po/ka.po
+++ b/po/ka.po
--- a/po/no.po
+++ b/po/no.po
--- a/po/pl.po
+++ b/po/pl.po
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ro.po
+++ b/po/ro.po
--- a/setup.html
+++ b/setup.html
@@ -125,7 +125,7 @@ address of its ethernet card. For the former to work, a machine needs to know it
 requests a DHCP lease. For dhcpcd, the -h option specifies this. The
 names may be anything as far as DHCP is concerned, but dnsmasq adds
 some limitations. By default the names must no have a domain part, ie
-they must just be a alphanumeric name, without any dots.  This is a
+they must just be alphanumeric names, without any dots.  This is a
 security feature to stop a machine on your network telling DHCP that
 its name is "www.microsoft.com" and thereby grabbing traffic which
 shouldn't go to it. A domain part is only allowed by dnsmasq in DHCP machine names
--- a/src/arp.c
+++ b/src/arp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ struct arp_record {
  unsigned short hwlen, status;
  int family;
  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
-  struct all_addr addr;
+  union all_addr addr;
  struct arp_record *next;
 };

@@ -44,11 +44,6 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
  if (maclen > DHCP_CHADDR_MAX)
    return 1;

-#ifndef HAVE_IPV6
-  if (family != AF_INET)
-    return 1;
-#endif
-
  /* Look for existing entry */
  for (arp = arps; arp; arp = arp->next)
    {
@@ -57,16 +52,14 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
      
      if (family == AF_INET)
 	{
-	  if (arp->addr.addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
+	  if (arp->addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
 	    continue;
 	}
-#ifdef HAVE_IPV6
      else
 	{
-	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, (struct in6_addr *)addrp))
+	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, (struct in6_addr *)addrp))
 	    continue;
 	}
-#endif

      if (arp->status == ARP_EMPTY)
 	{
@@ -102,11 +95,9 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
      arp->family = family;
      memcpy(arp->hwaddr, mac, maclen);
      if (family == AF_INET)
-	arp->addr.addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
-#ifdef HAVE_IPV6
+	arp->addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
      else
-	memcpy(&arp->addr.addr.addr6, addrp, IN6ADDRSZ);
-#endif
+	memcpy(&arp->addr.addr6, addrp, IN6ADDRSZ);
    }
  
  return 1;
@@ -133,14 +124,12 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	    continue;
 	    
 	  if (arp->family == AF_INET &&
-	      arp->addr.addr.addr4.s_addr != addr->in.sin_addr.s_addr)
+	      arp->addr.addr4.s_addr != addr->in.sin_addr.s_addr)
 	    continue;
 	    
-#ifdef HAVE_IPV6
 	  if (arp->family == AF_INET6 && 
-	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, &addr->in6.sin6_addr))
+	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, &addr->in6.sin6_addr))
 	    continue;
-#endif
 	  
 	  /* Only accept positive entries unless in lazy mode. */
 	  if (arp->status != ARP_EMPTY || lazy || updated)
@@ -163,7 +152,7 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	 if (arp->status != ARP_EMPTY)
 	   arp->status = ARP_MARK;
       
-       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       iface_enumerate(AF_UNSPEC, NULL, (callback_t){.af_unspec=filter_mac});
       
       /* Remove all unconfirmed entries to old list. */
       for (arp = arps, up = &arps; arp; arp = tmp)
@@ -202,11 +191,9 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
      arp->hwlen = 0;

      if (addr->sa.sa_family == AF_INET)
-	arp->addr.addr.addr4.s_addr = addr->in.sin_addr.s_addr;
-#ifdef HAVE_IPV6
+	arp->addr.addr4.s_addr = addr->in.sin_addr.s_addr;
      else
-	memcpy(&arp->addr.addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
-#endif
+	memcpy(&arp->addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
    }
 	  
   return 0;
@@ -243,5 +230,3 @@ int do_arp_script_run(void)

  return 0;
 }
-
-
--- a/src/auth.c
+++ b/src/auth.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,32 +18,30 @@

 #ifdef HAVE_AUTH

-static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
+static struct addrlist *find_addrlist(struct addrlist *list, int flag, union all_addr *addr_u)
 {
  do {
    if (!(list->flags & ADDRLIST_IPV6))
      {
-	struct in_addr netmask, addr = addr_u->addr.addr4;
+	struct in_addr netmask, addr = addr_u->addr4;
 	
 	if (!(flag & F_IPV4))
 	  continue;
 	
 	netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
 	
-	if  (is_same_net(addr, list->addr.addr.addr4, netmask))
+	if  (is_same_net(addr, list->addr.addr4, netmask))
 	  return list;
      }
-#ifdef HAVE_IPV6
-    else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
+    else if (is_same_net6(&(addr_u->addr6), &list->addr.addr6, list->prefixlen))
      return list;
-#endif
    
  } while ((list = list->next));
  
  return NULL;
 }

-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (!zone->subnet)
    return NULL;
@@ -51,7 +49,7 @@ static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all
  return find_addrlist(zone->subnet, flag, addr_u);
 }

-static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (!zone->exclude)
    return NULL;
@@ -59,7 +57,7 @@ static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct al
  return find_addrlist(zone->exclude, flag, addr_u);
 }

-static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static int filter_zone(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (find_exclude(zone, flag, addr_u))
    return 0;
@@ -98,16 +96,16 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
 }


-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
-		   int local_query, int do_bit, int have_pseudoheader) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now,
+		   union mysockaddr *peer_addr, int local_query) 
 {
  char *name = daemon->namebuff;
  unsigned char *p, *ansp;
-  int qtype, qclass;
+  int qtype, qclass, rc;
  int nameoffset, axfroffset = 0;
  int q, anscount = 0, authcount = 0;
  struct crec *crecp;
-  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0;
  struct auth_zone *zone = NULL;
  struct addrlist *subnet = NULL;
  char *cut;
@@ -115,15 +113,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  struct txt_record *txt;
  struct interface_name *intr;
  struct naptr *na;
-  struct all_addr addr;
+  union all_addr addr;
  struct cname *a, *candidate;
  unsigned int wclen;
  
-  /* Clear buffer beyond request to avoid risk of
-     information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-	 (limit - ((char *)header)) - qlen);
-  
  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
    return 0;

@@ -136,7 +129,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n

  for (q = ntohs(header->qdcount); q != 0; q--)
    {
-      unsigned short flag = 0;
+      unsigned int flag = 0;
      int found = 0;
      int cname_wildcard = 0;
  
@@ -153,6 +146,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
      if (qclass != C_IN)
 	{
 	  auth = 0;
+	  out_of_zone = 1;
 	  continue;
 	}

@@ -166,6 +160,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -185,7 +180,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
+		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
 		    break;
 		
 		if (addrlist)
@@ -194,14 +189,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#ifdef HAVE_IPV6
 	  else if (flag == F_IPV6)
 	    for (intr = daemon->int_names; intr; intr = intr->next)
 	      {
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
+		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
 		    break;
 		
 		if (addrlist)
@@ -210,14 +204,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#endif
 	  
 	  if (intr)
 	    {
 	      if (local_query || in_zone(zone, intr->name, NULL))
 		{	
 		  found = 1;
-		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
 					  T_PTR, C_IN, "d", intr->name))
@@ -241,7 +234,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		      strcat(name, ".");
 		      strcat(name, zone->domain);
 		    }
-		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -250,7 +243,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		}
 	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
 		{
-		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -262,10 +255,21 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    
 	    } while ((crecp = cache_find_by_addr(crecp, &addr, now, flag)));

+	  if (!found && is_rev_synth(flag, &addr, name) && (local_query || in_zone(zone, name, NULL)))
+	    {
+	      log_query(F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0);
+	      found = 1;
+	      
+	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				      daemon->auth_ttl, NULL,
+				      T_PTR, C_IN, "d", name))
+		anscount++;
+	    }
+
 	  if (found)
 	    nxdomain = 0;
 	  else
-	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL);
+	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0);

 	  continue;
 	}
@@ -282,20 +286,21 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
 	}

      for (rec = daemon->mxnames; rec; rec = rec->next)
-	if (!rec->issrv && hostname_isequal(name, rec->name))
+	if (!rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
 	  {
 	    nxdomain = 0;
 	         
-	    if (qtype == T_MX)
+	    if (rc == 2 && qtype == T_MX)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_MX, C_IN, "sd", rec->weight, rec->target))
 		  anscount++;
@@ -303,14 +308,14 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }
      
      for (move = NULL, up = &daemon->mxnames, rec = daemon->mxnames; rec; rec = rec->next)
-	if (rec->issrv && hostname_isequal(name, rec->name))
+	if (rec->issrv && (rc = hostname_issubdomain(name, rec->name)))
 	  {
 	    nxdomain = 0;
 	    
-	    if (qtype == T_SRV)
+	    if (rc == 2 && qtype == T_SRV)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_SRV, C_IN, "sssd", 
 					rec->priority, rec->weight, rec->srvport, rec->target))
@@ -338,13 +343,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}

      for (txt = daemon->rr; txt; txt = txt->next)
-	if (hostname_isequal(name, txt->name))
+	if ((rc = hostname_issubdomain(name, txt->name)))
 	  {
 	    nxdomain = 0;
-	    if (txt->class == qtype)
+	    if (rc == 2 && txt->class == qtype)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -352,13 +357,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }
      
      for (txt = daemon->txt; txt; txt = txt->next)
-	if (txt->class == C_IN && hostname_isequal(name, txt->name))
+	if (txt->class == C_IN && (rc = hostname_issubdomain(name, txt->name)))
 	  {
 	    nxdomain = 0;
-	    if (qtype == T_TXT)
+	    if (rc == 2 && qtype == T_TXT)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_TXT, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -366,13 +371,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  }

       for (na = daemon->naptr; na; na = na->next)
-	 if (hostname_isequal(name, na->name))
+	 if ((rc = hostname_issubdomain(name, na->name)))
 	   {
 	     nxdomain = 0;
-	     if (qtype == T_NAPTR)
+	     if (rc == 2 && qtype == T_NAPTR)
 	       {
 		 found = 1;
-		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
+		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
 		 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, 
 					 NULL, T_NAPTR, C_IN, "sszzzd", 
 					 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
@@ -383,35 +388,42 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       if (qtype == T_A)
 	 flag = F_IPV4;
       
-#ifdef HAVE_IPV6
       if (qtype == T_AAAA)
 	 flag = F_IPV6;
-#endif
       
       for (intr = daemon->int_names; intr; intr = intr->next)
-	 if (hostname_isequal(name, intr->name))
+	 if ((rc = hostname_issubdomain(name, intr->name)))
 	   {
 	     struct addrlist *addrlist;
 	     
 	     nxdomain = 0;
 	     
-	     if (flag)
+	     if (rc == 2 && flag)
 	       for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)  
 		 if (((addrlist->flags & ADDRLIST_IPV6)  ? T_AAAA : T_A) == qtype &&
 		     (local_query || filter_zone(zone, flag, &addrlist->addr)))
 		   {
-#ifdef HAVE_IPV6
 		     if (addrlist->flags & ADDRLIST_REVONLY)
 		       continue;
-#endif
+
 		     found = 1;
-		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
+		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &addrlist->addr))
 		       anscount++;
 		   }
 	     }
+
+       if (!found && is_name_synthetic(flag, name, &addr) )
+	 {
+	   nxdomain = 0;
+	   
+	   log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
+	   if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				   daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addr))
+	     anscount++;
+	 }
       
      if (!cut)
 	{
@@ -420,8 +432,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (qtype == T_SOA)
 	    {
 	      auth = soa = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>", 0);
 	    }
      	  else if (qtype == T_AXFR)
 	    {
@@ -429,27 +440,24 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      if (peer_addr->sa.sa_family == AF_INET)
 		peer_addr->in.sin_port = 0;
-#ifdef HAVE_IPV6
 	      else
 		{
 		  peer_addr->in6.sin6_port = 0; 
 		  peer_addr->in6.sin6_scope_id = 0;
 		}
-#endif
 	      
 	      for (peers = daemon->auth_peers; peers; peers = peers->next)
 		if (sockaddr_isequal(peer_addr, &peers->addr))
 		  break;
 	      
-	      /* Refuse all AXFR unless --auth-sec-servers is set */
-	      if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
+	      /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
+	      if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
+		  (daemon->auth_peers && !peers)) 
 		{
 		  if (peer_addr->sa.sa_family == AF_INET)
 		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_IPV6
 		  else
 		    inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
-#endif
 		  
 		  my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
 		  return 0;
@@ -459,16 +467,14 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;
-	      found = 1;
 	      axfroffset = nameoffset;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>", 0);
 	    }
      	  else if (qtype == T_NS)
 	    {
 	      auth = 1;
 	      ns = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>", 0);
 	    }
 	}
      
@@ -483,12 +489,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  { 
 		    nxdomain = 0;
 		    if ((crecp->flags & flag) && 
-			(local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 			*cut  = 0; /* remove domain part */
-			found = 1;
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						daemon->auth_ttl, NULL, qtype, C_IN, 
 						qtype == T_A ? "4" : "6", &crecp->addr))
@@ -506,10 +511,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    do
 	      { 
 		 nxdomain = 0;
-		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
-		     found = 1;
+		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &crecp->addr))
@@ -556,7 +560,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (candidate)
 	    {
-	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
+	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL, 0);
 	      strcpy(name, candidate->target);
 	      if (!strchr(name, '.'))
 		{
@@ -571,8 +575,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      goto cname_restart;
 	    }
+	  else if (cache_find_non_terminal(name, now))
+	    nxdomain = 0;

-	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL);
+	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0);
 	}
      
    }
@@ -593,19 +599,18 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n

 	  if (!(subnet->flags & ADDRLIST_IPV6))
 	    {
-	      in_addr_t a = ntohl(subnet->addr.addr.addr4.s_addr) >> 8;
+	      in_addr_t a = ntohl(subnet->addr.addr4.s_addr) >> 8;
 	      char *p = name;
 	      
 	      if (subnet->prefixlen >= 24)
-		p += sprintf(p, "%d.", a & 0xff);
+		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
 	      if (subnet->prefixlen >= 16 )
-		p += sprintf(p, "%d.", a & 0xff);
+		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
-	      p += sprintf(p, "%d.in-addr.arpa", a & 0xff);
+	      sprintf(p, "%u.in-addr.arpa", a & 0xff);
 	      
 	    }
-#ifdef HAVE_IPV6
 	  else
 	    {
 	      char *p = name;
@@ -613,13 +618,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      for (i = subnet->prefixlen-1; i >= 0; i -= 4)
 		{ 
-		  int dig = ((unsigned char *)&subnet->addr.addr.addr6)[i>>3];
+		  int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
 		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
 		}
-	      p += sprintf(p, "ip6.arpa");
+	      sprintf(p, "ip6.arpa");
 	      
 	    }
-#endif
 	}
      
      /* handle NS and SOA in auth section or for explicit queries */
@@ -643,16 +647,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	{
 	  struct name_list *secondary;
 	  
-	  newoffset = ansp - (unsigned char *)header;
-	  if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
-				  daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+	  /* Only include the machine running dnsmasq if it's acting as an auth server */
+	  if (daemon->authinterface)
 	    {
-	      if (offset == 0) 
-		offset = newoffset;
-	      if (ns) 
-		anscount++;
-	      else
-		authcount++;
+	      newoffset = ansp - (unsigned char *)header;
+	      if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
+				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+		{
+		  if (offset == 0) 
+		    offset = newoffset;
+		  if (ns) 
+		    anscount++;
+		  else
+		    authcount++;
+		}
 	    }

 	  if (!subnet)
@@ -756,14 +764,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 					  daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
 		
-#ifdef HAVE_IPV6
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) 
 		  if ((addrlist->flags & ADDRLIST_IPV6) && 
 		      (local_query || filter_zone(zone, F_IPV6, &addrlist->addr)) &&
 		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
 					  daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
-#endif		    
 		
 		/* restore config data */
 		if (cut)
@@ -800,38 +806,26 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    {
 		      char *cache_name = cache_get_name(crecp);
 		      if (!strchr(cache_name, '.') && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
-			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
-			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						  daemon->auth_ttl, NULL, qtype, C_IN, 
-						  (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
-			    anscount++;
-			}
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))) &&
+			  add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					      daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
+					      (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
+			anscount++;
 		    }
 		  
 		  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
 		    {
 		      strcpy(name, cache_get_name(crecp));
 		      if (in_zone(zone, name, &cut) && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))))
 			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
-			   if (cut)
-			     *cut = 0;
+			  if (cut)
+			    *cut = 0;

-			   if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						   daemon->auth_ttl, NULL, qtype, C_IN, 
-						   (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
-			     anscount++;
+			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+						  daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
+						  (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
+			    anscount++;
 			}
 		    }
 		}
@@ -865,30 +859,44 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
      header->hb4 &= ~HB4_RA;
    }

+  /* data is never DNSSEC signed. */
+  header->hb4 &= ~HB4_AD;
+
  /* authoritative */
  if (auth)
    header->hb3 |= HB3_AA;
  
  /* truncation */
  if (trunc)
-    header->hb3 |= HB3_TC;
+    {
+      header->hb3 |= HB3_TC;
+      if (!(ansp = skip_questions(header, qlen)))
+	return 0; /* bad packet */
+      anscount = authcount = 0;
+      log_query(F_AUTH, "reply", NULL, "truncated", 0);
+    }
  
  if ((auth || local_query) && nxdomain)
    SET_RCODE(header, NXDOMAIN);
  else
    SET_RCODE(header, NOERROR); /* no error */
+  
  header->ancount = htons(anscount);
  header->nscount = htons(authcount);
  header->arcount = htons(0);

-  /* Advertise our packet size limit in our reply */
-  if (have_pseudoheader)
-    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
-
+  if (!local_query && out_of_zone)
+    {
+      SET_RCODE(header, REFUSED); 
+      header->ancount = htons(0);
+      header->nscount = htons(0);
+      addr.log.rcode = REFUSED;
+      addr.log.ede = EDE_NOT_AUTH;
+      log_query(F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0);
+      return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
+    }
+  
  return ansp - (unsigned char *)header;
 }
  
 #endif  
-  
-
-
--- a/src/blockdata.c
+++ b/src/blockdata.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -16,16 +16,14 @@

 #include "dnsmasq.h"

-#ifdef HAVE_DNSSEC
-
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;

-static void blockdata_expand(int n)
+static void add_blocks(int n)
 {
  struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
  
-  if (n > 0 && new)
+  if (new)
    {
      int i;
      
@@ -49,57 +47,133 @@ void blockdata_init(void)

  /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
  if (option_bool(OPT_DNSSEC_VALID))
-    blockdata_expand((daemon->cachesize * 100) / sizeof(struct blockdata));
+    add_blocks(daemon->cachesize);
 }

 void blockdata_report(void)
 {
-  if (option_bool(OPT_DNSSEC_VALID))
-    my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
-	      blockdata_count * sizeof(struct blockdata),  
-	      blockdata_hwm * sizeof(struct blockdata),  
-	      blockdata_alloced * sizeof(struct blockdata));
+  my_syslog(LOG_INFO, _("pool memory in use %zu, max %zu, allocated %zu"), 
+	    blockdata_count * sizeof(struct blockdata),  
+	    blockdata_hwm * sizeof(struct blockdata),  
+	    blockdata_alloced * sizeof(struct blockdata));
 } 

-struct blockdata *blockdata_alloc(char *data, size_t len)
+static struct blockdata *new_block(void)
+{
+  struct blockdata *block;
+
+  if (!keyblock_free)
+    add_blocks(50);
+  
+  if (keyblock_free)
+    {
+      block = keyblock_free;
+      keyblock_free = block->next;
+      blockdata_count++;
+      if (blockdata_hwm < blockdata_count)
+	blockdata_hwm = blockdata_count;
+      block->next = NULL;
+      return block;
+    }
+  
+  return NULL;
+}
+
+static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
  struct blockdata *block, *ret = NULL;
  struct blockdata **prev = &ret;
  size_t blen;

-  while (len > 0)
+  do
    {
-      if (!keyblock_free)
-	blockdata_expand(50);
-      
-      if (keyblock_free)
-	{
-	  block = keyblock_free;
-	  keyblock_free = block->next;
-	  blockdata_count++; 
-	}
-      else
+      if (!(block = new_block()))
 	{
 	  /* failed to alloc, free partial chain */
 	  blockdata_free(ret);
 	  return NULL;
 	}
-       
-      if (blockdata_hwm < blockdata_count)
-	blockdata_hwm = blockdata_count; 
+
+      if ((blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len) > 0)
+	{
+	  if (data)
+	    {
+	      memcpy(block->key, data, blen);
+	      data += blen;
+	    }
+	  else if (!read_write(fd, block->key, blen, RW_READ))
+	    {
+	      /* failed read free partial chain */
+	      blockdata_free(ret);
+	      return NULL;
+	    }
+	}
      
-      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      memcpy(block->key, data, blen);
-      data += blen;
      len -= blen;
      *prev = block;
      prev = &block->next;
-      block->next = NULL;
-    }
+    } while (len != 0);
  
  return ret;
 }

+struct blockdata *blockdata_alloc(char *data, size_t len)
+{
+  return blockdata_alloc_real(0, data, len);
+}
+
+/* Add data to the end of the block. 
+   newlen is length of new data, NOT total new length. 
+   Use blockdata_alloc(NULL, 0) to make empty block to add to. */
+int blockdata_expand(struct blockdata *block, size_t oldlen, char *data, size_t newlen)
+{
+  struct blockdata *b;
+  
+  /* find size of current final block */
+  for (b = block; oldlen > KEYBLOCK_LEN && b;  b = b->next, oldlen -= KEYBLOCK_LEN);
+
+  /* chain to short for length, something is broken */
+  if (oldlen > KEYBLOCK_LEN)
+    {
+      blockdata_free(block);
+      return 0;
+    }
+
+  while (1)
+    {
+      struct blockdata *new;
+      size_t blocksize = KEYBLOCK_LEN - oldlen;
+      size_t size = (newlen <= blocksize) ? newlen : blocksize;
+      
+      if (size != 0)
+	{
+	  memcpy(&b->key[oldlen], data, size);
+	  data += size;
+	  newlen -= size;
+	}
+      
+      /* full blocks from now on. */
+      oldlen = 0;
+
+      if (newlen == 0)
+	break;
+
+      if ((new = new_block()))
+	{
+	  b->next = new;
+	  b = new;
+	}
+      else
+	{
+	  /* failed to alloc, free partial chain */
+	  blockdata_free(block);
+	  return 0;
+	}
+    }
+
+  return 1;
+}
+
 void blockdata_free(struct blockdata *blocks)
 {
  struct blockdata *tmp;
@@ -147,5 +221,19 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)

  return data;
 }
- 
-#endif
+
+
+void blockdata_write(struct blockdata *block, size_t len, int fd)
+{
+  for (; len > 0 && block; block = block->next)
+    {
+      size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      read_write(fd, block->key, blen, RW_WRITE);
+      len -= blen;
+    }
+}
+
+struct blockdata *blockdata_read(int fd, size_t len)
+{
+  return blockdata_alloc_real(fd, NULL, len);
+}
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,9 +31,7 @@
 #  include <net/if_var.h> 
 #endif
 #include <netinet/in_var.h>
-#ifdef HAVE_IPV6
-#  include <netinet6/in6_var.h>
-#endif
+#include <netinet6/in6_var.h>

 #ifndef SA_SIZE
 #define SA_SIZE(sa)                                             \
@@ -44,12 +42,12 @@

 #ifdef HAVE_BSD_NETWORK
 static int del_family = 0;
-static struct all_addr del_addr;
+static union all_addr del_addr;
 #endif

 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)

-int arp_enumerate(void *parm, int (*callback)())
+int arp_enumerate(void *parm, callback_t callback)
 {
  int mib[6];
  size_t needed;
@@ -93,7 +91,7 @@ int arp_enumerate(void *parm, int (*callback)())
      rtm = (struct rt_msghdr *)next;
      sin2 = (struct sockaddr_inarp *)(rtm + 1);
      sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
-      if (!(*callback)(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
+      if (!callback.af_unspec(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
 	return 0;
    }

@@ -109,7 +107,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())

  if (family == AF_UNSPEC)
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
-    return  arp_enumerate(parm, callback);
+    return  arp_enumerate(parm, callback.af_unspec);
 #else
  return 0; /* need code for Solaris and MacOS*/
 #endif
@@ -121,7 +119,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
  if (getifaddrs(&head) == -1)
    return 0;

-#if defined(HAVE_BSD_NETWORK) && defined(HAVE_IPV6)
+#if defined(HAVE_BSD_NETWORK)
  if (family == AF_INET6)
    fd = socket(PF_INET6, SOCK_DGRAM, 0);
 #endif
@@ -141,7 +139,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      struct in_addr addr, netmask, broadcast;
 	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET && del_addr.addr.addr4.s_addr == addr.s_addr)
+	      if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
 		continue;
 #endif
 	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
@@ -149,10 +147,9 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
 	      else 
 		broadcast.s_addr = 0;	      
-	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
+	      if (!callback.af_inet(addr, iface_index, NULL, netmask, broadcast, parm))
 		goto err;
 	    }
-#ifdef HAVE_IPV6
 	  else if (family == AF_INET6)
 	    {
 	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
@@ -162,14 +159,14 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      u32 valid = 0xffffffff, preferred = 0xffffffff;
 	      int flags = 0;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr.addr6, addr))
+	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
 		continue;
 #endif
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 	      struct in6_ifreq ifr6;

 	      memset(&ifr6, 0, sizeof(ifr6));
-	      strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	      safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
 	      
 	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
 	      if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
@@ -215,11 +212,10 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		  addr->s6_addr[3] = 0;
 		} 
 	     
-	      if (!((*callback)(addr, prefix, scope_id, iface_index, flags,
-				(int) preferred, (int)valid, parm)))
+	      if (!callback.af_inet6(addr, prefix, scope_id, iface_index, flags,
+				(unsigned int) preferred, (unsigned int)valid, parm))
 		goto err;	      
 	    }
-#endif /* HAVE_IPV6 */

 #ifdef HAVE_DHCP6      
 	  else if (family == AF_LINK)
@@ -227,7 +223,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      /* Assume ethernet again here */
 	      struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
 	      if (sdl->sdl_alen != 0 && 
-		  !((*callback)(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm)))
+		  !callback.af_local(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm))
 		goto err;
 	    }
 #endif 
@@ -426,11 +422,9 @@ void route_sock(void)
 	       {
 		 del_family = sa->sa_family;
 		 if (del_family == AF_INET)
-		   del_addr.addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
-#ifdef HAVE_IPV6
+		   del_addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
 		 else if (del_family == AF_INET6)
-		   del_addr.addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
-#endif
+		   del_addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
 		 else
 		   del_family = 0;
 	       }
@@ -446,5 +440,3 @@ void route_sock(void)
 }

 #endif /* HAVE_BSD_NETWORK */
-
-
--- a/src/cache.c
+++ b/src/cache.c
--- a/src/config.h
+++ b/src/config.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -15,20 +15,24 @@
 */

 #define FTABSIZ 150 /* max number of outstanding requests (default) */
-#define MAX_PROCS 20 /* max no children for TCP requests */
+#define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
-#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
+#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
+#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */
+#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */
+#define TIMEOUT 10     /* drop UDP queries after TIMEOUT seconds */
+#define SMALL_PORT_RANGE 30 /* If DNS port range is smaller than this, use different allocation. */
 #define FORWARD_TEST 50 /* try all servers every 50 queries */
 #define FORWARD_TIME 20 /* or 20 seconds */
+#define UDP_TEST_TIME 60 /* How often to reset our idea of max packet size. */
 #define SERVERS_LOGGED 30 /* Only log this many servers when logging state */
 #define LOCALS_LOGGED 8 /* Only log this many local addresses when logging state */
-#define RANDOM_SOCKS 64 /* max simultaneous random ports */
 #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
 #define CACHESIZ 150 /* default cache size */
 #define TTL_FLOOR_LIMIT 3600 /* don't allow --min-cache-ttl to raise TTL above this under any circumstances */
@@ -39,9 +43,11 @@
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 50 /* most domain names are smaller than this */
 #define CNAME_CHAIN 10 /* chains longer than this atr dropped for loop protection */
+#define DNSSEC_MIN_TTL 60 /* DNSKEY and DS records in cache last at least this long */
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
-#define DEFLEASE 3600 /* default lease time, 1 hour */
+#define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
+#define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
@@ -49,12 +55,15 @@
 #define RANDFILE "/dev/urandom"
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
 #define DNSMASQ_PATH "/uk/org/thekelleys/dnsmasq"
+#define DNSMASQ_UBUS_NAME "dnsmasq" /* Default - may be overridden by config */
 #define AUTH_TTL 600 /* default TTL for auth DNS */
 #define SOA_REFRESH 1200 /* SOA refresh default */
 #define SOA_RETRY 180 /* SOA retry default */
 #define SOA_EXPIRY 1209600 /* SOA expiry default */
 #define LOOP_TEST_DOMAIN "test" /* domain for loop testing, "test" is reserved by RFC 2606 and won't therefore clash */
 #define LOOP_TEST_TYPE T_TXT
+#define DEFAULT_FAST_RETRY 1000 /* ms, default delay before fast retry */
+#define STALE_CACHE_EXPIRY 86400 /* 1 day in secs, default maximum expiry time for stale cache data */
 
 /* compile-time options: uncomment below to enable or do eg.
   make COPTS=-DHAVE_BROKEN_RTC
@@ -93,6 +102,9 @@ HAVE_DBUS
   support some methods to allow (re)configuration of the upstream DNS 
   servers via DBus.

+HAVE_UBUS
+   define this if you want to link against libubus
+
 HAVE_IDN
   define this if you want international domain name 2003 support.
   
@@ -109,6 +121,10 @@ HAVE_IPSET
    define this to include the ability to selectively add resolved ip addresses
    to given ipsets.

+HAVE_NFTSET
+    define this to include the ability to selectively add resolved ip addresses
+    to given nftables sets.
+
 HAVE_AUTH
   define this to include the facility to act as an authoritative DNS
   server for one or more zones.
@@ -116,6 +132,9 @@ HAVE_AUTH
 HAVE_DNSSEC
   include DNSSEC validator.

+HAVE_DUMPFILE
+   include code to dump packets to a libpcap-format file for debugging.
+
 HAVE_LOOP
   include functionality to probe for and remove DNS forwarding loops.

@@ -124,21 +143,19 @@ HAVE_INOTIFY

 NO_ID
   Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
-NO_IPV6
 NO_TFTP
 NO_DHCP
 NO_DHCP6
 NO_SCRIPT
 NO_LARGEFILE
 NO_AUTH
+NO_DUMPFILE
+NO_LOOP
 NO_INOTIFY
   these are available to explicitly disable compile time options which would 
-   otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or 
-   which are enabled  by default in the distributed source tree. Building dnsmasq
+   otherwise be enabled automatically or which are enabled  by default 
+   in the distributed source tree. Building dnsmasq
   with something like "make COPTS=-DNO_SCRIPT" will do the trick.
-
-NO_NETTLE_ECC
-   Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
 NO_GMP
   Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.

@@ -166,6 +183,7 @@ RESOLVFILE
 #define HAVE_AUTH
 #define HAVE_IPSET 
 #define HAVE_LOOP
+#define HAVE_DUMPFILE

 /* Build options which require external libraries.
   
@@ -180,7 +198,7 @@ RESOLVFILE
 /* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
 /* #define HAVE_DNSSEC */
-
+/* #define HAVE_NFTSET */

 /* Default locations for important system files. */

@@ -234,27 +252,13 @@ HAVE_SOCKADDR_SA_LEN
   defined if struct sockaddr has sa_len field (*BSD) 
 */

-/* Must precede __linux__ since uClinux defines __linux__ too. */
-#if defined(__uClinux__)
-#define HAVE_LINUX_NETWORK
-#define HAVE_GETOPT_LONG
-#undef HAVE_SOCKADDR_SA_LEN
-/* Never use fork() on uClinux. Note that this is subtly different from the
-   --keep-in-foreground option, since it also  suppresses forking new 
-   processes for TCP connections and disables the call-a-script on leasechange
-   system. It's intended for use on MMU-less kernels. */
-#define NO_FORK
-
-#elif defined(__UCLIBC__)
+#if defined(__UCLIBC__)
 #define HAVE_LINUX_NETWORK
 #if defined(__UCLIBC_HAS_GNU_GETOPT__) || \
   ((__UCLIBC_MAJOR__==0) && (__UCLIBC_MINOR__==9) && (__UCLIBC_SUBLEVEL__<21))
 #    define HAVE_GETOPT_LONG
 #endif
 #undef HAVE_SOCKADDR_SA_LEN
-#if !defined(__ARCH_HAS_MMU__) && !defined(__UCLIBC_HAS_MMU__)
-#  define NO_FORK
-#endif
 #if defined(__UCLIBC_HAS_IPV6__)
 #  ifndef IPV6_V6ONLY
 #    define IPV6_V6ONLY 26
@@ -282,11 +286,16 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_BSD_NETWORK
 #define HAVE_GETOPT_LONG
 #define HAVE_SOCKADDR_SA_LEN
+#define NO_IPSET
 /* Define before sys/socket.h is included so we get socklen_t */
 #define _BSD_SOCKLEN_T_
 /* Select the RFC_3542 version of the IPv6 socket API. 
   Define before netinet6/in6.h is included. */
-#define __APPLE_USE_RFC_3542 
+#define __APPLE_USE_RFC_3542
+/* Required for Mojave. */
+#ifndef SOL_TCP
+#  define SOL_TCP IPPROTO_TCP
+#endif
 #define NO_IPSET

 #elif defined(__NetBSD__)
@@ -302,29 +311,9 @@ HAVE_SOCKADDR_SA_LEN
 
 #endif

-/* Decide if we're going to support IPv6 */
-/* We assume that systems which don't have IPv6
-   headers don't have ntop and pton either */
-
-#if defined(INET6_ADDRSTRLEN) && defined(IPV6_V6ONLY)
-#  define HAVE_IPV6
-#  define ADDRSTRLEN INET6_ADDRSTRLEN
-#else
-#  if !defined(INET_ADDRSTRLEN)
-#      define INET_ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
-#  endif
-#  undef HAVE_IPV6
-#  define ADDRSTRLEN INET_ADDRSTRLEN
-#endif
-
-
 /* rules to implement compile-time option dependencies and 
   the NO_XXX flags */

-#ifdef NO_IPV6
-#undef HAVE_IPV6
-#endif
-
 #ifdef NO_TFTP
 #undef HAVE_TFTP
 #endif
@@ -334,7 +323,7 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_DHCP6
 #endif

-#if defined(NO_DHCP6) || !defined(HAVE_IPV6)
+#if defined(NO_DHCP6)
 #undef HAVE_DHCP6
 #endif

@@ -343,7 +332,7 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_DHCP
 #endif

-#if defined(NO_SCRIPT) || defined(NO_FORK)
+#if defined(NO_SCRIPT)
 #undef HAVE_SCRIPT
 #undef HAVE_LUASCRIPT
 #endif
@@ -365,6 +354,10 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_LOOP
 #endif

+#ifdef NO_DUMPFILE
+#undef HAVE_DUMPFILE
+#endif
+
 #if defined (HAVE_LINUX_NETWORK) && !defined(NO_INOTIFY)
 #define HAVE_INOTIFY
 #endif
@@ -375,9 +368,6 @@ HAVE_SOCKADDR_SA_LEN
 #ifdef DNSMASQ_COMPILE_OPTS

 static char *compile_opts = 
-#ifndef HAVE_IPV6
-"no-"
-#endif
 "IPv6 "
 #ifndef HAVE_GETOPT_LONG
 "no-"
@@ -386,13 +376,14 @@ static char *compile_opts =
 #ifdef HAVE_BROKEN_RTC
 "no-RTC "
 #endif
-#ifdef NO_FORK
-"no-MMU "
-#endif
 #ifndef HAVE_DBUS
 "no-"
 #endif
 "DBus "
+#ifndef HAVE_UBUS
+"no-"
+#endif
+"UBus "
 #ifndef LOCALEDIR
 "no-"
 #endif
@@ -435,6 +426,10 @@ static char *compile_opts =
 "no-"
 #endif
 "ipset "
+#ifndef HAVE_NFTSET
+"no-"
+#endif
+"nftset "
 #ifndef HAVE_AUTH
 "no-"
 #endif
@@ -453,10 +448,10 @@ static char *compile_opts =
 #ifndef HAVE_INOTIFY
 "no-"
 #endif
-"inotify";
-
-
+"inotify "
+#ifndef HAVE_DUMPFILE
+"no-"
 #endif
+"dumpfile";

-
-
+#endif /* defined(HAVE_DHCP) */
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ static int gotit = 0; /* yuck */

 static int callback(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data);

-int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp)
+int get_incoming_mark(union mysockaddr *peer_addr, union all_addr *local_addr, int istcp, unsigned int *markp)
 {
  struct nf_conntrack *ct;
  struct nfct_handle *h;
@@ -36,21 +36,19 @@ int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr,
      nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP);
      nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port));
      
-#ifdef HAVE_IPV6
      if (peer_addr->sa.sa_family == AF_INET6)
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6);
 	  nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port);
-	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr);
+	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr6.s6_addr);
 	}
      else
-#endif
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
 	  nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port);
-	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr);
+	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr4.s_addr);
 	}
      
      
@@ -84,7 +82,4 @@ static int callback(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, vo
  return NFCT_CB_CONTINUE;
 }

-#endif
-  
-
-
+#endif /* HAVE_CONNTRACK */
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -0,0 +1,506 @@
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#if defined(HAVE_DNSSEC)
+
+/* Minimal version of nettle */
+
+/* bignum.h includes version.h and works on
+   earlier releases of nettle which don't have version.h */
+#include <nettle/bignum.h>
+#if !defined(NETTLE_VERSION_MAJOR)
+#  define NETTLE_VERSION_MAJOR 2
+#  define NETTLE_VERSION_MINOR 0
+#endif
+#define MIN_VERSION(major, minor) ((NETTLE_VERSION_MAJOR == (major) && NETTLE_VERSION_MINOR >= (minor)) || \
+				   (NETTLE_VERSION_MAJOR > (major)))
+
+#include <nettle/rsa.h>
+#include <nettle/ecdsa.h>
+#include <nettle/ecc-curve.h>
+#if MIN_VERSION(3, 1)
+#include <nettle/eddsa.h>
+#endif
+#if MIN_VERSION(3, 6)
+#  include <nettle/gostdsa.h>
+#endif
+
+#if MIN_VERSION(3, 1)
+/* Implement a "hash-function" to the nettle API, which simply returns
+   the input data, concatenated into a single, statically maintained, buffer.
+
+   Used for the EdDSA sigs, which operate on the whole message, rather 
+   than a digest. */
+
+struct null_hash_digest
+{
+  uint8_t *buff;
+  size_t len;
+};
+
+struct null_hash_ctx
+{
+  size_t len;
+};
+
+static size_t null_hash_buff_sz = 0;
+static uint8_t *null_hash_buff = NULL;
+#define BUFF_INCR 128
+
+static void null_hash_init(void *ctx)
+{
+  ((struct null_hash_ctx *)ctx)->len = 0;
+}
+
+static void null_hash_update(void *ctxv, size_t length, const uint8_t *src)
+{
+  struct null_hash_ctx *ctx = ctxv;
+  size_t new_len = ctx->len + length;
+  
+  if (new_len > null_hash_buff_sz)
+    {
+      uint8_t *new;
+      
+      if (!(new = whine_malloc(new_len + BUFF_INCR)))
+	return;
+
+      if (null_hash_buff)
+	{
+	  if (ctx->len != 0)
+	    memcpy(new, null_hash_buff, ctx->len);
+	  free(null_hash_buff);
+	}
+      
+      null_hash_buff_sz = new_len + BUFF_INCR;
+      null_hash_buff = new;
+    }
+
+  memcpy(null_hash_buff + ctx->len, src, length);
+  ctx->len += length;
+}
+ 
+static void null_hash_digest(void *ctx, size_t length, uint8_t *dst)
+{
+  (void)length;
+  
+  ((struct null_hash_digest *)dst)->buff = null_hash_buff;
+  ((struct null_hash_digest *)dst)->len = ((struct null_hash_ctx *)ctx)->len;
+}
+
+static struct nettle_hash null_hash = {
+  "null_hash",
+  sizeof(struct null_hash_ctx),
+  sizeof(struct null_hash_digest),
+  0,
+  (nettle_hash_init_func *) null_hash_init,
+  (nettle_hash_update_func *) null_hash_update,
+  (nettle_hash_digest_func *) null_hash_digest
+};
+
+#endif /* MIN_VERSION(3, 1) */
+
+/* expand ctx and digest memory allocations if necessary and init hash function */
+int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp)
+{
+  static void *ctx = NULL;
+  static unsigned char *digest = NULL;
+  static unsigned int ctx_sz = 0;
+  static unsigned int digest_sz = 0;
+
+  void *new;
+
+  if (ctx_sz < hash->context_size)
+    {
+      if (!(new = whine_malloc(hash->context_size)))
+	return 0;
+      if (ctx)
+	free(ctx);
+      ctx = new;
+      ctx_sz = hash->context_size;
+    }
+  
+  if (digest_sz < hash->digest_size)
+    {
+      if (!(new = whine_malloc(hash->digest_size)))
+	return 0;
+      if (digest)
+	free(digest);
+      digest = new;
+      digest_sz = hash->digest_size;
+    }
+
+  *ctxp = ctx;
+  *digestp = digest;
+
+  hash->init(ctx);
+
+  return 1;
+}
+
+static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+			      unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  size_t exp_len;
+  
+  static struct rsa_public_key *key = NULL;
+  static mpz_t sig_mpz;
+
+  (void)digest_len;
+  
+  if (key == NULL)
+    {
+      if (!(key = whine_malloc(sizeof(struct rsa_public_key))))
+	return 0;
+      
+      nettle_rsa_public_key_init(key);
+      mpz_init(sig_mpz);
+    }
+  
+  if ((key_len < 3) || !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  key_len--;
+  if ((exp_len = *p++) == 0)
+    {
+      GETSHORT(exp_len, p);
+      key_len -= 2;
+    }
+  
+  if (exp_len >= key_len)
+    return 0;
+  
+  key->size =  key_len - exp_len;
+  mpz_import(key->e, exp_len, 1, 1, 0, 0, p);
+  mpz_import(key->n, key->size, 1, 1, 0, 0, p + exp_len);
+
+  mpz_import(sig_mpz, sig_len, 1, 1, 0, 0, sig);
+  
+  switch (algo)
+    {
+    case 5: case 7:
+      return nettle_rsa_sha1_verify_digest(key, digest, sig_mpz);
+    case 8:
+      return nettle_rsa_sha256_verify_digest(key, digest, sig_mpz);
+    case 10:
+      return nettle_rsa_sha512_verify_digest(key, digest, sig_mpz);
+    }
+
+  return 0;
+}  
+
+static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				unsigned char *sig, size_t sig_len,
+				unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  unsigned int t;
+  struct ecc_point *key;
+
+  static struct ecc_point *key_256 = NULL, *key_384 = NULL;
+  static mpz_t x, y;
+  static struct dsa_signature *sig_struct;
+#if !MIN_VERSION(3, 4)
+#define nettle_get_secp_256r1() (&nettle_secp_256r1)
+#define nettle_get_secp_384r1() (&nettle_secp_384r1)
+#endif
+  
+  if (!sig_struct)
+    {
+      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))))
+	return 0;
+      
+      nettle_dsa_signature_init(sig_struct);
+      mpz_init(x);
+      mpz_init(y);
+    }
+  
+  switch (algo)
+    {
+    case 13:
+      if (!key_256)
+	{
+	  if (!(key_256 = whine_malloc(sizeof(struct ecc_point))))
+	    return 0;
+	  
+	  nettle_ecc_point_init(key_256, nettle_get_secp_256r1());
+	}
+      
+      key = key_256;
+      t = 32;
+      break;
+      
+    case 14:
+      if (!key_384)
+	{
+	  if (!(key_384 = whine_malloc(sizeof(struct ecc_point))))
+	    return 0;
+	  
+	  nettle_ecc_point_init(key_384, nettle_get_secp_384r1());
+	}
+      
+      key = key_384;
+      t = 48;
+      break;
+        
+    default:
+      return 0;
+    }
+  
+  if (sig_len != 2*t || key_len != 2*t ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  mpz_import(x, t , 1, 1, 0, 0, p);
+  mpz_import(y, t , 1, 1, 0, 0, p + t);
+
+  if (!ecc_point_set(key, x, y))
+    return 0;
+  
+  mpz_import(sig_struct->r, t, 1, 1, 0, 0, sig);
+  mpz_import(sig_struct->s, t, 1, 1, 0, 0, sig + t);
+  
+  return nettle_ecdsa_verify(key, digest_len, digest, sig_struct);
+}
+
+#if MIN_VERSION(3, 6)
+static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				  unsigned char *sig, size_t sig_len,
+				  unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  
+  static struct ecc_point *gost_key = NULL;
+  static mpz_t x, y;
+  static struct dsa_signature *sig_struct;
+
+  if (algo != 12 ||
+      sig_len != 64 || key_len != 64 ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  if (!sig_struct)
+    {
+      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) ||
+	  !(gost_key = whine_malloc(sizeof(struct ecc_point))))
+	return 0;
+      
+      nettle_dsa_signature_init(sig_struct);
+      nettle_ecc_point_init(gost_key, nettle_get_gost_gc256b());
+      mpz_init(x);
+      mpz_init(y);
+    }
+    
+  mpz_import(x, 32, -1, 1, 0, 0, p);
+  mpz_import(y, 32, -1, 1, 0, 0, p + 32);
+
+  if (!ecc_point_set(gost_key, x, y))
+    return 0; 
+  
+  mpz_import(sig_struct->s, 32, 1, 1, 0, 0, sig);
+  mpz_import(sig_struct->r, 32, 1, 1, 0, 0, sig + 32);
+  
+  return nettle_gostdsa_verify(gost_key, digest_len, digest, sig_struct);
+}
+#endif
+
+#if MIN_VERSION(3, 1)
+static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				unsigned char *sig, size_t sig_len,
+				unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+   
+  if (digest_len != sizeof(struct null_hash_digest) ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  /* The "digest" returned by the null_hash function is simply a struct null_hash_digest
+     which has a pointer to the actual data and a length, because the buffer
+     may need to be extended during "hashing". */
+  
+  switch (algo)
+    {
+    case 15:
+      if (key_len != ED25519_KEY_SIZE ||
+	  sig_len != ED25519_SIGNATURE_SIZE)
+	return 0;
+
+      return ed25519_sha512_verify(p,
+				   ((struct null_hash_digest *)digest)->len,
+				   ((struct null_hash_digest *)digest)->buff,
+				   sig);
+      
+#if MIN_VERSION(3, 6)
+    case 16:
+      if (key_len != ED448_KEY_SIZE ||
+	  sig_len != ED448_SIGNATURE_SIZE)
+	return 0;
+
+      return ed448_shake256_verify(p,
+				   ((struct null_hash_digest *)digest)->len,
+				   ((struct null_hash_digest *)digest)->buff,
+				   sig);
+#endif
+
+    }
+
+  return 0;
+}
+#endif
+
+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+			     unsigned char *digest, size_t digest_len, int algo)
+{
+    
+  /* Ensure at runtime that we have support for this digest */
+  if (!hash_find(algo_digest_name(algo)))
+    return NULL;
+  
+  /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
+  switch (algo)
+    {
+    case 5: case 7: case 8: case 10:
+      return dnsmasq_rsa_verify;
+
+#if MIN_VERSION(3, 6)
+    case 12:
+      return dnsmasq_gostdsa_verify;
+#endif
+      
+    case 13: case 14:
+      return dnsmasq_ecdsa_verify;
+      
+#if MIN_VERSION(3, 1)
+    case 15:
+      return dnsmasq_eddsa_verify;
+#endif
+
+#if MIN_VERSION(3, 6)
+    case 16:
+      return dnsmasq_eddsa_verify;
+#endif
+    }
+  
+  return NULL;
+}
+
+int verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+	   unsigned char *digest, size_t digest_len, int algo)
+{
+
+  int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+	      unsigned char *digest, size_t digest_len, int algo);
+  
+  func = verify_func(algo);
+  
+  if (!func)
+    return 0;
+
+  return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
+}
+
+/* Note the ds_digest_name(), algo_digest_name() and nsec3_digest_name()
+   define which algo numbers we support. If algo_digest_name() returns
+   non-NULL for an algorithm number, we assume that algorithm is 
+   supported by verify(). */
+
+/* http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
+char *ds_digest_name(int digest)
+{
+  switch (digest)
+    {
+    case 1: return "sha1";
+    case 2: return "sha256";
+#if MIN_VERSION(3, 6)
+    case 3: return "gosthash94cp";
+#endif
+    case 4: return "sha384";
+    default: return NULL;
+    }
+}
+ 
+/* http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
+char *algo_digest_name(int algo)
+{
+  switch (algo)
+    {
+    case 1: return NULL;          /* RSA/MD5 - Must Not Implement.  RFC 6944 para 2.3. */
+    case 2: return NULL;          /* Diffie-Hellman */
+    case 3: return NULL; ;        /* DSA/SHA1 - Must Not Implement. RFC 8624 section 3.1 */ 
+    case 5: return "sha1";        /* RSA/SHA1 */
+    case 6: return NULL;          /* DSA-NSEC3-SHA1 - Must Not Implement. RFC 8624 section 3.1 */
+    case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
+    case 8: return "sha256";      /* RSA/SHA-256 */
+    case 10: return "sha512";     /* RSA/SHA-512 */
+#if MIN_VERSION(3, 6)
+    case 12: return "gosthash94cp"; /* ECC-GOST */ 
+#endif
+    case 13: return "sha256";     /* ECDSAP256SHA256 */
+    case 14: return "sha384";     /* ECDSAP384SHA384 */ 	
+#if MIN_VERSION(3, 1)
+    case 15: return "null_hash";  /* ED25519 */
+#  if MIN_VERSION(3, 6)
+    case 16: return "null_hash";  /* ED448 */
+#  endif
+#endif
+    default: return NULL;
+    }
+}
+  
+/* http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml */
+char *nsec3_digest_name(int digest)
+{
+  switch (digest)
+    {
+    case 1: return "sha1";
+    default: return NULL;
+    }
+}
+
+/* Find pointer to correct hash function in nettle library */
+const struct nettle_hash *hash_find(char *name)
+{
+  if (!name)
+    return NULL;
+  
+#if MIN_VERSION(3,1) && defined(HAVE_DNSSEC)
+  /* We provide a "null" hash which returns the input data as digest. */
+  if (strcmp(null_hash.name, name) == 0)
+    return &null_hash;
+#endif
+  
+  /* libnettle >= 3.4 provides nettle_lookup_hash() which avoids nasty ABI
+     incompatibilities if sizeof(nettle_hashes) changes between library
+     versions. */
+#if MIN_VERSION(3, 4)
+  return nettle_lookup_hash(name);
+#else
+  {
+    int i;
+
+    for (i = 0; nettle_hashes[i]; i++)
+      if (strcmp(nettle_hashes[i]->name, name) == 0)
+	return nettle_hashes[i];
+  }
+  
+  return NULL;
+#endif
+}
+
+#endif /* defined(HAVE_DNSSEC) */
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -52,6 +52,15 @@ const char* introspection_xml_template =
 "    <method name=\"SetFilterWin2KOption\">\n"
 "      <arg name=\"filterwin2k\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
+"    <method name=\"SetFilterA\">\n"
+"      <arg name=\"filter-a\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
+"    <method name=\"SetFilterAAAA\">\n"
+"      <arg name=\"filter-aaaa\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
+"    <method name=\"SetLocaliseQueriesOption\">\n"
+"      <arg name=\"localise-queries\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
 "    <method name=\"SetBogusPrivOption\">\n"
 "      <arg name=\"boguspriv\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
@@ -85,10 +94,19 @@ const char* introspection_xml_template =
 "       <arg name=\"success\" type=\"b\" direction=\"out\"/>\n"
 "    </method>\n"
 #endif
+"    <method name=\"GetMetrics\">\n"
+"      <arg name=\"metrics\" direction=\"out\" type=\"a{su}\"/>\n"
+"    </method>\n"
+"    <method name=\"GetServerMetrics\">\n"
+"      <arg name=\"metrics\" direction=\"out\" type=\"a{ss}\"/>\n"
+"    </method>\n"
+"    <method name=\"ClearMetrics\">\n"
+"    </method>\n"
 "  </interface>\n"
 "</node>\n";

 static char *introspection_xml = NULL;
+static int watches_modified = 0;

 struct watch {
  DBusWatch *watch;      
@@ -110,14 +128,15 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
  w->watch = watch;
  w->next = daemon->watches;
  daemon->watches = w;
+  watches_modified++;

-  w = data; /* no warning */
+  (void)data; /* no warning */
  return TRUE;
 }

 static void remove_watch(DBusWatch *watch, void *data)
 {
-  struct watch **up, *w, *tmp;  
+  struct watch **up, *w, *tmp;
  
  for (up = &(daemon->watches), w = daemon->watches; w; w = tmp)
    {
@@ -126,21 +145,26 @@ static void remove_watch(DBusWatch *watch, void *data)
 	{
 	  *up = tmp;
 	  free(w);
+	  watches_modified++;
 	}
      else
 	up = &(w->next);
    }

-  w = data; /* no warning */
+  (void)data; /* no warning */
 }

-static void dbus_read_servers(DBusMessage *message)
+static DBusMessage* dbus_read_servers(DBusMessage *message)
 {
  DBusMessageIter iter;
  union  mysockaddr addr, source_addr;
  char *domain;
  
-  dbus_message_iter_init(message, &iter);
+  if (!dbus_message_iter_init(message, &iter))
+    {
+      return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+                                    "Failed to initialize dbus message iter");
+    }

  mark_servers(SERV_FROM_DBUS);
  
@@ -182,9 +206,6 @@ static void dbus_read_servers(DBusMessage *message)
 		}
 	    }

-#ifndef HAVE_IPV6
-	  my_syslog(LOG_WARNING, _("attempt to set an IPv6 server address via DBus - no IPv6 support"));
-#else
 	  if (i == sizeof(struct in6_addr))
 	    {
 	      memcpy(&addr.in6.sin6_addr, p, sizeof(struct in6_addr));
@@ -199,7 +220,6 @@ static void dbus_read_servers(DBusMessage *message)
              source_addr.in6.sin6_port = htons(daemon->query_port);
 	      skip = 0;
 	    }
-#endif
 	}
      else
 	/* At the end */
@@ -216,13 +236,14 @@ static void dbus_read_servers(DBusMessage *message)
 	  domain = NULL;
 	
 	if (!skip)
-	  add_update_server(SERV_FROM_DBUS, &addr, &source_addr, NULL, domain);
+	  add_update_server(SERV_FROM_DBUS, &addr, &source_addr, NULL, domain, NULL);
     
      } while (dbus_message_iter_get_arg_type(&iter) == DBUS_TYPE_STRING); 
    }
   
  /* unlink and free anything still marked. */
  cleanup_servers();
+  return NULL;
 }

 #ifdef HAVE_LOOP
@@ -238,7 +259,7 @@ static DBusMessage *dbus_reply_server_loop(DBusMessage *message)
  for (serv = daemon->servers; serv; serv = serv->next)
    if (serv->flags & SERV_LOOP)
      {
-	prettyprint_addr(&serv->addr, daemon->addrbuff);
+	(void)prettyprint_addr(&serv->addr, daemon->addrbuff);
 	dbus_message_iter_append_basic (&args_iter, DBUS_TYPE_STRING, &daemon->addrbuff);
      }
  
@@ -277,9 +298,14 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
    {
      const char *str = NULL;
      union  mysockaddr addr, source_addr;
-      int flags = 0;
+      u16 flags = 0;
      char interface[IF_NAMESIZE];
      char *str_addr, *str_domain = NULL;
+      struct server_details sdetails = { 0 };
+      sdetails.addr = &addr;
+      sdetails.source_addr = &source_addr;
+      sdetails.interface = interface;
+      sdetails.flags = &flags;

      if (strings)
 	{
@@ -362,24 +388,6 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	  strcpy(str_addr, str);
 	}

-      memset(&addr, 0, sizeof(addr));
-      memset(&source_addr, 0, sizeof(source_addr));
-      memset(&interface, 0, sizeof(interface));
-
-      /* parse the IP address */
-      if ((addr_err = parse_server(str_addr, &addr, &source_addr, (char *) &interface, &flags)))
-	{
-          error = dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
-                                                "Invalid IP address '%s': %s",
-                                                str, addr_err);
-          break;
-        }
-      
-      /* 0.0.0.0 for server address == NULL, for Dbus */
-      if (addr.in.sin_family == AF_INET &&
-          addr.in.sin_addr.s_addr == 0)
-        flags |= SERV_NO_ADDR;
-      
      if (strings)
 	{
 	  char *p;
@@ -393,7 +401,31 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	    else 
 	      p = NULL;
 	    
-	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str_domain);
+	     if (strings && strlen(str_addr) == 0)
+	       add_update_server(SERV_LITERAL_ADDRESS | SERV_FROM_DBUS, &addr, &source_addr, interface, str_domain, NULL);
+	     else
+	       {
+		 if ((addr_err = parse_server(str_addr, &sdetails)))
+		   {
+		     error = dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+							   "Invalid IP address '%s': %s",
+							   str, addr_err);
+		     break;
+		   }
+		 
+		 while (parse_server_next(&sdetails))
+		   {
+		     if ((addr_err = parse_server_addr(&sdetails)))
+		       {
+			 error = dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+							       "Invalid IP address '%s': %s",
+							       str, addr_err);
+			 break;
+		       }
+		     
+		     add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str_domain, NULL);
+		   }
+	       }
 	  } while ((str_domain = p));
 	}
      else
@@ -407,45 +439,83 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	    if (dbus_message_iter_get_arg_type(&string_iter) == DBUS_TYPE_STRING)
 	      dbus_message_iter_get_basic(&string_iter, &str);
 	    dbus_message_iter_next (&string_iter);
+
+	    if ((addr_err = parse_server(str_addr, &sdetails)))
+	      {
+		error = dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+						      "Invalid IP address '%s': %s",
+						      str, addr_err);
+		break;
+	      }
 	    
-	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str);
+	    while (parse_server_next(&sdetails))
+	      {
+		if ((addr_err = parse_server_addr(&sdetails)))
+		  {
+		    error = dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+							  "Invalid IP address '%s': %s",
+							  str, addr_err);
+		    break;
+		  }
+		
+		/* 0.0.0.0 for server address == NULL, for Dbus */
+		if (addr.in.sin_family == AF_INET &&
+		    addr.in.sin_addr.s_addr == 0)
+		  flags |= SERV_LITERAL_ADDRESS;
+		else
+		  flags &= ~SERV_LITERAL_ADDRESS;
+		
+		add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str, NULL);
+	      }
 	  } while (dbus_message_iter_get_arg_type(&string_iter) == DBUS_TYPE_STRING);
 	}
-	 
+      
+      if (sdetails.orig_hostinfo)
+	freeaddrinfo(sdetails.orig_hostinfo);
+      
      /* jump to next element in outer array */
      dbus_message_iter_next(&array_iter);
    }

  cleanup_servers();
-
+    
  if (dup)
    free(dup);

  return error;
 }

-static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+static DBusMessage *dbus_get_bool(DBusMessage *message, dbus_bool_t *enabled, char *name)
 {
  DBusMessageIter iter;
-  dbus_bool_t enabled;

  if (!dbus_message_iter_init(message, &iter) || dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_BOOLEAN)
    return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS, "Expected boolean argument");
  
-  dbus_message_iter_get_basic(&iter, &enabled);
-
-  if (enabled)
-    { 
-      my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
-      set_option_bool(flag);
-    }
+  dbus_message_iter_get_basic(&iter, enabled);
+  
+  if (*enabled)
+    my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
  else
+    my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
+  
+  return NULL;
+}
+
+static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+{
+  dbus_bool_t val;
+  DBusMessage *reply = dbus_get_bool(message, &val, name);
+  
+  if (!reply)
    {
-      my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
-      reset_option_bool(flag);
+      if (val)
+	set_option_bool(flag);
+      else
+	reset_option_bool(flag);
    }

-  return NULL;
+  return reply;
 }

 #ifdef HAVE_DHCP
@@ -457,7 +527,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
  int clid_len, hostname_len, hw_len, hw_type;
  dbus_uint32_t expires, ia_id;
  dbus_bool_t is_temporary;
-  struct all_addr addr;
+  union all_addr addr;
  time_t now = dnsmasq_time();
  unsigned char dhcp_chaddr[DHCP_CHADDR_MAX];

@@ -527,20 +597,20 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)

  dbus_message_iter_get_basic(&iter, &is_temporary);

-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
    {
      if (ia_id != 0 || is_temporary)
 	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				      "ia_id and is_temporary must be zero for IPv4 lease");
      
-      if (!(lease = lease_find_by_addr(addr.addr.addr4)))
-    	lease = lease4_allocate(addr.addr.addr4);
+      if (!(lease = lease_find_by_addr(addr.addr4)))
+    	lease = lease4_allocate(addr.addr4);
    }
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
    {
-      if (!(lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0)))
-	lease = lease6_allocate(&addr.addr.addr6,
+      if (!(lease = lease6_find_by_addr(&addr.addr6, 128, 0)))
+	lease = lease6_allocate(&addr.addr6,
 				is_temporary ? LEASE_TA : LEASE_NA);
      lease_set_iaid(lease, ia_id);
    }
@@ -550,6 +620,10 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 					 "Invalid IP address '%s'", ipaddr);
   
  hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
+  if (hw_len < 0)
+    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+					 "Invalid HW address '%s'", hwaddr);
+
  if (hw_type == 0 && hw_len != 0)
    hw_type = ARPHRD_ETHER;
  
@@ -571,7 +645,7 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
  DBusMessageIter iter;
  const char *ipaddr;
  DBusMessage *reply;
-  struct all_addr addr;
+  union all_addr addr;
  dbus_bool_t ret = 1;
  time_t now = dnsmasq_time();

@@ -585,11 +659,11 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
   
  dbus_message_iter_get_basic(&iter, &ipaddr);

-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
-    lease = lease_find_by_addr(addr.addr.addr4);
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
+    lease = lease_find_by_addr(addr.addr4);
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
-    lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0);
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
+    lease = lease6_find_by_addr(&addr.addr6, 128, 0);
 #endif
  else
    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
@@ -613,6 +687,101 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
 }
 #endif

+static DBusMessage *dbus_get_metrics(DBusMessage* message)
+{
+  DBusMessage *reply = dbus_message_new_method_return(message);
+  DBusMessageIter array, dict, iter;
+  int i;
+
+  dbus_message_iter_init_append(reply, &iter);
+  dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, "{su}", &array);
+
+  for (i = 0; i < __METRIC_MAX; i++) {
+    const char *key     = get_metric_name(i);
+    dbus_uint32_t value = daemon->metrics[i];
+
+    dbus_message_iter_open_container(&array, DBUS_TYPE_DICT_ENTRY, NULL, &dict);
+    dbus_message_iter_append_basic(&dict, DBUS_TYPE_STRING, &key);
+    dbus_message_iter_append_basic(&dict, DBUS_TYPE_UINT32, &value);
+    dbus_message_iter_close_container(&array, &dict);
+  }
+
+  dbus_message_iter_close_container(&iter, &array);
+
+  return reply;
+}
+
+static void add_dict_entry(DBusMessageIter *container, const char *key, const char *val)
+{
+  DBusMessageIter dict;
+
+  dbus_message_iter_open_container(container, DBUS_TYPE_DICT_ENTRY, NULL, &dict);
+  dbus_message_iter_append_basic(&dict, DBUS_TYPE_STRING, &key);
+  dbus_message_iter_append_basic(&dict, DBUS_TYPE_STRING, &val);
+  dbus_message_iter_close_container(container, &dict);
+}
+
+static void add_dict_int(DBusMessageIter *container, const char *key, const unsigned int val)
+{
+  snprintf(daemon->namebuff, MAXDNAME, "%u", val);
+  
+  add_dict_entry(container, key, daemon->namebuff);
+}
+
+static DBusMessage *dbus_get_server_metrics(DBusMessage* message)
+{
+  DBusMessage *reply = dbus_message_new_method_return(message);
+  DBusMessageIter server_array, dict_array, server_iter;
+  struct server *serv;
+  
+  dbus_message_iter_init_append(reply, &server_iter);
+  dbus_message_iter_open_container(&server_iter, DBUS_TYPE_ARRAY, "a{ss}", &server_array);
+
+  /* sum counts from different records for same server */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    serv->flags &= ~SERV_MARK;
+  
+  for (serv = daemon->servers; serv; serv = serv->next)
+    if (!(serv->flags & SERV_MARK))
+      {
+	unsigned int port;
+	unsigned int queries = 0, failed_queries = 0, nxdomain_replies = 0, retrys = 0;
+	unsigned int sigma_latency = 0, count_latency = 0;
+	
+	struct server *serv1;
+
+	for (serv1 = serv; serv1; serv1 = serv1->next)
+	  if (!(serv1->flags & SERV_MARK) && sockaddr_isequal(&serv->addr, &serv1->addr))
+	    {
+	      serv1->flags |= SERV_MARK;
+	      queries += serv1->queries;
+	      failed_queries += serv1->failed_queries;
+	      nxdomain_replies += serv1->nxdomain_replies;
+	      retrys += serv1->retrys;
+	      sigma_latency += serv1->query_latency;
+	      count_latency++;
+	    }
+	
+	dbus_message_iter_open_container(&server_array, DBUS_TYPE_ARRAY, "{ss}", &dict_array);
+	
+	port = prettyprint_addr(&serv->addr, daemon->namebuff);
+	add_dict_entry(&dict_array, "address", daemon->namebuff);
+	
+	add_dict_int(&dict_array, "port", port);
+	add_dict_int(&dict_array, "queries", serv->queries);
+	add_dict_int(&dict_array, "failed_queries", serv->failed_queries);
+	add_dict_int(&dict_array, "nxdomain", serv->nxdomain_replies);
+	add_dict_int(&dict_array, "retries", serv->retrys);
+	add_dict_int(&dict_array, "latency", sigma_latency/count_latency);
+	
+	dbus_message_iter_close_container(&server_array, &dict_array);
+      }
+  
+  dbus_message_iter_close_container(&server_iter, &server_array);
+  
+  return reply;
+}
+
 DBusHandlerResult message_handler(DBusConnection *connection, 
 				  DBusMessage *message, 
 				  void *user_data)
@@ -649,7 +818,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
 #endif
  else if (strcmp(method, "SetServers") == 0)
    {
-      dbus_read_servers(message);
+      reply = dbus_read_servers(message);
      new_servers = 1;
    }
  else if (strcmp(method, "SetServersEx") == 0)
@@ -666,6 +835,46 @@ DBusHandlerResult message_handler(DBusConnection *connection,
    {
      reply = dbus_set_bool(message, OPT_FILTER, "filterwin2k");
    }
+  else if (strcmp(method, "SetFilterA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
+
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-A")))
+	{
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+
+	  list.rr = enabled ? T_A : 0;
+	}
+    }
+  else if (strcmp(method, "SetFilterAAAA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
+      
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-AAAA")))
+	{
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+	  
+	  list.rr = enabled ? T_AAAA : 0;
+	}
+    }
+  else if (strcmp(method, "SetLocaliseQueriesOption") == 0)
+    {
+      reply = dbus_set_bool(message, OPT_LOCALISE, "localise-queries");
+    }
  else if (strcmp(method, "SetBogusPrivOption") == 0)
    {
      reply = dbus_set_bool(message, OPT_BOGUSPRIV, "bogus-priv");
@@ -680,6 +889,18 @@ DBusHandlerResult message_handler(DBusConnection *connection,
      reply = dbus_del_lease(message);
    }
 #endif
+  else if (strcmp(method, "GetMetrics") == 0)
+    {
+      reply = dbus_get_metrics(message);
+    }
+  else if (strcmp(method, "GetServerMetrics") == 0)
+    {
+      reply = dbus_get_server_metrics(message);
+    }
+  else if (strcmp(method, "ClearMetrics") == 0)
+    {
+      clear_metrics();
+    }
  else if (strcmp(method, "ClearCache") == 0)
    clear_cache = 1;
  else
@@ -688,7 +909,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
  if (new_servers)
    {
      my_syslog(LOG_INFO, _("setting upstream servers from DBus"));
-      check_servers();
+      check_servers(0);
      if (option_bool(OPT_RELOAD))
 	clear_cache = 1;
    }
@@ -696,7 +917,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
  if (clear_cache)
    clear_cache_and_reload(dnsmasq_time());
  
-  method = user_data; /* no warning */
+  (void)user_data; /* no warning */

  /* If no reply or no error, return nothing */
  if (!reply)
@@ -722,8 +943,11 @@ char *dbus_init(void)

  dbus_error_init (&dbus_error);
  if (!(connection = dbus_bus_get (DBUS_BUS_SYSTEM, &dbus_error)))
-    return NULL;
-    
+    {
+      dbus_error_free(&dbus_error);
+      return NULL;
+    }
+  
  dbus_connection_set_exit_on_disconnect(connection, FALSE);
  dbus_connection_set_watch_functions(connection, add_watch, remove_watch, 
 				      NULL, NULL, NULL);
@@ -757,41 +981,53 @@ void set_dbus_listeners(void)
      {
 	unsigned int flags = dbus_watch_get_flags(w->watch);
 	int fd = dbus_watch_get_unix_fd(w->watch);
+	int poll_flags = POLLERR;
 	
 	if (flags & DBUS_WATCH_READABLE)
-	  poll_listen(fd, POLLIN);
-	
+	  poll_flags |= POLLIN;
 	if (flags & DBUS_WATCH_WRITABLE)
-	  poll_listen(fd, POLLOUT);
+	  poll_flags |= POLLOUT;
 	
-	poll_listen(fd, POLLERR);
+	poll_listen(fd, poll_flags);
      }
 }

-void check_dbus_listeners()
+static int check_dbus_watches()
 {
-  DBusConnection *connection = (DBusConnection *)daemon->dbus;
  struct watch *w;

+  watches_modified = 0;
  for (w = daemon->watches; w; w = w->next)
    if (dbus_watch_get_enabled(w->watch))
      {
 	unsigned int flags = 0;
 	int fd = dbus_watch_get_unix_fd(w->watch);
-	
-	if (poll_check(fd, POLLIN))
+	int poll_flags = poll_check(fd, POLLIN|POLLOUT|POLLERR);
+
+	if ((poll_flags & POLLIN) != 0)
 	  flags |= DBUS_WATCH_READABLE;
-	
-	if (poll_check(fd, POLLOUT))
+	if ((poll_flags & POLLOUT) != 0)
 	  flags |= DBUS_WATCH_WRITABLE;
-	
-	if (poll_check(fd, POLLERR))
+	if ((poll_flags & POLLERR) != 0)
 	  flags |= DBUS_WATCH_ERROR;

 	if (flags != 0)
-	  dbus_watch_handle(w->watch, flags);
+	  {
+	    dbus_watch_handle(w->watch, flags);
+	    if (watches_modified)
+	      return 0;
+	  }
      }

+  return 1;
+}
+
+void check_dbus_listeners()
+{
+  DBusConnection *connection = (DBusConnection *)daemon->dbus;
+
+  while (!check_dbus_watches()) ;
+
  if (connection)
    {
      dbus_connection_ref (connection);
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -38,7 +38,7 @@ void dhcp_common_init(void)

 ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 {  
-  ssize_t sz;
+  ssize_t sz, new_sz;
 
  while (1)
    {
@@ -65,9 +65,48 @@ ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 	}
    }
  
-  while ((sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
+  while ((new_sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
+
+  /* Some kernels seem to ignore MSG_PEEK, and dequeue the packet anyway. 
+     If that happens we get EAGAIN here because the socket is non-blocking.
+     Use the result of the original testing recvmsg as long as the buffer
+     was big enough. There's a small race here that may lose the odd packet,
+     but it's UDP anyway. */
  
-  return (msg->msg_flags & MSG_TRUNC) ? -1 : sz;
+  if (new_sz == -1 && (errno == EWOULDBLOCK || errno == EAGAIN))
+    new_sz = sz;
+  
+  return (msg->msg_flags & MSG_TRUNC) ? -1 : new_sz;
+}
+
+/* like match_netid() except that the check can have a trailing * for wildcard */
+/* started as a direct copy of match_netid() */
+int match_netid_wild(struct dhcp_netid *check, struct dhcp_netid *pool)
+{
+  struct dhcp_netid *tmp1;
+  
+  for (; check; check = check->next)
+    {
+      const int check_len = strlen(check->net);
+      const int is_wc = (check_len > 0 && check->net[check_len - 1] == '*');
+      
+      /* '#' for not is for backwards compat. */
+      if (check->net[0] != '!' && check->net[0] != '#')
+	{
+	  for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
+	    if (is_wc ? (strncmp(check->net, tmp1->net, check_len-1) == 0) :
+		(strcmp(check->net, tmp1->net) == 0))
+	      break;
+	  if (!tmp1)
+	    return 0;
+	}
+      else
+	for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
+	  if (is_wc ? (strncmp((check->net)+1, tmp1->net, check_len-2) == 0) :
+	      (strcmp((check->net)+1, tmp1->net) == 0))
+	    return 0;
+    }
+  return 1;
 }

 struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
@@ -75,8 +114,11 @@ struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
  struct tag_if *exprs;
  struct dhcp_netid_list *list;

+  /* this now uses match_netid_wild() above so that tag_if can
+   * be used to set a 'group of interfaces' tag.
+   */
  for (exprs = daemon->tag_if; exprs; exprs = exprs->next)
-    if (match_netid(exprs->tag, tags, 1))
+    if (match_netid_wild(exprs->tag, tags))
      for (list = exprs->set; list; list = list->next)
 	{
 	  list->list->next = tags;
@@ -86,22 +128,41 @@ struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
  return tags;
 }

+/* pxemode == 0 -> don't include dhcp-option-pxe options.
+   pxemode == 1 -> do include dhcp-option-pxe options.
+   pxemode == 2 -> include ONLY dhcp-option-pxe options. */
+int pxe_ok(struct dhcp_opt *opt, int pxemode)
+{
+  if (opt->flags & DHOPT_PXE_OPT)
+    {
+      if (pxemode != 0)
+	return 1;
+    }
+  else
+    {
+      if (pxemode != 2)
+	return 1;
+    }
+  
+  return 0;
+}

-struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts)
+struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts, int pxemode)
 {
  struct dhcp_netid *tagif = run_tag_if(tags);
  struct dhcp_opt *opt;
  struct dhcp_opt *tmp;  
-
+  
  /* flag options which are valid with the current tag set (sans context tags) */
  for (opt = opts; opt; opt = opt->next)
    {
      opt->flags &= ~DHOPT_TAGOK;
      if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925)) &&
-	  match_netid(opt->netid, tagif, 0))
+	  match_netid(opt->netid, tagif, 0) &&
+	  pxe_ok(opt, pxemode))
 	opt->flags |= DHOPT_TAGOK;
    }
-
+  
  /* now flag options which are valid, including the context tags,
     otherwise valid options are inhibited if we found a higher priority one above */
  if (context_tags)
@@ -121,7 +182,8 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con

      for (opt = opts; opt; opt = opt->next)
 	if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
-	    match_netid(opt->netid, tagif, 0))
+	    match_netid(opt->netid, tagif, 0) &&
+	    pxe_ok(opt, pxemode))
 	  {
 	    struct dhcp_opt *tmp;  
 	    for (tmp = opts; tmp; tmp = tmp->next) 
@@ -134,7 +196,9 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
  
  /* now flag untagged options which are not overridden by tagged ones */
  for (opt = opts; opt; opt = opt->next)
-    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) && !opt->netid)
+    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
+	!opt->netid &&
+	pxe_ok(opt, pxemode))
      {
 	for (tmp = opts; tmp; tmp = tmp->next) 
 	  if (tmp->opt == opt->opt && (tmp->flags & DHOPT_TAGOK))
@@ -144,7 +208,7 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
 	else if (!tmp->netid)
 	  my_syslog(MS_DHCP | LOG_WARNING, _("Ignoring duplicate dhcp-option %d"), tmp->opt); 
      }
-
+  
  /* Finally, eliminate duplicate options later in the chain, and therefore earlier in the config file. */
  for (opt = opts; opt; opt = opt->next)
    if (opt->flags & DHOPT_TAGOK)
@@ -276,30 +340,38 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
    return 1;
  
 #ifdef HAVE_DHCP6
-  if ((context->flags & CONTEXT_V6) && (config->flags & CONFIG_WILDCARD))
-    return 1;
-#endif
+  if (context->flags & CONTEXT_V6)
+    {
+       struct addrlist *addr_list;

-  for (; context; context = context->current)
-#ifdef HAVE_DHCP6
-    if (context->flags & CONTEXT_V6) 
-      {
-	if ((config->flags & CONFIG_ADDR6) && is_same_net6(&config->addr6, &context->start6, context->prefix))
-	  return 1;
-      }
-    else 
+       if (config->flags & CONFIG_ADDR6)
+	 for (; context; context = context->current)
+	   for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	     {
+	       if ((addr_list->flags & ADDRLIST_WILDCARD) && context->prefix == 64)
+		 return 1;
+	       
+	       if (is_same_net6(&addr_list->addr.addr6, &context->start6, context->prefix))
+		 return 1;
+	     }
+    }
+  else
 #endif
-      if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
-	return 1;
+    {
+      for (; context; context = context->current)
+	if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
+	  return 1;
+    }

  return 0;
 }

-struct dhcp_config *find_config(struct dhcp_config *configs,
-				struct dhcp_context *context,
-				unsigned char *clid, int clid_len,
-				unsigned char *hwaddr, int hw_len, 
-				int hw_type, char *hostname)
+static struct dhcp_config *find_config_match(struct dhcp_config *configs,
+					     struct dhcp_context *context,
+					     unsigned char *clid, int clid_len,
+					     unsigned char *hwaddr, int hw_len, 
+					     int hw_type, char *hostname,
+					     struct dhcp_netid *tags, int tag_not_needed)
 {
  int count, new;
  struct dhcp_config *config, *candidate; 
@@ -311,7 +383,9 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	{
 	  if (config->clid_len == clid_len && 
 	      memcmp(config->clid, clid, clid_len) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
+	    
 	    return config;
 	  
 	  /* dhcpcd prefixes ASCII client IDs by zero which is wrong, but we try and
@@ -319,7 +393,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	     see lease_update_from_configs() */
 	  if ((!context || !(context->flags & CONTEXT_V6)) && *clid == 0 && config->clid_len == clid_len-1  &&
 	      memcmp(config->clid, clid+1, clid_len-1) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
 	    return config;
 	}
  
@@ -327,14 +402,16 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
  if (hwaddr)
    for (config = configs; config; config = config->next)
      if (config_has_mac(config, hwaddr, hw_len, hw_type) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;
  
  if (hostname && context)
    for (config = configs; config; config = config->next)
      if ((config->flags & CONFIG_NAME) && 
 	  hostname_isequal(config->hostname, hostname) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;

  
@@ -343,7 +420,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,

  /* use match with fewest wildcard octets */
  for (candidate = NULL, count = 0, config = configs; config; config = config->next)
-    if (is_config_in_context(context, config))
+    if (is_config_in_context(context, config) &&
+	match_netid(config->filter, tags, tag_not_needed))
      for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
 	if (conf_addr->wildcard_mask != 0 &&
 	    conf_addr->hwaddr_len == hw_len &&	
@@ -357,6 +435,21 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
  return candidate;
 }

+/* Find tagged configs first. */
+struct dhcp_config *find_config(struct dhcp_config *configs,
+				struct dhcp_context *context,
+				unsigned char *clid, int clid_len,
+				unsigned char *hwaddr, int hw_len, 
+				int hw_type, char *hostname, struct dhcp_netid *tags)
+{
+  struct dhcp_config *ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 0);
+
+  if (!ret)
+    ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 1);
+
+  return ret;
+}
+
 void dhcp_update_configs(struct dhcp_config *configs)
 {
  /* Some people like to keep all static IP addresses in /etc/hosts.
@@ -371,8 +464,14 @@ void dhcp_update_configs(struct dhcp_config *configs)
  int prot = AF_INET;

  for (config = configs; config; config = config->next)
+  {
    if (config->flags & CONFIG_ADDR_HOSTS)
-      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR6 | CONFIG_ADDR_HOSTS);
+      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
+#ifdef HAVE_DHCP6
+    if (config->flags & CONFIG_ADDR6_HOSTS)
+      config->flags &= ~(CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS);
+#endif
+  }

 #ifdef HAVE_DHCP6 
 again:  
@@ -403,30 +502,41 @@ void dhcp_update_configs(struct dhcp_config *configs)
 		  crec = cache_find_by_name(crec, config->hostname, 0, cacheflags);
 		if (!crec)
 		  continue; /* should be never */
-		inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+		inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 		my_syslog(MS_DHCP | LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
 			  config->hostname, daemon->addrbuff);
 	      }
 	    
 	    if (prot == AF_INET && 
-		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr.addr.addr4)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr4)) || conf_tmp == config))
 	      {
-		config->addr = crec->addr.addr.addr.addr4;
+		config->addr = crec->addr.addr4;
 		config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
 		continue;
 	      }

 #ifdef HAVE_DHCP6
 	    if (prot == AF_INET6 && 
-		(!(conf_tmp = config_find_by_address6(configs, &crec->addr.addr.addr.addr6, 128, 0)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address6(configs, NULL, 0, &crec->addr.addr6)) || conf_tmp == config))
 	      {
-		memcpy(&config->addr6, &crec->addr.addr.addr.addr6, IN6ADDRSZ);
-		config->flags |= CONFIG_ADDR6 | CONFIG_ADDR_HOSTS;
+		/* host must have exactly one address if comming from /etc/hosts. */
+		if (!config->addr6 && (config->addr6 = whine_malloc(sizeof(struct addrlist))))
+		  {
+		    config->addr6->next = NULL;
+		    config->addr6->flags = 0;
+		  }
+
+		if (config->addr6 && !config->addr6->next && !(config->addr6->flags & (ADDRLIST_WILDCARD|ADDRLIST_PREFIX)))
+		  {
+		    memcpy(&config->addr6->addr.addr6, &crec->addr.addr6, IN6ADDRSZ);
+		    config->flags |= CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS;
+		  }
+	    
 		continue;
 	      }
 #endif

-	    inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+	    inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 	    my_syslog(MS_DHCP | LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
 		      daemon->addrbuff, config->hostname);
 	    
@@ -465,11 +575,11 @@ char *whichdevice(void)
    return NULL;
  
  for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
-    if (if_tmp->name && (!if_tmp->used || strchr(if_tmp->name, '*')))
+    if (if_tmp->name && (!(if_tmp->flags & INAME_USED) || strchr(if_tmp->name, '*')))
      return NULL;

  for (found = NULL, iface = daemon->interfaces; iface; iface = iface->next)
-    if (iface->dhcp_ok)
+    if (iface->dhcp4_ok || iface->dhcp6_ok)
      {
 	if (!found)
 	  found = iface;
@@ -478,20 +588,50 @@ char *whichdevice(void)
      }

  if (found)
-    return found->name;
-
+    {
+      char *ret = safe_malloc(strlen(found->name)+1);
+      strcpy(ret, found->name);
+      return ret;
+    }
+  
  return NULL;
 }
 
-void  bindtodevice(char *device, int fd)
+static int bindtodevice(char *device, int fd)
 {
-  struct ifreq ifr;
-  
-  strcpy(ifr.ifr_name, device);
+  size_t len = strlen(device)+1;
+  if (len > IFNAMSIZ)
+    len = IFNAMSIZ;
  /* only allowed by root. */
-  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) == -1 &&
+  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, device, len) == -1 &&
      errno != EPERM)
-    die(_("failed to set SO_BINDTODEVICE on DHCP socket: %s"), NULL, EC_BADNET);
+    return 2;
+  
+  return 1;
+}
+
+int bind_dhcp_devices(char *bound_device)
+{
+  int ret = 0;
+
+  if (bound_device)
+    {
+      if (daemon->dhcp)
+	{
+	  if (!daemon->relay4)
+	    ret |= bindtodevice(bound_device, daemon->dhcpfd);
+	  
+	  if (daemon->enable_pxe && daemon->pxefd != -1)
+	    ret |= bindtodevice(bound_device, daemon->pxefd);
+	}
+      
+#if defined(HAVE_DHCP6)
+      if (daemon->doing_dhcp6 && !daemon->relay6)
+	ret |= bindtodevice(bound_device, daemon->dhcp6fd);
+#endif
+    }
+  
+  return ret;
 }
 #endif

@@ -559,16 +699,21 @@ static const struct opttab_t {
  { "nntp-server", 71, OT_ADDR_LIST }, 
  { "irc-server", 74, OT_ADDR_LIST }, 
  { "user-class", 77, 0 },
+  { "rapid-commit", 80, 0 },
  { "FQDN", 81, OT_INTERNAL },
  { "agent-id", 82, OT_INTERNAL },
  { "client-arch", 93, 2 | OT_DEC },
  { "client-interface-id", 94, 0 },
  { "client-machine-id", 97, 0 },
+  { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */ 
  { "subnet-select", 118, OT_INTERNAL },
  { "domain-search", 119, OT_RFC1035_NAME },
  { "sip-server", 120, 0 },
  { "classless-static-route", 121, 0 },
  { "vendor-id-encap", 125, 0 },
+  { "tftp-server-address", 150, OT_ADDR_LIST },
  { "server-ip-address", 255, OT_ADDR_LIST }, /* special, internal only, sets siaddr */
  { NULL, 0, 0 }
 };
@@ -599,7 +744,9 @@ static const struct opttab_t opttab6[] = {
  { "sntp-server", 31,  OT_ADDR_LIST },
  { "information-refresh-time", 32, OT_TIME },
  { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
-  { "ntp-server", 56,  0 },
+  { "posix-timezone", 41, OT_NAME }, /* RFC 4833, Sec. 3 */
+  { "tzdb-timezone", 42, OT_NAME }, /* RFC 4833, Sec. 3 */
+  { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
  { "bootfile-url", 59, OT_NAME },
  { "bootfile-param", 60, OT_CSTRING },
  { NULL, 0, 0 }
@@ -692,7 +839,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 	    
 	    if (ot[o].size & OT_ADDR_LIST) 
 	      {
-		struct all_addr addr;
+		union all_addr addr;
 		int addr_len = INADDRSZ;

 #ifdef HAVE_DHCP6
@@ -713,7 +860,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		for (i = 0, j = 0; i < opt_len && j < buf_len ; i++)
 		  {
 		    char c = val[i];
-		    if (isprint((int)c))
+		    if (isprint((unsigned char)c))
 		      buf[j++] = c;
 		  }
 #ifdef HAVE_DHCP6
@@ -727,7 +874,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = i + 1; k < opt_len && k < l && j < buf_len ; k++)
 		     {
 		       char c = val[k];
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i = l;
@@ -748,7 +895,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = 0; k < len && j < buf_len; k++)
 		      {
 		       char c = *p++;
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i += len +2;
@@ -893,11 +1040,34 @@ void log_context(int family, struct dhcp_context *context)

 void log_relay(int family, struct dhcp_relay *relay)
 {
+  int broadcast = relay->server.addr4.s_addr == 0;
  inet_ntop(family, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-  inet_ntop(family, &relay->server, daemon->namebuff, ADDRSTRLEN); 
+  inet_ntop(family, &relay->server, daemon->namebuff, ADDRSTRLEN);

+  if (family == AF_INET && relay->port != DHCP_SERVER_PORT)
+    sprintf(daemon->namebuff + strlen(daemon->namebuff), "#%u", relay->port);
+
+#ifdef HAVE_DHCP6
+  struct in6_addr multicast;
+
+  inet_pton(AF_INET6, ALL_SERVERS, &multicast);
+
+  if (family == AF_INET6)
+    {
+      broadcast = IN6_ARE_ADDR_EQUAL(&relay->server.addr6, &multicast);
+      if (relay->port != DHCPV6_SERVER_PORT)
+	sprintf(daemon->namebuff + strlen(daemon->namebuff), "#%u", relay->port);
+    }
+#endif
+  
+  
  if (relay->interface)
-    my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
+    {
+      if (broadcast)
+	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s via %s"), daemon->addrbuff, relay->interface);
+      else
+	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
+    }
  else
    my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s"), daemon->addrbuff, daemon->namebuff);
 }
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -54,6 +54,7 @@
 #define OPTION_SNAME             66
 #define OPTION_FILENAME          67
 #define OPTION_USER_CLASS        77
+#define OPTION_RAPID_COMMIT      80
 #define OPTION_CLIENT_FQDN       81
 #define OPTION_AGENT_ID          82
 #define OPTION_ARCH              93
@@ -63,6 +64,7 @@
 #define OPTION_SIP_SERVER        120
 #define OPTION_VENDOR_IDENT      124
 #define OPTION_VENDOR_IDENT_OPT  125
+#define OPTION_MUD_URL_V4        161
 #define OPTION_END               255

 #define SUBOPT_CIRCUIT_ID        1
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -20,8 +20,6 @@

 struct iface_param {
  struct dhcp_context *current;
-  struct dhcp_relay *relay;
-  struct in_addr relay_local;
  int ind;
 };

@@ -34,7 +32,7 @@ static int complete_context(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam);
 static int check_listen_addrs(struct in_addr local, int if_index, char *label,
 			      struct in_addr netmask, struct in_addr broadcast, void *vparam);
-static int relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess, size_t sz, int iface_index);
+static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz);
 static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface);

 static int make_fd(int port)
@@ -177,11 +175,15 @@ void dhcp_packet(time_t now, int pxe_fd)
  if ((sz = recv_dhcp_packet(fd, &msg)) == -1 || 
      (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))) 
    return;
-    
-  #if defined (HAVE_LINUX_NETWORK)
+  
+#ifdef HAVE_DUMPFILE
+  dump_packet_udp(DUMP_DHCP, (void *)daemon->dhcp_packet.iov_base, sz, (union mysockaddr *)&dest, NULL, fd);
+#endif
+  
+#if defined (HAVE_LINUX_NETWORK)
  if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
    recvtime = tv.tv_sec;
-
+  
  if (msg.msg_controllen >= sizeof(struct cmsghdr))
    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
      if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
@@ -232,7 +234,7 @@ void dhcp_packet(time_t now, int pxe_fd)
  
 #ifdef HAVE_LINUX_NETWORK
  /* ARP fiddling uses original interface even if we pretend to use a different one. */
-  strncpy(arp_req.arp_dev, ifr.ifr_name, 16);
+  safe_strncpy(arp_req.arp_dev, ifr.ifr_name, sizeof(arp_req.arp_dev));
 #endif 

  /* If the interface on which the DHCP request was received is an
@@ -255,7 +257,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	      }
 	    else 
 	      {
-		strncpy(ifr.ifr_name,  bridge->iface, IF_NAMESIZE);
+		safe_strncpy(ifr.ifr_name,  bridge->iface, sizeof(ifr.ifr_name));
 		break;
 	      }
 	  }
@@ -279,7 +281,7 @@ void dhcp_packet(time_t now, int pxe_fd)
      is_relay_reply = 1; 
      iov.iov_len = sz;
 #ifdef HAVE_LINUX_NETWORK
-      strncpy(arp_req.arp_dev, ifr.ifr_name, 16);
+      safe_strncpy(arp_req.arp_dev, ifr.ifr_name, sizeof(arp_req.arp_dev));
 #endif 
    }
  else
@@ -295,22 +297,17 @@ void dhcp_packet(time_t now, int pxe_fd)
 	}
      
      for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_4) && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
      
      /* unlinked contexts/relays are marked by context->current == context */
      for (context = daemon->dhcp; context; context = context->next)
 	context->current = context;
      
-      for (relay = daemon->relay4; relay; relay = relay->next)
-	relay->current = relay;
-      
      parm.current = NULL;
-      parm.relay = NULL;
-      parm.relay_local.s_addr = 0;
      parm.ind = iface_index;
      
-      if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
+      if (!iface_check(AF_INET, (union all_addr *)&iface_addr, ifr.ifr_name, NULL))
 	{
 	  /* If we failed to match the primary address of the interface, see if we've got a --listen-address
 	     for a secondary */
@@ -320,7 +317,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  match.ind = iface_index;
 	  
 	  if (!daemon->if_addrs ||
-	      !iface_enumerate(AF_INET, &match, check_listen_addrs) ||
+	      !iface_enumerate(AF_INET, &match, (callback_t){.af_inet=check_listen_addrs}) ||
 	      !match.matched)
 	    return;
 	  
@@ -329,15 +326,12 @@ void dhcp_packet(time_t now, int pxe_fd)
 	     there is more than one address on the interface in the same subnet */
 	  complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
 	}    
-      
-      if (!iface_enumerate(AF_INET, &parm, complete_context))
-	return;
-
-      /* We're relaying this request */
-      if  (parm.relay_local.s_addr != 0 &&
-	   relay_upstream4(parm.relay, mess, (size_t)sz, iface_index))
+            
+      if (!iface_enumerate(AF_INET, &parm, (callback_t){.af_inet=complete_context}))
 	return;

+      relay_upstream4(iface_index, mess, (size_t)sz);
+       
      /* May have configured relay, but not DHCP server */
      if (!daemon->dhcp)
 	return;
@@ -397,11 +391,16 @@ void dhcp_packet(time_t now, int pxe_fd)
      struct in_pktinfo *pkt;
      msg.msg_control = control_u.control;
      msg.msg_controllen = sizeof(control_u);
+
+      /* alignment padding passed to the kernel should not be uninitialised. */
+      memset(&control_u, 0, sizeof(control_u));
+
      cmptr = CMSG_FIRSTHDR(&msg);
      pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
      pkt->ipi_ifindex = rcvd_iface_index;
      pkt->ipi_spec_dst.s_addr = 0;
-      msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+      msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
+      cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
      cmptr->cmsg_level = IPPROTO_IP;
      cmptr->cmsg_type = IP_PKTINFO;

@@ -454,6 +453,17 @@ void dhcp_packet(time_t now, int pxe_fd)
 #elif defined(HAVE_BSD_NETWORK)
  else 
    {
+#ifdef HAVE_DUMPFILE
+      if (ntohs(mess->flags) & 0x8000)
+        dest.sin_addr.s_addr = INADDR_BROADCAST;
+      else
+        dest.sin_addr = mess->yiaddr;
+      dest.sin_port = htons(daemon->dhcp_client_port);
+      
+      dump_packet_udp(DUMP_DHCP, (void *)iov.iov_base, iov.iov_len, NULL,
+		      (union mysockaddr *)&dest, fd);
+#endif
+      
      send_via_bpf(mess, iov.iov_len, iface_addr, &ifr);
      return;
    }
@@ -462,13 +472,21 @@ void dhcp_packet(time_t now, int pxe_fd)
 #ifdef HAVE_SOLARIS_NETWORK
  setsockopt(fd, IPPROTO_IP, IP_BOUND_IF, &iface_index, sizeof(iface_index));
 #endif
+
+#ifdef HAVE_DUMPFILE
+  dump_packet_udp(DUMP_DHCP, (void *)iov.iov_base, iov.iov_len, NULL,
+		  (union mysockaddr *)&dest, fd);
+#endif
  
  while(retry_send(sendmsg(fd, &msg, 0)));

  /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
  if (errno != 0)
-    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
-	      inet_ntoa(dest.sin_addr), strerror(errno));
+    {
+      inet_ntop(AF_INET, &dest.sin_addr, daemon->addrbuff, ADDRSTRLEN);
+      my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
+		daemon->addrbuff, strerror(errno));
+    }
 }

 /* check against secondary interface addresses */
@@ -507,33 +525,84 @@ static int check_listen_addrs(struct in_addr local, int if_index, char *label,

   Note that the current chain may be superseded later for configured hosts or those coming via gateways. */

+static void guess_range_netmask(struct in_addr addr, struct in_addr netmask)
+{
+  struct dhcp_context *context;
+
+  for (context = daemon->dhcp; context; context = context->next)
+    if (!(context->flags & CONTEXT_NETMASK) &&
+	(is_same_net(addr, context->start, netmask) ||
+	 is_same_net(addr, context->end, netmask)))
+      { 
+	if (context->netmask.s_addr != netmask.s_addr &&
+	    !(is_same_net(addr, context->start, netmask) &&
+	      is_same_net(addr, context->end, netmask)))
+	  {
+	    inet_ntop(AF_INET, &context->start, daemon->dhcp_buff, DHCP_BUFF_SZ);
+	    inet_ntop(AF_INET, &context->end, daemon->dhcp_buff2, DHCP_BUFF_SZ);
+	    inet_ntop(AF_INET, &netmask, daemon->addrbuff, ADDRSTRLEN);
+	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
+		      daemon->dhcp_buff, daemon->dhcp_buff2, daemon->addrbuff);
+	  }	
+	context->netmask = netmask;
+      }
+}
+
 static int complete_context(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
 {
  struct dhcp_context *context;
  struct dhcp_relay *relay;
  struct iface_param *param = vparam;
-
+  struct shared_network *share;
+  
  (void)label;
+
+  for (share = daemon->shared_networks; share; share = share->next)
+    {
+      
+#ifdef HAVE_DHCP6
+      if (share->shared_addr.s_addr == 0)
+	continue;
+#endif
+      
+      if (share->if_index != 0)
+	{
+	  if (share->if_index != if_index)
+	    continue;
+	}
+      else
+	{
+	  if (share->match_addr.s_addr != local.s_addr)
+	    continue;
+	}
+
+      for (context = daemon->dhcp; context; context = context->next)
+	{
+	  if (context->netmask.s_addr != 0 &&
+	      is_same_net(share->shared_addr, context->start, context->netmask) &&
+	      is_same_net(share->shared_addr, context->end, context->netmask))
+	    {
+	      /* link it onto the current chain if we've not seen it before */
+	      if (context->current == context)
+		{
+		  /* For a shared network, we have no way to guess what the default route should be. */
+		  context->router.s_addr = 0;
+		  context->local = local; /* Use configured address for Server Identifier */
+		  context->current = param->current;
+		  param->current = context;
+		}
+	      
+	      if (!(context->flags & CONTEXT_BRDCAST))
+		context->broadcast.s_addr  = context->start.s_addr | ~context->netmask.s_addr;
+	    }		
+	}
+    }
+
+  guess_range_netmask(local, netmask);
  
  for (context = daemon->dhcp; context; context = context->next)
    {
-      if (!(context->flags & CONTEXT_NETMASK) &&
-	  (is_same_net(local, context->start, netmask) ||
-	   is_same_net(local, context->end, netmask)))
-      { 
-	if (context->netmask.s_addr != netmask.s_addr &&
-	    !(is_same_net(local, context->start, netmask) &&
-	      is_same_net(local, context->end, netmask)))
-	  {
-	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
-	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
-	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
-		      daemon->dhcp_buff, daemon->dhcp_buff2, inet_ntoa(netmask));
-	  }	
- 	context->netmask = netmask;
-      }
-      
      if (context->netmask.s_addr != 0 &&
 	  is_same_net(local, context->start, context->netmask) &&
 	  is_same_net(local, context->end, context->netmask))
@@ -558,14 +627,9 @@ static int complete_context(struct in_addr local, int if_index, char *label,
    }

  for (relay = daemon->relay4; relay; relay = relay->next)
-    if (if_index == param->ind && relay->local.addr.addr4.s_addr == local.s_addr && relay->current == relay &&
-	(param->relay_local.s_addr == 0 || param->relay_local.s_addr == local.s_addr))
-      {
-	relay->current = param->relay;
-	param->relay = relay;
-	param->relay_local = local;	
-      }
-
+    if (relay->local.addr4.s_addr == local.s_addr)
+      relay->iface_index = if_index;
+  
  return 1;
 }
 	  
@@ -678,7 +742,7 @@ struct ping_result *do_icmp_ping(time_t now, struct in_addr addr, unsigned int h
  if ((count >= max) || option_bool(OPT_NO_PING) || loopback)
    {
      /* overloaded, or configured not to check, loopback interface, return "not in use" */
-      dummy.hash = 0;
+      dummy.hash = hash;
      return &dummy;
    }
  else if (icmp_ping(addr))
@@ -765,24 +829,33 @@ int address_allocate(struct dhcp_context *context,
 		(!IN_CLASSC(ntohl(addr.s_addr)) || 
 		 ((ntohl(addr.s_addr) & 0xff) != 0xff && ((ntohl(addr.s_addr) & 0xff) != 0x0))))
 	      {
-		struct ping_result *r;
-		
-		if ((r = do_icmp_ping(now, addr, j, loopback)))
- 		  {
-		    /* consec-ip mode: we offered this address for another client
-		       (different hash) recently, don't offer it to this one. */
-		    if (!option_bool(OPT_CONSEC_ADDR) || r->hash == j)
-		      {
-			*addrp = addr;
-			return 1;
-		      }
-		  }
+		/* in consec-ip mode, skip addresses equal to
+		   the number of addresses rejected by clients. This
+		   should avoid the same client being offered the same
+		   address after it has rjected it. */
+		if (option_bool(OPT_CONSEC_ADDR) && c->addr_epoch)
+		  c->addr_epoch--;
 		else
 		  {
-		    /* address in use: perturb address selection so that we are
-		       less likely to try this address again. */
-		    if (!option_bool(OPT_CONSEC_ADDR))
-		      c->addr_epoch++;
+		    struct ping_result *r;
+		    
+		    if ((r = do_icmp_ping(now, addr, j, loopback)))
+		      {
+			/* consec-ip mode: we offered this address for another client
+			   (different hash) recently, don't offer it to this one. */
+			if (!option_bool(OPT_CONSEC_ADDR) || r->hash == j)
+			  {
+			    *addrp = addr;
+			    return 1;
+			  }
+		      }
+		    else
+		      {
+			/* address in use: perturb address selection so that we are
+			   less likely to try this address again. */
+			if (!option_bool(OPT_CONSEC_ADDR))
+			  c->addr_epoch++;
+		      }
 		  }
 	      }
 	    
@@ -840,14 +913,14 @@ void dhcp_read_ethers(void)
      
      lineno++;
      
-      while (strlen(buff) > 0 && isspace((int)buff[strlen(buff)-1]))
+      while (strlen(buff) > 0 && isspace((unsigned char)buff[strlen(buff)-1]))
 	buff[strlen(buff)-1] = 0;
      
      if ((*buff == '#') || (*buff == '+') || (*buff == 0))
 	continue;
      
-      for (ip = buff; *ip && !isspace((int)*ip); ip++);
-      for(; *ip && isspace((int)*ip); ip++)
+      for (ip = buff; *ip && !isspace((unsigned char)*ip); ip++);
+      for(; *ip && isspace((unsigned char)*ip); ip++)
 	*ip = 0;
      if (!*ip || parse_hex(buff, hwaddr, ETHER_ADDR_LEN, NULL, NULL) != ETHER_ADDR_LEN)
 	{
@@ -862,7 +935,7 @@ void dhcp_read_ethers(void)
      
      if (!*cp)
 	{
-	  if ((addr.s_addr = inet_addr(ip)) == (in_addr_t)-1)
+	  if (inet_pton(AF_INET, ip, &addr.s_addr) < 1)
 	    {
 	      my_syslog(MS_DHCP | LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
 	      continue;
@@ -971,7 +1044,7 @@ char *host_from_dns(struct in_addr addr)
  if (daemon->port == 0)
    return NULL; /* DNS disabled. */
  
-  lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
+  lookup = cache_find_by_addr(NULL, (union all_addr *)&addr, 0, F_IPV4);

  if (lookup && (lookup->flags & F_HOSTS))
    {
@@ -988,8 +1061,7 @@ char *host_from_dns(struct in_addr addr)
      if (!legal_hostname(hostname))
 	return NULL;
      
-      strncpy(daemon->dhcp_buff, hostname, 256);
-      daemon->dhcp_buff[255] = 0;
+      safe_strncpy(daemon->dhcp_buff, hostname, 256);
      strip_hostname(daemon->dhcp_buff);

      return daemon->dhcp_buff;
@@ -998,54 +1070,102 @@ char *host_from_dns(struct in_addr addr)
  return NULL;
 }

-static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess, size_t sz, int iface_index)
+static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
 {
-  /* ->local is same value for all relays on ->current chain */
-  struct all_addr from;
-  
+  struct in_addr giaddr = mess->giaddr;
+  u8 hops = mess->hops;
+  struct dhcp_relay *relay;
+
  if (mess->op != BOOTREQUEST)
-    return 0;
+    return;

-  /* source address == relay address */
-  from.addr.addr4 = relay->local.addr.addr4;
+  for (relay = daemon->relay4; relay; relay = relay->next)
+    if (relay->iface_index != 0 && relay->iface_index == iface_index)
+      break;
+
+  /* No relay config. */
+  if (!relay)
+    return;
  
-  /* already gatewayed ? */
-  if (mess->giaddr.s_addr)
-    {
-      /* if so check if by us, to stomp on loops. */
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
-	return 1;
-    }
-  else
-    {
-      /* plug in our address */
-      mess->giaddr.s_addr = relay->local.addr.addr4.s_addr;
-    }
+  for (; relay; relay = relay->next)
+    if (relay->iface_index != 0 && relay->iface_index == iface_index)
+      {
+	union mysockaddr to;
+	union all_addr from;

-  if ((mess->hops++) > 20)
-    return 1;
+	mess->hops = hops;
+	mess->giaddr = giaddr;
+	
+	if ((mess->hops++) > 20)
+	  continue;
+	
+	/* source address == relay address */
+	from.addr4 = relay->local.addr4;

-  for (; relay; relay = relay->current)
-    {
-      union mysockaddr to;
-      
-      to.sa.sa_family = AF_INET;
-      to.in.sin_addr = relay->server.addr.addr4;
-      to.in.sin_port = htons(daemon->dhcp_server_port);
-      
-      send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
-      
-      if (option_bool(OPT_LOG_OPTS))
+	/* already gatewayed ? */
+	if (giaddr.s_addr)
+	  {
+	    /* if so check if by us, to stomp on loops. */
+	    if (giaddr.s_addr == relay->local.addr4.s_addr)
+	      continue;
+	  }
+	else
+	  {
+	    /* plug in our address */
+	    mess->giaddr.s_addr = relay->local.addr4.s_addr;
+	  }
+	
+	to.sa.sa_family = AF_INET;
+	to.in.sin_addr = relay->server.addr4;
+	to.in.sin_port = htons(relay->port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+	to.in.sin_len = sizeof(struct sockaddr_in);
+#endif
+	
+	/* Broadcasting to server. */
+	if (relay->server.addr4.s_addr == 0)
+	  {
+	    struct ifreq ifr;
+	    
+	    if (relay->interface)
+	      safe_strncpy(ifr.ifr_name, relay->interface, IF_NAMESIZE);
+	    
+	    if (!relay->interface || strchr(relay->interface, '*') ||
+		ioctl(daemon->dhcpfd, SIOCGIFBRDADDR, &ifr) == -1)
+	      {
+		my_syslog(MS_DHCP | LOG_ERR, _("Cannot broadcast DHCP relay via interface %s"), relay->interface);
+		continue;
+	      }
+	    
+	    to.in.sin_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	  }
+	
+#ifdef HAVE_DUMPFILE
 	{
-	  inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr.addr4));
+	  union mysockaddr fromsock;
+	  fromsock.in.sin_port = htons(daemon->dhcp_server_port);
+	  fromsock.in.sin_addr = from.addr4;
+	  fromsock.sa.sa_family = AF_INET;
+
+	  dump_packet_udp(DUMP_DHCP, (void *)mess, sz, &fromsock, &to, -1);
 	}
-      
-      /* Save this for replies */
-      relay->iface_index = iface_index;
-    }
+#endif
+	
+	 send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
+	 
+	 if (option_bool(OPT_LOG_OPTS))
+	   {
+	     inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
+	     if (relay->server.addr4.s_addr == 0)
+	       snprintf(daemon->dhcp_buff2, DHCP_BUFF_SZ, _("broadcast via %s"), relay->interface);
+	     else
+	       inet_ntop(AF_INET, &relay->server.addr4, daemon->dhcp_buff2, DHCP_BUFF_SZ);
+	     my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay at %s -> %s"), daemon->addrbuff, daemon->dhcp_buff2);
+	   }
+      }
  
-  return 1;
+  /* restore in case of a local reply. */
+  mess->giaddr = giaddr;
 }


@@ -1058,7 +1178,7 @@ static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_i

  for (relay = daemon->relay4; relay; relay = relay->next)
    {
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
+      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
 	{
 	  if (!relay->interface || wildcard_match(relay->interface, arrival_interface))
 	    return relay->iface_index != 0 ? relay : NULL;
--- a/src/dhcp6-protocol.h
+++ b/src/dhcp6-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -55,16 +55,19 @@
 #define OPTION6_RECONF_ACCEPT   20
 #define OPTION6_DNS_SERVER      23
 #define OPTION6_DOMAIN_SEARCH   24
+#define OPTION6_IA_PD           25
+#define OPTION6_IAPREFIX        26
 #define OPTION6_REFRESH_TIME    32
 #define OPTION6_REMOTE_ID       37
 #define OPTION6_SUBSCRIBER_ID   38
 #define OPTION6_FQDN            39
+#define OPTION6_NTP_SERVER      56
 #define OPTION6_CLIENT_MAC      79
+#define OPTION6_MUD_URL         112

-/* replace this with the real number when allocated.
-   defining this also enables the relevant code. */ 
-/* #define OPTION6_PREFIX_CLASS    99 */
-
+#define NTP_SUBOPTION_SRV_ADDR  1
+#define NTP_SUBOPTION_MC_ADDR   2
+#define NTP_SUBOPTION_SRV_FQDN  3

 #define DHCP6SUCCESS     0
 #define DHCP6UNSPEC      1
@@ -72,4 +75,3 @@
 #define DHCP6NOBINDING   3
 #define DHCP6NOTONLINK   4
 #define DHCP6USEMULTI    5
-
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -22,8 +22,7 @@

 struct iface_param {
  struct dhcp_context *current;
-  struct dhcp_relay *relay;
-  struct in6_addr fallback, relay_local, ll_addr, ula_addr;
+  struct in6_addr fallback, ll_addr, ula_addr;
  int ind, addr_match;
 };

@@ -90,11 +89,10 @@ void dhcp6_init(void)
 void dhcp6_packet(time_t now)
 {
  struct dhcp_context *context;
-  struct dhcp_relay *relay;
  struct iface_param parm;
  struct cmsghdr *cmptr;
  struct msghdr msg;
-  int if_index = 0;
+  uint32_t if_index = 0;
  union {
    struct cmsghdr align; /* this ensures alignment */
    char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
@@ -105,7 +103,8 @@ void dhcp6_packet(time_t now)
  struct iname *tmp;
  unsigned short port;
  struct in6_addr dst_addr;
-
+  struct in6_addr all_servers;
+  
  memset(&dst_addr, 0, sizeof(dst_addr));

  msg.msg_control = control_u.control6;
@@ -134,28 +133,66 @@ void dhcp6_packet(time_t now)

  if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
    return;
+  
+#ifdef HAVE_LINUX_NETWORK
+  /* This works around a possible Linux kernel bug when using interfaces
+     enslaved to a VRF. The scope_id in the source address gets set
+     to the index of the VRF interface, not the slave. Fortunately,
+     the interface index returned by packetinfo is correct so we use
+     that instead. Log this once, so if it triggers in other circumstances
+     we've not anticipated and breaks things, we get some clues. */
+  if (from.sin6_scope_id != if_index)
+    {
+      static int logged = 0;
+      
+      if (!logged)
+	{
+	  my_syslog(MS_DHCP | LOG_WARNING,
+		    _("Working around kernel bug: faulty source address scope for VRF slave %s"),
+		    ifr.ifr_name);
+	  logged = 1;
+	}
+      
+      from.sin6_scope_id = if_index;
+    }
+#endif

-  if ((port = relay_reply6(&from, sz, ifr.ifr_name)) == 0)
+#ifdef HAVE_DUMPFILE
+  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->dhcp_packet.iov_base, sz,
+		  (union mysockaddr *)&from, NULL, daemon->dhcp6fd);
+#endif
+
+  if (relay_reply6(&from, sz, ifr.ifr_name))
+    {
+#ifdef HAVE_DUMPFILE
+      dump_packet_udp(DUMP_DHCPV6, (void *)daemon->outpacket.iov_base, save_counter(-1), NULL,
+		      (union mysockaddr *)&from, daemon->dhcp6fd);
+#endif
+      
+      while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
+			       save_counter(-1), 0, (struct sockaddr *)&from, 
+			       sizeof(from))));
+    }
+  else
    {
      struct dhcp_bridge *bridge, *alias;
-
+      
      for (tmp = daemon->if_except; tmp; tmp = tmp->next)
 	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
      
      for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_6) &&
+	    wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
      
      parm.current = NULL;
-      parm.relay = NULL;
-      memset(&parm.relay_local, 0, IN6ADDRSZ);
      parm.ind = if_index;
      parm.addr_match = 0;
      memset(&parm.fallback, 0, IN6ADDRSZ);
      memset(&parm.ll_addr, 0, IN6ADDRSZ);
      memset(&parm.ula_addr, 0, IN6ADDRSZ);
-
+      
      /* If the interface on which the DHCPv6 request was received is
         an alias of some other interface (as specified by the
         --bridge-interface option), change parm.ind so that we look
@@ -193,13 +230,25 @@ void dhcp6_packet(time_t now)
 	    context->current = context;
 	    memset(&context->local6, 0, IN6ADDRSZ);
 	  }
-
-      for (relay = daemon->relay6; relay; relay = relay->next)
-	relay->current = relay;
      
-      if (!iface_enumerate(AF_INET6, &parm, complete_context6))
+      /* Ignore requests sent to the ALL_SERVERS multicast address for relay when
+	 we're listening there for DHCPv6 server reasons. */
+      inet_pton(AF_INET6, ALL_SERVERS, &all_servers);
+      
+      if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers) &&
+	  relay_upstream6(if_index, (size_t)sz, &from.sin6_addr, from.sin6_scope_id, now))
 	return;
-
+      
+      if (!iface_enumerate(AF_INET6, &parm, (callback_t){.af_inet6=complete_context6}))
+	return;
+      
+      /* Check for a relay again after iface_enumerate/complete_context has had
+	 chance to fill in relay->iface_index fields. This handles first time through
+	 and any changes in interface config. */
+      if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers) &&
+	  relay_upstream6(if_index, (size_t)sz, &from.sin6_addr, from.sin6_scope_id, now))
+	return;
+      
      if (daemon->if_names || daemon->if_addrs)
 	{
 	  
@@ -211,43 +260,37 @@ void dhcp6_packet(time_t now)
 	    return;
 	}
      
-      if (parm.relay)
-	{
-	  /* Ignore requests sent to the ALL_SERVERS multicast address for relay when
-	     we're listening there for DHCPv6 server reasons. */
-	  struct in6_addr all_servers;
-	  
-	  inet_pton(AF_INET6, ALL_SERVERS, &all_servers);
-	  
-	  if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers))
-	    relay_upstream6(parm.relay, sz, &from.sin6_addr, from.sin6_scope_id, now);
-	  return;
-	}
-      
      /* May have configured relay, but not DHCP server */
      if (!daemon->doing_dhcp6)
 	return;
-
+      
      lease_prune(NULL, now); /* lose any expired leases */
      
      port = dhcp6_reply(parm.current, if_index, ifr.ifr_name, &parm.fallback, 
 			 &parm.ll_addr, &parm.ula_addr, sz, &from.sin6_addr, now);
      
+      /* The port in the source address of the original request should
+	 be correct, but at least once client sends from the server port,
+	 so we explicitly send to the client port to a client, and the
+	 server port to a relay. */
+      if (port != 0)
+	{
+	  from.sin6_port = htons(port);
+	  
+#ifdef HAVE_DUMPFILE
+	  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->outpacket.iov_base, save_counter(-1),
+			  NULL, (union mysockaddr *)&from, daemon->dhcp6fd);
+#endif 
+	  
+	  while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base,
+				   save_counter(-1), 0, (struct sockaddr *)&from, sizeof(from))));
+	}
+      
+      /* These need to be called _after_ we send DHCPv6 packet, since lease_update_file()
+	 may trigger sending an RA packet, which overwrites our buffer. */
      lease_update_file(now);
      lease_update_dns(0);
    }
-			  
-  /* The port in the source address of the original request should
-     be correct, but at least once client sends from the server port,
-     so we explicitly send to the client port to a client, and the
-     server port to a relay. */
-  if (port != 0)
-    {
-      from.sin6_port = htons(port);
-      while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
-			       save_counter(0), 0, (struct sockaddr *)&from, 
-			       sizeof(from))));
-    }
 }

 void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep, time_t now)
@@ -283,7 +326,7 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsi
      if ((maclen = find_mac(&addr, mac, 0, now)) != 0)
 	break;
 	  
-      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr));
+      while(retry_send(sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr))));
      
      ts.tv_sec = 0;
      ts.tv_nsec = 100000000; /* 100ms */
@@ -299,106 +342,133 @@ static int complete_context6(struct in6_addr *local,  int prefix,
 			     unsigned int valid, void *vparam)
 {
  struct dhcp_context *context;
+  struct shared_network *share;
  struct dhcp_relay *relay;
  struct iface_param *param = vparam;
  struct iname *tmp;
+  int match = !daemon->if_addrs;
 
  (void)scope; /* warning */
  
-  if (if_index == param->ind)
-    {
-      if (IN6_IS_ADDR_LINKLOCAL(local))
-	param->ll_addr = *local;
-      else if (IN6_IS_ADDR_ULA(local))
-	param->ula_addr = *local;
-
-      if (!IN6_IS_ADDR_LOOPBACK(local) &&
-	  !IN6_IS_ADDR_LINKLOCAL(local) &&
-	  !IN6_IS_ADDR_MULTICAST(local))
-	{
-	  /* if we have --listen-address config, see if the 
-	     arrival interface has a matching address. */
-	  for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
-	    if (tmp->addr.sa.sa_family == AF_INET6 &&
-		IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, local))
-	      param->addr_match = 1;
-	  
-	  /* Determine a globally address on the arrival interface, even
-	     if we have no matching dhcp-context, because we're only
-	     allocating on remote subnets via relays. This
-	     is used as a default for the DNS server option. */
-	  param->fallback = *local;
-	  
-	  for (context = daemon->dhcp6; context; context = context->next)
-	    {
-	      if ((context->flags & CONTEXT_DHCP) &&
-		  !(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
-		  prefix <= context->prefix &&
-		  is_same_net6(local, &context->start6, context->prefix) &&
-		  is_same_net6(local, &context->end6, context->prefix))
-		{
-		  
-		  
-		  /* link it onto the current chain if we've not seen it before */
-		  if (context->current == context)
-		    {
-		      struct dhcp_context *tmp, **up;
-		      
-		      /* use interface values only for constructed contexts */
-		      if (!(context->flags & CONTEXT_CONSTRUCTED))
-			preferred = valid = 0xffffffff;
-		      else if (flags & IFACE_DEPRECATED)
-			preferred = 0;
-		      
-		      if (context->flags & CONTEXT_DEPRECATE)
-			preferred = 0;
-		      
-		      /* order chain, longest preferred time first */
-		      for (up = &param->current, tmp = param->current; tmp; tmp = tmp->current)
-			if (tmp->preferred <= preferred)
-			  break;
-			else
-			  up = &tmp->current;
-		      
-		      context->current = *up;
-		      *up = context;
-		      context->local6 = *local;
-		      context->preferred = preferred;
-		      context->valid = valid;
-		    }
-		}
-	    }
-	}
-
-      for (relay = daemon->relay6; relay; relay = relay->next)
-	if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr.addr6) && relay->current == relay &&
-	    (IN6_IS_ADDR_UNSPECIFIED(&param->relay_local) || IN6_ARE_ADDR_EQUAL(local, &param->relay_local)))
-	  {
-	    relay->current = param->relay;
-	    param->relay = relay;
-	    param->relay_local = *local;
-	  }
+  if (if_index != param->ind)
+    return 1;
+  
+  if (IN6_IS_ADDR_LINKLOCAL(local))
+    param->ll_addr = *local;
+  else if (IN6_IS_ADDR_ULA(local))
+    param->ula_addr = *local;
      
-    }          
- 
- return 1;
+  if (IN6_IS_ADDR_LOOPBACK(local) ||
+      IN6_IS_ADDR_LINKLOCAL(local) ||
+      IN6_IS_ADDR_MULTICAST(local))
+    return 1;
+  
+  /* if we have --listen-address config, see if the 
+     arrival interface has a matching address. */
+  for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
+    if (tmp->addr.sa.sa_family == AF_INET6 &&
+	IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, local))
+      match = param->addr_match = 1;
+  
+  /* Determine a globally address on the arrival interface, even
+     if we have no matching dhcp-context, because we're only
+     allocating on remote subnets via relays. This
+     is used as a default for the DNS server option. */
+  param->fallback = *local;
+  
+  for (context = daemon->dhcp6; context; context = context->next)
+    if ((context->flags & CONTEXT_DHCP) &&
+	!(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
+	prefix <= context->prefix &&
+	context->current == context)
+      {
+	if (is_same_net6(local, &context->start6, context->prefix) &&
+	    is_same_net6(local, &context->end6, context->prefix))
+	  {
+	    struct dhcp_context *tmp, **up;
+	    
+	    /* use interface values only for constructed contexts */
+	    if (!(context->flags & CONTEXT_CONSTRUCTED))
+	      preferred = valid = 0xffffffff;
+	    else if (flags & IFACE_DEPRECATED)
+	      preferred = 0;
+		    
+	    if (context->flags & CONTEXT_DEPRECATE)
+	      preferred = 0;
+	    
+	    /* order chain, longest preferred time first */
+	    for (up = &param->current, tmp = param->current; tmp; tmp = tmp->current)
+	      if (tmp->preferred <= preferred)
+		break;
+	      else
+		up = &tmp->current;
+	    
+	    context->current = *up;
+	    *up = context;
+	    context->local6 = *local;
+	    context->preferred = preferred;
+	    context->valid = valid;
+	  }
+	else
+	  {
+	    for (share = daemon->shared_networks; share; share = share->next)
+	      {
+		/* IPv4 shared_address - ignore */
+		if (share->shared_addr.s_addr != 0)
+		  continue;
+			
+		if (share->if_index != 0)
+		  {
+		    if (share->if_index != if_index)
+		      continue;
+		  }
+		else
+		  {
+		    if (!IN6_ARE_ADDR_EQUAL(&share->match_addr6, local))
+		      continue;
+		  }
+		
+		if (is_same_net6(&share->shared_addr6, &context->start6, context->prefix) &&
+		    is_same_net6(&share->shared_addr6, &context->end6, context->prefix))
+		  {
+		    context->current = param->current;
+		    param->current = context;
+		    context->local6 = *local;
+		    context->preferred = context->flags & CONTEXT_DEPRECATE ? 0 :0xffffffff;
+		    context->valid = 0xffffffff;
+		  }
+	      }
+	  }      
+      }
+  
+  if (match)
+    for (relay = daemon->relay6; relay; relay = relay->next)
+      if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr6))
+	relay->iface_index = if_index;
+  
+  return 1;
 }

-struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix, u64 addr)
+struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix,  struct in6_addr *addr)
 {
  struct dhcp_config *config;
  
  for (config = configs; config; config = config->next)
-    if ((config->flags & CONFIG_ADDR6) &&
-	is_same_net6(&config->addr6, net, prefix) &&
-	(prefix == 128 || addr6part(&config->addr6) == addr))
-      return config;
+    if (config->flags & CONFIG_ADDR6)
+      {
+	struct addrlist *addr_list;
+	
+	for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	  if ((!net || is_same_net6(&addr_list->addr.addr6, net, prefix) || ((addr_list->flags & ADDRLIST_WILDCARD) && prefix == 64)) &&
+	      is_same_net6(&addr_list->addr.addr6, addr, (addr_list->flags & ADDRLIST_PREFIX) ? addr_list->prefixlen : 128))
+	    return config;
+      }
  
  return NULL;
 }

 struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned char *clid, int clid_len, int temp_addr,
-				       int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)   
+				       unsigned int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)
 {
  /* Find a free address: exclude anything in use and anything allocated to
     a particular hwaddr/clientid/hostname in our configuration.
@@ -431,8 +501,15 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
      else
 	{ 
 	  if (!temp_addr && option_bool(OPT_CONSEC_ADDR))
-	    /* seed is largest extant lease addr in this context */
-	    start = lease_find_max_addr6(c) + serial;
+	    {
+	      /* seed is largest extant lease addr in this context,
+		 skip addresses equal to the number of addresses rejected
+		 by clients. This should avoid the same client being offered the same
+		 address after it has rjected it. */
+	      start = lease_find_max_addr6(c) + 1 + serial + c->addr_epoch;
+	      if (c->addr_epoch)
+		c->addr_epoch--;
+	    }
 	  else
 	    {
 	      u64 range = 1 + addr6part(&c->end6) - addr6part(&c->start6);
@@ -453,16 +530,15 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
 	    for (d = context; d; d = d->current)
 	      if (addr == addr6part(&d->local6))
 		break;
+	    
+	    *ans = c->start6;
+	    setaddr6part (ans, addr);

 	    if (!d &&
 		!lease6_find_by_addr(&c->start6, c->prefix, addr) && 
-		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, addr))
-	      {
-		*ans = c->start6;
-		setaddr6part (ans, addr);
-		return c;
-	      }
-	
+		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, ans))
+	      return c;
+	    
 	    addr++;
 	    
 	    if (addr  == addr6part(&c->end6) + 1)
@@ -516,27 +592,6 @@ struct dhcp_context *address6_valid(struct dhcp_context *context,
  return NULL;
 }

-int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr)
-{
-  if (!config || !(config->flags & CONFIG_ADDR6))
-    return 0;
-
-  if ((config->flags & CONFIG_WILDCARD) && context->prefix == 64)
-    {
-      *addr = context->start6;
-      setaddr6part(addr, addr6part(&config->addr6));
-      return 1;
-    }
-  
-  if (is_same_net6(&context->start6, &config->addr6, context->prefix))
-    {
-      *addr = config->addr6;
-      return 1;
-    }
-  
-  return 0;
-}
-
 void make_duid(time_t now)
 {
  (void)now;
@@ -562,7 +617,7 @@ void make_duid(time_t now)
 	newnow = now - 946684800;
 #endif      
      
-      iface_enumerate(AF_LOCAL, &newnow, make_duid1);
+      iface_enumerate(AF_LOCAL, &newnow, (callback_t){.af_local=make_duid1});
      
      if(!daemon->duid)
 	die("Cannot create DHCPv6 server DUID: %s", NULL, EC_MISC);
@@ -612,12 +667,13 @@ struct cparam {

 static int construct_worker(struct in6_addr *local, int prefix, 
 			    int scope, int if_index, int flags, 
-			    int preferred, int valid, void *vparam)
+			    unsigned int preferred, unsigned int valid, void *vparam)
 {
  char ifrn_name[IFNAMSIZ];
  struct in6_addr start6, end6;
  struct dhcp_context *template, *context;
-
+  struct iname *tmp;
+  
  (void)scope;
  (void)flags;
  (void)valid;
@@ -636,17 +692,30 @@ static int construct_worker(struct in6_addr *local, int prefix,
  if (flags & IFACE_DEPRECATED)
    return 1;

-  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name))
-    return 0;
+  /* Ignore interfaces where we're not doing RA/DHCP6 */
+  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name) ||
+      !iface_check(AF_LOCAL, NULL, ifrn_name, NULL))
+    return 1;
  
+  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+    if (tmp->name && wildcard_match(tmp->name, ifrn_name))
+      return 1;
+
  for (template = daemon->dhcp6; template; template = template->next)
-    if (!(template->flags & CONTEXT_TEMPLATE))
+    if (!(template->flags & (CONTEXT_TEMPLATE | CONTEXT_CONSTRUCTED)))
      {
 	/* non-template entries, just fill in interface and local addresses */
 	if (prefix <= template->prefix &&
 	    is_same_net6(local, &template->start6, template->prefix) &&
 	    is_same_net6(local, &template->end6, template->prefix))
 	  {
+	    /* First time found, do fast RA. */
+	    if (template->if_index == 0)
+	      {
+		ra_start_unsolicited(param->now, template);
+		param->newone = 1;
+	      }
+	    
 	    template->if_index = if_index;
 	    template->local6 = *local;
 	  }
@@ -661,24 +730,33 @@ static int construct_worker(struct in6_addr *local, int prefix,
 	setaddr6part(&end6, addr6part(&template->end6));
 	
 	for (context = daemon->dhcp6; context; context = context->next)
-	  if ((context->flags & CONTEXT_CONSTRUCTED) &&
+	  if (!(context->flags & CONTEXT_TEMPLATE) &&
 	      IN6_ARE_ADDR_EQUAL(&start6, &context->start6) &&
 	      IN6_ARE_ADDR_EQUAL(&end6, &context->end6))
 	    {
-	      int flags = context->flags;
-	      context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
-	      if (flags & CONTEXT_OLD)
+	      /* If there's an absolute address context covering this address
+		 then don't construct one as well. */
+	      if (!(context->flags & CONTEXT_CONSTRUCTED))
+		break;
+	      
+	      if (context->if_index == if_index)
 		{
-		  /* address went, now it's back */
-		  log_context(AF_INET6, context); 
-		  /* fast RAs for a while */
-		  ra_start_unsolicited(param->now, context);
-		  param->newone = 1; 
-		  /* Add address to name again */
-		  if (context->flags & CONTEXT_RA_NAME)
-		    param->newname = 1;
+		  int cflags = context->flags;
+		  context->flags &= ~(CONTEXT_GC | CONTEXT_OLD);
+		  if (cflags & CONTEXT_OLD)
+		    {
+		      /* address went, now it's back, and on the same interface */
+		      log_context(AF_INET6, context); 
+		      /* fast RAs for a while */
+		      ra_start_unsolicited(param->now, context);
+		      param->newone = 1; 
+		      /* Add address to name again */
+		      if (context->flags & CONTEXT_RA_NAME)
+			param->newname = 1;
+		    
+		    }
+		  break;
 		}
-	      break;
 	    }
 	
 	if (!context && (context = whine_malloc(sizeof (struct dhcp_context))))
@@ -723,7 +801,7 @@ void dhcp_construct_contexts(time_t now)
    if (context->flags & CONTEXT_CONSTRUCTED)
      context->flags |= CONTEXT_GC;
   
-  iface_enumerate(AF_INET6, &param, construct_worker);
+  iface_enumerate(AF_INET6, &param, (callback_t){.af_inet6=construct_worker});

  for (up = &daemon->dhcp6, context = daemon->dhcp6; context; context = tmp)
    {
@@ -778,6 +856,4 @@ void dhcp_construct_contexts(time_t now)
    }
 }

-#endif
-
-
+#endif /* HAVE_DHCP6 */
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -16,6 +16,7 @@

 #define NAMESERVER_PORT 53
 #define TFTP_PORT       69
+#define MIN_PORT        1024           /* first non-reserved port */
 #define MAX_PORT        65535u

 #define IN6ADDRSZ       16
@@ -75,11 +76,48 @@
 #define T_AXFR          252
 #define T_MAILB		253	
 #define T_ANY		255
+#define T_CAA           257

 #define EDNS0_OPTION_MAC            65001 /* dyndns.org temporary assignment */
 #define EDNS0_OPTION_CLIENT_SUBNET  8     /* IANA */
+#define EDNS0_OPTION_EDE            15    /* IANA - RFC 8914 */
 #define EDNS0_OPTION_NOMDEVICEID    65073 /* Nominum temporary assignment */
 #define EDNS0_OPTION_NOMCPEID       65074 /* Nominum temporary assignment */
+#define EDNS0_OPTION_UMBRELLA       20292 /* Cisco Umbrella temporary assignment */
+
+/* RFC-8914 extended errors, negative values are our definitions */
+#define EDE_UNSET          -1  /* No extended DNS error available */
+#define EDE_OTHER           0  /* Other */
+#define EDE_USUPDNSKEY      1  /* Unsupported DNSKEY algo */
+#define EDE_USUPDS          2  /* Unsupported DS Digest */
+#define EDE_STALE           3  /* Stale answer */
+#define EDE_FORGED          4  /* Forged answer */
+#define EDE_DNSSEC_IND      5  /* DNSSEC Indeterminate  */
+#define EDE_DNSSEC_BOGUS    6  /* DNSSEC Bogus */
+#define EDE_SIG_EXP         7  /* Signature Expired */
+#define EDE_SIG_NYV         8  /* Signature Not Yet Valid  */
+#define EDE_NO_DNSKEY       9  /* DNSKEY missing */
+#define EDE_NO_RRSIG       10  /* RRSIGs missing */
+#define EDE_NO_ZONEKEY     11  /* No Zone Key Bit Set */
+#define EDE_NO_NSEC        12  /* NSEC Missing  */
+#define EDE_CACHED_ERR     13  /* Cached Error */
+#define EDE_NOT_READY      14  /* Not Ready */
+#define EDE_BLOCKED        15  /* Blocked */
+#define EDE_CENSORED       16  /* Censored */
+#define EDE_FILTERED       17  /* Filtered */
+#define EDE_PROHIBITED     18  /* Prohibited */
+#define EDE_STALE_NXD      19  /* Stale NXDOMAIN */
+#define EDE_NOT_AUTH       20  /* Not Authoritative */
+#define EDE_NOT_SUP        21  /* Not Supported */
+#define EDE_NO_AUTH        22  /* No Reachable Authority */
+#define EDE_NETERR         23  /* Network error */
+#define EDE_INVALID_DATA   24  /* Invalid Data */
+#define EDE_SIG_E_B_V      25  /* Signature Expired before Valid */
+#define EDE_TOO_EARLY      26  /* To Early */
+#define EDE_UNS_NS3_ITER   27  /* Unsupported NSEC3 Iterations Value */
+#define EDE_UNABLE_POLICY  28  /* Unable to conform to policy */
+#define EDE_SYNTHESIZED    29  /* Synthesized */
+

 struct dns_header {
  u16 id;
@@ -104,15 +142,15 @@ struct dns_header {
 #define RCODE(x)           ((x)->hb4 & HB4_RCODE)
 #define SET_RCODE(x, code) (x)->hb4 = ((x)->hb4 & ~HB4_RCODE) | code
  
-#define GETSHORT(s, cp) { \
+#define GETSHORT(s, cp) do { \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	(s) = ((u16)t_cp[0] << 8) \
 	    | ((u16)t_cp[1]) \
 	    ; \
 	(cp) += 2; \
-}
+  } while(0)

-#define GETLONG(l, cp) { \
+#define GETLONG(l, cp) do { \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	(l) = ((u32)t_cp[0] << 24) \
 	    | ((u32)t_cp[1] << 16) \
@@ -120,17 +158,17 @@ struct dns_header {
 	    | ((u32)t_cp[3]) \
 	    ; \
 	(cp) += 4; \
-}
+  } while (0)

-#define PUTSHORT(s, cp) { \
+#define PUTSHORT(s, cp) do { \
 	u16 t_s = (u16)(s); \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	*t_cp++ = t_s >> 8; \
 	*t_cp   = t_s; \
 	(cp) += 2; \
-}
+  } while(0)

-#define PUTLONG(l, cp) { \
+#define PUTLONG(l, cp) do { \
 	u32 t_l = (u32)(l); \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	*t_cp++ = t_l >> 24; \
@@ -138,7 +176,7 @@ struct dns_header {
 	*t_cp++ = t_l >> 8; \
 	*t_cp   = t_l; \
 	(cp) += 4; \
-}
+  } while (0)

 #define CHECK_LEN(header, pp, plen, len) \
    ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen))
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
--- a/src/dnssec.c
+++ b/src/dnssec.c
--- a/src/domain-match.c
+++ b/src/domain-match.c
@@ -0,0 +1,766 @@
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+static int order(char *qdomain, size_t qlen, struct server *serv);
+static int order_qsort(const void *a, const void *b);
+static int order_servers(struct server *s, struct server *s2);
+
+/* If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the local_domains chain. */
+#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS)
+
+void build_server_array(void)
+{
+  struct server *serv;
+  int count = 0;
+  
+  for (serv = daemon->servers; serv; serv = serv->next)
+#ifdef HAVE_LOOP
+    if (!(serv->flags & SERV_LOOP))
+#endif
+      {
+	count++;
+	if (serv->flags & SERV_WILDCARD)
+	  daemon->server_has_wildcard = 1;
+      }
+  
+  for (serv = daemon->local_domains; serv; serv = serv->next)
+    {
+      count++;
+      if (serv->flags & SERV_WILDCARD)
+	daemon->server_has_wildcard = 1;
+    }
+  
+  daemon->serverarraysz = count;
+
+  if (count > daemon->serverarrayhwm)
+    {
+      struct server **new;
+
+      count += 10; /* A few extra without re-allocating. */
+
+      if ((new = whine_malloc(count * sizeof(struct server *))))
+	{
+	  if (daemon->serverarray)
+	    free(daemon->serverarray);
+	  
+	  daemon->serverarray = new;
+	  daemon->serverarrayhwm = count;
+	}
+    }
+
+  count = 0;
+  
+  for (serv = daemon->servers; serv; serv = serv->next)
+#ifdef HAVE_LOOP
+    if (!(serv->flags & SERV_LOOP))
+#endif
+      {
+	daemon->serverarray[count] = serv;
+	serv->serial = count;
+	serv->last_server = -1;
+	count++;
+      }
+  
+  for (serv = daemon->local_domains; serv; serv = serv->next, count++)
+    daemon->serverarray[count] = serv;
+  
+  qsort(daemon->serverarray, daemon->serverarraysz, sizeof(struct server *), order_qsort);
+  
+  /* servers need the location in the array to find all the whole
+     set of equivalent servers from a pointer to a single one. */
+  for (count = 0; count < daemon->serverarraysz; count++)
+    if (!(daemon->serverarray[count]->flags & SERV_IS_LOCAL))
+      daemon->serverarray[count]->arrayposn = count;
+}
+
+/* we're looking for the server whose domain is the longest exact match
+   to the RH end of qdomain, or a local address if the flags match.
+   Add '.' to the LHS of the query string so
+   server=/.example.com/ works.
+
+   A flag of F_SERVER returns an upstream server only.
+   A flag of F_DNSSECOK returns a DNSSEC capable server only and
+   also disables NODOTS servers from consideration.
+   A flag of F_DOMAINSRV returns a domain-specific server only.
+   A flag of F_CONFIG returns anything that generates a local
+   reply of IPv4 or IPV6.
+   return 0 if nothing found, 1 otherwise.
+*/
+int lookup_domain(char *domain, int flags, int *lowout, int *highout)
+{
+  int rc, crop_query, nodots;
+  ssize_t qlen;
+  int try, high, low = 0;
+  int nlow = 0, nhigh = 0;
+  char *cp, *qdomain = domain;
+
+  /* may be no configured servers. */
+  if (daemon->serverarraysz == 0)
+    return 0;
+  
+  /* find query length and presence of '.' */
+  for (cp = qdomain, nodots = 1, qlen = 0; *cp; qlen++, cp++)
+    if (*cp == '.')
+      nodots = 0;
+
+  /* Handle empty name, and searches for DNSSEC queries without
+     diverting to NODOTS servers. */
+  if (qlen == 0 || flags & F_DNSSECOK)
+    nodots = 0;
+
+  /* Search shorter and shorter RHS substrings for a match */
+  while (qlen >= 0)
+    {
+      /* Note that when we chop off a label, all the possible matches
+	 MUST be at a larger index than the nearest failing match with one more
+	 character, since the array is sorted longest to smallest. Hence 
+	 we don't reset low to zero here, we can go further below and crop the 
+	 search string to the size of the largest remaining server
+	 when this match fails. */
+      high = daemon->serverarraysz;
+      crop_query = 1;
+      
+      /* binary search */
+      while (1) 
+	{
+	  try = (low + high)/2;
+
+	  if ((rc = order(qdomain, qlen, daemon->serverarray[try])) == 0)
+	    break;
+	  
+	  if (rc < 0)
+	    {
+	      if (high == try)
+		{
+		  /* qdomain is longer or same length as longest domain, and try == 0 
+		     crop the query to the longest domain. */
+		  crop_query = qlen - daemon->serverarray[try]->domain_len;
+		  break;
+		}
+	      high = try;
+	    }
+	  else
+	    {
+	      if (low == try)
+		{
+		  /* try now points to the last domain that sorts before the query, so 
+		     we know that a substring of the query shorter than it is required to match, so
+		     find the largest domain that's shorter than try. Note that just going to
+		     try+1 is not optimal, consider searching bbb in (aaa,ccc,bb). try will point
+		     to aaa, since ccc sorts after bbb, but the first domain that has a chance to 
+		     match is bb. So find the length of the first domain later than try which is
+		     is shorter than it. 
+		     There's a nasty edge case when qdomain sorts before _any_ of the 
+		     server domains, where try _doesn't point_ to the last domain that sorts
+		     before the query, since no such domain exists. In that case, the loop 
+		     exits via the rc < 0 && high == try path above and this code is
+		     not executed. */
+		  ssize_t len, old = daemon->serverarray[try]->domain_len;
+		  while (++try != daemon->serverarraysz)
+		    {
+		      if (old != (len = daemon->serverarray[try]->domain_len))
+			{
+			  crop_query = qlen - len;
+			  break;
+			}
+		    }
+		  break;
+		}
+	      low = try;
+	    }
+	};
+      
+      if (rc == 0)
+	{
+	  int found = 1;
+
+	  if (daemon->server_has_wildcard)
+	    {
+	      /* if we have example.com and *example.com we need to check against *example.com, 
+		 but the binary search may have found either. Use the fact that example.com is sorted before *example.com
+		 We favour example.com in the case that both match (ie www.example.com) */
+	      while (try != 0 && order(qdomain, qlen, daemon->serverarray[try-1]) == 0)
+		try--;
+	      
+	      if (!(qdomain == domain || *qdomain == 0 || *(qdomain-1) == '.'))
+		{
+		  while (try < daemon->serverarraysz-1 && order(qdomain, qlen, daemon->serverarray[try+1]) == 0)
+		    try++;
+		  
+		  if (!(daemon->serverarray[try]->flags & SERV_WILDCARD))
+		     found = 0;
+		}
+	    }
+	  
+	  if (found && filter_servers(try, flags, &nlow, &nhigh))
+	    /* We have a match, but it may only be (say) an IPv6 address, and
+	       if the query wasn't for an AAAA record, it's no good, and we need
+	       to continue generalising */
+	    {
+	      /* We've matched a setting which says to use servers without a domain.
+		 Continue the search with empty query. We set the F_SERVER flag
+		 so that --address=/#/... doesn't match. */
+	      if (daemon->serverarray[nlow]->flags & SERV_USE_RESOLV)
+		{
+		  crop_query = qlen;
+		  flags |= F_SERVER;
+		}
+	      else
+		break;
+	    }
+	}
+      
+      /* crop_query must be at least one always. */
+      if (crop_query == 0)
+	crop_query = 1;
+
+      /* strip chars off the query based on the largest possible remaining match,
+	 then continue to the start of the next label unless we have a wildcard
+	 domain somewhere, in which case we have to go one at a time. */
+      qlen -= crop_query;
+      qdomain += crop_query;
+      if (!daemon->server_has_wildcard)
+	while (qlen > 0 &&  (*(qdomain-1) != '.'))
+	  qlen--, qdomain++;
+    }
+
+  /* domain has no dots, and we have at least one server configured to handle such,
+     These servers always sort to the very end of the array. 
+     A configured server eg server=/lan/ will take precdence. */
+  if (nodots &&
+      (daemon->serverarray[daemon->serverarraysz-1]->flags & SERV_FOR_NODOTS) &&
+      (nlow == nhigh || daemon->serverarray[nlow]->domain_len == 0))
+    filter_servers(daemon->serverarraysz-1, flags, &nlow, &nhigh);
+  
+  if (lowout)
+    *lowout = nlow;
+  
+  if (highout)
+    *highout = nhigh;
+
+  /* qlen == -1 when we failed to match even an empty query, if there are no default servers. */
+  if (nlow == nhigh || qlen == -1)
+    return 0;
+  
+  return 1;
+}
+
+/* Return first server in group of equivalent servers; this is the "master" record. */
+int server_samegroup(struct server *a, struct server *b)
+{
+  return order_servers(a, b) == 0;
+}
+
+int filter_servers(int seed, int flags, int *lowout, int *highout)
+{
+  int nlow = seed, nhigh = seed;
+  int i;
+  
+  /* expand nlow and nhigh to cover all the records with the same domain 
+     nlow is the first, nhigh - 1 is the last. nlow=nhigh means no servers,
+     which can happen below. */
+  while (nlow > 0 && order_servers(daemon->serverarray[nlow-1], daemon->serverarray[nlow]) == 0)
+    nlow--;
+  
+  while (nhigh < daemon->serverarraysz-1 && order_servers(daemon->serverarray[nhigh], daemon->serverarray[nhigh+1]) == 0)
+    nhigh++;
+  
+  nhigh++;
+  
+#define SERV_LOCAL_ADDRESS (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)
+  
+  if (flags & F_CONFIG)
+    {
+      /* We're just lookin for any matches that return an RR. */
+      for (i = nlow; i < nhigh; i++)
+	if (daemon->serverarray[i]->flags & SERV_LOCAL_ADDRESS)
+	  break;
+      
+      /* failed, return failure. */
+      if (i == nhigh)
+	nhigh = nlow;
+    }
+  else
+    {
+      /* Now the servers are on order between low and high, in the order
+	 IPv6 addr, IPv4 addr, return zero for both, resolvconf servers, send upstream, no-data return.
+	 
+	 See which of those match our query in that priority order and narrow (low, high) */
+      
+      for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_6ADDR); i++);
+      
+      if (!(flags & F_SERVER) && i != nlow && (flags & F_IPV6))
+	nhigh = i;
+      else
+	{
+	  nlow = i;
+	  
+	  for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_4ADDR); i++);
+	  
+	  if (!(flags & F_SERVER) && i != nlow && (flags & F_IPV4))
+	    nhigh = i;
+	  else
+	    {
+	      nlow = i;
+	      
+	      for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_ALL_ZEROS); i++);
+	      
+	      if (!(flags & F_SERVER) && i != nlow && (flags & (F_IPV4 | F_IPV6)))
+		nhigh = i;
+	      else
+		{
+		  nlow = i;
+		  
+		  /* Short to resolv.conf servers */
+		  for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_USE_RESOLV); i++);
+		  
+		  if (i != nlow)
+		    nhigh = i;
+		  else
+		    {
+		      /* now look for a server */
+		      for (i = nlow; i < nhigh && !(daemon->serverarray[i]->flags & SERV_LITERAL_ADDRESS); i++);
+		      
+		      if (i != nlow)
+			{
+			  /* If we want a server that can do DNSSEC, and this one can't, 
+			     return nothing, similarly if were looking only for a server
+			     for a particular domain. */
+			  if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
+			    nlow = nhigh;
+			  else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
+			    nlow = nhigh;
+			  else
+			    nhigh = i;
+			}
+		      else
+			{
+			  /* --local=/domain/, only return if we don't need a server. */
+			  if (flags & (F_DNSSECOK | F_DOMAINSRV | F_SERVER))
+			    nhigh = i;
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+  *lowout = nlow;
+  *highout = nhigh;
+  
+  return (nlow != nhigh);
+}
+
+int is_local_answer(time_t now, int first, char *name)
+{
+  int flags = 0;
+  int rc = 0;
+  
+  if ((flags = daemon->serverarray[first]->flags) & SERV_LITERAL_ADDRESS)
+    {
+      if (flags & SERV_4ADDR)
+	rc = F_IPV4;
+      else if (flags & SERV_6ADDR)
+	rc = F_IPV6;
+      else if (flags & SERV_ALL_ZEROS)
+	rc = F_IPV4 | F_IPV6;
+      else
+	{
+	  /* argument first is the first struct server which matches the query type;
+	     now roll back to the server which is just the same domain, to check if that 
+	     provides an answer of a different type. */
+
+	  for (;first > 0 && order_servers(daemon->serverarray[first-1], daemon->serverarray[first]) == 0; first--);
+	  
+	  if ((daemon->serverarray[first]->flags & SERV_LOCAL_ADDRESS) ||
+	      check_for_local_domain(name, now))
+	    rc = F_NOERR;
+	  else
+	    rc = F_NXDOMAIN;
+	}
+    }
+
+  return rc;
+}
+
+size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, char *limit, int first, int last, int ede)
+{
+  int trunc = 0, anscount = 0;
+  unsigned char *p;
+  int start;
+  union all_addr addr;
+  
+  setup_reply(header, flags, ede);
+
+  if (flags & (F_NXDOMAIN | F_NOERR))
+    log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL, 0);
+
+  if (flags & F_RCODE)
+     {
+       union all_addr a;
+       a.log.rcode = RCODE(header);
+       a.log.ede = ede;
+       log_query(F_UPSTREAM | F_RCODE, "opcode", &a, NULL, 0);
+     }
+  
+  if (!(p = skip_questions(header, size)))
+    return 0;
+	  
+  if (flags & gotname & F_IPV4)
+    for (start = first; start != last; start++)
+      {
+	struct serv_addr4 *srv = (struct serv_addr4 *)daemon->serverarray[start];
+
+	if (srv->flags & SERV_ALL_ZEROS)
+	  memset(&addr, 0, sizeof(addr));
+	else
+	  addr.addr4 = srv->addr;
+	
+	if (add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr))
+	  anscount++;
+	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, name, (union all_addr *)&addr, NULL, 0);
+      }
+  
+  if (flags & gotname & F_IPV6)
+    for (start = first; start != last; start++)
+      {
+	struct serv_addr6 *srv = (struct serv_addr6 *)daemon->serverarray[start];
+
+	if (srv->flags & SERV_ALL_ZEROS)
+	  memset(&addr, 0, sizeof(addr));
+	else
+	  addr.addr6 = srv->addr;
+	
+	if (add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_AAAA, C_IN, "6", &addr))
+	  anscount++;
+	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, name, (union all_addr *)&addr, NULL, 0);
+      }
+
+  if (trunc)
+    {
+      header->hb3 |= HB3_TC;
+      if (!(p = skip_questions(header, size)))
+	return 0; /* bad packet */
+      anscount  = 0;
+    }
+  
+  header->ancount = htons(anscount);
+  
+  return p - (unsigned char *)header;
+}
+
+#ifdef HAVE_DNSSEC
+int dnssec_server(struct server *server, char *keyname, int *firstp, int *lastp)
+{
+  int first, last, index;
+
+  /* Find server to send DNSSEC query to. This will normally be the 
+     same as for the original query, but may be another if
+     servers for domains are involved. */		      
+  if (!lookup_domain(keyname, F_DNSSECOK, &first, &last))
+    return -1;
+
+  for (index = first; index != last; index++)
+    if (daemon->serverarray[index] == server)
+      break;
+	      
+  /* No match to server used for original query.
+     Use newly looked up set. */
+  if (index == last)
+    index =  daemon->serverarray[first]->last_server == -1 ?
+      first : daemon->serverarray[first]->last_server;
+
+  if (firstp)
+    *firstp = first;
+
+  if (lastp)
+    *lastp = last;
+   
+  return index;
+}
+#endif
+
+/* order by size, then by dictionary order */
+static int order(char *qdomain, size_t qlen, struct server *serv)
+{
+  size_t dlen = 0;
+    
+  /* servers for dotless names always sort last 
+     searched for name is never dotless. */
+  if (serv->flags & SERV_FOR_NODOTS)
+    return -1;
+
+  dlen = serv->domain_len;
+  
+  if (qlen < dlen)
+    return 1;
+  
+  if (qlen > dlen)
+    return -1;
+
+  return hostname_order(qdomain, serv->domain);
+}
+
+static int order_servers(struct server *s1, struct server *s2)
+{
+  int rc;
+
+  /* need full comparison of dotless servers in 
+     order_qsort() and filter_servers() */
+
+  if (s1->flags & SERV_FOR_NODOTS)
+     return (s2->flags & SERV_FOR_NODOTS) ? 0 : 1;
+   
+  if ((rc = order(s1->domain, s1->domain_len, s2)) != 0)
+    return rc;
+
+  /* For identical domains, sort wildcard ones first */
+  if (s1->flags & SERV_WILDCARD)
+    return (s2->flags & SERV_WILDCARD) ? 0 : 1;
+
+  return (s2->flags & SERV_WILDCARD) ? -1 : 0;
+}
+  
+static int order_qsort(const void *a, const void *b)
+{
+  int rc;
+  
+  struct server *s1 = *((struct server **)a);
+  struct server *s2 = *((struct server **)b);
+  
+  rc = order_servers(s1, s2);
+
+  /* Sort all literal NODATA and local IPV4 or IPV6 responses together,
+     in a very specific order. We flip the SERV_LITERAL_ADDRESS bit
+     so the order is IPv6 literal, IPv4 literal, all-zero literal, 
+     unqualified servers, upstream server, NXDOMAIN literal. */
+  if (rc == 0)
+    rc = ((s2->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_USE_RESOLV | SERV_ALL_ZEROS)) ^ SERV_LITERAL_ADDRESS) -
+      ((s1->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_USE_RESOLV | SERV_ALL_ZEROS)) ^ SERV_LITERAL_ADDRESS);
+
+  /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */
+  if (rc == 0)
+    if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL))
+      rc = s1->serial - s2->serial;
+  
+  return rc;
+}
+
+
+/* When loading large numbers of server=.... lines during startup,
+   there's no possibility that there will be server records that can be reused, but
+   searching a long list for each server added grows as O(n^2) and slows things down.
+   This flag is set only if is known there may be free server records that can be reused.
+   There's a call to mark_servers(0) in read_opts() to reset the flag before
+   main config read. */
+
+static int maybe_free_servers = 0;
+
+/* Must be called before  add_update_server() to set daemon->servers_tail */
+void mark_servers(int flag)
+{
+  struct server *serv, *next, **up;
+
+  maybe_free_servers = !!flag;
+  
+  daemon->servers_tail = NULL;
+  
+  /* mark everything with argument flag */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    {
+      if (serv->flags & flag)
+	serv->flags |= SERV_MARK;
+      else
+	serv->flags &= ~SERV_MARK;
+
+      daemon->servers_tail = serv;
+    }
+  
+  /* --address etc is different: since they are expected to be 
+     1) numerous and 2) not reloaded often. We just delete 
+     and recreate. */
+  if (flag)
+    for (serv = daemon->local_domains, up = &daemon->local_domains; serv; serv = next)
+      {
+	next = serv->next;
+
+	if (serv->flags & flag)
+	  {
+	    *up = next;
+	    free(serv->domain);
+	    free(serv);
+	  }
+	else 
+	  up = &serv->next;
+      }
+}
+
+void cleanup_servers(void)
+{
+  struct server *serv, *tmp, **up;
+
+  /* unlink and free anything still marked. */
+  for (serv = daemon->servers, up = &daemon->servers, daemon->servers_tail = NULL; serv; serv = tmp) 
+    {
+      tmp = serv->next;
+      if (serv->flags & SERV_MARK)
+       {
+         server_gone(serv);
+         *up = serv->next;
+	 free(serv->domain);
+	 free(serv);
+       }
+      else 
+	{
+	  up = &serv->next;
+	  daemon->servers_tail = serv;
+	}
+    }
+}
+
+int add_update_server(int flags,
+		      union mysockaddr *addr,
+		      union mysockaddr *source_addr,
+		      const char *interface,
+		      const char *domain,
+		      union all_addr *local_addr)
+{
+  struct server *serv = NULL;
+  char *alloc_domain;
+  
+  if (!domain)
+    domain = "";
+
+  /* .domain == domain, for historical reasons. */
+  if (*domain == '.')
+    while (*domain == '.') domain++;
+  else if (*domain == '*')
+    {
+      domain++;
+      if (*domain != 0)
+	flags |= SERV_WILDCARD;
+    }
+  
+  if (*domain == 0)
+    alloc_domain = whine_malloc(1);
+  else
+    alloc_domain = canonicalise((char *)domain, NULL);
+
+  if (!alloc_domain)
+    return 0;
+
+  if (flags & SERV_IS_LOCAL)
+    {
+      size_t size;
+      
+      if (flags & SERV_6ADDR)
+	size = sizeof(struct serv_addr6);
+      else if (flags & SERV_4ADDR)
+	size = sizeof(struct serv_addr4);
+      else
+	size = sizeof(struct serv_local);
+      
+      if (!(serv = whine_malloc(size)))
+	{
+	  free(alloc_domain);
+	  return 0;
+	}
+      
+      serv->next = daemon->local_domains;
+      daemon->local_domains = serv;
+      
+      if (flags & SERV_4ADDR)
+	((struct serv_addr4*)serv)->addr = local_addr->addr4;
+      
+      if (flags & SERV_6ADDR)
+	((struct serv_addr6*)serv)->addr = local_addr->addr6;
+    }
+  else
+    { 
+      /* Upstream servers. See if there is a suitable candidate, if so unmark
+	 and move to the end of the list, for order. The entry found may already
+	 be at the end. */
+      struct server **up, *tmp;
+
+      serv = NULL;
+      
+      if (maybe_free_servers)
+	for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp)
+	  {
+	    tmp = serv->next;
+	    if ((serv->flags & SERV_MARK) &&
+		hostname_isequal(alloc_domain, serv->domain))
+	      {
+		/* Need to move down? */
+		if (serv->next)
+		  {
+		    *up = serv->next;
+		    daemon->servers_tail->next = serv;
+		    daemon->servers_tail = serv;
+		    serv->next = NULL;
+		  }
+		break;
+	      }
+	    else
+	      up = &serv->next;
+	  }
+      
+      if (serv)
+	{
+	  free(alloc_domain);
+	  alloc_domain = serv->domain;
+	}
+      else
+	{
+	  if (!(serv = whine_malloc(sizeof(struct server))))
+	    {
+	      free(alloc_domain);
+	      return 0;
+	    }
+	  
+	  memset(serv, 0, sizeof(struct server));
+	  
+	  /* Add to the end of the chain, for order */
+	  if (daemon->servers_tail)
+	    daemon->servers_tail->next = serv;
+	  else
+	    daemon->servers = serv;
+	  daemon->servers_tail = serv;
+	}
+      
+#ifdef HAVE_LOOP
+      serv->uid = rand32();
+#endif      
+	  
+      if (interface)
+	safe_strncpy(serv->interface, interface, sizeof(serv->interface));
+      if (addr)
+	serv->addr = *addr;
+      if (source_addr)
+	serv->source_addr = *source_addr;
+
+      serv->tcpfd = -1;
+    }
+    
+  serv->flags = flags;
+  serv->domain = alloc_domain;
+  serv->domain_len = strlen(alloc_domain);
+    
+  return 1;
+}
+
--- a/src/domain.c
+++ b/src/domain.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,22 +18,17 @@


 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c);
-#ifdef HAVE_IPV6
+static int match_domain(struct in_addr addr, struct cond_domain *c);
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
-#endif
+static int match_domain6(struct in6_addr *addr, struct cond_domain *c);

-
-int is_name_synthetic(int flags, char *name, struct all_addr *addr)
+int is_name_synthetic(int flags, char *name, union all_addr *addrp)
 {
  char *p;
  struct cond_domain *c = NULL;
-  int prot = AF_INET;
-
-#ifdef HAVE_IPV6
-  if (flags & F_IPV6)
-    prot = AF_INET6;
-#endif
-
+  int prot = (flags & F_IPV6) ? AF_INET6 : AF_INET;
+  union all_addr addr;
+  
  for (c = daemon->synth_domains; c; c = c->next)
    {
      int found = 0;
@@ -55,74 +50,83 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
      
      if (pref && *pref != 0)
 	continue; /* prefix match fail */
-      
-      /* NB, must not alter name if we return zero */
-      for (p = tail; *p; p++)
+
+      if (c->indexed)
 	{
-	  char c = *p;
+	  for (p = tail; *p; p++)
+	    {
+	      char c = *p;
+	      
+	      if (c < '0' || c > '9')
+		break;
+	    }
 	  
-	  if ((c >='0' && c <= '9') || c == '-')
+	  if (*p != '.')
 	    continue;
 	  
-#ifdef HAVE_IPV6
-	  if (prot == AF_INET6 && ((c >='A' && c <= 'F') || (c >='a' && c <= 'f'))) 
-	    continue;
-#endif
+	  *p = 0;
 	  
-	  break;
-	}
-      
-      if (*p != '.')
-	continue;
-      
-      *p = 0;	
-      
- #ifdef HAVE_IPV6
-      if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
-	{
-	  /* special hack for v4-mapped. */
-	  memcpy(tail, "::ffff:", 7);
-	  for (p = tail + 7; *p; p++)
-	    if (*p == '-')
-	      *p = '.';
+	  if (hostname_isequal(c->domain, p+1))
+	    {
+	      if (prot == AF_INET)
+		{
+		  unsigned int index = atoi(tail);
+
+		   if (!c->is6 &&
+		      index <= ntohl(c->end.s_addr) - ntohl(c->start.s_addr))
+		    {
+		      addr.addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
+		      found = 1;
+		    }
+		} 
+	      else
+		{
+		  u64 index = atoll(tail);
+		  
+		  if (c->is6 &&
+		      index <= addr6part(&c->end6) - addr6part(&c->start6))
+		    {
+		      u64 start = addr6part(&c->start6);
+		      addr.addr6 = c->start6;
+		      setaddr6part(&addr.addr6, start + index);
+		      found = 1;
+		    }
+		}
+	    }
 	}
      else
-#endif
 	{
+	  /* NB, must not alter name if we return zero */
+	  for (p = tail; *p; p++)
+	    {
+	      char c = *p;
+	      
+	      if ((c >='0' && c <= '9') || c == '-')
+		continue;
+	      
+	      if (prot == AF_INET6 && ((c >='A' && c <= 'F') || (c >='a' && c <= 'f'))) 
+		continue;
+	      
+	      break;
+	    }
+	  
+	  if (*p != '.')
+	    continue;
+	  
+	  *p = 0;	
+	  
 	  /* swap . or : for - */
 	  for (p = tail; *p; p++)
 	    if (*p == '-')
 	      {
 		if (prot == AF_INET)
 		  *p = '.';
-#ifdef HAVE_IPV6
 		else
 		  *p = ':';
-#endif
 	      }
-	}
-
-      if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
-	{
-	  if (prot == AF_INET)
-	    {
-	      if (!c->is6 &&
-		  ntohl(addr->addr.addr4.s_addr) >= ntohl(c->start.s_addr) &&
-		  ntohl(addr->addr.addr4.s_addr) <= ntohl(c->end.s_addr))
-		found = 1;
-	    }
-#ifdef HAVE_IPV6
-	  else
-	    {
-	      u64 addrpart = addr6part(&addr->addr.addr6);
-	      
-	      if (c->is6 &&
-		  is_same_net6(&addr->addr.addr6, &c->start6, 64) &&
-		  addrpart >= addr6part(&c->start6) &&
-		  addrpart <= addr6part(&c->end6))
-		found = 1;
-	    }
-#endif
+	  
+	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, &addr))
+	    found = (prot == AF_INET) ? match_domain(addr.addr4, c) : match_domain6(&addr.addr6, c);
 	}
      
      /* restore name */
@@ -131,81 +135,110 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	  *p = '-';
      
      *p = '.';
-
+      
+      
      if (found)
-	return 1;
+	{
+	  if (addrp)
+	    *addrp = addr;
+	  
+	  return 1;
+	}
    }
  
  return 0;
 }


-int is_rev_synth(int flag, struct all_addr *addr, char *name)
+int is_rev_synth(int flag, union all_addr *addr, char *name)
 {
   struct cond_domain *c;

-   if (flag & F_IPV4 && (c = search_domain(addr->addr.addr4, daemon->synth_domains))) 
+   if (flag & F_IPV4 && (c = search_domain(addr->addr4, daemon->synth_domains))) 
     {
       char *p;
       
       *name = 0;
-       if (c->prefix)
-	 strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
+       if (c->indexed)
+	 {
+	   unsigned int index = ntohl(addr->addr4.s_addr) - ntohl(c->start.s_addr);
+	   snprintf(name, MAXDNAME, "%s%u", c->prefix ? c->prefix : "", index);
+	 }
+       else
+	 {
+	   if (c->prefix)
+	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
+       
+       	   inet_ntop(AF_INET, &addr->addr4, name + strlen(name), ADDRSTRLEN);
+	   for (p = name; *p; p++)
+	     if (*p == '.')
+	       *p = '-';
+	 }
       
-       inet_ntop(AF_INET, &addr->addr.addr4, name + strlen(name), ADDRSTRLEN);
-       for (p = name; *p; p++)
-	 if (*p == '.')
-	   *p = '-';
-
       strncat(name, ".", MAXDNAME);
       strncat(name, c->domain, MAXDNAME);

       return 1;
     }

-#ifdef HAVE_IPV6
-   if (flag & F_IPV6 && (c = search_domain6(&addr->addr.addr6, daemon->synth_domains))) 
+   if ((flag & F_IPV6) && (c = search_domain6(&addr->addr6, daemon->synth_domains))) 
     {
-       char *p;
-       
       *name = 0;
-       if (c->prefix)
-	 strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
-       
-       inet_ntop(AF_INET6, &addr->addr.addr6, name + strlen(name), ADDRSTRLEN);

-       /* IPv6 presentation address can start with ":", but valid domain names
-	  cannot start with "-" so prepend a zero in that case. */
-       if (!c->prefix && *name == ':')
+       if (c->indexed)
 	 {
-	   *name = '0';
-	   inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN);
+	   u64 index = addr6part(&addr->addr6) - addr6part(&c->start6);
+	   snprintf(name, MAXDNAME, "%s%llu", c->prefix ? c->prefix : "", index);
+	 }
+       else
+	 {
+	   int i;
+	   char frag[6];
+
+	   if (c->prefix)
+	     strncpy(name, c->prefix, MAXDNAME);
+	   
+	   for (i = 0; i < 16; i += 2)
+	     {
+	       sprintf(frag, "%s%02x%02x",  i == 0 ? "" : "-", addr->addr6.s6_addr[i], addr->addr6.s6_addr[i+1]);
+	       strncat(name, frag, MAXDNAME);
+	     }
 	 }

-       /* V4-mapped have periods.... */
-       for (p = name; *p; p++)
-	 if (*p == ':' || *p == '.')
-	   *p = '-';
-
       strncat(name, ".", MAXDNAME);
       strncat(name, c->domain, MAXDNAME);
       
       return 1;
     }
-#endif
   
   return 0;
 }


+static int match_domain(struct in_addr addr, struct cond_domain *c)
+{
+  if (c->interface)
+    {
+      struct addrlist *al;
+      for (al = c->al; al; al = al->next)
+	if (!(al->flags & ADDRLIST_IPV6) &&
+	    is_same_net_prefix(addr, al->addr.addr4, al->prefixlen))
+	  return 1;
+    }
+  else if (!c->is6 &&
+	   ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
+	   ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+    return 1;
+
+  return 0;
+}
+
 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c)
 {
  for (; c; c = c->next)
-    if (!c->is6 &&
-	ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
-        ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+    if (match_domain(addr, c))
      return c;
-
+  
  return NULL;
 }

@@ -219,16 +252,39 @@ char *get_domain(struct in_addr addr)
  return daemon->domain_suffix;
 } 

-#ifdef HAVE_IPV6
+static int match_domain6(struct in6_addr *addr, struct cond_domain *c)
+{
+    
+  /* subnet from interface address. */
+  if (c->interface)
+    {
+      struct addrlist *al;
+      for (al = c->al; al; al = al->next)
+	if (al->flags & ADDRLIST_IPV6 &&
+	    is_same_net6(addr, &al->addr.addr6, al->prefixlen))
+	  return 1;
+    }
+  else if (c->is6)
+    {
+      if (c->prefixlen >= 64)
+	{
+	  u64 addrpart = addr6part(addr);
+	  if (is_same_net6(addr, &c->start6, 64) &&
+	      addrpart >= addr6part(&c->start6) &&
+	      addrpart <= addr6part(&c->end6))
+	    return 1;
+	}
+      else if (is_same_net6(addr, &c->start6, c->prefixlen))
+	return 1;
+    }
+    
+  return 0;
+}
+
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c)
 {
-  u64 addrpart = addr6part(addr);
-  
  for (; c; c = c->next)
-    if (c->is6 &&
-	is_same_net6(addr, &c->start6, 64) &&
-	addrpart >= addr6part(&c->start6) &&
-        addrpart <= addr6part(&c->end6))
+    if (match_domain6(addr, c))
      return c;
  
  return NULL;
@@ -243,4 +299,3 @@ char *get_domain6(struct in6_addr *addr)

  return daemon->domain_suffix;
 } 
-#endif
--- a/src/dump.c
+++ b/src/dump.c
@@ -0,0 +1,303 @@
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_DUMPFILE
+
+#include <netinet/icmp6.h>
+
+static u32 packet_count;
+static void do_dump_packet(int mask, void *packet, size_t len,
+			   union mysockaddr *src, union mysockaddr *dst, int port, int proto);
+
+/* https://wiki.wireshark.org/Development/LibpcapFileFormat */
+struct pcap_hdr_s {
+        u32 magic_number;   /* magic number */
+        u16 version_major;  /* major version number */
+        u16 version_minor;  /* minor version number */
+        u32 thiszone;       /* GMT to local correction */
+        u32 sigfigs;        /* accuracy of timestamps */
+        u32 snaplen;        /* max length of captured packets, in octets */
+        u32 network;        /* data link type */
+};
+
+struct pcaprec_hdr_s {
+        u32 ts_sec;         /* timestamp seconds */
+        u32 ts_usec;        /* timestamp microseconds */
+        u32 incl_len;       /* number of octets of packet saved in file */
+        u32 orig_len;       /* actual length of packet */
+};
+
+
+void dump_init(void)
+{
+  struct stat buf;
+  struct pcap_hdr_s header;
+  struct pcaprec_hdr_s pcap_header;
+
+  packet_count = 0;
+  
+  header.magic_number = 0xa1b2c3d4;
+  header.version_major = 2;
+  header.version_minor = 4;
+  header.thiszone = 0;
+  header.sigfigs = 0;
+  header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */
+  header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */
+
+  if (stat(daemon->dump_file, &buf) == -1)
+    {
+      /* doesn't exist, create and add header */
+      if (errno != ENOENT ||
+	  (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 ||
+	  !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_WRITE))
+	die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
+    }
+  else if (S_ISFIFO(buf.st_mode))
+    {
+      /* File is named pipe (with wireshark on the other end, probably.)
+	 Send header. */
+      if  ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_WRITE))
+	die(_("cannot open pipe %s: %s"), daemon->dump_file, EC_FILE);
+    }
+  else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_READ))
+    die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
+  else if (header.magic_number != 0xa1b2c3d4)
+    die(_("bad header in %s"), daemon->dump_file, EC_FILE);
+  else
+    {
+      /* count existing records */
+      while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), RW_READ))
+	{
+	  lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR);
+	  packet_count++;
+	}
+    }
+}
+
+void dump_packet_udp(int mask, void *packet, size_t len,
+		     union mysockaddr *src, union mysockaddr *dst, int fd)
+{
+  union mysockaddr fd_addr;
+  socklen_t addr_len = sizeof(fd_addr);
+
+  if (daemon->dumpfd != -1 && (mask & daemon->dump_mask))
+     {
+       /* if fd is negative it carries a port number (negated) 
+	  which we use as a source or destination when not otherwise
+	  specified so wireshark can ID the packet. 
+	  If both src and dst are specified, set this to -1 to avoid
+	  a spurious getsockname() call. */
+       int port = (fd < 0) ? -fd : -1;
+       
+       /* fd >= 0 is a file descriptor and the address of that file descriptor is used
+	  in place of a NULL src or dst. */
+       if (fd >= 0 && getsockname(fd, (struct sockaddr *)&fd_addr, &addr_len) != -1)
+	 {
+	   if (!src)
+	     src = &fd_addr;
+	   
+	   if (!dst)
+	     dst = &fd_addr;
+	 }
+       
+       do_dump_packet(mask, packet, len, src, dst, port, IPPROTO_UDP);
+     }
+}
+
+void dump_packet_icmp(int mask, void *packet, size_t len,
+		      union mysockaddr *src, union mysockaddr *dst)
+{
+  if (daemon->dumpfd != -1 && (mask & daemon->dump_mask))
+    do_dump_packet(mask, packet, len, src, dst, -1, IPPROTO_ICMP);
+}
+
+static void do_dump_packet(int mask, void *packet, size_t len,
+			   union mysockaddr *src, union mysockaddr *dst, int port, int proto)
+{
+  struct ip ip;
+  struct ip6_hdr ip6;
+  int family;
+  struct udphdr {
+    u16 uh_sport;               /* source port */
+    u16 uh_dport;               /* destination port */
+    u16 uh_ulen;                /* udp length */
+    u16 uh_sum;                 /* udp checksum */
+  } udp;
+  struct pcaprec_hdr_s pcap_header;
+  struct timeval time;
+  u32 i, sum;
+  void *iphdr;
+  size_t ipsz;
+  int rc;
+     
+  /* if port != -1 it carries a port number 
+     which we use as a source or destination when not otherwise
+     specified so wireshark can ID the packet. 
+     If both src and dst are specified, set this to -1 to avoid
+     a spurious getsockname() call. */
+  udp.uh_sport = udp.uh_dport = htons(port < 0 ? 0 : port);
+  
+  if (src)
+    family = src->sa.sa_family;
+  else
+    family = dst->sa.sa_family;
+
+  if (family == AF_INET6)
+    {
+      iphdr = &ip6;
+      ipsz = sizeof(ip6);
+      memset(&ip6, 0, sizeof(ip6));
+      
+      ip6.ip6_vfc = 6 << 4;
+      ip6.ip6_hops = 64;
+
+      if ((ip6.ip6_nxt = proto) == IPPROTO_UDP)
+	ip6.ip6_plen = htons(sizeof(struct udphdr) + len);
+      else
+	{
+	  proto = ip6.ip6_nxt = IPPROTO_ICMPV6;
+	  ip6.ip6_plen = htons(len);
+	}
+      
+      if (src)
+	{
+	  memcpy(&ip6.ip6_src, &src->in6.sin6_addr, IN6ADDRSZ);
+	  udp.uh_sport = src->in6.sin6_port;
+	}
+      
+      if (dst)
+	{
+	  memcpy(&ip6.ip6_dst, &dst->in6.sin6_addr, IN6ADDRSZ);
+	  udp.uh_dport = dst->in6.sin6_port;
+	}
+            
+      /* start UDP checksum */
+      for (sum = 0, i = 0; i < IN6ADDRSZ; i+=2)
+	{
+	  sum += ntohs((ip6.ip6_src.s6_addr[i] << 8) + (ip6.ip6_src.s6_addr[i+1])) ;
+	  sum += ntohs((ip6.ip6_dst.s6_addr[i] << 8) + (ip6.ip6_dst.s6_addr[i+1])) ; 
+	}
+    }
+  else
+    {
+      iphdr = &ip;
+      ipsz = sizeof(ip);
+      memset(&ip, 0, sizeof(ip));
+      
+      ip.ip_v = IPVERSION;
+      ip.ip_hl = sizeof(struct ip) / 4;
+      ip.ip_ttl = IPDEFTTL;
+
+      if ((ip.ip_p = proto) == IPPROTO_UDP)
+	ip.ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len);
+      else
+	{
+	  ip.ip_len = htons(sizeof(struct ip) + len);
+	  proto = ip.ip_p = IPPROTO_ICMP;
+	}
+      
+      if (src)
+	{
+	  ip.ip_src = src->in.sin_addr;
+	  udp.uh_sport = src->in.sin_port;
+	}
+
+      if (dst)
+	{
+	  ip.ip_dst = dst->in.sin_addr;
+	  udp.uh_dport = dst->in.sin_port;
+	}
+      
+      ip.ip_sum = 0;
+      for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++)
+	sum += ((u16 *)&ip)[i];
+      while (sum >> 16)
+	sum = (sum & 0xffff) + (sum >> 16);  
+      ip.ip_sum = (sum == 0xffff) ? sum : ~sum;
+      
+      /* start UDP/ICMP checksum */
+      sum = ip.ip_src.s_addr & 0xffff;
+      sum += (ip.ip_src.s_addr >> 16) & 0xffff;
+      sum += ip.ip_dst.s_addr & 0xffff;
+      sum += (ip.ip_dst.s_addr >> 16) & 0xffff;
+    }
+  
+  if (len & 1)
+    ((unsigned char *)packet)[len] = 0; /* for checksum, in case length is odd. */
+
+  if (proto == IPPROTO_UDP)
+    {
+      /* Add Remaining part of the pseudoheader. Note that though the
+	 IPv6 pseudoheader is very different to the IPv4 one, the 
+	 net result of this calculation is correct as long as the 
+	 packet length is less than 65536, which is fine for us. */
+      sum += htons(IPPROTO_UDP);
+      sum += htons(sizeof(struct udphdr) + len);
+      
+      udp.uh_sum = 0;
+      udp.uh_ulen = htons(sizeof(struct udphdr) + len);
+      
+      for (i = 0; i < sizeof(struct udphdr)/2; i++)
+	sum += ((u16 *)&udp)[i];
+      for (i = 0; i < (len + 1) / 2; i++)
+	sum += ((u16 *)packet)[i];
+      while (sum >> 16)
+	sum = (sum & 0xffff) + (sum >> 16);
+      udp.uh_sum = (sum == 0xffff) ? sum : ~sum;
+
+      pcap_header.incl_len = pcap_header.orig_len = ipsz + sizeof(udp) + len;
+    }
+  else
+    {
+      /* ICMP - ICMPv6 packet is a superset of ICMP */
+      struct icmp6_hdr *icmp = packet;
+      
+      /* See comment in UDP code above. */
+      sum += htons(proto);
+      sum += htons(len);
+      
+      icmp->icmp6_cksum = 0;
+      for (i = 0; i < (len + 1) / 2; i++)
+	sum += ((u16 *)packet)[i];
+      while (sum >> 16)
+	sum = (sum & 0xffff) + (sum >> 16);
+      icmp->icmp6_cksum = (sum == 0xffff) ? sum : ~sum;
+
+      pcap_header.incl_len = pcap_header.orig_len = ipsz + len;
+    }
+    
+  rc = gettimeofday(&time, NULL);
+  pcap_header.ts_sec = time.tv_sec;
+  pcap_header.ts_usec = time.tv_usec;
+  
+  if (rc == -1 ||
+      !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), RW_WRITE) ||
+      !read_write(daemon->dumpfd, iphdr, ipsz, RW_WRITE) ||
+      (proto == IPPROTO_UDP && !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), RW_WRITE)) ||
+      !read_write(daemon->dumpfd, (void *)packet, len, RW_WRITE))
+    my_syslog(LOG_ERR, _("failed to write packet dump"));
+  else if (option_bool(OPT_EXTRALOG) && (mask & 0x00ff))
+    my_syslog(LOG_INFO, _("%u dumping packet %u mask 0x%04x"),  daemon->log_display_id, ++packet_count, mask);
+  else
+    my_syslog(LOG_INFO, _("dumping packet %u mask 0x%04x"), ++packet_count, mask);
+
+}
+
+#endif
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -96,9 +96,12 @@ unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t
 }
 

-/* replace == 2 ->delete existing option only. */
+/* replace == 0 ->don't replace existing option
+   replace == 1 ->replace existing or add option
+   replace == 2 ->relpace existing option only.
+*/
 size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
-			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
+			int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
 { 
  unsigned char *lenp, *datap, *p, *udp_len, *buff = NULL;
  int rdlen = 0, is_sign, is_last;
@@ -114,9 +117,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
      /* Existing header */
      int i;
      unsigned short code, len;
-
+      
      p = udp_len;
-      GETSHORT(udp_sz, p);
+
+      PUTSHORT(daemon->edns_pktsz, p);
      GETSHORT(rcode, p);
      GETSHORT(flags, p);

@@ -144,7 +148,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	  GETSHORT(len, p);
 	  
 	  /* malformed option, delete the whole OPT RR and start again. */
-	  if (i + len > rdlen)
+	  if (i + 4 + len > rdlen)
 	    {
 	      rdlen = 0;
 	      is_last = 0;
@@ -159,7 +163,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	      /* delete option if we're to replace it. */
 	      p -= 4;
 	      rdlen -= len + 4;
-	      memcpy(p, p+len+4, rdlen - i);
+	      memmove(p, p+len+4, rdlen - i);
 	      PUTSHORT(rdlen, lenp);
 	      lenp -= 2;
 	    }
@@ -178,7 +182,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	    memcpy(buff, datap, rdlen);	      
 	  
 	  /* now, delete OPT RR */
-	  plen = rrfilter(header, plen, 0);
+	  rrfilter(header, &plen, RRFILTER_EDNS0);
 	  
 	  /* Now, force addition of a new one */
 	  p = NULL;	  
@@ -191,24 +195,37 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
      if (!(p = skip_questions(header, plen)) ||
 	  !(p = skip_section(p, 
 			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
-			     header, plen)))
-	return plen;
+			     header, plen)) ||
+	  p + 11 > limit)
+	{
+	  free(buff);
+	  return plen; /* bad packet */
+	}
+
      *p++ = 0; /* empty name */
      PUTSHORT(T_OPT, p);
-      PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-      PUTSHORT(rcode, p);    /* extended RCODE and version */
-      PUTSHORT(flags, p); /* DO flag */
+      PUTSHORT(daemon->edns_pktsz, p); /* max packet length, 512 if not given in EDNS0 header */
+      PUTSHORT(rcode, p);  /* extended RCODE and version */
+      PUTSHORT(flags, p);  /* DO flag */
      lenp = p;
      PUTSHORT(rdlen, p);    /* RDLEN */
      datap = p;
      /* Copy back any options */
      if (buff)
 	{
+          if (p + rdlen > limit)
+          {
+            free(buff);
+            return plen; /* Too big */
+          }
 	  memcpy(p, buff, rdlen);
 	  free(buff);
 	  p += rdlen;
 	}
-      header->arcount = htons(ntohs(header->arcount) + 1);
+      
+      /* Only bump arcount if RR is going to fit */ 
+      if (((ssize_t)optlen) <= (limit - (p + 4)))
+	header->arcount = htons(ntohs(header->arcount) + 1);
    }
  
  if (((ssize_t)optlen) > (limit - (p + 4)))
@@ -217,8 +234,12 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
  /* Add new option */
  if (optno != 0 && replace != 2)
    {
+      if (p + 4 > limit)
+       return plen; /* Too big */
      PUTSHORT(optno, p);
      PUTSHORT(optlen, p);
+      if (p + optlen > limit)
+       return plen; /* Too big */
      memcpy(p, opt, optlen);
      p += optlen;  
      PUTSHORT(p - datap, lenp);
@@ -228,7 +249,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l

 size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit)
 {
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0, NULL, 0, 1, 0);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0, 1, 0);
 }

 static unsigned char char64(unsigned char c)
@@ -244,73 +265,91 @@ static void encoder(unsigned char *in, char *out)
  out[3] = char64(in[2]);
 }

-static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+/* OPT_ADD_MAC = MAC is added (if available)
+   OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed
+   OPT_STRIP_MAC = MAC is removed */
+static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit,
+			     union mysockaddr *l3, time_t now, int *cacheablep)
 {
-  int maclen, replace = 2; /* can't get mac address, just delete any incoming. */
+  int replace = 0, maclen = 0;
  unsigned char mac[DHCP_CHADDR_MAX];
-  char encode[18]; /* handle 6 byte MACs */
+  char encode[18]; /* handle 6 byte MACs ONLY */

-  if ((maclen = find_mac(l3, mac, 1, now)) == 6)
+  if ((option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX)) && (maclen = find_mac(l3, mac, 1, now)) == 6)
    {
-      replace = 1;
-
-      if (option_bool(OPT_MAC_HEX))
-	print_mac(encode, mac, maclen);
-      else
-	{
-	  encoder(mac, encode);
-	  encoder(mac+3, encode+4);
-	  encode[8] = 0;
-	}
+      if (option_bool(OPT_STRIP_MAC))
+	 replace = 1;
+       *cacheablep = 0;
+    
+       if (option_bool(OPT_MAC_HEX))
+	 print_mac(encode, mac, maclen);
+       else
+	 {
+	   encoder(mac, encode);
+	   encoder(mac+3, encode+4);
+	   encode[8] = 0;
+	 }
    }
+  else if (option_bool(OPT_STRIP_MAC))
+    replace = 2;

-  return add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, replace); 
+  if (replace != 0 || maclen == 6)
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, replace);
+
+  return plen;
 }


-static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+/* OPT_ADD_MAC = MAC is added (if available)
+   OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed
+   OPT_STRIP_MAC = MAC is removed */
+static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit,
+		      union mysockaddr *l3, time_t now, int *cacheablep)
 {
-  int maclen;
+  int maclen = 0, replace = 0;
  unsigned char mac[DHCP_CHADDR_MAX];
-
-  if ((maclen = find_mac(l3, mac, 1, now)) != 0)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
    
+  if (option_bool(OPT_ADD_MAC) && (maclen = find_mac(l3, mac, 1, now)) != 0)
+    {
+      *cacheablep = 0;
+      if (option_bool(OPT_STRIP_MAC))
+	replace = 1;
+    }
+  else if (option_bool(OPT_STRIP_MAC))
+    replace = 2;
+  
+  if (replace != 0 || maclen != 0)
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_MAC, mac, maclen, 0, replace);
+
  return plen; 
 }

 struct subnet_opt {
  u16 family;
-  u8 source_netmask, scope_netmask;
-#ifdef HAVE_IPV6 
+  u8 source_netmask, scope_netmask; 
  u8 addr[IN6ADDRSZ];
-#else
-  u8 addr[INADDRSZ];
-#endif
 };

 static void *get_addrp(union mysockaddr *addr, const short family) 
 {
-#ifdef HAVE_IPV6
  if (family == AF_INET6)
    return &addr->in6.sin6_addr;
-#endif

  return &addr->in.sin_addr;
 }

-static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
+static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source, int *cacheablep)
 {
  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
  
  int len;
  void *addrp = NULL;
  int sa_family = source->sa.sa_family;
-
+  int cacheable = 0;
+  
  opt->source_netmask = 0;
  opt->scope_netmask = 0;
-
-#ifdef HAVE_IPV6
+    
  if (source->sa.sa_family == AF_INET6 && daemon->add_subnet6)
    {
      opt->source_netmask = daemon->add_subnet6->mask;
@@ -318,11 +357,11 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
 	{
 	  sa_family = daemon->add_subnet6->addr.sa.sa_family;
 	  addrp = get_addrp(&daemon->add_subnet6->addr, sa_family);
+	  cacheable = 1;
 	} 
      else 
 	addrp = &source->in6.sin6_addr;
    }
-#endif

  if (source->sa.sa_family == AF_INET && daemon->add_subnet4)
    {
@@ -331,18 +370,13 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
 	{
 	  sa_family = daemon->add_subnet4->addr.sa.sa_family;
 	  addrp = get_addrp(&daemon->add_subnet4->addr, sa_family);
+	  cacheable = 1; /* Address is constant */
 	} 
 	else 
 	  addrp = &source->in.sin_addr;
    }
  
-#ifdef HAVE_IPV6
  opt->family = htons(sa_family == AF_INET6 ? 2 : 1);
-#else
-  opt->family = htons(1);
-#endif
-  
-  len = 0;
  
  if (addrp && opt->source_netmask != 0)
    {
@@ -351,19 +385,41 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
      if (opt->source_netmask & 7)
 	opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
    }
+  else
+    {
+      cacheable = 1; /* No address ever supplied. */
+      len = 0;
+    }
+
+  if (cacheablep)
+    *cacheablep = cacheable;
  
  return len + 4;
 }
 
-static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source)
+/* OPT_CLIENT_SUBNET = client subnet is added
+   OPT_CLIENT_SUBNET + OPT_STRIP_ECS = client subnet is replaced
+   OPT_STRIP_ECS = client subnet is removed */
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit,
+			      union mysockaddr *source, int *cacheable)
 {
  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
  
-  int len;
+  int replace = 0, len = 0;
  struct subnet_opt opt;
  
-  len = calc_subnet_opt(&opt, source);
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0);
+  if (option_bool(OPT_CLIENT_SUBNET))
+    {
+      if (option_bool(OPT_STRIP_ECS))
+	replace = 1;
+      len = calc_subnet_opt(&opt, source, cacheable);
+    }
+  else if (option_bool(OPT_STRIP_ECS))
+    replace = 2;
+  else
+    return plen;
+
+  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace);
 }

 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
@@ -375,18 +431,18 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
  unsigned char *p;
  int code, i, rdlen;
  
-   calc_len = calc_subnet_opt(&opt, peer);
+  calc_len = calc_subnet_opt(&opt, peer, NULL);
   
-   if (!(p = skip_name(pseudoheader, header, plen, 10)))
-     return 1;
-   
-   p += 8; /* skip UDP length and RCODE */
-   
-   GETSHORT(rdlen, p);
-   if (!CHECK_LEN(header, p, plen, rdlen))
-     return 1; /* bad packet */
-   
-   /* check if option there */
+  if (!(p = skip_name(pseudoheader, header, plen, 10)))
+    return 1;
+  
+  p += 8; /* skip UDP length and RCODE */
+  
+  GETSHORT(rdlen, p);
+  if (!CHECK_LEN(header, p, plen, rdlen))
+    return 1; /* bad packet */
+  
+  /* check if option there */
   for (i = 0; i + 4 < rdlen; i += len + 4)
     {
       GETSHORT(code, p);
@@ -404,26 +460,87 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
   return 1;
 }

-size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
-			union mysockaddr *source, time_t now, int *check_subnet)    
+/* See https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic for
+ * detailed information on packet formating.
+ */
+#define UMBRELLA_VERSION    1
+#define UMBRELLA_TYPESZ     2
+
+#define UMBRELLA_ASSET      0x0004
+#define UMBRELLA_ASSETSZ    sizeof(daemon->umbrella_asset)
+#define UMBRELLA_ORG        0x0008
+#define UMBRELLA_ORGSZ      sizeof(daemon->umbrella_org)
+#define UMBRELLA_IPV4       0x0010
+#define UMBRELLA_IPV6       0x0020
+#define UMBRELLA_DEVICE     0x0040
+#define UMBRELLA_DEVICESZ   sizeof(daemon->umbrella_device)
+
+struct umbrella_opt {
+  u8 magic[4];
+  u8 version;
+  u8 flags;
+  /* We have 4 possible fields since we'll never send both IPv4 and
+   * IPv6, so using the larger of the two to calculate max buffer size.
+   * Each field also has a type header.  So the following accounts for
+   * the type headers and each field size to get a max buffer size.
+   */
+  u8 fields[4 * UMBRELLA_TYPESZ + UMBRELLA_ORGSZ + IN6ADDRSZ + UMBRELLA_DEVICESZ + UMBRELLA_ASSETSZ];
+};
+
+static size_t add_umbrella_opt(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable)
 {
-  *check_subnet = 0;
+  *cacheable = 0;

-  if (option_bool(OPT_ADD_MAC))
-    plen  = add_mac(header, plen, limit, source, now);
-  
-  if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
-    plen = add_dns_client(header, plen, limit, source, now);
+  struct umbrella_opt opt = {{"ODNS"}, UMBRELLA_VERSION, 0, {}};
+  u8 *u = &opt.fields[0];
+  int family = source->sa.sa_family;
+  int size = family == AF_INET ? INADDRSZ : IN6ADDRSZ;

-  if (daemon->dns_client_id)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMCPEID, 
-			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
-  
-  if (option_bool(OPT_CLIENT_SUBNET))
+  if (daemon->umbrella_org)
    {
-      plen = add_source_addr(header, plen, limit, source); 
-      *check_subnet = 1;
+      PUTSHORT(UMBRELLA_ORG, u);
+      PUTLONG(daemon->umbrella_org, u);
    }
-	  
+  
+  PUTSHORT(family == AF_INET ? UMBRELLA_IPV4 : UMBRELLA_IPV6, u);
+  memcpy(u, get_addrp(source, family), size);
+  u += size;
+  
+  if (option_bool(OPT_UMBRELLA_DEVID))
+    {
+      PUTSHORT(UMBRELLA_DEVICE, u);
+      memcpy(u, (char *)&daemon->umbrella_device, UMBRELLA_DEVICESZ);
+      u += UMBRELLA_DEVICESZ;
+    }
+
+  if (daemon->umbrella_asset)
+    {
+      PUTSHORT(UMBRELLA_ASSET, u);
+      PUTLONG(daemon->umbrella_asset, u);
+    }
+  
+  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_UMBRELLA, (unsigned char *)&opt, u - (u8 *)&opt, 0, 1);
+}
+
+/* Set *check_subnet if we add a client subnet option, which needs to checked 
+   in the reply. Set *cacheable to zero if we add an option which the answer
+   may depend on. */
+size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
+			union mysockaddr *source, time_t now, int *cacheable)    
+{
+  *cacheable = 1;
+  
+  plen  = add_mac(header, plen, limit, source, now, cacheable);
+  plen = add_dns_client(header, plen, limit, source, now, cacheable);
+  
+  if (daemon->dns_client_id)
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_NOMCPEID, 
+			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
+
+  if (option_bool(OPT_UMBRELLA))
+    plen = add_umbrella_opt(header, plen, limit, source, cacheable);
+  
+  plen = add_source_addr(header, plen, limit, source, cacheable);
+  	  
  return plen;
 }
--- a/src/forward.c
+++ b/src/forward.c
--- a/src/helper.c
+++ b/src/helper.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -14,7 +14,6 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-#include <stdio.h>
 #include "dnsmasq.h"

 #ifdef HAVE_SCRIPT
@@ -65,11 +64,10 @@ struct script_data
 #ifdef HAVE_TFTP
  off_t file_len;
 #endif
-#ifdef HAVE_IPV6
  struct in6_addr addr6;
-#endif
 #ifdef HAVE_DHCP6
-  int iaid, vendorclass_count;
+  int vendorclass_count;
+  unsigned int iaid;
 #endif
  unsigned char hwaddr[DHCP_CHADDR_MAX];
  char interface[IF_NAMESIZE];
@@ -83,7 +81,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
  pid_t pid;
  int i, pipefd[2];
  struct sigaction sigact;
-
+  unsigned char *alloc_buff = NULL;
+  
  /* create the pipe through which the main program sends us commands,
     then fork our process. */
  if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
@@ -98,13 +97,14 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
      return pipefd[1];
    }

-  /* ignore SIGTERM, so that we can clean up when the main process gets hit
+  /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
     and SIGALRM so that we can use sleep() */
  sigact.sa_handler = SIG_IGN;
  sigact.sa_flags = 0;
  sigemptyset(&sigact.sa_mask);
  sigaction(SIGTERM, &sigact, NULL);
  sigaction(SIGALRM, &sigact, NULL);
+  sigaction(SIGINT, &sigact, NULL);

  if (!option_bool(OPT_DEBUG) && uid != 0)
    {
@@ -131,12 +131,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
     Don't close err_fd, in case the lua-init fails.
     Note that we have to do this before lua init
     so we don't close any lua fds. */
-  for (max_fd--; max_fd >= 0; max_fd--)
-    if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && 
-	max_fd != STDIN_FILENO && max_fd != pipefd[0] && 
-	max_fd != event_fd && max_fd != err_fd)
-      close(max_fd);
-
+  close_fds(max_fd, pipefd[0], event_fd, err_fd);
+  
 #ifdef HAVE_LUASCRIPT
  if (daemon->luascript)
    {
@@ -188,14 +184,19 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
      struct script_data data;
      char *p, *action_str, *hostname = NULL, *domain = NULL;
      unsigned char *buf = (unsigned char *)daemon->namebuff;
-      unsigned char *end, *extradata, *alloc_buff = NULL;
+      unsigned char *end, *extradata;
      int is6, err = 0;
      int pipeout[2];

-      free(alloc_buff);
+      /* Free rarely-allocated memory from previous iteration. */
+      if (alloc_buff)
+	{
+	  free(alloc_buff);
+	  alloc_buff = NULL;
+	}
      
      /* we read zero bytes when pipe closed: this is our signal to exit */ 
-      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
+      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), RW_READ))
 	{
 #ifdef HAVE_LUASCRIPT
 	  if (daemon->luascript)
@@ -232,9 +233,13 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  is6 = (data.flags != AF_INET);
 	  data.action = ACTION_ARP;
 	}
-       else 
-	continue;
-
+       else if (data.action == ACTION_RELAY_SNOOP)
+	 {
+	   is6 = 1;
+	   action_str = "relay-snoop";
+	 }
+       else
+	 continue;
      	
      /* stringify MAC into dhcp_buff */
      p = daemon->dhcp_buff;
@@ -253,7 +258,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	continue;
      
      if (!read_write(pipefd[0], buf, 
-		      data.hostname_len + data.ed_len + data.clid_len, 1))
+		      data.hostname_len + data.ed_len + data.clid_len, RW_READ))
 	continue;

      /* CLID into packet */
@@ -286,7 +291,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  char *dot;
 	  hostname = (char *)buf;
 	  hostname[data.hostname_len - 1] = 0;
-	  if (data.action != ACTION_TFTP)
+	  if (data.action != ACTION_TFTP && data.action != ACTION_RELAY_SNOOP)
 	    {
 	      if (!legal_hostname(hostname))
 		hostname = NULL;
@@ -302,10 +307,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
    
      if (!is6)
 	inet_ntop(AF_INET, &data.addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_IPV6
      else
 	inet_ntop(AF_INET6, &data.addr6, daemon->addrbuff, ADDRSTRLEN);
-#endif

 #ifdef HAVE_TFTP
      /* file length */
@@ -334,6 +337,24 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
 		}
 	    }
+	  else if (data.action == ACTION_RELAY_SNOOP)
+	    {
+	      lua_getglobal(lua, "snoop"); 
+	      if (lua_type(lua, -1) != LUA_TFUNCTION)
+		lua_pop(lua, 1); /* tftp function optional */
+	      else
+		{
+		  lua_pushstring(lua, action_str); /* arg1 - action */
+		  lua_newtable(lua);               /* arg2 - data table */
+		  lua_pushstring(lua, daemon->addrbuff);
+		  lua_setfield(lua, -2, "client_address");
+		  lua_pushstring(lua, hostname);
+		  lua_setfield(lua, -2, "prefix"); 
+		  lua_pushstring(lua, data.interface);
+		  lua_setfield(lua, -2, "client_interface");
+		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
+		}
+	    }
 	  else if (data.action == ACTION_ARP)
 	    {
 	      lua_getglobal(lua, "arp"); 
@@ -400,6 +421,9 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	      
 	      end = extradata + data.ed_len;
 	      buf = extradata;
+
+	      lua_pushnumber(lua, data.ed_len == 0 ? 1 : 0);
+	      lua_setfield(lua, -2, "data_missing");
 	      
 	      if (!is6)
 		buf = grab_extradata_lua(buf, end, "vendor_class");
@@ -427,14 +451,17 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		  buf = grab_extradata_lua(buf, end, "subscriber_id");
 		  buf = grab_extradata_lua(buf, end, "remote_id");
 		}
-	      
+
+	      buf = grab_extradata_lua(buf, end, "requested_options");
+	      buf = grab_extradata_lua(buf, end, "mud_url");
 	      buf = grab_extradata_lua(buf, end, "tags");
 	      
 	      if (is6)
 		buf = grab_extradata_lua(buf, end, "relay_address");
 	      else if (data.giaddr.s_addr != 0)
 		{
-		  lua_pushstring(lua, inet_ntoa(data.giaddr));
+		  inet_ntop(AF_INET, &data.giaddr, daemon->dhcp_buff2, ADDRSTRLEN);
+		  lua_pushstring(lua, daemon->dhcp_buff2);
 		  lua_setfield(lua, -2, "relay_address");
 		}
 	      
@@ -554,7 +581,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  close(pipeout[1]);
 	}
      
-      if (data.action != ACTION_TFTP && data.action != ACTION_ARP)
+      if (data.action != ACTION_TFTP && data.action != ACTION_ARP && data.action != ACTION_RELAY_SNOOP)
 	{
 #ifdef HAVE_DHCP6
 	  my_setenv("DNSMASQ_IAID", is6 ? daemon->dhcp_buff3 : NULL, &err);
@@ -577,6 +604,9 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  
 	  end = extradata + data.ed_len;
 	  buf = extradata;
+
+	  if (data.ed_len == 0)
+	    my_setenv("DNSMASQ_DATA_MISSING", "1", &err);
 	  
 	  if (!is6)
 	    buf = grab_extradata(buf, end, "DNSMASQ_VENDOR_CLASS", &err);
@@ -605,15 +635,21 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	      buf = grab_extradata(buf, end, "DNSMASQ_CIRCUIT_ID", &err);
 	      buf = grab_extradata(buf, end, "DNSMASQ_SUBSCRIBER_ID", &err);
 	      buf = grab_extradata(buf, end, "DNSMASQ_REMOTE_ID", &err);
-	      buf = grab_extradata(buf, end, "DNSMASQ_REQUESTED_OPTIONS", &err);
 	    }
 	  
+	  buf = grab_extradata(buf, end, "DNSMASQ_REQUESTED_OPTIONS", &err);
+	  buf = grab_extradata(buf, end, "DNSMASQ_MUD_URL", &err);
 	  buf = grab_extradata(buf, end, "DNSMASQ_TAGS", &err);
-
+	  	  
 	  if (is6)
 	    buf = grab_extradata(buf, end, "DNSMASQ_RELAY_ADDRESS", &err);
-	  else 
-	    my_setenv("DNSMASQ_RELAY_ADDRESS", data.giaddr.s_addr != 0 ? inet_ntoa(data.giaddr) : NULL, &err); 
+	  else
+	    {
+	      const char *giaddr = NULL;
+	      if (data.giaddr.s_addr != 0)
+		  giaddr = inet_ntop(AF_INET, &data.giaddr, daemon->dhcp_buff2, ADDRSTRLEN);
+	      my_setenv("DNSMASQ_RELAY_ADDRESS", giaddr, &err);
+	    }
 	  
 	  for (i = 0; buf; i++)
 	    {
@@ -636,6 +672,9 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	fcntl(event_fd, F_SETFD, i | FD_CLOEXEC);
      close(pipefd[0]);

+      if (data.action == ACTION_RELAY_SNOOP)
+	strcpy(daemon->packet, data.interface);
+      
      p =  strrchr(daemon->lease_change_command, '/');
      if (err == 0)
 	{
@@ -806,6 +845,29 @@ void queue_script(int action, struct dhcp_lease *lease, char *hostname, time_t n
  bytes_in_buf = p - (unsigned char *)buf;
 }

+#ifdef HAVE_DHCP6
+void queue_relay_snoop(struct in6_addr *client, int if_index, struct in6_addr *prefix, int prefix_len)
+{
+  /* no script */
+  if (daemon->helperfd == -1)
+    return;
+  
+  inet_ntop(AF_INET6, prefix, daemon->addrbuff, ADDRSTRLEN);
+
+  /* 5 for /nnn and zero on the end of the prefix. */
+  buff_alloc(sizeof(struct script_data) + ADDRSTRLEN + 5);
+  memset(buf, 0, sizeof(struct script_data));
+
+  buf->action = ACTION_RELAY_SNOOP;
+  buf->addr6 = *client;
+  buf->hostname_len = sprintf((char *)(buf+1), "%s/%u", daemon->addrbuff, prefix_len) + 1;
+  
+  indextoname(daemon->dhcp6fd, if_index, buf->interface);
+
+  bytes_in_buf = sizeof(struct script_data) + buf->hostname_len;
+}
+#endif
+
 #ifdef HAVE_TFTP
 /* This nastily re-uses DHCP-fields for TFTP stuff */
 void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
@@ -826,10 +888,8 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)

  if ((buf->flags = peer->sa.sa_family) == AF_INET)
    buf->addr = peer->in.sin_addr;
-#ifdef HAVE_IPV6
  else
    buf->addr6 = peer->in6.sin6_addr;
-#endif

  memcpy((unsigned char *)(buf+1), filename, filename_len);
  
@@ -837,7 +897,7 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
 }
 #endif

-void queue_arp(int action, unsigned char *mac, int maclen, int family, struct all_addr *addr)
+void queue_arp(int action, unsigned char *mac, int maclen, int family, union all_addr *addr)
 {
  /* no script */
  if (daemon->helperfd == -1)
@@ -850,11 +910,9 @@ void queue_arp(int action, unsigned char *mac, int maclen, int family, struct al
  buf->hwaddr_len = maclen;
  buf->hwaddr_type =  ARPHRD_ETHER; 
  if ((buf->flags = family) == AF_INET)
-    buf->addr = addr->addr.addr4;
-#ifdef HAVE_IPV6
+    buf->addr = addr->addr4;
  else
-    buf->addr6 = addr->addr.addr6;
-#endif
+    buf->addr6 = addr->addr6;
  
  memcpy(buf->hwaddr, mac, maclen);
  
@@ -887,7 +945,4 @@ void helper_write(void)
    }
 }

-#endif
-
-
-
+#endif /* HAVE_SCRIPT */
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -20,7 +20,7 @@
 #include <sys/inotify.h>
 #include <sys/param.h> /* For MAXSYMLINKS */

-/* the strategy is to set a inotify on the directories containing
+/* the strategy is to set an inotify on the directories containing
   resolv files, for any files in the directory which are close-write 
   or moved into the directory.
   
@@ -94,7 +94,7 @@ void inotify_dnsmasq_init()
  if (daemon->inotifyfd == -1)
    die(_("failed to create inotify: %s"), NULL, EC_MISC);

-  if (option_bool(OPT_NO_RESOLV))
+  if (daemon->port == 0 || option_bool(OPT_NO_RESOLV))
    return;
  
  for (res = daemon->resolv_files; res; res = res->next)
@@ -133,74 +133,112 @@ void inotify_dnsmasq_init()
    }
 }

+static struct hostsfile *dyndir_addhosts(struct dyndir *dd, char *path)
+{
+  /* Check if this file is already known in dd->files */
+  struct hostsfile *ah = NULL;
+  for(ah = dd->files; ah; ah = ah->next)
+    if(ah && ah->fname && strcmp(path, ah->fname) == 0)
+      return ah;
+
+  /* Not known, create new hostsfile record for this dyndir */
+  struct hostsfile *newah = NULL;
+  if(!(newah = whine_malloc(sizeof(struct hostsfile))))
+    return NULL;
+
+  /* Add this file to the tip of the linked list */
+  newah->next = dd->files;
+  dd->files = newah;
+
+  /* Copy flags, set index and the full file path */
+  newah->flags = dd->flags;
+  newah->index = daemon->host_index++;
+  newah->fname = path;
+
+  return newah;
+}
+

 /* initialisation for dynamic-dir. Set inotify watch for each directory, and read pre-existing files */
 void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revhashsz)
 {
-  struct hostsfile *ah;
-  
-  for (ah = daemon->dynamic_dirs; ah; ah = ah->next)
+  struct dyndir *dd;
+
+  for (dd = daemon->dynamic_dirs; dd; dd = dd->next)
    {
      DIR *dir_stream = NULL;
      struct dirent *ent;
      struct stat buf;
-     
-      if (!(ah->flags & flag))
+
+      if (!(dd->flags & flag))
 	continue;
- 
-      if (stat(ah->fname, &buf) == -1 || !(S_ISDIR(buf.st_mode)))
+
+      if (stat(dd->dname, &buf) == -1)
 	{
 	  my_syslog(LOG_ERR, _("bad dynamic directory %s: %s"), 
-		    ah->fname, strerror(errno));
+		    dd->dname, strerror(errno));
 	  continue;
 	}
-      
-       if (!(ah->flags & AH_WD_DONE))
+
+      if (!(S_ISDIR(buf.st_mode)))
+	{
+	  my_syslog(LOG_ERR, _("bad dynamic directory %s: %s"), 
+		    dd->dname, _("not a directory"));
+	  continue;
+	}
+
+       if (!(dd->flags & AH_WD_DONE))
 	 {
-	   ah->wd = inotify_add_watch(daemon->inotifyfd, ah->fname, IN_CLOSE_WRITE | IN_MOVED_TO);
-	   ah->flags |= AH_WD_DONE;
+	   dd->wd = inotify_add_watch(daemon->inotifyfd, dd->dname, IN_CLOSE_WRITE | IN_MOVED_TO | IN_DELETE);
+	   dd->flags |= AH_WD_DONE;
 	 }

       /* Read contents of dir _after_ calling add_watch, in the hope of avoiding
 	  a race which misses files being added as we start */
-       if (ah->wd == -1 || !(dir_stream = opendir(ah->fname)))
+       if (dd->wd == -1 || !(dir_stream = opendir(dd->dname)))
 	 {
 	   my_syslog(LOG_ERR, _("failed to create inotify for %s: %s"),
-		     ah->fname, strerror(errno));
+		     dd->dname, strerror(errno));
 	   continue;
 	 }

       while ((ent = readdir(dir_stream)))
 	 {
-	   size_t lendir = strlen(ah->fname);
+	   size_t lendir = strlen(dd->dname);
 	   size_t lenfile = strlen(ent->d_name);
 	   char *path;
-	   
+
 	   /* ignore emacs backups and dotfiles */
 	   if (lenfile == 0 || 
 	       ent->d_name[lenfile - 1] == '~' ||
 	       (ent->d_name[0] == '#' && ent->d_name[lenfile - 1] == '#') ||
 	       ent->d_name[0] == '.')
 	     continue;
-	   
+
 	   if ((path = whine_malloc(lendir + lenfile + 2)))
 	     {
-	       strcpy(path, ah->fname);
+	       struct hostsfile *ah;
+
+	       strcpy(path, dd->dname);
 	       strcat(path, "/");
 	       strcat(path, ent->d_name);
+
+	       if (!(ah = dyndir_addhosts(dd, path)))
+		 {
+		   free(path);
+		   continue;
+		 }
 	       
 	       /* ignore non-regular files */
 	       if (stat(path, &buf) != -1 && S_ISREG(buf.st_mode))
 		 {
-		   if (ah->flags & AH_HOSTS)
+		   if (dd->flags & AH_HOSTS)
 		     total_size = read_hostsfile(path, ah->index, total_size, rhash, revhashsz);
 #ifdef HAVE_DHCP
-		   else if (ah->flags & (AH_DHCP_HST | AH_DHCP_OPT))
-		     option_read_dynfile(path, ah->flags);
+		   else if (dd->flags & (AH_DHCP_HST | AH_DHCP_OPT))
+		     option_read_dynfile(path, dd->flags);
 #endif		   
 		 }
-
-	       free(path);
 	     }
 	 }

@@ -211,7 +249,7 @@ void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revh
 int inotify_check(time_t now)
 {
  int hit = 0;
-  struct hostsfile *ah;
+  struct dyndir *dd;

  while (1)
    {
@@ -227,49 +265,66 @@ int inotify_check(time_t now)
      
      for (p = inotify_buffer; rc - (p - inotify_buffer) >= (int)sizeof(struct inotify_event); p += sizeof(struct inotify_event) + in->len) 
 	{
+	  size_t namelen;
+
 	  in = (struct inotify_event*)p;
 	  
-	  for (res = daemon->resolv_files; res; res = res->next)
-	    if (res->wd == in->wd && in->len != 0 && strcmp(res->file, in->name) == 0)
-	      hit = 1;
-
 	  /* ignore emacs backups and dotfiles */
-	  if (in->len == 0 || 
-	      in->name[in->len - 1] == '~' ||
-	      (in->name[0] == '#' && in->name[in->len - 1] == '#') ||
+	  if (in->len == 0 || (namelen = strlen(in->name)) == 0 ||
+	      in->name[namelen - 1] == '~' ||
+	      (in->name[0] == '#' && in->name[namelen - 1] == '#') ||
 	      in->name[0] == '.')
 	    continue;
-	  
-	  for (ah = daemon->dynamic_dirs; ah; ah = ah->next)
-	    if (ah->wd == in->wd)
+
+	  for (res = daemon->resolv_files; res; res = res->next)
+	    if (res->wd == in->wd && strcmp(res->file, in->name) == 0)
+	      hit = 1;
+
+	  for (dd = daemon->dynamic_dirs; dd; dd = dd->next)
+	    if (dd->wd == in->wd)
 	      {
-		size_t lendir = strlen(ah->fname);
+		size_t lendir = strlen(dd->dname);
 		char *path;
-		
+				
 		if ((path = whine_malloc(lendir + in->len + 2)))
 		  {
-		    strcpy(path, ah->fname);
+		    struct hostsfile *ah = NULL;
+
+		    strcpy(path, dd->dname);
 		    strcat(path, "/");
 		    strcat(path, in->name);
-		     
-		    my_syslog(LOG_INFO, _("inotify, new or changed file %s"), path);

-		    if (ah->flags & AH_HOSTS)
+		    /* Is this is a deletion event? */
+		    if (in->mask & IN_DELETE)
+		      my_syslog(LOG_INFO, _("inotify: %s removed"), path);
+		    else 
+		      my_syslog(LOG_INFO, _("inotify: %s new or modified"), path);
+
+		    if (dd->flags & AH_HOSTS)
 		      {
-			read_hostsfile(path, ah->index, 0, NULL, 0);
-#ifdef HAVE_DHCP
-			if (daemon->dhcp || daemon->doing_dhcp6) 
+			if ((ah = dyndir_addhosts(dd, path)))
 			  {
-			    /* Propagate the consequences of loading a new dhcp-host */
-			    dhcp_update_configs(daemon->dhcp_conf);
-			    lease_update_from_configs(); 
-			    lease_update_file(now); 
-			    lease_update_dns(1);
-			  }
+			    const unsigned int removed = cache_remove_uid(ah->index);
+			    if (removed > 0)
+			      my_syslog(LOG_INFO, _("inotify: flushed %u names read from %s"), removed, path);
+
+			    /* (Re-)load hostsfile only if this event isn't triggered by deletion */
+			    if (!(in->mask & IN_DELETE))
+			      read_hostsfile(path, ah->index, 0, NULL, 0);
+#ifdef HAVE_DHCP
+			    if (daemon->dhcp || daemon->doing_dhcp6) 
+			      {
+				/* Propagate the consequences of loading a new dhcp-host */
+				dhcp_update_configs(daemon->dhcp_conf);
+				lease_update_from_configs(); 
+				lease_update_file(now); 
+				lease_update_dns(1);
+			      }
 #endif
+			  }
 		      }
 #ifdef HAVE_DHCP
-		    else if (ah->flags & AH_DHCP_HST)
+		    else if (dd->flags & AH_DHCP_HST)
 		      {
 			if (option_read_dynfile(path, AH_DHCP_HST))
 			  {
@@ -280,11 +335,12 @@ int inotify_check(time_t now)
 			    lease_update_dns(1);
 			  }
 		      }
-		    else if (ah->flags & AH_DHCP_OPT)
+		    else if (dd->flags & AH_DHCP_OPT)
 		      option_read_dynfile(path, AH_DHCP_OPT);
 #endif
 		    
-		    free(path);
+		    if (!ah)
+		      free(path);
 		  }
 	      }
 	}
@@ -293,4 +349,3 @@ int inotify_check(time_t now)
 }

 #endif  /* INOTIFY */
-  
--- a/src/ip6addr.h
+++ b/src/ip6addr.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,4 +31,3 @@
         && ((__const uint32_t *) (a))[1] == 0                                \
         && ((__const uint32_t *) (a))[2] == 0                                \
         && ((__const uint32_t *) (a))[3] == 0)
-
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -22,9 +22,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/utsname.h>
 #include <arpa/inet.h>
-#include <linux/version.h>
 #include <linux/netlink.h>

 /* We want to be able to compile against old header files
@@ -87,20 +85,7 @@ static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, con

 void ipset_init(void)
 {
-  struct utsname utsname;
-  int version;
-  char *split;
-  
-  if (uname(&utsname) < 0)
-    die(_("failed to find kernel version: %s"), NULL, EC_MISC);
-  
-  split = strtok(utsname.release, ".");
-  version = (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  old_kernel = (version < KERNEL_VERSION(2,6,32));
+  old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32));
  
  if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
    return;
@@ -114,19 +99,14 @@ void ipset_init(void)
  die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
 }

-static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove)
+static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, int af, int remove)
 {
  struct nlmsghdr *nlh;
  struct my_nfgenmsg *nfg;
  struct my_nlattr *nested[2];
  uint8_t proto;
-  int addrsz = INADDRSZ;
+  int addrsz = (af == AF_INET6) ? IN6ADDRSZ : INADDRSZ;

-#ifdef HAVE_IPV6
-  if (af == AF_INET6)
-    addrsz = IN6ADDRSZ;
-#endif
-    
  if (strlen(setname) >= IPSET_MAXNAMELEN) 
    {
      errno = ENAMETOOLONG;
@@ -157,7 +137,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
  nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
  add_attr(nlh, 
 	   (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
-	   addrsz, &ipaddr->addr);
+	   addrsz, ipaddr);
  nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
  nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
 	
@@ -168,7 +148,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
 }


-static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
+static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove)
 {
  socklen_t size;
  struct ip_set_req_adt_get {
@@ -200,7 +180,7 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
    return -1;
  req_adt.op = remove ? 0x102 : 0x101;
  req_adt.index = req_adt_get.set.index;
-  req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
+  req_adt.ip = ntohl(ipaddr->addr4.s_addr);
  if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
    return -1;
  
@@ -209,11 +189,10 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,



-int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
+int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
 {
  int ret = 0, af = AF_INET;

-#ifdef HAVE_IPV6
  if (flags & F_IPV6)
    {
      af = AF_INET6;
@@ -224,7 +203,6 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags,
 	  ret = -1;
 	}
    }
-#endif
  
  if (ret != -1) 
    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
--- a/src/lease.c
+++ b/src/lease.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -15,7 +15,6 @@
 */

 #include "dnsmasq.h"
-
 #ifdef HAVE_DHCP

 static struct dhcp_lease *leases = NULL, *old_leases = NULL;
@@ -24,12 +23,11 @@ static int dns_dirty, file_dirty, leases_left;
 static int read_leases(time_t now, FILE *leasestream)
 {
  unsigned long ei;
-  struct all_addr addr;
+  union all_addr addr;
  struct dhcp_lease *lease;
  int clid_len, hw_len, hw_type;
  int items;
-  char *domain = NULL;
-
+ 
  *daemon->dhcp_buff3 = *daemon->dhcp_buff2 = '\0';

  /* client-id max length is 255 which is 255*2 digits + 254 colons
@@ -60,12 +58,17 @@ static int read_leases(time_t now, FILE *leasestream)
 	
 	if (fscanf(leasestream, " %64s %255s %764s",
 		   daemon->namebuff, daemon->dhcp_buff, daemon->packet) != 3)
-	  return 0;
-	
-	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr.addr4))
 	  {
-	    if ((lease = lease4_allocate(addr.addr.addr4)))
-	      domain = get_domain(lease->addr);
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database: %s %s %s %s ..."),
+		      daemon->dhcp_buff3, daemon->dhcp_buff2,
+		      daemon->namebuff, daemon->dhcp_buff);
+	    continue;
+	  }
+		
+	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr4))
+	  {
+	    lease = lease4_allocate(addr.addr4);
+	    
 	    
 	    hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
 	    /* For backwards compatibility, no explicit MAC address type means ether. */
@@ -73,7 +76,7 @@ static int read_leases(time_t now, FILE *leasestream)
 	      hw_type = ARPHRD_ETHER; 
 	  }
 #ifdef HAVE_DHCP6
-	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr.addr6))
+	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr6))
 	  {
 	    char *s = daemon->dhcp_buff2;
 	    int lease_type = LEASE_NA;
@@ -84,15 +87,17 @@ static int read_leases(time_t now, FILE *leasestream)
 		s++;
 	      }
 	    
-	    if ((lease = lease6_allocate(&addr.addr.addr6, lease_type)))
-	      {
-		lease_set_iaid(lease, strtoul(s, NULL, 10));
-		domain = get_domain6((struct in6_addr *)lease->hwaddr);
-	      }
+	    if ((lease = lease6_allocate(&addr.addr6, lease_type)))
+	      lease_set_iaid(lease, strtoul(s, NULL, 10));
 	  }
 #endif
 	else
-	  return 0;
+	  {
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database, bad address: %s"),
+		      daemon->namebuff);
+	    continue;
+	  }
+	

 	if (!lease)
 	  die (_("too many stored leases"), NULL, EC_MISC);
@@ -104,7 +109,7 @@ static int read_leases(time_t now, FILE *leasestream)
 			 hw_len, hw_type, clid_len, now, 0);
 	
 	if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	  lease_set_hostname(lease, daemon->dhcp_buff, 0, domain, NULL);
+	  lease_set_hostname(lease, daemon->dhcp_buff, 0, NULL, NULL);

 	ei = atol(daemon->dhcp_buff3);

@@ -145,6 +150,10 @@ void lease_init(time_t now)
 #ifdef HAVE_SCRIPT
      if (daemon->lease_change_command)
 	{
+	  /* 6 == strlen(" init") plus terminator */
+	  if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
+	    die(_("lease-change script name is too long"), NULL, EC_FILE);
+	  
 	  strcpy(daemon->dhcp_buff, daemon->lease_change_command);
 	  strcat(daemon->dhcp_buff, " init");
 	  leasestream = popen(daemon->dhcp_buff, "r");
@@ -172,10 +181,8 @@ void lease_init(time_t now)
  if (leasestream)
    {
      if (!read_leases(now, leasestream))
-	my_syslog(MS_DHCP | LOG_ERR, _("failed to parse lease database, invalid line: %s %s %s %s ..."),
-		  daemon->dhcp_buff3, daemon->dhcp_buff2,
-		  daemon->namebuff, daemon->dhcp_buff);
-
+	my_syslog(MS_DHCP | LOG_ERR, _("failed to parse lease database cleanly"));
+      
      if (ferror(leasestream))
 	die(_("failed to read lease file %s: %s"), daemon->lease_file, EC_FILE);
    }
@@ -222,14 +229,14 @@ void lease_update_from_configs(void)
    if (lease->flags & (LEASE_TA | LEASE_NA))
      continue;
    else if ((config = find_config(daemon->dhcp_conf, NULL, lease->clid, lease->clid_len, 
-				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL)) && 
+				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL, NULL)) && 
 	     (config->flags & CONFIG_NAME) &&
 	     (!(config->flags & CONFIG_ADDR) || config->addr.s_addr == lease->addr.s_addr))
      lease_set_hostname(lease, config->hostname, 1, get_domain(lease->addr), NULL);
    else if ((name = host_from_dns(lease->addr)))
      lease_set_hostname(lease, name, 1, get_domain(lease->addr), NULL); /* updates auth flag only */
 }
- 
+
 static void ourprintf(int *errp, char *format, ...)
 {
  va_list ap;
@@ -370,7 +377,7 @@ void lease_update_file(time_t now)
      if (next_event == 0 || difftime(next_event, LEASE_RETRY + now) > 0.0)
 	next_event = LEASE_RETRY + now;
      
-      my_syslog(MS_DHCP | LOG_ERR, _("failed to write %s: %s (retry in %us)"), 
+      my_syslog(MS_DHCP | LOG_ERR, _("failed to write %s: %s (retry in %u s)"), 
 		daemon->lease_file, strerror(err),
 		(unsigned int)difftime(next_event, now));
    }
@@ -404,7 +411,7 @@ static int find_interface_v4(struct in_addr local, int if_index, char *label,
 #ifdef HAVE_DHCP6
 static int find_interface_v6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, 
-			     int preferred, int valid, void *vparam)
+			     unsigned int preferred, unsigned int valid, void *vparam)
 {
  struct dhcp_lease *lease;

@@ -461,9 +468,9 @@ void lease_find_interfaces(time_t now)
  for (lease = leases; lease; lease = lease->next)
    lease->new_prefixlen = lease->new_interface = 0;

-  iface_enumerate(AF_INET, &now, find_interface_v4);
+  iface_enumerate(AF_INET, &now, (callback_t){.af_inet=find_interface_v4});
 #ifdef HAVE_DHCP6
-  iface_enumerate(AF_INET6, &now, find_interface_v6);
+  iface_enumerate(AF_INET6, &now, (callback_t){.af_inet6=find_interface_v6});
 #endif

  for (lease = leases; lease; lease = lease->next)
@@ -514,28 +521,28 @@ void lease_update_dns(int force)
 		if (slaac->backoff == 0)
 		  {
 		    if (lease->fqdn)
-		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		    if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		  }
 	    }
 	  
 	  if (lease->fqdn)
 	    cache_add_dhcp_entry(lease->fqdn, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6,
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6,
 				 lease->expires);
 	     
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
 	    cache_add_dhcp_entry(lease->hostname, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6, 
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6, 
 				 lease->expires);
       
 #else
 	  if (lease->fqdn)
-	    cache_add_dhcp_entry(lease->fqdn, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->fqdn, prot, (union all_addr *)&lease->addr, lease->expires);
 	  
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-	    cache_add_dhcp_entry(lease->hostname, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->hostname, prot, (union all_addr *)&lease->addr, lease->expires);
 #endif
 	}
      
@@ -550,12 +557,14 @@ void lease_prune(struct dhcp_lease *target, time_t now)
  for (lease = leases, up = &leases; lease; lease = tmp)
    {
      tmp = lease->next;
-      if ((lease->expires != 0 && difftime(now, lease->expires) > 0) || lease == target)
+      if ((lease->expires != 0 && difftime(now, lease->expires) >= 0) || lease == target)
 	{
 	  file_dirty = 1;
 	  if (lease->hostname)
 	    dns_dirty = 1;
-	  
+
+	  daemon->metrics[lease->addr.s_addr ? METRIC_LEASES_PRUNED_4 : METRIC_LEASES_PRUNED_6]++;
+
 	  *up = lease->next; /* unlink */
 	  
 	  /* Put on old_leases list 'till we
@@ -625,7 +634,8 @@ struct dhcp_lease *lease_find_by_addr(struct in_addr addr)
 #ifdef HAVE_DHCP6
 /* find address for {CLID, IAID, address} */
 struct dhcp_lease *lease6_find(unsigned char *clid, int clid_len, 
-			       int lease_type, int iaid, struct in6_addr *addr)
+			       int lease_type, unsigned int iaid,
+			       struct in6_addr *addr)
 {
  struct dhcp_lease *lease;
  
@@ -657,7 +667,9 @@ void lease6_reset(void)
 }

 /* enumerate all leases belonging to {CLID, IAID} */
-struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type, unsigned char *clid, int clid_len, int iaid)
+struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type,
+					 unsigned char *clid, int clid_len,
+					 unsigned int iaid)
 {
  struct dhcp_lease *lease;

@@ -773,7 +785,10 @@ struct dhcp_lease *lease4_allocate(struct in_addr addr)
 {
  struct dhcp_lease *lease = lease_allocate();
  if (lease)
-    lease->addr = addr;
+    {
+      lease->addr = addr;
+      daemon->metrics[METRIC_LEASES_ALLOCATED_4]++;
+    }
  
  return lease;
 }
@@ -788,6 +803,8 @@ struct dhcp_lease *lease6_allocate(struct in6_addr *addrp, int lease_type)
      lease->addr6 = *addrp;
      lease->flags |= lease_type;
      lease->iaid = 0;
+
+      daemon->metrics[METRIC_LEASES_ALLOCATED_6]++;
    }

  return lease;
@@ -818,7 +835,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
      dns_dirty = 1;
      lease->expires = exp;
 #ifndef HAVE_BROKEN_RTC
-      lease->flags |= LEASE_AUX_CHANGED;
+      lease->flags |= LEASE_AUX_CHANGED | LEASE_EXP_CHANGED;
      file_dirty = 1;
 #endif
    }
@@ -834,7 +851,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
 } 

 #ifdef HAVE_DHCP6
-void lease_set_iaid(struct dhcp_lease *lease, int iaid)
+void lease_set_iaid(struct dhcp_lease *lease, unsigned int iaid)
 {
  if (lease->iaid != iaid)
    {
@@ -928,6 +945,36 @@ static void kill_name(struct dhcp_lease *lease)
  lease->hostname = lease->fqdn = NULL;
 }

+void lease_calc_fqdns(void)
+{
+  struct dhcp_lease *lease;
+  
+  for (lease = leases; lease; lease = lease->next)
+    {
+      char *domain;
+
+      if (lease->hostname)
+	{
+#ifdef HAVE_DHCP6
+	  if (lease->flags & (LEASE_TA | LEASE_NA))
+	    domain = get_domain6(&lease->addr6);
+	  else
+#endif
+	    domain = get_domain(lease->addr);
+	  
+	  if (domain)
+	    {
+	      /* This is called only during startup, before forking, hence safe_malloc() */
+	      lease->fqdn = safe_malloc(strlen(lease->hostname) + strlen(domain) + 2);
+	      
+	      strcpy(lease->fqdn, lease->hostname);
+	      strcat(lease->fqdn, ".");
+	      strcat(lease->fqdn, domain);
+	    }
+	}
+    }
+}
+	  
 void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, char *domain, char *config_domain)
 {
  struct dhcp_lease *lease_tmp;
@@ -1003,6 +1050,7 @@ void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, ch
 	    }
 	
 	  kill_name(lease_tmp);
+	  lease_tmp->flags |= LEASE_CHANGED; /* run script on change */
 	  break;
 	}
    }
@@ -1118,7 +1166,8 @@ int do_script_run(time_t now)
  
  for (lease = leases; lease; lease = lease->next)
    if ((lease->flags & (LEASE_NEW | LEASE_CHANGED)) || 
-	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)))
+	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)) ||
+	((lease->flags & LEASE_EXP_CHANGED) && option_bool(OPT_LEASE_RENEW)))
      {
 #ifdef HAVE_SCRIPT
 	queue_script((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease, 
@@ -1128,7 +1177,7 @@ int do_script_run(time_t now)
 	emit_dbus_signal((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease,
 			 lease->fqdn ? lease->fqdn : lease->hostname);
 #endif
-	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED);
+	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED | LEASE_EXP_CHANGED);
 	
 	/* this is used for the "add" call, then junked, since they're not in the database */
 	free(lease->extradata);
@@ -1160,17 +1209,11 @@ void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned
  if ((lease->extradata_size - lease->extradata_len) < (len + 1))
    {
      size_t newsz = lease->extradata_len + len + 100;
-      unsigned char *new = whine_malloc(newsz);
+      unsigned char *new = whine_realloc(lease->extradata, newsz);
  
      if (!new)
 	return;
      
-      if (lease->extradata)
-	{
-	  memcpy(new, lease->extradata, lease->extradata_len);
-	  free(lease->extradata);
-	}
-
      lease->extradata = new;
      lease->extradata_size = newsz;
    }
@@ -1182,8 +1225,4 @@ void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned
 }
 #endif

-#endif
-	  
-
-      
-
+#endif /* HAVE_DHCP */
--- a/src/log.c
+++ b/src/log.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
  /* If we're running as root and going to change uid later,
     change the ownership here so that the file is always owned by
     the dnsmasq user. Then logrotate can just copy the owner.
-     Failure of the chown call is OK, (for instance when started as non-root) */
-  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 && 
-      fchown(log_fd, ent_pw->pw_uid, -1) != 0)
-    ret = errno;
+     Failure of the chown call is OK, (for instance when started as non-root).
+     
+     If we've created a file with group-id root, we also make
+     the file group-writable. This gives processes in the root group
+     write access to the file and avoids the problem that on some systems,
+     once the file is owned by the dnsmasq user, it can't be written
+     whilst dnsmasq is running as root during startup.
+ */
+  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
+    {
+      struct stat ls;
+      if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
+	  (ls.st_mode & S_IWGRP) == 0)
+	(void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
+      if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+	ret = errno;
+    }

  return ret;
 }
@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
      /* NOTE: umask is set to 022 by the time this gets called */
      
      if (log_file)
-	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);      
+	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
      else
 	{
 #if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
@@ -232,7 +245,7 @@ static void log_write(void)
 	      logaddr.sun_len = sizeof(logaddr) - sizeof(logaddr.sun_path) + strlen(_PATH_LOG) + 1; 
 #endif
 	      logaddr.sun_family = AF_UNIX;
-	      strncpy(logaddr.sun_path, _PATH_LOG, sizeof(logaddr.sun_path));
+	      safe_strncpy(logaddr.sun_path, _PATH_LOG, sizeof(logaddr.sun_path));
 	      
 	      /* Got connection back? try again. */
 	      if (connect(log_fd, (struct sockaddr *)&logaddr, sizeof(logaddr)) != -1)
@@ -273,7 +286,7 @@ static void log_write(void)
 /* priority is one of LOG_DEBUG, LOG_INFO, LOG_NOTICE, etc. See sys/syslog.h.
   OR'd to priority can be MS_TFTP, MS_DHCP, ... to be able to do log separation between
   DNS, DHCP and TFTP services.
-*/
+   If OR'd with MS_DEBUG, the messages are suppressed unless --log-debug is set. */
 void my_syslog(int priority, const char *format, ...)
 {
  va_list ap;
@@ -290,7 +303,13 @@ void my_syslog(int priority, const char *format, ...)
    func = "-dhcp";
  else if ((LOG_FACMASK & priority) == MS_SCRIPT)
    func = "-script";
-	    
+  else if ((LOG_FACMASK & priority) == MS_DEBUG)
+    {
+      if (!option_bool(OPT_LOG_DEBUG))
+	return;
+      func = "-debug";
+    }
+  
 #ifdef LOG_PRI
  priority = LOG_PRI(priority);
 #else
--- a/src/loop.c
+++ b/src/loop.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid);
 void loop_send_probes()
 {
   struct server *serv;
+   struct randfd_list *rfds = NULL;
   
   if (!option_bool(OPT_LOOP_DETECT))
     return;
@@ -29,34 +30,29 @@ void loop_send_probes()
   /* Loop through all upstream servers not for particular domains, and send a query to that server which is
      identifiable, via the uid. If we see that query back again, then the server is looping, and we should not use it. */
   for (serv = daemon->servers; serv; serv = serv->next)
-     if (!(serv->flags & 
-	   (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)))
+     if (strlen(serv->domain) == 0 &&
+	 !(serv->flags & (SERV_FOR_NODOTS)))
       {
 	 ssize_t len = loop_make_probe(serv->uid);
 	 int fd;
-	 struct randfd *rfd = NULL;
 	 
-	 if (serv->sfd)
-	   fd = serv->sfd->fd;
-	 else 
-	   {
-	     if (!(rfd = allocate_rfd(serv->addr.sa.sa_family)))
-	       continue;
-	     fd = rfd->fd;
-	   }
+	 serv->flags &= ~SERV_LOOP;

+	 if ((fd = allocate_rfd(&rfds, serv)) == -1)
+	   continue;
+	 
 	 while (retry_send(sendto(fd, daemon->packet, len, 0, 
 				  &serv->addr.sa, sa_len(&serv->addr))));
-	 
-	 free_rfd(rfd);
       }
+
+   free_rfds(&rfds);
 }
  
 static ssize_t loop_make_probe(u32 uid)
 {
  struct dns_header *header = (struct dns_header *)daemon->packet;
  unsigned char *p = (unsigned char *)(header+1);
-
+  
  /* packet buffer overwritten */
  daemon->srv_save = NULL;
  
@@ -96,21 +92,21 @@ int detect_loop(char *query, int type)
    return 0;

  for (i = 0; i < 8; i++)
-    if (!isxdigit(query[i]))
+    if (!isxdigit((unsigned char)query[i]))
      return 0;

  uid = strtol(query, NULL, 16);

  for (serv = daemon->servers; serv; serv = serv->next)
-     if (!(serv->flags & 
-	   (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)) &&
-	 uid == serv->uid)
-       {
-	 serv->flags |= SERV_LOOP;
-	 check_servers(); /* log new state */
-	 return 1;
-       }
-
+    if (strlen(serv->domain) == 0 &&
+	!(serv->flags & SERV_LOOP) &&
+	uid == serv->uid)
+      {
+	serv->flags |= SERV_LOOP;
+	check_servers(1); /* log new state - don't send more probes. */
+	return 1;
+      }
+  
  return 0;
 }

--- a/src/metrics.c
+++ b/src/metrics.c
@@ -0,0 +1,70 @@
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+const char * metric_names[] = {
+    "dns_cache_inserted",
+    "dns_cache_live_freed",
+    "dns_queries_forwarded",
+    "dns_auth_answered",
+    "dns_local_answered",
+    "dns_stale_answered",
+    "dns_unanswered",
+    "dnssec_max_crypto_use",
+    "dnssec_max_sig_fail",
+    "dnssec_max_work",
+    "bootp",
+    "pxe",
+    "dhcp_ack",
+    "dhcp_decline",
+    "dhcp_discover",
+    "dhcp_inform",
+    "dhcp_nak",
+    "dhcp_offer",
+    "dhcp_release",
+    "dhcp_request",
+    "noanswer",
+    "leases_allocated_4",
+    "leases_pruned_4",
+    "leases_allocated_6",
+    "leases_pruned_6",
+    "tcp_connections",
+};
+
+const char* get_metric_name(int i) {
+    return metric_names[i];
+}
+
+void clear_metrics(void)
+{
+  int i;
+  struct server *serv;
+  
+  for (i = 0; i < __METRIC_MAX; i++)
+    daemon->metrics[i] = 0;
+
+  for (serv = daemon->servers; serv; serv = serv->next)
+    {
+      serv->queries = 0;
+      serv->failed_queries = 0;
+      serv->failed_queries = 0;
+      serv->retrys = 0;
+      serv->nxdomain_replies = 0;
+      serv->query_latency = 0;
+    }
+}
+	
--- a/src/metrics.h
+++ b/src/metrics.h
@@ -0,0 +1,50 @@
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* If you modify this list, please keep the labels in metrics.c in sync. */
+enum {
+  METRIC_DNS_CACHE_INSERTED,
+  METRIC_DNS_CACHE_LIVE_FREED,
+  METRIC_DNS_QUERIES_FORWARDED,
+  METRIC_DNS_AUTH_ANSWERED,
+  METRIC_DNS_LOCAL_ANSWERED,
+  METRIC_DNS_STALE_ANSWERED,
+  METRIC_DNS_UNANSWERED_QUERY,
+  METRIC_CRYPTO_HWM,
+  METRIC_SIG_FAIL_HWM,
+  METRIC_WORK_HWM,
+  METRIC_BOOTP,
+  METRIC_PXE,
+  METRIC_DHCPACK,
+  METRIC_DHCPDECLINE,
+  METRIC_DHCPDISCOVER,
+  METRIC_DHCPINFORM,
+  METRIC_DHCPNAK,
+  METRIC_DHCPOFFER,
+  METRIC_DHCPRELEASE,
+  METRIC_DHCPREQUEST,
+  METRIC_NOANSWER,
+  METRIC_LEASES_ALLOCATED_4,
+  METRIC_LEASES_PRUNED_4,
+  METRIC_LEASES_ALLOCATED_6,
+  METRIC_LEASES_PRUNED_6,
+  METRIC_TCP_CONNECTIONS,
+  
+  __METRIC_MAX,
+};
+
+const char* get_metric_name(int);
+void clear_metrics(void);
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2017 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -22,6 +22,15 @@
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>

+/* Blergh. Radv does this, so that's our excuse. */
+#ifndef SOL_NETLINK
+#define SOL_NETLINK 270
+#endif
+
+#ifndef NETLINK_NO_ENOBUFS
+#define NETLINK_NO_ENOBUFS 5
+#endif
+
 /* linux 2.6.19 buggers up the headers, patch it up here. */ 
 #ifndef IFA_RTA
 #  define IFA_RTA(r)  \
@@ -32,15 +41,23 @@

 #ifndef NDA_RTA
 #  define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg)))) 
-#endif 
+#endif
+
+/* Used to request refresh of addresses or routes just once,
+ * when multiple changes might be announced. */
+enum async_states {
+  STATE_NEWADDR = (1 << 0),
+  STATE_NEWROUTE = (1 << 1),
+};


 static struct iovec iov;
 static u32 netlink_pid;

-static void nl_async(struct nlmsghdr *h);
+static unsigned nl_async(struct nlmsghdr *h, unsigned state);
+static void nl_multicast_state(unsigned state);

-void netlink_init(void)
+char *netlink_init(void)
 {
  struct sockaddr_nl addr;
  socklen_t slen = sizeof(addr);
@@ -49,18 +66,10 @@ void netlink_init(void)
  addr.nl_pad = 0;
  addr.nl_pid = 0; /* autobind */
  addr.nl_groups = RTMGRP_IPV4_ROUTE;
-  if (option_bool(OPT_CLEVERBIND))
-    addr.nl_groups |= RTMGRP_IPV4_IFADDR;  
-#ifdef HAVE_IPV6
+  addr.nl_groups |= RTMGRP_IPV4_IFADDR;  
  addr.nl_groups |= RTMGRP_IPV6_ROUTE;
-  if (option_bool(OPT_CLEVERBIND))
-    addr.nl_groups |= RTMGRP_IPV6_IFADDR;
-#endif
-#ifdef HAVE_DHCP6
-  if (daemon->doing_ra || daemon->doing_dhcp6)
-    addr.nl_groups |= RTMGRP_IPV6_IFADDR;
-#endif
-  
+  addr.nl_groups |= RTMGRP_IPV6_IFADDR;
+
  /* May not be able to have permission to set multicast groups don't die in that case */
  if ((daemon->netlinkfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) != -1)
    {
@@ -75,15 +84,18 @@ void netlink_init(void)
  if (daemon->netlinkfd == -1 || 
      getsockname(daemon->netlinkfd, (struct sockaddr *)&addr, &slen) == -1)
    die(_("cannot create netlink socket: %s"), NULL, EC_MISC);
-   
+  
+  
  /* save pid assigned by bind() and retrieved by getsockname() */ 
  netlink_pid = addr.nl_pid;
  
  iov.iov_len = 100;
  iov.iov_base = safe_malloc(iov.iov_len);
+  
+  return NULL;
 }

-static ssize_t netlink_recv(void)
+static ssize_t netlink_recv(int flags)
 {
  struct msghdr msg;
  struct sockaddr_nl nladdr;
@@ -99,7 +111,8 @@ static ssize_t netlink_recv(void)
      msg.msg_iovlen = 1;
      msg.msg_flags = 0;
      
-      while ((rc = recvmsg(daemon->netlinkfd, &msg, MSG_PEEK | MSG_TRUNC)) == -1 && errno == EINTR);
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, flags | MSG_PEEK | MSG_TRUNC)) == -1 &&
+	     errno == EINTR);
      
      /* make buffer big enough */
      if (rc != -1 && (msg.msg_flags & MSG_TRUNC))
@@ -116,7 +129,7 @@ static ssize_t netlink_recv(void)

      /* read it for real */
      msg.msg_flags = 0;
-      while ((rc = recvmsg(daemon->netlinkfd, &msg, 0)) == -1 && errno == EINTR);
+      while ((rc = recvmsg(daemon->netlinkfd, &msg, flags)) == -1 && errno == EINTR);
      
      /* Make sure this is from the kernel */
      if (rc == -1 || nladdr.nl_pid == 0)
@@ -135,26 +148,28 @@ static ssize_t netlink_recv(void)
  

 /* family = AF_UNSPEC finds ARP table entries.
-   family = AF_LOCAL finds MAC addresses. */
-int iface_enumerate(int family, void *parm, int (*callback)())
+   family = AF_LOCAL finds MAC addresses.
+   returns 0 on failure, 1 on success, -1 when restart is required
+*/
+int iface_enumerate(int family, void *parm, callback_t callback)
 {
  struct sockaddr_nl addr;
  struct nlmsghdr *h;
  ssize_t len;
  static unsigned int seq = 0;
  int callback_ok = 1;
+  unsigned state = 0;

  struct {
    struct nlmsghdr nlh;
    struct rtgenmsg g; 
  } req;

+  memset(&req, 0, sizeof(req));
+  memset(&addr, 0, sizeof(addr));
+
  addr.nl_family = AF_NETLINK;
-  addr.nl_pad = 0;
-  addr.nl_groups = 0;
-  addr.nl_pid = 0; /* address to kernel */
 
- again: 
  if (family == AF_UNSPEC)
    req.nlh.nlmsg_type = RTM_GETNEIGH;
  else if (family == AF_LOCAL)
@@ -177,12 +192,12 @@ int iface_enumerate(int family, void *parm, int (*callback)())
    
  while (1)
    {
-      if ((len = netlink_recv()) == -1)
+      if ((len = netlink_recv(0)) == -1)
 	{
 	  if (errno == ENOBUFS)
 	    {
-	      sleep(1);
-	      goto again;
+	      nl_multicast_state(state);
+	      return -1;
 	    }
 	  return 0;
 	}
@@ -191,7 +206,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
 	  {
 	    /* May be multicast arriving async */
-	    nl_async(h);
+	    state = nl_async(h, state);
 	  }
 	else if (h->nlmsg_seq != seq)
 	  {
@@ -232,10 +247,9 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		      }
 		    
 		    if (addr.s_addr && callback_ok)
-		      if (!((*callback)(addr, ifa->ifa_index, label,  netmask, broadcast, parm)))
+		      if (!callback.af_inet(addr, ifa->ifa_index, label,  netmask, broadcast, parm))
 			callback_ok = 0;
 		  }
-#ifdef HAVE_IPV6
 		else if (ifa->ifa_family == AF_INET6)
 		  {
 		    struct in6_addr *addrp = NULL;
@@ -244,7 +258,16 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		    
 		    while (RTA_OK(rta, len1))
 		      {
-			if (rta->rta_type == IFA_ADDRESS)
+			/*
+			 * Important comment: (from if_addr.h)
+			 * IFA_ADDRESS is prefix address, rather than local interface address.
+			 * It makes no difference for normally configured broadcast interfaces,
+			 * but for point-to-point IFA_ADDRESS is DESTINATION address,
+			 * local address is supplied in IFA_LOCAL attribute.
+			 */
+			if (rta->rta_type == IFA_LOCAL)
+			  addrp = ((struct in6_addr *)(rta+1));
+			else if (rta->rta_type == IFA_ADDRESS && !addrp)
 			  addrp = ((struct in6_addr *)(rta+1)); 
 			else if (rta->rta_type == IFA_CACHEINFO)
 			  {
@@ -265,12 +288,11 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		      flags |= IFACE_PERMANENT;
    		    
 		    if (addrp && callback_ok)
-		      if (!((*callback)(addrp, (int)(ifa->ifa_prefixlen), (int)(ifa->ifa_scope), 
+		      if (!callback.af_inet6(addrp, (int)(ifa->ifa_prefixlen), (int)(ifa->ifa_scope), 
 					(int)(ifa->ifa_index), flags, 
-					(int) preferred, (int)valid, parm)))
+					(unsigned int)preferred, (unsigned int)valid, parm))
 			callback_ok = 0;
 		  }
-#endif
 	      }
 	  }
 	else if (h->nlmsg_type == RTM_NEWNEIGH && family == AF_UNSPEC)
@@ -296,7 +318,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())

 	    if (!(neigh->ndm_state & (NUD_NOARP | NUD_INCOMPLETE | NUD_FAILED)) &&
 		inaddr && mac && callback_ok)
-	      if (!((*callback)(neigh->ndm_family, inaddr, mac, maclen, parm)))
+	      if (!callback.af_unspec(neigh->ndm_family, inaddr, mac, maclen, parm))
 		callback_ok = 0;
 	  }
 #ifdef HAVE_DHCP6
@@ -320,33 +342,35 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      }

 	    if (mac && callback_ok && !((link->ifi_flags & (IFF_LOOPBACK | IFF_POINTOPOINT))) && 
-		!((*callback)((int)link->ifi_index, (unsigned int)link->ifi_type, mac, maclen, parm)))
+		!callback.af_local((int)link->ifi_index, (unsigned int)link->ifi_type, mac, maclen, parm))
 	      callback_ok = 0;
 	  }
 #endif
    }
 }

-void netlink_multicast(void)
+static void nl_multicast_state(unsigned state)
 {
  ssize_t len;
  struct nlmsghdr *h;
-  int flags;
+
+  do {
+    /* don't risk blocking reading netlink messages here. */
+    while ((len = netlink_recv(MSG_DONTWAIT)) != -1)
  
-  /* don't risk blocking reading netlink messages here. */
-  if ((flags = fcntl(daemon->netlinkfd, F_GETFL)) == -1 ||
-      fcntl(daemon->netlinkfd, F_SETFL, flags | O_NONBLOCK) == -1) 
-    return;
-  
-  if ((len = netlink_recv()) != -1)
-    for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
-      nl_async(h);
-  
-  /* restore non-blocking status */
-  fcntl(daemon->netlinkfd, F_SETFL, flags);
+      for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
+	state = nl_async(h, state);
+  } while (errno == ENOBUFS);
 }

-static void nl_async(struct nlmsghdr *h)
+void netlink_multicast(void)
+{
+  unsigned state = 0;
+  nl_multicast_state(state);
+}
+
+
+static unsigned nl_async(struct nlmsghdr *h, unsigned state)
 {
  if (h->nlmsg_type == NLMSG_ERROR)
    {
@@ -354,7 +378,8 @@ static void nl_async(struct nlmsghdr *h)
      if (err->error != 0)
 	my_syslog(LOG_ERR, _("netlink returns error: %s"), strerror(-(err->error)));
    }
-  else if (h->nlmsg_pid == 0 && h->nlmsg_type == RTM_NEWROUTE) 
+  else if (h->nlmsg_pid == 0 && h->nlmsg_type == RTM_NEWROUTE &&
+	   (state & STATE_NEWROUTE)==0)
    {
      /* We arrange to receive netlink multicast messages whenever the network route is added.
 	 If this happens and we still have a DNS packet in the buffer, we re-send it.
@@ -363,12 +388,20 @@ static void nl_async(struct nlmsghdr *h)
 	 failing. */ 
      struct rtmsg *rtm = NLMSG_DATA(h);
      
-      if (rtm->rtm_type == RTN_UNICAST && rtm->rtm_scope == RT_SCOPE_LINK)
-	queue_event(EVENT_NEWROUTE);
+      if (rtm->rtm_type == RTN_UNICAST && rtm->rtm_scope == RT_SCOPE_LINK &&
+	  (rtm->rtm_table == RT_TABLE_MAIN ||
+	   rtm->rtm_table == RT_TABLE_LOCAL))
+	{
+	  queue_event(EVENT_NEWROUTE);
+	  state |= STATE_NEWROUTE;
+	}
    }
-  else if (h->nlmsg_type == RTM_NEWADDR || h->nlmsg_type == RTM_DELADDR) 
-    queue_event(EVENT_NEWADDR);
+  else if ((h->nlmsg_type == RTM_NEWADDR || h->nlmsg_type == RTM_DELADDR) &&
+	   (state & STATE_NEWADDR)==0)
+    {
+      queue_event(EVENT_NEWADDR);
+      state |= STATE_NEWADDR;
+    }
+  return state;
 }
-#endif
-
-      
+#endif /* HAVE_LINUX_NETWORK */
--- a/src/network.c
+++ b/src/network.c
--- a/Show More
+++ b/Show More