Update German translations.

Description: Fix some issues, some causing lintian warnings
 Pointless quotation marks which get displayed in the rendered manual page.
 groff-message troff:<standard input>:868: warning:
  macro 'Om' not defined
  [usr/share/man/sv/man8/dnsmasq.8.gz:1]
 groff-message troff:<standard input>:2846: warning:
  macro 'SH-FILER' not defined (possibly missing space after 'SH')
  [usr/share/man/sv/man8/dnsmasq.8.gz:2]
Author: Sven Geuer <sge@debian.org>
Forwarded: no
Last-Update: 2025-12-04

.gitignore

@@ -7,15 +7,4 @@ src/.copts_*
 contrib/lease-tools/dhcp_lease_time
 contrib/lease-tools/dhcp_release
 contrib/lease-tools/dhcp_release6
-debian/.debhelper
-debian/auto-build
-debian/debhelper-build-stamp
-debian/files
-debian/*.substvars
-debian/*.debhelper
-debian/*.log
-debian/dnsmasq-base-lua/
-debian/dnsmasq-base/
-debian/dnsmasq-utils/
-debian/dnsmasq/
-debian/tmp
+

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "debian"]
+	path = debian
+	url = git://thekelleys.org.uk/dnsmasq-debian.git
+[submodule "submodules/dnsmasq-debian"]
+	path = submodules/dnsmasq-debian
+	url = https://thekelleys.org.uk/git/dnsmasq-debian

CHANGELOG

@@ -1,3 +1,211 @@
+version 2.92
+        Redesign the interaction between DNSSEC validation and per-domain
+	servers, specified as --server=/<domain>/<ip-address>. This should
+	just work in all cases now. If the normal chain-of-trust exists into
+	the delegated domain then whether the domain is signed or not, DNSSEC
+	validation will function normally. In the case the delegated domain
+	is an "overlay" on top of the global DNS and no NS and/or DS records
+	exist connecting it to the global dns, then if the domain is
+	unsigned the situation will be handled by synthesising a
+	proof-of-non-existence-of-DS for the domain and queries will be
+	answered unvalidated; this action will be logged. A signed domain
+	without chain-of-trust can be validated if a suitable trust-anchor
+	is provided using --trust-anchor. This change should be backwards
+	compatible for all existing working configurations; it extends the
+	space of possible configurations which are functional.
+
+	Fix a couple of problems with DNSSEC validation and DNAME. One
+	could cause validation failure on correct domains, and the other
+	would fail to spot an invalid domain. Thanks to Graham Clinch
+	for spotting the problem.
+
+	Add --log-queries=auth option to only log replies from the auth DNS
+	facility.
+
+	Fix some edge-cases with domains and --address and --server. There
+	has been some regressions with this in previous releases. This change
+	fixes the priority order from lower to highest as:
+	--address with a IPv4 or IPv6 address (as long as the query matches the type)
+        --address with # for all-zeros, as long as the query is A or AAAA)
+        --address with no address, which returns NXDOMAIN or NOERROR for all types.
+        --server with address set to # to use the unqualified servers.
+        --server with matching domain.
+        --server without domain or from /etc/resolv.conf.
+
+	Fix problems with ipset or nftset and TCP DNS transport. Previously
+	this was racy, and insertion of addresses could fail on a busy server
+	when DNS-over-TCP transport was involved.
+
+	DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
+    	The large public DNS services seem not to return proof-of-nonexistence
+	for DS records at the start of RFC-1918 in-addr.arpa domains and the their
+	IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
+	Since dnsmasq already has an option which instructs it not bother
+	upstream servers with pointless queries about these address ranges,
+	namely --bogus-priv, we extend that to enable behaviour which allows
+	dnsmasq to assume that insecure NXDOMAIN replies for these domains
+	are expected and to assume that the domains are legitimately unsigned.
+	This behaviour only matters when some address range is directed to
+	another upstream server using --rev-server. In that case it allows
+	replies from that server to pass DNSSEC validation. Without such a
+	server configured, queries are never sent upstream so they are never
+	validated and the new behaviour is moot.
+
+	Add support for leasequery to the dnsmasq DHCPv4 server.
+	This has to be specifically enabled with the --leasequery option.
+	Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
+	this enhancement to dnsmasq.
+
+	Fix failure to cache PTR RRs when a reply contains more than one answer.
+	Thanks to Dmitry for spotting this.
+
+	Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
+	
+	Change the behaviour of the DHCPv6 server when a REBIND message
+	is received but no lease exists. Under these circumstances a new
+	lease is created _only_ when the --dhcp-authoritative option is
+	set. This matches the behavior of the DHCPv4 server.
+
+	Add --dhcp-split-relay option. This makes a DHCPv4 relay which
+	is functional when client and server networks aren't mutually
+	route-able.
+
+	Fix failure to add client MAC address to queries in TCP mode.
+	The options which cause	dnsmasq	to decorate a DNS query	with the MAC
+	address	on the originating client can fail when the query is sent
+	using TCP. Thanks to Bruno Ravara for spotting and
+	characterising this bug.
+
+	
+version 2.91
+	Fix spurious "resource limit exceeded messages". Thanks to 
+	Dominik Derigs for the bug report.
+
+	Fix out-of-bounds heap read in order_qsort().
+	We only need to order two server records on the ->serial field.
+	Literal address records are smaller and don't have
+	this field and don't need to be ordered on it.
+	To actually provoke this bug seems to need the same server-literal
+	to be repeated twice, e.g., --address=/a/1.1.1.1 --address-/a/1.1.1.1
+	which is clearly rare in the wild, but if it did exist it could
+	provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one.
+
+	Fix buffer overflow when configured lease-change script name
+	is too long.
+	Thanks to Daniel Rhea for finding this one.
+
+	Improve behaviour in the face of non-responsive upstream TCP DNS
+	servers. Without shorter timeouts, clients are blocked for too long
+	and fail with their own timeouts.
+
+	Set --fast-dns-retries by default when doing DNSSEC. A single
+	downstream query can trigger many upstream queries. On an
+	unreliable network, there may not be enough downstream retries
+	to ensure that all these queries complete.
+
+	Improve behaviour in the face of truncated answers to queries
+	for DNSSEC records. Getting these answers by TCP doesn't now
+	involve a faked truncated answer to the downstream client to
+	force it to move to TCP. This improves performance and robustness
+	in the face of broken clients which can't fall back to TCP.
+
+	No longer remove data from truncated upstream answers. If an
+	upstream replies with a truncated answer, but the answer has some
+	RRs included, return those RRs, rather than returning and
+	empty answer.
+
+	Fix handling of EDNS0 UDP packet sizes.
+	When talking upstream we always add a pseudo header, and set the
+        UDP packet size to --edns-packet-max. Answering queries from
+	downstream, we get the answer (either from upstream or local
+	data) If local data won't fit the advertised size (or 512 if
+	there's not an EDNS0 header) return truncated. If upstream
+        returns truncated, do likewise. If upstream is OK, but the
+	answer is too big for downstream, truncate the answer.
+
+	Modify the behaviour of --synth-domain for IPv6.
+	When deriving a domain name from an IPv6 address, an address
+	such as 1234:: would become 1234--.example.com, which is
+	not legal in IDNA2008. Stop using the :: compression method,
+	so 1234:: becomes
+	1234-0000-0000-0000-0000-0000-0000-0000.example.com
+
+	Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
+	this problem.
+
+	Add --dhcp-option-pxe config. This acts almost exactly like
+	--dhcp-option except that the defined option is only sent when
+	replying to PXE clients. More importantly, these options are sent
+	in reply PXE clients when dnsmasq in acting in PXE proxy mode. In
+	PXE proxy mode, the set of options sent is defined by the PXE standard
+	and the normal set of options is not sent. This config allows arbitrary
+	options in PXE-proxy replies. A typical use-case is to send option
+	175 to iPXE. Thanks to Jason Berry for finding the requirement for
+	this.
+
+	Support PXE proxy-DHCP and DHCP-relay at the same time.
+        When using PXE proxy-DHCP, dnsmasq supplies PXE information to
+        the client, which also talks to another "normal" DHCP server
+        for address allocation and similar. The normal DHCP server may
+        be on the local network, but it may also be remote, and accessed via
+        a DHCP relay. This change allows dnsmasq to act as both a
+        PXE proxy-DHCP server AND a DHCP relay for the same network.
+
+	Fix erroneous "DNSSEC validated" state with non-DNSSEC
+	upstream servers.  Thanks to Dominik Derigs for the bug report.
+
+	Handle queries with EDNS client subnet fields better. If dnsmasq
+	is configured to add an EDNS client subnet to a query, it is careful
+	to suppress use of the cache, since a cached answer may not be valid
+	for a query with a different client subnet. Extend this behaviour
+	to queries which arrive a dnsmasq already carrying an EDNS client
+	subnet.
+
+	Handle DS queries to auth zones. When dnsmasq is configured to
+	act as an authoritative server and has an authoritative zone
+	configured, and receives a query for that zone _as_forwarder_
+	it answers the query directly rather than forwarding it. This
+	doesn't affect the answer, but it saves dnsmasq forwarding the
+	query to the recursor upstream, which then bounces it back to dnsmasq
+	in auth mode. The exception should be when the query is for the root
+	of zone, for a DS RR. The answer to that has to come from the parent,
+	via the recursor, and will typically be a proof-of-non-existence
+	since dnsmasq doesn't support signed zones. This patch suppresses
+	local answers and forces forwarding to the upstream recursor for such
+	queries. It stops breakage when a DNSSEC validating client makes
+	queries to dnsmasq acting as forwarder for a zone for which it is
+	authoritative.
+
+	Implement "DNS-0x20 encoding", for extra protection against
+	reply-spoof attacks. Since DNS queries are case-insensitive,
+	it's possible to randomly flip the case of letters in a query
+	and still get the correct answer back.
+	This adds an extra dimension for a cache-poisoning attacker
+	to guess when sending replies in-the-blind since it's expected
+	that the legitimate answer will have the same  pattern of upper
+	and lower case as the query, so any replies which don't can be
+	ignored as malicious. The amount of extra entropy clearly depends
+	on the number of a-z and A-Z characters in the query, and this
+	implementation puts a hard limit of 32 bits to make resource
+	allocation easy. This about doubles entropy over the standard
+	random ID and random port combination. This technique can interact
+	badly with rare broken DNS servers which don't preserve the case
+	of the query in their reply. The first time a reply is returned
+	which matches the query in all respects except case, a warning
+	will be logged. In this release, 0x020-encoding is default-off
+	and must be explicitly enabled with --do-0x20-encoding. In future
+	releases it may default on. You can avoid a future release
+	changing the behaviour of an installation with --no-x20-encode.
+	
+	Fix a long-standing problem when two queries which are identical
+	in every respect _except_ case, get combined by dnsmasq. If
+	dnsmasq gets eg, two queries for example.com and Example.com
+	in quick succession it will get the answer for example.com from
+	upstream and send that answer to both requestors. This means that
+	the query for Example.com will get an answer for example.com, and
+	in the modern DNS, that answer may not be accepted.
+
+	
 version 2.90
 	Fix reversion in --rev-server introduced in 2.88 which
 	caused breakage if the prefix length is not exactly divisible
@@ -8,7 +216,7 @@ version 2.90
 	for a particular domain. Thanks to Daniel Danzberger for
 	spotting this bug.
 
-	Set the default maximum DNS UDP packet sice to 1232. This
+	Set the default maximum DNS UDP packet size to 1232. This
 	has been the recommended value since 2020 because it's the
 	largest value that avoid fragmentation, and fragmentation
 	is just not reliable on the modern internet, especially
@@ -16,16 +224,61 @@ version 2.90
 	--edns-packet-max for special circumstances.
 
 	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
-	better control over which inetrfaces are providing DHCP service.
+	better control over which interfaces are providing DHCP service.
 
 	Fix issue with stale caching: After replying with stale data,
 	dnsmasq sends the query upstream to refresh the cache asynchronously
 	and sometimes sends the wrong packet: packet length can be wrong,
 	and if an EDE marking stale data is added to the answer that can
 	end up in the query also. This bug only seems to cause problems
-	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
+	when the upstream server is a DOH/DOT proxy. Thanks to Justin He
 	for the bug report.
+
+	Add configurable caching for arbitrary RR-types.
+
+	Add --filter-rr option, to filter arbitrary RR-types.
+	--filter-rr=ANY has a special meaning: it filters the
+	answers to queries for the ANY RR-type.
 	
+	Add limits on the resources used to do DNSSEC validation.
+	DNSSEC introduces a potential CPU DoS, because a crafted domain
+	can force a validator to a large number of cryptographic
+	operations whilst attempting to do validation. When using TCP
+	transport a DNSKEY RRset contain thousands of members and any
+	RRset can have thousands of signatures. The potential number
+	of signature validations to follow the RFC for validation
+	for one RRset is the cross product of the keys and signatures,
+	so millions. In practice, the actual numbers are much lower,
+	so attacks can be mitigated by limiting the amount of
+	cryptographic "work" to a much lower amount. The actual
+	limits are number a signature validation fails per RRset(20),
+	number of signature validations and hash computations
+	per query(200), number of sub-queries  to fetch  DS and DNSKEY
+	RRsets per query(40), and the number of iterations in a
+	NSEC3 record(150). These values are sensible, but there is, as yet,
+	no standardisation on the values for a "conforming" domain, so a
+	new option --dnssec-limit is provided should they need to be altered.
+	The algorithm to validate DS records has also been altered to reduce
+	the maximum work from cross product of the number of DS records and
+	number of DNSKEYs to the cross product of the number of DS records
+	and supported DS digest types. As the number of DS digest types
+	is in single figures, this reduces the exposure.
+
+	Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
+	and Michael Waidner from the German National Research Center for
+	Applied Cybersecurity ATHENE for finding this vulnerability.
+
+	CVE 2023-50387 and CVE 2023-50868 apply.
+	Note that this a security vulnerability only when DNSSEC validation
+	is enabled.
+	
+	Fix memory-leak when attempting to cache SRV records with zero TTL.
+	Thanks to Damian Sawicki for the bug report.
+
+	Add --max-tcp-connections option to make limit on TCP handling
+	processes configurable.  Also keep stats on how near the limit
+	we're getting, to help with tuning. Patch from Damian Sawicki.
+
 	
 version 2.89
         Fix bug introduced in 2.88 (commit fe91134b) which can result
@@ -102,7 +355,7 @@ version 2.88
 	upstream servers from /etc/resolv.conf or other sources that
 	can change dnsmasq tries to avoid memory fragmentation by re-using
 	existing records that are being re-read unchanged. This involves
-	seaching all the server records for each new one installed.
+	searching all the server records for each new one installed.
 	During startup this search is pointless, and can cause long
 	start times with thousands of --server options because the work
 	needed is O(n^2). Handle this case more intelligently.
@@ -165,7 +418,7 @@ version 2.87
 
 	Enhance --domain to accept, for instance,
 	--domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
-	which relects the interface they are attached to in a way which
+	which reflects the interface they are attached to in a way which
 	doesn't require hard-coding addresses. Thanks to Sten Spans for
 	the idea.
 
@@ -539,22 +792,22 @@ version 2.80
         but those which used the default of no checking will need to be
         altered to explicitly select no checking. The new default is
         because switching off checking for unsigned replies is
-	inherently dangerous. Not only does it open the possiblity of forged
+	inherently dangerous. Not only does it open the possibility of forged
         replies, but it allows everything to appear to be working even
         when the upstream namesevers do not support DNSSEC, and in this
-        case no DNSSEC validation at all is occuring.
+        case no DNSSEC validation at all is occurring.
 
         Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip
 	are set. Thanks to Daniel Miess for help with this.
 
-	Add a facilty to store DNS packets sent/recieved in a
+	Add a facility to store DNS packets sent/received in a
 	pcap-format file for later debugging. The file location
 	is given by the --dumpfile option, and a bitmap controlling
 	which packets should be dumped is given by the --dumpmask
 	option.
 
 	Handle the case of both standard and constructed dhcp-ranges on the
-	same interface better. We don't now contruct a dhcp-range if there's
+	same interface better. We don't now construct a dhcp-range if there's
 	already one specified. This allows the specified interface to
 	have different parameters and avoids advertising the same
 	prefix twice. Thanks to Luis Marsano for spotting this case.
@@ -1024,7 +1277,7 @@ version 2.73
 
 	Use inotify for checking on updates to /etc/resolv.conf and
 	friends under Linux. This fixes race conditions when the files are 
-	updated rapidly and saves CPU by noy polling. To build
+	updated rapidly and saves CPU by not polling. To build
 	a binary that runs on old Linux kernels without inotify,
 	use make COPTS=-DNO_INOTIFY
 
@@ -1364,7 +1617,7 @@ version 2.68
 	are dynamic and works much better than the previous
 	work-around which exempted constructed DHCP ranges from the
 	IP address filtering. As a consequence, that work-around
-	is removed. Under certain circumstances, this change wil
+	is removed. Under certain circumstances, this change will
 	break existing configuration: if you're relying on the
 	constructed-range exception, you need to change --auth-zone
 	to specify the same interface as is used to construct your
@@ -1821,7 +2074,7 @@ version 2.61
 
 	Set the environment variable DNSMASQ_LOG_DHCP when running
 	the script id --log-dhcp is in effect, so that script can
-	taylor their logging verbosity. Suggestion from Malte
+	tailor their logging verbosity. Suggestion from Malte
 	Forkel.
 
 	Arrange that addresses specified with --listen-address

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -63,20 +63,16 @@ ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CON
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
 lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` 
 lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` 
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
-                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
-                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
-                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \
-                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed'`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed'`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 nft_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` 
 nft_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables`
 version =       -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
-sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
-sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
+sum?=$(shell echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
+sum!=echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
 copts_conf = .copts_$(sum)
 
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
@@ -85,7 +81,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
        poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
-       metrics.o hash-questions.o domain-match.o nftset.o
+       metrics.o domain-match.o nftset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h metrics.h
@@ -106,9 +102,7 @@ clean : mostly_clean
 	rm -f core */core
 	rm -f *~ contrib/*/*~ */*~
 
-install : all install-common
-
-install-common :
+install : all
 	$(INSTALL) -d $(DESTDIR)$(BINDIR)
 	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
@@ -125,7 +119,11 @@ all-i18n : $(BUILDDIR)
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
 	done
 
-install-i18n : all-i18n install-common
+install-i18n : all-i18n
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
+	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)
 	cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
 	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 

bld/Android.mk

@@ -11,14 +11,14 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
 		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
-		    crypto.c dump.c ubus.c metrics.c hash-questions.c \
-                    domain-match.c
+		    crypto.c dump.c ubus.c metrics.c \
+                    domain-match.c nftset.c
 
 LOCAL_MODULE := dnsmasq
 
 LOCAL_C_INCLUDES := external/dnsmasq/src
 
-LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT
+LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_TFTP -DNO_SCRIPT
 LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils
 
 LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog

contrib/leasequery/leasequery.c

@@ -0,0 +1,695 @@
+/* leasequery is Copyright (c) 2025 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Author's email: simon@thekelleys.org.uk */
+
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <limits.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
+#include <netdb.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+typedef unsigned long long u64;
+
+#define INADDRSZ        4
+#define ADDRSTRLEN      46
+
+#define option_len(opt) ((int)(((unsigned char *)(opt))[1]))
+#define option_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[2u+(unsigned int)(i)]))
+
+#define DHCP_CHADDR_MAX  16
+#define DHCP_SERVER_PORT 67
+#define DHCP_CLIENT_PORT 68
+#define BOOTREQUEST      1
+#define BOOTREPLY        2
+
+#define DHCP_COOKIE              0x63825363
+
+#define DHCPLEASEQUERY          10
+#define DHCPLEASEUNASSIGNED     11
+#define DHCPLEASEUNKNOWN        12
+#define DHCPLEASEACTIVE         13
+
+#define OPTION_END               255
+#define OPTION_ROUTER            3
+#define OPTION_VENDOR_CLASS_OPT  43
+#define OPTION_LEASE_TIME        51
+#define OPTION_MESSAGE_TYPE      53
+#define OPTION_SERVER_IDENTIFIER 54
+#define OPTION_REQUESTED_OPTIONS 55
+#define OPTION_VENDOR_ID         60
+#define OPTION_CLIENT_ID         61
+
+/* flags in top of length field for DHCP-option tables */
+#define OT_ADDR_LIST    0x8000
+#define OT_RFC1035_NAME 0x4000
+#define OT_INTERNAL     0x2000
+#define OT_NAME         0x1000
+#define OT_CSTRING      0x0800
+#define OT_DEC          0x0400 
+#define OT_TIME         0x0200
+
+#define GETSHORT(s, cp) do { \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	(s) = ((u16)t_cp[0] << 8) \
+	    | ((u16)t_cp[1]) \
+	    ; \
+	(cp) += 2; \
+  } while(0)
+
+#define GETLONG(l, cp) do { \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	(l) = ((u32)t_cp[0] << 24) \
+	    | ((u32)t_cp[1] << 16) \
+	    | ((u32)t_cp[2] << 8) \
+	    | ((u32)t_cp[3]) \
+	    ; \
+	(cp) += 4; \
+  } while (0)
+
+#define PUTSHORT(s, cp) do { \
+	u16 t_s = (u16)(s); \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	*t_cp++ = t_s >> 8; \
+	*t_cp   = t_s; \
+	(cp) += 2; \
+  } while(0)
+
+#define PUTLONG(l, cp) do { \
+	u32 t_l = (u32)(l); \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	*t_cp++ = t_l >> 24; \
+	*t_cp++ = t_l >> 16; \
+	*t_cp++ = t_l >> 8; \
+	*t_cp   = t_l; \
+	(cp) += 4; \
+  } while (0)
+
+union all_addr {
+  struct in_addr addr4;
+  struct in6_addr addr6;
+};
+  
+struct dhcp_packet_with_opts{
+  struct dhcp_packet {
+    unsigned char op, htype, hlen, hops;
+    unsigned int xid;
+    unsigned short secs, flags;
+    struct in_addr ciaddr, yiaddr, siaddr, giaddr;
+    unsigned char chaddr[DHCP_CHADDR_MAX], sname[64], file[128];
+  } header;
+  unsigned char options[312];
+};
+
+static const struct opttab_t {
+  char *name;
+  u16 val, size;
+} opttab[] = {
+  { "netmask", 1, OT_ADDR_LIST },
+  { "time-offset", 2, 4 },
+  { "router", 3, OT_ADDR_LIST  },
+  { "dns-server", 6, OT_ADDR_LIST },
+  { "log-server", 7, OT_ADDR_LIST },
+  { "lpr-server", 9, OT_ADDR_LIST },
+  { "hostname", 12, OT_INTERNAL | OT_NAME },
+  { "boot-file-size", 13, 2 | OT_DEC },
+  { "domain-name", 15, OT_NAME },
+  { "swap-server", 16, OT_ADDR_LIST },
+  { "root-path", 17, OT_NAME },
+  { "extension-path", 18, OT_NAME },
+  { "ip-forward-enable", 19, 1 },
+  { "non-local-source-routing", 20, 1 },
+  { "policy-filter", 21, OT_ADDR_LIST },
+  { "max-datagram-reassembly", 22, 2 | OT_DEC },
+  { "default-ttl", 23, 1 | OT_DEC },
+  { "mtu", 26, 2 | OT_DEC },
+  { "all-subnets-local", 27, 1 },
+  { "broadcast", 28, OT_INTERNAL | OT_ADDR_LIST },
+  { "router-discovery", 31, 1 },
+  { "router-solicitation", 32, OT_ADDR_LIST },
+  { "static-route", 33, OT_ADDR_LIST },
+  { "trailer-encapsulation", 34, 1 },
+  { "arp-timeout", 35, 4 | OT_DEC },
+  { "ethernet-encap", 36, 1 },
+  { "tcp-ttl", 37, 1 },
+  { "tcp-keepalive", 38, 4 | OT_DEC },
+  { "nis-domain", 40, OT_NAME },
+  { "nis-server", 41, OT_ADDR_LIST },
+  { "ntp-server", 42, OT_ADDR_LIST },
+  { "vendor-encap", 43, OT_INTERNAL },
+  { "netbios-ns", 44, OT_ADDR_LIST },
+  { "netbios-dd", 45, OT_ADDR_LIST },
+  { "netbios-nodetype", 46, 1 },
+  { "netbios-scope", 47, 0 },
+  { "x-windows-fs", 48, OT_ADDR_LIST },
+  { "x-windows-dm", 49, OT_ADDR_LIST },
+  { "requested-address", 50, OT_INTERNAL | OT_ADDR_LIST },
+  { "lease-time", 51, OT_INTERNAL | OT_TIME },
+  { "option-overload", 52, OT_INTERNAL },
+  { "message-type", 53, OT_INTERNAL | OT_DEC },
+  { "server-identifier", 54, OT_INTERNAL | OT_ADDR_LIST },
+  { "parameter-request", 55, OT_INTERNAL },
+  { "message", 56, OT_INTERNAL },
+  { "max-message-size", 57, OT_INTERNAL },
+  { "T1", 58, OT_TIME},
+  { "T2", 59, OT_TIME},
+  { "vendor-class", 60, OT_NAME },
+  { "client-id", 61, OT_INTERNAL },
+  { "nis+-domain", 64, OT_NAME },
+  { "nis+-server", 65, OT_ADDR_LIST },
+  { "tftp-server", 66, OT_NAME },
+  { "bootfile-name", 67, OT_NAME },
+  { "mobile-ip-home", 68, OT_ADDR_LIST }, 
+  { "smtp-server", 69, OT_ADDR_LIST }, 
+  { "pop3-server", 70, OT_ADDR_LIST }, 
+  { "nntp-server", 71, OT_ADDR_LIST }, 
+  { "irc-server", 74, OT_ADDR_LIST }, 
+  { "user-class", 77, 0 },
+  { "rapid-commit", 80, 0 },
+  { "FQDN", 81, OT_INTERNAL },
+  { "agent-info", 82, OT_INTERNAL },
+  { "last-transaction", 91, 4 | OT_TIME },
+  { "associated-ip", 92, OT_ADDR_LIST },
+  { "client-arch", 93, 2 | OT_DEC },
+  { "client-interface-id", 94, 0 },
+  { "client-machine-id", 97, 0 },
+  { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */ 
+  { "subnet-select", 118, OT_INTERNAL },
+  { "domain-search", 119, OT_RFC1035_NAME },
+  { "sip-server", 120, 0 },
+  { "classless-static-route", 121, 0 },
+  { "vendor-id-encap", 125, 0 },
+  { "tftp-server-address", 150, OT_ADDR_LIST },
+  { "server-ip-address", 255, OT_ADDR_LIST }, /* special, internal only, sets siaddr */
+  { NULL, 0, 0 }
+};
+
+static void prettyprint_time(char *buf, unsigned int t);
+static char *print_mac(char *buff, unsigned char *mac, int len);
+
+int lookup_dhcp_opt(char *name)
+{
+  const struct opttab_t *t = opttab;
+  int i;
+
+  for (i = 0; t[i].name; i++)
+    if (strcasecmp(t[i].name, name) == 0)
+      return t[i].val;
+  
+  return -1;
+}
+
+char *option_string(unsigned int opt, unsigned char *val, int opt_len, char *buf, int buf_len)
+{
+  int o, i, j, nodecode = 0;
+  const struct opttab_t *ot = opttab;
+  char addrbuff[ADDRSTRLEN];
+  
+  for (o = 0; ot[o].name; o++)
+    if (ot[o].val == opt)
+      {
+	if (buf)
+	  {
+	    memset(buf, 0, buf_len);
+	    
+	    if (ot[o].size & OT_ADDR_LIST) 
+	      {
+		union all_addr addr;
+		int addr_len = INADDRSZ;
+
+		for (buf[0]= 0, i = 0; i <= opt_len - addr_len; i += addr_len) 
+		  {
+		    if (i != 0)
+		      strncat(buf, ", ", buf_len - strlen(buf));
+		    /* align */
+		    memcpy(&addr, &val[i], addr_len); 
+		    inet_ntop(AF_INET, &val[i], addrbuff, ADDRSTRLEN);
+		    strncat(buf, addrbuff, buf_len - strlen(buf));
+		  }
+	      }
+	    else if (ot[o].size & OT_NAME)
+		for (i = 0, j = 0; i < opt_len && j < buf_len ; i++)
+		  {
+		    char c = val[i];
+		    if (isprint((unsigned char)c))
+		      buf[j++] = c;
+		  }
+	    else if ((ot[o].size & (OT_DEC | OT_TIME)) && opt_len != 0)
+	      {
+		unsigned int dec = 0;
+		
+		for (i = 0; i < opt_len; i++)
+		  dec = (dec << 8) | val[i]; 
+
+		if (ot[o].size & OT_TIME)
+		  prettyprint_time(buf, dec);
+		else
+		  sprintf(buf, "%u", dec);
+	      }
+	    else
+	      nodecode = 1;
+	  }
+	break;
+      }
+
+  if (opt_len != 0 && buf && (!ot[o].name || nodecode))
+    {
+      int trunc  = 0;
+      if (opt_len > 14)
+	{
+	  trunc = 1;
+	  opt_len = 14;
+	}
+      print_mac(buf, val, opt_len);
+      if (trunc)
+	strncat(buf, "...", buf_len - strlen(buf));
+    
+
+    }
+
+  return ot[o].name ? ot[o].name : "";
+
+}
+
+static void prettyprint_time(char *buf, unsigned int t)
+{
+  if (t == 0xffffffff)
+    sprintf(buf, "infinite");
+  else
+    {
+      unsigned int x, p = 0;
+       if ((x = t/86400))
+	p += sprintf(&buf[p], "%ud", x);
+       if ((x = (t/3600)%24))
+	p += sprintf(&buf[p], "%uh", x);
+      if ((x = (t/60)%60))
+	p += sprintf(&buf[p], "%um", x);
+      if ((x = t%60))
+	sprintf(&buf[p], "%us", x);
+    }
+}
+
+static char *print_mac(char *buff, unsigned char *mac, int len)
+{
+  char *p = buff;
+  int i;
+   
+  if (len == 0)
+    sprintf(p, "<null>");
+  else
+    for (i = 0; i < len; i++)
+      p += sprintf(p, "%.2x%s", mac[i], (i == len - 1) ? "" : ":");
+  
+  return buff;
+}
+
+static unsigned char *dhcp_skip_opts(struct dhcp_packet_with_opts *pktp)
+{
+  unsigned char *start = (unsigned char *)(((unsigned int *)&pktp->options[0]) + 1);
+  while (*start != 0)
+    start += start[1] + 2;
+  return start;
+}
+
+static unsigned char *dhcp_find_opt(struct dhcp_packet_with_opts *pktp, int optno)
+{
+  unsigned char *start = (unsigned char *)(((unsigned int *)&pktp->options[0]) + 1);
+  while (*start != OPTION_END)
+    {
+      if (*start == optno)
+	return start;
+      start += start[1] + 2;
+    }
+
+  return NULL;
+}
+
+static void option_put(struct dhcp_packet_with_opts *pktp, int opt, int len, unsigned int val)
+{
+  int i;
+  unsigned char *p = dhcp_skip_opts(pktp);
+  
+  if (p) 
+    {
+      *p++ = opt;
+      *p++ = len;
+      for (i = 0; i < len; i++)
+      *(p++) = val >> (8 * (len - (i + 1)));
+    }
+}
+
+static void option_put_string(struct dhcp_packet_with_opts *pktp, int opt, 
+			      const char *string, int null_term)
+{
+  unsigned char *p;
+  size_t len = strlen(string);
+
+  if (null_term && len != 255)
+    len++;
+
+  if ((p = dhcp_skip_opts(pktp)))
+    {
+      *p++ = opt;
+      *p++ = len;
+      memcpy(p, string, len);
+    }
+}
+
+
+/* in may equal out, when maxlen may be -1 (No max len). 
+   Return -1 for extraneous no-hex chars found. */
+int parse_hex(char *in, unsigned char *out, int maxlen, 
+	      unsigned int *wildcard_mask, int *mac_type)
+{
+  int done = 0, mask = 0, i = 0;
+  char *r;
+    
+  if (mac_type)
+    *mac_type = 0;
+  
+  while (!done && (maxlen == -1 || i < maxlen))
+    {
+      for (r = in; *r != 0 && *r != ':' && *r != '-' && *r != ' '; r++)
+	if (*r != '*' && !isxdigit((unsigned char)*r))
+	  return -1;
+      
+      if (*r == 0)
+	done = 1;
+      
+      if (r != in )
+	{
+	  if (*r == '-' && i == 0 && mac_type)
+	   {
+	      *r = 0;
+	      *mac_type = strtol(in, NULL, 16);
+	      mac_type = NULL;
+	   }
+	  else
+	    {
+	      *r = 0;
+	      if (strcmp(in, "*") == 0)
+		{
+		  mask = (mask << 1) | 1;
+		  i++;
+		}
+	      else
+		{
+		  int j, bytes = (1 + (r - in))/2;
+		  for (j = 0; j < bytes; j++)
+		    { 
+		      char sav;
+		      if (j < bytes - 1)
+			{
+			  sav = in[(j+1)*2];
+			  in[(j+1)*2] = 0;
+			}
+		      /* checks above allow mix of hexdigit and *, which
+			 is illegal. */
+		      if (strchr(&in[j*2], '*'))
+			return -1;
+		      out[i] = strtol(&in[j*2], NULL, 16);
+		      mask = mask << 1;
+		      if (++i == maxlen)
+			break; 
+		      if (j < bytes - 1)
+			in[(j+1)*2] = sav;
+		    }
+		}
+	    }
+	}
+      in = r+1;
+    }
+  
+  if (wildcard_mask)
+    *wildcard_mask = mask;
+
+  return i;
+}
+
+static char *split_chr(char *s, char c)
+{
+  char *comma, *p;
+
+  if (!s || !(comma = strchr(s, c)))
+    return NULL;
+  
+  p = comma;
+  *comma = ' ';
+  
+  for (; *comma == ' '; comma++);
+  
+  for (; (p >= s) && *p == ' '; p--)
+    *p = 0;
+  
+  return comma;
+}
+
+static char *split(char *s)
+{
+  return split_chr(s, ',');
+}
+
+
+int main(int argc, char **argv)
+{
+  int fd;
+  struct ifreq ifr;
+  struct in_addr iface_addr, server_addr, lease_addr;
+  struct dhcp_packet_with_opts pkt;
+  struct sockaddr_in saddr;
+  unsigned char *p;
+  ssize_t sz;
+  unsigned char mac[DHCP_CHADDR_MAX], clid[256], req_options[256];
+  char buff[500];
+  int clid_len = 0, mac_len = 0, mac_type = 0, opts_len = 0;
+  unsigned short port = DHCP_SERVER_PORT;
+  unsigned int xid;
+  struct timeval tv;
+  
+  gettimeofday(&tv, NULL);
+  srand(tv.tv_usec);
+  xid = rand();
+  server_addr.s_addr = lease_addr.s_addr = iface_addr.s_addr = 0;
+  
+  if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
+    {
+      perror("leasequery: cannot create socket");
+      exit(1);
+    }
+  
+  while (1)
+    {
+      int option = getopt(argc, argv, "i:s:l:m:c:p:r:");
+
+      if (option == -1)
+	break;
+      
+      switch (option) 
+	{
+	default:
+	  fprintf(stderr,
+		  "-p <port>             port on DHCP server.\n"
+		  "-i <interface>        exit interface to DHCP server.\n"
+		  "-s <inet-addr>        DHCP server address.\n"
+		  "-l <inet-addr>        Query lease by IP address.\n"
+		  "-m <MAC-addr>         Query lease by MAC address.\n"
+		  "-c <hex>              Query lease by client-id.\n"
+		  "-r <name>|<int>[,...] List of options to return.\n");
+	  exit(1);
+		  		  
+	case 'p':
+	  port = atoi(optarg);
+	  break;
+	  
+	case 'i':
+	  strncpy(ifr.ifr_name, optarg, IF_NAMESIZE);
+	   ifr.ifr_addr.sa_family = AF_INET;
+	   if (ioctl(fd, SIOCGIFADDR, &ifr) == -1)
+	    {
+	      perror("leasequery: cannot get interface address");
+	      exit(1);
+	    }
+
+	  iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	  break;
+
+	case 's':
+	  if (inet_pton(AF_INET, optarg, &server_addr) <= 0)
+	    {
+	      fprintf(stderr, "leasequery: bad server address\n");
+	      exit(1);
+	    }
+	  break;
+
+	case 'l':
+	  if (inet_pton(AF_INET, optarg, &lease_addr) <= 0)
+	    {
+	      fprintf(stderr, "leasequery: bad lease address\n");
+	      exit(1);
+	    }
+	  break;
+
+	case 'm':
+	  mac_type = 1; /* default ethernet */
+	  mac_len = parse_hex(optarg, mac, DHCP_CHADDR_MAX, NULL, &mac_type);
+	  if (!mac_type)
+	    mac_type  = 1; /* default ethernet */
+	  break;
+
+	case 'c':
+	  clid_len = parse_hex(optarg, clid, 256, NULL, NULL);
+	  break;
+
+	case 'r':
+	  {
+	    char *comma;
+	    int opt;
+	    
+	    while (optarg)
+	      {
+		comma = split(optarg);
+		
+		if ((opt = lookup_dhcp_opt(optarg)) != -1 || (opt = atoi(optarg)) != 0) 
+		  req_options[opts_len++] = opt;
+		
+		optarg = comma;
+	      }
+	    
+	    break;
+	  }
+	}
+    }
+
+  if (!server_addr.s_addr)
+    {
+      fprintf(stderr, "leasequery: no server address\n");
+      exit(1);
+    }
+    
+  memset(&pkt, 0, sizeof pkt);
+  pkt.header.op = BOOTREQUEST;
+  pkt.header.xid = xid;
+  pkt.header.ciaddr = lease_addr;
+  pkt.header.hlen = mac_len;
+  pkt.header.htype = mac_type;
+  memcpy(pkt.header.chaddr, mac, mac_len);
+  *((unsigned int *)&pkt.options[0]) = htonl(DHCP_COOKIE);
+
+  /* Dnsmasq extension. */
+  pkt.header.giaddr.s_addr = iface_addr.s_addr ? iface_addr.s_addr : INADDR_BROADCAST;
+    
+  option_put(&pkt, OPTION_MESSAGE_TYPE, 1, DHCPLEASEQUERY);
+  
+  if (clid_len != 0)
+    {
+      p = dhcp_skip_opts(&pkt);
+      *p++ = OPTION_CLIENT_ID;
+      *p++ = clid_len;
+      memcpy(p, clid, clid_len);
+    }
+  
+  if (opts_len != 0)
+    {
+      p = dhcp_skip_opts(&pkt); 
+      *p++ = OPTION_REQUESTED_OPTIONS;
+      *p++ = opts_len;
+      memcpy(p, req_options, opts_len);
+    }
+  
+  if (iface_addr.s_addr)
+    {
+      saddr.sin_family = AF_INET;
+      saddr.sin_port = htons(port);
+      saddr.sin_addr.s_addr = iface_addr.s_addr;
+      
+      if (bind(fd, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in)))
+	{
+	  perror("leasequery: cannot bind DHCP server socket");
+	  exit(1);
+	}
+    }
+	  
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(port);
+  saddr.sin_addr = server_addr;
+
+  while((sz = sendto(fd, &pkt, dhcp_skip_opts(&pkt) - ((unsigned char *)&pkt), 0, (struct sockaddr *)&saddr, sizeof(saddr))) == -1 &&
+	errno == EINTR);
+
+  if (sz == -1)
+    {
+      perror("leasequery: sendto()");
+      exit(1);
+    }
+  
+  sz = recv(fd, &pkt, sizeof(pkt), 0);
+
+  if (sz == -1)
+    {
+      perror("leasequery: recv()");
+      exit(1);
+    }
+  
+  if (sz >= sizeof(pkt.header) &&
+      pkt.header.op == BOOTREPLY &&
+      (p = dhcp_find_opt(&pkt, OPTION_MESSAGE_TYPE)) &&
+      pkt.header.xid == xid)
+    {
+      if (p[2] == DHCPLEASEUNASSIGNED)
+	printf("UNASSIGNED\n");
+      else if (p[2] == DHCPLEASEUNKNOWN)
+	printf("UNKNOWN\n");
+      else if (p[2] == DHCPLEASEACTIVE)
+	{
+	  print_mac(buff, pkt.header.chaddr, pkt.header.hlen);
+	  printf("ACTIVE %s %s\n", inet_ntoa(pkt.header.ciaddr), buff);
+      
+	  p = (unsigned char *)(((unsigned int *)&pkt.options[0]) + 1);
+	  
+	  while (*p != OPTION_END)
+	    {
+	      if (*p != OPTION_MESSAGE_TYPE)
+		{
+		  char *optname = option_string(p[0], option_ptr(p, 0), option_len(p), buff, 500);
+		  
+		  printf("size:%3d option:%3d %s  %s\n", option_len(p), p[0], optname, buff);
+		}
+	      p += p[1] + 2;
+	    }
+	}
+    }
+}

debian

@@ -0,0 +1 @@
+submodules/dnsmasq-debian/debian

debian/control

@@ -1,68 +0,0 @@
-Source: dnsmasq
-Section: net
-Priority: optional
-Build-Depends: dh-exec, gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev,
-               nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
-	       liblua5.4-dev, dh-runit, debhelper-compat (= 13),
-               pkg-config, libnftables-dev
-Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Homepage: https://www.thekelleys.org.uk/dnsmasq/doc.html
-Vcs-Git: https://thekelleys.org.uk/git/dnsmasq.git
-Vcs-Browser: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git
-Standards-Version: 4.6.2
-Rules-Requires-Root: no
-
-Package: dnsmasq
-Architecture: all
-Pre-Depends: ${misc:Pre-Depends}
-Depends: netbase, dnsmasq-base,
-         ${misc:Depends}
-Suggests: resolvconf
-Breaks: ${runit:Breaks}
-Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
-Description: Small caching DNS proxy and DHCP/TFTP server - system daemon
- Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
- server. It is designed to provide DNS and optionally, DHCP, to a
- small network. It can serve the names of local machines which are
- not in the global DNS. The DHCP server integrates with the DNS
- server and allows machines with DHCP-allocated addresses
- to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic
- DHCP leases and BOOTP/TFTP for network booting of diskless machines.
-
-Package: dnsmasq-base
-Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
-Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
-Recommends: dns-root-data
-Provides: dnsmasq-base
-Conflicts: dnsmasq-base-lua
-Description: Small caching DNS proxy and DHCP/TFTP server - executable
- This package contains the dnsmasq executable and documentation, but
- not the infrastructure required to run it as a system daemon. For
- that, install the dnsmasq package.
-
-Package: dnsmasq-base-lua
-Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
-Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
-Recommends: dns-root-data
-Provides: dnsmasq-base
-Conflicts: dnsmasq-base
-Description: Small caching DNS proxy and DHCP/TFTP server - executable, Lua-enabled
- This package contains the dnsmasq executable and documentation, but
- not the infrastructure required to run it as a system daemon. For
- that, install the dnsmasq package. This package is an alternative
- to dnsmasq-base which includes the Lua interpreter.
-
-Package: dnsmasq-utils
-Architecture: linux-any
-Depends: ${misc:Depends}, ${shlibs:Depends}
-Conflicts: dnsmasq (<<2.40)
-Description: Utilities for manipulating DHCP leases
- Small utilities to query a DHCP server's lease database and
- remove leases from it. These programs are distributed with dnsmasq
- and may not work correctly with other DHCP servers.

debian/copyright

@@ -1,58 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: dnsmasq
-Upstream-Contact: Simon Kelley <simon@thekelleys.org.uk>
-Source: https://thekelleys.org.uk/dnsmasq/
-
-Files: *
-Copyright: 2000-2024 Simon Kelley <simon@thekelleys.org.uk>
-License: GPL-2 or GPL-3
-
-Files: src/dnssec.c
-Copyright: 2012-2024 Simon Kelley <simon@thekelleys.org.uk>
-           2012      Giovanni Bajo <rasky@develer.com>
-
-Files: debian/*
-Copyright: 2004-2024 Simon Kelley <simon@thekelleys.org.uk>
-           2012      Lars Bahner <bahner@debian.org>
-           2024      Sven Geuer <debmaint@g-e-u-e-r.de>
-License: GPL-2 or GPL-3
-
-License: GPL-2
- This program is free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License as published by the Free Software Foundation;
- version 2 dated June, 1991.
- .
- This program is distributed in the hope that it will be
- useful, but WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.  See the GNU General Public License for more
- details.
- .
- You should have received a copy of the GNU General Public
- License along with this program.  If not, see
- <https://www.gnu.org/licenses/gpl-2.0>.
- .
- On Debian systems, the full text of the GNU General Public
- License can be found in the file
- `/usr/share/common-licenses/GPL-2'.
-
-License: GPL-3
- This program is free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License as published by the Free Software Foundation;
- version 3 dated 29 June, 2007.
- .
- This program is distributed in the hope that it will be
- useful, but WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.  See the GNU General Public License for more
- details.
- .
- You should have received a copy of the GNU General Public
- License along with this program.  If not, see
- <https://www.gnu.org/licenses/gpl-3.0>.
- .
- On Debian systems, the full text of the GNU General Public
- License can be found in the file
- `/usr/share/common-licenses/GPL-3'.

debian/dbus.conf

@@ -1,18 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<policy user="root">
-		<allow own="uk.org.thekelleys.dnsmasq"/>
-		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
-	</policy>
-        <policy user="dnsmasq">
-                <allow own="uk.org.thekelleys.dnsmasq"/>
-                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-	<policy context="default">
-                <deny own="uk.org.thekelleys.dnsmasq"/>
-                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-</busconfig>
-

debian/dnsmasq-base-lua.dirs

@@ -1 +0,0 @@
-dnsmasq-base.dirs

debian/dnsmasq-base-lua.docs

@@ -1 +0,0 @@
-dnsmasq-base.docs

debian/dnsmasq-base-lua.install

@@ -1,3 +0,0 @@
-#!/usr/bin/dh-exec
-debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
-trust-anchors.conf /usr/share/dnsmasq-base-lua

debian/dnsmasq-base-lua.links

@@ -1,2 +0,0 @@
-usr/share/dnsmasq-base-lua usr/share/dnsmasq-base
-usr/share/doc/dnsmasq-base-lua usr/share/doc/dnsmasq-base

debian/dnsmasq-base-lua.maintscript

@@ -1,9 +0,0 @@
-# With the use of debhelper /usr/share/doc/dnsmasq-base-lua has become a
-# directory as required in
-# https://www.debian.org/doc/debian-policy/ch-docs.html#additional-documentation
-# thus /usr/share/doc/dnsmasq-base will be a link from now onwards.
-symlink_to_dir /usr/share/doc/dnsmasq-base-lua /usr/share/doc/dnsmasq-base 2.89-1.1~ dnsmasq-base-lua
-dir_to_symlink /usr/share/doc/dnsmasq-base /usr/share/doc/dnsmasq-base-lua 2.89-1.1~ dnsmasq-base-lua
-# Due to lintian warning dbus-policy-in-etc this file has been moved to
-# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
-rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base-lua

debian/dnsmasq-base-lua.postinst

@@ -1 +0,0 @@
-dnsmasq-base.postinst

debian/dnsmasq-base-lua.postrm

@@ -1 +0,0 @@
-dnsmasq-base.postrm

debian/dnsmasq-base.dirs

@@ -1 +0,0 @@
-/var/lib/misc

debian/dnsmasq-base.docs

@@ -1,8 +0,0 @@
-doc.html
-setup.html
-dnsmasq.conf.example
-FAQ
-CHANGELOG.archive
-dbus/DBus-interface
-debian/systemd_howto
-debian/readme

debian/dnsmasq-base.install

@@ -1,3 +0,0 @@
-#!/usr/bin/dh-exec
-debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
-trust-anchors.conf /usr/share/dnsmasq-base

debian/dnsmasq-base.maintscript

@@ -1,3 +0,0 @@
-# Due to lintian warning dbus-policy-in-etc this file has been moved to
-# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
-rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base

debian/dnsmasq-base.postinst

@@ -1,30 +0,0 @@
-#!/bin/sh
-set -e
-
-# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
-
-if [ "$1" = "configure" ]; then
-  # Create the user to run as.
-  if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
-    useradd --system \
-            --gid nogroup \
-            --comment dnsmasq \
-            --home-dir /var/lib/misc --no-create-home \
-            --shell /usr/sbin/nologin \
-            dnsmasq
-  fi
-
-  # Make the directory where we keep the pid file - this
-  # has to be owned by "dnsmasq" so that the file can be unlinked.
-  # This is only actually used by the dnsmasq binary package, not
-  # dnsmasq-base, but it's much easier to create it here so that
-  # we don't have synchronisation issues with the creation of the
-  # dnsmasq user.
-  if [ ! -d /run/dnsmasq ]; then
-    mkdir /run/dnsmasq
-    chown dnsmasq:nogroup /run/dnsmasq
-  fi
-fi
-
-#DEBHELPER#
-

debian/dnsmasq-base.postrm

@@ -1,10 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ purge = "$1" ]; then
-  userdel dnsmasq
-  rm -rf /run/dnsmasq
-fi
-
-#DEBHELPER#
-

debian/dnsmasq-utils.install

@@ -1,3 +0,0 @@
-dhcp_lease_time	/usr/bin
-dhcp_release	/usr/bin
-dhcp_release6	/usr/bin

debian/dnsmasq-utils.manpages

@@ -1,3 +0,0 @@
-dhcp_lease_time.1
-dhcp_release.1
-dhcp_release6.1

debian/dnsmasq.default

@@ -1,42 +0,0 @@
-# This file has six functions:
-# 1) to completely disable starting this dnsmasq instance
-# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
-# 3) to select an alternative config file
-#    by setting DNSMASQ_OPTS to --conf-file=<file>
-# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
-#    more configuration variables.
-# 5) to stop the resolvconf package from controlling dnsmasq's
-#    idea of which upstream nameservers to use.
-# 6) to avoid using this dnsmasq instance as the system's default resolver
-#    by setting DNSMASQ_EXCEPT="lo"
-# For upgraders from very old versions, all the shell variables set
-# here in previous versions are still honored by the init script
-# so if you just keep your old version of this file nothing will break.
-
-#DOMAIN_SUFFIX=`dnsdomainname`
-#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
-
-# The dnsmasq daemon is run by default conforming to the Debian Policy.
-# To disable the service,
-# for SYSV init, use "update-rc.d dnsmasq disable",
-# for systemd, use "systemctl disable dnsmasq".
-
-# By default search this drop directory for configuration options.
-# Libvirt leaves a file here to make the system dnsmasq play nice.
-# Comment out this line if you don't want this. The dpkg-* are file
-# endings which cause dnsmasq to skip that file. This avoids pulling
-# in backups made by dpkg.
-CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
-
-# If the resolvconf package is installed, dnsmasq will use its output
-# rather than the contents of /etc/resolv.conf to find upstream
-# nameservers. Uncommenting this line inhibits this behaviour.
-# Note that including a "resolv-file=<filename>" line in
-# /etc/dnsmasq.conf is not enough to override resolvconf if it is
-# installed: the line below must be uncommented.
-#IGNORE_RESOLVCONF=yes
-
-# If the resolvconf package is installed, dnsmasq will tell resolvconf
-# to use dnsmasq under 127.0.0.1 as the system's default resolver.
-# Uncommenting this line inhibits this behaviour.
-#DNSMASQ_EXCEPT="lo"

debian/dnsmasq.init

@@ -1,170 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:  $network $remote_fs $syslog
-# Default-Start:  2 3 4 5
-# Default-Stop:   0 1 6
-# Description:    DHCP and DNS server
-### END INIT INFO
-
-# Don't exit on error status
-set +e
-
-# The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
-# package is still in place.
-if [ -r /usr/share/dnsmasq/init-system-common ]; then
-    # 'dnsmasq' is installed: source initial code used also with systemd.
-    . /usr/share/dnsmasq/init-system-common
-else
-    # 'dnsmasq' is removed but not purged, or damaged: do nothing.
-    exit 0
-fi
-
-# Double-check 'dnsmasq-base' or 'dnsmasq-base-lua' is installed.
-test -x ${DAEMON} || exit 0
-
-# Source the SysV init-functions which should always be available.
-. /lib/lsb/init-functions || exit 0
-
-start()
-{
-    # Return
-    #   0 if daemon has been started
-    #   1 if daemon was already running
-    #   2 if daemon could not be started
-
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
-        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
-        || return 2
-}
-
-stop()
-{
-    # Return
-    #   0 if daemon has been stopped
-    #   1 if daemon was already stopped
-    #   2 if daemon could not be stopped
-    #   other if a failure occurred
-    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
-}
-
-status()
-{
-    # Return
-    #   0 if daemon is running
-    #   1 if daemon is dead and pid file exists
-    #   3 if daemon is not running
-    #   4 if daemon status is unknown
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
-    case "${?}" in
-      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
-      1) return 0 ;;
-      *) return 4 ;;
-    esac
-}
-
-case "${1}" in
-  start)
-    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    start
-    case "${?}" in
-      0)
-        log_end_msg 0
-        start_resolvconf
-        exit 0
-        ;;
-      1)
-        log_success_msg "(already running)"
-        exit 0
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  stop)
-    stop_resolvconf
-    log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    stop
-    RETVAL="${?}"
-    case "${RETVAL}" in
-      0) log_end_msg 0 ; exit 0 ;;
-      1) log_warning_msg "(not running)" ; exit 0 ;;
-      *) log_end_msg 1; exit 1 ;;
-    esac
-    ;;
-  restart|force-reload)
-    checkconfig
-    if [ ${?} -ne 0 ]; then
-        NAME="configuration syntax check"
-        RETVAL="2"
-    else
-        stop_resolvconf
-        stop
-        RETVAL="${?}"
-    fi
-    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    case "${RETVAL}" in
-      0|1)
-        sleep 2
-        start
-        case "${?}" in
-          0)
-            log_end_msg 0
-            start_resolvconf
-            exit 0
-            ;;
-          *)
-            log_end_msg 1
-            exit 1
-            ;;
-        esac
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  status)
-    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    status
-    case "${?}" in
-      0) log_success_msg "(running)" ; exit 0 ;;
-      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-      3) log_success_msg "(not running)" ; exit 3 ;;
-      *) log_success_msg "(unknown)" ; exit 4 ;;
-    esac
-    ;;
-  dump-stats)
-    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
-    ;;
-  *)
-    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
-    exit 3
-    ;;
-esac
-
-exit 0

debian/dnsmasq.install

@@ -1,8 +0,0 @@
-#!/usr/bin/dh-exec
-debian/resolvconf => /etc/resolvconf/update.d/dnsmasq
-debian/resolvconf-package => /usr/lib/resolvconf/dpkg-event.d/dnsmasq
-debian/init-system-common => /usr/share/dnsmasq/init-system-common
-debian/systemd-helper => /usr/share/dnsmasq/systemd-helper
-dnsmasq.conf.example => /etc/dnsmasq.conf
-debian/readme.dnsmasq.d => /etc/dnsmasq.d/README
-debian/insserv => /etc/insserv.conf.d/dnsmasq

debian/dnsmasq.links

@@ -1 +0,0 @@
-usr/share/dnsmasq-base/trust-anchors.conf usr/share/dnsmasq/trust-anchors.conf

debian/dnsmasq.maintscript

@@ -1,2 +0,0 @@
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq

debian/dnsmasq.runit

@@ -1 +0,0 @@
-debian/dnsmasq.runscript name=dnsmasq,logscript,presubj

debian/dnsmasq.runscript/finish

@@ -1,5 +0,0 @@
-#!/bin/sh -eu
-if [ -x /sbin/resolvconf ] ; then
-	/sbin/resolvconf -d lo.dnsmasq
-fi
-

debian/dnsmasq.runscript/run

@@ -1,43 +0,0 @@
-#!/lib/runit/invoke-run
-
-readonly name=dnsmasq
-readonly daemon=/usr/sbin/dnsmasq
-readonly marker=/usr/share/dnsmasq/installed-marker
-
-test -e "${marker}" || exec sv down "${name}"
-test -x "${daemon}" || exec sv down "${name}"
-
-if [ ! "${RESOLV_CONF:-}" ] &&
-   [ "${IGNORE_RESOLVCONF:-}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-	RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be
-# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f $ROOT_DS ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-mkdir -p /run/dnsmasq
-chown dnsmasq:nogroup /run/dnsmasq
-[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-exec "${daemon}" \
-	--keep-in-foreground \
-	--log-facility=/dev/stdout \
-	${RESOLV_CONF:+ -r $RESOLV_CONF} \
-	${DNSMASQ_OPTS} \
-	-u dnsmasq

debian/dnsmasq.service

@@ -1,31 +0,0 @@
-[Unit]
-Description=dnsmasq - A lightweight DHCP and caching DNS server
-Requires=network.target
-Wants=nss-lookup.target
-Before=nss-lookup.target
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/dnsmasq/dnsmasq.pid
-
-# Test the config file and refuse starting if it is not valid.
-ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig
-
-# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
-# as a wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "exec" function.
-ExecStart=/usr/share/dnsmasq/systemd-helper exec
-
-# The *-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the
-# dnsmasq daemon fails to start).
-ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf
-ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf
-
-
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target

debian/dnsmasq.tmpfiles

@@ -1 +0,0 @@
-d /run/dnsmasq 755 dnsmasq nogroup

debian/dnsmasq@.service

@@ -1,31 +0,0 @@
-[Unit]
-Description=dnsmasq (%i) - A lightweight DHCP and caching DNS server
-Requires=network.target
-Wants=nss-lookup.target
-Before=nss-lookup.target
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/dnsmasq/dnsmasq.%i.pid
-
-# Test the config file and refuse starting if it is not valid.
-ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig "%i"
-
-# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
-# as a wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "exec" function.
-ExecStart=/usr/share/dnsmasq/systemd-helper exec "%i"
-
-# The *-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the
-# dnsmasq daemon fails to start).
-ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf "%i"
-ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf "%i"
-
-
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target

debian/init-system-common

@@ -1,102 +0,0 @@
-# -*- shell-script -*-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/dnsmasq
-NAME=dnsmasq
-DESC="DNS forwarder and DHCP server"
-INSTANCE="${2}"
-
-# Most configuration options in /etc/default/dnsmasq are deprecated
-# but still honoured.
-if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
-    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
-fi
-
-# Get the system locale, so that messages are in the correct language, and the
-# charset for IDN is correct
-if [ -r /etc/default/locale ]; then
-    . /etc/default/locale
-    export LANG
-fi
-
-# RESOLV_CONF:
-# If the resolvconf package is installed then use the resolv conf file
-# that it provides as the default.  Otherwise use /etc/resolv.conf as
-# the default.
-#
-# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
-# filename is set there then this inhibits the use of the resolvconf-provided
-# information.
-#
-# Note that if the resolvconf package is installed it is not possible to
-# override it just by configuration in /etc/dnsmasq.conf, it is necessary
-# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
-
-if [ ! "${RESOLV_CONF}" ] &&
-   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-    RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-for INTERFACE in ${DNSMASQ_INTERFACE}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
-done
-
-for INTERFACE in ${DNSMASQ_EXCEPT}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
-done
-
-if [ ! "${DNSMASQ_USER}" ]; then
-    DNSMASQ_USER="dnsmasq"
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if --interface --except-interface, --listen-address
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be
-# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f ${ROOT_DS} ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-checkconfig()
-{
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-}
-
-start_resolvconf()
-{
-# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
-# Then dnsmasq won't be providing local DNS, so don't add it to
-# the resolvconf server set.
-    for interface in ${DNSMASQ_EXCEPT}; do
-        [ ${interface} = lo ] && return
-    done
-
-    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-    if grep -qs '^port=0' /etc/dnsmasq.conf; then
-        return
-    fi
-
-    if [ -x /sbin/resolvconf ] ; then
-        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-stop_resolvconf()
-{
-    if [ -x /sbin/resolvconf ] ; then
-        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}

debian/insserv

@@ -1 +0,0 @@
-$named dnsmasq

debian/patches/eliminate-privacy-breaches.patch

@@ -1,40 +0,0 @@
-Description: Remove or replace privacy breaching logos and forms
- Lintian complains about these by issuing the tags privacy-breach-logo and
- privacy-breach-donation.
-Forwarded: not-needed
-Author: Sven Geuer <debmaint@g-e-u-e-r.de>
-Last-Update: 2023-11-18
-
---- a/doc.html
-+++ b/doc.html
-@@ -1,14 +1,11 @@
- <HTML>
- <HEAD>
- <TITLE> Dnsmasq - network services for small networks.</TITLE>
--<link rel="icon" href="http://www.thekelleys.org.uk/dnsmasq/images/favicon.ico">
- </HEAD>
- <BODY BGCOLOR="WHITE"> 
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
--<td align="left" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td>
- <td align="middle" valign="middle"><h1>Dnsmasq</h1></td>
--<td align="right" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td></tr>
- </table>
- Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be 
- lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used 
-@@ -88,14 +85,6 @@
- Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. 
- These days I'm working on it as my main activity. 
- I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make 
--a contribution towards my expenses, please use the donation button below.
--<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
--<input type="hidden" name="cmd" value="_s-xclick">
--<input type="hidden" name="hosted_button_id" value="V3X9GVW5GX6DA">
--<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
--<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
--</form>
--
--
-+a contribution towards my expenses, please use the donation button at <A HREF="https://www.thekelleys.org.uk/dnsmasq/doc.html">the project's home page</A>.
- </BODY>
- 

debian/patches/series

@@ -1 +0,0 @@
-eliminate-privacy-breaches.patch

debian/readme

@@ -1,80 +0,0 @@
-Notes on configuring dnsmasq as packaged for Debian.
-
-(1) To configure dnsmasq edit /etc/dnsmasq.conf. The file is well
-    commented; see also the dnsmasq.8 man page for explanation of
-    the options. The file /etc/default/dnsmasq also exists but it
-    shouldn't need to be touched in most cases. To set up DHCP
-    options you might need to refer to a copy of RFC 2132. This is
-    available on Debian systems in the package doc-rfc-std as the file
-    /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
-
-(2) Installing the dnsmasq package also creates the directory
-    /etc/dnsmasq.d which is searched by dnsmasq for configuration file
-    fragments. This behaviour can be disabled by editing
-    /etc/default/dnsmasq.
-
-(3) If the Debian resolvconf package is installed then, regardless
-    of what interface configuration daemons are employed, the list of
-    nameservers to which dnsmasq should forward queries can be found
-    in /var/run/dnsmasq/resolv.conf; also, 127.0.0.1 is listed as the
-    first nameserver address in /etc/resolv.conf. This works using the
-    default configurations of resolvconf and dnsmasq.
-
-(4) In the absence of resolvconf, if you are using dhcpcd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/dhcpc/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(5) In the absence of resolvconf, if you are using pppd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(6) In the absence of resolvconf, dns-nameservers lines in
-    /etc/network/interfaces are ignored. If you do not use
-    resolvconf, list 127.0.0.1 as the first nameserver address
-    in /etc/resolv.conf and configure your nameservers using
-    "server=<IP-address>" lines in /etc/dnsmasq.conf.
-
-(7) If you run multiple DNS servers on a single machine, each
-    listening on a different interface, then it is necessary to use
-    the bind-interfaces option by uncommenting "bind-interfaces" in
-    /etc/dnsmasq.conf. This option stops dnsmasq from binding the
-    wildcard address and allows servers listening on port 53 on
-    interfaces not in use by dnsmasq to work. The Debian
-    libvirt package will add a configuration file in /etc/dnsmasq.d
-    which does this so that the "system" dnsmasq and "private" dnsmasq
-    instances started by libvirt do not clash.
-
-(8) The following options are supported in DEB_BUILD_OPTIONS
-      noopt       : compile without optimisation.
-      nostrip     : don't remove symbols from binary.
-      nodocs      : omit documentation.
-      notftp      : omit TFTP support.
-      nodhcp      : omit DHCP support.
-      nodhcp6     : omit DHCPv6 support.
-      noscript    : omit lease-change script support.
-      uselua      : provide support for lease-change scripts written
-                    in Lua.
-      noipv6      : omit IPv6 support.
-      nodbus      : omit DBus support.
-      noconntrack : omit connection tracking support.
-      noipset     : omit IPset support.
-      nonftset    : omit nftset support.
-      nortc       : compile alternate mode suitable for systems without an RTC.
-      noi18n      : omit translations and internationalisation support.
-      noidn       : omit international domain name support, must be
-                    combined with noi18n to be effective.
-      gitversion  : set the version of the produced packages from the
-                    git-derived versioning information on the source,
-                    rather than the debian changelog.
-
-(9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
-    dnsmasq. Dnsmasq-base provides the dnsmasq executable and
-    documentation (including this file). Dnsmasq, which depends on
-    dnsmasq-base, provides the init script and configuration
-    infrastructure. This file assumes that both are installed. It is
-    possible to install only dnsmasq-base and use dnsmasq as a
-    non-"system" daemon. Libvirt, for instance, does this.
-    Dnsmasq-utils provides the utilities dhcp_release and
-    dhcp_lease_time.

debian/readme.dnsmasq.d

@@ -1,7 +0,0 @@
-# All files in this directory will be read by dnsmasq as 
-# configuration files, except if their names end in 
-# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
-#
-# This can be changed by editing /etc/default/dnsmasq
-
-

debian/resolvconf

@@ -1,84 +0,0 @@
-#!/bin/sh
-#
-# Script to update the resolver list for dnsmasq
-#
-# N.B. Resolvconf may run us even if dnsmasq is not (yet) running.
-# If dnsmasq is installed then we go ahead and update the resolver list
-# in case dnsmasq is started later.
-#
-# Assumption: On entry, PWD contains the resolv.conf-type files.
-#
-# This file is part of the dnsmasq package.
-#
-
-set -e
-
-RUN_DIR="/run/dnsmasq"
-RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
-TMP_FILE="${RSLVRLIST_FILE}_new.$$"
-MY_NAME_FOR_RESOLVCONF="dnsmasq"
-
-[ -x /usr/sbin/dnsmasq ] || exit 0
-[ -x /lib/resolvconf/list-records ] || exit 1
-
-PATH=/bin:/sbin
-
-report_err() { echo "$0: Error: $*" >&2 ; }
-
-# Stores arguments (minus duplicates) in RSLT, separated by spaces
-# Doesn't work properly if an argument itself contains whitespace
-uniquify()
-{
-	RSLT=""
-	while [ "$1" ] ; do
-		for E in $RSLT ; do
-			[ "$1" = "$E" ] && { shift ; continue 2 ; }
-		done
-		RSLT="${RSLT:+$RSLT }$1"
-		shift
-	done
-}
-
-if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then
-	report_err "Failed trying to create directory $RUN_DIR"
-	exit 1
-fi
-
-RSLVCNFFILES=""
-for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
-	case "$F" in
-	    "lo.$MY_NAME_FOR_RESOLVCONF")
-		# Omit own record
-		;;
-	    lo.*)
-		# Include no more records after one for a local nameserver
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		break
-		;;
-	  *)
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		;;
-	esac
-done
-
-NMSRVRS=""
-if [ "$RSLVCNFFILES" ] ; then
-	uniquify $(sed -n -e 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES)
-	NMSRVRS="$RSLT"
-fi
-
-# Dnsmasq uses the mtime of $RSLVRLIST_FILE, with a resolution of one second,
-# to detect changes in the file. This means that if a resolvconf update occurs
-# within one second of the previous one then dnsmasq may fail to notice the
-# more recent change. To work around this problem we sleep one second here
-# if necessary in order to ensure that the new mtime is different.
-if [ -f "$RSLVRLIST_FILE" ] && [ "$(ls -go --time-style='+%s' "$RSLVRLIST_FILE" | { read p h s t n ; echo "$t" ; })" = "$(date +%s)" ] ; then
-	sleep 1
-fi
-
-clean_up() { rm -f "$TMP_FILE" ; }
-trap clean_up EXIT
-: >| "$TMP_FILE"
-for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMP_FILE" ; done
-mv -f "$TMP_FILE" "$RSLVRLIST_FILE"
-

debian/resolvconf-package

@@ -1,13 +0,0 @@
-#!/bin/sh
-# Resolvconf packaging event hook script for the dnsmasq package
-restart_dnsmasq() {
-    if which invoke-rc.d >/dev/null 2>&1 ; then
-        invoke-rc.d dnsmasq restart
-    elif [ -x /etc/init.d/dnsmasq ] ; then
-        /etc/init.d/dnsmasq restart
-    fi
-}
-
-case "$1" in
-  install) restart_dnsmasq ;;
-esac

debian/rules

@@ -1,127 +0,0 @@
-#!/usr/bin/make -f
-# -*- makefile -*-
-
-# Uncomment this to turn on verbose mode.
-export DH_VERBOSE=1
-
-# Make sure lintian does not complain about missing hardenings.
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-
-include /usr/share/dpkg/architecture.mk
-
-PREFIX = /usr
-# Upstream does not handle CPPFLAGS, so we add it to CFLAGS here.
-CFLAGS += $(CPPFLAGS)
-COPTS =
-
-ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DHAVE_DBUS
-endif
-
-ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	COPTS += -DHAVE_LIBIDN2
-endif
-
-ifeq (,$(filter nonftset, $(DEB_BUILD_OPTIONS)))
-	COPTS += -DHAVE_NFTSET
-endif
-
-ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-	COPTS += -DHAVE_CONNTRACK
-endif
-endif
-
-ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_IPSET
-endif
-
-ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_DHCP6
-endif
-
-ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_IPV6
-endif
-
-ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_TFTP
-endif
-
-ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_DHCP
-endif
-
-ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DNO_SCRIPT
-endif
-
-ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DHAVE_BROKEN_RTC
-endif
-
-ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
-	COPTS += -DHAVE_DNSSEC
-endif
-
-
-%:
-	# Ubuntu and derivates do not support runit, see
-	# https://bugs.debian.org/960401 for details.
-	if dpkg-vendor --derives-from Ubuntu; then \
-		dh $@; \
-	else \
-		dh $@ --with runit; \
-	fi
-
-# Upstream builds and installs in one go, so do we.
-override_dh_auto_build:
-
-override_dh_auto_install:
-	dh_auto_build -p dnsmasq-base --no-parallel -- install-i18n \
-		BUILDDIR=debian/auto-build/dnsmasq-base \
-		DESTDIR=$(CURDIR)/debian/dnsmasq-base \
-		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
-		COPTS="$(COPTS)"
-	dh_auto_build -p dnsmasq-base-lua --no-parallel -- install-i18n \
-		BUILDDIR=debian/auto-build/dnsmasq-base-lua \
-		DESTDIR=$(CURDIR)/debian/dnsmasq-base-lua \
-		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
-		LUA=lua5.4 COPTS="$(COPTS) -DHAVE_LUASCRIPT"
-	dh_auto_build -p dnsmasq-utils -D contrib/lease-tools
-
-override_dh_auto_clean:
-	dh_auto_clean -p dnsmasq-base -- \
-		BUILDDIR=debian/auto-build/dnsmasq-base
-	dh_auto_clean -p dnsmasq-base-lua -- \
-		BUILDDIR=debian/auto-build/dnsmasq-base-lua
-	rm -rf debian/auto-build
-	dh_auto_clean -p dnsmasq-utils -D contrib/lease-tools
-
-override_dh_install:
-	dh_install -p dnsmasq-utils --sourcedir=contrib/lease-tools
-	dh_install --remaining-packages
-
-# If 'nodoc' is absent from DEB_BUILD_OPTIONS, Correct name or location of
-# some doc files.
-# We would prefer do this via dh-exec if it would support dh_installdocs.
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-execute_after_dh_installdocs:
-	for d in $(CURDIR)/debian/dnsmasq-base*/usr/share/doc/dnsmasq-base*; do \
-		cd $$d; \
-		mv readme README.Debian; \
-		mv CHANGELOG.archive changelog.archive; \
-		mkdir examples; \
-		mv dnsmasq.conf.example examples/; \
-	done
-endif
-
-# If 'nodoc' is present in DEB_BUILD_OPTIONS, drop the man pages already
-# installed by the upstream build script. Then, let dh_installman do what
-# else needs doing.
-override_dh_installman:
-ifneq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	rm -rf debian/dnsmasq-base*/usr/share/man
-endif
-	dh_installman -p dnsmasq-utils --sourcedir=contrib/lease-tools
-	dh_installman --remaining-packages

debian/source/format

@@ -1 +0,0 @@
-3.0 (quilt)

debian/systemd-helper

@@ -1,34 +0,0 @@
-#!/bin/sh
-
-. /usr/share/dnsmasq/init-system-common
-
-case "$1" in
-	checkconfig)
-		checkconfig
-		;;
-	start-resolvconf)
-		start_resolvconf
-		;;
-	stop-resolvconf)
-		stop_resolvconf
-		;;
-	exec)
-		# /run may be volatile, so we need to ensure that
-		# /run/dnsmasq exists here as well as in postinst
-		if [ ! -d /run/dnsmasq ]; then
-			mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || exit 2 ; }
-			chown dnsmasq:nogroup /run/dnsmasq || exit 2
-		fi
-		exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-			${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-			${MAILTARGET:+ -t ${MAILTARGET}} \
-			${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-			${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-			${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-			${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-			${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-			${CACHESIZE:+ -c ${CACHESIZE}} \
-			${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-			${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
-		;;
-esac

debian/systemd_howto

@@ -1,41 +0,0 @@
-HOWTO
-=====
-dnsmasq comes with the possibility to run multiple systemd service instances on the same machine.
-There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`.
-
-Additional service instances can be enabled via `systemctl enable dnsmasq@<instance name>.service` that use the configuration from `/etc/default/dnsmasq.<instance name>`.
-It is recommended to use a separate configuration file and directory for each instance.
-Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions.
-
-Example setup for an instance called "alt"
-#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf`
-#2 Directory `/etc/dnsmasq.alt.d`
-#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions:
-   * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory.
-     DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..."
-     CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
-   * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver.
-     DNSMASQ_EXCEPT="lo"
-  * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used:
-    DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..."
-    Additionally the main instance must be stopped from binding to interfaces that are used by other instances:
-    DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..."
-  * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used:
-    IGNORE_RESOLVCONF=yes
-#4 Enable additional instance via `systemctl enable dnsmasq@alt.service`
-#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service`
-
-
-
-TODO
-====
-#1 - Found shortcoming on 2019-03-10
-Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver.
-This may interfere with the wish to run an additional instance on a different port on the localhost addresses.
-My suggestion in the initial Debian report [1] was to specify an explicit variable for this.
-
-[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5
-
-
-#2 - Preferred configuration way
-Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface?  (while "lo" still has to be in DNSMASQ_EXCEPT as of now)

debian/tests/compile-time-options

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. debian/tests/functions
-
-check_compile_time_options

debian/tests/compile-time-options+lua

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. debian/tests/functions
-
-check_compile_time_options +lua

debian/tests/control

@@ -1,39 +0,0 @@
-Tests: compile-time-options
-Depends: dnsmasq,
-         dnsmasq-base,
-Restrictions: needs-root,
-              isolation-container,
-
-Tests: compile-time-options+lua
-Depends: dnsmasq,
-         dnsmasq-base-lua,
-Restrictions: needs-root,
-              isolation-container,
-
-Tests: get-address+query-dns+check-utils
-Depends: bind9,
-         bind9-dnsutils,
-         dnsmasq,
-         dnsmasq-base,
-         dnsmasq-utils,
-Restrictions: needs-root,
-              allow-stderr,
-              isolation-container,
-
-Tests: get-address+query-dns+lua+alt
-Depends: bind9,
-         bind9-dnsutils,
-         dnsmasq,
-         dnsmasq-base-lua,
-Restrictions: needs-root,
-              allow-stderr,
-              isolation-container,
-
-Tests: get-address+query-dns+sysv+alt
-Depends: bind9,
-         bind9-dnsutils,
-         dnsmasq,
-         dnsmasq-base,
-Restrictions: needs-root,
-              allow-stderr,
-              isolation-container,

debian/tests/functions

@@ -1,151 +0,0 @@
-# -*- shell-script -*-
-
-FUNCTIONS_DIR="debian/tests/functions.d"
-
-match_or_exit () {
-	file_to_match="$1"
-	pattern_file="$2"
-
-	while read line_to_match <&3 && read pattern_line <&4 ; do
-		if [ "${line_to_match##$pattern_line}" ]; then
-			echo '!!! MISMATCH !!!' >&2
-			echo "Line:    ${line_to_match}" >&2
-			echo "Pattern: ${pattern_line}" >&2
-			exit 1
-		fi;
-	done 3<"${file_to_match}" 4<"${pattern_file}"
-}
-
-linecount () {
-	wc -l $1 | cut -d' ' -f1
-}
-
-error_exit () {
-	echo "ERROR: $1"
-	exit 1
-}
-
-stop_dnsmasq_bind_networking () {
-	systemctl stop dnsmasq.service
-	systemctl stop named.service
-	systemctl stop networking.service
-}
-
-configure_and_start_networking () {
-	#Add interfaces needed for the test
-	cat ${FUNCTIONS_DIR}/add-to.interfaces >> /etc/network/interfaces
-	systemctl start networking.service
-}
-
-configure_and_start_bind () {
-	cp ${FUNCTIONS_DIR}/db.autopkg.test /etc/bind/
-	cat ${FUNCTIONS_DIR}/add-to.named.conf.local >> /etc/bind/named.conf.local
-	cp ${FUNCTIONS_DIR}/named.conf.options /etc/bind/named.conf.options
-	systemctl start named.service
-}
-
-configure_and_start_dnsmasq () {
-	alt_mode=0
-	lua_mode=0
-	sysv_mode=0
-	service='dnsmasq.service'
-	sysv_param2=''
-	conf_dir='/etc/dnsmasq.d'
-
-	while [ -n "$1" ]; do
-		case "$1" in
-			alt|lua|sysv) eval ${1}_mode=1 ;;
-			*) error_exit "configure_and_start_dnsmasq(): invalid flag '$1'"
-		esac
-		shift
-	done
-
-	if [ ${alt_mode} -eq 1 ]; then
-		cp ${FUNCTIONS_DIR}/dnsmasq.alt-autopkgtest.default /etc/default/dnsmasq.alt
-		cp /etc/dnsmasq.conf /etc/dnsmasq.alt.conf
-		mkdir /etc/dnsmasq.alt.d
-		service='dnsmasq@alt.service'
-		sysv_param2='alt'
-		conf_dir='/etc/dnsmasq.alt.d'
-	fi
-
-	cp ${FUNCTIONS_DIR}/dnsmasq-autopkgtest.conf "${conf_dir}"
-
-	if [ ${lua_mode} -eq 1 ]; then
-		mkdir -p /usr/local/share/dnsmasq
-		cp ${FUNCTIONS_DIR}/log.lua /usr/local/share/dnsmasq/
-		echo "dhcp-luascript=/usr/local/share/dnsmasq/log.lua\n" \
-			>>"${conf_dir}"/dnsmasq-autopkgtest.conf
-	fi
-
-	if [ ${sysv_mode} -eq 1 ]; then
-		SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq start "${sysv_param2}"
-	else
-		systemctl enable "${service}"
-		systemctl start "${service}"
-	fi
-}
-
-check_compile_time_options () {
-	journalctl -b -u dnsmasq
-	echo ~~~ Check compile time options...
-	journalctl -b -u dnsmasq -g '[a-z]+: ' --output cat >options.msg
-	cat options.msg
-	match_or_exit options.msg ${FUNCTIONS_DIR}/options${1}.patterns
-}
-
-get_address_on_veth1_and_check_the_result () {
-	echo ~~~ Get an address on veth1 and check the result...
-	ip netns exec clientnet ifup veth1
-	ip netns exec clientnet ip addr show dev veth1 >ip-addr.out 2>&1
-	cat ip-addr.out
-	match_or_exit ip-addr.out ${FUNCTIONS_DIR}/ip-addr.patterns
-}
-
-query_test_zone_records_and_check_the_result () {
-	echo ~~~ Query some test zone records and check the result...
-	ip netns exec clientnet dig +short SOA autopkg.test >dig.out 2>&1
-	ip netns exec clientnet dig +short NS autopkg.test >>dig.out 2>&1
-	ip netns exec clientnet dig +short A ns.autopkg.test >>dig.out 2>&1
-	ip netns exec clientnet dig +short A dhcp3.autopkg.test >>dig.out 2>&1
-	cat dig.out
-	if [ `linecount dig.out` -ne `linecount ${FUNCTIONS_DIR}/dig.patterns` ] ; then
-		error_exit 'empty or unexpected output'
-	fi
-	match_or_exit dig.out ${FUNCTIONS_DIR}/dig.patterns
-}
-
-check_utils () {
-	#Test dhcp_lease_time and dhcp_release
-	leases_file='/var/lib/misc/dnsmasq.leases'
-	client_ip_address=`cut -d' ' -f3 $leases_file`
-	client_mac_address=`cut -d' ' -f2 $leases_file`
-	echo ~~~ Test dhcp_lease_time...
-	if ! dhcp_lease_time $client_ip_address; then
-		error_exit "'dhcp_lease_time $client_ip_address' failed with return code $?"
-	else
-		#Add \n to dhcp_lease_time's output
-		echo ''
-	fi
-	echo ~~~ Test dhcp_release...
-	cat $leases_file
-	if ! dhcp_release veth0 $client_ip_address 1-$client_mac_address; then
-		error_exit "'dhcp_release veth0 $client_ip_address 1-$client_mac_address' failed with return code $?0"
-	fi
-	if [ -n "`cat $leases_file`" ]; then
-		cat $leases_file
-		error_exit "$leases_file is not empty"
-	fi
-}
-
-check_lua_log () {
-	log_file='/var/log/dnsmasq-lua.log'
-	echo ~~~ Check log file generated by lua script
-	ls -l ${log_file}
-	if [ -s ${log_file} ]; then
-		cat ${log_file}
-		match_or_exit ${log_file} ${FUNCTIONS_DIR}/log.patterns
-	else
-		error_exit "${log_file} is empty"
-	fi
-}

debian/tests/functions.d/add-to.interfaces

@@ -1,18 +0,0 @@
-
-auto dummy0
-iface dummy0 inet static
-    pre-up ip link add dummy0 type dummy
-    address 192.168.141.1
-    netmask 255.255.255.248
-    post-down ip link del dummy0
-
-auto veth0
-iface veth0 inet static
-    pre-up ip netns add clientnet
-    pre-up ip link add veth0 type veth peer veth1 netns clientnet
-    address 192.168.142.1
-    netmask 255.255.255.248
-    post-down ip link del veth0
-    post-down ip netns del clientnet
-
-iface veth1 inet dhcp

debian/tests/functions.d/add-to.named.conf.local

@@ -1,2 +0,0 @@
-zone "autopkg.test"      { type master; file "/etc/bind/db.autopkg.test"; };
-

debian/tests/functions.d/db.autopkg.test

@@ -1,18 +0,0 @@
-$TTL    604800
-@       IN      SOA     ns.autopkg.test. hostmaster.autopkg.test. (
-                              2         ; Serial
-                         604800         ; Refresh
-                          86400         ; Retry
-                        2419200         ; Expire
-                            300 )       ; Negative Cache TTL
-;
-@	IN	NS	ns
-ns	IN	A	192.168.141.1
-host	IN	A	192.168.142.1
-dhcp0	IN	A	192.168.142.2
-dhcp1	IN	A	192.168.142.3
-dhcp2	IN	A	192.168.142.4
-dhcp3	IN	A	192.168.142.5
-dhcp4	IN	A	192.168.142.6
-brdcst	IN	A	192.168.142.7
-

debian/tests/functions.d/dig.patterns

@@ -1,4 +0,0 @@
-ns.autopkg.test. hostmaster.autopkg.test. 2 604800 86400 2419200 300
-ns.autopkg.test.
-192.168.141.1
-192.168.142.5

debian/tests/functions.d/dnsmasq-autopkgtest.conf

@@ -1,6 +0,0 @@
-no-resolv
-server=/autopkg.test/192.168.141.1
-listen-address=192.168.142.1,127.0.0.1
-bind-interfaces
-dhcp-range=192.168.142.2,192.168.142.6
-dhcp-authoritative

debian/tests/functions.d/dnsmasq.alt-autopkgtest.default

@@ -1,42 +0,0 @@
-# This file has six functions:
-# 1) to completely disable starting this dnsmasq instance
-# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
-# 3) to select an alternative config file
-#    by setting DNSMASQ_OPTS to --conf-file=<file>
-# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
-#    more configuration variables.
-# 5) to stop the resolvconf package from controlling dnsmasq's
-#    idea of which upstream nameservers to use.
-# 6) to avoid using this dnsmasq instance as the system's default resolver
-#    by setting DNSMASQ_EXCEPT="lo"
-# For upgraders from very old versions, all the shell variables set
-# here in previous versions are still honored by the init script
-# so if you just keep your old version of this file nothing will break.
-
-#DOMAIN_SUFFIX=`dnsdomainname`
-DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt.conf"
-
-# The dnsmasq daemon is run by default conforming to the Debian Policy.
-# To disable the service,
-# for SYSV init, use "update-rc.d dnsmasq disable",
-# for systemd, use "systemctl disable dnsmasq".
-
-# By default search this drop directory for configuration options.
-# Libvirt leaves a file here to make the system dnsmasq play nice.
-# Comment out this line if you don't want this. The dpkg-* are file
-# endings which cause dnsmasq to skip that file. This avoids pulling
-# in backups made by dpkg.
-CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
-
-# If the resolvconf package is installed, dnsmasq will use its output
-# rather than the contents of /etc/resolv.conf to find upstream
-# nameservers. Uncommenting this line inhibits this behaviour.
-# Note that including a "resolv-file=<filename>" line in
-# /etc/dnsmasq.conf is not enough to override resolvconf if it is
-# installed: the line below must be uncommented.
-#IGNORE_RESOLVCONF=yes
-
-# If the resolvconf package is installed, dnsmasq will tell resolvconf
-# to use dnsmasq under 127.0.0.1 as the system's default resolver.
-# Uncommenting this line inhibits this behaviour.
-#DNSMASQ_EXCEPT="lo"

debian/tests/functions.d/ip-addr.patterns

@@ -1,6 +0,0 @@
-?: veth1@if?: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
-    link/ether ??:??:??:??:??:?? brd ff:ff:ff:ff:ff:ff link-netnsid 0
-    inet 192.168.142.?/29 brd 192.168.142.7 scope global dynamic veth1
-       valid_lft 3[56][0-9][0-9]sec preferred_lft 3[56][0-9][0-9]sec
-    inet6 fe80::*:*:*:*/64 scope link*
-       valid_lft forever preferred_lft forever

debian/tests/functions.d/log.lua

@@ -1,40 +0,0 @@
--- Lua script logging calls from dnsmasq
-
--- Open the log file in append mode 
-logfile = assert(io.open("/var/log/dnsmasq-lua.log", "a"))
-
--- Prepend date and time to a string and write the result to the log file
-function __log(str)
-	logfile:write(os.date("!%FT%TZ ")..str.."\n")
-end
-
--- flush the log file
-function __flush_log()
-	logfile:flush()
-end
-
--- Log a call to init()
-function init()
-	__log("initialising")
-	__flush_log()
-end
-
--- Log a call to shutdown()
-function shutdown()
-	__log("shutting down")
-	__flush_log()
-end
-
--- Log a call to lease() including all arguments
-function lease(operation, params)
-	local lines = {}
-	__log(operation.." lease")
-	for key,value in pairs(params) do
-		table.insert(lines, key..": "..value)
-	end
-	table.sort(lines)
-	for index,line in ipairs(lines) do
-		__log("\t"..line)
-	end
-	__flush_log()
-end

debian/tests/functions.d/log.patterns

@@ -1,10 +0,0 @@
-????-??-??T??:??:??Z initialising
-????-??-??T??:??:??Z add lease
-????-??-??T??:??:??Z 	client_id: ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??
-????-??-??T??:??:??Z 	data_missing: 1.0
-????-??-??T??:??:??Z 	hostname: ?*
-????-??-??T??:??:??Z 	interface: veth0
-????-??-??T??:??:??Z 	ip_address: 192.168.142.[2-6]
-????-??-??T??:??:??Z 	lease_expires: [1-9]*
-????-??-??T??:??:??Z 	mac_address: ??:??:??:??:??:??
-????-??-??T??:??:??Z 	time_remaining: 3600.0

debian/tests/functions.d/named.conf.options

@@ -1,6 +0,0 @@
-options {
-        directory "/var/cache/bind";
-        listen-on { 192.168.141.1; };
-        recursion no;
-};
-

debian/tests/functions.d/options+lua.patterns

@@ -1 +0,0 @@
-*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/functions.d/options.patterns

@@ -1 +0,0 @@
-*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/get-address+query-dns+check-utils

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. debian/tests/functions
-
-stop_dnsmasq_bind_networking
-configure_and_start_networking
-configure_and_start_bind
-configure_and_start_dnsmasq
-
-get_address_on_veth1_and_check_the_result
-
-query_test_zone_records_and_check_the_result
-
-check_utils
-
-#Done
-echo Looks good.

debian/tests/get-address+query-dns+lua+alt

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. debian/tests/functions
-
-stop_dnsmasq_bind_networking
-configure_and_start_networking
-configure_and_start_bind
-configure_and_start_dnsmasq lua alt
-
-get_address_on_veth1_and_check_the_result
-
-query_test_zone_records_and_check_the_result
-
-check_lua_log
-
-#Done
-echo Looks good.

debian/tests/get-address+query-dns+sysv+alt

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. debian/tests/functions
-
-stop_dnsmasq_bind_networking
-configure_and_start_networking
-configure_and_start_bind
-configure_and_start_dnsmasq sysv alt
-
-get_address_on_veth1_and_check_the_result
-
-query_test_zone_records_and_check_the_result
-
-#Done
-echo Looks good.
-SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq stop alt

debian/upstream/metadata

@@ -1,9 +0,0 @@
-Cite-As: dnsmasq
-Contact: simon@thekelleys.org.uk
-Security-Contact: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
-Repository: https://thekelleys.org.uk/git/dnsmasq.git
-Repository-Browse: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary
-Changelog: https://thekelleys.org.uk/dnsmasq/CHANGELOG
-Documentation: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
-FAQ: https://thekelleys.org.uk/dnsmasq/docs/FAQ
-Bug-Submit: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

debian/upstream/signing-key.asc

@@ -1,63 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o
-/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5
-KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR
-on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg
-cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg
-KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g
-0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE
-0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy
-MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk
-CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50
-uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB
-tB1TaW1vbiBLZWxsZXkgPHNya0BkZWJpYW4ub3JnPokCNwQTAQgAIQUCUyDDdAIb
-AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAVzdpq4ZE1oqFGD/9LkbZFigc1
-jbZ5zIbmGkGvfniWp1mJhEcpgKNfb2MMiu1lKULccIvfVyIY5WDrrpoPnHLnhYA9
-OXHcwVADGBayoVOQgIePrMV0V24uYjUh9+9zGRwQrCLo0rl/l07GKH0S1dxDUeyh
-JRYZGYEqW2+3XDJqIbfsDzSmPNCyjVvqSvkkt0YyuNbH0+cVEoJ1Q2HmfEhvgd4L
-lHZDyhMVqKlKmlnCa8DmhwK+EyzJgLKITqjxBO3NOqPmYZlp8irLXyHAH1sDafaB
-wRjV9cNX2TLTwn3wDdUmoAwMz1jopi/61A0kEglENYaa+NH/UnqfWOo7riXuZNwG
-VP/F/KlMV+JdXMY34fcSIQMWk9cpxzhpuOJjwhoK7g/yq8q9578QXv4VR6ndH+Le
-HDRrm2Ftnih/Ut8unqqDteMJnd3YxSK3Ep78WgVBL9y2Qo3CyKY6VSXlshWZokwy
-rwVS8uLqIGAUzLwsKTYi1nmsDb7mQZqUbPBxYN2mrroD7Pr1/XAV8oNxw6l84nzf
-zObEKvNZLFtWctNpFJXhWhtm/AeQBdkYKcMyTrwQt9Q0XMYKUGE05U+oAdtTvgCR
-JLltqzmt5yMpTPncNmXVoA5YvEVdCU6/Gxpn3Aea8ckBmIqxxQY1QFdEr2nvxPNA
-SbkvHDNDr9XUlKQDqjherurKBIBEiKCMnLQmU2ltb24gS2VsbGV5IDxzaW1vbkB0
-aGVrZWxsZXlzLm9yZy51az6JAjoEEwEIACQCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
-HgECF4AFAlMgw44CGQEACgkQFc3aauGRNaLaZg/+PR41J3P7omGv6XD+TiAXfJQo
-R5RfzQoeLNUQEnir/XBulg45203cYHEurchEhSTn2f4WVtFgxJrgId7XGYdf8oIZ
-IjBd82fpwdMwhbfcv/6iqzWL0+2vaPmBqE7iwDTatI888q5TyXppGe8L5/VjX0aB
-vmVIPyEE9BFQas+vv5byUkU542FxPApGsv0W0P1pKabLl0F7ItPFPuaD0+K1kwBr
-WbuGhBKMV9jGHB4qdX/21FBczgAf3J9yJ22vm6orCwwhptxde+DSn7vqZNjDtHGr
-kUWDzKAQBy1g4BmTl6IoVgYKZXAVBGMtYUjS+80VV+QE9meVqmtX1aJJEnf0/BRd
-v9CeD46hZArwXwi/AWFs300pEfzwcC+9T5xc3jlSdYdWxeQDV7XwK2VCOhxjFqTm
-+ehP2Gh14Wfpc34jN9jMJ3OowxzN5iZxGYzkHLFhM+0IKEeWEjxRWOoJgV5PmNvG
-7IBbzt8O9xo550h7JmXZVsfSpkFpzJPy0Puz1JeyH/niCeDwKkhEHXQTk/4O+EOD
-RxruJbwIYGeO2lNfPn2Hcb1aHvSclx7GGOYDzI4jN0UcYroJpvHZU+0X2ClpCTAW
-5IshgHkOkdUQ1c7S+5zPTeLbW+pxTlbWClA0NYMbSn68//i/DMstyBEwtTWYJLmg
-5V3HWzRd/6BwKZfDSuu5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZE
-gKNlcMuYzhheQLgu/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG
-0OLxzSgwei9DiGeNEgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot
-+XC70R9prWLeyKSh0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc
-9IbcmYIDgNU3RybK2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3
-Xyk/wfKVJz6OouiJjTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTs
-uU+eVpJbxU6y8N+nXpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9
-lZ5J7znq5gEmiMXnG9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQi
-YyEtMZvbOMH/uECi2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStj
-aKXcecduE/v5iO0mOYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzau
-N4kALDx6WltFu3qUvoD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIU
-w1fr9kLEmo29ABEBAAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+
-PXuaM6JHuudLycmB0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQ
-srDUBbH74y+WaA4ldwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXz
-i1WWSHIwDvaj3uZ9CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQ
-wGTGF4cQ0IvTkhCo6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTj
-dXTalnO8wColwIx5FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3M
-zO6zAyogqJhAiBFjnRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc
-582kjeGmwdZgWFA4BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAF
-f7Ne+Z0feG/8GgKl5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJ
-z2KUe0BjtO6VFFw0xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7F
-hH8Bdby0y4SoqluvHbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFw
-GMqMCNDTEL7ESiFaFhSXkmzzVntlyvOBMlgz3IGh2hA=
-=otES
------END PGP PUBLIC KEY BLOCK-----

debian/watch

@@ -1,5 +0,0 @@
-version=4
-opts=\
-pgpmode=auto \
-https://thekelleys.org.uk/dnsmasq/ \
-dnsmasq-([\d.]+)@ARCHIVE_EXT@

dnsmasq.conf.example

@@ -27,8 +27,8 @@
 
 # Replies which are not DNSSEC signed may be legitimate, because the domain
 # is unsigned, or may be forgeries. Setting this option tells dnsmasq to
-# check that an unsigned reply is OK, by finding a secure proof that a DS 
-# record somewhere between the root and the domain does not exist. 
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
 # The cost of setting this is that even queries in unsigned domains will need
 # one or more extra DNS queries to verify.
 #dnssec-check-unsigned
@@ -193,11 +193,11 @@
 #dhcp-range=1234::2, 1234::500, 64, 12h
 
 # Do Router Advertisements, BUT NOT DHCP for this subnet.
-#dhcp-range=1234::, ra-only 
+#dhcp-range=1234::, ra-only
 
 # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
-# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
-# hosts. Use the DHCPv4 lease to derive the name, network segment and 
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
 # MAC address and assume that the host will also have an
 # IPv6 address calculated using the SLAAC algorithm.
 #dhcp-range=1234::, ra-names
@@ -220,9 +220,9 @@
 #dhcp-range=1234::, ra-stateless, ra-names
 
 # Do router advertisements for all subnets where we're doing DHCPv6
-# Unless overridden by ra-stateless, ra-names, et al, the router 
+# Unless overridden by ra-stateless, ra-names, et al, the router
 # advertisements will have the M and O bits set, so that the clients
-# get addresses and configuration from DHCPv6, and the A bit reset, so the 
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
 # clients don't use SLAAC addresses.
 #enable-ra
 
@@ -295,11 +295,11 @@
 # any machine with Ethernet address starting 11:22:33:
 #dhcp-host=11:22:33:*:*:*,set:red
 
-# Give a fixed IPv6 address and name to client with 
+# Give a fixed IPv6 address and name to client with
 # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
 # Note also that the [] around the IPv6 address are obligatory.
-#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
 
 # Ignore any clients which are not specified in dhcp-host lines
 # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
@@ -355,7 +355,7 @@
 # Send DHCPv6 option. Note [] around IPv6 addresses.
 #dhcp-option=option6:dns-server,[1234::77],[1234::88]
 
-# Send DHCPv6 option for namservers as the machine running 
+# Send DHCPv6 option for namservers as the machine running
 # dnsmasq and another.
 #dhcp-option=option6:dns-server,[::],[1234::88]
 
@@ -560,7 +560,7 @@
 # Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
 # In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
 # option with a DHCPACK including a Rapid Commit option and fully committed address
-# and configuration information. This must only be enabled if either the server is 
+# and configuration information. This must only be enabled if either the server is
 # the only server for the subnet, or multiple servers are present and they each
 # commit a binding for all clients.
 #dhcp-rapid-commit

doc.html

@@ -95,7 +95,5 @@ a contribution towards my expenses, please use the donation button below.
 <input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
 <img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
 </form>
-
-
 </BODY>
-
+</HTML>

man/dnsmasq.8

@@ -1,4 +1,4 @@
-.TH DNSMASQ 8 2021-08-16
+.TH DNSMASQ 8 2025-02-05
 .SH NAME
 dnsmasq \- A lightweight DHCP and caching DNS server.
 .SH SYNOPSIS
@@ -114,7 +114,8 @@ which defaults to 1000ms. If the second parameter is given this controls
 how long the retries will continue for
 otherwise this defaults to 10000ms. Retries are repeated with exponential
 backoff. Using this option increases memory usage and
-network bandwidth.
+network bandwidth. If not otherwise configured, this option is activated
+with the default parameters when \fB--dnssec\fP is set.
 .TP
 .B \-k, --keep-in-foreground
 Do not go into the background at startup but otherwise run as
@@ -133,7 +134,8 @@ only, to stop dnsmasq daemonising in production, use
 Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
 .B --log-queries=extra
 then the log has extra information at the start of each line.
-This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
+This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor. If the argument "proto" is supplied, this shows everything that "extra" does and also the network protocol used to communicate the queries. Logging of only queries to the authoritative server can be configured with
+.B --log-queries=auth
 .TP
 .B \-8, --log-facility=<facility>
 Set the facility to which dnsmasq will send syslog entries, this
@@ -344,6 +346,10 @@ Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192
 which are not found in /etc/hosts or the DHCP leases file are answered
 with "no such domain" rather than being forwarded upstream. The 
 set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6.
+Enabling this also subtly alters DNSSEC validation for reverse lookups in the
+private ranges such that a non-secure DS record is accepted as proof that
+the range is not signed. This works around behaviour by the public DNS services
+which seem not to return validated proof-of-non-existence for DS records in these domains.
 .TP
 .B \-V, --alias=[<old-ip>]|[<start-ip>-<end-ip>],<new-ip>[,<mask>]
 Modify IPv4 addresses returned from upstream nameservers; old-ip is
@@ -386,7 +392,11 @@ Remove A records from answers. No IPv4 addresses will be returned.
 Remove AAAA records from answers. No IPv6 addresses will be returned.
 .TP
 .B --filter-rr=<rrtype>[,<rrtype>...]
-Remove records of the specified type(s) from answers.
+Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has
+a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME
+records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks
+(replies to ANY queries can be large) this defangs such attacks, whilst still supporting the
+one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.
 .TP
 .B --cache-rr=<rrtype>[,<rrtype>...]
 By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.
@@ -493,10 +503,7 @@ xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag
 .B --server=/internal.thekelleys.org.uk/192.168.1.1
 will send all queries for
 internal machines to that nameserver, everything else will go to the
-servers in /etc/resolv.conf. DNSSEC validation is turned off for such
-private nameservers, UNLESS a
-.B --trust-anchor
-is specified for the domain in question. An empty domain specification,
+servers in /etc/resolv.conf. An empty domain specification,
 .B // 
 has the special meaning of "unqualified names only" ie names without any
 dots in them. A non-standard port may be specified as 
@@ -666,7 +673,7 @@ machine on which dnsmasq is running) for each
 local machine. Local machines are those in /etc/hosts or with DHCP
 leases.
 .TP
-.B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
+.B \-W, --srv-host=<_service>.<_prot>[.<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
 Return a SRV DNS record. See RFC2782 for details. If not supplied, the
 domain defaults to that given by
 .B --domain.
@@ -764,19 +771,18 @@ results in the name internal-0.thekelleys.org.uk. returning 192.168.0.50, intern
 Second, 
 .B --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal- (no *)
 will result in a query for internal-192-168-0-56.thekelleys.org.uk returning
-192.168.0.56 and a reverse query vice versa. The same applies to IPv6,
-but IPv6 addresses may start with '::'
-but DNS labels may not start with '-' so in this case if no prefix is
-configured a zero is added in front of the label. ::1 becomes 0--1.
-
-V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
+192.168.0.56 and a reverse query vice versa. The same applies to IPv6;
+the representation doesn't use the :: compression feature or
+the special representation of V4 mapped IPv6 addresses as these
+can generate illegal domain names, so all domains are of the form
+internal-1000-0000-0000-0000-0000-0000-0000-0008.example.com
 
 The address range can be of the form
 <start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses
 must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use.
 .TP
 .B --dumpfile=<path/to/file>
-Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
+Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. The file may be a named-pipe which Wireshark is listening to.
 .TP
 .B --dumpmask=<mask>
 Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in  the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
@@ -848,6 +854,18 @@ name on successive queries, for load-balancing. This turns off that
 behaviour, so that the records are always returned in the order
 that they are received from upstream.
 .TP
+.B --do-0x20-encode, --no-0x20-encode
+Dnsmasq can scramble the case of letters in DNS queries it sends upstream as a security feature.
+This technique can interact badly with rare broken DNS servers which don't preserve the case
+of the query in their reply. The first time a reply is returned
+which matches the query in all respects except case, a warning
+will be logged. If this coincides with DNS not functioning, it
+is necessary to disable the feature. As at version 2.91, 0x20 encoding
+is disabled by default, and must be enabled with --do-0x20-encode. The default
+may change in the future, so to be sure of its status after an upgrade, set --do-0x20-encode
+or --no-0x20-encode in your config. --no-0x20-encode overrides --do-x20-encode or a future default
+0x20-encode enable.
+.TP
 .B --use-stale-cache[=<max TTL excess in s>]
 When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the
 data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense
@@ -860,7 +878,7 @@ Set the maximum number of concurrent DNS queries. The default value is
 150, which should be fine for most setups. The only known situation
 where this needs to be increased is when using web-server log file
 resolvers, which can generate large numbers of concurrent queries. This
-parameter actually controls the number of concurrent queries per server group, where a server group is the set of server(s) associated with a single domain. So if a domain has it's own server via --server=/example.com/1.2.3.4 and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected. On configurations with many such server groups and tight resources, this value may need to be reduced.
+parameter actually controls the number of concurrent queries per server group, where a server group is the set of server(s) associated with a single domain. So if a domain has its own server via --server=/example.com/1.2.3.4 and 1.2.3.4 is not responding, but queries for *.example.com cannot go elsewhere, then other queries will not be affected. On configurations with many such server groups and tight resources, this value may need to be reduced.
 .TP
 .B --dnssec
 Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the 
@@ -878,12 +896,15 @@ ie capable of returning DNSSEC records with data. If they are not,
 then dnsmasq will not be able to determine the trusted status of
 answers and this means that DNS service will be entirely broken.
 .TP
-.B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
+.B --trust-anchor=<domain>,[<class>,][<key-tag>,<algorithm>,<digest-type>,<digest>]
 Provide DS records to act a trust anchors for DNSSEC
-validation. Typically these will be the DS record(s) for Key Signing
+validation. The class defaults to IN. Typically these will be the DS record(s) for Key Signing
 key(s) (KSK) of the root zone,
-but trust anchors for limited domains are also possible. The current
-root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml 
+but trust anchors for limited domains are also possible.
+A negative trust anchor (ie. proof that a DS record doesn't exist) may be configured be specifying
+only the name or only the name and class. This can be useful for forcing dnsmasq to treat zones delegated
+using \fB--server=/<domain>/<ip-address>\fP as unsigned. The current
+root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml
 .TP
 .B --dnssec-check-unsigned[=no]
 As a default, dnsmasq checks that unsigned DNS replies are
@@ -897,7 +918,7 @@ fast.
 
 Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used 
 .B --dnssec-check-unsigned
-to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
+to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possibility of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
 .TP
 .B --dnssec-no-timecheck
 DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
@@ -927,6 +948,15 @@ Authenticated Data bit correctly in all cases is not technically possible. If th
 when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
 within dnsmasq is a better option. See --dnssec for details.
 .TP
+.B --dnssec-limits=<limit>[,<limit>.......]
+Override the default resource limits applied to DNSSEC validation. Cryptographic operations are expensive and crafted domains
+can DoS a DNSSEC validator by forcing it to do hundreds of thousands of such operations. To avoid this, the dnsmasq validation code
+applies limits on how much work will be expended in validation. If any of the limits are exceeded, the validation will fail and the
+domain treated as BOGUS. There are four limits, in order(default values in parens): number a signature validation fails per RRset(20), number of signature validations and
+hash computations per query(200), number of sub-queries to fetch DS and DNSKEY RRsets per query(40), and the number of iterations in a NSEC3 record(150).
+The maximum values reached during validation are stored, and dumped as part of the stats generated by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so
+\fB--dnssec-limits=0,0,20\fP sets the number of sub-queries to 20 whilst leaving the other limits at default values.
+.TP
 .B --dnssec-debug
 Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, 
 and don't convert replies which do not validate to responses with
@@ -1167,7 +1197,7 @@ the appropriate network part inserted. For IPv6, an address may include a prefix
 which (in this case) specifies four addresses, 1234::50 to 1234::53. This (an the ability
 to specify multiple addresses) is useful
 when a host presents either a consistent name or hardware-ID, but varying DUIDs, since it allows
-dnsmasq to honour the static address allocation but assign a different adddress for each DUID. This
+dnsmasq to honour the static address allocation but assign a different address for each DUID. This
 typically occurs when chain netbooting, as each stage of the chain gets in turn allocates an address.
 
 Note that in IPv6 DHCP, the hardware address may not be
@@ -1175,7 +1205,7 @@ available, though it normally is for direct-connected clients, or
 clients using DHCP relays which support RFC 6939.
 
 
-For DHCPv4, the  special option id:* means "ignore any client-id 
+For DHCPv4, the special option \fBid:*\fP means "ignore any client-id 
 and use MAC addresses only." This is useful when a client presents a client-id sometimes 
 but not others.
 
@@ -1203,36 +1233,34 @@ the result is undefined. A corollary to this is that the name associated with a
 does not appear in the DNS until the host obtains a DHCP lease.
 
 
-The special keyword "ignore"
-tells dnsmasq to never offer a DHCP lease to a machine. The machine
-can be specified by hardware address, client ID or hostname, for
-instance
-.B --dhcp-host=00:20:e0:3b:13:af,ignore
-This is
-useful when there is another DHCP server on the network which should
+The special keyword \fBignore\fP tells dnsmasq never to offer a DHCP lease
+to a machine. The machine
+can be specified by hardware address, client ID or hostname. For
+example: \fB--dhcp-host=00:20:e0:3b:13:af,ignore\fP. 
+This can be useful when there is another DHCP server on the network which should
 be used by some machines.
 
-The set:<tag> construct sets the tag
+The \fBset:<tag>\fP construct sets the tag
 whenever this \fB--dhcp-host\fP directive is in use. This can be used to
 selectively send DHCP options just for this host. More than one tag
 can be set in a \fB--dhcp-host\fP directive (but not in other places where
-"set:<tag>" is allowed). When a host matches any
+\fBset:<tag>\fP is allowed). When a host matches any
 \fB--dhcp-host\fP directive (or one implied by /etc/ethers) then the special
-tag "known" is set. This allows dnsmasq to be configured to
+tag \fBknown\fP is set. This allows dnsmasq to be configured to
 ignore requests from unknown machines using
-.B --dhcp-ignore=tag:!known
+\fB--dhcp-ignore=tag:!known\fP.
 If the host matches only a \fB--dhcp-host\fP directive which cannot
-be used because it specifies an address on different subnet, the tag "known-othernet" is set.
+be used because it specifies an address on a different subnet, the tag \fBknown-othernet\fP is set.
 
-The tag:<tag> construct filters which dhcp-host directives are used; more than
-one can be provided, in this case the request must match all of them. Tagged
+The \fBtag:<tag>\fP construct filters which dhcp-host directives are used. More than
+one tag can be provided. In this case, the request must match all tags. Tagged
 directives are used in preference to untagged ones. Note that one of <hwaddr>,
-<client_id> or <hostname> still needs to be specified (can be a wildcard).
+<client_id> or <hostname> still must be specified (can be a wildcard).
 
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
-will cause dnsmasq to ignore a range of hardware addresses. Note that
+will cause dnsmasq to ignore the given range of hardware addresses. Note that
 the "*" will need to be escaped or quoted on a command line, but not
 in the configuration file.
 
@@ -1246,11 +1274,11 @@ is 6.
 
 As a special case, in DHCPv4, it is possible to include more than one
 hardware address. eg:
-.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+\fB--dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2\fP.
 This allows an IP address to be associated with
 multiple hardware addresses, and gives dnsmasq permission to abandon a
 DHCP lease to one of the hardware addresses when another one asks for
-a lease. Beware that this is a dangerous thing to do, it will only
+a lease. Beware that this is a dangerous thing to do: it will only
 work reliably if only one of the hardware addresses is active at any
 time and there is no way for dnsmasq to enforce this. It is, for instance,
 useful to allocate a stable IP address to a laptop which
@@ -1297,31 +1325,29 @@ options containing the same information. /etc/ethers is re-read when
 dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
 .TP
 .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
-Specify different or extra options to DHCP clients. By default,
+Send various extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
 the DNS server and default route are set to the address of the machine
 running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
 This configuration allows these defaults to be overridden,
-or other options specified. The option, to be sent may be given as a
-decimal number or as "option:<option-name>" The option numbers are
+or other options specified. The option to be sent may be given as a
+decimal number or as \fBoption:<option-name>\fP. 
+
+Option numbers are
 specified in RFC2132 and subsequent RFCs. The set of option-names
-known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
-For example, to set the default route option to 
-192.168.4.4, do 
-.B --dhcp-option=3,192.168.4.4 
-or
-.B --dhcp-option = option:router, 192.168.4.4
-and to set the time-server address to 192.168.0.4, do
-.B --dhcp-option = 42,192.168.0.4 
-or 
-.B --dhcp-option = option:ntp-server, 192.168.0.4
-The special address 0.0.0.0 is taken to mean "the address of the
-machine running dnsmasq".
+known by dnsmasq can be discovered by running \fBdnsmasq --help dhcp\fP.
+For example, to set the default route option to 192.168.4.4, use 
+\fB--dhcp-option=3,192.168.4.4\fP or 
+\fB--dhcp-option=option:router,192.168.4.4\fP 
+and to set the time-server address to 192.168.0.4, use
+\fB--dhcp-option=42,192.168.0.4\fP or
+\fB--dhcp-option=option:ntp-server,192.168.0.4\fP.
+The special address 0.0.0.0 means "the address of the system running dnsmasq".
 
 An option without data is valid, and includes just the option without data.
 (There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
-provides default values can be ommitted by defining the option with no data. These are
+provides default values can be omitted by defining the option with no data. These are
 netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
 .B --dhcp-option = option:router
 will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
@@ -1338,30 +1364,29 @@ to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
 which are followed by a slash and then a netmask size are encoded as
 described in RFC 3442.
 
-IPv6 options are specified using the 
-.B option6:
+IPv6 options are specified using the \fBoption6:\fP
 keyword, followed by the option number or option name. The IPv6 option
 name space is disjoint from the IPv4 option name space. IPv6 addresses
 in options must be bracketed with square brackets, eg. 
-.B --dhcp-option=option6:ntp-server,[1234::56]
+\fB --dhcp-option=option6:ntp-server,[1234::56]\fP. 
 For IPv6, [::] means "the global address of
 the machine running dnsmasq", whilst [fd00::] is replaced with the
 ULA, if it exists, and [fe80::] with the link-local address.
 
-Be careful: no checking is done that the correct type of data for the
-option number is sent, it is quite possible to
-persuade dnsmasq to generate illegal DHCP packets with injudicious use
-of this flag. When the value is a decimal number, dnsmasq must determine how 
+Be careful: data-type suitability for the option number sent is not checked.
+It is quite possible to persuade dnsmasq to generate illegal DHCP packets with
+injudicious use of this flag. 
+When the value is a decimal number, dnsmasq must determine how 
 large the data item is. It does this by examining the option number and/or the
 value, but can be overridden by appending a single letter flag as follows:
 b = one byte, s = two bytes, i = four bytes. This is mainly useful with 
 encapsulated vendor class options (see below) where dnsmasq cannot
-determine data size from the  option number. Option data which
+determine data size from the option number. Option data which
 consists solely of periods and digits will be interpreted by dnsmasq
 as an IP address, and inserted into an option as such. To force a
 literal string, use quotes. For instance when using option 66 to send
-a literal IP address as TFTP server name, it is necessary to do
-.B --dhcp-option=66,"1.2.3.4"
+a literal IP address as TFTP server name, it is necessary to do 
+\fB--dhcp-option=66,"1.2.3.4"\fP.
 
 Encapsulated Vendor-class options may also be specified (IPv4 only) using
 \fB--dhcp-option\fP: for instance
@@ -1382,7 +1407,7 @@ Options may be encapsulated (IPv4 only) within other options: for instance
 will send option 175, within which is the option 190. If multiple
 options are given which are encapsulated with the same option number
 then they will be correctly combined into one encapsulated option.
-encap: and vendor: are may not both be set in the same \fB--dhcp-option\fP.
+encap: and vendor: may not both be set in the same \fB--dhcp-option\fP.
 
 The final variant on encapsulated options is "Vendor-Identifying
 Vendor Options" as specified by RFC3925. These are denoted like this: 
@@ -1390,7 +1415,7 @@ Vendor Options" as specified by RFC3925. These are denoted like this:
 The number in the vi-encap: section is the IANA enterprise number
 used to identify this option. This form of encapsulation is supported
 in IPv6.
- 
+
 The address 0.0.0.0 is not treated specially in
 encapsulated options.
 .TP
@@ -1401,6 +1426,10 @@ except that the option will always be sent, even if the client does
 not ask for it in the parameter request list. This is sometimes
 needed, for example when sending options to PXELinux.
 .TP
+.B --dhcp-option-pxe=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,]<opt>,[<value>[,<value>]]
+A variant of --dhcp-option which defines options only sent in reply to PXE clients. In addition, such options are
+sent in reply to PXE clients when dnsmasq is acting as a PXE proxy, unlike other options. A typical use-case is option 175, sent to iPXE.
+.TP
 .B --dhcp-no-override
 (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
 option space. If it can, dnsmasq moves the boot server and filename
@@ -1409,10 +1438,22 @@ DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
 .TP
+.B --leasequery[=<addr>[/<prefix>]]
+Enable RFC 4388 leasequery. The dnsmasq DHCP server will answer LEASEQUERY messages from DHCP relays
+when this option is given. If an address or subnet is given, only queries from a relay at that source are allowed. Repeat
+the --leasequery option to specify multiple allowed sources.
+To correctly answer lease queries it is necessary to store extra data in
+the lease database, and this is also enabled by the \fB--leasequery\fP option. The extra fields
+(agent-info and vendorclass) are stored in the leases file in a somewhat backwards compatible manner.
+Enabling and then disabling leasequery will not cause problems; the extra information will be aged
+out of the database. However, enabling leasequery in release 2.92 or later, storing leases
+which come via DHCP relays which add option-82 agent-info data, and then moving back to a pre-2.92 dnsmasq
+binary may cause problems reading the leases file. As of release 2.92, leasequery is only supported for DHCPv4.
+.TP
 .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
 Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
-requests arriving on that interface will we relayed to a remote DHCP
+requests arriving on that interface will be relayed to a remote DHCP
 server at the server address. It is possible to relay from a single local
 address to multiple remote servers by using multiple \fB--dhcp-relay\fP
 configs with the same local address and different server
@@ -1446,7 +1487,31 @@ DHCPv4 to a DHCPv6 server or vice-versa.
 The DHCP relay function for IPv6 includes the ability to snoop
 prefix-delegation from relayed DHCP transactions. See
 .B --dhcp-script
-for details. 
+for details.
+.TP
+.B --dhcp-split-relay=<local address>,[<server address>[#<server port>]],<server-facing-interface>|<server-facing-address>
+A usefully enhanced version of DHCPv4 relay. IPv4 DHCP normally uses a single address
+for two functions; it is used by the DHCP server to determine which network to allocate
+an address on, and it is used as the address of the relay to which the server sends packets.
+
+This version of DHCP relay splits these functions. It uses the address of the server-facing relay
+interface or a directly-specified address as the address that the server talks to. The address of the client-facing interface
+(the first item in the config) is used as to determine the client's subnet. The
+local address is also used as server-ID override so that the client always sends requests
+via the relay. The effect of this is that server doesn't require
+a route to the client network and the clients don't require a route to the server.
+
+The third parameter is mandatory. If it is an interface name it cannot be a wildcard and the same filtering as described in
+--dhcp-relay applies; answers from the server must arrve via the specified interface. If the third parameter
+is an IP address it must be an address of a local interface which is routable from the server; In this case no filtering
+is done, the reply packets can arrive via any route.
+
+If setting up a network where the client networks have limited routing, be careful
+about configuring the DHCP server. Dnsmasq, as DHCP server, will set the default route to the
+client-facing relay interface unless explicitly configured: that is a sensible default.
+The normal default DNS server (the same address as the DHCP server)
+will not be appropriate when there is no route bewteen the
+two, so this will have to be explicitly configured. 
 .TP
 .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
 Map from a vendor-class string to a tag. Most DHCP clients provide a 
@@ -1512,45 +1577,47 @@ via relays. If a list of IP addresses is given, only interactions via
 relays at those addresses are affected.
 .TP
 .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
-Without a value, set the tag if the client sends a DHCP
-option of the given number or name. When a value is given, set the tag only if
-the option is sent and matches the value. The value may be of the form
+Without \fB<value>\fP, set \fB<tag>\fP if the client sends a DHCP
+\fBoption\fP of the given number or name. With \fB<value>\fP, set \fB<tag>\fP only if
+the client sends the \fBoption\fP matching or containing \fB<value>\fP. 
+
+The value may be of the form
 "01:ff:*:02" in which case the value must match (apart from wildcards)
 but the option sent may have unmatched data past the end of the
 value. The value may also be of the same form as in 
 .B --dhcp-option
 in which case the option sent is treated as an array, and one element
-must match, so
+must match.
 .B --dhcp-match=set:efi-ia32,option:client-arch,6
-will set the tag "efi-ia32" if the the number 6 appears in the list of
+sets the tag \fBefi-ia32\fP if the number \fB6\fP appears in the list of
 architectures sent by the client in option 93. (See RFC 4578 for
-details.)  If the value is a string, substring matching is used.
+details.) If the value is a string, substring matching is used.
 
 The special form with vi-encap:<enterprise number> matches against
 vendor-identifying vendor classes for the specified enterprise. Please
 see RFC 3925 for more details of these rare and interesting beasts.
 .TP
 .B --dhcp-name-match=set:<tag>,<name>[*]
-Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
+Set a \fB<tag>\fP if the given \fB<name>\fP is supplied by a DHCP client. There may be a single trailing wildcard *, with a glob meaning. Combined with \fBdhcp-ignore\fP or \fBdhcp-ignore-names\fP this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
 .TP
 .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
-Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
-all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
-If no tag:<tag> appears set:<tag> tags are set unconditionally.
-Any number of set: and tag: forms may appear, in any order. 
-\fB--tag-if\fP lines are executed in order, so if the tag in tag:<tag> is a
+Perform boolean operations on tags. All \fBset:<tag>\fP tags are set if
+all \fBtag:<tag>\fP are already set, (or unset when \fBtag:!<tag>\fP is used).
+If no \fBtag:<tag>\fP appears, \fBset:<tag>\fP tags are set unconditionally.
+Any number of \fBset:\fP and \fBtag:\fP forms may appear, in any order. 
+\fB--tag-if\fP lines are executed in order, so if the tag in \fBtag:<tag>\fP is a
 tag set by another
 .B --tag-if,
-the line which sets the tag must precede the one which tests it.
+the line which sets the tag must precede the line which tests it.
 
-As an extension, the tag:<tag> clauses support limited wildcard matching,
-similar to the matching in the \fB--interface\fP directive.  This allows, for
-example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
-received on any matching interface (ppp0, ppp1, etc).  This can be used in conjunction
-with the tag:!<tag> format meaning that no tag matching the wildcard may be set.
+As an extension, the \fBtag:<tag>\fP clauses support limited wildcard matching,
+similar to the matching in the \fB--interface\fP directive. This allows the
+example \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
+received on any matching interface (ppp0, ppp1, etc). This can be used in conjunction
+with the \fBtag:!<tag>\fP format meaning that no tag matching the wildcard may be set.
 .TP
 .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
-When all the given tags appear in the tag set ignore the host and do
+When all the given tags appear in the tag set, ignore the host and do
 not allocate it a DHCP lease.
 .TP
 .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
@@ -1605,7 +1672,7 @@ likely to move IP address; for this reason it should not be generally used.
 .TP
 .B --dhcp-ignore-clid
 Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients
-(if available) to identify clients. This allow to serve same IP address
+(if available) to identify clients. This allow one to serve same IP address
 for a host using several interfaces. Use this option to disable 'client identifier'
 reading, i.e. to always identify a host using the MAC address.
 .TP
@@ -1663,6 +1730,11 @@ to allow netbooting. This mode is enabled using the
 .B proxy
 keyword in
 .B --dhcp-range.
+If the "other" DHCP server is on a remote network, it is
+possible, and useful, to configure dnsmasq as both a PXE proxy-DHCP server
+and a DHCP relay to the remote DHCP server. See
+.B --dhcp-relay
+for details. PXE is only supported over IPv4 at this time.
 .TP
 .B --dhcp-pxe-vendor=<vendor>[,...]
 According to UEFI and PXE specifications, DHCP packets between PXE clients and
@@ -1691,7 +1763,9 @@ For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP req
 unknown leases from unknown hosts are not ignored. This allows new hosts
 to get a lease without a tedious timeout under all circumstances. It also 
 allows dnsmasq to rebuild its lease database without each client needing to 
-reacquire a lease, if the database is lost. For DHCPv6 it sets the
+reacquire a lease, if the database is lost. For DHCPv6 it controls the same
+behaviour as DHCPv4 with missing leases (except for the RFC uncompliance - the
+DHCPv6 RFCs allow this behaviour if configured). It also sets the
 priority in replies to 255 (the maximum) instead of 0 (the minimum).
 .TP
 .B --dhcp-rapid-commit
@@ -1879,7 +1953,7 @@ was sent, and the complete pathname of the file.
 
 The "relay-snoop" action is invoked when dnsmasq is configured as a DHCP
 relay for DHCPv6 and it relays a prefx delegation to a client. The arguments
-are the name of the interface where the client is conected, its (link-local)
+are the name of the interface where the client is connected, its (link-local)
 address on that interface and the delegated prefix. This information is
 sufficient to install routes to the delegated prefix of a router. See
 .B --dhcp-relay
@@ -2230,7 +2304,7 @@ therein is updated when dnsmasq receives SIGHUP.
 .B \--conf-script=<file>[ <arg]
 Execute <file>, and treat what it emits to stdout as the contents of a configuration file.
 If the script exits with a non-zero exit code, dnsmasq treats this as a fatal error.
-The script can be passed arguments, space seperated from the filename and each other so, for instance
+The script can be passed arguments, space separated from the filename and each other so, for instance
 .B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz"
 
 with /etc/dnsmasq-uncompress-ads containing 
@@ -2394,48 +2468,67 @@ the CNAME. To work around this, add the CNAME to /etc/hosts so that
 the CNAME is shadowed too.
 
 .PP
-The tag system works as follows: For each DHCP request, dnsmasq
-collects a set of valid tags from active configuration lines which
-include set:<tag>, including one from the 
-.B --dhcp-range
-used to allocate the address, one from any matching 
-.B --dhcp-host
-(and "known" or "known-othernet" if a \fB--dhcp-host\fP matches)
-The tag "bootp" is set for BOOTP requests, and a tag whose name is the 
-name of the interface on which the request arrived is also set.
+The tag system works as follows: dnsmasq tags each DHCP request
+with tags from applicable configuration lines containing \fBset:<tag>\fP i.e. 
 
-Any configuration lines which include one or more tag:<tag> constructs
-will only be valid if all that tags are matched in the set derived
-above. Typically this is \fB--dhcp-option\fP.
-.B --dhcp-option
-which has tags will be used in preference  to an untagged 
-.B --dhcp-option,
-provided that _all_ the tags match somewhere in the
-set collected as described above. The prefix '!' on a tag means 'not'
-so \fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the
-tag purple is not in the set of valid tags. (If using this in a
-command line rather than a configuration file, be sure to escape !,
-which is a shell metacharacter)
+\fBset:<tag>\fP from the \fB--dhcp-range\fP used to allocate the address;
+
+\fBset:<tag>\fP from any matching \fB--dhcp-host\fP (plus the tag \fBknown\fP or 
+\fBknown-othernet\fP).
+
+BOOTP requests are tagged \fBbootp\fP. Each request is also tagged with the name of  
+the interface on which the request arrived.
+
+Each configuration line containing one or more \fBtag:<tag>\fP constructs
+applies when all its tags exist on the request. That is:
+
+Configuration tag:A applies to a request set:tagged A.
+
+Configuration tag:B applies to a request set:tagged B.
+
+Configuration tag:A+B doesn't apply to a request set:tagged A.
+
+Configuration tag:A+B doesn't apply to a request set:tagged B.
+
+Configurations tag:A+B, tag:A, tag:B apply to a request set:tagged A+B.
+
+\fBset:<tag>\fP constructs in \fB--dhcp-range\fP and \fB--dhcp-host\fP tag requests.
+
+Use \fBtag:<tag>\fPs in \fB--dhcp-option\fPs to match \fBset:<tag>\fP and apply configurations.
+
+A \fB--dhcp-option\fP with \fBtag:<tag>\fP is preferred over an untagged 
+\fB--dhcp-option\fP, provided that \fBall\fP its tags match somewhere in the
+set gathered above. 
+
+The tag prefix '!' means 'not'.
+\fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the request 
+is not tagged with purple. (The shell metacharacter '!' must be escaped on the
+command line but not in a configuration file).
+
+When selecting \fB--dhcp-option\fPs, a \fB--dhcp-range\fP tag is second class 
+to other tags, to make it easy to override options for
+individual hosts, so:
 
-When selecting \fB--dhcp-options\fP, a tag from \fB--dhcp-range\fP is second class
-relative to other tags, to make it easy to override options for
-individual hosts, so 
 .B --dhcp-range=set:interface1,......
+
 .B --dhcp-host=set:myhost,.....
+
 .B --dhcp-option=tag:interface1,option:nis-domain,"domain1"
+
 .B --dhcp-option=tag:myhost,option:nis-domain,"domain2"
-will set the NIS-domain to domain1 for hosts in the range, but
-override that to domain2 for a particular host.
+
+sets the NIS-domain to domain1 for hosts in the range, but
+to domain2 for a particular host that may or may not fall in the range.
 
 .PP
-Note that for 
-.B --dhcp-range
-both tag:<tag> and set:<tag> are allowed, to both select the range in
+Note that for \fB--dhcp-range\fP both 
+\fBtag:<tag>\fP and 
+\fBset:<tag>\fP are possible, in order to both select the range in
 use based on (eg) \fB--dhcp-host\fP, and to affect the options sent, based on
 the range selected.
 
-This system evolved from an earlier, more limited one and for backward
-compatibility "net:" may be used instead of "tag:" and "set:" may be
+The tag system evolved from an earlier, more limited system. For backward
+compatibility, "net:" may be used instead of "tag:" and "set:" may be
 omitted. (Except in 
 .B --dhcp-host,
 where "net:" may be used instead of "set:".) For the same reason, '#'
@@ -2453,7 +2546,7 @@ configuration option is present to activate the DHCP server
 on a particular network. (Setting \fB--bootp-dynamic\fP removes the need for
 static address mappings.) The filename
 parameter in a BOOTP request is used as a tag,
-as is the tag "bootp", allowing some control over the options returned to
+as is the tag \fBbootp\fP, allowing some control over the options returned to
 different classes of hosts.
 
 .SH AUTHORITATIVE CONFIGURATION

setup.html

@@ -229,3 +229,5 @@ contents of the cache to the syslog.
 
 <P>For a complete listing of options please take a look at the manpage
 dnsmasq(8).
+</BODY>
+</HTML>

src/arp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -35,7 +35,7 @@ struct arp_record {
 static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
 static time_t last = 0;
 
-static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+static int filter_mac(int family, void *addrp, char *mac, size_t maclen, void *parmv)
 {
   struct arp_record *arp;
 
@@ -111,22 +111,26 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 
  again:
   
-  /* If the database is less then INTERVAL old, look in there */
-  if (difftime(now, last) < INTERVAL)
+  /* If the database is less then INTERVAL old, look in there.
+     
+     If we're a child process, we always rely on the existing cache we
+     inherited from the parent, since we don't have a netlink socket.
+  */
+  if (difftime(now, last) < INTERVAL || daemon->pipe_to_parent != -1)
     {
       /* addr == NULL -> just make cache up-to-date */
       if (!addr)
 	return 0;
-
+	
       for (arp = arps; arp; arp = arp->next)
 	{
 	  if (addr->sa.sa_family != arp->family)
 	    continue;
-	    
+	  
 	  if (arp->family == AF_INET &&
 	      arp->addr.addr4.s_addr != addr->in.sin_addr.s_addr)
 	    continue;
-	    
+	  
 	  if (arp->family == AF_INET6 && 
 	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, &addr->in6.sin6_addr))
 	    continue;
@@ -141,6 +145,10 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	}
     }
 
+  /* Not in cache in child, no go. */
+  if (daemon->pipe_to_parent != -1)
+    return 0;
+  
   /* Not found, try the kernel */
   if (!updated)
      {
@@ -152,7 +160,7 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	 if (arp->status != ARP_EMPTY)
 	   arp->status = ARP_MARK;
        
-       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       iface_enumerate(AF_UNSPEC, NULL, (callback_t){.af_unspec=filter_mac});
        
        /* Remove all unconfirmed entries to old list. */
        for (arp = arps, up = &arps; arp; arp = tmp)

src/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -96,16 +96,16 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
 }
 
 
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
-		   int local_query, int do_bit, int have_pseudoheader) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now,
+		   union mysockaddr *peer_addr, int local_query) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
   int qtype, qclass, rc;
   int nameoffset, axfroffset = 0;
-  int q, anscount = 0, authcount = 0;
+  int anscount = 0, authcount = 0;
   struct crec *crecp;
-  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0, notimp = 0;
   struct auth_zone *zone = NULL;
   struct addrlist *subnet = NULL;
   char *cut;
@@ -116,18 +116,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   union all_addr addr;
   struct cname *a, *candidate;
   unsigned int wclen;
+  unsigned int log_flags = local_query ? 0 : F_NOERR;
   
-  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
+  if (ntohs(header->qdcount) != 1)
     return 0;
 
   /* determine end of question section (we put answers there) */
   if (!(ansp = skip_questions(header, qlen)))
     return 0; /* bad packet */
   
-  /* now process each question, answers go in RRs after the question */
   p = (unsigned char *)(header+1);
 
-  for (q = ntohs(header->qdcount); q != 0; q--)
+  if (OPCODE(header) != QUERY)
+    notimp = 1;
+  else
     {
       unsigned int flag = 0;
       int found = 0;
@@ -137,7 +139,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       nameoffset = p - (unsigned char *)header;
 
       /* now extract name as .-concatenated string into name */
-      if (!extract_name(header, qlen, &p, name, 1, 4))
+      if (!extract_name(header, qlen, &p, name, EXTR_NAME_EXTRACT, 4))
 	return 0; /* bad packet */
  
       GETSHORT(qtype, p); 
@@ -147,7 +149,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	{
 	  auth = 0;
 	  out_of_zone = 1;
-	  continue;
+	  goto done;
 	}
 
       if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
@@ -162,7 +164,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    {
 	      out_of_zone = 1;
 	      auth = 0;
-	      continue;
+	      goto done;
 	    }
 	  else if (qtype == T_SOA)
 	    soa = 1, found = 1;
@@ -210,7 +212,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (local_query || in_zone(zone, intr->name, NULL))
 		{	
 		  found = 1;
-		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
+		  log_query(log_flags | flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
 					  T_PTR, C_IN, "d", intr->name))
@@ -234,7 +236,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		      strcat(name, ".");
 		      strcat(name, zone->domain);
 		    }
-		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0);
+		  log_query(log_flags | flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -243,7 +245,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		}
 	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
 		{
-		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid), 0);
+		  log_query(log_flags | (crecp->flags & ~F_FORWARD), name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -257,7 +259,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 
 	  if (!found && is_rev_synth(flag, &addr, name) && (local_query || in_zone(zone, name, NULL)))
 	    {
-	      log_query(F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0);
+	      log_query(log_flags | F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0);
 	      found = 1;
 	      
 	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -269,9 +271,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (found)
 	    nxdomain = 0;
 	  else
-	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0);
+	    log_query(log_flags | flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0);
 
-	  continue;
+	  goto done;
 	}
       
     cname_restart:
@@ -288,7 +290,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    {
 	      out_of_zone = 1;
 	      auth = 0;
-	      continue;
+	      goto done;
 	    }
 	}
 
@@ -300,7 +302,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_MX)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
+		log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_MX, C_IN, "sd", rec->weight, rec->target))
 		  anscount++;
@@ -315,7 +317,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_SRV)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
+		log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_SRV, C_IN, "sssd", 
 					rec->priority, rec->weight, rec->srvport, rec->target))
@@ -349,7 +351,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && txt->class == qtype)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class);
+		log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -363,7 +365,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_TXT)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
+		log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_TXT, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -377,7 +379,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	     if (rc == 2 && qtype == T_NAPTR)
 	       {
 		 found = 1;
-		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
+		 log_query(log_flags | F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
 		 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, 
 					 NULL, T_NAPTR, C_IN, "sszzzd", 
 					 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
@@ -407,7 +409,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		       continue;
 
 		     found = 1;
-		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
+		     log_query(log_flags | F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &addrlist->addr))
@@ -419,7 +421,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	 {
 	   nxdomain = 0;
 	   
-	   log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
+	   log_query(log_flags | F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
 	   if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 				   daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addr))
 	     anscount++;
@@ -432,7 +434,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (qtype == T_SOA)
 	    {
 	      auth = soa = 1; /* inhibits auth section */
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>", 0);
+	      log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>", 0);
 	    }
       	  else if (qtype == T_AXFR)
 	    {
@@ -468,13 +470,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;
 	      axfroffset = nameoffset;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>", 0);
+	      log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>", 0);
 	    }
       	  else if (qtype == T_NS)
 	    {
 	      auth = 1;
 	      ns = 1; /* inhibits auth section */
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>", 0);
+	      log_query(log_flags | F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>", 0);
 	    }
 	}
       
@@ -492,7 +494,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
+			log_query(log_flags | crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 			*cut  = 0; /* remove domain part */
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						daemon->auth_ttl, NULL, qtype, C_IN, 
@@ -513,7 +515,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 nxdomain = 0;
 		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
+		     log_query(log_flags | (crecp->flags & ~F_REVERSE), name, &crecp->addr, record_source(crecp->uid), 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &crecp->addr))
@@ -560,7 +562,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (candidate)
 	    {
-	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL, 0);
+	      log_query(log_flags | F_CONFIG | F_CNAME, name, NULL, NULL, 0);
 	      strcpy(name, candidate->target);
 	      if (!strchr(name, '.'))
 		{
@@ -578,10 +580,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  else if (cache_find_non_terminal(name, now))
 	    nxdomain = 0;
 
-	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0);
+	  log_query(log_flags | flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0);
 	}
       
     }
+
+ done:
   
   /* Add auth section */
   if (auth && zone)
@@ -868,7 +872,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   
   /* truncation */
   if (trunc)
-    header->hb3 |= HB3_TC;
+    {
+      header->hb3 |= HB3_TC;
+      if (!(ansp = skip_questions(header, qlen)))
+	return 0; /* bad packet */
+      anscount = authcount = 0;
+      log_query(log_flags | F_AUTH, "reply", NULL, "truncated", 0);
+    }
   
   if ((auth || local_query) && nxdomain)
     SET_RCODE(header, NXDOMAIN);
@@ -879,21 +889,26 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   header->nscount = htons(authcount);
   header->arcount = htons(0);
 
-  if (!local_query && out_of_zone)
+  if ((!local_query && out_of_zone) || notimp)
     {
-      SET_RCODE(header, REFUSED); 
+      if (out_of_zone)
+	{
+	  addr.log.rcode = REFUSED;
+	  addr.log.ede = EDE_NOT_AUTH;
+	}
+      else
+	{
+	  addr.log.rcode = NOTIMP;
+	  addr.log.ede = EDE_UNSET;
+	}
+
+      SET_RCODE(header, addr.log.rcode); 
       header->ancount = htons(0);
       header->nscount = htons(0);
-      addr.log.rcode = REFUSED;
-      addr.log.ede = EDE_NOT_AUTH;
-      log_query(F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0);
+      log_query(log_flags | F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0);
       return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
     }
   
-  /* Advertise our packet size limit in our reply */
-  if (have_pseudoheader)
-    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
-
   return ansp - (unsigned char *)header;
 }
   

src/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -101,7 +101,7 @@ static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 	      memcpy(block->key, data, blen);
 	      data += blen;
 	    }
-	  else if (!read_write(fd, block->key, blen, 1))
+	  else if (!read_write(fd, block->key, blen, RW_READ))
 	    {
 	      /* failed read free partial chain */
 	      blockdata_free(ret);
@@ -193,7 +193,7 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
 {
   size_t blen;
   struct  blockdata *b;
-  void *new, *d;
+  uint8_t *new, *d;
   
   static unsigned int buff_len = 0;
   static unsigned char *buff = NULL;
@@ -228,7 +228,7 @@ void blockdata_write(struct blockdata *block, size_t len, int fd)
   for (; len > 0 && block; block = block->next)
     {
       size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      read_write(fd, block->key, blen, 0);
+      read_write(fd, block->key, blen, RW_WRITE);
       len -= blen;
     }
 }

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -47,7 +47,7 @@ static union all_addr del_addr;
 
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 
-int arp_enumerate(void *parm, int (*callback)())
+int arp_enumerate(void *parm, callback_t callback)
 {
   int mib[6];
   size_t needed;
@@ -91,7 +91,7 @@ int arp_enumerate(void *parm, int (*callback)())
       rtm = (struct rt_msghdr *)next;
       sin2 = (struct sockaddr_inarp *)(rtm + 1);
       sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
-      if (!(*callback)(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
+      if (!callback.af_unspec(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
 	return 0;
     }
 
@@ -100,7 +100,7 @@ int arp_enumerate(void *parm, int (*callback)())
 #endif /* defined(HAVE_BSD_NETWORK) && !defined(__APPLE__) */
 
 
-int iface_enumerate(int family, void *parm, int (*callback)())
+int iface_enumerate(int family, void *parm, callback_t callback)
 {
   struct ifaddrs *head, *addrs;
   int errsave, fd = -1, ret = 0;
@@ -126,112 +126,110 @@ int iface_enumerate(int family, void *parm, int (*callback)())
   
   for (addrs = head; addrs; addrs = addrs->ifa_next)
     {
-      if (addrs->ifa_addr->sa_family == family)
+      int iface_index = if_nametoindex(addrs->ifa_name);
+      
+      if (iface_index == 0 || !addrs->ifa_addr || 
+	  addrs->ifa_addr->sa_family != family ||
+	  (!addrs->ifa_netmask && family != AF_LINK))
+	continue;
+      
+      if (family == AF_INET)
 	{
-	  int iface_index = if_nametoindex(addrs->ifa_name);
-
-	  if (iface_index == 0 || !addrs->ifa_addr || 
-	      (!addrs->ifa_netmask && family != AF_LINK))
+	  struct in_addr addr, netmask, broadcast;
+	  addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
+#ifdef HAVE_BSD_NETWORK
+	  if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
 	    continue;
-
-	  if (family == AF_INET)
-	    {
-	      struct in_addr addr, netmask, broadcast;
-	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
-#ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
-		continue;
 #endif
-	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
-	      if (addrs->ifa_broadaddr)
-		broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
-	      else 
-		broadcast.s_addr = 0;	      
-	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
-		goto err;
-	    }
-	  else if (family == AF_INET6)
-	    {
-	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
-	      unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
-	      int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
-	      int i, j, prefix = 0;
-	      u32 valid = 0xffffffff, preferred = 0xffffffff;
-	      int flags = 0;
+	  netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
+	  if (addrs->ifa_broadaddr)
+	    broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
+	  else 
+	    broadcast.s_addr = 0;	      
+	  if (!callback.af_inet(addr, iface_index, NULL, netmask, broadcast, parm))
+	    goto err;
+	}
+      else if (family == AF_INET6)
+	{
+	  struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
+	  unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
+	  int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
+	  int i, j, prefix = 0;
+	  u32 valid = 0xffffffff, preferred = 0xffffffff;
+	  int flags = 0;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
-		continue;
+	  if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
+	    continue;
 #endif
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
-	      struct in6_ifreq ifr6;
-
-	      memset(&ifr6, 0, sizeof(ifr6));
-	      safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	  struct in6_ifreq ifr6;
+	  
+	  memset(&ifr6, 0, sizeof(ifr6));
+	  safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	  
+	  ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	  if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
+	    {
+	      if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
+		flags |= IFACE_TENTATIVE;
+	      
+	      if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
+		flags |= IFACE_DEPRECATED;
 	      
-	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
-	      if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
-		{
-		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
-		    flags |= IFACE_TENTATIVE;
-		  
-		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
-		    flags |= IFACE_DEPRECATED;
-
 #ifdef IN6_IFF_TEMPORARY
-		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
-		    flags |= IFACE_PERMANENT;
+	      if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
+		flags |= IFACE_PERMANENT;
 #endif
-
+	      
 #ifdef IN6_IFF_PRIVACY
-		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
-		    flags |= IFACE_PERMANENT;
+	      if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
+		flags |= IFACE_PERMANENT;
 #endif
-		}
-	      
-	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
-	      if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
-		{
-		  valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
-		  preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
-		}
+	    }
+	  
+	  ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	  if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
+	    {
+	      valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
+	      preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
+	    }
 #endif
-	      	      
-	      for (i = 0; i < IN6ADDRSZ; i++, prefix += 8) 
-                if (netmask[i] != 0xff)
-		  break;
-	      
-	      if (i != IN6ADDRSZ && netmask[i]) 
-                for (j = 7; j > 0; j--, prefix++) 
-		  if ((netmask[i] & (1 << j)) == 0)
-		    break;
-	      
-	      /* voodoo to clear interface field in address */
-	      if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
-		{
-		  addr->s6_addr[2] = 0;
-		  addr->s6_addr[3] = 0;
-		} 
-	     
-	      if (!((*callback)(addr, prefix, scope_id, iface_index, flags,
-				(int) preferred, (int)valid, parm)))
-		goto err;	      
-	    }
-
-#ifdef HAVE_DHCP6      
-	  else if (family == AF_LINK)
-	    { 
-	      /* Assume ethernet again here */
-	      struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
-	      if (sdl->sdl_alen != 0 && 
-		  !((*callback)(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm)))
-		goto err;
-	    }
-#endif 
+	  
+	  for (i = 0; i < IN6ADDRSZ; i++, prefix += 8) 
+	    if (netmask[i] != 0xff)
+	      break;
+	  
+	  if (i != IN6ADDRSZ && netmask[i]) 
+	    for (j = 7; j > 0; j--, prefix++) 
+	      if ((netmask[i] & (1 << j)) == 0)
+		break;
+	  
+	  /* voodoo to clear interface field in address */
+	  if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
+	    {
+	      addr->s6_addr[2] = 0;
+	      addr->s6_addr[3] = 0;
+	    } 
+	  
+	  if (!callback.af_inet6(addr, prefix, scope_id, iface_index, flags,
+				 (unsigned int) preferred, (unsigned int)valid, parm))
+	    goto err;	      
 	}
+      
+#ifdef HAVE_DHCP6      
+      else if (family == AF_LINK)
+	{ 
+	  /* Assume ethernet again here */
+	  struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
+	  if (sdl->sdl_alen != 0 && 
+	      !callback.af_local(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm))
+	    goto err;
+	}
+#endif 
     }
   
   ret = 1;
-
+  
  err:
   errsave = errno;
   freeifaddrs(head); 

src/cache.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -101,6 +101,9 @@ static const struct {
   { 63,  "ZONEMD" }, /* Message Digest Over Zone Data [RFC8976] ZONEMD/zonemd-completed-template 2018-12-12*/
   { 64,  "SVCB" }, /* Service Binding [draft-ietf-dnsop-svcb-https-00] SVCB/svcb-completed-template 2020-06-30*/
   { 65,  "HTTPS" }, /* HTTPS Binding [draft-ietf-dnsop-svcb-https-00] HTTPS/https-completed-template 2020-06-30*/
+  { 66,  "DSYNC" }, /* Endpoint discovery for delegation synchronization [draft-ietf-dnsop-generalized-notify-03] DSYNC/dsync-completed-template 2024-12-10 */
+  { 67,  "HHIT" }, /* [draft-ietf-drip-registries-28] */
+  { 68,  "BRID" }, /* [draft-ietf-drip-registries-28] */
   { 99,  "SPF" }, /* [RFC7208] */
   { 100, "UINFO" }, /* [IANA-Reserved] */
   { 101, "UID" }, /* [IANA-Reserved] */
@@ -112,6 +115,7 @@ static const struct {
   { 107, "LP" }, /* [RFC6742] ILNP/lp-completed-template */
   { 108, "EUI48" }, /* an EUI-48 address [RFC7043] EUI48/eui48-completed-template 2013-03-27*/
   { 109, "EUI64" }, /* an EUI-64 address [RFC7043] EUI64/eui64-completed-template 2013-03-27*/
+  { 128, "NXNAME" }, /* NXDOMAIN indicator for Compact Denial of Existence https://www.iana.org/go/draft-ietf-dnsop-compact-denial-of-existence-04 */
   { 249, "TKEY" }, /* Transaction Key [RFC2930] */
   { 250, "TSIG" }, /* Transaction Signature [RFC8945] */
   { 251, "IXFR" }, /* incremental transfer [RFC1995] */
@@ -125,6 +129,9 @@ static const struct {
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
   { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
+  { 262, "WALLET" }, /* Public wallet address https://www.iana.org/assignments/dns-parameters/WALLET/wallet-completed-template */
+  { 263, "CLA" }, /*  BP Convergence Layer Adapter https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
+  { 264, "IPN" }, /* BP Node Number https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
@@ -474,7 +481,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
 	  if ((crecp->flags & F_FORWARD) && hostname_isequal(cache_get_name(crecp), name))
 	    {
 	      int rrmatch = 0;
-	      if (crecp->flags & flags & F_RR)
+	      if (addr && (crecp->flags & flags & F_RR))
 		{
 		  unsigned short rrc = (crecp->flags & F_KEYTAG) ? crecp->addr.rrblock.rrtype : crecp->addr.rrdata.rrtype;
 		  unsigned short rra = (flags & F_KEYTAG) ? addr->rrblock.rrtype : addr->rrdata.rrtype;
@@ -774,7 +781,14 @@ void cache_end_insert(void)
 {
   if (insert_error)
     return;
-  
+
+  /* signal start of cache insert transaction to master process */
+  if (daemon->pipe_to_parent != -1)
+    {
+      unsigned char op = PIPE_OP_INSERT;
+      read_write(daemon->pipe_to_parent, &op, sizeof(op), RW_WRITE);
+    }
+
   while (new_chain)
     { 
       struct crec *tmp = new_chain->next;
@@ -798,36 +812,32 @@ void cache_end_insert(void)
 	      u16 class = new_chain->uid;
 #endif
 	      
-	      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
-	      read_write(daemon->pipe_to_parent, (unsigned char *)name, m, 0);
-	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
-	      read_write(daemon->pipe_to_parent, (unsigned  char *)&flags, sizeof(flags), 0);
-
-	      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_RR))
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)name, m, RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&flags, sizeof(flags), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), RW_WRITE);
+	      
+	      if (flags & F_RR)
 		{
-		  read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
-
-		  if (flags & F_RR)
-		    {
-		      /* A negative RR entry is possible and has no data, obviously. */
-		      if (!(flags & F_NEG) && (flags & F_KEYTAG))
-			blockdata_write(new_chain->addr.rrblock.rrdata, new_chain->addr.rrblock.datalen, daemon->pipe_to_parent);
-		    }
-#ifdef HAVE_DNSSEC
-		  if (flags & F_DNSKEY)
-		    {
-		      read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
-		      blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
-		    }
-		  else if (flags & F_DS)
-		    {
-		      read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
-		      /* A negative DS entry is possible and has no data, obviously. */
-		      if (!(flags & F_NEG))
-			blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
-		    }
-#endif
+		  /* A negative RR entry is possible and has no data, obviously. */
+		  if (!(flags & F_NEG) && (flags & F_KEYTAG))
+		    blockdata_write(new_chain->addr.rrblock.rrdata, new_chain->addr.rrblock.datalen, daemon->pipe_to_parent);
 		}
+#ifdef HAVE_DNSSEC
+	      else if (flags & F_DNSKEY)
+		{
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), RW_WRITE);
+		  blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
+		}
+	      else if (flags & F_DS)
+		{
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), RW_WRITE);
+		  /* A negative DS entry is possible and has no data, obviously. */
+		  if (!(flags & F_NEG))
+		    blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
+		}
+#endif
 	    }
 	}
       
@@ -838,97 +848,236 @@ void cache_end_insert(void)
   if (daemon->pipe_to_parent != -1)
     {
       ssize_t m = -1;
-      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
     }
-      
-  new_chain = NULL;
 }
 
+#ifdef HAVE_DNSSEC
+void cache_update_hwm(void)
+{
+  /* Sneak out possibly updated crypto HWM values. */
+  unsigned char op = PIPE_OP_STATS;
 
-/* A marshalled cache entry arrives on fd, read, unmarshall and insert into cache of master process. */
+  read_write(daemon->pipe_to_parent, &op, sizeof(op), RW_WRITE);
+  read_write(daemon->pipe_to_parent,
+	     (unsigned char *)&daemon->metrics[METRIC_CRYPTO_HWM],
+	     sizeof(daemon->metrics[METRIC_CRYPTO_HWM]), RW_WRITE);
+  read_write(daemon->pipe_to_parent,
+	     (unsigned char *)&daemon->metrics[METRIC_SIG_FAIL_HWM],
+	     sizeof(daemon->metrics[METRIC_SIG_FAIL_HWM]), RW_WRITE);
+  read_write(daemon->pipe_to_parent,
+	     (unsigned char *)&daemon->metrics[METRIC_WORK_HWM],
+	     sizeof(daemon->metrics[METRIC_WORK_HWM]), RW_WRITE);
+}
+#endif
+
+#if defined(HAVE_IPSET) || defined(HAVE_NFTSET)
+void cache_send_ipset(unsigned char op, struct ipsets *sets, int flags, union all_addr *addr)
+{
+  read_write(daemon->pipe_to_parent, &op, sizeof(op), RW_WRITE);
+  read_write(daemon->pipe_to_parent, (unsigned char *)&sets, sizeof(sets), RW_WRITE);
+  read_write(daemon->pipe_to_parent, (unsigned char *)&flags, sizeof(flags), RW_WRITE);
+  read_write(daemon->pipe_to_parent, (unsigned char *)addr, sizeof(*addr), RW_WRITE);
+}
+#endif
+
+/* Retrieve and handle a result from child TCP-handler.
+   Return 0 when pipe is closed by far end. */
 int cache_recv_insert(time_t now, int fd)
 {
-  ssize_t m;
-  union all_addr addr;
-  unsigned long ttl;
-  time_t ttd;
-  unsigned int flags;
-  struct crec *crecp = NULL;
+  unsigned char op;
   
-  cache_start_insert();
+  if (!read_write(fd, &op, sizeof(op), RW_READ))
+    return 0;
   
-  while(1)
+  switch (op)
     {
- 
-      if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
-	return 0;
-      
-      if (m == -1)
-	{
-	  cache_end_insert();
-	  return 1;
-	}
+    case PIPE_OP_INSERT:
+      {
+	/* A marshalled set if cache entries arrives on fd, read, unmarshall and insert into cache of master process. */
+	ssize_t m;
+	union all_addr addr;
+	unsigned long ttl;
+	time_t ttd;
+	unsigned int flags;
+	struct crec *crecp = NULL;
 
-      if (!read_write(fd, (unsigned char *)daemon->namebuff, m, 1) ||
-	  !read_write(fd, (unsigned char *)&ttd, sizeof(ttd), 1) ||
-	  !read_write(fd, (unsigned char *)&flags, sizeof(flags), 1))
-	return 0;
+	cache_start_insert();
+	
+	/* loop reading RRs, since we don't want to go back to the poll() loop
+	   and start processing other queries which might pollute the insertion
+	   chain. The child will never block between the first OP_RR and the
+	   minus-one length marking the end. */
+	while (1)
+	  {
+	    if (!read_write(fd, (unsigned char *)&m, sizeof(m), RW_READ))
+	      return 0;
+	    
+	    if (m == -1)
+	      {
+		cache_end_insert();
+		return 1;
+	      }
+	    
+	    if (!read_write(fd, (unsigned char *)daemon->namebuff, m, RW_READ) ||
+		!read_write(fd, (unsigned char *)&ttd, sizeof(ttd), RW_READ) ||
+		!read_write(fd, (unsigned char *)&flags, sizeof(flags), RW_READ) ||
+		!read_write(fd, (unsigned char *)&addr, sizeof(addr), RW_READ))
+	      return 0;
+	    
+	    daemon->namebuff[m] = 0;
+	    
+	    ttl = difftime(ttd, now);
+	    
+	    if (flags & F_CNAME)
+	      {
+		struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags);
+		/* This relies on the fact that the target of a CNAME immediately precedes
+		   it because of the order of extraction in extract_addresses, and
+		   the order reversal on the new_chain. */
+		if (newc)
+		  {
+		    newc->addr.cname.is_name_ptr = 0;
+		    newc->addr.cname.target.cache = crecp;
+		    
+		    if (crecp)
+		      {
+			next_uid(crecp);
+			newc->addr.cname.uid = crecp->uid;
+		      }
+		    crecp = newc;
+		  }
+	      }
+	    else
+	      {
+		unsigned short class = C_IN;
+		struct blockdata *block = NULL;
 
-      daemon->namebuff[m] = 0;
-
-      ttl = difftime(ttd, now);
-      
-      if (flags & F_CNAME)
-	{
-	  struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags);
-	  /* This relies on the fact that the target of a CNAME immediately precedes
-	     it because of the order of extraction in extract_addresses, and
-	     the order reversal on the new_chain. */
-	  if (newc)
-	    {
-	      newc->addr.cname.is_name_ptr = 0;
-	      
-	      if (!crecp)
-		newc->addr.cname.target.cache = NULL;
-	      else
-		{
-		  next_uid(crecp);
-		  newc->addr.cname.target.cache = crecp;
-		  newc->addr.cname.uid = crecp->uid;
-		}
-	    }
-	}
-      else
-	{
-	  unsigned short class = C_IN;
-
-	  if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_RR))
-	    {
-	      if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
-		return 0;
-	      
-	      if ((flags & F_RR) && !(flags & F_NEG) && (flags & F_KEYTAG)
-		  && !(addr.rrblock.rrdata = blockdata_read(fd, addr.rrblock.datalen)))
-		return 0;
+		if ((flags & F_RR) && !(flags & F_NEG) && (flags & F_KEYTAG)
+		    && !(block = addr.rrblock.rrdata = blockdata_read(fd, addr.rrblock.datalen)))
+		  continue;
 #ifdef HAVE_DNSSEC
-	      if (flags & F_DNSKEY)
-		{
-		  if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		      !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
-		    return 0;
-		}
-	      else  if (flags & F_DS)
-		{
-		  if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		      (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
-		    return 0;
-		}
+		else if (flags & F_DNSKEY)
+		  {
+		    if (!read_write(fd, (unsigned char *)&class, sizeof(class), RW_READ))
+		      return 0;
+		    if (!(block = addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
+		      continue;
+		  }
+		else  if (flags & F_DS)
+		  {
+		    if (!read_write(fd, (unsigned char *)&class, sizeof(class), RW_READ))
+		      return 0;
+		    if (!(flags & F_NEG) && !(block = addr.ds.keydata = blockdata_read(fd, addr.ds.keylen)))
+		      continue;
+		  }
 #endif
-	    }
-	  
-	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
-	}
+		if (!(crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags)))
+		  blockdata_free(block);
+	      }
+	  }
+      }
+      
+#ifdef HAVE_DNSSEC
+    case PIPE_OP_STATS:
+      {
+	/* Sneak in possibly updated crypto HWM. */
+	unsigned int val;
+	
+	if (!read_write(fd, (unsigned char *)&val, sizeof(val), RW_READ))
+	  return 0;
+	if (val > daemon->metrics[METRIC_CRYPTO_HWM])
+	  daemon->metrics[METRIC_CRYPTO_HWM] = val;
+	if (!read_write(fd, (unsigned char *)&val, sizeof(val), RW_READ))
+	  return 0;
+	if (val > daemon->metrics[METRIC_SIG_FAIL_HWM])
+	  daemon->metrics[METRIC_SIG_FAIL_HWM] = val;
+	if (!read_write(fd, (unsigned char *)&val, sizeof(val), RW_READ))
+	  return 0;
+	if (val > daemon->metrics[METRIC_WORK_HWM])
+	  daemon->metrics[METRIC_WORK_HWM] = val;
+	return 1;
+      }
+      
+    case PIPE_OP_RESULT:
+      {
+	/* UDP validation moved to TCP to avoid truncation. 
+	   Restart UDP validation process with the returned result. */
+	int status, uid, keycount, validatecount;
+	int *keycountp, *validatecountp;
+	size_t ret_len;
+	
+	struct frec *forward;
+	
+	if (!read_write(fd, (unsigned char *)&status, sizeof(status), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&ret_len, sizeof(ret_len), RW_READ) ||
+	    !read_write(fd, (unsigned char *)daemon->packet, ret_len, RW_READ) ||
+	    !read_write(fd, (unsigned char *)&forward, sizeof(forward), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&uid, sizeof(uid), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&keycount, sizeof(keycount), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&keycountp, sizeof(keycountp), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&validatecount, sizeof(validatecount), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&validatecountp, sizeof(validatecountp), RW_READ))
+	  return 0;
+	
+	/* There's a tiny chance that the frec may have been freed 
+	   and reused before the TCP process returns. Detect that with
+	   the uid field which is unique modulo 2^32 for each use. */
+	if (uid == forward->uid)
+	  {
+	    /* repatriate the work counters from the child process. */
+	    *keycountp = keycount;
+	    *validatecountp = validatecount;
+	    
+	    if (!forward->dependent)
+	      return_reply(now, forward, (struct dns_header *)daemon->packet, ret_len, status);
+	    else
+	      pop_and_retry_query(forward, status, now);
+	  }
+	
+	return 1;
+      }
+#endif
+      
+#if defined(HAVE_IPSET) || defined(HAVE_NFTSET)
+    case PIPE_OP_IPSET:
+    case PIPE_OP_NFTSET:
+      {
+	struct ipsets *sets;
+	char **sets_cur;
+	unsigned int flags;
+	union all_addr addr;
+	
+	if (!read_write(fd, (unsigned char *)&sets, sizeof(sets), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&flags, sizeof(flags), RW_READ) ||
+	    !read_write(fd, (unsigned char *)&addr, sizeof(addr), RW_READ))
+	  return 0;
+	
+	for (sets_cur = sets->sets; *sets_cur; sets_cur++)
+	  {
+	    int rc = -1;
+	    
+#ifdef HAVE_IPSET
+	    if (op == PIPE_OP_IPSET)
+	      rc = add_to_ipset(*sets_cur, &addr, flags, 0);
+#endif
+	    
+#ifdef HAVE_NFTSET		  
+	    if (op == PIPE_OP_NFTSET)
+	      rc = add_to_nftset(*sets_cur, &addr, flags, 0);
+#endif
+	    
+	    if (rc == 0)
+	      log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, sets->domain, &addr, *sets_cur, op == PIPE_OP_IPSET);
+	  }
+	
+	return 1;
+      }
+#endif
+      
     }
+
+  return 0;
 }
 	
 int cache_find_non_terminal(char *name, time_t now)
@@ -1378,11 +1527,17 @@ void cache_reload(void)
 	cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
 	cache->ttd = daemon->local_ttl;
 	cache->name.namep = ds->name;
-	cache->addr.ds.keylen = ds->digestlen;
-	cache->addr.ds.algo = ds->algo;
-	cache->addr.ds.keytag = ds->keytag;
-	cache->addr.ds.digest = ds->digest_type;
 	cache->uid = ds->class;
+	if (ds->digestlen != 0)
+	  {
+	    cache->addr.ds.keylen = ds->digestlen;
+	    cache->addr.ds.algo = ds->algo;
+	    cache->addr.ds.keytag = ds->keytag;
+	    cache->addr.ds.digest = ds->digest_type;
+	  }
+	else
+	  cache->flags |= F_NEG | F_DNSSECOK | F_NO_RR;
+	
 	cache_hash(cache);
 	make_non_terminals(cache);
       }
@@ -1782,15 +1937,31 @@ int cache_make_stat(struct txt_record *t)
 #endif
 
 /* There can be names in the cache containing control chars, don't 
-   mess up logging or open security holes. */
+   mess up logging or open security holes. Also convert to all-LC
+   so that 0x20-encoding doesn't make logs look like ransom notes
+   made out of letters cut from a newspaper.
+   Overwrites daemon->workspacename */
 static char *sanitise(char *name)
 {
-  unsigned char *r;
+  unsigned char *r = (unsigned char *)name;
+  
   if (name)
-    for (r = (unsigned char *)name; *r; r++)
-      if (!isprint((int)*r))
-	return "<name unprintable>";
-
+    {
+      char *d = name = daemon->workspacename;
+      
+      for (; *r; r++, d++)
+	if (!isprint((int)*r))
+	  return "<name unprintable>";
+	else
+	  {
+	    unsigned char c = *r;
+	    
+	    *d = (char)((c >= 'A' && c <= 'Z') ? c + 'a' - 'A' : c);
+	  }
+      
+      *d = 0;
+    }
+  
   return name;
 }
 
@@ -1809,8 +1980,18 @@ static void dump_cache_entry(struct crec *cache, time_t now)
   p = buff;
   
   *a = 0;
-  if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
-    n = "<Root>";
+
+  if (cache->flags & F_REVERSE)
+    {
+      if ((cache->flags & F_NEG))
+	n = "";
+    }
+  else
+    {
+      if (strlen(n) == 0)
+	n = "<Root>";
+    }
+  
   p += sprintf(p, "%-30.30s ", sanitise(n));
   if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
     a = sanitise(cache_get_cname_target(cache));
@@ -1893,6 +2074,11 @@ void dump_cache(time_t now)
 #ifdef HAVE_AUTH
   my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]);
 #endif
+#ifdef HAVE_DNSSEC
+  my_syslog(LOG_INFO, _("DNSSEC per-query subqueries HWM %u"), daemon->metrics[METRIC_WORK_HWM]);
+  my_syslog(LOG_INFO, _("DNSSEC per-query crypto work HWM %u"), daemon->metrics[METRIC_CRYPTO_HWM]);
+  my_syslog(LOG_INFO, _("DNSSEC per-RRSet signature fails HWM %u"), daemon->metrics[METRIC_SIG_FAIL_HWM]);
+#endif
 
   blockdata_report();
   my_syslog(LOG_INFO, _("child processes for TCP requests: in use %zu, highest since last SIGUSR1 %zu, max allowed %zu."),
@@ -2052,6 +2238,11 @@ static char *edestr(int ede)
     case EDE_NO_AUTH:                     return "no reachable authority";
     case EDE_NETERR:                      return "network error";
     case EDE_INVALID_DATA:                return "invalid data";
+    case EDE_SIG_E_B_V:                   return "signature expired before valid";
+    case EDE_TOO_EARLY:                   return "too early";
+    case EDE_UNS_NS3_ITER:                return "unsupported NSEC3 iterations value";
+    case EDE_UNABLE_POLICY:               return "uanble to conform to policy";
+    case EDE_SYNTHESIZED:                 return "synthesized";
     default:                              return "unknown";
     }
 }
@@ -2063,12 +2254,17 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   char *extra = "";
   char *gap = " ";
   char portstring[7]; /* space for #<portnum> */
-  
+  char opcodestring[3]; /* maximum is 15 */
+
   if (!option_bool(OPT_LOG))
     return;
 
+  /* F_NOERR is reused here to indicate logs arrising from auth queries */ 
+  if (!(flags & F_NOERR) && option_bool(OPT_AUTH_LOG))
+    return;
+
   /* build query type string if requested */
-  if (!(flags & (F_SERVER | F_IPSET)) && type > 0)
+  if (!(flags & (F_SERVER | F_IPSET | F_QUERY)) && type > 0)
     arg = querystr(arg, type);
 
   dest = arg;
@@ -2101,6 +2297,8 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
 	    dest = "SERVFAIL";
 	  else if (rcode == REFUSED)
 	    dest = "REFUSED";
+	  else if (rcode == FORMERR)
+	    dest = "FORMERR";
 	  else if (rcode == NOTIMP)
 	    dest = "not implemented";
 	  else
@@ -2159,6 +2357,10 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     source = arg;
   else if (flags & F_UPSTREAM)
     source = "reply";
+  else if (flags & F_AUTH)
+    source = "auth";
+  else if (flags & F_QUERY)
+    source = "query";
   else if (flags & F_SECSTAT)
     {
       if (addr && addr->log.ede != EDE_UNSET && option_bool(OPT_EXTRALOG))
@@ -2169,23 +2371,16 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
       source = "validation";
       dest = arg;
     }
-  else if (flags & F_AUTH)
-    source = "auth";
-   else if (flags & F_DNSSEC)
+  else if (flags & F_DNSSEC)
     {
       source = arg;
       verb = "to";
     }
-   else if (flags & F_SERVER)
+  else if (flags & F_SERVER)
     {
       source = "forwarded";
       verb = "to";
     }
-  else if (flags & F_QUERY)
-    {
-      source = arg;
-      verb = "from";
-    }
   else if (flags & F_IPSET)
     {
       source = type ? "ipset add" : "nftset add";
@@ -2197,7 +2392,21 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     source = "cached-stale";
   else
     source = "cached";
-  
+
+  if (flags & F_QUERY)
+    {
+      if (flags & F_CONFIG)
+	{
+	  sprintf(opcodestring, "%u", type & 0xf);
+	  source = "non-query opcode";
+	  name = opcodestring;
+	}
+      else if (type > 0)
+	source = querystr(source, type);
+      
+      verb = "from";
+    }
+
   if (!name)
     gap = name = "";
   else if (!name[0])
@@ -2205,12 +2414,21 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   
   if (option_bool(OPT_EXTRALOG))
     {
-      if (flags & F_NOEXTRA)
-	my_syslog(LOG_INFO, "%u %s %s%s%s %s%s", daemon->log_display_id, source, name, gap, verb, dest, extra);
+      int display_id = daemon->log_display_id;
+      char *proto = "";
+
+      if (option_bool(OPT_LOG_PROTO))
+	proto = (display_id < 0) ? "TCP " : "UDP ";
+      
+      if (display_id < 0)
+	display_id = -display_id;
+      
+      if (flags & F_NOEXTRA || !daemon->log_source_addr)
+	my_syslog(LOG_INFO, "%s%u %s %s%s%s %s%s", proto, display_id, source, name, gap, verb, dest, extra);
       else
 	{
 	   int port = prettyprint_addr(daemon->log_source_addr, daemon->addrbuff2);
-	   my_syslog(LOG_INFO, "%u %s/%u %s %s%s%s %s%s", daemon->log_display_id, daemon->addrbuff2, port, source, name, gap, verb, dest, extra);
+	   my_syslog(LOG_INFO, "%s%u %s/%u %s %s%s%s %s%s", proto, display_id, daemon->addrbuff2, port, source, name, gap, verb, dest, extra);
 	}
     }
   else

src/config.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -18,11 +18,15 @@
 #define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
 #define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
-#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
+#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */
+#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */
+#define DNSSEC_ASSUMED_DS_TTL 3600 /* TTL for negative DS records implied by server=/domain/ */
 #define TIMEOUT 10     /* drop UDP queries after TIMEOUT seconds */
 #define SMALL_PORT_RANGE 30 /* If DNS port range is smaller than this, use different allocation. */
 #define FORWARD_TEST 50 /* try all servers every 50 queries */
@@ -48,6 +52,8 @@
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
+#define TFTP_MAX_WINDOW 32 /* max window size to negotiate */
+#define TFTP_TRANSFER_TIME 120 /* Abandon TFTP transfers after this long. Two mins. */
 #define LOG_MAX 5 /* log-queue length */
 #define RANDFILE "/dev/urandom"
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
@@ -126,9 +132,6 @@ HAVE_AUTH
    define this to include the facility to act as an authoritative DNS
    server for one or more zones.
 
-HAVE_CRYPTOHASH
-   include just hash function from crypto library, but no DNSSEC.
-
 HAVE_DNSSEC
    include DNSSEC validator.
 
@@ -152,6 +155,7 @@ NO_AUTH
 NO_DUMPFILE
 NO_LOOP
 NO_INOTIFY
+NO_IPSET
    these are available to explicitly disable compile time options which would 
    otherwise be enabled automatically or which are enabled  by default 
    in the distributed source tree. Building dnsmasq
@@ -197,7 +201,6 @@ RESOLVFILE
 /* #define HAVE_IDN */
 /* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
-/* #define HAVE_CRYPTOHASH */
 /* #define HAVE_DNSSEC */
 /* #define HAVE_NFTSET */
 
@@ -297,7 +300,6 @@ HAVE_SOCKADDR_SA_LEN
 #ifndef SOL_TCP
 #  define SOL_TCP IPPROTO_TCP
 #endif
-#define NO_IPSET
 
 #elif defined(__NetBSD__)
 #define HAVE_BSD_NETWORK
@@ -347,10 +349,24 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_AUTH
 #endif
 
+#if !defined(HAVE_LINUX_NETWORK)
+#undef HAVE_NFTSET
+#endif
+
 #if defined(NO_IPSET)
 #undef HAVE_IPSET
 #endif
 
+#if defined(HAVE_IPSET)
+#  if defined(HAVE_LINUX_NETWORK)
+#    define HAVE_LINUX_IPSET
+#  elif defined(HAVE_BSD_NETWORK)
+#    define HAVE_BSD_IPSET
+#  else
+#    undef HAVE_IPSET
+#  endif
+#endif
+
 #ifdef NO_LOOP
 #undef HAVE_LOOP
 #endif
@@ -363,6 +379,11 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_INOTIFY
 #endif
 
+/* This never compiles code, it's only used by the makefile to fingerprint builds. */
+#ifdef DNSMASQ_COMPILE_FLAGS
+static char *compile_flags = DNSMASQ_COMPILE_FLAGS;
+#endif
+
 /* Define a string indicating which options are in use.
    DNSMASQ_COMPILE_OPTS is only defined in dnsmasq.c */
 
@@ -435,10 +456,6 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
-#if !defined(HAVE_CRYPTOHASH) && !defined(HAVE_DNSSEC)
-"no-"
-#endif
-"cryptohash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif
@@ -459,4 +476,4 @@ static char *compile_opts =
 #endif
 "dumpfile";
 
-#endif /* defined(HAVE_DHCP) */
+#endif /* defined(DNSMASQ_COMPILE_OPTS) */

src/conntrack.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/crypto.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@
 
 #include "dnsmasq.h"
 
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
+#if defined(HAVE_DNSSEC)
 
 /* Minimal version of nettle */
 
@@ -30,9 +30,6 @@
 #define MIN_VERSION(major, minor) ((NETTLE_VERSION_MAJOR == (major) && NETTLE_VERSION_MINOR >= (minor)) || \
 				   (NETTLE_VERSION_MAJOR > (major)))
 
-#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */
-
-#if defined(HAVE_DNSSEC)
 #include <nettle/rsa.h>
 #include <nettle/ecdsa.h>
 #include <nettle/ecc-curve.h>
@@ -476,9 +473,6 @@ char *nsec3_digest_name(int digest)
     }
 }
 
-#endif /* defined(HAVE_DNSSEC) */
-
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
 /* Find pointer to correct hash function in nettle library */
 const struct nettle_hash *hash_find(char *name)
 {
@@ -509,4 +503,4 @@ const struct nettle_hash *hash_find(char *name)
 #endif
 }
 
-#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */
+#endif /* defined(HAVE_DNSSEC) */

src/dbus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -485,28 +485,37 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
   return error;
 }
 
-static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+static DBusMessage *dbus_get_bool(DBusMessage *message, dbus_bool_t *enabled, char *name)
 {
   DBusMessageIter iter;
-  dbus_bool_t enabled;
 
   if (!dbus_message_iter_init(message, &iter) || dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_BOOLEAN)
     return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS, "Expected boolean argument");
   
-  dbus_message_iter_get_basic(&iter, &enabled);
-
-  if (enabled)
-    { 
-      my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
-      set_option_bool(flag);
-    }
+  dbus_message_iter_get_basic(&iter, enabled);
+  
+  if (*enabled)
+    my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
   else
+    my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
+  
+  return NULL;
+}
+
+static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+{
+  dbus_bool_t val;
+  DBusMessage *reply = dbus_get_bool(message, &val, name);
+  
+  if (!reply)
     {
-      my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
-      reset_option_bool(flag);
+      if (val)
+	set_option_bool(flag);
+      else
+	reset_option_bool(flag);
     }
 
-  return NULL;
+  return reply;
 }
 
 #ifdef HAVE_DHCP
@@ -521,8 +530,8 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
   union all_addr addr;
   time_t now = dnsmasq_time();
   unsigned char dhcp_chaddr[DHCP_CHADDR_MAX];
-
   DBusMessageIter iter, array_iter;
+
   if (!dbus_message_iter_init(message, &iter))
     return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				  "Failed to initialize dbus message iter");
@@ -590,6 +599,10 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 
   if (inet_pton(AF_INET, ipaddr, &addr.addr4))
     {
+      if (!daemon->dhcp)
+	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+				      "DHCPv4 not configured");
+      
       if (ia_id != 0 || is_temporary)
 	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				      "ia_id and is_temporary must be zero for IPv4 lease");
@@ -600,16 +613,25 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 #ifdef HAVE_DHCP6
   else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
     {
+      if (!daemon->doing_dhcp6)
+	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+				      "DHCPv6 not configured");
+      
       if (!(lease = lease6_find_by_addr(&addr.addr6, 128, 0)))
 	lease = lease6_allocate(&addr.addr6,
 				is_temporary ? LEASE_TA : LEASE_NA);
-      lease_set_iaid(lease, ia_id);
+      if (lease)
+	lease_set_iaid(lease, ia_id);
     }
 #endif
   else
     return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
 					 "Invalid IP address '%s'", ipaddr);
-   
+
+  if (!lease) 
+    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+					 "unable to allocate lease for IP address '%s'", ipaddr);
+  
   hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
   if (hw_len < 0)
     return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
@@ -632,7 +654,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 
 static DBusMessage *dbus_del_lease(DBusMessage* message)
 {
-  struct dhcp_lease *lease;
+  struct dhcp_lease *lease = NULL;
   DBusMessageIter iter;
   const char *ipaddr;
   DBusMessage *reply;
@@ -650,10 +672,10 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
    
   dbus_message_iter_get_basic(&iter, &ipaddr);
 
-  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4) && daemon->dhcp)
     lease = lease_find_by_addr(addr.addr4);
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6) && daemon->doing_dhcp6)
     lease = lease6_find_by_addr(&addr.addr6, 128, 0);
 #endif
   else
@@ -759,10 +781,10 @@ static DBusMessage *dbus_get_server_metrics(DBusMessage* message)
 	add_dict_entry(&dict_array, "address", daemon->namebuff);
 	
 	add_dict_int(&dict_array, "port", port);
-	add_dict_int(&dict_array, "queries", serv->queries);
-	add_dict_int(&dict_array, "failed_queries", serv->failed_queries);
-	add_dict_int(&dict_array, "nxdomain", serv->nxdomain_replies);
-	add_dict_int(&dict_array, "retries", serv->retrys);
+	add_dict_int(&dict_array, "queries", queries);
+	add_dict_int(&dict_array, "failed_queries", failed_queries);
+	add_dict_int(&dict_array, "nxdomain", nxdomain_replies);
+	add_dict_int(&dict_array, "retries", retrys);
 	add_dict_int(&dict_array, "latency", sigma_latency/count_latency);
 	
 	dbus_message_iter_close_container(&server_array, &dict_array);
@@ -829,23 +851,37 @@ DBusHandlerResult message_handler(DBusConnection *connection,
   else if (strcmp(method, "SetFilterA") == 0)
     {
       static int done = 0;
-      static struct rrlist list = { T_A, NULL };
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
 
-      if (!done)
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-A")))
 	{
-	  list.next = daemon->filter_rr;
-	  daemon->filter_rr = &list;
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+
+	  list.rr = enabled ? T_A : 0;
 	}
     }
   else if (strcmp(method, "SetFilterAAAA") == 0)
     {
       static int done = 0;
-      static struct rrlist list = { T_AAAA, NULL };
-
-      if (!done)
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
+      
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-AAAA")))
 	{
-	  list.next = daemon->filter_rr;
-	  daemon->filter_rr = &list;
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+	  
+	  list.rr = enabled ? T_AAAA : 0;
 	}
     }
   else if (strcmp(method, "SetLocaliseQueriesOption") == 0)

src/dhcp-common.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -128,22 +128,41 @@ struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
   return tags;
 }
 
+/* pxemode == 0 -> don't include dhcp-option-pxe options.
+   pxemode == 1 -> do include dhcp-option-pxe options.
+   pxemode == 2 -> include ONLY dhcp-option-pxe options. */
+int pxe_ok(struct dhcp_opt *opt, int pxemode)
+{
+  if (opt->flags & DHOPT_PXE_OPT)
+    {
+      if (pxemode != 0)
+	return 1;
+    }
+  else
+    {
+      if (pxemode != 2)
+	return 1;
+    }
+  
+  return 0;
+}
 
-struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts)
+struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts, int pxemode)
 {
   struct dhcp_netid *tagif = run_tag_if(tags);
   struct dhcp_opt *opt;
   struct dhcp_opt *tmp;  
-
+  
   /* flag options which are valid with the current tag set (sans context tags) */
   for (opt = opts; opt; opt = opt->next)
     {
       opt->flags &= ~DHOPT_TAGOK;
       if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925)) &&
-	  match_netid(opt->netid, tagif, 0))
+	  match_netid(opt->netid, tagif, 0) &&
+	  pxe_ok(opt, pxemode))
 	opt->flags |= DHOPT_TAGOK;
     }
-
+  
   /* now flag options which are valid, including the context tags,
      otherwise valid options are inhibited if we found a higher priority one above */
   if (context_tags)
@@ -163,7 +182,8 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
 
       for (opt = opts; opt; opt = opt->next)
 	if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
-	    match_netid(opt->netid, tagif, 0))
+	    match_netid(opt->netid, tagif, 0) &&
+	    pxe_ok(opt, pxemode))
 	  {
 	    struct dhcp_opt *tmp;  
 	    for (tmp = opts; tmp; tmp = tmp->next) 
@@ -176,7 +196,9 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
   
   /* now flag untagged options which are not overridden by tagged ones */
   for (opt = opts; opt; opt = opt->next)
-    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) && !opt->netid)
+    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
+	!opt->netid &&
+	pxe_ok(opt, pxemode))
       {
 	for (tmp = opts; tmp; tmp = tmp->next) 
 	  if (tmp->opt == opt->opt && (tmp->flags & DHOPT_TAGOK))
@@ -186,7 +208,7 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
 	else if (!tmp->netid)
 	  my_syslog(MS_DHCP | LOG_WARNING, _("Ignoring duplicate dhcp-option %d"), tmp->opt); 
       }
-
+  
   /* Finally, eliminate duplicate options later in the chain, and therefore earlier in the config file. */
   for (opt = opts; opt; opt = opt->next)
     if (opt->flags & DHOPT_TAGOK)
@@ -679,13 +701,16 @@ static const struct opttab_t {
   { "user-class", 77, 0 },
   { "rapid-commit", 80, 0 },
   { "FQDN", 81, OT_INTERNAL },
-  { "agent-id", 82, OT_INTERNAL },
+  { "agent-info", 82, OT_INTERNAL },
+  { "last-transaction", 91, 4 | OT_TIME },
+  { "associated-ip", 92, OT_ADDR_LIST },
   { "client-arch", 93, 2 | OT_DEC },
   { "client-interface-id", 94, 0 },
   { "client-machine-id", 97, 0 },
   { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
   { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
-  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */ 
+  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */
+  { "captive-portal", 114, OT_NAME },  /* RFC 8910 */
   { "subnet-select", 118, OT_INTERNAL },
   { "domain-search", 119, OT_RFC1035_NAME },
   { "sip-server", 120, 0 },
@@ -727,6 +752,7 @@ static const struct opttab_t opttab6[] = {
   { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
   { "bootfile-url", 59, OT_NAME },
   { "bootfile-param", 60, OT_CSTRING },
+  { "captive-portal", 103, OT_NAME },  /* RFC 8910 */
   { NULL, 0, 0 }
 };
 #endif
@@ -1043,10 +1069,12 @@ void log_relay(int family, struct dhcp_relay *relay)
     {
       if (broadcast)
 	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s via %s"), daemon->addrbuff, relay->interface);
+      else if (relay->split_mode)
+	my_syslog(MS_DHCP | LOG_INFO, _("DHCP split-relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
       else
 	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
     }
-  else
+  else 
     my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s"), daemon->addrbuff, daemon->namebuff);
 }
    

src/dhcp-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -57,6 +57,8 @@
 #define OPTION_RAPID_COMMIT      80
 #define OPTION_CLIENT_FQDN       81
 #define OPTION_AGENT_ID          82
+#define OPTION_LAST_TRANSACTION  91
+#define OPTION_ASSOCIATED_IP     92
 #define OPTION_ARCH              93
 #define OPTION_PXE_UUID          97
 #define OPTION_SUBNET_SELECT     118
@@ -71,6 +73,7 @@
 #define SUBOPT_REMOTE_ID         2
 #define SUBOPT_SUBNET_SELECT     5     /* RFC 3527 */
 #define SUBOPT_SUBSCR_ID         6     /* RFC 3393 */
+#define SUBOPT_FLAGS             10    /* RFC 5010 */
 #define SUBOPT_SERVER_OR         11    /* RFC 5107 */
 
 #define SUBOPT_PXE_BOOT_ITEM     71    /* PXE standard */
@@ -87,6 +90,11 @@
 #define DHCPNAK                  6
 #define DHCPRELEASE              7
 #define DHCPINFORM               8
+#define DHCPFORCERENEW           9
+#define DHCPLEASEQUERY          10
+#define DHCPLEASEUNASSIGNED     11
+#define DHCPLEASEUNKNOWN        12
+#define DHCPLEASEACTIVE         13
 
 #define BRDBAND_FORUM_IANA       3561 /* Broadband forum IANA enterprise */
 

src/dhcp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -32,8 +32,6 @@ static int complete_context(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam);
 static int check_listen_addrs(struct in_addr local, int if_index, char *label,
 			      struct in_addr netmask, struct in_addr broadcast, void *vparam);
-static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz);
-static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface);
 
 static int make_fd(int port)
 {
@@ -135,7 +133,7 @@ void dhcp_packet(time_t now, int pxe_fd)
   struct dhcp_packet *mess;
   struct dhcp_context *context;
   struct dhcp_relay *relay;
-  int is_relay_reply = 0;
+  int is_relay_reply = 0, is_relay_use_source = 0;
   struct iname *tmp;
   struct ifreq ifr;
   struct msghdr msg;
@@ -144,13 +142,14 @@ void dhcp_packet(time_t now, int pxe_fd)
   struct iovec iov;
   ssize_t sz; 
   int iface_index = 0, unicast_dest = 0, is_inform = 0, loopback = 0;
-  int rcvd_iface_index;
+  int rcvd_iface_index, relay_index;
   struct in_addr iface_addr;
   struct iface_param parm;
   time_t recvtime = now;
 #ifdef HAVE_LINUX_NETWORK
   struct arpreq arp_req;
   struct timeval tv;
+  struct in_addr dst_addr;
 #endif
   
   union {
@@ -176,13 +175,11 @@ void dhcp_packet(time_t now, int pxe_fd)
       (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))) 
     return;
   
-#ifdef HAVE_DUMPFILE
-  dump_packet_udp(DUMP_DHCP, (void *)daemon->dhcp_packet.iov_base, sz, (union mysockaddr *)&dest, NULL, fd);
-#endif
-  
 #if defined (HAVE_LINUX_NETWORK)
   if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
     recvtime = tv.tv_sec;
+
+  dst_addr.s_addr = 0;
   
   if (msg.msg_controllen >= sizeof(struct cmsghdr))
     for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
@@ -194,7 +191,8 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  } p;
 	  p.c = CMSG_DATA(cmptr);
 	  iface_index = p.p->ipi_ifindex;
-	  if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
+	  dst_addr = p.p->ipi_addr; 
+	  if (dst_addr.s_addr != INADDR_BROADCAST)
 	    unicast_dest = 1;
 	}
 
@@ -224,12 +222,44 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  iface_index = *(p.i);
 	}
 #endif
-	
+
+#ifdef HAVE_DUMPFILE
+  union mysockaddr *sockp = NULL;
+  
+#  ifdef HAVE_LINUX_NETWORK
+  union mysockaddr tosock;
+  
+  sockp = &tosock;
+  tosock.in.sin_port = htons(daemon->dhcp_server_port);
+  tosock.in.sin_addr = dst_addr;
+  tosock.sa.sa_family = AF_INET;
+#    ifdef HAVE_SOCKADDR_SA_LEN
+  tosock.in.sin_len = sizeof(struct sockaddr_in);
+#    endif
+#  endif
+  
+  dump_packet_udp(DUMP_DHCP, (void *)daemon->dhcp_packet.iov_base, sz, (union mysockaddr *)&dest, sockp, -1);
+#endif
+  	
   if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name) ||
       ioctl(daemon->dhcpfd, SIOCGIFFLAGS, &ifr) != 0)
     return;
   
   mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
+  
+  /* Non-standard extension:
+     If giaddr == 255.255.255.255 we reply to the source
+     address in the request packet header. This makes
+     stand-alone leasequery clients easier, as they
+     can leave source address determination to the kernel.
+     In this case, set a flag and clear giaddr here,
+     to avoid massive relay confusion. */
+  if (mess->giaddr.s_addr == INADDR_BROADCAST)
+    {
+      mess->giaddr.s_addr = 0;
+      is_relay_use_source = 1;
+    }
+  
   loopback = !mess->giaddr.s_addr && (ifr.ifr_flags & IFF_LOOPBACK);
   
 #ifdef HAVE_LINUX_NETWORK
@@ -272,10 +302,10 @@ void dhcp_packet(time_t now, int pxe_fd)
     unicast_dest = 1;
 #endif
   
-  if ((relay = relay_reply4((struct dhcp_packet *)daemon->dhcp_packet.iov_base, ifr.ifr_name)))
+  if ((relay_index = relay_reply4((struct dhcp_packet *)daemon->dhcp_packet.iov_base, (size_t)sz, ifr.ifr_name)))
     {
       /* Reply from server, using us as relay. */
-      rcvd_iface_index = relay->iface_index;
+      rcvd_iface_index = relay_index;
       if (!indextoname(daemon->dhcpfd, rcvd_iface_index, ifr.ifr_name))
 	return;
       is_relay_reply = 1; 
@@ -300,9 +330,12 @@ void dhcp_packet(time_t now, int pxe_fd)
 	if (tmp->name && (tmp->flags & INAME_4) && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
       
-      /* unlinked contexts/relays are marked by context->current == context */
+      /* unlinked contexts are marked by context->current == context */
       for (context = daemon->dhcp; context; context = context->next)
 	context->current = context;
+
+      for (relay = daemon->relay4; relay; relay = relay->next)
+	relay->matchcount = 0;
       
       parm.current = NULL;
       parm.ind = iface_index;
@@ -317,7 +350,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  match.ind = iface_index;
 	  
 	  if (!daemon->if_addrs ||
-	      !iface_enumerate(AF_INET, &match, check_listen_addrs) ||
+	      !iface_enumerate(AF_INET, &match, (callback_t){.af_inet=check_listen_addrs}) ||
 	      !match.matched)
 	    return;
 	  
@@ -327,25 +360,19 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
 	}    
             
-      if (relay_upstream4(iface_index, mess, (size_t)sz))
-	return;
-      
-      if (!iface_enumerate(AF_INET, &parm, complete_context))
+      if (!iface_enumerate(AF_INET, &parm, (callback_t){.af_inet=complete_context}))
 	return;
 
-      /* Check for a relay again after iface_enumerate/complete_context has had
-	 chance to fill in relay->iface_index fields. This handles first time through
-	 and any changes in interface config. */
-       if (relay_upstream4(iface_index, mess, (size_t)sz))
-	return;
+      relay_upstream4(iface_addr, iface_index, mess, (size_t)sz, unicast_dest);
        
       /* May have configured relay, but not DHCP server */
       if (!daemon->dhcp)
 	return;
 
       lease_prune(NULL, now); /* lose any expired leases */
-      iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
-			       now, unicast_dest, loopback, &is_inform, pxe_fd, iface_addr, recvtime);
+      iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, now, unicast_dest,
+			       loopback, &is_inform, pxe_fd, iface_addr, recvtime,
+			       is_relay_use_source ? dest.sin_addr : mess->giaddr);
       lease_update_file(now);
       lease_update_dns(0);
       
@@ -372,11 +399,17 @@ void dhcp_packet(time_t now, int pxe_fd)
       if (mess->ciaddr.s_addr != 0)
 	dest.sin_addr = mess->ciaddr;
     }
-  else if (mess->giaddr.s_addr && !is_relay_reply)
+  if ((is_relay_use_source || mess->giaddr.s_addr) && !is_relay_reply)
     {
-      /* Send to BOOTP relay  */
-      dest.sin_port = htons(daemon->dhcp_server_port);
-      dest.sin_addr = mess->giaddr; 
+      /* Send to BOOTP relay. */
+      if (is_relay_use_source)
+	/* restore as-received value */
+	mess->giaddr.s_addr = INADDR_BROADCAST;
+      else
+	{
+	  dest.sin_addr = mess->giaddr;
+	  dest.sin_port = htons(daemon->dhcp_server_port);
+	}
     }
   else if (mess->ciaddr.s_addr)
     {
@@ -398,6 +431,10 @@ void dhcp_packet(time_t now, int pxe_fd)
       struct in_pktinfo *pkt;
       msg.msg_control = control_u.control;
       msg.msg_controllen = sizeof(control_u);
+
+      /* alignment padding passed to the kernel should not be uninitialised. */
+      memset(&control_u, 0, sizeof(control_u));
+
       cmptr = CMSG_FIRSTHDR(&msg);
       pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
       pkt->ipi_ifindex = rcvd_iface_index;
@@ -630,8 +667,19 @@ static int complete_context(struct in_addr local, int if_index, char *label,
     }
 
   for (relay = daemon->relay4; relay; relay = relay->next)
-    if (relay->local.addr4.s_addr == local.s_addr)
-      relay->iface_index = if_index;
+    if (!relay->split_mode && relay->local.addr4.s_addr == local.s_addr)
+      {
+	if (if_index == param->ind)
+	  relay->iface_index = if_index;
+	
+	/* More than one interface with the relay address breaks things. */
+	if (relay->matchcount++ == 1 && !relay->warned)
+	  {
+	    relay->warned = 1;
+	    inet_ntop(AF_INET, &local, daemon->addrbuff, ADDRSTRLEN);
+	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP relay address %s appears on more than one interface"), daemon->addrbuff);
+	  }
+      }
   
   return 1;
 }
@@ -648,7 +696,7 @@ struct dhcp_context *address_available(struct dhcp_context *context,
   struct dhcp_context *tmp;
 
   for (tmp = context; tmp; tmp = tmp->current)
-    if (taddr.s_addr == context->router.s_addr)
+    if (taddr.s_addr == tmp->router.s_addr)
       return NULL;
   
   for (tmp = context; tmp; tmp = tmp->current)
@@ -1073,118 +1121,4 @@ char *host_from_dns(struct in_addr addr)
   return NULL;
 }
 
-static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
-{
-  struct in_addr giaddr = mess->giaddr;
-  u8 hops = mess->hops;
-  struct dhcp_relay *relay;
-
-  if (mess->op != BOOTREQUEST)
-    return 0;
-
-  for (relay = daemon->relay4; relay; relay = relay->next)
-    if (relay->iface_index != 0 && relay->iface_index == iface_index)
-      break;
-
-  /* No relay config. */
-  if (!relay)
-    return 0;
-  
-  for (; relay; relay = relay->next)
-    if (relay->iface_index != 0 && relay->iface_index == iface_index)
-      {
-	union mysockaddr to;
-	union all_addr from;
-
-	mess->hops = hops;
-	mess->giaddr = giaddr;
-	
-	if ((mess->hops++) > 20)
-	  continue;
-	
-	/* source address == relay address */
-	from.addr4 = relay->local.addr4;
-
-	/* already gatewayed ? */
-	if (giaddr.s_addr)
-	  {
-	    /* if so check if by us, to stomp on loops. */
-	    if (giaddr.s_addr == relay->local.addr4.s_addr)
-	      continue;
-	  }
-	else
-	  {
-	    /* plug in our address */
-	    mess->giaddr.s_addr = relay->local.addr4.s_addr;
-	  }
-	
-	to.sa.sa_family = AF_INET;
-	to.in.sin_addr = relay->server.addr4;
-	to.in.sin_port = htons(relay->port);
-	
-	/* Broadcasting to server. */
-	if (relay->server.addr4.s_addr == 0)
-	  {
-	    struct ifreq ifr;
-	    
-	    if (relay->interface)
-	      safe_strncpy(ifr.ifr_name, relay->interface, IF_NAMESIZE);
-	    
-	    if (!relay->interface || strchr(relay->interface, '*') ||
-		ioctl(daemon->dhcpfd, SIOCGIFBRDADDR, &ifr) == -1)
-	      {
-		my_syslog(MS_DHCP | LOG_ERR, _("Cannot broadcast DHCP relay via interface %s"), relay->interface);
-		continue;
-	      }
-	    
-	    to.in.sin_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-	  }
-	
-#ifdef HAVE_DUMPFILE
-	{
-	  union mysockaddr fromsock;
-	  fromsock.in.sin_port = htons(daemon->dhcp_server_port);
-	  fromsock.in.sin_addr = from.addr4;
-	  fromsock.sa.sa_family = AF_INET;
-
-	  dump_packet_udp(DUMP_DHCP, (void *)mess, sz, &fromsock, &to, -1);
-	}
-#endif
-	
-	 send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
-	 
-	 if (option_bool(OPT_LOG_OPTS))
-	   {
-	     inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	     if (relay->server.addr4.s_addr == 0)
-	       snprintf(daemon->dhcp_buff2, DHCP_BUFF_SZ, _("broadcast via %s"), relay->interface);
-	     else
-	       inet_ntop(AF_INET, &relay->server.addr4, daemon->dhcp_buff2, DHCP_BUFF_SZ);
-	     my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay at %s -> %s"), daemon->addrbuff, daemon->dhcp_buff2);
-	   }
-      }
-  
-  return 1;
-}
-
-
-static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface)
-{
-  struct dhcp_relay *relay;
-
-  if (mess->giaddr.s_addr == 0 || mess->op != BOOTREPLY)
-    return NULL;
-
-  for (relay = daemon->relay4; relay; relay = relay->next)
-    {
-      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
-	{
-	  if (!relay->interface || wildcard_match(relay->interface, arrival_interface))
-	    return relay->iface_index != 0 ? relay : NULL;
-	}
-    }
-  
-  return NULL;	 
-}     
-
 #endif