Close debian bug.

Thanks to Dominik Derigs for an earlier patch which inspired this.

.gitignore

@@ -7,8 +7,15 @@ src/.copts_*
 contrib/lease-tools/dhcp_lease_time
 contrib/lease-tools/dhcp_release
 contrib/lease-tools/dhcp_release6
+debian/.debhelper
+debian/auto-build
+debian/debhelper-build-stamp
 debian/files
-debian/substvars
-debian/utils-substvars
-debian/trees/
-debian/build/
+debian/*.substvars
+debian/*.debhelper
+debian/*.log
+debian/dnsmasq-base-lua/
+debian/dnsmasq-base/
+debian/dnsmasq-utils/
+debian/dnsmasq/
+debian/tmp

CHANGELOG

@@ -1,3 +1,393 @@
+version 2.90
+	Fix reversion in --rev-server introduced in 2.88 which
+	caused breakage if the prefix length is not exactly divisible
+	by 8 (IPv4) or 4 (IPv6).
+
+	Fix possible SEGV when there server(s) for a particular
+	domain are configured, but no server which is not qualified
+	for a particular domain. Thanks to Daniel Danzberger for
+	spotting this bug.
+
+	Set the default maximum DNS UDP packet sice to 1232. This
+	has been the recommended value since 2020 because it's the
+	largest value that avoid fragmentation, and fragmentation
+	is just not reliable on the modern internet, especially
+	for IPv6. It's still possible to override this with
+	--edns-packet-max for special circumstances.
+
+	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
+	better control over which inetrfaces are providing DHCP service.
+
+	Fix issue with stale caching: After replying with stale data,
+	dnsmasq sends the query upstream to refresh the cache asynchronously
+	and sometimes sends the wrong packet: packet length can be wrong,
+	and if an EDE marking stale data is added to the answer that can
+	end up in the query also. This bug only seems to cause problems
+	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
+	for the bug report.
+
+	Add configurable caching for arbitrary RR-types.
+
+	Add --filter-rr option, to filter arbitrary RR-types.
+	--filter-rr=ANY has a special meaning: it filters the
+	answers to queries for the ANY RR-type.
+	
+	
+version 2.89
+        Fix bug introduced in 2.88 (commit fe91134b) which can result
+	in corruption of the DNS cache internal data structures and
+	logging of "cache internal error". This has only been seen
+	in one place in the wild, and it took considerable effort
+	to even generate a test case to reproduce it, but there's
+	no way to be sure it won't strike, and the effect is to break
+	the cache badly. Installations with DNSSEC enabled are more
+	likely to see the problem, but not running DNSSEC does not
+	guarantee that it won't happen. Thanks to Timo van Roermund
+	for reporting the bug and for his great efforts in chasing
+	it down.
+
+
+version 2.88
+	Fix bug in --dynamic-host when an interface has /16 IPv4
+  	address. Thanks to Mark Dietzer for spotting this.
+
+	Add --fast-dns-retry option. This gives dnsmasq the ability
+	to originate retries for upstream DNS queries itself, rather
+	than relying on the downstream client. This is most useful
+	when doing DNSSEC over unreliable upstream networks. It comes
+	with some cost in memory usage and network bandwidth.
+
+	Add --use-stale-cache option. When set, if a DNS name exists
+	in the cache, but its time-to-live has expired, dnsmasq will
+	return the data anyway. (It attempts to refresh the
+	data with an upstream query after returning the stale data.)
+	This can improve speed and reliability. It comes
+	at the expense of sometimes returning out-of-date data and
+	less efficient cache utilisation, since old data cannot be
+	flushed when its TTL expires, so the cache becomes
+	strictly least-recently-used.
+
+	Add --port-limit option which allows tuning for robustness in
+	the face of some upstream network errors. Thanks to
+	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
+	all of Amazon Web Services, for their efforts in developing this
+	and the stale-cache and fast-retry options.
+
+	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
+	handle removal of whole files or entries within files.
+	Thanks to Dominik Derigs for the initial patches for this.
+
+	Fix bug, introduced in 2.87, which could result in DNS
+	servers being removed from the configuration when reloading
+	server configuration from DBus, or re-reading /etc/resolv.conf
+	Only servers from the same source should be replaced, but some
+	servers from other sources (i.e., hard coded or another dynamic source)
+	could mysteriously disappear. Thanks to all reporting this,
+	but especially Christopher J. Madsen who reduced the problem
+	to an easily reproducible case which saved much labour in
+	finding it.
+
+	Add --no-round-robin option.
+
+	Allow domain names as well as IP addresses when specifying
+	upstream DNS servers. There are some gotchas associated with this
+	(it will mysteriously fail to work if the dnsmasq instance
+	being started is in the path from the system resolver to the DNS),
+	and a seemingly sensible configuration like
+	--server=domain.name@1.2.3.4 is unactionable if domain.name
+	only resolves to an IPv6 address). There are, however,
+	cases where is can be useful. Thanks to Dominik Derigs for
+	the patch.
+
+	Handle DS records for unsupported crypto algorithms correctly.
+	Such a DS, as long as it is validated, should allow answers
+	in the domain it attests to be returned as unvalidated, and not
+	as a validation error.
+
+	Optimise reading large numbers of --server options. When re-reading
+	upstream servers from /etc/resolv.conf or other sources that
+	can change dnsmasq tries to avoid memory fragmentation by re-using
+	existing records that are being re-read unchanged. This involves
+	seaching all the server records for each new one installed.
+	During startup this search is pointless, and can cause long
+	start times with thousands of --server options because the work
+	needed is O(n^2). Handle this case more intelligently.
+	Thanks to Ye Zhou for spotting the problem and an initial patch.
+	
+	If we detect that a DNS reply from upstream is malformed don't
+	return it to the requestor; send a SEVFAIL rcode instead.
+
+	
+version 2.87
+        Allow arbitrary prefix lengths in --rev-server and
+	--domain=....,local
+
+	Replace --address=/#/..... functionality which got
+	missed in the 2.86 domain search rewrite.
+
+	Add --nftset option, like --ipset but for the newer nftables.
+	Thanks to Chen Zhenge for the patch.
+	
+	Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
+	addresses from DNS answers.
+
+	Fix crash doing netbooting when --port is set to zero
+	to disable the DNS server. Thanks to Drexl Johannes
+	for the bug report.
+
+	Generalise --dhcp-relay. Sending via broadcast/multicast is
+	now supported for both IPv4 and IPv6 and the configuration
+	syntax made easier (but backwards compatible).
+	
+	Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
+
+	Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
+	as hex, the pattern must consist of only hex digits AND contain
+	at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
+	over a pattern consisting of a decimal number which was interpreted
+	surprisingly.
+
+	Include client address in TFTP file-not-found error reports.
+	Thanks to Stefan Rink for the initial patch, which has been
+	re-worked by me (srk). All bugs mine.
+
+	Note in manpage the change in behaviour of -address. This behaviour
+	actually changed in v2.86, but was undocumented there. From 2.86 on,
+	(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
+	types of query will be sent upstream. Pre 2.86, that would catch the
+	whole example.com domain and queries for other types would get
+	a local NODATA answer. The pre-2.86 behaviour is still available,
+	by configuring --address=/example.com/1.2.3.4 --local=/example.com/
+
+        Fix problem with binding DHCP sockets to an individual interface.
+	Despite the fact that the system call tales the interface _name_ as
+	a parameter, it actually, binds the socket to interface _index_.
+	Deleting the interface and creating a new one with the same name
+	leaves the socket bound to the old index. (Creating new sockets
+	always allocates a fresh index, they are not reused). We now
+	take this behaviour into account and keep up with changing indexes.
+
+	Add --conf-script configuration option.
+
+	Enhance --domain to accept, for instance,
+	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
+	which relects the interface they are attached to in a way which
+	doesn't require hard-coding addresses. Thanks to Sten Spans for
+	the idea.
+
+	Fix write-after-free error in DHCPv6 server code.
+	CVE-2022-0934 refers.
+	
+	Add the ability to specify destination port in
+	DHCP-relay mode. This change also removes a previous bug
+	where --dhcp-alternate-port would affect the port used
+	to relay _to_ as well as the port being listened on.
+	The new feature allows configuration to provide bug-for-bug
+	compatibility, if required. Thanks to Damian Kaczkowski 
+	for the feature suggestion.
+
+	Bound the value of UDP packet size in the EDNS0 header of
+	forwarded queries to the configured or default value of
+	edns-packet-max. There's no point letting a client set a larger
+	value if we're unable to return the answer. Thanks to Bertie
+	Taylor for pointing out the problem and supplying the patch.
+	
+	Fix problem with the configuration
+	
+	--server=/some.domain/# --address=/#/<ip> --server=<server_ip>
+
+	This would return <ip> for queries in some.domain, rather than
+	forwarding the query via the default server.
+
+	Tweak DHCPv6 relay code so that packets relayed towards a server
+	have source address on the server-facing network, not the
+	client facing network. Thanks to Luis Thomas for spotting this
+	and initial patch.
+
+
+version 2.86
+	Handle DHCPREBIND requests in the DHCPv6 server code.
+	Thanks to Aichun Li for spotting this omission, and the initial
+	patch.
+
+	Fix bug which caused dnsmasq to lose track of processes forked
+	to handle TCP DNS connections under heavy load. The code
+	checked that at least one free process table slot was
+	available before listening on TCP sockets, but didn't take
+	into account that more than one TCP connection could
+	arrive, so that check was not sufficient to ensure that
+	there would be slots for all new processes. It compounded
+	this error by silently failing to store the process when
+	it did run out of slots. Even when this bug is triggered,
+	all the right things happen, and answers are still returned.
+	Only under very exceptional circumstances, does the bug
+	manifest itself: see
+	https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
+	Thanks to Tijs Van Buggenhout for finding the conditions under
+	which the bug manifests itself, and then working out
+	exactly what was going on.
+
+	Major rewrite of the DNS server and domain handling code.
+	This should be largely transparent, but it drastically
+	improves performance and reduces memory foot-print when
+	configuring large numbers domains of the form
+	local=/adserver.com/
+	or
+	local=/adserver.com/#
+	Lookup times now grow as log-to-base-2 of the number of domains,
+	rather than greater than linearly, as before.
+	The change makes multiple addresses associated with a domain work
+	address=/example.com/1.2.3.4
+	address=/example.com/5.6.7.8
+	It also handles multiple upstream servers for a domain better; using
+	the same try/retry algorithms as non domain-specific servers. This
+	also applies to DNSSEC-generated queries.
+	Finally, some of the oldest and gnarliest code in dnsmasq has had
+	a significant clean-up. It's far from perfect, but it _is_ better.
+
+	Revise resource handling for number of concurrent DNS queries. This
+	used to have a global limit, but that has a problem when using
+	different servers for different upstream domains. Queries which are
+	routed by domain to an upstream server which is not responding will
+	build up and trigger the limit, which breaks DNS service for
+	all other domains which could be handled by other servers. The
+	change is to make the limit per server-group, where a server group
+	is the set of servers configured for a particular domain. In the
+	common case, where only default servers are declared, there is
+	no effective change.
+
+	Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
+	used to be when it entered the cache, having been validated. After
+	that queries requiring the KEY or DS records would share the cached
+	values. There is a common case in dual-stack hosts that queries for
+	A and AAAA records for the same domain are made simultaneously.
+	If required keys were not in the cache, this would result in two
+	requests being sent upstream for the same key data (and all the
+	subsequent chain-of-trust queries.) Now we combine these requests
+	and elide the duplicates, resulting in fewer queries upstream
+	and better performance. To keep a better handle on what's
+	going on, the "extra" logging mode has been modified to associate
+	queries and answers  for DNSSEC queries in the same way as ordinary
+	queries. The requesting address and port have been removed from
+	DNSSEC logging lines, since this is no longer strictly defined.
+
+	Connection track mark based DNS query filtering. Thanks to
+	Etan Kissling for implementing this It extends query filtering
+	support beyond what is currently possible
+	with the `--ipset` configuration option, by adding support for:
+	1) Specifying allowlists on a per-client basis, based on their
+	   associated Linux connection track mark.
+	2) Dynamic configuration of allowlists via Ubus.
+	3) Reporting when a DNS query resolves or is rejected via Ubus.
+	4) DNS name patterns containing wildcards.
+	Disallowed queries are not forwarded; they are rejected
+	with a REFUSED error code.
+
+	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
+	--synth-domain=1234:4567::/56,example.com is now valid.
+
+	Make domains generated by --synth-domain appear in replies
+	when in authoritative mode.
+
+	Ensure CAP_NET_ADMIN capability is available when
+	conntrack is configured. Thanks to Yick Xie for spotting
+	the lack of this.
+
+	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
+	given a directory as argument, define the order in which
+	files within that directory are read (alphabetical order
+	of filename). Thanks to Ed Wildgoose for the initial patch
+	and motivation for this.
+
+	Allow adding IP address to nftables set in addition to
+	ipset.
+
+	
+version 2.85
+        Fix problem with DNS retries in 2.83/2.84.
+        The new logic in 2.83/2.84 which merges distinct requests
+	for the same domain causes problems with clients which do
+	retries as distinct requests (differing IDs and/or source ports.)
+	The retries just get piggy-backed on the first, failed, request.
+        The logic is now changed so that distinct requests for repeated
+        queries still get merged into a single ID/source port, but
+	they now always trigger a re-try upstream.
+        Thanks to Nicholas Mu for his analysis.
+
+	Tweak sort order of tags in get-version. v2.84 sorts
+	before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
+	sorts before v2.83test1. This fixes the problem which lead
+	to 2.84 announcing itself as 2.84rc2.
+
+ 	Avoid treating a --dhcp-host which has an IPv6 address
+	as eligible for use with DHCPv4 on the grounds that it has
+	no address, and vice-versa. Thanks to Viktor Papp for
+	spotting the problem. (This bug was fixed was back in 2.67, and
+	then regressed in 2.81).
+
+	Add --dynamic-host option: A and AAAA records which take their
+	network part from the network of a local interface. Useful
+	for routers with dynamically prefixes. Thanks
+	to Fred F for the suggestion.
+
+	Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.
+
+	Use random source ports where possible if source
+	addresses/interfaces in use.
+	CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
+	It's possible to specify the source address or interface to be
+	used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
+	or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
+	these have, until now, used a single socket, bound to a fixed
+	port. This was originally done to allow an error (non-existent
+	interface, or non-local address) to be detected at start-up. This
+	means that any upstream servers specified in such a way don't use
+	random source ports, and are more susceptible to cache-poisoning
+	attacks.
+	We now use random ports where possible, even when the
+	source is specified, so server=8.8.8.8@1.2.3.4 or
+	server=8.8.8.8@eth0 will use random source
+	ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
+	use the explicitly configured port, and should only be done with
+	understanding of the security implications.
+	Note that this change changes non-existing interface, or non-local
+	source address errors from fatal to run-time. The error will be
+	logged and communication with the server not possible.
+
+	Change the method of allocation of random source ports for DNS.
+	Previously, without min-port or max-port configured, dnsmasq would
+	default to the compiled in defaults for those, which are 1024 and
+	65535. Now, when neither are configured, it defaults instead to
+	the kernel's ephemeral port range, which is typically
+	32768 to 60999 on Linux systems. This change eliminates the
+	possibility that dnsmasq may be using a registered port > 1024
+	when a long-running daemon starts up and wishes to claim it.
+	This change does likely slightly reduce the number of random ports
+	and therefore the protection from reply spoofing. The older
+	behaviour can be restored using the min-port and max-port config
+	switches should that be a concern.
+
+	Scale the size of the DNS random-port pool based on the
+	value of the --dns-forward-max configuration.
+
+	Tweak TFTP code to check sender of all received packets, as
+	specified in RFC 1350 para 4.
+
+	Support some wildcard matching of input tags to --tag-if.
+	Thanks to Geoff Back for the idea and the patch.
+
+	
+version 2.84
+	Fix a problem, introduced in 2.83, which could see DNS replies
+	being sent via the wrong socket. On machines running both
+	IPv4 and IPv6 this could result in sporadic messages of
+	the form "failed to send packet: Network is unreachable" and
+	the lost of the query. Since the error is sporadic and of
+	low probability, the client retry would normally succeed.
+
+	Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
+
+
 version 2.83
 	Use the values of --min-port and --max-port in outgoing
 	TCP connections to upstream DNS servers.
@@ -19,13 +409,13 @@ version 2.83
 
 	Handle multiple identical near simultaneous DNS queries better.
 	Previously, such queries would all be forwarded
-	independently. This is, in theory, inefficent but in practise
+	independently. This is, in theory, inefficient but in practise
 	not a problem, _except_ that is means that an answer for any
 	of the forwarded queries will be accepted and cached.
 	An attacker can send a query multiple times, and for each repeat,
 	another {port, ID} becomes capable of accepting the answer he is
 	sending in the blind, to random IDs and ports. The chance of a
-	succesful attack is therefore multiplied by the number of repeats
+	successful attack is therefore multiplied by the number of repeats
 	of the query. The new behaviour detects repeated queries and
 	merely stores the clients sending repeats so that when the
 	first query completes, the answer can be sent to all the

COPYING

@@ -1,12 +1,12 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,9 +277,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -291,7 +291,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
+    Copyright (C) <year>  <name of author>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -303,17 +303,16 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision version 69, Copyright (C) year name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
@@ -336,5 +335,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

FAQ

@@ -236,7 +236,7 @@ Q: What network types are supported by the DHCP server?
 A: Ethernet (and 802.11 wireless) are supported on all platforms. On
    Linux all network types (including FireWire) are supported.
 
-Q: What are these strange "bind-interface" and "bind-dynamic" options?
+Q: What are these strange "bind-interfaces" and "bind-dynamic" options?
 
 A: Dnsmasq from v2.63 can operate in one of three different "networking
    modes". This is unfortunate as it requires users configuring dnsmasq

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -29,6 +29,7 @@ LDFLAGS       =
 COPTS         = 
 RPM_OPT_FLAGS = 
 LIBS          = 
+LUA           = lua
 
 #################################################################
 
@@ -60,15 +61,19 @@ idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFI
 idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
 ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
-lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
-lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` 
 nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
+                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
                                                         HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
 nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
+                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \
                                                         HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
-version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+nft_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` 
+nft_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables`
+version =       -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
 sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
 sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
@@ -77,10 +82,10 @@ copts_conf = .copts_$(sum)
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
+       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
        poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
-       metrics.o hash_questions.o
+       metrics.o hash-questions.o domain-match.o nftset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h metrics.h
@@ -88,8 +93,8 @@ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
 all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \
  -f $(top)/Makefile dnsmasq 
 
 mostly_clean :
@@ -113,8 +118,8 @@ all-i18n : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
  i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)"  \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)"  \
  -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \

bld/Android.mk

@@ -11,7 +11,8 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
 		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
-		    crypto.c dump.c ubus.c metrics.c hash_questions.c
+		    crypto.c dump.c ubus.c metrics.c hash-questions.c \
+                    domain-match.c
 
 LOCAL_MODULE := dnsmasq
 

bld/get-version

@@ -9,7 +9,10 @@
 # If we can find one which matches $v[0-9].* then we assume it's
 # a version-number tag, else we just use the whole string.
 # If there is more than one v[0-9].* tag, sort them and use the
-# first. This favours, eg v2.63 over 2.63rc6.
+# first. The insane arguments to the sort command are to ensure
+# that, eg v2.64 comes before v2.63, but v2.63 comes before v2.63rc1
+# and v2.63rc1 comes before v2.63test1
+
 
 # Change directory to the toplevel source directory.
 if test -z "$1" || ! test -d "$1" || ! cd "$1"; then
@@ -28,7 +31,7 @@ else
      vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]`
 
      if [ $? -eq 0 ]; then
-         echo "${vers}" | sort -r | head -n 1 | sed 's/^v//'
+         echo "${vers}" | sort -k1.2,1.5Vr -k1.6,1.6 -k1.8,1.9Vr -k1.10,1.11Vr | head -n 1 | sed 's/^v//'
      else
          cat $1/VERSION
      fi

contrib/Suse/README

@@ -1,6 +0,0 @@
-This packaging is now unmaintained in the dnsmasq source: dnsmasq is
-included in Suse proper, and up-to-date packages are now available
-from 
-
-ftp://ftp.suse.com/pub/people/ug/
-

contrib/Suse/README.susefirewall

@@ -1,27 +0,0 @@
-This is a patch against SuSEfirewall2-3.1-206 (SuSE 9.x and older)
-It fixes the dependency from the dns daemon name 'named'
-After appending the patch, the SuSEfirewall is again able to autodetect 
-the dnsmasq named service.
-This is a very old bug in the SuSEfirewall script.
-The SuSE people think the name of the dns server will always 'named'
-
-
---- /sbin/SuSEfirewall2.orig	2004-01-23 13:30:09.000000000 +0100
-+++ /sbin/SuSEfirewall2	2004-01-23 13:31:56.000000000 +0100
-@@ -764,7 +764,7 @@
-     echo 'FW_ALLOW_INCOMING_HIGHPORTS_UDP should be set to yes, if you are running a DNS server!'
- 
- test "$FW_SERVICE_AUTODETECT" = yes -o "$FW_SERVICE_AUTODETECT" = dmz -o "$FW_SERVICE_AUTODETECT" = ext && {
--    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv named && {
-+    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv dnsmasq && {
- 	echo -e 'Warning: detected activated named, enabling FW_SERVICE_DNS!
- You still have to allow tcp/udp port 53 on internal, dmz and/or external.'
- 	FW_SERVICE_DNS=$FW_SERVICE_AUTODETECT
-@@ -878,7 +878,7 @@
- test -e /etc/resolv.conf || echo "Warning: /etc/resolv.conf not found"
- # Get ports/IP bindings of NAMED/SQUID
- test "$FW_SERVICE_DNS" = yes -o "$FW_SERVICE_DNS" = dmz -o "$FW_SERVICE_DNS" = ext -o "$START_NAMED" = yes && DNS_PORT=`$LSOF -i -n -P | \
--    $AWK -F: '/^named .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
-+    $AWK -F: '/^dnsmasq .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
- test "$FW_SERVICE_SQUID" = yes -o "$FW_SERVICE_SQUID" = dmz -o "$FW_SERVICE_SQUID" = ext -o "$START_SQUID" = yes && SQUID_PORT=`$LSOF -i -n -P | \
-     $AWK -F: '/^squid .* UDP/ {print $2}'| $SORT -un`

contrib/Suse/dnsmasq-SuSE.patch

@@ -1,23 +0,0 @@
---- man/dnsmasq.8	2004-08-08 20:57:56.000000000 +0200
-+++ man/dnsmasq.8	2004-08-12 00:40:01.000000000 +0200
-@@ -69,7 +69,7 @@
- .TP
- .B \-g, --group=<groupname> 
- Specify the group which dnsmasq will run
--as. The defaults to "dip", if available, to facilitate access to
-+as. The defaults to "dialout", if available, to facilitate access to
- /etc/ppp/resolv.conf which is not normally world readable.
- .TP
- .B \-v, --version
---- src/config.h	2004-08-11 11:39:18.000000000 +0200
-+++ src/config.h	2004-08-12 00:40:01.000000000 +0200
-@@ -44,7 +44,7 @@
- #endif
- #define DEFLEASE 3600 /* default lease time, 1 hour */
- #define CHUSER "nobody"
--#define CHGRP "dip"
-+#define CHGRP "dialout"
- #define DHCP_SERVER_PORT 67
- #define DHCP_CLIENT_PORT 68
- 
-

contrib/Suse/dnsmasq-suse.spec

@@ -1,111 +0,0 @@
-###############################################################################
-#
-# General
-#
-###############################################################################
-
-Name: dnsmasq
-Version: 2.33
-Release: 1
-Copyright: GPL
-Group: Productivity/Networking/DNS/Servers
-Vendor: Simon Kelley
-Packager: Simon Kelley
-URL: http://www.thekelleys.org.uk/dnsmasq
-Provides: dns_daemon
-Conflicts: bind bind8 bind9
-PreReq: %fillup_prereq %insserv_prereq
-Autoreqprov: on
-Source0: %{name}-%{version}.tar.bz2
-BuildRoot: /var/tmp/%{name}-%{version}
-Summary: A lightweight caching nameserver
-
-%description
-Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It 
-is designed to provide DNS and, optionally, DHCP, to a small network. It can
-serve the names of local machines which are not in the global DNS. The DHCP 
-server integrates with the DNS server and allows machines with DHCP-allocated
-addresses to appear in the DNS with names configured either in each host or 
-in a central configuration file. Dnsmasq supports static and dynamic DHCP 
-leases and BOOTP for network booting of diskless machines.
-
-
-
-###############################################################################
-#
-# Build
-#
-###############################################################################
-
-%prep
-%setup -q
-patch -p0 <rpm/%{name}-SuSE.patch
-
-%build
-%{?suse_update_config:%{suse_update_config -f}}
-make all-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-
-###############################################################################
-#
-# Install
-#
-###############################################################################
-
-%install
-rm -rf $RPM_BUILD_ROOT
-mkdir -p ${RPM_BUILD_ROOT}/etc/init.d
-make install-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-install -o root -g root -m 755 rpm/rc.dnsmasq-suse $RPM_BUILD_ROOT/etc/init.d/dnsmasq
-install -o root -g root -m 644 dnsmasq.conf.example $RPM_BUILD_ROOT/etc/dnsmasq.conf
-strip $RPM_BUILD_ROOT/usr/sbin/dnsmasq
-ln -sf ../../etc/init.d/dnsmasq $RPM_BUILD_ROOT/usr/sbin/rcdnsmasq
-
-###############################################################################
-#
-# Clean up
-#
-###############################################################################
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-###############################################################################
-#
-# Post-install scriptlet
-#
-###############################################################################
-
-%post
-%{fillup_and_insserv dnsmasq}
-
-###############################################################################
-#
-# Post-uninstall scriptlet
-#
-# The %postun script executes after the package has been removed. It is the
-# last chance for a package to clean up after itself.
-#
-###############################################################################
-
-%postun
-%{insserv_cleanup}
-
-###############################################################################
-#
-# File list
-#
-###############################################################################
-
-%files
-%defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html UPGRADING_to_2.0 rpm/README.susefirewall
-%doc contrib
-%config /etc/init.d/dnsmasq
-%config /etc/dnsmasq.conf
-/usr/sbin/rcdnsmasq
-/usr/sbin/dnsmasq
-/usr/share/locale/*/LC_MESSAGES/*
-%doc %{_mandir}/man8/dnsmasq.8.gz
-%doc %{_mandir}/*/man8/dnsmasq.8.gz
-
-

contrib/Suse/rc.dnsmasq-suse

@@ -1,79 +0,0 @@
-#! /bin/sh
-#
-# init.d/dnsmasq
-#
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:
-# Default-Start:  3 5
-# Default-Stop:
-# Description:    Starts internet name service masq caching server (DNS)
-### END INIT INFO
-
-NAMED_BIN=/usr/sbin/dnsmasq
-NAMED_PID=/var/run/dnsmasq.pid
-NAMED_CONF=/etc/dnsmasq.conf
-
-if [ ! -x $NAMED_BIN ] ; then
-	echo -n "dnsmasq not installed ! "
-	exit 5
-fi
-
-. /etc/rc.status
-rc_reset
-
-case "$1" in
-    start)
-	echo -n "Starting name service masq caching server "
-        checkproc -p $NAMED_PID $NAMED_BIN
-        if [ $? -eq 0 ] ; then
-           echo -n "- Warning: dnsmasq already running ! "
-        else
-           [ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists ! "
-	fi
-	startproc -p $NAMED_PID $NAMED_BIN -u nobody
-	rc_status -v
-	;;
-    stop)
-	echo -n "Shutting name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -TERM $NAMED_BIN
-	rc_status -v
-	;;
-    try-restart)
-	$0 stop  &&  $0 start
-	rc_status
-	;;
-    restart)
-	$0 stop
-	$0 start
-	rc_status
-	;;
-    force-reload)
-	$0 reload
-	rc_status
-	;;
-    reload)
-	echo -n "Reloading name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -HUP $NAMED_BIN
-	rc_status -v
-	;;
-    status)
-	echo -n "Checking for name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	rc_status -v
-	;;
-    probe)
-	test $NAMED_CONF -nt $NAMED_PID && echo reload
-	;;
-    *)
-	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-	exit 1
-	;;
-esac
-rc_exit
-

contrib/lease-tools/dhcp_lease_time.c

@@ -153,7 +153,11 @@ int main(int argc, char **argv)
       exit(1);
     }
  
-  lease.s_addr = inet_addr(argv[1]);
+  if (inet_pton(AF_INET, argv[1], &lease) < 1)
+    {
+      fprintf(stderr, "invalid address: %s\n", argv[1]);
+      exit(1);
+    }
    
   memset(&packet, 0, sizeof(packet));
  
@@ -176,8 +180,8 @@ int main(int argc, char **argv)
   
   *(p++) = OPTION_END;
  
-  dest.sin_family = AF_INET; 
-  dest.sin_addr.s_addr = inet_addr("127.0.0.1");
+  dest.sin_family = AF_INET;
+  (void)inet_pton(AF_INET, "127.0.0.1", &dest.sin_addr);
   dest.sin_port = ntohs(DHCP_SERVER_PORT);
   
   if (sendto(fd, &packet, sizeof(packet), 0, 

contrib/lease-tools/dhcp_release.c

@@ -280,6 +280,7 @@ int main(int argc, char **argv)
   
   /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
      a DHCP server */
+  memset(&ifr, 0, sizeof(ifr));
   strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name)-1);
   ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
   if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
@@ -288,13 +289,12 @@ int main(int argc, char **argv)
       exit(1);
     }
   
-  if (inet_addr(argv[2]) == INADDR_NONE)
+  if (inet_pton(AF_INET, argv[2], &lease.s_addr) < 1)
     {
       perror("invalid ip address");
       exit(1);
     }
   
-  lease.s_addr = inet_addr(argv[2]);
   server = find_interface(lease, nl, if_nametoindex(argv[1]), fd, &ifr);
   
   memset(&packet, 0, sizeof(packet));

contrib/lease-tools/dhcp_release6.c

@@ -318,6 +318,12 @@ void usage(const char* arg, FILE* stream)
   fprintf (stream, "Usage: %s %s\n", arg, usage_string);   
 }
 
+static void fail_fatal(const char *errstr, int exitcode)
+{
+  perror(errstr);
+  exit(exitcode);
+}
+
 int send_release_packet(const char* iface, struct dhcp6_packet* packet)
 {
   struct sockaddr_in6 server_addr, client_addr;
@@ -343,18 +349,19 @@ int send_release_packet(const char* iface, struct dhcp6_packet* packet)
     client_addr.sin6_port = htons(DHCP6_CLIENT_PORT);
     client_addr.sin6_flowinfo = 0;
     client_addr.sin6_scope_id =0;
-    inet_pton(AF_INET6, "::", &client_addr.sin6_addr);
-    bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6));
-    inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr);
+    if (inet_pton(AF_INET6, "::", &client_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
+    if (bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6)) != 0)
+      perror("bind"); /* continue on bind error */
+    if (inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
     server_addr.sin6_port = htons(DHCP6_SERVER_PORT);
-    int16_t recv_size = 0;
+    ssize_t recv_size = 0;
+    int result;
     for (i = 0; i < 5; i++)
       {
         if (sendto(sock, packet->buf, packet->len, 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
-	  {
-	    perror("sendto failed");
-            exit(4);
-	  }
+	  fail_fatal("sendto failed", 4);
 	
         recv_size = recvfrom(sock, response, sizeof(response), MSG_DONTWAIT, NULL, 0);
         if (recv_size == -1)
@@ -367,16 +374,18 @@ int send_release_packet(const char* iface, struct dhcp6_packet* packet)
 	    else
 	      {
                 perror("recvfrom");
+		result = UNSPEC_FAIL;
 	      }
 	  }
-	
-        int16_t result = parse_packet(response, recv_size);
-        if (result == NOT_REPLY_CODE)
+	else
 	  {
-            sleep(1);
-            continue;
+	    result = parse_packet(response, recv_size);
+	    if (result == NOT_REPLY_CODE)
+	      {
+		sleep(1);
+		continue;
+	      }
 	  }
-
         close(sock);
         return result;
       }

dbus/DBus-interface

@@ -44,10 +44,22 @@ SetFilterWin2KOption
 --------------------
 Takes boolean, sets or resets the --filterwin2k option.
 
+SetFilterA
+------------------------
+Takes boolean, sets or resets the --filter-A option.
+
+SetFilterAAAA
+------------------------
+Takes boolean, sets or resets the --filter-AAAA option.
+
 SetBogusPrivOption
 ------------------
 Takes boolean, sets or resets the --bogus-priv option.
 
+SetLocaliseQueriesOption
+------------------------
+Takes boolean, sets or resets the --localise-queries option.
+
 SetServers
 ----------
 Returns nothing. Takes a set of arguments representing the new
@@ -248,6 +260,15 @@ GetMetrics
 
 Returns an array with various metrics for DNS and DHCP.
 
+GetServerMetrics
+----------------
+
+Returns per-DNS-server metrics.
+
+ClearMetrics
+------------
+
+Clear call metric counters, global and per-server.
 
 2. SIGNALS
 ----------

debian/conffiles

@@ -1,5 +0,0 @@
-/etc/init.d/dnsmasq
-/etc/default/dnsmasq
-/etc/dnsmasq.conf
-/etc/resolvconf/update.d/dnsmasq
-/etc/insserv.conf.d/dnsmasq

debian/control

@@ -1,64 +1,66 @@
 Source: dnsmasq
 Section: net
 Priority: optional
-Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+Build-Depends: dh-exec, gettext, libnetfilter-conntrack-dev [linux-any],
+               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev,
                nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
-	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
-               pkg-config
+	       liblua5.4-dev, dh-runit, debhelper-compat (= 13),
+               pkg-config, libnftables-dev
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
-Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git
-Vcs-Browser: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
-Standards-Version: 3.9.8
+Homepage: https://www.thekelleys.org.uk/dnsmasq/doc.html
+Vcs-Git: https://thekelleys.org.uk/git/dnsmasq.git
+Vcs-Browser: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
 
 Package: dnsmasq
 Architecture: all
+Pre-Depends: ${misc:Pre-Depends}
 Depends: netbase, dnsmasq-base,
-         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6), ${misc:Depends}
+         ${misc:Depends}
 Suggests: resolvconf
 Breaks: ${runit:Breaks}
 Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - system daemon
  Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
- server. It is designed to provide DNS and optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
+ server. It is designed to provide DNS and optionally, DHCP, to a
+ small network. It can serve the names of local machines which are
+ not in the global DNS. The DHCP server integrates with the DNS
  server and allows machines with DHCP-allocated addresses
  to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
+ in a central configuration file. Dnsmasq supports static and dynamic
  DHCP leases and BOOTP/TFTP for network booting of diskless machines.
 
 Package: dnsmasq-base
 Architecture: any
-Depends: adduser, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Breaks: dnsmasq (<< 2.63-1~)
 Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
 Recommends: dns-root-data
 Provides: dnsmasq-base
 Conflicts: dnsmasq-base-lua
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - executable
  This package contains the dnsmasq executable and documentation, but
  not the infrastructure required to run it as a system daemon. For
  that, install the dnsmasq package.
 
 Package: dnsmasq-base-lua
 Architecture: any
-Depends: adduser, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Breaks: dnsmasq (<< 2.63-1~)
 Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
 Recommends: dns-root-data
 Provides: dnsmasq-base
 Conflicts: dnsmasq-base
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - executable, Lua-enabled
  This package contains the dnsmasq executable and documentation, but
  not the infrastructure required to run it as a system daemon. For
  that, install the dnsmasq package. This package is an alternative
- to dnsmasq-base which includes the LUA interpreter.
- 
+ to dnsmasq-base which includes the Lua interpreter.
+
 Package: dnsmasq-utils
 Architecture: linux-any
-Depends: ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Conflicts: dnsmasq (<<2.40)
 Description: Utilities for manipulating DHCP leases
  Small utilities to query a DHCP server's lease database and

debian/copyright

@@ -1,21 +1,58 @@
-dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: dnsmasq
+Upstream-Contact: Simon Kelley <simon@thekelleys.org.uk>
+Source: https://thekelleys.org.uk/dnsmasq/
 
-It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
+Files: *
+Copyright: 2000-2024 Simon Kelley <simon@thekelleys.org.uk>
+License: GPL-2 or GPL-3
 
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991, or
-   (at your option) version 3 dated 29 June, 2007.
- 
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
+Files: src/dnssec.c
+Copyright: 2012-2024 Simon Kelley <simon@thekelleys.org.uk>
+           2012      Giovanni Bajo <rasky@develer.com>
 
-On Debian GNU/Linux systems, the text of the GNU general public license is 
-available in the file /usr/share/common-licenses/GPL-2 or 
-/usr/share/common-licenses/GPL-3
+Files: debian/*
+Copyright: 2004-2024 Simon Kelley <simon@thekelleys.org.uk>
+           2012      Lars Bahner <bahner@debian.org>
+           2024      Sven Geuer <debmaint@g-e-u-e-r.de>
+License: GPL-2 or GPL-3
 
-The Debian package of dnsmasq was created by Simon Kelley with assistance 
-from Lars Bahner.
+License: GPL-2
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation;
+ version 2 dated June, 1991.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program.  If not, see
+ <https://www.gnu.org/licenses/gpl-2.0>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
 
+License: GPL-3
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation;
+ version 3 dated 29 June, 2007.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program.  If not, see
+ <https://www.gnu.org/licenses/gpl-3.0>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License can be found in the file
+ `/usr/share/common-licenses/GPL-3'.

debian/dnsmasq-base-lua.dirs

@@ -0,0 +1 @@
+dnsmasq-base.dirs

debian/dnsmasq-base-lua.docs

@@ -0,0 +1 @@
+dnsmasq-base.docs

debian/dnsmasq-base-lua.install

@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
+trust-anchors.conf /usr/share/dnsmasq-base-lua

debian/dnsmasq-base-lua.links

@@ -0,0 +1,2 @@
+usr/share/dnsmasq-base-lua usr/share/dnsmasq-base
+usr/share/doc/dnsmasq-base-lua usr/share/doc/dnsmasq-base

debian/dnsmasq-base-lua.maintscript

@@ -0,0 +1,9 @@
+# With the use of debhelper /usr/share/doc/dnsmasq-base-lua has become a
+# directory as required in
+# https://www.debian.org/doc/debian-policy/ch-docs.html#additional-documentation
+# thus /usr/share/doc/dnsmasq-base will be a link from now onwards.
+symlink_to_dir /usr/share/doc/dnsmasq-base-lua /usr/share/doc/dnsmasq-base 2.89-1.1~ dnsmasq-base-lua
+dir_to_symlink /usr/share/doc/dnsmasq-base /usr/share/doc/dnsmasq-base-lua 2.89-1.1~ dnsmasq-base-lua
+# Due to lintian warning dbus-policy-in-etc this file has been moved to
+# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
+rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base-lua

debian/dnsmasq-base-lua.postinst

@@ -0,0 +1 @@
+dnsmasq-base.postinst

debian/dnsmasq-base-lua.postrm

@@ -0,0 +1 @@
+dnsmasq-base.postrm

debian/dnsmasq-base.conffiles

@@ -1 +0,0 @@
-/etc/dbus-1/system.d/dnsmasq.conf

debian/dnsmasq-base.dirs

@@ -0,0 +1 @@
+/var/lib/misc

debian/dnsmasq-base.docs

@@ -0,0 +1,8 @@
+doc.html
+setup.html
+dnsmasq.conf.example
+FAQ
+CHANGELOG.archive
+dbus/DBus-interface
+debian/systemd_howto
+debian/readme

debian/dnsmasq-base.install

@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
+trust-anchors.conf /usr/share/dnsmasq-base

debian/dnsmasq-base.maintscript

@@ -0,0 +1,3 @@
+# Due to lintian warning dbus-policy-in-etc this file has been moved to
+# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
+rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base

debian/dnsmasq-base.postinst

@@ -2,13 +2,16 @@
 set -e
 
 # Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
-      
-# create a user to run as (code stolen from dovecot-common)
+
 if [ "$1" = "configure" ]; then
+  # Create the user to run as.
   if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
-    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
-            --no-create-home --disabled-password \
-            --quiet dnsmasq || true
+    useradd --system \
+            --gid nogroup \
+            --comment dnsmasq \
+            --home-dir /var/lib/misc --no-create-home \
+            --shell /usr/sbin/nologin \
+            dnsmasq
   fi
 
   # Make the directory where we keep the pid file - this
@@ -16,9 +19,12 @@ if [ "$1" = "configure" ]; then
   # This is only actually used by the dnsmasq binary package, not
   # dnsmasq-base, but it's much easier to create it here so that
   # we don't have synchronisation issues with the creation of the
-  # dnsmasq user. 
+  # dnsmasq user.
   if [ ! -d /run/dnsmasq ]; then
     mkdir /run/dnsmasq
     chown dnsmasq:nogroup /run/dnsmasq
   fi
 fi
+
+#DEBHELPER#
+

debian/dnsmasq-base.postrm

@@ -2,10 +2,9 @@
 set -e
 
 if [ purge = "$1" ]; then
-   if [ -x "$(command -v deluser)" ]; then
-     deluser --quiet --system dnsmasq > /dev/null || true
-  else
-     echo >&2 "not removing dnsmasq system account because deluser command was not found"
-  fi
+  userdel dnsmasq
   rm -rf /run/dnsmasq
 fi
+
+#DEBHELPER#
+

debian/dnsmasq-utils.install

@@ -0,0 +1,3 @@
+dhcp_lease_time	/usr/bin
+dhcp_release	/usr/bin
+dhcp_release6	/usr/bin

debian/dnsmasq-utils.manpages

@@ -0,0 +1,3 @@
+dhcp_lease_time.1
+dhcp_release.1
+dhcp_release6.1

debian/dnsmasq.default

@@ -16,10 +16,10 @@
 #DOMAIN_SUFFIX=`dnsdomainname`
 #DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
 
-# Whether or not to run the dnsmasq daemon; set to 0 to disable.
-# Note that this is only valid when using SYSV init. For systemd,
-# use "systemctl disable dnsmasq"
-ENABLED=1
+# The dnsmasq daemon is run by default conforming to the Debian Policy.
+# To disable the service,
+# for SYSV init, use "update-rc.d dnsmasq disable",
+# for systemd, use "systemctl disable dnsmasq".
 
 # By default search this drop directory for configuration options.
 # Libvirt leaves a file here to make the system dnsmasq play nice.

debian/dnsmasq.init

@@ -0,0 +1,170 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:       dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop:  $network $remote_fs $syslog
+# Default-Start:  2 3 4 5
+# Default-Stop:   0 1 6
+# Description:    DHCP and DNS server
+### END INIT INFO
+
+# Don't exit on error status
+set +e
+
+# The following test ensures the dnsmasq service is not started, when the
+# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
+# package is still in place.
+if [ -r /usr/share/dnsmasq/init-system-common ]; then
+    # 'dnsmasq' is installed: source initial code used also with systemd.
+    . /usr/share/dnsmasq/init-system-common
+else
+    # 'dnsmasq' is removed but not purged, or damaged: do nothing.
+    exit 0
+fi
+
+# Double-check 'dnsmasq-base' or 'dnsmasq-base-lua' is installed.
+test -x ${DAEMON} || exit 0
+
+# Source the SysV init-functions which should always be available.
+. /lib/lsb/init-functions || exit 0
+
+start()
+{
+    # Return
+    #   0 if daemon has been started
+    #   1 if daemon was already running
+    #   2 if daemon could not be started
+
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
+    fi
+    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
+        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
+        || return 2
+}
+
+stop()
+{
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
+}
+
+status()
+{
+    # Return
+    #   0 if daemon is running
+    #   1 if daemon is dead and pid file exists
+    #   3 if daemon is not running
+    #   4 if daemon status is unknown
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
+    case "${?}" in
+      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
+      1) return 0 ;;
+      *) return 4 ;;
+    esac
+}
+
+case "${1}" in
+  start)
+    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    start
+    case "${?}" in
+      0)
+        log_end_msg 0
+        start_resolvconf
+        exit 0
+        ;;
+      1)
+        log_success_msg "(already running)"
+        exit 0
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
+  stop)
+    stop_resolvconf
+    log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    stop
+    RETVAL="${?}"
+    case "${RETVAL}" in
+      0) log_end_msg 0 ; exit 0 ;;
+      1) log_warning_msg "(not running)" ; exit 0 ;;
+      *) log_end_msg 1; exit 1 ;;
+    esac
+    ;;
+  restart|force-reload)
+    checkconfig
+    if [ ${?} -ne 0 ]; then
+        NAME="configuration syntax check"
+        RETVAL="2"
+    else
+        stop_resolvconf
+        stop
+        RETVAL="${?}"
+    fi
+    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    case "${RETVAL}" in
+      0|1)
+        sleep 2
+        start
+        case "${?}" in
+          0)
+            log_end_msg 0
+            start_resolvconf
+            exit 0
+            ;;
+          *)
+            log_end_msg 1
+            exit 1
+            ;;
+        esac
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
+  status)
+    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    status
+    case "${?}" in
+      0) log_success_msg "(running)" ; exit 0 ;;
+      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+      3) log_success_msg "(not running)" ; exit 3 ;;
+      *) log_success_msg "(unknown)" ; exit 4 ;;
+    esac
+    ;;
+  dump-stats)
+    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
+    ;;
+  *)
+    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
+    exit 3
+    ;;
+esac
+
+exit 0

debian/dnsmasq.install

@@ -0,0 +1,8 @@
+#!/usr/bin/dh-exec
+debian/resolvconf => /etc/resolvconf/update.d/dnsmasq
+debian/resolvconf-package => /usr/lib/resolvconf/dpkg-event.d/dnsmasq
+debian/init-system-common => /usr/share/dnsmasq/init-system-common
+debian/systemd-helper => /usr/share/dnsmasq/systemd-helper
+dnsmasq.conf.example => /etc/dnsmasq.conf
+debian/readme.dnsmasq.d => /etc/dnsmasq.d/README
+debian/insserv => /etc/insserv.conf.d/dnsmasq

debian/dnsmasq.links

@@ -0,0 +1 @@
+usr/share/dnsmasq-base/trust-anchors.conf usr/share/dnsmasq/trust-anchors.conf

debian/dnsmasq.maintscript

@@ -0,0 +1,2 @@
+# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
+symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq

debian/dnsmasq.runscript/run

@@ -15,14 +15,14 @@ then
 fi
 
 # This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address 
+# It's automatically ignored if  --interface --except-interface, --listen-address
 # or --auth-server exist in the configuration, so for most installations, it will
 # have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
 # from being vulnerable to DNS-reflection attacks.
 
 DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
 
-# If the dns-root-data package is installed, then the trust anchors will be 
+# If the dns-root-data package is installed, then the trust anchors will be
 # available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
 # --trust-anchor options.
 

debian/dnsmasq.service

@@ -10,19 +10,19 @@ Type=forking
 PIDFile=/run/dnsmasq/dnsmasq.pid
 
 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig
+ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig
 
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec
+# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
+# as a wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "exec" function.
+ExecStart=/usr/share/dnsmasq/systemd-helper exec
 
-# The systemd-*-resolvconf functions configure (and deconfigure)
+# The *-resolvconf functions configure (and deconfigure)
 # resolvconf to work with the dnsmasq DNS server. They're called like
 # this to get correct error handling (ie don't start-resolvconf if the
 # dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
+ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf
+ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf
 
 
 ExecReload=/bin/kill -HUP $MAINPID

debian/dnsmasq@.service

@@ -10,19 +10,19 @@ Type=forking
 PIDFile=/run/dnsmasq/dnsmasq.%i.pid
 
 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig "%i"
+ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig "%i"
 
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec "%i"
+# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
+# as a wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "exec" function.
+ExecStart=/usr/share/dnsmasq/systemd-helper exec "%i"
 
-# The systemd-*-resolvconf functions configure (and deconfigure)
+# The *-resolvconf functions configure (and deconfigure)
 # resolvconf to work with the dnsmasq DNS server. They're called like
 # this to get correct error handling (ie don't start-resolvconf if the
 # dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf "%i"
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf "%i"
+ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf "%i"
+ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf "%i"
 
 
 ExecReload=/bin/kill -HUP $MAINPID

debian/init

@@ -1,325 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:  $network $remote_fs $syslog
-# Default-Start:  2 3 4 5
-# Default-Stop:   0 1 6
-# Description:    DHCP and DNS server
-### END INIT INFO
-
-# Don't exit on error status
-set +e
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/dnsmasq
-NAME=dnsmasq
-DESC="DNS forwarder and DHCP server"
-INSTANCE="${2}"
-
-# Most configuration options in /etc/default/dnsmasq are deprecated
-# but still honoured.
-ENABLED=1
-if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
-    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
-fi
-
-# Get the system locale, so that messages are in the correct language, and the
-# charset for IDN is correct
-if [ -r /etc/default/locale ]; then
-    . /etc/default/locale
-    export LANG
-fi
-
-# The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
-# package is still in place.
-test -e /usr/share/dnsmasq/installed-marker || exit 0
-
-test -x ${DAEMON} || exit 0
-
-# Provide skeleton LSB log functions for backports which don't have LSB functions.
-if [ -f /lib/lsb/init-functions ]; then
-    . /lib/lsb/init-functions
-else
-    log_warning_msg () {
-        echo "${@}."
-    }
-
-    log_success_msg () {
-        echo "${@}."
-    }
-
-    log_daemon_msg () {
-        echo -n "${1}: ${2}"
-    }
-
-    log_end_msg () {
-        if [ "${1}" -eq 0 ]; then
-            echo "."
-        elif [ "${1}" -eq 255 ]; then
-            /bin/echo -e " (warning)."
-        else
-            /bin/echo -e " failed!"
-        fi
-    }
-fi
-
-# RESOLV_CONF:
-# If the resolvconf package is installed then use the resolv conf file
-# that it provides as the default.  Otherwise use /etc/resolv.conf as
-# the default.
-#
-# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
-# filename is set there then this inhibits the use of the resolvconf-provided
-# information.
-#
-# Note that if the resolvconf package is installed it is not possible to
-# override it just by configuration in /etc/dnsmasq.conf, it is necessary
-# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
-
-if [ ! "${RESOLV_CONF}" ] &&
-   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-    RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-for INTERFACE in ${DNSMASQ_INTERFACE}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
-done
-
-for INTERFACE in ${DNSMASQ_EXCEPT}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
-done
-
-if [ ! "${DNSMASQ_USER}" ]; then
-   DNSMASQ_USER="dnsmasq"
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if --interface --except-interface, --listen-address
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be
-# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f ${ROOT_DS} ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-start()
-{
-    # Return
-    #   0 if daemon has been started
-    #   1 if daemon was already running
-    #   2 if daemon could not be started
-
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
-        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
-        || return 2
-}
-
-start_resolvconf()
-{
-# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
-# Then dnsmasq won't be providing local DNS, so don't add it to
-# the resolvconf server set.
-    for interface in ${DNSMASQ_EXCEPT}; do
-        [ ${interface} = lo ] && return
-    done
-
-    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-    if grep -qs '^port=0' /etc/dnsmasq.conf; then
-        return
-    fi
-
-    if [ -x /sbin/resolvconf ] ; then
-        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-stop()
-{
-    # Return
-    #   0 if daemon has been stopped
-    #   1 if daemon was already stopped
-    #   2 if daemon could not be stopped
-    #   other if a failure occurred
-    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
-}
-
-stop_resolvconf()
-{
-    if [ -x /sbin/resolvconf ] ; then
-        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-status()
-{
-    # Return
-    #   0 if daemon is running
-    #   1 if daemon is dead and pid file exists
-    #   3 if daemon is not running
-    #   4 if daemon status is unknown
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
-    case "${?}" in
-      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
-      1) return 0 ;;
-      *) return 4 ;;
-    esac
-}
-
-case "${1}" in
-  start)
-    test "${ENABLED}" != "0" || exit 0
-    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    start
-    case "${?}" in
-      0)
-        log_end_msg 0
-        start_resolvconf
-        exit 0
-        ;;
-      1)
-        log_success_msg "(already running)"
-        exit 0
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  stop)
-    stop_resolvconf
-    if [ "${ENABLED}" != "0" ]; then
-        log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    fi
-    stop
-    RETVAL="${?}"
-    if [ "${ENABLED}" = "0" ]; then
-        case "${RETVAL}" in
-          0) log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"; log_end_msg 0 ;;
-        esac
-        exit 0
-    fi
-    case "${RETVAL}" in
-      0) log_end_msg 0 ; exit 0 ;;
-      1) log_warning_msg "(not running)" ; exit 0 ;;
-      *) log_end_msg 1; exit 1 ;;
-    esac
-    ;;
-  checkconfig)
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    RETVAL="${?}"
-    exit ${RETVAL}
-    ;;
-  restart|force-reload)
-    test "${ENABLED}" != "0" || exit 1
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    if [ ${?} -ne 0 ]; then
-        NAME="configuration syntax check"
-        RETVAL="2"
-    else
-        stop_resolvconf
-        stop
-        RETVAL="${?}"
-    fi
-    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    case "${RETVAL}" in
-      0|1)
-        sleep 2
-        start
-        case "${?}" in
-          0)
-            log_end_msg 0
-            start_resolvconf
-            exit 0
-            ;;
-          *)
-            log_end_msg 1
-            exit 1
-            ;;
-        esac
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  status)
-    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    status
-    case "${?}" in
-      0) log_success_msg "(running)" ; exit 0 ;;
-      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-      3) log_success_msg "(not running)" ; exit 3 ;;
-      *) log_success_msg "(unknown)" ; exit 4 ;;
-    esac
-    ;;
-  dump-stats)
-    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
-    ;;
-  systemd-start-resolvconf)
-    start_resolvconf
-    ;;
-  systemd-stop-resolvconf)
-    stop_resolvconf
-    ;;
-  systemd-exec)
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
-    ;;
-  *)
-    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
-    exit 3
-    ;;
-esac
-
-exit 0

debian/init-system-common

@@ -0,0 +1,102 @@
+# -*- shell-script -*-
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/dnsmasq
+NAME=dnsmasq
+DESC="DNS forwarder and DHCP server"
+INSTANCE="${2}"
+
+# Most configuration options in /etc/default/dnsmasq are deprecated
+# but still honoured.
+if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
+    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
+fi
+
+# Get the system locale, so that messages are in the correct language, and the
+# charset for IDN is correct
+if [ -r /etc/default/locale ]; then
+    . /etc/default/locale
+    export LANG
+fi
+
+# RESOLV_CONF:
+# If the resolvconf package is installed then use the resolv conf file
+# that it provides as the default.  Otherwise use /etc/resolv.conf as
+# the default.
+#
+# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
+# filename is set there then this inhibits the use of the resolvconf-provided
+# information.
+#
+# Note that if the resolvconf package is installed it is not possible to
+# override it just by configuration in /etc/dnsmasq.conf, it is necessary
+# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
+
+if [ ! "${RESOLV_CONF}" ] &&
+   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
+   [ -x /sbin/resolvconf ]
+then
+    RESOLV_CONF=/run/dnsmasq/resolv.conf
+fi
+
+for INTERFACE in ${DNSMASQ_INTERFACE}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
+done
+
+for INTERFACE in ${DNSMASQ_EXCEPT}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
+done
+
+if [ ! "${DNSMASQ_USER}" ]; then
+    DNSMASQ_USER="dnsmasq"
+fi
+
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if --interface --except-interface, --listen-address
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
+
+# If the dns-root-data package is installed, then the trust anchors will be
+# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# --trust-anchor options.
+
+ROOT_DS="/usr/share/dns/root.ds"
+
+if [ -f ${ROOT_DS} ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
+fi
+
+checkconfig()
+{
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+}
+
+start_resolvconf()
+{
+# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
+# Then dnsmasq won't be providing local DNS, so don't add it to
+# the resolvconf server set.
+    for interface in ${DNSMASQ_EXCEPT}; do
+        [ ${interface} = lo ] && return
+    done
+
+    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+    if grep -qs '^port=0' /etc/dnsmasq.conf; then
+        return
+    fi
+
+    if [ -x /sbin/resolvconf ] ; then
+        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
+}
+
+stop_resolvconf()
+{
+    if [ -x /sbin/resolvconf ] ; then
+        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
+}

debian/installed-marker

@@ -1,2 +0,0 @@
-# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
-# It is an implementation detail of the dnsmasq init script.

debian/lintian-override

@@ -1,3 +0,0 @@
-# dnsmasq-base and dnsmasq-base-lua are mutually exclusive and both
-# provide /usr/share/doc/dnsmasq-base
-dnsmasq-base-lua binary: usr-share-doc-symlink-without-dependency dnsmasq-base

debian/patches/eliminate-privacy-breaches.patch

@@ -0,0 +1,40 @@
+Description: Remove or replace privacy breaching logos and forms
+ Lintian complains about these by issuing the tags privacy-breach-logo and
+ privacy-breach-donation.
+Forwarded: not-needed
+Author: Sven Geuer <debmaint@g-e-u-e-r.de>
+Last-Update: 2023-11-18
+
+--- a/doc.html
++++ b/doc.html
+@@ -1,14 +1,11 @@
+ <HTML>
+ <HEAD>
+ <TITLE> Dnsmasq - network services for small networks.</TITLE>
+-<link rel="icon" href="http://www.thekelleys.org.uk/dnsmasq/images/favicon.ico">
+ </HEAD>
+ <BODY BGCOLOR="WHITE"> 
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+-<td align="left" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td>
+ <td align="middle" valign="middle"><h1>Dnsmasq</h1></td>
+-<td align="right" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td></tr>
+ </table>
+ Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be 
+ lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used 
+@@ -88,14 +85,6 @@
+ Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. 
+ These days I'm working on it as my main activity. 
+ I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make 
+-a contribution towards my expenses, please use the donation button below.
+-<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
+-<input type="hidden" name="cmd" value="_s-xclick">
+-<input type="hidden" name="hosted_button_id" value="V3X9GVW5GX6DA">
+-<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
+-<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
+-</form>
+-
+-
++a contribution towards my expenses, please use the donation button at <A HREF="https://www.thekelleys.org.uk/dnsmasq/doc.html">the project's home page</A>.
+ </BODY>
+ 

debian/patches/series

@@ -0,0 +1 @@
+eliminate-privacy-breaches.patch

debian/postinst

@@ -1,38 +0,0 @@
-#!/bin/sh
-set -e
-
-# Code copied from dh_systemd_enable ----------------------
-# This will only remove masks created by d-s-h on package removal.
-deb-systemd-helper unmask dnsmasq.service >/dev/null || true
-
-# was-enabled defaults to true, so new installations run enable.
-if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
-	# Enables the unit on first installation, creates new
-	# symlinks on upgrades if the unit file has changed.
-	deb-systemd-helper enable dnsmasq.service >/dev/null || true
-else
-	# Update the statefile to add new symlinks (if any), which need to be
-	# cleaned up on purge. Also remove old symlinks.
-	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
-fi
-# End code copied from dh_systemd_enable ------------------
-
-if [ -x /etc/init.d/dnsmasq ]; then
-   update-rc.d dnsmasq defaults 15 85 >/dev/null
-
-   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
-          ACTION=restart
-      else
-          ACTION=start
-      fi
-
-      if [ -x /usr/sbin/invoke-rc.d ] ; then
-         invoke-rc.d dnsmasq $ACTION || true
-      else
-         /etc/init.d/dnsmasq $ACTION || true
-      fi
-   fi
-fi
-
-

debian/postrm

@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ purge = "$1" ]; then
-   update-rc.d dnsmasq remove >/dev/null
-fi
-
-# Code copied from dh_systemd_enable ----------------------
-if [ "$1" = "remove" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper mask dnsmasq.service >/dev/null
-	fi
-fi
-
-if [ "$1" = "purge" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper purge dnsmasq.service >/dev/null
-		deb-systemd-helper unmask dnsmasq.service >/dev/null
-	fi
-fi
-# End code copied from dh_systemd_enable ------------------
-

debian/prerm

@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ "$1" = "remove" ]; then
-  if [ -x /usr/sbin/invoke-rc.d ] ; then
-      invoke-rc.d dnsmasq stop || true
-  else
-      /etc/init.d/dnsmasq stop || true
-  fi
-fi
-
-exit 0
-
-

debian/readme

@@ -4,13 +4,13 @@ Notes on configuring dnsmasq as packaged for Debian.
     commented; see also the dnsmasq.8 man page for explanation of
     the options. The file /etc/default/dnsmasq also exists but it
     shouldn't need to be touched in most cases. To set up DHCP
-    options you might need to refer to a copy of RFC 2132. This is 
+    options you might need to refer to a copy of RFC 2132. This is
     available on Debian systems in the package doc-rfc-std as the file
     /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
 
 (2) Installing the dnsmasq package also creates the directory
     /etc/dnsmasq.d which is searched by dnsmasq for configuration file
-    fragments. This behaviour can be disabled by editing 
+    fragments. This behaviour can be disabled by editing
     /etc/default/dnsmasq.
 
 (3) If the Debian resolvconf package is installed then, regardless
@@ -30,25 +30,25 @@ Notes on configuring dnsmasq as packaged for Debian.
     generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
     as the first nameserver address in /etc/resolv.conf.
 
-(6) In the absence of resolvconf, dns-nameservers lines in 
+(6) In the absence of resolvconf, dns-nameservers lines in
     /etc/network/interfaces are ignored. If you do not use
     resolvconf, list 127.0.0.1 as the first nameserver address
     in /etc/resolv.conf and configure your nameservers using
     "server=<IP-address>" lines in /etc/dnsmasq.conf.
 
 (7) If you run multiple DNS servers on a single machine, each
-    listening on a different interface, then it is necessary to use 
-    the bind-interfaces option by uncommenting "bind-interfaces" in 
-    /etc/dnsmasq.conf. This option stops dnsmasq from binding the 
+    listening on a different interface, then it is necessary to use
+    the bind-interfaces option by uncommenting "bind-interfaces" in
+    /etc/dnsmasq.conf. This option stops dnsmasq from binding the
     wildcard address and allows servers listening on port 53 on
-    interfaces not in use by dnsmasq to work. The Debian 
+    interfaces not in use by dnsmasq to work. The Debian
     libvirt package will add a configuration file in /etc/dnsmasq.d
     which does this so that the "system" dnsmasq and "private" dnsmasq
     instances started by libvirt do not clash.
 
 (8) The following options are supported in DEB_BUILD_OPTIONS
       noopt       : compile without optimisation.
-      nostrip     : don't remove symbols from binary. 
+      nostrip     : don't remove symbols from binary.
       nodocs      : omit documentation.
       notftp      : omit TFTP support.
       nodhcp      : omit DHCP support.
@@ -58,15 +58,16 @@ Notes on configuring dnsmasq as packaged for Debian.
                     in Lua.
       noipv6      : omit IPv6 support.
       nodbus      : omit DBus support.
-      noconntrack : omit connection tracking support. 
+      noconntrack : omit connection tracking support.
       noipset     : omit IPset support.
+      nonftset    : omit nftset support.
       nortc       : compile alternate mode suitable for systems without an RTC.
       noi18n      : omit translations and internationalisation support.
       noidn       : omit international domain name support, must be
                     combined with noi18n to be effective.
       gitversion  : set the version of the produced packages from the
                     git-derived versioning information on the source,
-                    rather than the debian changelog. 
+                    rather than the debian changelog.
 
 (9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
     dnsmasq. Dnsmasq-base provides the dnsmasq executable and
@@ -75,5 +76,5 @@ Notes on configuring dnsmasq as packaged for Debian.
     infrastructure. This file assumes that both are installed. It is
     possible to install only dnsmasq-base and use dnsmasq as a
     non-"system" daemon. Libvirt, for instance, does this.
-    Dnsmasq-utils provides the utilities dhcp_release and 
+    Dnsmasq-utils provides the utilities dhcp_release and
     dhcp_lease_time.

debian/resolvconf

@@ -48,7 +48,7 @@ RSLVCNFFILES=""
 for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
 	case "$F" in
 	    "lo.$MY_NAME_FOR_RESOLVCONF")
-		# Omit own record	 
+		# Omit own record
 		;;
 	    lo.*)
 		# Include no more records after one for a local nameserver

debian/rules

@@ -1,305 +1,127 @@
 #!/usr/bin/make -f
-# debian/rules file - for dnsmasq.
-# Copyright 2001-2020 by Simon Kelley
-# Based on the sample in the debian hello package which carries the following:
-# Copyright 1994,1995 by Ian Jackson.
-# I hereby give you perpetual unlimited permission to copy,
-# modify and relicense this file, provided that you do not remove
-# my name from the file itself.  (I assert my moral right of
-# paternity under the Copyright, Designs and Patents Act 1988.)
-# This file may have to be extensively modified
+# -*- makefile -*-
 
-package=dnsmasq-base
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE=1
 
-dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
+# Make sure lintian does not complain about missing hardenings.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
-CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
-CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
-CFLAGS += -Wall -W
+include /usr/share/dpkg/architecture.mk
 
-LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
-
-DEB_COPTS = $(COPTS)
-
-TARGET = install-i18n
-
-DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
-DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
-
-ifeq ($(origin CC),default)
-     CC = $(DEB_HOST_GNU_TYPE)-gcc
-endif
-
-# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
-ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
-     PKG_CONFIG=pkg-config
-else
-     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
-endif
-
-# Force package version based on git tags.
-ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
-     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
-endif
+PREFIX = /usr
+# Upstream does not handle CPPFLAGS, so we add it to CFLAGS here.
+CFLAGS += $(CPPFLAGS)
+COPTS =
 
 ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DBUS
+	COPTS += -DHAVE_DBUS
 endif
 
 ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_LIBIDN2
+	COPTS += -DHAVE_LIBIDN2
+endif
+
+ifeq (,$(filter nonftset, $(DEB_BUILD_OPTIONS)))
+	COPTS += -DHAVE_NFTSET
 endif
 
 ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
 ifeq ($(DEB_HOST_ARCH_OS),linux)
-     DEB_COPTS += -DHAVE_CONNTRACK
+	COPTS += -DHAVE_CONNTRACK
 endif
 endif
 
 ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPSET
+	COPTS += -DNO_IPSET
 endif
 
 ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP6
+	COPTS += -DNO_DHCP6
 endif
 
 ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPV6
+	COPTS += -DNO_IPV6
 endif
 
 ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_TFTP
+	COPTS += -DNO_TFTP
 endif
 
 ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP
+	COPTS += -DNO_DHCP
 endif
 
 ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_SCRIPT
+	COPTS += -DNO_SCRIPT
 endif
 
 ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_BROKEN_RTC
-endif
-
-ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
-     TARGET = install
-endif
-
-ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_LUASCRIPT
+	COPTS += -DHAVE_BROKEN_RTC
 endif
 
 ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DNSSEC
+	COPTS += -DHAVE_DNSSEC
 endif
 
-ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
-     # For strlcpy in FreeBSD
-     LIBS += $(shell ${PKG_CONFIG} --libs libbsd-overlay)
-     CFLAGS += $(shell ${PKG_CONFIG} --cflags libbsd-overlay)
-endif
 
-define build_tree
-	rm -rf $1
-	install -m 755 \
-		-d $1/DEBIAN \
-		-d $1/etc/dbus-1/system.d \
-	        -d $1/usr/share/doc/$(package) \
-		-d $1/usr/share/doc/$(package)/examples \
-		-d $1/usr/share/$(package) \
-	        -d $1/var/lib/misc
-
-endef
-
-define add_docs
-# Need to remove paypal links in Debian Package for policy reasons.
-	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >$1/usr/share/doc/$(package)/doc.html
-	echo "</BODY>" >>$1/usr/share/doc/$(package)/doc.html 
-	install -m 644 setup.html $1/usr/share/doc/$(package)/.
-	install -m 644 dnsmasq.conf.example $1/usr/share/doc/$(package)/examples/.
-	install -m 644 FAQ $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/FAQ
-	install -m 644 CHANGELOG $1/usr/share/doc/$(package)/changelog
-	gzip -9n $1/usr/share/doc/$(package)/changelog
-	install -m 644 CHANGELOG.archive $1/usr/share/doc/$(package)/changelog.archive
-	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
-	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
-	install -m 644 debian/systemd_howto $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/systemd_howto
-	gzip -9n $1/usr/share/man/man8/dnsmasq.8
-	for f in $1/usr/share/man/*; do \
-		if [ -f $$f/man8/dnsmasq.8 ]; then \
-                       gzip -9n $$f/man8/dnsmasq.8 ; \
-                fi \
-	done
-endef
-
-define add_files
-	install -m 644 trust-anchors.conf $1/usr/share/$(package)/.
-	install -m 644 debian/dnsmasq-base.conffiles $1/DEBIAN/conffiles
-	install -m 755 debian/dnsmasq-base.postinst $1/DEBIAN/postinst
-	install -m 755 debian/dnsmasq-base.postrm  $1/DEBIAN/postrm
-	install -m 644 debian/changelog $1/usr/share/doc/$(package)/changelog.Debian
-	gzip -9n $1/usr/share/doc/$(package)/changelog.Debian
-	install -m 644 debian/readme $1/usr/share/doc/$(package)/README.Debian
-	install -m 644 debian/copyright $1/usr/share/doc/$(package)/copyright
-	install -m 644 debian/dbus.conf $1/etc/dbus-1/system.d/dnsmasq.conf
-endef
-
-clean:
-	$(checkdir)
-	make BUILDDIR=debian/build/no-lua clean
-	make BUILDDIR=debian/build/lua clean
-	make -C contrib/lease-tools clean
-	rm -rf debian/build debian/trees debian/*~ debian/files debian/substvars debian/utils-substvars
-
-binary-indep:	checkroot
-	$(checkdir)
-	rm -rf debian/trees/daemon
-	install -m 755 \
-	        -d debian/trees/daemon/DEBIAN \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/init.d \
-		-d debian/trees/daemon/etc/dnsmasq.d \
-	        -d debian/trees/daemon/etc/resolvconf/update.d \
-		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
-		-d debian/trees/daemon/usr/share/dnsmasq \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/default \
-		-d debian/trees/daemon/lib/systemd/system \
-		-d debian/trees/daemon/usr/lib/tmpfiles.d \
-                -d debian/trees/daemon/etc/insserv.conf.d
-	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
-	install -m 755 debian/postinst debian/postrm debian/prerm debian/trees/daemon/DEBIAN
-	if ! dpkg-vendor --derives-from Ubuntu; then \
-                rm -f debian/dnsmasq.postinst.debhelper debian/dnsmasq.postrm.debhelper; \
-	      	dh_runit -pdnsmasq -Pdebian/trees/daemon; \
-		cat debian/dnsmasq.postinst.debhelper >> debian/trees/daemon/DEBIAN/postinst; \
-		cat debian/dnsmasq.postrm.debhelper   >> debian/trees/daemon/DEBIAN/postrm; \
-		cd debian/trees/daemon && find etc/sv -type f -printf '/%p\n' >>DEBIAN/conffiles; \
+%:
+	# Ubuntu and derivates do not support runit, see
+	# https://bugs.debian.org/960401 for details.
+	if dpkg-vendor --derives-from Ubuntu; then \
+		dh $@; \
+	else \
+		dh $@ --with runit; \
 	fi
-	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
-	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
-	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
-	install -m 644 debian/installed-marker debian/trees/daemon/usr/share/dnsmasq
-	install -m 644 debian/default debian/trees/daemon/etc/default/dnsmasq
-	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
-	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
-	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
-	install -m 644 debian/systemd@.service debian/trees/daemon/lib/systemd/system/dnsmasq@.service
-	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
-	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
-	install -m 644 debian/copyright debian/trees/daemon/usr/share/doc/dnsmasq/copyright
-	install -m 644 debian/changelog debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	gzip -9n debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/dnsmasq.substvars -pdnsmasq -Pdebian/trees/daemon
-	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/daemon
-	chmod -R g-ws debian/trees/daemon
-	dpkg --build debian/trees/daemon ..
 
-binary-arch:	checkroot 
-	$(call build_tree,debian/trees/base)
-	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+# Upstream builds and installs in one go, so do we.
+override_dh_auto_build:
+
+override_dh_auto_install:
+	dh_auto_build -p dnsmasq-base --no-parallel -- install-i18n \
+		BUILDDIR=debian/auto-build/dnsmasq-base \
+		DESTDIR=$(CURDIR)/debian/dnsmasq-base \
+		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+		COPTS="$(COPTS)"
+	dh_auto_build -p dnsmasq-base-lua --no-parallel -- install-i18n \
+		BUILDDIR=debian/auto-build/dnsmasq-base-lua \
+		DESTDIR=$(CURDIR)/debian/dnsmasq-base-lua \
+		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+		LUA=lua5.4 COPTS="$(COPTS) -DHAVE_LUASCRIPT"
+	dh_auto_build -p dnsmasq-utils -D contrib/lease-tools
+
+override_dh_auto_clean:
+	dh_auto_clean -p dnsmasq-base -- \
+		BUILDDIR=debian/auto-build/dnsmasq-base
+	dh_auto_clean -p dnsmasq-base-lua -- \
+		BUILDDIR=debian/auto-build/dnsmasq-base-lua
+	rm -rf debian/auto-build
+	dh_auto_clean -p dnsmasq-utils -D contrib/lease-tools
+
+override_dh_install:
+	dh_install -p dnsmasq-utils --sourcedir=contrib/lease-tools
+	dh_install --remaining-packages
+
+# If 'nodoc' is absent from DEB_BUILD_OPTIONS, Correct name or location of
+# some doc files.
+# We would prefer do this via dh-exec if it would support dh_installdocs.
 ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/base)
-else	
-	rm -rf debian/trees/base/usr/share/man
-endif
-	$(call add_files,debian/trees/base)
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/base/usr/sbin/dnsmasq
-endif
-	cd debian/trees/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/trees/base
-	find debian/trees/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/base
-	chmod -R g-ws debian/trees/base 
-	dpkg --build debian/trees/base ..
-
-	$(call build_tree,debian/trees/lua-base)
-	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/lua-base)
-else	
-	rm -rf debian/trees/lua-base/usr/share/man
-endif
-	$(call add_files,debian/trees/lua-base)
-	install -m 755 -d debian/trees/lua-base/usr/share/lintian/overrides
-	install -m 644 debian/lintian-override debian/trees/lua-base/usr/share/lintian/overrides/dnsmasq-base-lua
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/lua-base/usr/sbin/dnsmasq
-endif
-	ln -s $(package) debian/trees/lua-base/usr/share/doc/dnsmasq-base-lua
-	cd debian/trees/lua-base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/lua-base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base-lua -Pdebian/trees/lua-base
-	find debian/trees/lua-base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/lua-base
-	chmod -R g-ws debian/trees/lua-base 
-	dpkg --build debian/trees/lua-base ..
-
-
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-	rm -rf debian/trees/utils
-	install -m 755 -d debian/trees/utils/DEBIAN \
-	               -d debian/trees/utils/usr/bin \
-                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 755 -d debian/trees/utils/usr/share/man/man1
-endif
-	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
-	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
-	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-endif
-	install -m 644 debian/copyright debian/trees/utils/usr/share/doc/dnsmasq-utils/copyright
-	install -m 644 debian/changelog debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release6
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_lease_time
-endif	
-	cd debian/trees/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps -Tdebian/utils-substvars debian/trees/utils/usr/bin/dhcp_release debian/trees/utils/usr/bin/dhcp_release6 debian/trees/utils/usr/bin/dhcp_lease_time 
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/trees/utils
-	find debian/trees/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/utils
-	chmod -R g-ws debian/trees/utils 
-	dpkg --build debian/trees/utils ..
+execute_after_dh_installdocs:
+	for d in $(CURDIR)/debian/dnsmasq-base*/usr/share/doc/dnsmasq-base*; do \
+		cd $$d; \
+		mv readme README.Debian; \
+		mv CHANGELOG.archive changelog.archive; \
+		mkdir examples; \
+		mv dnsmasq.conf.example examples/; \
+	done
 endif
 
-define checkdir
-	test -f Makefile -a -f debian/rules
-endef
-
-# Below here is fairly generic really
-
-binary:		binary-arch binary-indep
-
-build:		
-build-arch:
-build-indep:
-
-checkroot:
-	test root = "`whoami`"
-
-.PHONY: binary binary-arch binary-indep clean checkroot
-
-
+# If 'nodoc' is present in DEB_BUILD_OPTIONS, drop the man pages already
+# installed by the upstream build script. Then, let dh_installman do what
+# else needs doing.
+override_dh_installman:
+ifneq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	rm -rf debian/dnsmasq-base*/usr/share/man
+endif
+	dh_installman -p dnsmasq-utils --sourcedir=contrib/lease-tools
+	dh_installman --remaining-packages

debian/source/format

@@ -1 +1 @@
-1.0
+3.0 (quilt)

debian/systemd-helper

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+. /usr/share/dnsmasq/init-system-common
+
+case "$1" in
+	checkconfig)
+		checkconfig
+		;;
+	start-resolvconf)
+		start_resolvconf
+		;;
+	stop-resolvconf)
+		stop_resolvconf
+		;;
+	exec)
+		# /run may be volatile, so we need to ensure that
+		# /run/dnsmasq exists here as well as in postinst
+		if [ ! -d /run/dnsmasq ]; then
+			mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || exit 2 ; }
+			chown dnsmasq:nogroup /run/dnsmasq || exit 2
+		fi
+		exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+			${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+			${MAILTARGET:+ -t ${MAILTARGET}} \
+			${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+			${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+			${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+			${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+			${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+			${CACHESIZE:+ -c ${CACHESIZE}} \
+			${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+			${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
+		;;
+esac

debian/tests/compile-time-options

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+check_compile_time_options

debian/tests/compile-time-options+lua

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+check_compile_time_options +lua

debian/tests/control

@@ -0,0 +1,39 @@
+Tests: compile-time-options
+Depends: dnsmasq,
+         dnsmasq-base,
+Restrictions: needs-root,
+              isolation-container,
+
+Tests: compile-time-options+lua
+Depends: dnsmasq,
+         dnsmasq-base-lua,
+Restrictions: needs-root,
+              isolation-container,
+
+Tests: get-address+query-dns+check-utils
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base,
+         dnsmasq-utils,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,
+
+Tests: get-address+query-dns+lua+alt
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base-lua,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,
+
+Tests: get-address+query-dns+sysv+alt
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,

debian/tests/functions

@@ -0,0 +1,151 @@
+# -*- shell-script -*-
+
+FUNCTIONS_DIR="debian/tests/functions.d"
+
+match_or_exit () {
+	file_to_match="$1"
+	pattern_file="$2"
+
+	while read line_to_match <&3 && read pattern_line <&4 ; do
+		if [ "${line_to_match##$pattern_line}" ]; then
+			echo '!!! MISMATCH !!!' >&2
+			echo "Line:    ${line_to_match}" >&2
+			echo "Pattern: ${pattern_line}" >&2
+			exit 1
+		fi;
+	done 3<"${file_to_match}" 4<"${pattern_file}"
+}
+
+linecount () {
+	wc -l $1 | cut -d' ' -f1
+}
+
+error_exit () {
+	echo "ERROR: $1"
+	exit 1
+}
+
+stop_dnsmasq_bind_networking () {
+	systemctl stop dnsmasq.service
+	systemctl stop named.service
+	systemctl stop networking.service
+}
+
+configure_and_start_networking () {
+	#Add interfaces needed for the test
+	cat ${FUNCTIONS_DIR}/add-to.interfaces >> /etc/network/interfaces
+	systemctl start networking.service
+}
+
+configure_and_start_bind () {
+	cp ${FUNCTIONS_DIR}/db.autopkg.test /etc/bind/
+	cat ${FUNCTIONS_DIR}/add-to.named.conf.local >> /etc/bind/named.conf.local
+	cp ${FUNCTIONS_DIR}/named.conf.options /etc/bind/named.conf.options
+	systemctl start named.service
+}
+
+configure_and_start_dnsmasq () {
+	alt_mode=0
+	lua_mode=0
+	sysv_mode=0
+	service='dnsmasq.service'
+	sysv_param2=''
+	conf_dir='/etc/dnsmasq.d'
+
+	while [ -n "$1" ]; do
+		case "$1" in
+			alt|lua|sysv) eval ${1}_mode=1 ;;
+			*) error_exit "configure_and_start_dnsmasq(): invalid flag '$1'"
+		esac
+		shift
+	done
+
+	if [ ${alt_mode} -eq 1 ]; then
+		cp ${FUNCTIONS_DIR}/dnsmasq.alt-autopkgtest.default /etc/default/dnsmasq.alt
+		cp /etc/dnsmasq.conf /etc/dnsmasq.alt.conf
+		mkdir /etc/dnsmasq.alt.d
+		service='dnsmasq@alt.service'
+		sysv_param2='alt'
+		conf_dir='/etc/dnsmasq.alt.d'
+	fi
+
+	cp ${FUNCTIONS_DIR}/dnsmasq-autopkgtest.conf "${conf_dir}"
+
+	if [ ${lua_mode} -eq 1 ]; then
+		mkdir -p /usr/local/share/dnsmasq
+		cp ${FUNCTIONS_DIR}/log.lua /usr/local/share/dnsmasq/
+		echo "dhcp-luascript=/usr/local/share/dnsmasq/log.lua\n" \
+			>>"${conf_dir}"/dnsmasq-autopkgtest.conf
+	fi
+
+	if [ ${sysv_mode} -eq 1 ]; then
+		SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq start "${sysv_param2}"
+	else
+		systemctl enable "${service}"
+		systemctl start "${service}"
+	fi
+}
+
+check_compile_time_options () {
+	journalctl -b -u dnsmasq
+	echo ~~~ Check compile time options...
+	journalctl -b -u dnsmasq -g '[a-z]+: ' --output cat >options.msg
+	cat options.msg
+	match_or_exit options.msg ${FUNCTIONS_DIR}/options${1}.patterns
+}
+
+get_address_on_veth1_and_check_the_result () {
+	echo ~~~ Get an address on veth1 and check the result...
+	ip netns exec clientnet ifup veth1
+	ip netns exec clientnet ip addr show dev veth1 >ip-addr.out 2>&1
+	cat ip-addr.out
+	match_or_exit ip-addr.out ${FUNCTIONS_DIR}/ip-addr.patterns
+}
+
+query_test_zone_records_and_check_the_result () {
+	echo ~~~ Query some test zone records and check the result...
+	ip netns exec clientnet dig +short SOA autopkg.test >dig.out 2>&1
+	ip netns exec clientnet dig +short NS autopkg.test >>dig.out 2>&1
+	ip netns exec clientnet dig +short A ns.autopkg.test >>dig.out 2>&1
+	ip netns exec clientnet dig +short A dhcp3.autopkg.test >>dig.out 2>&1
+	cat dig.out
+	if [ `linecount dig.out` -ne `linecount ${FUNCTIONS_DIR}/dig.patterns` ] ; then
+		error_exit 'empty or unexpected output'
+	fi
+	match_or_exit dig.out ${FUNCTIONS_DIR}/dig.patterns
+}
+
+check_utils () {
+	#Test dhcp_lease_time and dhcp_release
+	leases_file='/var/lib/misc/dnsmasq.leases'
+	client_ip_address=`cut -d' ' -f3 $leases_file`
+	client_mac_address=`cut -d' ' -f2 $leases_file`
+	echo ~~~ Test dhcp_lease_time...
+	if ! dhcp_lease_time $client_ip_address; then
+		error_exit "'dhcp_lease_time $client_ip_address' failed with return code $?"
+	else
+		#Add \n to dhcp_lease_time's output
+		echo ''
+	fi
+	echo ~~~ Test dhcp_release...
+	cat $leases_file
+	if ! dhcp_release veth0 $client_ip_address 1-$client_mac_address; then
+		error_exit "'dhcp_release veth0 $client_ip_address 1-$client_mac_address' failed with return code $?0"
+	fi
+	if [ -n "`cat $leases_file`" ]; then
+		cat $leases_file
+		error_exit "$leases_file is not empty"
+	fi
+}
+
+check_lua_log () {
+	log_file='/var/log/dnsmasq-lua.log'
+	echo ~~~ Check log file generated by lua script
+	ls -l ${log_file}
+	if [ -s ${log_file} ]; then
+		cat ${log_file}
+		match_or_exit ${log_file} ${FUNCTIONS_DIR}/log.patterns
+	else
+		error_exit "${log_file} is empty"
+	fi
+}

debian/tests/functions.d/add-to.interfaces

@@ -0,0 +1,18 @@
+
+auto dummy0
+iface dummy0 inet static
+    pre-up ip link add dummy0 type dummy
+    address 192.168.141.1
+    netmask 255.255.255.248
+    post-down ip link del dummy0
+
+auto veth0
+iface veth0 inet static
+    pre-up ip netns add clientnet
+    pre-up ip link add veth0 type veth peer veth1 netns clientnet
+    address 192.168.142.1
+    netmask 255.255.255.248
+    post-down ip link del veth0
+    post-down ip netns del clientnet
+
+iface veth1 inet dhcp

debian/tests/functions.d/add-to.named.conf.local

@@ -0,0 +1,2 @@
+zone "autopkg.test"      { type master; file "/etc/bind/db.autopkg.test"; };
+

debian/tests/functions.d/db.autopkg.test

@@ -0,0 +1,18 @@
+$TTL    604800
+@       IN      SOA     ns.autopkg.test. hostmaster.autopkg.test. (
+                              2         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                            300 )       ; Negative Cache TTL
+;
+@	IN	NS	ns
+ns	IN	A	192.168.141.1
+host	IN	A	192.168.142.1
+dhcp0	IN	A	192.168.142.2
+dhcp1	IN	A	192.168.142.3
+dhcp2	IN	A	192.168.142.4
+dhcp3	IN	A	192.168.142.5
+dhcp4	IN	A	192.168.142.6
+brdcst	IN	A	192.168.142.7
+

debian/tests/functions.d/dig.patterns

@@ -0,0 +1,4 @@
+ns.autopkg.test. hostmaster.autopkg.test. 2 604800 86400 2419200 300
+ns.autopkg.test.
+192.168.141.1
+192.168.142.5

debian/tests/functions.d/dnsmasq-autopkgtest.conf

@@ -0,0 +1,6 @@
+no-resolv
+server=/autopkg.test/192.168.141.1
+listen-address=192.168.142.1,127.0.0.1
+bind-interfaces
+dhcp-range=192.168.142.2,192.168.142.6
+dhcp-authoritative

debian/tests/functions.d/dnsmasq.alt-autopkgtest.default

@@ -0,0 +1,42 @@
+# This file has six functions:
+# 1) to completely disable starting this dnsmasq instance
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# 6) to avoid using this dnsmasq instance as the system's default resolver
+#    by setting DNSMASQ_EXCEPT="lo"
+# For upgraders from very old versions, all the shell variables set
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt.conf"
+
+# The dnsmasq daemon is run by default conforming to the Debian Policy.
+# To disable the service,
+# for SYSV init, use "update-rc.d dnsmasq disable",
+# for systemd, use "systemctl disable dnsmasq".
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+#IGNORE_RESOLVCONF=yes
+
+# If the resolvconf package is installed, dnsmasq will tell resolvconf
+# to use dnsmasq under 127.0.0.1 as the system's default resolver.
+# Uncommenting this line inhibits this behaviour.
+#DNSMASQ_EXCEPT="lo"

debian/tests/functions.d/ip-addr.patterns

@@ -0,0 +1,6 @@
+?: veth1@if?: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+    link/ether ??:??:??:??:??:?? brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 192.168.142.?/29 brd 192.168.142.7 scope global dynamic veth1
+       valid_lft 3[56][0-9][0-9]sec preferred_lft 3[56][0-9][0-9]sec
+    inet6 fe80::*:*:*:*/64 scope link*
+       valid_lft forever preferred_lft forever

debian/tests/functions.d/log.lua

@@ -0,0 +1,40 @@
+-- Lua script logging calls from dnsmasq
+
+-- Open the log file in append mode 
+logfile = assert(io.open("/var/log/dnsmasq-lua.log", "a"))
+
+-- Prepend date and time to a string and write the result to the log file
+function __log(str)
+	logfile:write(os.date("!%FT%TZ ")..str.."\n")
+end
+
+-- flush the log file
+function __flush_log()
+	logfile:flush()
+end
+
+-- Log a call to init()
+function init()
+	__log("initialising")
+	__flush_log()
+end
+
+-- Log a call to shutdown()
+function shutdown()
+	__log("shutting down")
+	__flush_log()
+end
+
+-- Log a call to lease() including all arguments
+function lease(operation, params)
+	local lines = {}
+	__log(operation.." lease")
+	for key,value in pairs(params) do
+		table.insert(lines, key..": "..value)
+	end
+	table.sort(lines)
+	for index,line in ipairs(lines) do
+		__log("\t"..line)
+	end
+	__flush_log()
+end

debian/tests/functions.d/log.patterns

@@ -0,0 +1,10 @@
+????-??-??T??:??:??Z initialising
+????-??-??T??:??:??Z add lease
+????-??-??T??:??:??Z 	client_id: ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??
+????-??-??T??:??:??Z 	data_missing: 1.0
+????-??-??T??:??:??Z 	hostname: ?*
+????-??-??T??:??:??Z 	interface: veth0
+????-??-??T??:??:??Z 	ip_address: 192.168.142.[2-6]
+????-??-??T??:??:??Z 	lease_expires: [1-9]*
+????-??-??T??:??:??Z 	mac_address: ??:??:??:??:??:??
+????-??-??T??:??:??Z 	time_remaining: 3600.0

debian/tests/functions.d/named.conf.options

@@ -0,0 +1,6 @@
+options {
+        directory "/var/cache/bind";
+        listen-on { 192.168.141.1; };
+        recursion no;
+};
+

debian/tests/functions.d/options+lua.patterns

@@ -0,0 +1 @@
+*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/functions.d/options.patterns

@@ -0,0 +1 @@
+*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/get-address+query-dns+check-utils

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+check_utils
+
+#Done
+echo Looks good.

debian/tests/get-address+query-dns+lua+alt

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq lua alt
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+check_lua_log
+
+#Done
+echo Looks good.

debian/tests/get-address+query-dns+sysv+alt

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq sysv alt
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+#Done
+echo Looks good.
+SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq stop alt

debian/upstream/metadata

@@ -0,0 +1,9 @@
+Cite-As: dnsmasq
+Contact: simon@thekelleys.org.uk
+Security-Contact: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
+Repository: https://thekelleys.org.uk/git/dnsmasq.git
+Repository-Browse: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary
+Changelog: https://thekelleys.org.uk/dnsmasq/CHANGELOG
+Documentation: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
+FAQ: https://thekelleys.org.uk/dnsmasq/docs/FAQ
+Bug-Submit: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

debian/upstream/signing-key.asc

@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o
+/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5
+KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR
+on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg
+cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg
+KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g
+0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE
+0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy
+MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk
+CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50
+uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB
+tB1TaW1vbiBLZWxsZXkgPHNya0BkZWJpYW4ub3JnPokCNwQTAQgAIQUCUyDDdAIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAVzdpq4ZE1oqFGD/9LkbZFigc1
+jbZ5zIbmGkGvfniWp1mJhEcpgKNfb2MMiu1lKULccIvfVyIY5WDrrpoPnHLnhYA9
+OXHcwVADGBayoVOQgIePrMV0V24uYjUh9+9zGRwQrCLo0rl/l07GKH0S1dxDUeyh
+JRYZGYEqW2+3XDJqIbfsDzSmPNCyjVvqSvkkt0YyuNbH0+cVEoJ1Q2HmfEhvgd4L
+lHZDyhMVqKlKmlnCa8DmhwK+EyzJgLKITqjxBO3NOqPmYZlp8irLXyHAH1sDafaB
+wRjV9cNX2TLTwn3wDdUmoAwMz1jopi/61A0kEglENYaa+NH/UnqfWOo7riXuZNwG
+VP/F/KlMV+JdXMY34fcSIQMWk9cpxzhpuOJjwhoK7g/yq8q9578QXv4VR6ndH+Le
+HDRrm2Ftnih/Ut8unqqDteMJnd3YxSK3Ep78WgVBL9y2Qo3CyKY6VSXlshWZokwy
+rwVS8uLqIGAUzLwsKTYi1nmsDb7mQZqUbPBxYN2mrroD7Pr1/XAV8oNxw6l84nzf
+zObEKvNZLFtWctNpFJXhWhtm/AeQBdkYKcMyTrwQt9Q0XMYKUGE05U+oAdtTvgCR
+JLltqzmt5yMpTPncNmXVoA5YvEVdCU6/Gxpn3Aea8ckBmIqxxQY1QFdEr2nvxPNA
+SbkvHDNDr9XUlKQDqjherurKBIBEiKCMnLQmU2ltb24gS2VsbGV5IDxzaW1vbkB0
+aGVrZWxsZXlzLm9yZy51az6JAjoEEwEIACQCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AFAlMgw44CGQEACgkQFc3aauGRNaLaZg/+PR41J3P7omGv6XD+TiAXfJQo
+R5RfzQoeLNUQEnir/XBulg45203cYHEurchEhSTn2f4WVtFgxJrgId7XGYdf8oIZ
+IjBd82fpwdMwhbfcv/6iqzWL0+2vaPmBqE7iwDTatI888q5TyXppGe8L5/VjX0aB
+vmVIPyEE9BFQas+vv5byUkU542FxPApGsv0W0P1pKabLl0F7ItPFPuaD0+K1kwBr
+WbuGhBKMV9jGHB4qdX/21FBczgAf3J9yJ22vm6orCwwhptxde+DSn7vqZNjDtHGr
+kUWDzKAQBy1g4BmTl6IoVgYKZXAVBGMtYUjS+80VV+QE9meVqmtX1aJJEnf0/BRd
+v9CeD46hZArwXwi/AWFs300pEfzwcC+9T5xc3jlSdYdWxeQDV7XwK2VCOhxjFqTm
++ehP2Gh14Wfpc34jN9jMJ3OowxzN5iZxGYzkHLFhM+0IKEeWEjxRWOoJgV5PmNvG
+7IBbzt8O9xo550h7JmXZVsfSpkFpzJPy0Puz1JeyH/niCeDwKkhEHXQTk/4O+EOD
+RxruJbwIYGeO2lNfPn2Hcb1aHvSclx7GGOYDzI4jN0UcYroJpvHZU+0X2ClpCTAW
+5IshgHkOkdUQ1c7S+5zPTeLbW+pxTlbWClA0NYMbSn68//i/DMstyBEwtTWYJLmg
+5V3HWzRd/6BwKZfDSuu5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZE
+gKNlcMuYzhheQLgu/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG
+0OLxzSgwei9DiGeNEgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot
++XC70R9prWLeyKSh0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc
+9IbcmYIDgNU3RybK2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3
+Xyk/wfKVJz6OouiJjTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTs
+uU+eVpJbxU6y8N+nXpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9
+lZ5J7znq5gEmiMXnG9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQi
+YyEtMZvbOMH/uECi2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStj
+aKXcecduE/v5iO0mOYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzau
+N4kALDx6WltFu3qUvoD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIU
+w1fr9kLEmo29ABEBAAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+
+PXuaM6JHuudLycmB0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQ
+srDUBbH74y+WaA4ldwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXz
+i1WWSHIwDvaj3uZ9CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQ
+wGTGF4cQ0IvTkhCo6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTj
+dXTalnO8wColwIx5FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3M
+zO6zAyogqJhAiBFjnRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc
+582kjeGmwdZgWFA4BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAF
+f7Ne+Z0feG/8GgKl5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJ
+z2KUe0BjtO6VFFw0xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7F
+hH8Bdby0y4SoqluvHbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFw
+GMqMCNDTEL7ESiFaFhSXkmzzVntlyvOBMlgz3IGh2hA=
+=otES
+-----END PGP PUBLIC KEY BLOCK-----

debian/watch

@@ -0,0 +1,5 @@
+version=4
+opts=\
+pgpmode=auto \
+https://thekelleys.org.uk/dnsmasq/ \
+dnsmasq-([\d.]+)@ARCHIVE_EXT@

dnsmasq.conf.example

@@ -85,6 +85,16 @@
 # subdomains to the vpn and search ipsets:
 #ipset=/yahoo.com/google.com/vpn,search
 
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to netfilters sets, which is equivalent to
+# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
+#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
+
+# Use netfilters sets for both IPv4 and IPv6:
+# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
+#nftset=/yahoo.com/4#ip#test#vpn4
+#nftset=/yahoo.com/6#ip#test#vpn6
+
 # You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
 # server=10.1.2.3@eth1
@@ -384,7 +394,7 @@
 
 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
-# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
 # you may want to uncomment some or all of them if you use
@@ -654,7 +664,7 @@
 # Provide an alias for a "local" DNS name. Note that this _only_ works
 # for targets which are names from DHCP or /etc/hosts. Give host
 # "bert" another name, bertrand
-#cname=bertand,bert
+#cname=bertrand,bert
 
 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.

man/dnsmasq.8

@@ -1,4 +1,4 @@
-.TH DNSMASQ 8 2020-04-05
+.TH DNSMASQ 8 2021-08-16
 .SH NAME
 dnsmasq \- A lightweight DHCP and caching DNS server.
 .SH SYNOPSIS
@@ -55,11 +55,13 @@ Don't read the hostnames in /etc/hosts.
 .B \-H, --addn-hosts=<file>
 Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read
 only the specified file. This option may be repeated for more than one
-additional hosts file. If a directory is given, then read all the files contained in that directory. 
+additional hosts file. If a directory is given, then read all the files contained in that directory
+in alphabetical order.
 .TP
 .B --hostsdir=<path>
 Read all the hosts files contained in the directory. New or changed files
-are read automatically. See \fB--dhcp-hostsdir\fP for details.
+are read automatically and modified and deleted files have removed records
+automatically deleted.
 .TP
 .B \-E, --expand-hosts
 Add the domain to simple names (without a period) in /etc/hosts
@@ -104,6 +106,16 @@ Dnsmasq limits the value of this option to one hour, unless recompiled.
 .B --auth-ttl=<time>
 Set the TTL value returned in answers from the authoritative server.
 .TP
+.B --fast-dns-retry=[<initial retry delay in ms>[,<time to continue retries in ms>]]
+Under normal circumstances, dnsmasq relies on DNS clients to do retries; it
+does not generate timeouts itself. Setting this option
+instructs dnsmasq to generate its own retries starting after a delay
+which defaults to 1000ms. If the second parameter is given this controls
+how long the retries will continue for
+otherwise this defaults to 10000ms. Retries are repeated with exponential
+backoff. Using this option increases memory usage and
+network bandwidth.
+.TP
 .B \-k, --keep-in-foreground
 Do not go into the background at startup but otherwise run as
 normal. This is intended for use when dnsmasq is run under daemontools
@@ -135,6 +147,9 @@ running, will go exclusively to the file.) When logging to a file,
 dnsmasq will close and reopen the file when it receives SIGUSR2. This 
 allows the log file to be rotated without stopping dnsmasq.
 .TP
+.B --log-debug
+Enable extra logging intended for debugging rather than information.
+.TP
 .B --log-async[=<lines>]
 Enable asynchronous logging and optionally set the limit on the
 number of lines
@@ -168,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
@@ -176,12 +192,20 @@ specific UDP port <query_port> instead of using random ports. NOTE
 that using this option will make dnsmasq less secure against DNS
 spoofing attacks but it may be faster and use less resources.  Setting this option
 to zero makes dnsmasq use a single port allocated to it by the
-OS: this was the default behaviour in versions prior to 2.43. 
+OS: this was the default behaviour in versions prior to 2.43.
+.TP
+.B --port-limit=<#ports>
+By default, when sending a query via random ports to multiple upstream servers or
+retrying a query dnsmasq will use a single random port for all the tries/retries.
+This option allows a larger number of ports to be used, which can increase robustness
+in certain network configurations. Note that increasing this to more than
+two or three can have security and resource implications and should only
+be done with understanding of those.
 .TP
 .B --min-port=<port>
 Do not use ports less than that given as source for outbound DNS
 queries. Dnsmasq picks random ports as source for outbound queries:
-when this option is given, the ports used will always to larger
+when this option is given, the ports used will always be larger
 than that specified. Useful for systems behind firewalls. If not specified,
 defaults to 1024.
 .TP
@@ -246,16 +270,25 @@ the address dnsmasq is listening on. When an interface is specified,
 it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
 addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
 .TP
-.B --local-service
+.B --local-service[=net|host]
+Without parameter or with net parameter, restricts service to connected network.
 Accept DNS queries only from hosts whose address is on a local subnet,
-ie a subnet for which an interface exists on the server. This option
+ie a subnet for which an interface exists on the server. With host parameter, listens
+only on lo interface and accepts queries from localhost only. This option
 only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
 \fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
 a default on installation, to allow unconfigured installations to be
 useful but also safe from being used for DNS amplification attacks.
-.TP 
+.TP
 .B \-2, --no-dhcp-interface=<interface name>
-Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
+Do not provide DHCP, TFTP or router advertisement on the specified interface, but do provide DNS service.
+.TP
+.B --no-dhcpv4-interface=<interface name>
+Disable only IPv4 DHCP on the specified interface.
+.TP
+.B 
+--no-dhcpv6-interface=<interface name>
+Disable IPv6 DHCP and router advertisement on the specified interface.
 .TP
 .B \-a, --listen-address=<ipaddr>
 Listen on the given IP address(es). Both 
@@ -296,11 +329,12 @@ option requires non-standard networking APIs and it is only available
 under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode.
 .TP
 .B \-y, --localise-queries
-Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP which depend on the interface over which the query was
+Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP and \fB--dynamic-host\fP which depend on the interface over which the query was
 received. If a name has more than one address associated with
 it, and at least one of those addresses is on the same subnet as the
 interface to which the query was sent, then return only the
-address(es) on that subnet. This allows for a server  to have multiple
+address(es) on that subnet and return all the available addresses otherwise.
+This allows for a server  to have multiple
 addresses in /etc/hosts corresponding to each of its interfaces, and
 hosts will get the correct address based on which network they are
 attached to. Currently this facility is limited to IPv4.
@@ -323,17 +357,17 @@ are re-written. So
 .B --alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
 .TP 
-.B \-B, --bogus-nxdomain=<ipaddr>
-Transform replies which contain the IP address given into "No such
-domain" replies. This is intended to counteract a devious move made by
+.B \-B, --bogus-nxdomain=<ipaddr>[/prefix]
+Transform replies which contain the specified address or subnet into "No such
+domain" replies. IPv4 and IPv6 are supported. This is intended to counteract a devious move made by
 Verisign in September 2003 when they started returning the address of
 an advertising web page in response to queries for unregistered names,
 instead of the correct NXDOMAIN response. This option tells dnsmasq to
 fake the correct response when it sees this behaviour. As at Sept 2003
 the IP address being returned by Verisign is 64.94.110.11
 .TP 
-.B --ignore-address=<ipaddr>
-Ignore replies to A-record queries which include the specified address. 
+.B --ignore-address=<ipaddr>[/prefix]
+Ignore replies to A or AAAA queries which include the specified address or subnet. 
 No error is generated, dnsmasq simply continues to listen for another reply. 
 This is useful to defeat blocking strategies which rely on quickly supplying a
 forged answer to a DNS request for certain domain, before the correct answer can arrive.
@@ -341,8 +375,29 @@ forged answer to a DNS request for certain domain, before the correct answer can
 .B \-f, --filterwin2k
 Later versions of windows make periodic DNS requests which don't get sensible answers from
 the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option
-to filter such requests. The requests blocked are for records of types SOA and SRV, and type ANY where the 
-requested name has underscores, to catch LDAP requests.
+to filter such requests. The requests blocked are for records of type ANY
+where the requested name has underscores, to catch LDAP requests, and for
+\fBall\fP records of types SOA and SRV.
+.TP
+.B --filter-A
+Remove A records from answers. No IPv4 addresses will be returned.
+.TP
+.B --filter-AAAA
+Remove AAAA records from answers. No IPv6 addresses will be returned.
+.TP
+.B --filter-rr=<rrtype>[,<rrtype>...]
+Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has
+a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME
+records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks
+(replies to ANY queries can be large) this defangs such attacks, whilst still supporting the
+one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.
+.TP
+.B --cache-rr=<rrtype>[,<rrtype>...]
+By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.
+This option adds other record types to the cache. The RR-type can be given
+as a name such as TXT or MX or a decimal number. A single --cache-rr option
+can take a comma-separated list of RR-types and more than one --cache-rr option
+is allowed. Use --cache-rr=ANY to enable caching for all RR-types.
 .TP
 .B \-r, --resolv-file=<file>
 Read the IP addresses of the upstream nameservers from <file>, instead of
@@ -368,7 +423,10 @@ provides service at that name, rather than the default which is
 .TP 
 .B --enable-ubus[=<service-name>]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
-DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics
+and allows configuration of Linux connection track mark based filtering.
+When DNS query filtering based on Linux connection track marks is enabled
+UBus notifications are generated for each resolved or filtered DNS query.
 Requires that dnsmasq has been built with UBus support. If the service
 name is given, dnsmasq provides service at that namespace, rather than
 the default which is
@@ -428,8 +486,8 @@ Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
 or domain parts, to upstream nameservers. If the name is not known
 from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
-.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source-ip>|<interface>[#<port>]]
-Specify IP address of upstream servers directly. Setting this flag does
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
+Specify upstream servers directly. Setting this flag does
 not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more
 optional domains are given, that server is used only for those domains
 and they are queried only using the specified server. This is
@@ -454,13 +512,22 @@ repeated domain or ipaddr parts as required.
 More specific domains take precedence over less specific domains, so:
 .B --server=/google.com/1.2.3.4
 .B --server=/www.google.com/2.3.4.5
-will send queries for *.google.com to 1.2.3.4, except *www.google.com,
-which will go to 2.3.4.5
+will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com
+will go to 2.3.4.5
+
+Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com
+but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/
+will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so
+if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/
+and /*google.com/ will only match supergoogle.com.
+
+For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain
+of google.com but NOT google.com itself, use /*.google.com/
 
 The special server address '#' means, "use the standard servers", so
 .B --server=/google.com/1.2.3.4
 .B --server=/www.google.com/#
-will send queries for *.google.com to 1.2.3.4, except *www.google.com which will
+will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will
 be forwarded as usual.
 
 Also permitted is a -S
@@ -488,26 +555,31 @@ The query-port flag is ignored for any servers which have a
 source address specified but the port may be specified directly as
 part of the source address. Forcing queries to an interface is not
 implemented on all platforms supported by dnsmasq.
+
+Upstream servers may be specified with a hostname rather than an IP address.
+In this case, dnsmasq will try to use the system resolver to get the IP address
+of a server during startup. If name resolution fails, starting dnsmasq fails, too.
+If the system's configuration is such that the system resolver sends DNS queries
+through the dnsmasq instance which is starting up then this will time-out and fail.
 .TP
-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]]
+.B --rev-server=<ip-address>[/<prefix-len>][,<server>][#<port>][@<interface>][@<source-ip>[#<port>]]
 This is functionally the same as 
 .B --server, 
 but provides some syntactic sugar to make specifying address-to-name queries easier. For example
 .B --rev-server=1.2.3.0/24,192.168.0.1
 is exactly equivalent to 
 .B --server=/3.2.1.in-addr.arpa/192.168.0.1
+Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6).
 .TP
 .B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
 Specify an IP address to return for any host in the given domains.
-Queries in the domains are never forwarded and always replied to
+A (or AAAA) queries in the domains are never forwarded and always replied to
 with the specified IP address which may be IPv4 or IPv6. To give
-both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
-To include multiple IP addresses for a single query, use
-\fB--addn-hosts=<path>\fP instead.
+multiple addresses or both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
 Note that /etc/hosts and DHCP leases override this for individual
 names. A common use of this is to redirect the entire doubleclick.net
 domain to some friendly local web server to avoid banner ads. The
-domain specification works in the same was as for \fB--server\fP, with
+domain specification works in the same way as for \fB--server\fP, with
 the additional facility that \fB/#/\fP matches any domain. Thus
 \fB--address=/#/1.2.3.4\fP will always return \fB1.2.3.4\fP for any
 query not answered from \fB/etc/hosts\fP or DHCP and not sent to an
@@ -521,6 +593,11 @@ address of 0.0.0.0 and its IPv6 equivalent of :: so
 its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP
 and \fB--address=/example.com/::\fP but is also more efficient than including both
 as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
+
+Note that the behaviour for queries which don't match the specified address literal changed in version 2.86.
+Previous versions, configured with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type other than
+A would return a NoData answer. From  2.86, the query is sent upstream. To restore the pre-2.86 behaviour,
+use the configuration --address=/example.com/1.2.3.4 --local=/example.com/
 .TP
 .B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
 Places the resolved IP addresses of queries for one or more domains in
@@ -533,6 +610,41 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<table>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
+Similar to the \fB--ipset\fP option, but accepts one or more nftables 
+sets to add IP addresses into.
+These sets must already exist. See
+.BR nft (8)
+for more details. The family, table and set are passed directly to the nft. If the spec starts with 4# or 6# then
+only A or AAAA records respectively are added to the set. Since an nftset can hold only IPv4 or IPv6 addresses, this
+avoids errors being logged for addresses of the wrong type.
+.TP
+.B --connmark-allowlist-enable[=<mask>]
+Enables filtering of incoming DNS queries with associated Linux connection track marks
+according to individual allowlists configured via a series of \fB--connmark-allowlist\fP
+options. Disallowed queries are not forwarded; they are rejected with a REFUSED error code.
+DNS queries are only allowed if they do not have an associated Linux connection
+track mark, or if the queried domains match the configured DNS patterns for the
+associated Linux connection track mark. If no allowlist is configured for a
+Linux connection track mark, all DNS queries associated with that mark are rejected.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before being processed.
+.TP
+.B --connmark-allowlist=<connmark>[/<mask>][,<pattern>[/<pattern>...]]
+Configures the DNS patterns that are allowed in DNS queries associated with
+the given Linux connection track mark.
+If a mask is specified, Linux connection track marks are first bitwise ANDed
+with the given mask before they are compared to the given connection track mark.
+Patterns follow the syntax of DNS names, but additionally allow the wildcard
+character "*" to be used up to twice per label to match 0 or more characters
+within that label. Note that the wildcard never matches a dot (e.g., "*.example.com"
+matches "api.example.com" but not "api.us.example.com"). Patterns must be
+fully qualified, i.e., consist of at least two labels. The final label must not be
+fully numeric, and must not be the "local" pseudo-TLD. A pattern must end with at least
+two literal (non-wildcard) labels.
+Instead of a pattern, "*" can be specified to disable allowlist filtering
+for a given Linux connection track mark entirely.
+.TP
 .B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
 Return an MX record named <mx name> pointing to the given hostname (if
 given), or
@@ -591,6 +703,12 @@ If the time-to-live is given, it overrides the default, which is zero
 or the value of \fB--local-ttl\fP. The value is a positive integer and gives
 the time-to-live in seconds.
 .TP
+.B --dynamic-host=<name>,[IPv4-address],[IPv6-address],<interface>
+Add A, AAAA and PTR records to the DNS in the same subnet as the specified interface. The address is derived from the network part of each address associated with the interface, and the host part from the specified address. For example
+.B --dynamic-host=example.com,0.0.0.8,eth0
+will, when eth0 has the address 192.168.78.x and netmask 255.255.255.0 give the
+name example.com an A record for 192.168.78.8. The same principle applies to IPv6 addresses. Note that if an interface has more than one address, more than one A or AAAA record will be created. The TTL of the records is always zero, and any changes to interface addresses will be immediately reflected in them.
+.TP
 .B \-Y, --txt-record=<name>[[,<text>],<text>]
 Return a TXT DNS record. The value of TXT record is a set of strings,
 so  any number may be included, delimited by commas; use quotes to put
@@ -658,14 +776,15 @@ configured a zero is added in front of the label. ::1 becomes 0--1.
 V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
 
 The address range can be of the form
-<ip address>,<ip address> or <ip address>/<netmask> in both forms of the option.
+<start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses
+must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use.
 .TP
 .B --dumpfile=<path/to/file>
 Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
 .TP
 .B --dumpmask=<mask>
 Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in  the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
-representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation.
+representing its type. The current types are: 0x0001 - DNS queries from clients, 0x0002 DNS replies to clients, 0x0004 - DNS queries to upstream, 0x0008 - DNS replies from upstream, 0x0010 - queries send upstream for DNSSEC validation, 0x0020 - replies to queries for DNSSEC validation, 0x0040 - replies to client queries which fail DNSSEC validation, 0x0080 replies to queries for DNSSEC validation which fail validation, 0x1000 - DHCPv4, 0x2000 - DHCPv6, 0x4000 - Router advertisement, 0x8000 - TFTP.
 .TP
 .B --add-mac[=base64|text]
 Add the MAC address of the requestor to DNS queries which are
@@ -678,6 +797,9 @@ have security and privacy implications. The warning about caching
 given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the
 MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
 .TP
+.B --strip-mac
+Remove any MAC address information already in downstream queries before forwarding upstream.  
+.TP
 .B --add-cpe-id=<string>
 Add an arbitrary identifying string to DNS queries which are
 forwarded upstream.
@@ -702,7 +824,19 @@ will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors,
 will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
 .B --add-subnet=1.2.3.4/24,1.2.3.4/24
 will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
-
+.TP
+.B --strip-subnet
+Remove any subnet address already present in a downstream query before forwarding it upstream. If --add-subnet is set this also
+ensures that any downstream-provided subnet is replaced by the one added by dnsmasq. Otherwise, dnsmasq will NOT replace an
+existing subnet in the query.
+.TP
+.B --umbrella[=[deviceid:<deviceid>][,orgid:<orgid>][,assetid:<id>]]
+Embeds the requestor's IP address in DNS queries forwarded upstream.
+If device id or, asset id or organization id are specified, the information is
+included in the forwarded queries and may be able to be used in
+filtering policies and reporting. The order of the id
+attributes is irrelevant, but they must be separated by a comma. Deviceid is
+a sixteen digit hexadecimal number, org and asset ids are decimal numbers.
 .TP
 .B \-c, --cache-size=<cachesize>
 Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
@@ -712,11 +846,25 @@ Disable negative caching. Negative caching allows dnsmasq to remember
 "no such domain" answers from upstream nameservers and answer
 identical queries without forwarding them again. 
 .TP
+.B --no-round-robin
+Dnsmasq normally permutes the order of A or AAAA records for the same
+name on successive queries, for load-balancing. This turns off that
+behaviour, so that the records are always returned in the order
+that they are received from upstream.
+.TP
+.B --use-stale-cache[=<max TTL excess in s>]
+When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the
+data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense
+of sometimes returning out-of-date data and less efficient cache utilisation, since old data cannot be flushed when its TTL expires, so the cache becomes
+mostly least-recently-used. To mitigate issues caused by massively outdated DNS replies, the maximum overaging of cached records can be specified in seconds
+(defaulting to not serve anything older than one day). Setting the TTL excess time to zero will serve stale cache data regardless how long it has expired.
+.TP
 .B \-0, --dns-forward-max=<queries>
 Set the maximum number of concurrent DNS queries. The default value is
 150, which should be fine for most setups. The only known situation
 where this needs to be increased is when using web-server log file
-resolvers, which can generate large numbers of concurrent queries.
+resolvers, which can generate large numbers of concurrent queries. This
+parameter actually controls the number of concurrent queries per server group, where a server group is the set of server(s) associated with a single domain. So if a domain has it's own server via --server=/example.com/1.2.3.4 and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected. On configurations with many such server groups and tight resources, this value may need to be reduced.
 .TP
 .B --dnssec
 Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the 
@@ -850,7 +998,7 @@ compiled in and the kernel must have conntrack support
 included and configured. This option cannot be combined with
 .B --query-port.
 .TP
-.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
+.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]
 .TP
 .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
 
@@ -860,7 +1008,7 @@ in
 .B --dhcp-host
 options. If the lease time is given, then leases
 will be given for that length of time. The lease time is in seconds,
-or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
+or minutes (eg 45m) or hours (eg 1h) or days (2d) or weeks (1w) or "infinite". If not given,
 the default lease time is one hour for IPv4 and one day for IPv6. The
 minimum lease time is two minutes. For IPv6 ranges, the lease time
 maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
@@ -980,7 +1128,7 @@ is also included, as described in RFC-3775 section 7.3.
 tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
 
 .TP
-.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
 with a particular hardware address to be always allocated the same
 hostname, IP address and lease time. A hostname specified like this
@@ -1043,7 +1191,21 @@ given in a
 .B --dhcp-host
 option, but aliases are possible by using CNAMEs. (See 
 .B --cname
-).
+). Note that /etc/hosts is NOT used when the DNS server side of dnsmasq
+is disabled by setting the DNS server port to zero.
+
+More than one
+.B --dhcp-host
+can be associated (by name, hardware address or UID) with a host. Which one is used
+(and therefore which address is allocated by DHCP and appears in the DNS) depends
+on the subnet on which the host last obtained a DHCP lease:
+the
+.B --dhcp-host
+with an address within the subnet is used. If more than one address is within the subnet,
+the result is undefined. A corollary to this is that the name associated with a host using
+.B --dhcp-host
+does not appear in the DNS until the host obtains a DHCP lease.
+
 
 The special keyword "ignore"
 tells dnsmasq to never offer a DHCP lease to a machine. The machine
@@ -1066,7 +1228,10 @@ ignore requests from unknown machines using
 If the host matches only a \fB--dhcp-host\fP directive which cannot
 be used because it specifies an address on different subnet, the tag "known-othernet" is set.
 
-The tag:<tag> construct filters which dhcp-host directives are used. Tagged directives are used in preference to untagged ones.
+The tag:<tag> construct filters which dhcp-host directives are used; more than
+one can be provided, in this case the request must match all of them. Tagged
+directives are used in preference to untagged ones. Note that one of <hwaddr>,
+<client_id> or <hostname> still needs to be specified (can be a wildcard).
 
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
@@ -1097,7 +1262,7 @@ has both wired and wireless interfaces.
 .TP
 .B --dhcp-hostsfile=<path>
 Read DHCP host information from the specified file. If a directory
-is given, then read all the files contained in that directory. The file contains 
+is given, then read all the files contained in that directory in alphabetical order. The file contains 
 information about one host per line. The format of a line is the same
 as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information
 in this file is that it can be changed without re-starting dnsmasq:
@@ -1105,7 +1270,7 @@ the file will be re-read when dnsmasq receives SIGHUP.
 .TP
 .B --dhcp-optsfile=<path>
 Read DHCP option information from the specified file.  If a directory
-is given, then read all the files contained in that directory. The advantage of 
+is given, then read all the files contained in that directory in alphabetical order. The advantage of 
 using this option is the same as for \fB--dhcp-hostsfile\fP: the
 \fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that
 it is possible to encode the information in a
@@ -1120,7 +1285,8 @@ directory, and not an individual file. Changed or new files within
 the directory are read automatically, without the need to send SIGHUP.
 If a file is deleted or changed after it has been read by dnsmasq, then the
 host record it contained will remain until dnsmasq receives a SIGHUP, or 
-is restarted; ie host records are only added dynamically.
+is restarted; ie host records are only added dynamically. The order in which the
+files in a directory are read is not defined.
 .TP
 .B --dhcp-optsdir=<path>
 This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP.
@@ -1155,7 +1321,15 @@ and to set the time-server address to 192.168.0.4, do
 or 
 .B --dhcp-option = option:ntp-server, 192.168.0.4
 The special address 0.0.0.0 is taken to mean "the address of the
-machine running dnsmasq". 
+machine running dnsmasq".
+
+An option without data is valid, and includes just the option without data.
+(There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
+provides default values can be ommitted by defining the option with no data. These are
+netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
+.B --dhcp-option = option:router
+will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
+
 
 Data types allowed are comma separated
 dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
@@ -1239,7 +1413,7 @@ DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
 .TP
-.B --dhcp-relay=<local address>,<server address>[,<interface]
+.B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
 Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
 requests arriving on that interface will we relayed to a remote DHCP
@@ -1247,10 +1421,12 @@ server at the server address. It is possible to relay from a single local
 address to multiple remote servers by using multiple \fB--dhcp-relay\fP
 configs with the same local address and different server
 addresses. A server address must be an IP literal address, not a
-domain name. In the case of DHCPv6, the server address may be the
-ALL_SERVERS multicast address, ff05::1:3. In this case the interface
-must be given, not be wildcard, and is used to direct the multicast to the
-correct interface to reach the DHCP server. 
+domain name. If the server address is omitted, the request will be
+forwarded by broadcast (IPv4) or multicast (IPv6). In this case the interface
+must be given and not be wildcard. The server address may specify a non-standard
+port to relay to. If this is used then \fB--dhcp-proxy\fP should likely also be set,
+otherwise parts of the DHCP conversation which do not pass through the relay
+will be delivered to the wrong port.
 
 Access control for DHCP clients has the same rules as for the DHCP
 server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional
@@ -1270,6 +1446,11 @@ supported: the relay function will take precedence.
 
 Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay
 DHCPv4 to a DHCPv6 server or vice-versa.
+
+The DHCP relay function for IPv6 includes the ability to snoop
+prefix-delegation from relayed DHCP transactions. See
+.B --dhcp-script
+for details. 
 .TP
 .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
 Map from a vendor-class string to a tag. Most DHCP clients provide a 
@@ -1365,6 +1546,12 @@ Any number of set: and tag: forms may appear, in any order.
 tag set by another
 .B --tag-if,
 the line which sets the tag must precede the one which tests it.
+
+As an extension, the tag:<tag> clauses support limited wildcard matching,
+similar to the matching in the \fB--interface\fP directive.  This allows, for
+example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
+received on any matching interface (ppp0, ppp1, etc).  This can be used in conjunction
+with the tag:!<tag> format meaning that no tag matching the wildcard may be set.
 .TP
 .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
 When all the given tags appear in the tag set ignore the host and do
@@ -1436,7 +1623,7 @@ functions when supported by a suitable DHCP server.
 This specifies a boot option which may appear in a PXE boot menu. <CSA> is
 client system type, only services of the correct type will appear in a
 menu. The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
-Intel_Lean_Client, IA32_EFI,  X86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
+Intel_Lean_Client, IA32_EFI,  x86-64_EFI, Xscale_EFI, BC_EFI, ARM32_EFI and ARM64_EFI; an
 integer may be used for other types. The
 parameter after the menu text may be a file name, in which case dnsmasq acts as a
 boot server and directs the PXE client to download the file by TFTP,
@@ -1495,7 +1682,6 @@ instance
 will enable dnsmasq to also provide proxy PXE service to those PXE clients with
 .I HW-Client
 in as their identifier.
->>>>>>> 907def3... pxe: support pxe clients with custom vendor-class
 .TP  
 .B \-X, --dhcp-lease-max=<number>
 Limits dnsmasq to the specified maximum number of DHCP leases. The
@@ -1546,10 +1732,11 @@ tried. This flag disables this check. Use with caution.
 Extra logging for DHCP: log all the options sent to DHCP clients and
 the tags used to determine them.
 .TP
-.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
+.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
 Suppress logging of the routine operation of these protocols. Errors and
-problems will still be logged. \fB--quiet-dhcp\fP and quiet-dhcp6 are
-over-ridden by \fB--log-dhcp\fP.
+problems will still be logged. \fB--quiet-tftp\fP does not consider file not
+found to be an error. \fB--quiet-dhcp\fP and quiet-dhcp6 are over-ridden by
+\fB--log-dhcp\fP.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Use the specified file to store DHCP lease information.
@@ -1599,7 +1786,13 @@ If dnsmasq was compiled with HAVE_BROKEN_RTC, then
 the length of the lease (in seconds) is stored in
 DNSMASQ_LEASE_LENGTH, otherwise the time of lease expiry is stored in
 DNSMASQ_LEASE_EXPIRES. The number of seconds until lease expiry is
-always stored in DNSMASQ_TIME_REMAINING. 
+always stored in DNSMASQ_TIME_REMAINING.
+
+DNSMASQ_DATA_MISSING is set to "1" during "old" events for existing
+leases generated at startup to indicate that data not stored in the
+persistent lease database will not be present. This comprises everything
+other than IP address, hostname, MAC address, DUID, IAID and lease length
+or expiry time.
 
 If a lease used to have a hostname, which is
 removed, an "old" event is generated with the new state of the lease, 
@@ -1621,6 +1814,11 @@ DNSMASQ_LOG_DHCP is set if
 .B --log-dhcp
 is in effect.
 
+DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client.
+
+DNSMASQ_MUD_URL the Manufacturer Usage Description URL if provided by the client. (See RFC8520 for details.)
+
+
 For IPv4 only:
 
 DNSMASQ_CLIENT_ID if the host provided a client-id.
@@ -1630,8 +1828,6 @@ DHCP relay-agent added any of these options.
  
 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS.
 
-DNSMASQ_REQUESTED_OPTIONS a string containing the decimal values in the Parameter Request List option, comma separated, if the parameter request list option is provided by the client.
-
 For IPv6 only:
 
 If the client provides vendor-class, DNSMASQ_VENDOR_CLASS_ID,
@@ -1674,15 +1870,25 @@ receives a HUP signal, the script will be invoked for existing leases
 with an "old" event.
 
 
-There are four further actions which may appear as the first argument
-to the script, "init", "arp-add", "arp-del" and "tftp". More may be added in the future, so
+There are five further actions which may appear as the first argument
+to the script, "init", "arp-add", "arp-del", "relay-snoop" and "tftp".
+More may be added in the future, so
 scripts should be written to ignore unknown actions. "init" is
 described below in 
 .B --leasefile-ro
+
 The "tftp" action is invoked when a TFTP file transfer completes: the
 arguments are the file size in bytes, the address to which the file
 was sent, and the complete pathname of the file.
- 
+
+The "relay-snoop" action is invoked when dnsmasq is configured as a DHCP
+relay for DHCPv6 and it relays a prefx delegation to a client. The arguments
+are the name of the interface where the client is conected, its (link-local)
+address on that interface and the delegated prefix. This information is
+sufficient to install routes to the delegated prefix of a router. See
+.B --dhcp-relay
+for more details on configuring DHCP relay.
+
 The "arp-add" and "arp-del" actions are only called if enabled with
 .B --script-arp
 They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates
@@ -1813,7 +2019,7 @@ is the address of the relay and the second, as before, specifies an extra subnet
 addresses may be allocated from.
 
 .TP
-.B \-s, --domain=<domain>[,<address range>[,local]]
+.B \-s, --domain=<domain>[[,<address range>[,local]]|<interface>]
 Specifies DNS domains for the DHCP server. Domains may be be given 
 unconditionally (without the IP range) or for limited IP ranges. This has two effects;
 firstly it causes the DHCP server to return the domain to any hosts
@@ -1847,7 +2053,11 @@ additional flag "local" may be supplied which has the effect of adding
 is identical to
 .B --domain=thekelleys.org.uk,192.168.0.0/24
 .B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
-The network size must be 8, 16 or 24 for this to be legal.
+
+The address range can also be given as a network interface name, in which case
+all of the subnets currently assigned to the interface are used in matching the
+address. This allows hosts on different physical subnets to be given different
+domains in a way which updates automatically as the interface addresses change.
 .TP
 .B --dhcp-fqdn
 In the default mode, dnsmasq inserts the unqualified names of
@@ -2020,6 +2230,41 @@ A special case of
 which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed
 in the configuration file included. Secondly, the file is re-read and the configuration
 therein is updated when dnsmasq receives SIGHUP.
+.TP
+.B \--conf-script=<file>[ <arg]
+Execute <file>, and treat what it emits to stdout as the contents of a configuration file.
+If the script exits with a non-zero exit code, dnsmasq treats this as a fatal error.
+The script can be passed arguments, space seperated from the filename and each other so, for instance
+.B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz"
+
+with /etc/dnsmasq-uncompress-ads containing 
+
+set -e
+
+zcat ${1} | sed -e "s:^:address=/:" -e "s:$:/:" 
+
+exit 0
+
+and /share/ads-domains.gz containing a compressed
+list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+.TP
+.B --max-tcp-connections=<number>
+The maximum number of concurrent TCP connections. The application forks to
+handle each TCP request. The default maximum is 20.
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
@@ -2064,20 +2309,11 @@ they expired in order to make room for new names and the total number
 of names that have been inserted into the cache. The number of cache hits and 
 misses and the number of authoritative queries answered are also given. For each upstream
 server it gives the number of queries sent, and the number which
-resulted in an error. In 
+resulted in an error. It also gives information on the number of forks for TCP connections. In
 .B --no-daemon
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 
@@ -2351,6 +2587,10 @@ following data is used to populate the authoritative zone.
 .B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record,
 as long as the record names are in the authoritative domain.
 .PP
+.B --synth-domain
+as long as the domain is in the authoritative zone and, for
+reverse (PTR) queries, the address is in the relevant subnet.
+.PP
 .B --cname
 as long as the record name is in  the authoritative domain. If the
 target of the CNAME is unqualified, then it  is qualified with the
@@ -2367,6 +2607,8 @@ IPv4 and IPv6 addresses from /etc/hosts (and
 .B --host-record
 and 
 .B --interface-name
+and
+.B ---dynamic-host
 provided the address falls into one of the subnets specified in the
 .B --auth-zone.
 .PP
@@ -2410,7 +2652,9 @@ file/directory, permissions).
 5 - Other miscellaneous problem.
 .PP
 11 or greater - a non zero return code was received from the
-lease-script process "init" call. The exit code from dnsmasq is the
+lease-script process "init" call or a
+.B \--conf-script
+file. The exit code from dnsmasq is the
 script's exit code with 10 added. 
 
 .SH LIMITS

src/arp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -230,5 +230,3 @@ int do_arp_script_run(void)
 
   return 0;
 }
-
-

src/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -105,7 +105,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   int nameoffset, axfroffset = 0;
   int q, anscount = 0, authcount = 0;
   struct crec *crecp;
-  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0;
   struct auth_zone *zone = NULL;
   struct addrlist *subnet = NULL;
   char *cut;
@@ -146,6 +146,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       if (qclass != C_IN)
 	{
 	  auth = 0;
+	  out_of_zone = 1;
 	  continue;
 	}
 
@@ -159,6 +160,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -208,7 +210,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (local_query || in_zone(zone, intr->name, NULL))
 		{	
 		  found = 1;
-		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
 					  T_PTR, C_IN, "d", intr->name))
@@ -232,7 +234,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		      strcat(name, ".");
 		      strcat(name, zone->domain);
 		    }
-		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -241,7 +243,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		}
 	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
 		{
-		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -253,10 +255,21 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    
 	    } while ((crecp = cache_find_by_addr(crecp, &addr, now, flag)));
 
+	  if (!found && is_rev_synth(flag, &addr, name) && (local_query || in_zone(zone, name, NULL)))
+	    {
+	      log_query(F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0);
+	      found = 1;
+	      
+	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				      daemon->auth_ttl, NULL,
+				      T_PTR, C_IN, "d", name))
+		anscount++;
+	    }
+
 	  if (found)
 	    nxdomain = 0;
 	  else
-	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL);
+	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0);
 
 	  continue;
 	}
@@ -273,6 +286,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -286,7 +300,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_MX)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_MX, C_IN, "sd", rec->weight, rec->target))
 		  anscount++;
@@ -301,7 +315,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_SRV)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_SRV, C_IN, "sssd", 
 					rec->priority, rec->weight, rec->srvport, rec->target))
@@ -335,7 +349,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && txt->class == qtype)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, txt->class)); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -349,7 +363,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_TXT)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_TXT, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -363,7 +377,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	     if (rc == 2 && qtype == T_NAPTR)
 	       {
 		 found = 1;
-		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
+		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
 		 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, 
 					 NULL, T_NAPTR, C_IN, "sszzzd", 
 					 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
@@ -393,13 +407,23 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		       continue;
 
 		     found = 1;
-		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
+		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &addrlist->addr))
 		       anscount++;
 		   }
 	     }
+
+       if (!found && is_name_synthetic(flag, name, &addr) )
+	 {
+	   nxdomain = 0;
+	   
+	   log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
+	   if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				   daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addr))
+	     anscount++;
+	 }
        
       if (!cut)
 	{
@@ -408,8 +432,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (qtype == T_SOA)
 	    {
 	      auth = soa = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>", 0);
 	    }
       	  else if (qtype == T_AXFR)
 	    {
@@ -444,16 +467,14 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;
-	      found = 1;
 	      axfroffset = nameoffset;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>", 0);
 	    }
       	  else if (qtype == T_NS)
 	    {
 	      auth = 1;
 	      ns = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>", 0);
 	    }
 	}
       
@@ -471,9 +492,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
+			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 			*cut  = 0; /* remove domain part */
-			found = 1;
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						daemon->auth_ttl, NULL, qtype, C_IN, 
 						qtype == T_A ? "4" : "6", &crecp->addr))
@@ -493,8 +513,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 nxdomain = 0;
 		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
-		     found = 1;
+		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &crecp->addr))
@@ -541,7 +560,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (candidate)
 	    {
-	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
+	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL, 0);
 	      strcpy(name, candidate->target);
 	      if (!strchr(name, '.'))
 		{
@@ -559,7 +578,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  else if (cache_find_non_terminal(name, now))
 	    nxdomain = 0;
 
-	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL);
+	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0);
 	}
       
     }
@@ -589,7 +608,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (subnet->prefixlen >= 16 )
 		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
-	      p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
+	      sprintf(p, "%u.in-addr.arpa", a & 0xff);
 	      
 	    }
 	  else
@@ -602,7 +621,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
 		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
 		}
-	      p += sprintf(p, "ip6.arpa");
+	      sprintf(p, "ip6.arpa");
 	      
 	    }
 	}
@@ -855,10 +874,22 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
     SET_RCODE(header, NXDOMAIN);
   else
     SET_RCODE(header, NOERROR); /* no error */
+  
   header->ancount = htons(anscount);
   header->nscount = htons(authcount);
   header->arcount = htons(0);
 
+  if (!local_query && out_of_zone)
+    {
+      SET_RCODE(header, REFUSED); 
+      header->ancount = htons(0);
+      header->nscount = htons(0);
+      addr.log.rcode = REFUSED;
+      addr.log.ede = EDE_NOT_AUTH;
+      log_query(F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0);
+      return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
+    }
+  
   /* Advertise our packet size limit in our reply */
   if (have_pseudoheader)
     return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
@@ -867,6 +898,3 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 }
   
 #endif  
-  
-
-

src/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;
 
-static void blockdata_expand(int n)
+static void add_blocks(int n)
 {
   struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
   
@@ -47,61 +47,72 @@ void blockdata_init(void)
 
   /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
   if (option_bool(OPT_DNSSEC_VALID))
-    blockdata_expand(daemon->cachesize);
+    add_blocks(daemon->cachesize);
 }
 
 void blockdata_report(void)
 {
-  my_syslog(LOG_INFO, _("pool memory in use %u, max %u, allocated %u"), 
+  my_syslog(LOG_INFO, _("pool memory in use %zu, max %zu, allocated %zu"), 
 	    blockdata_count * sizeof(struct blockdata),  
 	    blockdata_hwm * sizeof(struct blockdata),  
 	    blockdata_alloced * sizeof(struct blockdata));
 } 
 
+static struct blockdata *new_block(void)
+{
+  struct blockdata *block;
+
+  if (!keyblock_free)
+    add_blocks(50);
+  
+  if (keyblock_free)
+    {
+      block = keyblock_free;
+      keyblock_free = block->next;
+      blockdata_count++;
+      if (blockdata_hwm < blockdata_count)
+	blockdata_hwm = blockdata_count;
+      block->next = NULL;
+      return block;
+    }
+  
+  return NULL;
+}
+
 static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
   struct blockdata *block, *ret = NULL;
   struct blockdata **prev = &ret;
   size_t blen;
 
-  while (len > 0)
+  do
     {
-      if (!keyblock_free)
-	blockdata_expand(50);
-      
-      if (keyblock_free)
-	{
-	  block = keyblock_free;
-	  keyblock_free = block->next;
-	  blockdata_count++; 
-	}
-      else
+      if (!(block = new_block()))
 	{
 	  /* failed to alloc, free partial chain */
 	  blockdata_free(ret);
 	  return NULL;
 	}
-       
-      if (blockdata_hwm < blockdata_count)
-	blockdata_hwm = blockdata_count; 
+
+      if ((blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len) > 0)
+	{
+	  if (data)
+	    {
+	      memcpy(block->key, data, blen);
+	      data += blen;
+	    }
+	  else if (!read_write(fd, block->key, blen, 1))
+	    {
+	      /* failed read free partial chain */
+	      blockdata_free(ret);
+	      return NULL;
+	    }
+	}
       
-      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      if (data)
-	{
-	  memcpy(block->key, data, blen);
-	  data += blen;
-	}
-      else if (!read_write(fd, block->key, blen, 1))
-	{
-	  /* failed read free partial chain */
-	  blockdata_free(ret);
-	  return NULL;
-	}
       len -= blen;
       *prev = block;
       prev = &block->next;
-      block->next = NULL;
-    }
+    } while (len != 0);
   
   return ret;
 }
@@ -111,6 +122,58 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
   return blockdata_alloc_real(0, data, len);
 }
 
+/* Add data to the end of the block. 
+   newlen is length of new data, NOT total new length. 
+   Use blockdata_alloc(NULL, 0) to make empty block to add to. */
+int blockdata_expand(struct blockdata *block, size_t oldlen, char *data, size_t newlen)
+{
+  struct blockdata *b;
+  
+  /* find size of current final block */
+  for (b = block; oldlen > KEYBLOCK_LEN && b;  b = b->next, oldlen -= KEYBLOCK_LEN);
+
+  /* chain to short for length, something is broken */
+  if (oldlen > KEYBLOCK_LEN)
+    {
+      blockdata_free(block);
+      return 0;
+    }
+
+  while (1)
+    {
+      struct blockdata *new;
+      size_t blocksize = KEYBLOCK_LEN - oldlen;
+      size_t size = (newlen <= blocksize) ? newlen : blocksize;
+      
+      if (size != 0)
+	{
+	  memcpy(&b->key[oldlen], data, size);
+	  data += size;
+	  newlen -= size;
+	}
+      
+      /* full blocks from now on. */
+      oldlen = 0;
+
+      if (newlen == 0)
+	break;
+
+      if ((new = new_block()))
+	{
+	  b->next = new;
+	  b = new;
+	}
+      else
+	{
+	  /* failed to alloc, free partial chain */
+	  blockdata_free(block);
+	  return 0;
+	}
+    }
+
+  return 1;
+}
+
 void blockdata_free(struct blockdata *blocks)
 {
   struct blockdata *tmp;
@@ -174,4 +237,3 @@ struct blockdata *blockdata_read(int fd, size_t len)
 {
   return blockdata_alloc_real(fd, NULL, len);
 }
-

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -440,5 +440,3 @@ void route_sock(void)
 }
 
 #endif /* HAVE_BSD_NETWORK */
-
-