dnsmasq.h has to be included first as it sources config.h

Signed-off-by: DL6ER <dl6er@dl6er.de>

Makefile

@@ -70,8 +70,9 @@ nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CO
                                                         HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
-nft_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables` 
-version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+nft_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` 
+nft_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables`
+version =       -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
 sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
 sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
@@ -91,7 +92,7 @@ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
 all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
  build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \
  -f $(top)/Makefile dnsmasq 
 
@@ -116,7 +117,7 @@ all-i18n : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
  i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) $(nft_cflags)" \
  build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)"  \
  -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \

contrib/Suse/README

@@ -1,6 +0,0 @@
-This packaging is now unmaintained in the dnsmasq source: dnsmasq is
-included in Suse proper, and up-to-date packages are now available
-from 
-
-ftp://ftp.suse.com/pub/people/ug/
-

contrib/Suse/README.susefirewall

@@ -1,27 +0,0 @@
-This is a patch against SuSEfirewall2-3.1-206 (SuSE 9.x and older)
-It fixes the dependency from the dns daemon name 'named'
-After appending the patch, the SuSEfirewall is again able to autodetect 
-the dnsmasq named service.
-This is a very old bug in the SuSEfirewall script.
-The SuSE people think the name of the dns server will always 'named'
-
-
---- /sbin/SuSEfirewall2.orig	2004-01-23 13:30:09.000000000 +0100
-+++ /sbin/SuSEfirewall2	2004-01-23 13:31:56.000000000 +0100
-@@ -764,7 +764,7 @@
-     echo 'FW_ALLOW_INCOMING_HIGHPORTS_UDP should be set to yes, if you are running a DNS server!'
- 
- test "$FW_SERVICE_AUTODETECT" = yes -o "$FW_SERVICE_AUTODETECT" = dmz -o "$FW_SERVICE_AUTODETECT" = ext && {
--    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv named && {
-+    test "$FW_SERVICE_DNS" = no -a '!' "$START_NAMED" = no && check_srv dnsmasq && {
- 	echo -e 'Warning: detected activated named, enabling FW_SERVICE_DNS!
- You still have to allow tcp/udp port 53 on internal, dmz and/or external.'
- 	FW_SERVICE_DNS=$FW_SERVICE_AUTODETECT
-@@ -878,7 +878,7 @@
- test -e /etc/resolv.conf || echo "Warning: /etc/resolv.conf not found"
- # Get ports/IP bindings of NAMED/SQUID
- test "$FW_SERVICE_DNS" = yes -o "$FW_SERVICE_DNS" = dmz -o "$FW_SERVICE_DNS" = ext -o "$START_NAMED" = yes && DNS_PORT=`$LSOF -i -n -P | \
--    $AWK -F: '/^named .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
-+    $AWK -F: '/^dnsmasq .* UDP / {print $2}'| $GREP -vw 53 | $SORT -un`
- test "$FW_SERVICE_SQUID" = yes -o "$FW_SERVICE_SQUID" = dmz -o "$FW_SERVICE_SQUID" = ext -o "$START_SQUID" = yes && SQUID_PORT=`$LSOF -i -n -P | \
-     $AWK -F: '/^squid .* UDP/ {print $2}'| $SORT -un`

contrib/Suse/dnsmasq-SuSE.patch

@@ -1,23 +0,0 @@
---- man/dnsmasq.8	2004-08-08 20:57:56.000000000 +0200
-+++ man/dnsmasq.8	2004-08-12 00:40:01.000000000 +0200
-@@ -69,7 +69,7 @@
- .TP
- .B \-g, --group=<groupname> 
- Specify the group which dnsmasq will run
--as. The defaults to "dip", if available, to facilitate access to
-+as. The defaults to "dialout", if available, to facilitate access to
- /etc/ppp/resolv.conf which is not normally world readable.
- .TP
- .B \-v, --version
---- src/config.h	2004-08-11 11:39:18.000000000 +0200
-+++ src/config.h	2004-08-12 00:40:01.000000000 +0200
-@@ -44,7 +44,7 @@
- #endif
- #define DEFLEASE 3600 /* default lease time, 1 hour */
- #define CHUSER "nobody"
--#define CHGRP "dip"
-+#define CHGRP "dialout"
- #define DHCP_SERVER_PORT 67
- #define DHCP_CLIENT_PORT 68
- 
-

contrib/Suse/dnsmasq-suse.spec

@@ -1,111 +0,0 @@
-###############################################################################
-#
-# General
-#
-###############################################################################
-
-Name: dnsmasq
-Version: 2.33
-Release: 1
-Copyright: GPL
-Group: Productivity/Networking/DNS/Servers
-Vendor: Simon Kelley
-Packager: Simon Kelley
-URL: http://www.thekelleys.org.uk/dnsmasq
-Provides: dns_daemon
-Conflicts: bind bind8 bind9
-PreReq: %fillup_prereq %insserv_prereq
-Autoreqprov: on
-Source0: %{name}-%{version}.tar.bz2
-BuildRoot: /var/tmp/%{name}-%{version}
-Summary: A lightweight caching nameserver
-
-%description
-Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It 
-is designed to provide DNS and, optionally, DHCP, to a small network. It can
-serve the names of local machines which are not in the global DNS. The DHCP 
-server integrates with the DNS server and allows machines with DHCP-allocated
-addresses to appear in the DNS with names configured either in each host or 
-in a central configuration file. Dnsmasq supports static and dynamic DHCP 
-leases and BOOTP for network booting of diskless machines.
-
-
-
-###############################################################################
-#
-# Build
-#
-###############################################################################
-
-%prep
-%setup -q
-patch -p0 <rpm/%{name}-SuSE.patch
-
-%build
-%{?suse_update_config:%{suse_update_config -f}}
-make all-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-
-###############################################################################
-#
-# Install
-#
-###############################################################################
-
-%install
-rm -rf $RPM_BUILD_ROOT
-mkdir -p ${RPM_BUILD_ROOT}/etc/init.d
-make install-i18n DESTDIR=$RPM_BUILD_ROOT PREFIX=/usr
-install -o root -g root -m 755 rpm/rc.dnsmasq-suse $RPM_BUILD_ROOT/etc/init.d/dnsmasq
-install -o root -g root -m 644 dnsmasq.conf.example $RPM_BUILD_ROOT/etc/dnsmasq.conf
-strip $RPM_BUILD_ROOT/usr/sbin/dnsmasq
-ln -sf ../../etc/init.d/dnsmasq $RPM_BUILD_ROOT/usr/sbin/rcdnsmasq
-
-###############################################################################
-#
-# Clean up
-#
-###############################################################################
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-###############################################################################
-#
-# Post-install scriptlet
-#
-###############################################################################
-
-%post
-%{fillup_and_insserv dnsmasq}
-
-###############################################################################
-#
-# Post-uninstall scriptlet
-#
-# The %postun script executes after the package has been removed. It is the
-# last chance for a package to clean up after itself.
-#
-###############################################################################
-
-%postun
-%{insserv_cleanup}
-
-###############################################################################
-#
-# File list
-#
-###############################################################################
-
-%files
-%defattr(-,root,root)
-%doc CHANGELOG COPYING FAQ doc.html setup.html UPGRADING_to_2.0 rpm/README.susefirewall
-%doc contrib
-%config /etc/init.d/dnsmasq
-%config /etc/dnsmasq.conf
-/usr/sbin/rcdnsmasq
-/usr/sbin/dnsmasq
-/usr/share/locale/*/LC_MESSAGES/*
-%doc %{_mandir}/man8/dnsmasq.8.gz
-%doc %{_mandir}/*/man8/dnsmasq.8.gz
-
-

contrib/Suse/rc.dnsmasq-suse

@@ -1,79 +0,0 @@
-#! /bin/sh
-#
-# init.d/dnsmasq
-#
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:
-# Default-Start:  3 5
-# Default-Stop:
-# Description:    Starts internet name service masq caching server (DNS)
-### END INIT INFO
-
-NAMED_BIN=/usr/sbin/dnsmasq
-NAMED_PID=/var/run/dnsmasq.pid
-NAMED_CONF=/etc/dnsmasq.conf
-
-if [ ! -x $NAMED_BIN ] ; then
-	echo -n "dnsmasq not installed ! "
-	exit 5
-fi
-
-. /etc/rc.status
-rc_reset
-
-case "$1" in
-    start)
-	echo -n "Starting name service masq caching server "
-        checkproc -p $NAMED_PID $NAMED_BIN
-        if [ $? -eq 0 ] ; then
-           echo -n "- Warning: dnsmasq already running ! "
-        else
-           [ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists ! "
-	fi
-	startproc -p $NAMED_PID $NAMED_BIN -u nobody
-	rc_status -v
-	;;
-    stop)
-	echo -n "Shutting name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -TERM $NAMED_BIN
-	rc_status -v
-	;;
-    try-restart)
-	$0 stop  &&  $0 start
-	rc_status
-	;;
-    restart)
-	$0 stop
-	$0 start
-	rc_status
-	;;
-    force-reload)
-	$0 reload
-	rc_status
-	;;
-    reload)
-	echo -n "Reloading name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running ! "
-	killproc -p $NAMED_PID -HUP $NAMED_BIN
-	rc_status -v
-	;;
-    status)
-	echo -n "Checking for name service masq caching server "
-	checkproc -p $NAMED_PID $NAMED_BIN
-	rc_status -v
-	;;
-    probe)
-	test $NAMED_CONF -nt $NAMED_PID && echo reload
-	;;
-    *)
-	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-	exit 1
-	;;
-esac
-rc_exit
-

debian/changelog

@@ -1,6 +1,7 @@
 dnsmasq (2.87-1) unstable; urgency=low
 
    * New upstream.
+   * Include new NFTset support in the build.  	
 
  -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 08 Sep 2021 23:11:25 +0000
 

debian/control

@@ -5,7 +5,7 @@ Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
                libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
                nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
 	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
-               pkg-config
+               pkg-config, libnftables-dev
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
 Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
 Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git

debian/readme

@@ -60,6 +60,7 @@ Notes on configuring dnsmasq as packaged for Debian.
       nodbus      : omit DBus support.
       noconntrack : omit connection tracking support. 
       noipset     : omit IPset support.
+      nonftset    : omit nftset support.
       nortc       : compile alternate mode suitable for systems without an RTC.
       noi18n      : omit translations and internationalisation support.
       noidn       : omit international domain name support, must be

debian/rules

@@ -52,6 +52,10 @@ ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
 	DEB_COPTS += -DHAVE_LIBIDN2
 endif
 
+ifeq (,$(filter nonftset, $(DEB_BUILD_OPTIONS)))
+	DEB_COPTS += -DHAVE_NFTSET
+endif
+
 ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
 ifeq ($(DEB_HOST_ARCH_OS),linux)
      DEB_COPTS += -DHAVE_CONNTRACK

man/dnsmasq.8

@@ -518,9 +518,7 @@ Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is
 Specify an IP address to return for any host in the given domains.
 Queries in the domains are never forwarded and always replied to
 with the specified IP address which may be IPv4 or IPv6. To give
-both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
-To include multiple IP addresses for a single query, use
-\fB--addn-hosts=<path>\fP instead.
+multiple addresses or both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
 Note that /etc/hosts and DHCP leases override this for individual
 names. A common use of this is to redirect the entire doubleclick.net
 domain to some friendly local web server to avoid banner ads. The

src/dnsmasq.c

@@ -17,8 +17,13 @@
 /* Declare static char *compiler_opts  in config.h */
 #define DNSMASQ_COMPILE_OPTS
 
+/* dnsmasq.h has to be included first as it sources config.h */
 #include "dnsmasq.h"
 
+#if defined(HAVE_IDN) || defined(HAVE_LIBIDN2) || defined(LOCALEDIR)
+#include <locale.h>
+#endif
+
 struct daemon *daemon;
 
 static volatile pid_t pid = 0;
@@ -69,8 +74,10 @@ int main (int argc, char **argv)
   int tftp_prefix_missing = 0;
 #endif
 
-#ifdef LOCALEDIR
+#if defined(HAVE_IDN) || defined(HAVE_LIBIDN2) || defined(LOCALEDIR)
   setlocale(LC_ALL, "");
+#endif
+#ifdef LOCALEDIR
   bindtextdomain("dnsmasq", LOCALEDIR); 
   textdomain("dnsmasq");
 #endif
@@ -1682,6 +1689,11 @@ static void poll_resolv(int force, int do_reload, time_t now)
 	}
       else 
 	{
+	  /* If we're delaying things, we don't call check_servers(), but 
+	     reload_servers() may have deleted some servers, rendering the server_array
+	     invalid, so just rebuild that here. Once reload_servers() succeeds,
+	     we call check_servers() above, which calls build_server_array itself. */
+	  build_server_array();
 	  latest->mtime = 0;
 	  if (!warned)
 	    {

src/dnsmasq.h

@@ -1173,9 +1173,12 @@ extern struct daemon {
   char *packet; /* packet buffer */
   int packet_buff_sz; /* size of above */
   char *namebuff; /* MAXDNAME size buffer */
+#if (defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)) || defined(HAVE_DNSSEC)
+  /* CONNTRACK UBUS code uses this buffer, as well as DNSSEC code. */
+  char *workspacename;
+#endif
 #ifdef HAVE_DNSSEC
   char *keyname; /* MAXDNAME size buffer */
-  char *workspacename; /* ditto */
   unsigned long *rr_status; /* ceiling in TTL from DNSSEC or zero for insecure */
   int rr_status_sz;
   int dnssec_no_time_check;

src/domain-match.c

@@ -395,7 +395,7 @@ int is_local_answer(time_t now, int first, char *name)
 
 size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, char *limit, int first, int last, int ede)
 {
-  int trunc = 0;
+  int trunc = 0, anscount = 0;
   unsigned char *p;
   int start;
   union all_addr addr;
@@ -418,9 +418,8 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 	else
 	  addr.addr4 = srv->addr;
 	
-	header->ancount = htons(ntohs(header->ancount) + 1);
-	if (!add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr))
-	  return 0;
+	if (add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr))
+	  anscount++;
 	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, name, (union all_addr *)&addr, NULL, 0);
       }
   
@@ -434,14 +433,15 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 	else
 	  addr.addr6 = srv->addr;
 	
-	header->ancount = htons(ntohs(header->ancount) + 1);
-	add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_AAAA, C_IN, "6", &addr);
+	if (add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_AAAA, C_IN, "6", &addr))
+	  anscount++;
 	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, name, (union all_addr *)&addr, NULL, 0);
       }
 
   if (trunc)
     header->hb3 |= HB3_TC;
-
+  header->ancount = htons(anscount);
+  
   return p - (unsigned char *)header;
 }
 
@@ -630,7 +630,7 @@ int add_update_server(int flags,
   /* See if there is a suitable candidate, and unmark
      only do this for forwarding servers, not 
      address or local, to avoid delays on large numbers. */
-  if (flags & SERV_IS_LOCAL)
+  if (!(flags & SERV_IS_LOCAL))
     for (serv = daemon->servers; serv; serv = serv->next)
       if ((serv->flags & SERV_MARK) &&
 	  hostname_isequal(alloc_domain, serv->domain))

src/forward.c

@@ -173,7 +173,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
   void *hash = hash_questions(header, plen, daemon->namebuff);
   unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
-  int old_src = 0;
+  int old_src = 0, old_reply = 0;
   int first, last, start = 0;
   int subnet, cacheable, forwarded = 0;
   size_t edns0_len;
@@ -199,7 +199,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
      Similarly FREC_NO_CACHE is never set in flags, so a query which is
      contigent on a particular source address EDNS0 option will never be matched. */
   if (forward)
-    old_src = 1;
+    {
+      old_src = 1;
+      old_reply = 1;
+    }
   else if ((forward = lookup_frec_by_query(hash, fwd_flags,
 					   FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION |
 					   FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE)))
@@ -376,9 +379,18 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 		  /* In strict order mode, there must be a server later in the list
 		     left to send to, otherwise without the forwardall mechanism,
 		     code further on will cycle around the list forwever if they
-		     all return REFUSED. If at the last, give up. */
+		     all return REFUSED. If at the last, give up.
+		     Note that we can get here EITHER because a client retried,
+		     or an upstream server returned REFUSED. The above only
+		     applied in the later case. For client retries,
+		     keep tyring the last server.. */
 		  if (++start == last)
-		    goto reply;
+		    {
+		      if (old_reply)
+			goto reply;
+		      else
+			start--;
+		    }
 		}
 	    }	  
 	}

src/option.c

@@ -963,13 +963,9 @@ static char *domain_rev4(int from_file, char *server, struct in_addr *addr4, int
   
   if (size > 32 || size < 1)
     return _("bad IPv4 prefix length");
-  
-  for (i = 0; i < addrbytes; i++)
-    if (((u8 *)addr4)[3-i] != 0)
-      break;
-  
-  if (i != addrbytes || (((u8 *)addr4)[3-addrbytes] & ((1 << addrbits) - 1)) != 0)
-    return _("address part not zero");
+
+  /* Zero out last address bits according to CIDR mask */
+  ((u8 *)addr4)[3-addrbytes] &= ~((1 << addrbits)-1);
   
   size = size & ~0x7;
   
@@ -1026,13 +1022,9 @@ static char *domain_rev6(int from_file, char *server, struct in6_addr *addr6, in
   
   if (size > 128 || size < 1)
     return _("bad IPv6 prefix length");
-
-  for (i = 0; i < addrbytes; i++)
-    if (addr6->s6_addr[15-i] != 0)
-      break;
   
-  if (i != addrbytes || (addr6->s6_addr[15-addrbytes] & ((1 << addrbits) - 1)) != 0)
-    return _("address part not zero");
+  /* Zero out last address bits according to CIDR mask */
+  addr6->s6_addr[15-addrbytes] &= ~((1 << addrbits) - 1);
   
   size = size & ~0x3;
   
@@ -2235,8 +2227,10 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	comma = split(arg);
 		
 	new = opt_malloc(sizeof(struct auth_zone));
-	new->domain = opt_string_alloc(arg);
-	new->subnet = NULL;
+	new->domain = canonicalise_opt(arg);
+	if (!new->domain)
+	  ret_err_free(_("invalid auth-zone"), new);
+ 	new->subnet = NULL;
 	new->exclude = NULL;
 	new->interface_names = NULL;
 	new->next = daemon->auth_zones;
@@ -2766,7 +2760,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	
 	if (!arg || !*arg)
 	  flags = SERV_LITERAL_ADDRESS;
-	else if (option != 'S')
+	else if (option == 'A')
 	  {
 	    /* # as literal address means return zero address for 4 and 6 */
 	    if (strcmp(arg, "#") == 0)
@@ -2798,7 +2792,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		  flags &= ~SERV_FOR_NODOTS;
 
 		/* address=/#/ matches the same as without domain */
-		if (option != 'S' && domain[0] == '#' && domain[1] == 0)
+		if (option == 'A' && domain[0] == '#' && domain[1] == 0)
 		  domain[0] = 0;
 	      }
 	    

src/util.c

@@ -233,8 +233,6 @@ char *canonicalise(char *in, int *nomem)
     {
 #  ifdef HAVE_LIBIDN2
       rc = idn2_to_ascii_lz(in, &ret, IDN2_NONTRANSITIONAL);
-      if (rc == IDN2_DISALLOWED)
-	rc = idn2_to_ascii_lz(in, &ret, IDN2_TRANSITIONAL);
 #  else
       rc = idna_to_ascii_lz(in, &ret, 0);
 #  endif
@@ -430,13 +428,12 @@ int hostname_issubdomain(char *a, char *b)
 time_t dnsmasq_time(void)
 {
 #ifdef HAVE_BROKEN_RTC
-  struct tms dummy;
-  static long tps = 0;
+  struct timespec ts;
 
-  if (tps == 0)
-    tps = sysconf(_SC_CLK_TCK);
+  if (clock_gettime(CLOCK_MONOTONIC, &ts) < 0)
+    die(_("cannot read monotonic clock: %s"), NULL, EC_MISC);
 
-  return (time_t)(times(&dummy)/tps);
+  return ts.tv_sec;
 #else
   return time(NULL);
 #endif