Update German translations.

Merge OOB memory read fix. CVE-2025-54318
Fix some issues with the swedish manual page, some causing lintian warnings
2025-12-07 13:44:40 +00:00 · 2025-12-06 14:04:23 +00:00 · 2025-12-05 15:13:54 +00:00 · 2025-12-05 15:13:45 +00:00 · 2025-12-05 15:12:28 +00:00 · 2025-12-05 15:10:31 +00:00
47 changed files with 17356 additions and 7768 deletions
--- a/57
+++ b/57
@@ -19,6 +19,63 @@ version 2.92
 	would fail to spot an invalid domain. Thanks to Graham Clinch
 	for spotting the problem.

+	Add --log-queries=auth option to only log replies from the auth DNS
+	facility.
+
+	Fix some edge-cases with domains and --address and --server. There
+	has been some regressions with this in previous releases. This change
+	fixes the priority order from lower to highest as:
+	--address with a IPv4 or IPv6 address (as long as the query matches the type)
+        --address with # for all-zeros, as long as the query is A or AAAA)
+        --address with no address, which returns NXDOMAIN or NOERROR for all types.
+        --server with address set to # to use the unqualified servers.
+        --server with matching domain.
+        --server without domain or from /etc/resolv.conf.
+
+	Fix problems with ipset or nftset and TCP DNS transport. Previously
+	this was racy, and insertion of addresses could fail on a busy server
+	when DNS-over-TCP transport was involved.
+
+	DNSSEC validation change for reverse lookups in RFC-1918 ranges and friends.
+    	The large public DNS services seem not to return proof-of-nonexistence
+	for DS records at the start of RFC-1918 in-addr.arpa domains and the their
+	IPv6 equivalents. 10.in-addr.arpa, 168.192.in-addr.arpa etc.
+	Since dnsmasq already has an option which instructs it not bother
+	upstream servers with pointless queries about these address ranges,
+	namely --bogus-priv, we extend that to enable behaviour which allows
+	dnsmasq to assume that insecure NXDOMAIN replies for these domains
+	are expected and to assume that the domains are legitimately unsigned.
+	This behaviour only matters when some address range is directed to
+	another upstream server using --rev-server. In that case it allows
+	replies from that server to pass DNSSEC validation. Without such a
+	server configured, queries are never sent upstream so they are never
+	validated and the new behaviour is moot.
+
+	Add support for leasequery to the dnsmasq DHCPv4 server.
+	This has to be specifically enabled with the --leasequery option.
+	Many thanks to JAXPORT, Jacksonville Port Authority for sponsoring
+	this enhancement to dnsmasq.
+
+	Fix failure to cache PTR RRs when a reply contains more than one answer.
+	Thanks to Dmitry for spotting this.
+
+	Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).
+	
+	Change the behaviour of the DHCPv6 server when a REBIND message
+	is received but no lease exists. Under these circumstances a new
+	lease is created _only_ when the --dhcp-authoritative option is
+	set. This matches the behavior of the DHCPv4 server.
+
+	Add --dhcp-split-relay option. This makes a DHCPv4 relay which
+	is functional when client and server networks aren't mutually
+	route-able.
+
+	Fix failure to add client MAC address to queries in TCP mode.
+	The options which cause	dnsmasq	to decorate a DNS query	with the MAC
+	address	on the originating client can fail when the query is sent
+	using TCP. Thanks to Bruno Ravara for spotting and
+	characterising this bug.
+
 	
 version 2.91
 	Fix spurious "resource limit exceeded messages". Thanks to 
--- a/contrib/leasequery/leasequery.c
+++ b/contrib/leasequery/leasequery.c
@@ -0,0 +1,695 @@
+/* leasequery is Copyright (c) 2025 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Author's email: simon@thekelleys.org.uk */
+
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <limits.h>
+#include <net/if.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
+#include <netdb.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+typedef unsigned long long u64;
+
+#define INADDRSZ        4
+#define ADDRSTRLEN      46
+
+#define option_len(opt) ((int)(((unsigned char *)(opt))[1]))
+#define option_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[2u+(unsigned int)(i)]))
+
+#define DHCP_CHADDR_MAX  16
+#define DHCP_SERVER_PORT 67
+#define DHCP_CLIENT_PORT 68
+#define BOOTREQUEST      1
+#define BOOTREPLY        2
+
+#define DHCP_COOKIE              0x63825363
+
+#define DHCPLEASEQUERY          10
+#define DHCPLEASEUNASSIGNED     11
+#define DHCPLEASEUNKNOWN        12
+#define DHCPLEASEACTIVE         13
+
+#define OPTION_END               255
+#define OPTION_ROUTER            3
+#define OPTION_VENDOR_CLASS_OPT  43
+#define OPTION_LEASE_TIME        51
+#define OPTION_MESSAGE_TYPE      53
+#define OPTION_SERVER_IDENTIFIER 54
+#define OPTION_REQUESTED_OPTIONS 55
+#define OPTION_VENDOR_ID         60
+#define OPTION_CLIENT_ID         61
+
+/* flags in top of length field for DHCP-option tables */
+#define OT_ADDR_LIST    0x8000
+#define OT_RFC1035_NAME 0x4000
+#define OT_INTERNAL     0x2000
+#define OT_NAME         0x1000
+#define OT_CSTRING      0x0800
+#define OT_DEC          0x0400 
+#define OT_TIME         0x0200
+
+#define GETSHORT(s, cp) do { \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	(s) = ((u16)t_cp[0] << 8) \
+	    | ((u16)t_cp[1]) \
+	    ; \
+	(cp) += 2; \
+  } while(0)
+
+#define GETLONG(l, cp) do { \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	(l) = ((u32)t_cp[0] << 24) \
+	    | ((u32)t_cp[1] << 16) \
+	    | ((u32)t_cp[2] << 8) \
+	    | ((u32)t_cp[3]) \
+	    ; \
+	(cp) += 4; \
+  } while (0)
+
+#define PUTSHORT(s, cp) do { \
+	u16 t_s = (u16)(s); \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	*t_cp++ = t_s >> 8; \
+	*t_cp   = t_s; \
+	(cp) += 2; \
+  } while(0)
+
+#define PUTLONG(l, cp) do { \
+	u32 t_l = (u32)(l); \
+	unsigned char *t_cp = (unsigned char *)(cp); \
+	*t_cp++ = t_l >> 24; \
+	*t_cp++ = t_l >> 16; \
+	*t_cp++ = t_l >> 8; \
+	*t_cp   = t_l; \
+	(cp) += 4; \
+  } while (0)
+
+union all_addr {
+  struct in_addr addr4;
+  struct in6_addr addr6;
+};
+  
+struct dhcp_packet_with_opts{
+  struct dhcp_packet {
+    unsigned char op, htype, hlen, hops;
+    unsigned int xid;
+    unsigned short secs, flags;
+    struct in_addr ciaddr, yiaddr, siaddr, giaddr;
+    unsigned char chaddr[DHCP_CHADDR_MAX], sname[64], file[128];
+  } header;
+  unsigned char options[312];
+};
+
+static const struct opttab_t {
+  char *name;
+  u16 val, size;
+} opttab[] = {
+  { "netmask", 1, OT_ADDR_LIST },
+  { "time-offset", 2, 4 },
+  { "router", 3, OT_ADDR_LIST  },
+  { "dns-server", 6, OT_ADDR_LIST },
+  { "log-server", 7, OT_ADDR_LIST },
+  { "lpr-server", 9, OT_ADDR_LIST },
+  { "hostname", 12, OT_INTERNAL | OT_NAME },
+  { "boot-file-size", 13, 2 | OT_DEC },
+  { "domain-name", 15, OT_NAME },
+  { "swap-server", 16, OT_ADDR_LIST },
+  { "root-path", 17, OT_NAME },
+  { "extension-path", 18, OT_NAME },
+  { "ip-forward-enable", 19, 1 },
+  { "non-local-source-routing", 20, 1 },
+  { "policy-filter", 21, OT_ADDR_LIST },
+  { "max-datagram-reassembly", 22, 2 | OT_DEC },
+  { "default-ttl", 23, 1 | OT_DEC },
+  { "mtu", 26, 2 | OT_DEC },
+  { "all-subnets-local", 27, 1 },
+  { "broadcast", 28, OT_INTERNAL | OT_ADDR_LIST },
+  { "router-discovery", 31, 1 },
+  { "router-solicitation", 32, OT_ADDR_LIST },
+  { "static-route", 33, OT_ADDR_LIST },
+  { "trailer-encapsulation", 34, 1 },
+  { "arp-timeout", 35, 4 | OT_DEC },
+  { "ethernet-encap", 36, 1 },
+  { "tcp-ttl", 37, 1 },
+  { "tcp-keepalive", 38, 4 | OT_DEC },
+  { "nis-domain", 40, OT_NAME },
+  { "nis-server", 41, OT_ADDR_LIST },
+  { "ntp-server", 42, OT_ADDR_LIST },
+  { "vendor-encap", 43, OT_INTERNAL },
+  { "netbios-ns", 44, OT_ADDR_LIST },
+  { "netbios-dd", 45, OT_ADDR_LIST },
+  { "netbios-nodetype", 46, 1 },
+  { "netbios-scope", 47, 0 },
+  { "x-windows-fs", 48, OT_ADDR_LIST },
+  { "x-windows-dm", 49, OT_ADDR_LIST },
+  { "requested-address", 50, OT_INTERNAL | OT_ADDR_LIST },
+  { "lease-time", 51, OT_INTERNAL | OT_TIME },
+  { "option-overload", 52, OT_INTERNAL },
+  { "message-type", 53, OT_INTERNAL | OT_DEC },
+  { "server-identifier", 54, OT_INTERNAL | OT_ADDR_LIST },
+  { "parameter-request", 55, OT_INTERNAL },
+  { "message", 56, OT_INTERNAL },
+  { "max-message-size", 57, OT_INTERNAL },
+  { "T1", 58, OT_TIME},
+  { "T2", 59, OT_TIME},
+  { "vendor-class", 60, OT_NAME },
+  { "client-id", 61, OT_INTERNAL },
+  { "nis+-domain", 64, OT_NAME },
+  { "nis+-server", 65, OT_ADDR_LIST },
+  { "tftp-server", 66, OT_NAME },
+  { "bootfile-name", 67, OT_NAME },
+  { "mobile-ip-home", 68, OT_ADDR_LIST }, 
+  { "smtp-server", 69, OT_ADDR_LIST }, 
+  { "pop3-server", 70, OT_ADDR_LIST }, 
+  { "nntp-server", 71, OT_ADDR_LIST }, 
+  { "irc-server", 74, OT_ADDR_LIST }, 
+  { "user-class", 77, 0 },
+  { "rapid-commit", 80, 0 },
+  { "FQDN", 81, OT_INTERNAL },
+  { "agent-info", 82, OT_INTERNAL },
+  { "last-transaction", 91, 4 | OT_TIME },
+  { "associated-ip", 92, OT_ADDR_LIST },
+  { "client-arch", 93, 2 | OT_DEC },
+  { "client-interface-id", 94, 0 },
+  { "client-machine-id", 97, 0 },
+  { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */ 
+  { "subnet-select", 118, OT_INTERNAL },
+  { "domain-search", 119, OT_RFC1035_NAME },
+  { "sip-server", 120, 0 },
+  { "classless-static-route", 121, 0 },
+  { "vendor-id-encap", 125, 0 },
+  { "tftp-server-address", 150, OT_ADDR_LIST },
+  { "server-ip-address", 255, OT_ADDR_LIST }, /* special, internal only, sets siaddr */
+  { NULL, 0, 0 }
+};
+
+static void prettyprint_time(char *buf, unsigned int t);
+static char *print_mac(char *buff, unsigned char *mac, int len);
+
+int lookup_dhcp_opt(char *name)
+{
+  const struct opttab_t *t = opttab;
+  int i;
+
+  for (i = 0; t[i].name; i++)
+    if (strcasecmp(t[i].name, name) == 0)
+      return t[i].val;
+  
+  return -1;
+}
+
+char *option_string(unsigned int opt, unsigned char *val, int opt_len, char *buf, int buf_len)
+{
+  int o, i, j, nodecode = 0;
+  const struct opttab_t *ot = opttab;
+  char addrbuff[ADDRSTRLEN];
+  
+  for (o = 0; ot[o].name; o++)
+    if (ot[o].val == opt)
+      {
+	if (buf)
+	  {
+	    memset(buf, 0, buf_len);
+	    
+	    if (ot[o].size & OT_ADDR_LIST) 
+	      {
+		union all_addr addr;
+		int addr_len = INADDRSZ;
+
+		for (buf[0]= 0, i = 0; i <= opt_len - addr_len; i += addr_len) 
+		  {
+		    if (i != 0)
+		      strncat(buf, ", ", buf_len - strlen(buf));
+		    /* align */
+		    memcpy(&addr, &val[i], addr_len); 
+		    inet_ntop(AF_INET, &val[i], addrbuff, ADDRSTRLEN);
+		    strncat(buf, addrbuff, buf_len - strlen(buf));
+		  }
+	      }
+	    else if (ot[o].size & OT_NAME)
+		for (i = 0, j = 0; i < opt_len && j < buf_len ; i++)
+		  {
+		    char c = val[i];
+		    if (isprint((unsigned char)c))
+		      buf[j++] = c;
+		  }
+	    else if ((ot[o].size & (OT_DEC | OT_TIME)) && opt_len != 0)
+	      {
+		unsigned int dec = 0;
+		
+		for (i = 0; i < opt_len; i++)
+		  dec = (dec << 8) | val[i]; 
+
+		if (ot[o].size & OT_TIME)
+		  prettyprint_time(buf, dec);
+		else
+		  sprintf(buf, "%u", dec);
+	      }
+	    else
+	      nodecode = 1;
+	  }
+	break;
+      }
+
+  if (opt_len != 0 && buf && (!ot[o].name || nodecode))
+    {
+      int trunc  = 0;
+      if (opt_len > 14)
+	{
+	  trunc = 1;
+	  opt_len = 14;
+	}
+      print_mac(buf, val, opt_len);
+      if (trunc)
+	strncat(buf, "...", buf_len - strlen(buf));
+    
+
+    }
+
+  return ot[o].name ? ot[o].name : "";
+
+}
+
+static void prettyprint_time(char *buf, unsigned int t)
+{
+  if (t == 0xffffffff)
+    sprintf(buf, "infinite");
+  else
+    {
+      unsigned int x, p = 0;
+       if ((x = t/86400))
+	p += sprintf(&buf[p], "%ud", x);
+       if ((x = (t/3600)%24))
+	p += sprintf(&buf[p], "%uh", x);
+      if ((x = (t/60)%60))
+	p += sprintf(&buf[p], "%um", x);
+      if ((x = t%60))
+	sprintf(&buf[p], "%us", x);
+    }
+}
+
+static char *print_mac(char *buff, unsigned char *mac, int len)
+{
+  char *p = buff;
+  int i;
+   
+  if (len == 0)
+    sprintf(p, "<null>");
+  else
+    for (i = 0; i < len; i++)
+      p += sprintf(p, "%.2x%s", mac[i], (i == len - 1) ? "" : ":");
+  
+  return buff;
+}
+
+static unsigned char *dhcp_skip_opts(struct dhcp_packet_with_opts *pktp)
+{
+  unsigned char *start = (unsigned char *)(((unsigned int *)&pktp->options[0]) + 1);
+  while (*start != 0)
+    start += start[1] + 2;
+  return start;
+}
+
+static unsigned char *dhcp_find_opt(struct dhcp_packet_with_opts *pktp, int optno)
+{
+  unsigned char *start = (unsigned char *)(((unsigned int *)&pktp->options[0]) + 1);
+  while (*start != OPTION_END)
+    {
+      if (*start == optno)
+	return start;
+      start += start[1] + 2;
+    }
+
+  return NULL;
+}
+
+static void option_put(struct dhcp_packet_with_opts *pktp, int opt, int len, unsigned int val)
+{
+  int i;
+  unsigned char *p = dhcp_skip_opts(pktp);
+  
+  if (p) 
+    {
+      *p++ = opt;
+      *p++ = len;
+      for (i = 0; i < len; i++)
+      *(p++) = val >> (8 * (len - (i + 1)));
+    }
+}
+
+static void option_put_string(struct dhcp_packet_with_opts *pktp, int opt, 
+			      const char *string, int null_term)
+{
+  unsigned char *p;
+  size_t len = strlen(string);
+
+  if (null_term && len != 255)
+    len++;
+
+  if ((p = dhcp_skip_opts(pktp)))
+    {
+      *p++ = opt;
+      *p++ = len;
+      memcpy(p, string, len);
+    }
+}
+
+
+/* in may equal out, when maxlen may be -1 (No max len). 
+   Return -1 for extraneous no-hex chars found. */
+int parse_hex(char *in, unsigned char *out, int maxlen, 
+	      unsigned int *wildcard_mask, int *mac_type)
+{
+  int done = 0, mask = 0, i = 0;
+  char *r;
+    
+  if (mac_type)
+    *mac_type = 0;
+  
+  while (!done && (maxlen == -1 || i < maxlen))
+    {
+      for (r = in; *r != 0 && *r != ':' && *r != '-' && *r != ' '; r++)
+	if (*r != '*' && !isxdigit((unsigned char)*r))
+	  return -1;
+      
+      if (*r == 0)
+	done = 1;
+      
+      if (r != in )
+	{
+	  if (*r == '-' && i == 0 && mac_type)
+	   {
+	      *r = 0;
+	      *mac_type = strtol(in, NULL, 16);
+	      mac_type = NULL;
+	   }
+	  else
+	    {
+	      *r = 0;
+	      if (strcmp(in, "*") == 0)
+		{
+		  mask = (mask << 1) | 1;
+		  i++;
+		}
+	      else
+		{
+		  int j, bytes = (1 + (r - in))/2;
+		  for (j = 0; j < bytes; j++)
+		    { 
+		      char sav;
+		      if (j < bytes - 1)
+			{
+			  sav = in[(j+1)*2];
+			  in[(j+1)*2] = 0;
+			}
+		      /* checks above allow mix of hexdigit and *, which
+			 is illegal. */
+		      if (strchr(&in[j*2], '*'))
+			return -1;
+		      out[i] = strtol(&in[j*2], NULL, 16);
+		      mask = mask << 1;
+		      if (++i == maxlen)
+			break; 
+		      if (j < bytes - 1)
+			in[(j+1)*2] = sav;
+		    }
+		}
+	    }
+	}
+      in = r+1;
+    }
+  
+  if (wildcard_mask)
+    *wildcard_mask = mask;
+
+  return i;
+}
+
+static char *split_chr(char *s, char c)
+{
+  char *comma, *p;
+
+  if (!s || !(comma = strchr(s, c)))
+    return NULL;
+  
+  p = comma;
+  *comma = ' ';
+  
+  for (; *comma == ' '; comma++);
+  
+  for (; (p >= s) && *p == ' '; p--)
+    *p = 0;
+  
+  return comma;
+}
+
+static char *split(char *s)
+{
+  return split_chr(s, ',');
+}
+
+
+int main(int argc, char **argv)
+{
+  int fd;
+  struct ifreq ifr;
+  struct in_addr iface_addr, server_addr, lease_addr;
+  struct dhcp_packet_with_opts pkt;
+  struct sockaddr_in saddr;
+  unsigned char *p;
+  ssize_t sz;
+  unsigned char mac[DHCP_CHADDR_MAX], clid[256], req_options[256];
+  char buff[500];
+  int clid_len = 0, mac_len = 0, mac_type = 0, opts_len = 0;
+  unsigned short port = DHCP_SERVER_PORT;
+  unsigned int xid;
+  struct timeval tv;
+  
+  gettimeofday(&tv, NULL);
+  srand(tv.tv_usec);
+  xid = rand();
+  server_addr.s_addr = lease_addr.s_addr = iface_addr.s_addr = 0;
+  
+  if ((fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
+    {
+      perror("leasequery: cannot create socket");
+      exit(1);
+    }
+  
+  while (1)
+    {
+      int option = getopt(argc, argv, "i:s:l:m:c:p:r:");
+
+      if (option == -1)
+	break;
+      
+      switch (option) 
+	{
+	default:
+	  fprintf(stderr,
+		  "-p <port>             port on DHCP server.\n"
+		  "-i <interface>        exit interface to DHCP server.\n"
+		  "-s <inet-addr>        DHCP server address.\n"
+		  "-l <inet-addr>        Query lease by IP address.\n"
+		  "-m <MAC-addr>         Query lease by MAC address.\n"
+		  "-c <hex>              Query lease by client-id.\n"
+		  "-r <name>|<int>[,...] List of options to return.\n");
+	  exit(1);
+		  		  
+	case 'p':
+	  port = atoi(optarg);
+	  break;
+	  
+	case 'i':
+	  strncpy(ifr.ifr_name, optarg, IF_NAMESIZE);
+	   ifr.ifr_addr.sa_family = AF_INET;
+	   if (ioctl(fd, SIOCGIFADDR, &ifr) == -1)
+	    {
+	      perror("leasequery: cannot get interface address");
+	      exit(1);
+	    }
+
+	  iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	  break;
+
+	case 's':
+	  if (inet_pton(AF_INET, optarg, &server_addr) <= 0)
+	    {
+	      fprintf(stderr, "leasequery: bad server address\n");
+	      exit(1);
+	    }
+	  break;
+
+	case 'l':
+	  if (inet_pton(AF_INET, optarg, &lease_addr) <= 0)
+	    {
+	      fprintf(stderr, "leasequery: bad lease address\n");
+	      exit(1);
+	    }
+	  break;
+
+	case 'm':
+	  mac_type = 1; /* default ethernet */
+	  mac_len = parse_hex(optarg, mac, DHCP_CHADDR_MAX, NULL, &mac_type);
+	  if (!mac_type)
+	    mac_type  = 1; /* default ethernet */
+	  break;
+
+	case 'c':
+	  clid_len = parse_hex(optarg, clid, 256, NULL, NULL);
+	  break;
+
+	case 'r':
+	  {
+	    char *comma;
+	    int opt;
+	    
+	    while (optarg)
+	      {
+		comma = split(optarg);
+		
+		if ((opt = lookup_dhcp_opt(optarg)) != -1 || (opt = atoi(optarg)) != 0) 
+		  req_options[opts_len++] = opt;
+		
+		optarg = comma;
+	      }
+	    
+	    break;
+	  }
+	}
+    }
+
+  if (!server_addr.s_addr)
+    {
+      fprintf(stderr, "leasequery: no server address\n");
+      exit(1);
+    }
+    
+  memset(&pkt, 0, sizeof pkt);
+  pkt.header.op = BOOTREQUEST;
+  pkt.header.xid = xid;
+  pkt.header.ciaddr = lease_addr;
+  pkt.header.hlen = mac_len;
+  pkt.header.htype = mac_type;
+  memcpy(pkt.header.chaddr, mac, mac_len);
+  *((unsigned int *)&pkt.options[0]) = htonl(DHCP_COOKIE);
+
+  /* Dnsmasq extension. */
+  pkt.header.giaddr.s_addr = iface_addr.s_addr ? iface_addr.s_addr : INADDR_BROADCAST;
+    
+  option_put(&pkt, OPTION_MESSAGE_TYPE, 1, DHCPLEASEQUERY);
+  
+  if (clid_len != 0)
+    {
+      p = dhcp_skip_opts(&pkt);
+      *p++ = OPTION_CLIENT_ID;
+      *p++ = clid_len;
+      memcpy(p, clid, clid_len);
+    }
+  
+  if (opts_len != 0)
+    {
+      p = dhcp_skip_opts(&pkt); 
+      *p++ = OPTION_REQUESTED_OPTIONS;
+      *p++ = opts_len;
+      memcpy(p, req_options, opts_len);
+    }
+  
+  if (iface_addr.s_addr)
+    {
+      saddr.sin_family = AF_INET;
+      saddr.sin_port = htons(port);
+      saddr.sin_addr.s_addr = iface_addr.s_addr;
+      
+      if (bind(fd, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in)))
+	{
+	  perror("leasequery: cannot bind DHCP server socket");
+	  exit(1);
+	}
+    }
+	  
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(port);
+  saddr.sin_addr = server_addr;
+
+  while((sz = sendto(fd, &pkt, dhcp_skip_opts(&pkt) - ((unsigned char *)&pkt), 0, (struct sockaddr *)&saddr, sizeof(saddr))) == -1 &&
+	errno == EINTR);
+
+  if (sz == -1)
+    {
+      perror("leasequery: sendto()");
+      exit(1);
+    }
+  
+  sz = recv(fd, &pkt, sizeof(pkt), 0);
+
+  if (sz == -1)
+    {
+      perror("leasequery: recv()");
+      exit(1);
+    }
+  
+  if (sz >= sizeof(pkt.header) &&
+      pkt.header.op == BOOTREPLY &&
+      (p = dhcp_find_opt(&pkt, OPTION_MESSAGE_TYPE)) &&
+      pkt.header.xid == xid)
+    {
+      if (p[2] == DHCPLEASEUNASSIGNED)
+	printf("UNASSIGNED\n");
+      else if (p[2] == DHCPLEASEUNKNOWN)
+	printf("UNKNOWN\n");
+      else if (p[2] == DHCPLEASEACTIVE)
+	{
+	  print_mac(buff, pkt.header.chaddr, pkt.header.hlen);
+	  printf("ACTIVE %s %s\n", inet_ntoa(pkt.header.ciaddr), buff);
+      
+	  p = (unsigned char *)(((unsigned int *)&pkt.options[0]) + 1);
+	  
+	  while (*p != OPTION_END)
+	    {
+	      if (*p != OPTION_MESSAGE_TYPE)
+		{
+		  char *optname = option_string(p[0], option_ptr(p, 0), option_len(p), buff, 500);
+		  
+		  printf("size:%3d option:%3d %s  %s\n", option_len(p), p[0], optname, buff);
+		}
+	      p += p[1] + 2;
+	    }
+	}
+    }
+}
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -27,8 +27,8 @@

 # Replies which are not DNSSEC signed may be legitimate, because the domain
 # is unsigned, or may be forgeries. Setting this option tells dnsmasq to
-# check that an unsigned reply is OK, by finding a secure proof that a DS 
-# record somewhere between the root and the domain does not exist. 
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
 # The cost of setting this is that even queries in unsigned domains will need
 # one or more extra DNS queries to verify.
 #dnssec-check-unsigned
@@ -193,11 +193,11 @@
 #dhcp-range=1234::2, 1234::500, 64, 12h

 # Do Router Advertisements, BUT NOT DHCP for this subnet.
-#dhcp-range=1234::, ra-only 
+#dhcp-range=1234::, ra-only

 # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
-# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
-# hosts. Use the DHCPv4 lease to derive the name, network segment and 
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
 # MAC address and assume that the host will also have an
 # IPv6 address calculated using the SLAAC algorithm.
 #dhcp-range=1234::, ra-names
@@ -220,9 +220,9 @@
 #dhcp-range=1234::, ra-stateless, ra-names

 # Do router advertisements for all subnets where we're doing DHCPv6
-# Unless overridden by ra-stateless, ra-names, et al, the router 
+# Unless overridden by ra-stateless, ra-names, et al, the router
 # advertisements will have the M and O bits set, so that the clients
-# get addresses and configuration from DHCPv6, and the A bit reset, so the 
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
 # clients don't use SLAAC addresses.
 #enable-ra

@@ -295,11 +295,11 @@
 # any machine with Ethernet address starting 11:22:33:
 #dhcp-host=11:22:33:*:*:*,set:red

-# Give a fixed IPv6 address and name to client with 
+# Give a fixed IPv6 address and name to client with
 # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
 # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
 # Note also that the [] around the IPv6 address are obligatory.
-#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]

 # Ignore any clients which are not specified in dhcp-host lines
 # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
@@ -355,7 +355,7 @@
 # Send DHCPv6 option. Note [] around IPv6 addresses.
 #dhcp-option=option6:dns-server,[1234::77],[1234::88]

-# Send DHCPv6 option for namservers as the machine running 
+# Send DHCPv6 option for namservers as the machine running
 # dnsmasq and another.
 #dhcp-option=option6:dns-server,[::],[1234::88]

@@ -560,7 +560,7 @@
 # Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
 # In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
 # option with a DHCPACK including a Rapid Commit option and fully committed address
-# and configuration information. This must only be enabled if either the server is 
+# and configuration information. This must only be enabled if either the server is
 # the only server for the subnet, or multiple servers are present and they each
 # commit a binding for all clients.
 #dhcp-rapid-commit
--- a/doc.html
+++ b/doc.html
@@ -95,7 +95,5 @@ a contribution towards my expenses, please use the donation button below.
 <input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
 <img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
 </form>
-
-
 </BODY>
-
+</HTML>
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -673,7 +673,7 @@ machine on which dnsmasq is running) for each
 local machine. Local machines are those in /etc/hosts or with DHCP
 leases.
 .TP
-.B \-W, --srv-host=<_service>.<_prot>.[<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
+.B \-W, --srv-host=<_service>.<_prot>[.<domain>],[<target>[,<port>[,<priority>[,<weight>]]]]
 Return a SRV DNS record. See RFC2782 for details. If not supplied, the
 domain defaults to that given by
 .B --domain.
@@ -918,7 +918,7 @@ fast.

 Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used 
 .B --dnssec-check-unsigned
-to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
+to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possibility of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
 .TP
 .B --dnssec-no-timecheck
 DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
@@ -1197,7 +1197,7 @@ the appropriate network part inserted. For IPv6, an address may include a prefix
 which (in this case) specifies four addresses, 1234::50 to 1234::53. This (an the ability
 to specify multiple addresses) is useful
 when a host presents either a consistent name or hardware-ID, but varying DUIDs, since it allows
-dnsmasq to honour the static address allocation but assign a different adddress for each DUID. This
+dnsmasq to honour the static address allocation but assign a different address for each DUID. This
 typically occurs when chain netbooting, as each stage of the chain gets in turn allocates an address.

 Note that in IPv6 DHCP, the hardware address may not be
@@ -1347,7 +1347,7 @@ The special address 0.0.0.0 means "the address of the system running dnsmasq".

 An option without data is valid, and includes just the option without data.
 (There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
-provides default values can be ommitted by defining the option with no data. These are
+provides default values can be omitted by defining the option with no data. These are
 netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
 .B --dhcp-option = option:router
 will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
@@ -1438,6 +1438,18 @@ DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
 .TP
+.B --leasequery[=<addr>[/<prefix>]]
+Enable RFC 4388 leasequery. The dnsmasq DHCP server will answer LEASEQUERY messages from DHCP relays
+when this option is given. If an address or subnet is given, only queries from a relay at that source are allowed. Repeat
+the --leasequery option to specify multiple allowed sources.
+To correctly answer lease queries it is necessary to store extra data in
+the lease database, and this is also enabled by the \fB--leasequery\fP option. The extra fields
+(agent-info and vendorclass) are stored in the leases file in a somewhat backwards compatible manner.
+Enabling and then disabling leasequery will not cause problems; the extra information will be aged
+out of the database. However, enabling leasequery in release 2.92 or later, storing leases
+which come via DHCP relays which add option-82 agent-info data, and then moving back to a pre-2.92 dnsmasq
+binary may cause problems reading the leases file. As of release 2.92, leasequery is only supported for DHCPv4.
+.TP
 .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
 Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
@@ -1475,7 +1487,31 @@ DHCPv4 to a DHCPv6 server or vice-versa.
 The DHCP relay function for IPv6 includes the ability to snoop
 prefix-delegation from relayed DHCP transactions. See
 .B --dhcp-script
-for details. 
+for details.
+.TP
+.B --dhcp-split-relay=<local address>,[<server address>[#<server port>]],<server-facing-interface>|<server-facing-address>
+A usefully enhanced version of DHCPv4 relay. IPv4 DHCP normally uses a single address
+for two functions; it is used by the DHCP server to determine which network to allocate
+an address on, and it is used as the address of the relay to which the server sends packets.
+
+This version of DHCP relay splits these functions. It uses the address of the server-facing relay
+interface or a directly-specified address as the address that the server talks to. The address of the client-facing interface
+(the first item in the config) is used as to determine the client's subnet. The
+local address is also used as server-ID override so that the client always sends requests
+via the relay. The effect of this is that server doesn't require
+a route to the client network and the clients don't require a route to the server.
+
+The third parameter is mandatory. If it is an interface name it cannot be a wildcard and the same filtering as described in
+--dhcp-relay applies; answers from the server must arrve via the specified interface. If the third parameter
+is an IP address it must be an address of a local interface which is routable from the server; In this case no filtering
+is done, the reply packets can arrive via any route.
+
+If setting up a network where the client networks have limited routing, be careful
+about configuring the DHCP server. Dnsmasq, as DHCP server, will set the default route to the
+client-facing relay interface unless explicitly configured: that is a sensible default.
+The normal default DNS server (the same address as the DHCP server)
+will not be appropriate when there is no route bewteen the
+two, so this will have to be explicitly configured. 
 .TP
 .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
 Map from a vendor-class string to a tag. Most DHCP clients provide a 
@@ -1636,7 +1672,7 @@ likely to move IP address; for this reason it should not be generally used.
 .TP
 .B --dhcp-ignore-clid
 Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients
-(if available) to identify clients. This allow to serve same IP address
+(if available) to identify clients. This allow one to serve same IP address
 for a host using several interfaces. Use this option to disable 'client identifier'
 reading, i.e. to always identify a host using the MAC address.
 .TP
@@ -1727,7 +1763,9 @@ For DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP req
 unknown leases from unknown hosts are not ignored. This allows new hosts
 to get a lease without a tedious timeout under all circumstances. It also 
 allows dnsmasq to rebuild its lease database without each client needing to 
-reacquire a lease, if the database is lost. For DHCPv6 it sets the
+reacquire a lease, if the database is lost. For DHCPv6 it controls the same
+behaviour as DHCPv4 with missing leases (except for the RFC uncompliance - the
+DHCPv6 RFCs allow this behaviour if configured). It also sets the
 priority in replies to 255 (the maximum) instead of 0 (the minimum).
 .TP
 .B --dhcp-rapid-commit
@@ -1915,7 +1953,7 @@ was sent, and the complete pathname of the file.

 The "relay-snoop" action is invoked when dnsmasq is configured as a DHCP
 relay for DHCPv6 and it relays a prefx delegation to a client. The arguments
-are the name of the interface where the client is conected, its (link-local)
+are the name of the interface where the client is connected, its (link-local)
 address on that interface and the delegated prefix. This information is
 sufficient to install routes to the delegated prefix of a router. See
 .B --dhcp-relay
@@ -2266,7 +2304,7 @@ therein is updated when dnsmasq receives SIGHUP.
 .B \--conf-script=<file>[ <arg]
 Execute <file>, and treat what it emits to stdout as the contents of a configuration file.
 If the script exits with a non-zero exit code, dnsmasq treats this as a fatal error.
-The script can be passed arguments, space seperated from the filename and each other so, for instance
+The script can be passed arguments, space separated from the filename and each other so, for instance
 .B --conf-dir="/etc/dnsmasq-uncompress-ads /share/ads-domains.gz"

 with /etc/dnsmasq-uncompress-ads containing 
--- a/man/sv/dnsmasq.8
+++ b/man/sv/dnsmasq.8
--- a/po/de.po
+++ b/po/de.po
--- a/po/es.po
+++ b/po/es.po
--- a/po/fi.po
+++ b/po/fi.po
--- a/po/fr.po
+++ b/po/fr.po
--- a/po/id.po
+++ b/po/id.po
--- a/po/it.po
+++ b/po/it.po
--- a/po/ka.po
+++ b/po/ka.po
--- a/po/no.po
+++ b/po/no.po
--- a/po/pl.po
+++ b/po/pl.po
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ro.po
+++ b/po/ro.po
--- a/po/sv.po
+++ b/po/sv.po
--- a/setup.html
+++ b/setup.html
@@ -229,3 +229,5 @@ contents of the cache to the syslog.

 <P>For a complete listing of options please take a look at the manpage
 dnsmasq(8).
+</BODY>
+</HTML>
--- a/src/arp.c
+++ b/src/arp.c
@@ -111,22 +111,26 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)

 again:
  
-  /* If the database is less then INTERVAL old, look in there */
-  if (difftime(now, last) < INTERVAL)
+  /* If the database is less then INTERVAL old, look in there.
+     
+     If we're a child process, we always rely on the existing cache we
+     inherited from the parent, since we don't have a netlink socket.
+  */
+  if (difftime(now, last) < INTERVAL || daemon->pipe_to_parent != -1)
    {
      /* addr == NULL -> just make cache up-to-date */
      if (!addr)
 	return 0;
-
+	
      for (arp = arps; arp; arp = arp->next)
 	{
 	  if (addr->sa.sa_family != arp->family)
 	    continue;
-	    
+	  
 	  if (arp->family == AF_INET &&
 	      arp->addr.addr4.s_addr != addr->in.sin_addr.s_addr)
 	    continue;
-	    
+	  
 	  if (arp->family == AF_INET6 && 
 	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, &addr->in6.sin6_addr))
 	    continue;
@@ -141,6 +145,10 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	}
    }

+  /* Not in cache in child, no go. */
+  if (daemon->pipe_to_parent != -1)
+    return 0;
+  
  /* Not found, try the kernel */
  if (!updated)
     {
--- a/src/cache.c
+++ b/src/cache.c
@@ -102,6 +102,8 @@ static const struct {
  { 64,  "SVCB" }, /* Service Binding [draft-ietf-dnsop-svcb-https-00] SVCB/svcb-completed-template 2020-06-30*/
  { 65,  "HTTPS" }, /* HTTPS Binding [draft-ietf-dnsop-svcb-https-00] HTTPS/https-completed-template 2020-06-30*/
  { 66,  "DSYNC" }, /* Endpoint discovery for delegation synchronization [draft-ietf-dnsop-generalized-notify-03] DSYNC/dsync-completed-template 2024-12-10 */
+  { 67,  "HHIT" }, /* [draft-ietf-drip-registries-28] */
+  { 68,  "BRID" }, /* [draft-ietf-drip-registries-28] */
  { 99,  "SPF" }, /* [RFC7208] */
  { 100, "UINFO" }, /* [IANA-Reserved] */
  { 101, "UID" }, /* [IANA-Reserved] */
@@ -936,15 +938,14 @@ int cache_recv_insert(time_t now, int fd)
 		if (newc)
 		  {
 		    newc->addr.cname.is_name_ptr = 0;
+		    newc->addr.cname.target.cache = crecp;
 		    
-		    if (!crecp)
-		      newc->addr.cname.target.cache = NULL;
-		    else
+		    if (crecp)
 		      {
 			next_uid(crecp);
-			newc->addr.cname.target.cache = crecp;
 			newc->addr.cname.uid = crecp->uid;
 		      }
+		    crecp = newc;
 		  }
 	      }
 	    else
@@ -2358,6 +2359,8 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
    source = "reply";
  else if (flags & F_AUTH)
    source = "auth";
+  else if (flags & F_QUERY)
+    source = "query";
  else if (flags & F_SECSTAT)
    {
      if (addr && addr->log.ede != EDE_UNSET && option_bool(OPT_EXTRALOG))
@@ -2398,8 +2401,8 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
 	  source = "non-query opcode";
 	  name = opcodestring;
 	}
-      else if (!(flags & F_AUTH))
-	source = "query";
+      else if (type > 0)
+	source = querystr(source, type);
      
      verb = "from";
    }
--- a/src/config.h
+++ b/src/config.h
@@ -52,6 +52,8 @@
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
+#define TFTP_MAX_WINDOW 32 /* max window size to negotiate */
+#define TFTP_TRANSFER_TIME 120 /* Abandon TFTP transfers after this long. Two mins. */
 #define LOG_MAX 5 /* log-queue length */
 #define RANDFILE "/dev/urandom"
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
@@ -288,6 +290,7 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_BSD_NETWORK
 #define HAVE_GETOPT_LONG
 #define HAVE_SOCKADDR_SA_LEN
+#define NO_IPSET
 /* Define before sys/socket.h is included so we get socklen_t */
 #define _BSD_SOCKLEN_T_
 /* Select the RFC_3542 version of the IPv6 socket API. 
@@ -347,7 +350,6 @@ HAVE_SOCKADDR_SA_LEN
 #endif

 #if !defined(HAVE_LINUX_NETWORK)
-#undef HAVE_IPSET
 #undef HAVE_NFTSET
 #endif

@@ -355,6 +357,16 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_IPSET
 #endif

+#if defined(HAVE_IPSET)
+#  if defined(HAVE_LINUX_NETWORK)
+#    define HAVE_LINUX_IPSET
+#  elif defined(HAVE_BSD_NETWORK)
+#    define HAVE_BSD_IPSET
+#  else
+#    undef HAVE_IPSET
+#  endif
+#endif
+
 #ifdef NO_LOOP
 #undef HAVE_LOOP
 #endif
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -530,8 +530,8 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
  union all_addr addr;
  time_t now = dnsmasq_time();
  unsigned char dhcp_chaddr[DHCP_CHADDR_MAX];
-
  DBusMessageIter iter, array_iter;
+
  if (!dbus_message_iter_init(message, &iter))
    return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				  "Failed to initialize dbus message iter");
@@ -599,6 +599,10 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)

  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
    {
+      if (!daemon->dhcp)
+	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+				      "DHCPv4 not configured");
+      
      if (ia_id != 0 || is_temporary)
 	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				      "ia_id and is_temporary must be zero for IPv4 lease");
@@ -609,16 +613,25 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 #ifdef HAVE_DHCP6
  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
    {
+      if (!daemon->doing_dhcp6)
+	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+				      "DHCPv6 not configured");
+      
      if (!(lease = lease6_find_by_addr(&addr.addr6, 128, 0)))
 	lease = lease6_allocate(&addr.addr6,
 				is_temporary ? LEASE_TA : LEASE_NA);
-      lease_set_iaid(lease, ia_id);
+      if (lease)
+	lease_set_iaid(lease, ia_id);
    }
 #endif
  else
    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
 					 "Invalid IP address '%s'", ipaddr);
-   
+
+  if (!lease) 
+    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+					 "unable to allocate lease for IP address '%s'", ipaddr);
+  
  hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
  if (hw_len < 0)
    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
@@ -641,7 +654,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)

 static DBusMessage *dbus_del_lease(DBusMessage* message)
 {
-  struct dhcp_lease *lease;
+  struct dhcp_lease *lease = NULL;
  DBusMessageIter iter;
  const char *ipaddr;
  DBusMessage *reply;
@@ -659,10 +672,10 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
   
  dbus_message_iter_get_basic(&iter, &ipaddr);

-  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4) && daemon->dhcp)
    lease = lease_find_by_addr(addr.addr4);
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6) && daemon->doing_dhcp6)
    lease = lease6_find_by_addr(&addr.addr6, 128, 0);
 #endif
  else
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -701,13 +701,16 @@ static const struct opttab_t {
  { "user-class", 77, 0 },
  { "rapid-commit", 80, 0 },
  { "FQDN", 81, OT_INTERNAL },
-  { "agent-id", 82, OT_INTERNAL },
+  { "agent-info", 82, OT_INTERNAL },
+  { "last-transaction", 91, 4 | OT_TIME },
+  { "associated-ip", 92, OT_ADDR_LIST },
  { "client-arch", 93, 2 | OT_DEC },
  { "client-interface-id", 94, 0 },
  { "client-machine-id", 97, 0 },
  { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
  { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
-  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */ 
+  { "ipv6-only", 108, 4 | OT_DEC },  /* RFC 8925 */
+  { "captive-portal", 114, OT_NAME },  /* RFC 8910 */
  { "subnet-select", 118, OT_INTERNAL },
  { "domain-search", 119, OT_RFC1035_NAME },
  { "sip-server", 120, 0 },
@@ -749,6 +752,7 @@ static const struct opttab_t opttab6[] = {
  { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
  { "bootfile-url", 59, OT_NAME },
  { "bootfile-param", 60, OT_CSTRING },
+  { "captive-portal", 103, OT_NAME },  /* RFC 8910 */
  { NULL, 0, 0 }
 };
 #endif
@@ -1065,10 +1069,12 @@ void log_relay(int family, struct dhcp_relay *relay)
    {
      if (broadcast)
 	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s via %s"), daemon->addrbuff, relay->interface);
+      else if (relay->split_mode)
+	my_syslog(MS_DHCP | LOG_INFO, _("DHCP split-relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
      else
 	my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
    }
-  else
+  else 
    my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s"), daemon->addrbuff, daemon->namebuff);
 }
   
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -57,6 +57,8 @@
 #define OPTION_RAPID_COMMIT      80
 #define OPTION_CLIENT_FQDN       81
 #define OPTION_AGENT_ID          82
+#define OPTION_LAST_TRANSACTION  91
+#define OPTION_ASSOCIATED_IP     92
 #define OPTION_ARCH              93
 #define OPTION_PXE_UUID          97
 #define OPTION_SUBNET_SELECT     118
@@ -71,6 +73,7 @@
 #define SUBOPT_REMOTE_ID         2
 #define SUBOPT_SUBNET_SELECT     5     /* RFC 3527 */
 #define SUBOPT_SUBSCR_ID         6     /* RFC 3393 */
+#define SUBOPT_FLAGS             10    /* RFC 5010 */
 #define SUBOPT_SERVER_OR         11    /* RFC 5107 */

 #define SUBOPT_PXE_BOOT_ITEM     71    /* PXE standard */
@@ -87,6 +90,11 @@
 #define DHCPNAK                  6
 #define DHCPRELEASE              7
 #define DHCPINFORM               8
+#define DHCPFORCERENEW           9
+#define DHCPLEASEQUERY          10
+#define DHCPLEASEUNASSIGNED     11
+#define DHCPLEASEUNKNOWN        12
+#define DHCPLEASEACTIVE         13

 #define BRDBAND_FORUM_IANA       3561 /* Broadband forum IANA enterprise */

--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -32,8 +32,6 @@ static int complete_context(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam);
 static int check_listen_addrs(struct in_addr local, int if_index, char *label,
 			      struct in_addr netmask, struct in_addr broadcast, void *vparam);
-static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz);
-static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface);

 static int make_fd(int port)
 {
@@ -135,7 +133,7 @@ void dhcp_packet(time_t now, int pxe_fd)
  struct dhcp_packet *mess;
  struct dhcp_context *context;
  struct dhcp_relay *relay;
-  int is_relay_reply = 0;
+  int is_relay_reply = 0, is_relay_use_source = 0;
  struct iname *tmp;
  struct ifreq ifr;
  struct msghdr msg;
@@ -144,13 +142,14 @@ void dhcp_packet(time_t now, int pxe_fd)
  struct iovec iov;
  ssize_t sz; 
  int iface_index = 0, unicast_dest = 0, is_inform = 0, loopback = 0;
-  int rcvd_iface_index;
+  int rcvd_iface_index, relay_index;
  struct in_addr iface_addr;
  struct iface_param parm;
  time_t recvtime = now;
 #ifdef HAVE_LINUX_NETWORK
  struct arpreq arp_req;
  struct timeval tv;
+  struct in_addr dst_addr;
 #endif
  
  union {
@@ -176,13 +175,11 @@ void dhcp_packet(time_t now, int pxe_fd)
      (sz < (ssize_t)(sizeof(*mess) - sizeof(mess->options)))) 
    return;
  
-#ifdef HAVE_DUMPFILE
-  dump_packet_udp(DUMP_DHCP, (void *)daemon->dhcp_packet.iov_base, sz, (union mysockaddr *)&dest, NULL, fd);
-#endif
-  
 #if defined (HAVE_LINUX_NETWORK)
  if (ioctl(fd, SIOCGSTAMP, &tv) == 0)
    recvtime = tv.tv_sec;
+
+  dst_addr.s_addr = 0;
  
  if (msg.msg_controllen >= sizeof(struct cmsghdr))
    for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
@@ -194,7 +191,8 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  } p;
 	  p.c = CMSG_DATA(cmptr);
 	  iface_index = p.p->ipi_ifindex;
-	  if (p.p->ipi_addr.s_addr != INADDR_BROADCAST)
+	  dst_addr = p.p->ipi_addr; 
+	  if (dst_addr.s_addr != INADDR_BROADCAST)
 	    unicast_dest = 1;
 	}

@@ -224,12 +222,44 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  iface_index = *(p.i);
 	}
 #endif
-	
+
+#ifdef HAVE_DUMPFILE
+  union mysockaddr *sockp = NULL;
+  
+#  ifdef HAVE_LINUX_NETWORK
+  union mysockaddr tosock;
+  
+  sockp = &tosock;
+  tosock.in.sin_port = htons(daemon->dhcp_server_port);
+  tosock.in.sin_addr = dst_addr;
+  tosock.sa.sa_family = AF_INET;
+#    ifdef HAVE_SOCKADDR_SA_LEN
+  tosock.in.sin_len = sizeof(struct sockaddr_in);
+#    endif
+#  endif
+  
+  dump_packet_udp(DUMP_DHCP, (void *)daemon->dhcp_packet.iov_base, sz, (union mysockaddr *)&dest, sockp, -1);
+#endif
+  	
  if (!indextoname(daemon->dhcpfd, iface_index, ifr.ifr_name) ||
      ioctl(daemon->dhcpfd, SIOCGIFFLAGS, &ifr) != 0)
    return;
  
  mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
+  
+  /* Non-standard extension:
+     If giaddr == 255.255.255.255 we reply to the source
+     address in the request packet header. This makes
+     stand-alone leasequery clients easier, as they
+     can leave source address determination to the kernel.
+     In this case, set a flag and clear giaddr here,
+     to avoid massive relay confusion. */
+  if (mess->giaddr.s_addr == INADDR_BROADCAST)
+    {
+      mess->giaddr.s_addr = 0;
+      is_relay_use_source = 1;
+    }
+  
  loopback = !mess->giaddr.s_addr && (ifr.ifr_flags & IFF_LOOPBACK);
  
 #ifdef HAVE_LINUX_NETWORK
@@ -272,10 +302,10 @@ void dhcp_packet(time_t now, int pxe_fd)
    unicast_dest = 1;
 #endif
  
-  if ((relay = relay_reply4((struct dhcp_packet *)daemon->dhcp_packet.iov_base, ifr.ifr_name)))
+  if ((relay_index = relay_reply4((struct dhcp_packet *)daemon->dhcp_packet.iov_base, (size_t)sz, ifr.ifr_name)))
    {
      /* Reply from server, using us as relay. */
-      rcvd_iface_index = relay->iface_index;
+      rcvd_iface_index = relay_index;
      if (!indextoname(daemon->dhcpfd, rcvd_iface_index, ifr.ifr_name))
 	return;
      is_relay_reply = 1; 
@@ -300,9 +330,12 @@ void dhcp_packet(time_t now, int pxe_fd)
 	if (tmp->name && (tmp->flags & INAME_4) && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
      
-      /* unlinked contexts/relays are marked by context->current == context */
+      /* unlinked contexts are marked by context->current == context */
      for (context = daemon->dhcp; context; context = context->next)
 	context->current = context;
+
+      for (relay = daemon->relay4; relay; relay = relay->next)
+	relay->matchcount = 0;
      
      parm.current = NULL;
      parm.ind = iface_index;
@@ -330,15 +363,16 @@ void dhcp_packet(time_t now, int pxe_fd)
      if (!iface_enumerate(AF_INET, &parm, (callback_t){.af_inet=complete_context}))
 	return;

-      relay_upstream4(iface_index, mess, (size_t)sz);
+      relay_upstream4(iface_addr, iface_index, mess, (size_t)sz, unicast_dest);
       
      /* May have configured relay, but not DHCP server */
      if (!daemon->dhcp)
 	return;

      lease_prune(NULL, now); /* lose any expired leases */
-      iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, 
-			       now, unicast_dest, loopback, &is_inform, pxe_fd, iface_addr, recvtime);
+      iov.iov_len = dhcp_reply(parm.current, ifr.ifr_name, iface_index, (size_t)sz, now, unicast_dest,
+			       loopback, &is_inform, pxe_fd, iface_addr, recvtime,
+			       is_relay_use_source ? dest.sin_addr : mess->giaddr);
      lease_update_file(now);
      lease_update_dns(0);
      
@@ -365,11 +399,17 @@ void dhcp_packet(time_t now, int pxe_fd)
      if (mess->ciaddr.s_addr != 0)
 	dest.sin_addr = mess->ciaddr;
    }
-  else if (mess->giaddr.s_addr && !is_relay_reply)
+  if ((is_relay_use_source || mess->giaddr.s_addr) && !is_relay_reply)
    {
-      /* Send to BOOTP relay  */
-      dest.sin_port = htons(daemon->dhcp_server_port);
-      dest.sin_addr = mess->giaddr; 
+      /* Send to BOOTP relay. */
+      if (is_relay_use_source)
+	/* restore as-received value */
+	mess->giaddr.s_addr = INADDR_BROADCAST;
+      else
+	{
+	  dest.sin_addr = mess->giaddr;
+	  dest.sin_port = htons(daemon->dhcp_server_port);
+	}
    }
  else if (mess->ciaddr.s_addr)
    {
@@ -627,8 +667,19 @@ static int complete_context(struct in_addr local, int if_index, char *label,
    }

  for (relay = daemon->relay4; relay; relay = relay->next)
-    if (relay->local.addr4.s_addr == local.s_addr)
-      relay->iface_index = if_index;
+    if (!relay->split_mode && relay->local.addr4.s_addr == local.s_addr)
+      {
+	if (if_index == param->ind)
+	  relay->iface_index = if_index;
+	
+	/* More than one interface with the relay address breaks things. */
+	if (relay->matchcount++ == 1 && !relay->warned)
+	  {
+	    relay->warned = 1;
+	    inet_ntop(AF_INET, &local, daemon->addrbuff, ADDRSTRLEN);
+	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP relay address %s appears on more than one interface"), daemon->addrbuff);
+	  }
+      }
  
  return 1;
 }
@@ -645,7 +696,7 @@ struct dhcp_context *address_available(struct dhcp_context *context,
  struct dhcp_context *tmp;

  for (tmp = context; tmp; tmp = tmp->current)
-    if (taddr.s_addr == context->router.s_addr)
+    if (taddr.s_addr == tmp->router.s_addr)
      return NULL;
  
  for (tmp = context; tmp; tmp = tmp->current)
@@ -1070,122 +1121,4 @@ char *host_from_dns(struct in_addr addr)
  return NULL;
 }

-static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
-{
-  struct in_addr giaddr = mess->giaddr;
-  u8 hops = mess->hops;
-  struct dhcp_relay *relay;
-
-  if (mess->op != BOOTREQUEST)
-    return;
-
-  for (relay = daemon->relay4; relay; relay = relay->next)
-    if (relay->iface_index != 0 && relay->iface_index == iface_index)
-      break;
-
-  /* No relay config. */
-  if (!relay)
-    return;
-  
-  for (; relay; relay = relay->next)
-    if (relay->iface_index != 0 && relay->iface_index == iface_index)
-      {
-	union mysockaddr to;
-	union all_addr from;
-
-	mess->hops = hops;
-	mess->giaddr = giaddr;
-	
-	if ((mess->hops++) > 20)
-	  continue;
-	
-	/* source address == relay address */
-	from.addr4 = relay->local.addr4;
-
-	/* already gatewayed ? */
-	if (giaddr.s_addr)
-	  {
-	    /* if so check if by us, to stomp on loops. */
-	    if (giaddr.s_addr == relay->local.addr4.s_addr)
-	      continue;
-	  }
-	else
-	  {
-	    /* plug in our address */
-	    mess->giaddr.s_addr = relay->local.addr4.s_addr;
-	  }
-	
-	to.sa.sa_family = AF_INET;
-	to.in.sin_addr = relay->server.addr4;
-	to.in.sin_port = htons(relay->port);
-#ifdef HAVE_SOCKADDR_SA_LEN
-	to.in.sin_len = sizeof(struct sockaddr_in);
-#endif
-	
-	/* Broadcasting to server. */
-	if (relay->server.addr4.s_addr == 0)
-	  {
-	    struct ifreq ifr;
-	    
-	    if (relay->interface)
-	      safe_strncpy(ifr.ifr_name, relay->interface, IF_NAMESIZE);
-	    
-	    if (!relay->interface || strchr(relay->interface, '*') ||
-		ioctl(daemon->dhcpfd, SIOCGIFBRDADDR, &ifr) == -1)
-	      {
-		my_syslog(MS_DHCP | LOG_ERR, _("Cannot broadcast DHCP relay via interface %s"), relay->interface);
-		continue;
-	      }
-	    
-	    to.in.sin_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-	  }
-	
-#ifdef HAVE_DUMPFILE
-	{
-	  union mysockaddr fromsock;
-	  fromsock.in.sin_port = htons(daemon->dhcp_server_port);
-	  fromsock.in.sin_addr = from.addr4;
-	  fromsock.sa.sa_family = AF_INET;
-
-	  dump_packet_udp(DUMP_DHCP, (void *)mess, sz, &fromsock, &to, -1);
-	}
-#endif
-	
-	 send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
-	 
-	 if (option_bool(OPT_LOG_OPTS))
-	   {
-	     inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	     if (relay->server.addr4.s_addr == 0)
-	       snprintf(daemon->dhcp_buff2, DHCP_BUFF_SZ, _("broadcast via %s"), relay->interface);
-	     else
-	       inet_ntop(AF_INET, &relay->server.addr4, daemon->dhcp_buff2, DHCP_BUFF_SZ);
-	     my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay at %s -> %s"), daemon->addrbuff, daemon->dhcp_buff2);
-	   }
-      }
-  
-  /* restore in case of a local reply. */
-  mess->giaddr = giaddr;
-}
-
-
-static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface)
-{
-  struct dhcp_relay *relay;
-
-  if (mess->giaddr.s_addr == 0 || mess->op != BOOTREPLY)
-    return NULL;
-
-  for (relay = daemon->relay4; relay; relay = relay->next)
-    {
-      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
-	{
-	  if (!relay->interface || wildcard_match(relay->interface, arrival_interface))
-	    return relay->iface_index != 0 ? relay : NULL;
-	}
-    }
-  
-  return NULL;	 
-}     
-
 #endif
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -89,6 +89,7 @@ void dhcp6_init(void)
 void dhcp6_packet(time_t now)
 {
  struct dhcp_context *context;
+  struct dhcp_relay *relay;
  struct iface_param parm;
  struct cmsghdr *cmptr;
  struct msghdr msg;
@@ -176,6 +177,7 @@ void dhcp6_packet(time_t now)
  else
    {
      struct dhcp_bridge *bridge, *alias;
+      int multicast_dest = 0;
      
      for (tmp = daemon->if_except; tmp; tmp = tmp->next)
 	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
@@ -230,14 +232,24 @@ void dhcp6_packet(time_t now)
 	    context->current = context;
 	    memset(&context->local6, 0, IN6ADDRSZ);
 	  }
+
+      for (relay = daemon->relay6; relay; relay = relay->next)
+	relay->matchcount = 0;
+
+      inet_pton(AF_INET6, ALL_RELAY_AGENTS_AND_SERVERS, &all_servers);
+      if (IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers))
+	multicast_dest = 1;
      
-      /* Ignore requests sent to the ALL_SERVERS multicast address for relay when
-	 we're listening there for DHCPv6 server reasons. */
      inet_pton(AF_INET6, ALL_SERVERS, &all_servers);
-      
-      if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers) &&
-	  relay_upstream6(if_index, (size_t)sz, &from.sin6_addr, from.sin6_scope_id, now))
-	return;
+      if (IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers))
+	multicast_dest = 1;
+      else
+	{
+	  /* Ignore requests sent to the ALL_SERVERS multicast address for relay when
+	     we're listening there for DHCPv6 server reasons. */
+	  if (relay_upstream6(if_index, (size_t)sz, &from.sin6_addr, from.sin6_scope_id, now))
+	    return;
+	}
      
      if (!iface_enumerate(AF_INET6, &parm, (callback_t){.af_inet6=complete_context6}))
 	return;
@@ -266,7 +278,7 @@ void dhcp6_packet(time_t now)
      
      lease_prune(NULL, now); /* lose any expired leases */
      
-      port = dhcp6_reply(parm.current, if_index, ifr.ifr_name, &parm.fallback, 
+      port = dhcp6_reply(parm.current, multicast_dest, if_index, ifr.ifr_name, &parm.fallback, 
 			 &parm.ll_addr, &parm.ula_addr, sz, &from.sin6_addr, now);
      
      /* The port in the source address of the original request should
@@ -444,7 +456,17 @@ static int complete_context6(struct in6_addr *local,  int prefix,
  if (match)
    for (relay = daemon->relay6; relay; relay = relay->next)
      if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr6))
-	relay->iface_index = if_index;
+	{
+	  relay->iface_index = if_index;
+
+	  /* More than one interface with the relay address breaks things. */
+	  if (relay->matchcount++ == 1 && !relay->warned)
+	    {
+	      relay->warned = 1;
+	      inet_ntop(AF_INET6, &local, daemon->addrbuff, ADDRSTRLEN);
+	      my_syslog(MS_DHCP | LOG_WARNING, _("DHCP relay address %s appears on more than one interface"), daemon->addrbuff);
+	    }
+	}
  
  return 1;
 }
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -30,7 +30,9 @@ static volatile pid_t pid = 0;
 static volatile int pipewrite;

 static void set_dns_listeners(void);
+#ifdef HAVE_TFTP
 static void set_tftp_listeners(void);
+#endif
 static void check_dns_listeners(time_t now);
 static void do_tcp_connection(struct listener *listener, time_t now, int slot);
 static void sig_handler(int sig);
@@ -62,14 +64,16 @@ int main (int argc, char **argv)
  int need_cap_net_raw = 0;
  int need_cap_net_bind_service = 0;
  int have_cap_chown = 0;
+#  ifdef HAVE_DHCP
  char *bound_device = NULL;
  int did_bind = 0;
+#  endif
  struct server *serv;
  char *netlink_warn;
 #else
  int bind_fallback = 0;
 #endif 
-#if defined(HAVE_DHCP) || defined(HAVE_DHCP6)
+#if defined(HAVE_DHCP)
  struct dhcp_context *context;
  struct dhcp_relay *relay;
 #endif
@@ -77,6 +81,10 @@ int main (int argc, char **argv)
  int tftp_prefix_missing = 0;
 #endif

+#ifdef HAVE_LINUX_NETWORK
+  (void)netlink_warn;
+#endif
+  
 #if defined(HAVE_IDN) || defined(HAVE_LIBIDN2) || defined(LOCALEDIR)
  setlocale(LC_ALL, "");
 #endif
@@ -119,6 +127,7 @@ int main (int argc, char **argv)
     This might be increased is EDNS packet size if greater than the minimum. */ 
  daemon->packet_buff_sz = daemon->edns_pktsz + MAXDNAME + RRFIXEDSZ;
  daemon->packet = safe_malloc(daemon->packet_buff_sz);
+  daemon->pipe_to_parent = -1;
  
  if (option_bool(OPT_EXTRALOG))
    daemon->addrbuff2 = safe_malloc(ADDRSTRLEN);
@@ -1072,8 +1081,6 @@ int main (int argc, char **argv)
  
  pid = getpid();

-  daemon->pipe_to_parent = -1;
-
 #ifdef HAVE_INOTIFY
  /* Using inotify, have to select a resolv file at startup */
  poll_resolv(1, 0, now);
@@ -1769,9 +1776,9 @@ void clear_cache_and_reload(time_t now)
 #ifdef HAVE_DHCP
  if (daemon->dhcp || daemon->doing_dhcp6)
    {
+      reread_dhcp();
      if (option_bool(OPT_ETHERS))
 	dhcp_read_ethers();
-      reread_dhcp();
      dhcp_update_configs(daemon->dhcp_conf);
      lease_update_from_configs(); 
      lease_update_file(now); 
@@ -1939,11 +1946,14 @@ static void do_tcp_connection(struct listener *listener, time_t now, int slot)
  pid_t p;
  union mysockaddr tcp_addr;
  socklen_t tcp_len = sizeof(union mysockaddr);
-  unsigned char a = 0, *buff;
+  unsigned char *buff;
  struct server *s; 
  int flags, auth_dns;
  struct in_addr netmask;
  int pipefd[2];
+#ifdef HAVE_LINUX_NETWORK
+  unsigned char a = 0;
+#endif

  while ((confd = accept(listener->tcpfd, NULL, NULL)) == -1 && errno == EINTR);
  
@@ -2022,9 +2032,24 @@ static void do_tcp_connection(struct listener *listener, time_t now, int slot)
  
  if (!option_bool(OPT_DEBUG))
    {
+      /* The code in edns0.c qthat decorates queries with the source MAC address depends
+	 on the code in arp.c, which populates a cache with the contents of the ARP table
+	 using netlink. Since the child process can't use netlink, we pre-populate
+	 the cache with the ARP table entry for our source here, including a negative entry
+	 if there is nothing for our address in the ARP table.
+	 
+	 When the edns0 code calls find_mac() in the child process, it will
+	 get the correct answer from the cache inherited from the parent
+	 without having to use netlink to consult the kernel ARP table.
+
+	 edns0_needs_mac() simply calls find_mac if any EDNS0 options
+	 which need a MAC address are enabled. */
+      
+      edns0_needs_mac(&tcp_addr, now);
+
      if (pipe(pipefd) == -1)
 	goto closeconandreturn; /* pipe failed */
-            
+
      if ((p = fork()) == -1)
 	{
 	  /* fork failed */
@@ -2052,7 +2077,7 @@ static void do_tcp_connection(struct listener *listener, time_t now, int slot)
 	     single byte comes back up the pipe, which
 	     is sent by the child after it has closed the
 	     netlink socket. */
-	  
+
 	  read_write(pipefd[0], &a, 1, RW_READ);
 #endif
 	  
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -48,6 +48,12 @@
 #define ATTRIBUTE_NORETURN
 #endif

+#if __GNUC__ + 0 >= 8 // clang 20.1.0 does not yet support this
+#define ATTRIBUTE_NONSTRING __attribute__ ((nonstring))
+#else
+#define ATTRIBUTE_NONSTRING
+#endif
+
 /* get these before config.h  for IPv6 stuff... */
 #include <sys/types.h> 
 #include <sys/socket.h>
@@ -282,7 +288,8 @@ struct event_desc {
 #define OPT_NO_0x20        74
 #define OPT_DO_0x20        75
 #define OPT_AUTH_LOG       76
-#define OPT_LAST           77
+#define OPT_LEASEQUERY     77
+#define OPT_LAST           78

 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -864,6 +871,8 @@ struct dhcp_lease {
  int last_interface;
  int new_interface;     /* save possible originated interface */
  int new_prefixlen;     /* and its prefix length */
+  unsigned char *agent_id, *vendorclass;
+  int agent_id_len, vendorclass_len;
 #ifdef HAVE_DHCP6
  struct in6_addr addr6;
  unsigned int iaid;
@@ -1100,7 +1109,7 @@ struct ping_result {

 struct tftp_file {
  int refcount, fd;
-  off_t size;
+  off_t size, posn;
  dev_t dev;
  ino_t inode;
  char filename[];
@@ -1108,14 +1117,14 @@ struct tftp_file {

 struct tftp_transfer {
  int sockfd;
-  time_t timeout;
-  int backoff;
-  unsigned int block, blocksize, expansion;
+  u16 block_hi, ackprev;
+  time_t retransmit, start;
+  unsigned int lastack, block, blocksize, windowsize, timeout, expansion;
  off_t offset;
  union mysockaddr peer;
  union all_addr source;
  int if_index;
-  char opt_blocksize, opt_transize, netascii, carrylf;
+  unsigned char opt_blocksize, opt_transize, opt_windowsize, opt_timeout, netascii, carrylf, lastcarrylf, backoff;
  struct tftp_file *file;
  struct tftp_transfer *next;
 };
@@ -1136,10 +1145,12 @@ struct dhcp_relay {
  union {
    struct in_addr addr4;
    struct in6_addr addr6;
-  } local, server;
+  } local, server, uplink;
  char *interface; /* Allowable interface for replies from server, and dest for IPv6 multicast */
  int iface_index; /* working - interface in which requests arrived, for return */
  int port;        /* Port of relay we forward to. */
+  int split_mode;  /* Split address allocation and relay address. */
+  int warned, matchcount;
 #ifdef HAVE_SCRIPT
  struct snoop_record {
    struct in6_addr client, prefix;
@@ -1183,7 +1194,7 @@ extern struct daemon {
  char *runfile; 
  char *lease_change_command;
  struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces;
-  struct bogus_addr *bogus_addr, *ignore_addr;
+  struct bogus_addr *bogus_addr, *ignore_addr, *leasequery_addr;
  struct server *servers, *servers_tail, *local_domains, **serverarray;
  struct rebind_domain *no_rebind;
  int server_has_wildcard;
@@ -1267,7 +1278,7 @@ extern struct daemon {
  struct serverfd *sfds;
  struct irec *interfaces;
  struct listener *listeners;
-  struct server *srv_save; /* Used for resend on DoD */
+  void *srv_save;      /* Used for resend on DoD and tftp prefetch */
  size_t packet_len;       /*      "        "        */
  int    fd_save;          /*      "        "        */
  pid_t *tcp_pids;
@@ -1410,7 +1421,7 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
 			     unsigned short *typep, unsigned short *classp);
 void setup_reply(struct dns_header *header, unsigned int flags, int ede);
 int extract_addresses(struct dns_header *header, size_t qlen, char *name,
-		      time_t now, struct ipsets *ipsets, struct ipsets *nftsets, int is_sign,
+		      time_t now, struct ipsets *ipsets, struct ipsets *nftsets,
                      int check_rebind, int no_cache_dnssec, int secure);
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
 void report_addresses(struct dns_header *header, size_t len, u32 mark);
@@ -1619,6 +1630,7 @@ void lease6_reset(void);
 struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type,
 					 unsigned char *clid, int clid_len, unsigned int iaid);
 struct dhcp_lease *lease6_find_by_addr(struct in6_addr *net, int prefix, u64 addr);
+struct dhcp_lease *lease6_find_by_plain_addr(struct in6_addr *addr);
 u64 lease_find_max_addr6(struct dhcp_context *context);
 void lease_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface);
 void lease_update_slaac(time_t now);
@@ -1631,6 +1643,8 @@ void lease_set_hwaddr(struct dhcp_lease *lease, const unsigned char *hwaddr,
 void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, char *domain, char *config_domain);
 void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now);
 void lease_set_interface(struct dhcp_lease *lease, int interface, time_t now);
+void lease_set_agent_id(struct dhcp_lease *lease, unsigned char *new, int len);
+void lease_set_vendorclass(struct dhcp_lease *lease, unsigned char *new, int len);
 struct dhcp_lease *lease_find_by_client(unsigned char *hwaddr, int hw_len, int hw_type,  
 					unsigned char *clid, int clid_len);
 struct dhcp_lease *lease_find_by_addr(struct in_addr addr);
@@ -1651,9 +1665,13 @@ void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data,
 #ifdef HAVE_DHCP
 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  size_t sz, time_t now, int unicast_dest, int loopback,
-		  int *is_inform, int pxe, struct in_addr fallback, time_t recvtime);
+		  int *is_inform, int pxe, struct in_addr fallback,
+		  time_t recvtime, struct in_addr leasequery_source);
 unsigned char *extended_hwaddr(int hwtype, int hwlen, unsigned char *hwaddr, 
 			       int clid_len, unsigned char *clid, int *len_out);
+void relay_upstream4(struct in_addr iface_addr, int iface_index,
+		     struct dhcp_packet *mess, size_t sz, int unicast);
+unsigned int relay_reply4(struct dhcp_packet *mess, size_t sz, char *arrival_interface);
 #endif

 /* dnsmasq.c */
@@ -1755,7 +1773,6 @@ void queue_relay_snoop(struct in6_addr *client, int if_index, struct in6_addr *p

 /* tftp.c */
 #ifdef HAVE_TFTP
-void tftp_request(struct listener *listen, time_t now);
 void check_tftp_listeners(time_t now);
 int do_tftp_script_run(void);
 #endif
@@ -1790,7 +1807,7 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac,
  
 /* rfc3315.c */
 #ifdef HAVE_DHCP6
-unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *iface_name,  
+unsigned short dhcp6_reply(struct dhcp_context *context, int multicast_dest, int interface, char *iface_name,  
 			   struct in6_addr *fallback, struct in6_addr *ll_addr, struct in6_addr *ula_addr,
 			   size_t sz, struct in6_addr *client_addr, time_t now);
 int relay_upstream6(int iface_index, ssize_t sz, struct in6_addr *peer_address, 
@@ -1901,6 +1918,7 @@ unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
 size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
 			int optno, unsigned char *opt, size_t optlen, int set_do, int replace);
 size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit);
+void edns0_needs_mac(union mysockaddr *addr, time_t now);
 size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
 			union mysockaddr *source, time_t now, int *cacheable);
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer);
@@ -1927,7 +1945,7 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 			 char *name, char *limit, int first, int last, int ede);
 int server_samegroup(struct server *a, struct server *b);
 #ifdef HAVE_DNSSEC
-int dnssec_server(struct server *server, char *keyname, int *firstp, int *lastp);
+int dnssec_server(struct server *server, char *keyname, int is_ds, int *firstp, int *lastp);
 #endif
 void mark_servers(int flag);
 void cleanup_servers(void);
--- a/src/domain-match.c
+++ b/src/domain-match.c
@@ -95,6 +95,7 @@ void build_server_array(void)

   A flag of F_SERVER returns an upstream server only.
   A flag of F_DNSSECOK disables NODOTS servers from consideration.
+   A flag of F_DS returns parent domain server.
   A flag of F_DOMAINSRV returns a domain-specific server only.
   A flag of F_CONFIG returns anything that generates a local
   reply of IPv4 or IPV6.
@@ -106,12 +107,23 @@ int lookup_domain(char *domain, int flags, int *lowout, int *highout)
  ssize_t qlen;
  int try, high, low = 0;
  int nlow = 0, nhigh = 0;
-  char *cp, *qdomain = domain;
-
+  char *cp, *qdomain;
+  
  /* may be no configured servers. */
  if (daemon->serverarraysz == 0)
    return 0;
+
+  /* DS records should come from the parent domain. */
+  if (flags & F_DS)
+    {
+      if ((cp = strchr(domain, '.')))
+	domain = cp+1;
+      else
+	domain = "";
+    }
  
+  qdomain = domain;
+
  /* find query length and presence of '.' */
  for (cp = qdomain, nodots = 1, qlen = 0; *cp; qlen++, cp++)
    if (*cp == '.')
@@ -244,7 +256,10 @@ int lookup_domain(char *domain, int flags, int *lowout, int *highout)
  if (nodots &&
      (daemon->serverarray[daemon->serverarraysz-1]->flags & SERV_FOR_NODOTS) &&
      (nlow == nhigh || daemon->serverarray[nlow]->domain_len == 0))
-    filter_servers(daemon->serverarraysz-1, flags, &nlow, &nhigh);
+    {
+      filter_servers(daemon->serverarraysz-1, flags, &nlow, &nhigh);
+      qlen = 0;
+    }
  
  if (lowout)
    *lowout = nlow;
@@ -343,10 +358,9 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
 		      else
 			{
 			  /* If we want a server for a particular domain, and this one isn't, return nothing. */
-			  if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
+			  if (nlow < daemon->serverarraysz && nlow != nhigh && (flags & F_DOMAINSRV) &&
+			      daemon->serverarray[nlow]->domain_len == 0 && !(daemon->serverarray[nlow]->flags & SERV_FOR_NODOTS))
 			    nlow = nhigh;
-			  else
-			    nlow = i;
 			}
 		    }
 		}
@@ -401,7 +415,7 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
  
  setup_reply(header, flags, ede);

-  gotname &= ~F_QUERY;
+  gotname &= ~(F_QUERY | F_DS);
  
  if (flags & (F_NXDOMAIN | F_NOERR))
    log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL, 0);
@@ -461,14 +475,14 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 }

 #ifdef HAVE_DNSSEC
-int dnssec_server(struct server *server, char *keyname, int *firstp, int *lastp)
+int dnssec_server(struct server *server, char *keyname, int is_ds, int *firstp, int *lastp)
 {
  int first, last, index;
-
+  
  /* Find server to send DNSSEC query to. This will normally be the 
     same as for the original query, but may be another if
     servers for domains are involved. */		      
-  if (!lookup_domain(keyname, F_SERVER | F_DNSSECOK, &first, &last))
+  if (!lookup_domain(keyname, F_SERVER | F_DNSSECOK | (is_ds ? F_DS : 0), &first, &last))
    return -1;

  for (index = first; index != last; index++)
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -265,6 +265,15 @@ static void encoder(unsigned char *in, char *out)
  out[3] = char64(in[2]);
 }

+/* This function needs to call find_mac if any option which requires a MAC address is enabled
+   and used below. If you add a new MAC consumer, modify this, otherwise your
+   new EDNS0 option won't work in TCP mode. */
+void edns0_needs_mac(union mysockaddr *addr, time_t now)
+{
+  if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX) || option_bool(OPT_ADD_MAC))
+    find_mac(addr, NULL, 0, now);
+}
+
 /* OPT_ADD_MAC = MAC is added (if available)
   OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed
   OPT_STRIP_MAC = MAC is removed */
@@ -494,7 +503,7 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
 #define UMBRELLA_DEVICESZ   sizeof(daemon->umbrella_device)

 struct umbrella_opt {
-  u8 magic[4];
+  u8 magic[4] ATTRIBUTE_NONSTRING;
  u8 version;
  u8 flags;
  /* We have 4 possible fields since we'll never send both IPv4 and
@@ -562,3 +571,4 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l

  return plen;
 }
+
--- a/src/forward.c
+++ b/src/forward.c
@@ -17,7 +17,7 @@
 #include "dnsmasq.h"

 static struct frec *get_new_frec(time_t now, struct server *serv, int force);
-static struct frec *lookup_frec(char *target, int class, int rrtype, int id, int flags, int flagmask);
+static struct frec *lookup_frec(time_t now, char *target, int class, int rrtype, int id, int flags, int flagmask);
 #ifdef HAVE_DNSSEC
 static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, 
 			   int class, char *name, char *keyname, struct server *server, 
@@ -192,7 +192,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
      old_reply = 1;
      fwd_flags = forward->flags;
    }
-  else if (gotname && (forward = lookup_frec(daemon->namebuff, (int)rrclass, (int)rrtype, -1, fwd_flags,
+  else if (gotname && (forward = lookup_frec(now, daemon->namebuff, (int)rrclass, (int)rrtype, -1, fwd_flags,
 					     FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION |
 					     FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE)))
    {
@@ -670,6 +670,7 @@ int fast_retry(time_t now)
  return ret;
 }

+#if defined(HAVE_IPSET) || defined(HAVE_NFTSET)
 static struct ipsets *domain_find_sets(struct ipsets *setlist, const char *domain) {
  /* Similar algorithm to search_servers. */
  struct ipsets *ipset_pos, *ret = NULL;
@@ -690,6 +691,7 @@ static struct ipsets *domain_find_sets(struct ipsets *setlist, const char *domai

  return ret;
 }
+#endif

 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, 
 			    int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader, 
@@ -761,6 +763,16 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
  if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
     header->hb4 &= ~HB4_AD;

+  /* Complain loudly if the upstream server is non-recursive. */
+  if (!(header->hb4 & HB4_RA) && rcode == NOERROR &&
+      server && !(server->flags & SERV_WARNED_RECURSIVE))
+    {
+      (void)prettyprint_addr(&server->addr, daemon->namebuff);
+      my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
+      if (!option_bool(OPT_LOG))
+	server->flags |= SERV_WARNED_RECURSIVE;
+    }  
+
  header->hb4 |= HB4_RA; /* recursion if available */

  if (OPCODE(header) != QUERY)
@@ -776,16 +788,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
      return resize_packet(header, n, pheader, plen);
    }
  
-  /* Complain loudly if the upstream server is non-recursive. */
-  if (!(header->hb4 & HB4_RA) && rcode == NOERROR &&
-      server && !(server->flags & SERV_WARNED_RECURSIVE))
-    {
-      (void)prettyprint_addr(&server->addr, daemon->namebuff);
-      my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
-      if (!option_bool(OPT_LOG))
-	server->flags |= SERV_WARNED_RECURSIVE;
-    }  
-
  if (header->hb3 & HB3_TC)
    log_query(F_UPSTREAM, NULL, NULL, "truncated", 0);
  else if (!bogusanswer || (header->hb4 & HB4_CD))
@@ -819,7 +821,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	}
      else
 	{
-	  int rc = extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure);
+	  int rc = extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, check_rebind, no_cache, cache_secure);

 	  if (rc != 0)
 	    {
@@ -978,7 +980,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 	  unsigned int flags = STAT_ISEQUAL(status, STAT_NEED_KEY) ? FREC_DNSKEY_QUERY : FREC_DS_QUERY;
 	  struct frec *old;
 	  
-	  if ((old = lookup_frec(daemon->keyname, forward->class, -1, -1, flags, flags)))
+	  if ((old = lookup_frec(now, daemon->keyname, forward->class, -1, -1, flags, flags)))
 	    {
 	      /* This is tricky; it detects loops in the dependency
 		 graph for DNSSEC validation, say validating A requires DS B
@@ -1022,7 +1024,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 	     	      
 	      /* Make sure we don't expire and free the orig frec during the
 		 allocation of a new one: third arg of get_new_frec() does that. */
-	      if ((serverind = dnssec_server(forward->sentto, daemon->keyname, NULL, NULL)) != -1 &&
+	      if ((serverind = dnssec_server(forward->sentto, daemon->keyname, STAT_ISEQUAL(status, STAT_NEED_DS), NULL, NULL)) != -1 &&
 		  (server = daemon->serverarray[serverind]) &&
 		  (nn = dnssec_generate_query(header, ((unsigned char *) header) + daemon->edns_pktsz,
 					      daemon->keyname, forward->class, get_id(),
@@ -1168,7 +1170,7 @@ void reply_query(int fd, time_t now)
  GETSHORT(rrtype, p); 
  GETSHORT(class, p);

-  if (!(forward = lookup_frec(daemon->namebuff, class, rrtype, ntohs(header->id), FREC_ANSWER, 0)))
+  if (!(forward = lookup_frec(now, daemon->namebuff, class, rrtype, ntohs(header->id), FREC_ANSWER, 0)))
    return;

  filter_servers(forward->sentto->arrayposn, F_SERVER, &first, &last);
@@ -2197,7 +2199,7 @@ int tcp_from_udp(time_t now, int status, struct dns_header *header, ssize_t *ple
  first = start = server->arrayposn;
  last = first + 1;
  
-  if (!STAT_ISEQUAL(status, STAT_OK) && (start = dnssec_server(server, name, &first, &last)) == -1)
+  if (!STAT_ISEQUAL(status, STAT_OK) && (start = dnssec_server(server, name, STAT_ISEQUAL(status, STAT_NEED_DS), &first, &last)) == -1)
    new_status = STAT_ABANDONED;
  else
    {
@@ -2305,7 +2307,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
      m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, 0,
 				STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? T_DNSKEY : T_DS);
      
-      if ((start = dnssec_server(server, keyname, &first, &last)) == -1)
+      if ((start = dnssec_server(server, keyname, STAT_ISEQUAL(new_status, STAT_NEED_DS), &first, &last)) == -1)
 	{
 	  new_status = STAT_ABANDONED;
 	  break;
@@ -3104,7 +3106,7 @@ static void free_frec(struct frec *f)
 /* Impose an absolute
   limit of 4*TIMEOUT before we wipe things (for random sockets).
   If force is set, always return a result, even if we have
-   to allocate above the limit, and don'y free any records.
+   to allocate above the limit, and don't free any records.
   This is set when allocating for DNSSEC to avoid cutting off
   the branch we are sitting on. */
 static struct frec *get_new_frec(time_t now, struct server *master, int force)
@@ -3126,36 +3128,40 @@ static struct frec *get_new_frec(time_t now, struct server *master, int force)
 	  /* Don't free DNSSEC sub-queries here, as we may end up with
 	     dangling references to them. They'll go when their "real" query 
 	     is freed. */
-	  if (!f->dependent && !force)
+	  if (!f->dependent)
 #endif
-	    {
-	      if (difftime(now, f->time) >= 4*TIMEOUT)
-		{
-		  daemon->metrics[METRIC_DNS_UNANSWERED_QUERY]++;
-		  free_frec(f);
-		  target = f;
-		}
-	      else if (!oldest || difftime(f->time, oldest->time) <= 0)
-		oldest = f;
-	    }
+	    if (!force)
+	      {
+		if (difftime(now, f->time) >= 4*TIMEOUT)
+		  {
+		    daemon->metrics[METRIC_DNS_UNANSWERED_QUERY]++;
+		    free_frec(f);
+		    target = f;
+		  }
+		else if (!oldest || difftime(f->time, oldest->time) <= 0)
+		  oldest = f;
+	      }
 	}
      
      if (f->sentto && ((int)difftime(now, f->time)) < TIMEOUT && server_samegroup(f->sentto, master))
 	count++;
    }
-
-  if (!force && count >= daemon->ftabsize)
-    {
-      query_full(now, master->domain);
-      return NULL;
-    }
  
-  if (!target && oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
-    { 
-      /* can't find empty one, use oldest if there is one and it's older than timeout */
-      daemon->metrics[METRIC_DNS_UNANSWERED_QUERY]++;
-      free_frec(oldest);
-      target = oldest;
+  if (!force)
+    {
+      if (count >= daemon->ftabsize)
+	{
+	  query_full(now, master->domain);
+	  return NULL;
+	}
+      
+      if (!target && oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
+	{ 
+	  /* can't find empty one, use oldest if there is one and it's older than timeout */
+	  daemon->metrics[METRIC_DNS_UNANSWERED_QUERY]++;
+	  free_frec(oldest);
+	  target = oldest;
+	}      
    }
  
  if (!target && (target = (struct frec *)whine_malloc(sizeof(struct frec))))
@@ -3190,7 +3196,7 @@ static void query_full(time_t now, char *domain)
    }
 }

-static struct frec *lookup_frec(char *target, int class, int rrtype, int id, int flags, int flagmask)
+static struct frec *lookup_frec(time_t now, char *target, int class, int rrtype, int id, int flags, int flagmask)
 {
  struct frec *f;
  struct dns_header *header;
@@ -3240,7 +3246,14 @@ static struct frec *lookup_frec(char *target, int class, int rrtype, int id, int
 	    
 	    continue;
 	  }
-		
+
+	/* frecs older than this will get garbage-collected in
+	   get_new_frec(), so don't return them here, so we have
+	   consistent behaviour from an idle dnsmasq which
+	   is not calling get_new_frec() often. */
+	if (difftime(now, f->time) >= 4*TIMEOUT)
+	  return NULL;
+	
 	return f;
      }
  
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -133,29 +133,44 @@ void inotify_dnsmasq_init()
    }
 }

-static struct hostsfile *dyndir_addhosts(struct dyndir *dd, char *path)
+static struct hostsfile *dyndir_addhosts(struct dyndir *dd, char *file)
 {
  /* Check if this file is already known in dd->files */
-  struct hostsfile *ah = NULL;
-  for(ah = dd->files; ah; ah = ah->next)
-    if(ah && ah->fname && strcmp(path, ah->fname) == 0)
+  struct hostsfile *ah;
+  size_t dirlen = strlen(dd->dname);
+  
+  /* ah->fname always starts with the string in dd->dname */
+  for (ah = dd->files; ah; ah = ah->next)
+    if (ah->fname[dirlen] == '/' &&
+        strcmp(&ah->fname[dirlen+1], file) == 0)
      return ah;
-
+        
  /* Not known, create new hostsfile record for this dyndir */
-  struct hostsfile *newah = NULL;
-  if(!(newah = whine_malloc(sizeof(struct hostsfile))))
-    return NULL;
+  if ((ah = whine_malloc(sizeof(struct hostsfile))))
+    {
+      char *path;

-  /* Add this file to the tip of the linked list */
-  newah->next = dd->files;
-  dd->files = newah;
-
-  /* Copy flags, set index and the full file path */
-  newah->flags = dd->flags;
-  newah->index = daemon->host_index++;
-  newah->fname = path;
-
-  return newah;
+      if (!(path = whine_malloc(dirlen + strlen(file) + 2)))
+	{
+	  free(ah);
+	  return NULL;
+	}
+      
+      strcpy(path, dd->dname);
+      strcat(path, "/");
+      strcat(path, file);
+      
+      /* Add this file to the tip of the linked list */
+      ah->next = dd->files;
+      dd->files = ah;
+      
+      /* Copy flags, set index and the full file path */
+      ah->flags = dd->flags;
+      ah->index = daemon->host_index++;
+      ah->fname = path;
+    }
+  
+  return ah;
 }


@@ -204,10 +219,8 @@ void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revh

       while ((ent = readdir(dir_stream)))
 	 {
-	   size_t lendir = strlen(dd->dname);
 	   size_t lenfile = strlen(ent->d_name);
-	   char *path;
-
+	   	   
 	   /* ignore emacs backups and dotfiles */
 	   if (lenfile == 0 || 
 	       ent->d_name[lenfile - 1] == '~' ||
@@ -215,33 +228,36 @@ void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revh
 	       ent->d_name[0] == '.')
 	     continue;

-	   if ((path = whine_malloc(lendir + lenfile + 2)))
+	   if (dd->flags & AH_HOSTS)
 	     {
 	       struct hostsfile *ah;

-	       strcpy(path, dd->dname);
-	       strcat(path, "/");
-	       strcat(path, ent->d_name);
-
-	       if (!(ah = dyndir_addhosts(dd, path)))
-		 {
-		   free(path);
-		   continue;
-		 }
-	       
 	       /* ignore non-regular files */
-	       if (stat(path, &buf) != -1 && S_ISREG(buf.st_mode))
-		 {
-		   if (dd->flags & AH_HOSTS)
-		     total_size = read_hostsfile(path, ah->index, total_size, rhash, revhashsz);
+	       if ((ah = dyndir_addhosts(dd, ent->d_name)) &&
+		   stat(ah->fname, &buf) != -1 && S_ISREG(buf.st_mode))
+		 total_size = read_hostsfile(ah->fname, ah->index, total_size, rhash, revhashsz);
+	     }
 #ifdef HAVE_DHCP
-		   else if (dd->flags & (AH_DHCP_HST | AH_DHCP_OPT))
+	   else if (dd->flags & (AH_DHCP_HST | AH_DHCP_OPT))
+	     {
+	       char *path;
+	       
+	       if ((path = whine_malloc(strlen(dd->dname) + lenfile + 2)))
+		 {
+		   strcpy(path, dd->dname);
+		   strcat(path, "/");
+		   strcat(path, ent->d_name);
+		   
+		   /* ignore non-regular files */
+		   if (stat(path, &buf) != -1 && S_ISREG(buf.st_mode))
 		     option_read_dynfile(path, dd->flags);
-#endif		   
+		   
+		   free(path);
 		 }
 	     }
+#endif		   
 	 }
-
+       
       closedir(dir_stream);
    }
 }
@@ -251,6 +267,8 @@ int inotify_check(time_t now)
  int hit = 0;
  struct dyndir *dd;

+  (void)now;
+  
  while (1)
    {
      int rc;
@@ -283,50 +301,27 @@ int inotify_check(time_t now)
 	  for (dd = daemon->dynamic_dirs; dd; dd = dd->next)
 	    if (dd->wd == in->wd)
 	      {
-		size_t lendir = strlen(dd->dname);
-		char *path;
-				
-		if ((path = whine_malloc(lendir + in->len + 2)))
+		if (dd->flags & AH_HOSTS)
 		  {
-		    struct hostsfile *ah = NULL;
-
-		    strcpy(path, dd->dname);
-		    strcat(path, "/");
-		    strcat(path, in->name);
-
-		    /* Is this is a deletion event? */
-		    if (in->mask & IN_DELETE)
-		      my_syslog(LOG_INFO, _("inotify: %s removed"), path);
-		    else 
-		      my_syslog(LOG_INFO, _("inotify: %s new or modified"), path);
-
-		    if (dd->flags & AH_HOSTS)
+		    struct hostsfile *ah;
+		    if ((ah = dyndir_addhosts(dd, in->name)))
 		      {
-			if ((ah = dyndir_addhosts(dd, path)))
-			  {
-			    const unsigned int removed = cache_remove_uid(ah->index);
-			    if (removed > 0)
-			      my_syslog(LOG_INFO, _("inotify: flushed %u names read from %s"), removed, path);
+			const unsigned int removed = cache_remove_uid(ah->index);

-			    /* (Re-)load hostsfile only if this event isn't triggered by deletion */
-			    if (!(in->mask & IN_DELETE))
-			      read_hostsfile(path, ah->index, 0, NULL, 0);
+			/* Is this is a deletion event? */
+			if (in->mask & IN_DELETE)
+			  my_syslog(LOG_INFO, _("inotify: %s removed"), ah->fname);
+			else 
+			  my_syslog(LOG_INFO, _("inotify: %s new or modified"), ah->fname);
+
+			if (removed > 0)
+			  my_syslog(LOG_INFO, _("inotify: flushed %u names read from %s"), removed, ah->fname);
+			
+			/* (Re-)load hostsfile only if this event isn't triggered by deletion */
+			if (!(in->mask & IN_DELETE))
+			  read_hostsfile(ah->fname, ah->index, 0, NULL, 0);
 #ifdef HAVE_DHCP
-			    if (daemon->dhcp || daemon->doing_dhcp6) 
-			      {
-				/* Propagate the consequences of loading a new dhcp-host */
-				dhcp_update_configs(daemon->dhcp_conf);
-				lease_update_from_configs(); 
-				lease_update_file(now); 
-				lease_update_dns(1);
-			      }
-#endif
-			  }
-		      }
-#ifdef HAVE_DHCP
-		    else if (dd->flags & AH_DHCP_HST)
-		      {
-			if (option_read_dynfile(path, AH_DHCP_HST))
+			if (daemon->dhcp || daemon->doing_dhcp6) 
 			  {
 			    /* Propagate the consequences of loading a new dhcp-host */
 			    dhcp_update_configs(daemon->dhcp_conf);
@@ -334,17 +329,43 @@ int inotify_check(time_t now)
 			    lease_update_file(now); 
 			    lease_update_dns(1);
 			  }
-		      }
-		    else if (dd->flags & AH_DHCP_OPT)
-		      option_read_dynfile(path, AH_DHCP_OPT);
 #endif
-		    
-		    if (!ah)
-		      free(path);
+		      }
 		  }
+#ifdef HAVE_DHCP
+		else if (!(in->mask & IN_DELETE))
+		  {
+		    char *path;
+
+		    if ((path = whine_malloc(strlen(dd->dname) + in->len + 2)))
+		      {
+			strcpy(path, dd->dname);
+			strcat(path, "/");
+			strcat(path, in->name);
+			
+			my_syslog(LOG_INFO, _("inotify: %s new or modified"), path);
+
+			if ((dd->flags & AH_DHCP_HST) && option_read_dynfile(path, AH_DHCP_HST))
+			  {
+			    /* Propagate the consequences of loading a new dhcp-host */
+			    dhcp_update_configs(daemon->dhcp_conf);
+			    lease_update_from_configs(); 
+			    lease_update_file(now); 
+			    lease_update_dns(1);
+			  }
+			
+			if (dd->flags & AH_DHCP_OPT)
+			  option_read_dynfile(path, AH_DHCP_OPT);
+		    
+			free(path);
+		      }
+		  }
+#endif
+		
 	      }
 	}
    }
+  
  return hit;
 }

--- a/src/ipset.c
+++ b/src/ipset.c
@@ -16,7 +16,7 @@

 #include "dnsmasq.h"

-#if defined(HAVE_IPSET)
+#if defined(HAVE_LINUX_IPSET)

 #include <string.h>
 #include <errno.h>
--- a/src/lease.c
+++ b/src/lease.c
@@ -25,7 +25,7 @@ static int read_leases(time_t now, FILE *leasestream)
  unsigned long ei;
  union all_addr addr;
  struct dhcp_lease *lease;
-  int clid_len, hw_len, hw_type;
+  int opt_len, clid_len, hw_len, hw_type;
  int items;
 
  *daemon->dhcp_buff3 = *daemon->dhcp_buff2 = '\0';
@@ -55,6 +55,34 @@ static int read_leases(time_t now, FILE *leasestream)
 	    continue;
 	  }
 #endif
+
+	/* Weird backwards compatible way of adding extra fields to leases */
+	if ((strcmp(daemon->dhcp_buff3, "vendorclass") == 0 || strcmp(daemon->dhcp_buff3, "agent-info") == 0))
+	  {
+	    if (fscanf(leasestream, " %764s", daemon->packet) == 1)
+	      {
+		if (inet_pton(AF_INET, daemon->dhcp_buff2, &addr.addr4))
+		  lease = lease_find_by_addr(addr.addr4);
+#ifdef HAVE_DHCP6
+		else if (inet_pton(AF_INET6, daemon->dhcp_buff2, &addr.addr6))
+		  lease = lease6_find_by_plain_addr(&addr.addr6);
+#endif
+		else
+		  continue;
+		
+		if (lease)
+		  {
+		    opt_len = parse_hex(daemon->packet, (unsigned char *)daemon->packet, 255, NULL, NULL);
+		    
+		    if (strcmp(daemon->dhcp_buff3, "vendorclass") == 0)
+		      lease_set_vendorclass(lease, (unsigned char *)daemon->packet, opt_len);
+		    else if (strcmp(daemon->dhcp_buff3, "agent-info") == 0)
+		      lease_set_agent_id(lease, (unsigned char *)daemon->packet, opt_len);
+		  }
+	      }
+
+	    continue;
+	  }
 	
 	if (fscanf(leasestream, " %64s %255s %764s",
 		   daemon->namebuff, daemon->dhcp_buff, daemon->packet) != 3)
@@ -251,8 +279,8 @@ void lease_update_file(time_t now)
 {
  struct dhcp_lease *lease;
  time_t next_event;
-  int i, err = 0;
-
+  int i, err = 0, extras;
+  
  if (file_dirty != 0 && daemon->lease_stream)
    {
      errno = 0;
@@ -260,9 +288,11 @@ void lease_update_file(time_t now)
      if (errno != 0 || ftruncate(fileno(daemon->lease_stream), 0) != 0)
 	err = errno;
      
-      for (lease = leases; lease; lease = lease->next)
+      for (extras = 0, lease = leases; lease; lease = lease->next)
 	{
-
+	  if (lease->agent_id || lease->vendorclass)
+	    extras = 1;
+	  
 #ifdef HAVE_DHCP6
 	  if (lease->flags & (LEASE_TA | LEASE_NA))
 	    continue;
@@ -335,7 +365,37 @@ void lease_update_file(time_t now)
 	    }
 	}
 #endif      
-	  
+
+      if (extras)
+	{
+	  /* Dump this at the end for least confusion with older parsing code. */
+	  for (lease = leases; lease; lease = lease->next)
+	    {
+#ifdef HAVE_DHCP6
+	      if (lease->flags & (LEASE_TA | LEASE_NA))
+		inet_ntop(AF_INET6, &lease->addr6, daemon->addrbuff, ADDRSTRLEN);
+	      else
+#endif
+		inet_ntop(AF_INET, &lease->addr, daemon->addrbuff, ADDRSTRLEN);
+	      
+	      if (lease->agent_id)
+		{
+		  ourprintf(&err, "agent-info %s ", daemon->addrbuff);
+		  for (i = 0; i < lease->agent_id_len - 1; i++)
+		    ourprintf(&err, "%.2x:", lease->agent_id[i]);
+		  ourprintf(&err, "%.2x\n", lease->agent_id[i]);
+		}
+	      
+	      if (lease->vendorclass)
+		{
+		  ourprintf(&err, "vendorclass %s ", daemon->addrbuff);
+		  for (i = 0; i < lease->vendorclass_len - 1; i++)
+		    ourprintf(&err, "%.2x:", lease->vendorclass[i]);
+		  ourprintf(&err, "%.2x\n", lease->vendorclass[i]);
+		}
+	    }
+	}
+      
      if (fflush(daemon->lease_stream) != 0 ||
 	  fsync(fileno(daemon->lease_stream)) < 0)
 	err = errno;
@@ -713,6 +773,22 @@ struct dhcp_lease *lease6_find_by_addr(struct in6_addr *net, int prefix, u64 add
  return NULL;
 } 

+struct dhcp_lease *lease6_find_by_plain_addr(struct in6_addr *addr)
+{
+  struct dhcp_lease *lease;
+    
+  for (lease = leases; lease; lease = lease->next)
+    {
+      if (!(lease->flags & (LEASE_TA | LEASE_NA)))
+	continue;
+      
+      if (IN6_ARE_ADDR_EQUAL(&lease->addr6, addr))
+	return lease;
+    }
+  
+  return NULL;
+}
+
 /* Find largest assigned address in context */
 u64 lease_find_max_addr6(struct dhcp_context *context)
 {
@@ -1084,6 +1160,46 @@ void lease_set_interface(struct dhcp_lease *lease, int interface, time_t now)
 #endif
 }

+void lease_set_agent_id(struct dhcp_lease *lease, unsigned char *new, int len)
+{
+
+  if (!lease->agent_id && !new)
+    return;
+  
+  if (lease->agent_id && new && lease->agent_id_len == len && memcmp(lease->agent_id, new, len) == 0)
+    return;
+
+  file_dirty = 1;
+  free(lease->agent_id);
+  lease->agent_id = NULL;
+  
+  if (new && (lease->agent_id = whine_malloc(len)))
+    {
+      memcpy(lease->agent_id, new, len);
+      lease->agent_id_len = len;
+    }
+}
+
+void lease_set_vendorclass(struct dhcp_lease *lease, unsigned char *new, int len)
+{
+  if (!lease->vendorclass && !new)
+    return;
+
+  if (lease->vendorclass && new && lease->vendorclass_len == len && memcmp(lease->vendorclass, new, len) == 0)
+    return;
+
+  file_dirty = 1;
+  free(lease->vendorclass);
+  lease->vendorclass = NULL;
+  
+  if (new && (lease->vendorclass = whine_malloc(len)))
+    {
+      memcpy(lease->vendorclass, new, len);
+      lease->vendorclass_len = len;
+    }
+}
+       
+
 void rerun_scripts(void)
 {
  struct dhcp_lease *lease;
@@ -1143,9 +1259,11 @@ int do_script_run(time_t now)
 #endif
 	  old_leases = lease->next;
 	  
-	  free(lease->old_hostname); 
+	  free(lease->hostname); 
 	  free(lease->clid);
 	  free(lease->extradata);
+	  free(lease->agent_id);
+	  free(lease->vendorclass);
 	  free(lease);
 	    
 	  return 1; 
--- a/src/metrics.c
+++ b/src/metrics.c
@@ -43,6 +43,10 @@ const char * metric_names[] = {
    "leases_allocated_6",
    "leases_pruned_6",
    "tcp_connections",
+    "dhcp_leasequery",
+    "dhcp_lease_unassigned",
+    "dhcp_lease_actve",
+    "dhcp_lease_unknown"
 };

 const char* get_metric_name(int i) {
--- a/src/metrics.h
+++ b/src/metrics.h
@@ -42,6 +42,10 @@ enum {
  METRIC_LEASES_ALLOCATED_6,
  METRIC_LEASES_PRUNED_6,
  METRIC_TCP_CONNECTIONS,
+  METRIC_DHCPLEASEQUERY,
+  METRIC_DHCPLEASEUNASSIGNED,
+  METRIC_DHCPLEASEACTIVE,
+  METRIC_DHCPLEASEUNKNOWN,
  
  __METRIC_MAX,
 };
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -165,6 +165,13 @@ int iface_enumerate(int family, void *parm, callback_t callback)
    struct rtgenmsg g; 
  } req;

+  /* The netlink socket is not available in child processes. */
+  if (daemon->pipe_to_parent != -1)
+    {
+      my_syslog(LOG_ERR, _("BUG: called iface_enumerate() in child process"));
+      return 0;
+    }
+  
  memset(&req, 0, sizeof(req));
  memset(&addr, 0, sizeof(addr));

--- a/src/network.c
+++ b/src/network.c
@@ -1568,6 +1568,8 @@ void check_servers(int no_loop_check)
  struct serverfd *sfd, *tmp, **up;
  int port = 0, count;
  int locals = 0;
+
+  (void)no_loop_check;
  
 #ifdef HAVE_LOOP
  if (!no_loop_check)
@@ -1775,8 +1777,10 @@ int reload_servers(char *fname)
 /* Called when addresses are added or deleted from an interface */
 void newaddress(time_t now)
 {
+#ifdef HAVE_DHCP
  struct dhcp_relay *relay;
-
+#endif
+  
  (void)now;
  
  if (option_bool(OPT_CLEVERBIND) || option_bool(OPT_LOCAL_SERVICE) ||
--- a/src/option.c
+++ b/src/option.c
@@ -195,6 +195,8 @@ struct myoption {
 #define LOPT_PXE_OPT       386
 #define LOPT_NO_ENCODE     387
 #define LOPT_DO_ENCODE     388
+#define LOPT_LEASEQUERY    389
+#define LOPT_SPLIT_RELAY   390

 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -373,6 +375,7 @@ static const struct myoption opts[] =
    { "dnssec-timestamp", 1, 0, LOPT_DNSSEC_STAMP },
    { "dnssec-limits", 1, 0, LOPT_DNSSEC_LIMITS },
    { "dhcp-relay", 1, 0, LOPT_RELAY },
+    { "dhcp-split-relay", 1, 0, LOPT_SPLIT_RELAY },
    { "ra-param", 1, 0, LOPT_RA_PARAM },
    { "quiet-dhcp", 0, 0, LOPT_QUIET_DHCP },
    { "quiet-dhcp6", 0, 0, LOPT_QUIET_DHCP6 },
@@ -394,6 +397,7 @@ static const struct myoption opts[] =
    { "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
    { "no-ident", 0, 0, LOPT_NO_IDENT },
    { "max-tcp-connections", 1, 0, LOPT_MAX_PROCS },
+    { "leasequery", 2, 0, LOPT_LEASEQUERY },
    { NULL, 0, 0, 0 }
  };

@@ -499,6 +503,7 @@ static struct {
  { '4', ARG_DUP, "set:<tag>,<mac address>", gettext_noop("Map MAC address (with wildcards) to option set."), NULL },
  { LOPT_BRIDGE, ARG_DUP, "<iface>,<alias>..", gettext_noop("Treat DHCP requests on aliases as arriving from interface."), NULL },
  { LOPT_SHARED_NET, ARG_DUP, "<iface>|<addr>,<addr>", gettext_noop("Specify extra networks sharing a broadcast domain for DHCP"), NULL},
+  { LOPT_LEASEQUERY, ARG_DUP, "[<addr>[/prefix>]]", gettext_noop("Enable RFC 4388 leasequery functions for DHCPv4"), NULL },
  { '5', OPT_NO_PING, NULL, gettext_noop("Disable ICMP echo address checking in the DHCP server."), NULL },
  { '6', ARG_ONE, "<path>", gettext_noop("Shell script to run on DHCP lease creation and destruction."), NULL },
  { LOPT_LUASCRIPT, ARG_DUP, "path", gettext_noop("Lua script to run on DHCP lease creation and destruction."), NULL },
@@ -539,6 +544,7 @@ static struct {
  { LOPT_GEN_NAMES, ARG_DUP, "[=tag:<tag>]", gettext_noop("Generate hostnames based on MAC address for nameless clients."), NULL},
  { LOPT_PROXY, ARG_DUP, "[=<ipaddr>]...", gettext_noop("Use these DHCP relays as full proxies."), NULL },
  { LOPT_RELAY, ARG_DUP, "<local-addr>,<server>[,<iface>]", gettext_noop("Relay DHCP requests to a remote server"), NULL},
+  { LOPT_SPLIT_RELAY, ARG_DUP, "<local-addr>,<server>,<iface>", gettext_noop("Relay DHCP requests to a remote server"), NULL},
  { LOPT_CNAME, ARG_DUP, "<alias>,<target>[,<ttl>]", gettext_noop("Specify alias name for LOCAL DNS name."), NULL },
  { LOPT_PXE_PROMT, ARG_DUP, "<prompt>,[<timeout>]", gettext_noop("Prompt to send to PXE clients."), NULL },
  { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE menu."), NULL },
@@ -2912,7 +2918,20 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	arg = comma;
      } while (arg);
      break;
-      
+
+#ifdef HAVE_DHCP
+# if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6))
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wimplicit-fallthrough"
+# endif
+    case LOPT_LEASEQUERY:
+      set_option_bool(OPT_LEASEQUERY);
+      if (!arg)
+	break;
+# if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6))
+# pragma GCC diagnostic pop
+# endif
+#endif
    case 'B':  /* --bogus-nxdomain */
    case LOPT_IGNORE_ADDR: /* --ignore-address */
     {
@@ -2948,6 +2967,13 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    baddr->next = daemon->bogus_addr;
 	    daemon->bogus_addr = baddr;
 	  }
+#ifdef HAVE_DHCP
+	else if (option == LOPT_LEASEQUERY)
+	  {
+	    baddr->next = daemon->leasequery_addr;
+	    daemon->leasequery_addr = baddr;
+	  }
+#endif
 	else
 	  {
 	    baddr->next = daemon->ignore_addr;
@@ -4693,11 +4719,21 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
      break;
      
    case LOPT_RELAY: /* --dhcp-relay */
+    case LOPT_SPLIT_RELAY: /* --dhcp-splt-relay */
      {
 	struct dhcp_relay *new = opt_malloc(sizeof(struct dhcp_relay));
 	char *two = split(arg);
 	char *three = split(two);
-	
+
+	if (option == LOPT_SPLIT_RELAY)
+	  {
+	    new->split_mode = 1;
+	    
+	    /* split mode must have two addresses and a non-wildcard interface name. */
+	    if (!three || strchr(three, '*'))
+	      two = NULL;
+	  }
+		    
 	new->iface_index = 0;

 	if (two)
@@ -4720,12 +4756,15 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		    else
 		      three = two;
 		  }
+		else if (new->split_mode && inet_pton(AF_INET, three, &new->uplink))
+		  /* Third arg in split mode can be an address. */
+		  three = NULL;
 		
 		new->next = daemon->relay4;
 		daemon->relay4 = new;
 	      }
 #ifdef HAVE_DHCP6
-	    else if (inet_pton(AF_INET6, arg, &new->local))
+	    else if (inet_pton(AF_INET6, arg, &new->local) && !new->split_mode)
 	      {
 		char *hash = split_chr(two, '#');

@@ -4746,7 +4785,9 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		daemon->relay6 = new;
 	      }
 #endif
-
+	    else
+	      two = NULL;
+	    
 	    new->interface = opt_string_alloc(three);
 	  }
 	
@@ -6239,6 +6280,8 @@ void read_opts(int argc, char **argv, char *compile_opts)
 	    strchr(srv->name, '.') && 
 	    strchr(srv->name, '.') == strrchr(srv->name, '.'))
 	  {
+	    if (strlen(srv->name) + 1 + strlen(daemon->domain_suffix) > MAXDNAME)
+	      die(_("srv-host name %s too long after domain appended"), srv->name, EC_MISC);
 	    strcpy(buff, srv->name);
 	    strcat(buff, ".");
 	    strcat(buff, daemon->domain_suffix);
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -415,6 +415,7 @@ int private_net(struct in_addr addr, int ban_localhost)
    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
    (((ip_addr & 0xFF000000) == 0x00000000) && ban_localhost) /* RFC 5735 section 3. "here" network */ ||
    ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
+    ((ip_addr & 0xFFC00000) == 0x64400000)  /* 100.64.0.0/10  (CG-NAT) RFC6598/RFC7793*/ ||
    ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
    ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ||
@@ -515,7 +516,7 @@ int do_doctor(struct dns_header *header, size_t qlen, char *namebuff)
   Cache said SOA and return the difference in length between name and the name of the 
   SOA RR so we can look it up again.
 */
-static int find_soa(struct dns_header *header, size_t qlen, char *name, int *substring, unsigned long *ttlp, int no_cache, time_t now)
+static int find_soa(struct dns_header *header, size_t qlen, char *name, int *substring, unsigned long *ttlp, int cache, time_t now)
 {
  unsigned char *p, *psave;
  int qtype, qclass, rdlen;
@@ -555,7 +556,7 @@ static int find_soa(struct dns_header *header, size_t qlen, char *name, int *sub
 	    {
 	      int prefix = name_len - soa_len;
 	      
-	      if (!no_cache)
+	      if (cache)
 		{
 		  if (!(addr.rrblock.rrdata = blockdata_alloc(NULL, 0)))
 		    return 0;
@@ -567,12 +568,12 @@ static int find_soa(struct dns_header *header, size_t qlen, char *name, int *sub
 		{
 		  if (!extract_name(header, qlen, &p, daemon->workspacename, EXTR_NAME_EXTRACT, 0))
 		    {
-		      if (!no_cache)
+		      if (cache)
 			blockdata_free(addr.rrblock.rrdata);
 		      return 0;
 		    }
 		  
-		  if (!no_cache)
+		  if (cache)
 		    {
 		      len = to_wire(daemon->workspacename);
 		      if (!blockdata_expand(addr.rrblock.rrdata, addr.rrblock.datalen, daemon->workspacename, len))
@@ -587,13 +588,13 @@ static int find_soa(struct dns_header *header, size_t qlen, char *name, int *sub

 	      if (!CHECK_LEN(header, p, qlen, 20))
 		{
-		  if (!no_cache)
+		  if (cache)
 		    blockdata_free(addr.rrblock.rrdata);
 		  return 0;
 		}
 	      
 	      /* rest of RR */
-	      if (!no_cache)
+	      if (cache)
 		{
 		  int secflag = 0;

@@ -687,12 +688,12 @@ static int log_txt(char *name, unsigned char *p, const int ardlen, int flag)
   Return 2 if the packet is malformed.
 */
 int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now, 
-		      struct ipsets *ipsets, struct ipsets *nftsets, int is_sign, int check_rebind,
+		      struct ipsets *ipsets, struct ipsets *nftsets, int check_rebind,
 		      int no_cache_dnssec, int secure)
 {
  unsigned char *p, *p1, *endrr, *namep;
  int j, qtype, qclass, aqtype, aqclass, ardlen, res;
-  unsigned long ttl = 0;
+  unsigned long ttl;
  union all_addr addr;
 #ifdef HAVE_IPSET
  char **ipsets_cur;
@@ -704,13 +705,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 #else
  (void)nftsets; /* unused */
 #endif
-  int found = 0, cname_count = CNAME_CHAIN;
-  struct crec *cpp = NULL;
+  int name_encoding, found = 0, ptr = 0;
  int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
-#ifdef HAVE_DNSSEC
-  int cname_short = 0;
-#endif
-  unsigned long cttl = ULONG_MAX, attl;

  cache_start_insert();

@@ -724,125 +720,73 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
  
  if (qclass != C_IN)
    return 0;
-  
-  /* PTRs: we chase CNAMEs here, since we have no way to 
-     represent them in the cache. */
-  if (qtype == T_PTR)
+
+  /* If the PTR record encodes an address, store using a name/address record with F_REVERSE set.
+     Otherwise, it gets stored as an arbitrary RR below. If the query is answerable with
+     a CNAME, also take the arbitrary-RR route, since the cache can't represent a CNAME
+     whose target is stored in a F_REVERSE record. */
+  if (qtype == T_PTR && !(flags & F_NXDOMAIN) && (name_encoding = in_arpa_name_2_addr(name, &addr)))
    { 
-      int insert = 1, name_encoding = in_arpa_name_2_addr(name, &addr);
+      ptr = 1;
      
-      if (!(flags & F_NXDOMAIN))
+      if (!(p1 = skip_questions(header, qlen)))
+	return 2;
+      
+      for (j = 0; j < ntohs(header->ancount); j++) 
 	{
-	cname_loop:
-	  if (!(p1 = skip_questions(header, qlen)))
-	    return 2;
+	  int secflag = 0;
+	  if (!(res = extract_name(header, qlen, &p1, name, EXTR_NAME_COMPARE, 10)))
+	    return 2; /* bad packet */
 	  
-	  for (j = 0; j < ntohs(header->ancount); j++) 
+	  GETSHORT(aqtype, p1); 
+	  GETSHORT(aqclass, p1);
+	  p = p1;
+	  GETLONG(ttl, p1);
+	  GETSHORT(ardlen, p1);
+	  endrr = p1+ardlen;
+	  
+	  if (aqclass == C_IN && res == 1 && aqtype == T_PTR)
 	    {
-	      int secflag = 0;
-	      if (!(res = extract_name(header, qlen, &p1, name, EXTR_NAME_COMPARE, 10)))
-		return 2; /* bad packet */
+	      found = 1;
+
+	      if ((daemon->max_ttl != 0) && (ttl > daemon->max_ttl))
+		ttl = daemon->max_ttl;
 	      
-	      GETSHORT(aqtype, p1); 
-	      GETSHORT(aqclass, p1);
-	      GETLONG(attl, p1);
-	      
-	      if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
-		{
-		  (p1) -= 4;
-		  PUTLONG(daemon->max_ttl, p1);
-		}
-	      GETSHORT(ardlen, p1);
-	      endrr = p1+ardlen;
-	      
-	      /* TTL of record is minimum of CNAMES and PTR */
-	      if (attl < cttl)
-		cttl = attl;
-	      
-	      if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
-		{
 #ifdef HAVE_DNSSEC
-		  if (option_bool(OPT_DNSSEC_VALID) && j < daemon->rr_status_sz && daemon->rr_status[j] != 0)
-		    {
-		      /* validated RR anywhere in CNAME chain, don't cache. */
-		      if (cname_short || aqtype == T_CNAME)
-			insert = 0;
-		      
-		      secflag = F_DNSSECOK;
-		      /* limit TTL based on signature. */
-		      if (daemon->rr_status[j] < cttl)
-			cttl = daemon->rr_status[j];
-		    }
-#endif
-
-		  if (aqtype == T_CNAME)
-		    log_query(secflag | F_CNAME | F_FORWARD | F_UPSTREAM, name, NULL, NULL, 0);
-		  
-		  if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
-		    return 2;
-		  
-		  if (aqtype == T_CNAME)
-		    {
-		      if (!cname_count--)
-			return 0; /* looped CNAMES, we can't cache. */
-#ifdef HAVE_DNSSEC
-		      cname_short = 1;
-#endif
-		      goto cname_loop;
-		    }
-		  
-		  found = 1; 
-		  
-		  if (!name_encoding)
-		    log_query(secflag | F_FORWARD | F_UPSTREAM, name, NULL, NULL, aqtype);
-		  else
-		    {
-		      log_query(name_encoding | secflag | F_REVERSE | F_UPSTREAM, name, &addr, NULL, 0);
-		      if (insert)
-			cache_insert(name, &addr, C_IN, now, cttl, name_encoding | secflag | F_REVERSE);
-		    }
-		}
-
-	      p1 = endrr;
-	      if (!CHECK_LEN(header, p1, qlen, 0))
-		return 2; /* bad packet */
-	    }
-	}
-      
-      if (!found)
-	{
-	  flags |= F_NEG | (secure ?  F_DNSSECOK : 0);
-
-	  if (name_encoding)
-	    flags |= F_REVERSE | name_encoding;
-
-	  log_query(flags | F_UPSTREAM, name, &addr, NULL, 0);
-
-	  if (name_encoding && !option_bool(OPT_NO_NEG))
-	    {
-	      /* For reverse records, we use the name field to store the SOA name. */
-	      int substring, have_soa = find_soa(header, qlen, name, &substring, &ttl, no_cache_dnssec, now);
-
-	      if (have_soa || daemon->neg_ttl)
+	      if (option_bool(OPT_DNSSEC_VALID) && j < daemon->rr_status_sz && daemon->rr_status[j] != 0)
 		{
-		  /* If daemon->neg_ttl is set, we can cache even without an SOA. */
-		  if (!have_soa)
-		    {
-		      flags |= F_NO_RR; /* Marks no SOA found. */
-		      ttl = daemon->neg_ttl;
-		    }
-		  
-		  cache_insert(name + substring, &addr, C_IN, now, ttl, flags);
+		  secflag = F_DNSSECOK;
+		  /* limit TTL based on signature. */
+		  if (daemon->rr_status[j] < ttl)
+		    ttl = daemon->rr_status[j];
 		}
+#endif
+	      
+	      PUTLONG(ttl, p);
+
+	      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
+		return 2;
+	      log_query(name_encoding | secflag | F_REVERSE | F_UPSTREAM, name, &addr, NULL, 0);
+	      cache_insert(name, &addr, C_IN, now, ttl, name_encoding | secflag | F_REVERSE);
+	      
+	      /* restore query into name */
+	      p1 = namep;
+	      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
+		return 2;
 	    }
+	  
+	  p1 = endrr;
+	  if (!CHECK_LEN(header, p1, qlen, 0))
+	    return 2; /* bad packet */
 	}
    }
-  else
+
+  if (!ptr || !found)
    {
      /* everything other than PTR */
-      struct crec *newc;
-      int addrlen = 0, insert = 1;
-      
+      struct crec *newc, *cpp = NULL;
+      int cname_count = CNAME_CHAIN, addrlen = 0, insert = 1;
+            
      if (qtype == T_A)
 	{
 	  addrlen = INADDRSZ;
@@ -854,12 +798,12 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	  flags |= F_IPV6;
 	}
      else if (qtype != T_CNAME &&
-	       (qtype == T_SRV || rr_on_list(daemon->cache_rr, qtype) || rr_on_list(daemon->cache_rr, T_ANY)))
+	       (qtype == T_SRV || qtype == T_PTR || rr_on_list(daemon->cache_rr, qtype) || rr_on_list(daemon->cache_rr, T_ANY)))
 	flags |= F_RR;
      else
 	insert = 0; /* NOTE: do not cache data from CNAME queries. */
      
-    cname_loop1:
+    cname_loop:
      if (!(p1 = skip_questions(header, qlen)))
 	return 2;
      
@@ -872,12 +816,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	  
 	  GETSHORT(aqtype, p1); 
 	  GETSHORT(aqclass, p1);
-	  GETLONG(attl, p1);
-	  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
-	    {
-	      (p1) -= 4;
-	      PUTLONG(daemon->max_ttl, p1);
-	    }
+	  p = p1;
+	  GETLONG(ttl, p1);
 	  GETSHORT(ardlen, p1);
 	  endrr = p1+ardlen;

@@ -890,6 +830,9 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	      p1 = endrr;
 	      continue;
 	    }
+
+	  if ((daemon->max_ttl != 0) && (ttl > daemon->max_ttl))
+	    ttl = daemon->max_ttl;
 	  
 #ifdef HAVE_DNSSEC
 	  if (option_bool(OPT_DNSSEC_VALID) && j < daemon->rr_status_sz && daemon->rr_status[j] != 0)
@@ -897,10 +840,12 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	      secflag = F_DNSSECOK;
 	      
 	      /* limit TTl based on sig. */
-	      if (daemon->rr_status[j] < attl)
-		attl = daemon->rr_status[j];
+	      if (daemon->rr_status[j] < ttl)
+		ttl = daemon->rr_status[j];
 	    }
 #endif	  
+
+	  PUTLONG(ttl, p);
 	  
 	  if (aqtype == T_CNAME)
 	    {
@@ -911,7 +856,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	      
 	      if (insert)
 		{
-		  if ((newc = cache_insert(name, NULL, C_IN, now, attl, F_CNAME | F_FORWARD | secflag)))
+		  if ((newc = cache_insert(name, NULL, C_IN, now, ttl, F_CNAME | F_FORWARD | secflag)))
 		    {
 		      newc->addr.cname.target.cache = NULL;
 		      newc->addr.cname.is_name_ptr = 0; 
@@ -924,16 +869,15 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		    }
 		  
 		  cpp = newc;
-		  if (attl < cttl)
-		    cttl = attl;
 		}
 	      
+	      /* Set the query to the CNAME target and go again unless the query was just for a CNAME. */
 	      namep = p1;
 	      if (!extract_name(header, qlen, &p1, name, EXTR_NAME_EXTRACT, 0))
 		return 2;
 	      
 	      if (qtype != T_CNAME)
-		goto cname_loop1;
+		goto cname_loop;

 	      found = 1;
 	    }
@@ -1089,7 +1033,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	      
 	      if (insert)
 		{
-		  newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag);
+		  newc = cache_insert(name, &addr, C_IN, now, ttl, flags | F_FORWARD | secflag);
 		  if (newc && cpp)
 		    {
 		      next_uid(newc);
@@ -1135,7 +1079,17 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	  
 	  if (insert && !option_bool(OPT_NO_NEG))
 	    {
-	      int substring, have_soa = find_soa(header, qlen, name, &substring, &ttl, no_cache_dnssec, now);
+	      /* The order of records going into the cache matters (see  cache_recv_insert()).
+		 The target of a CNAME must immediately follow the CNAME.
+		 (CNAME has already gone into the cache at this point)
+		 Here we call find_soa to get the ttl and substring, but
+		 we DON'T LET IT INSERT the SOA into the cache if our negative record is a CNAME target
+		 so that the SOA doesn't come before the CNAME target.
+
+		 We call find_soa() again after inserting the CNAME target to insert the SOA
+		 if necessary. */
+
+	      int substring, have_soa = find_soa(header, qlen, name, &substring, &ttl, cpp == NULL, now);
 	      
 	      if (have_soa || daemon->neg_ttl)
 		{		  
@@ -1157,6 +1111,10 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		      next_uid(newc);
 		      cpp->addr.cname.target.cache = newc;
 		      cpp->addr.cname.uid = newc->uid;
+		    
+		      /* we didn't insert the SOA before a CNAME target above, do it now. */
+		      if (have_soa)
+			find_soa(header, qlen, name, NULL, NULL, 1, now);
 		    }
 		}
 	    }
@@ -1301,12 +1259,10 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
 	return  F_IPV4 | F_IPV6;
    }

-#ifdef HAVE_DNSSEC
  /* Make the behaviour for DS and DNSKEY queries we forward the same
     as for DS and DNSKEY queries we originate. */
-  if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DS || qtype == T_DNSKEY))
-    return F_DNSSECOK;
-#endif
+  if (qtype == T_DS || qtype == T_DNSKEY)
+    return F_DNSSECOK | (qtype == T_DS ? F_DS : 0);
  
  return F_QUERY;
 }
@@ -1668,7 +1624,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  int rd_bit = (header->hb3 & HB3_RD);
  int count = 255; /* catch loops */

-  /* Suppress cached answers of no_cache set. */
+  /* Suppress cached answers if no_cache set. */
  if (no_cache)
    rd_bit = 0;
  
@@ -1678,14 +1634,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  if (filtered)
    *filtered = 0;
  
-  /* never answer queries with RD unset, to avoid cache snooping. */
-  if ( ntohs(header->qdcount) != 1 ||
-       ntohs(header->ancount) != 0 ||
+  if (ntohs(header->qdcount) != 1 ||
+      ntohs(header->ancount) != 0 ||
      ntohs(header->nscount) != 0 ||
-      ntohs(header->qdcount) == 0 ||
      OPCODE(header) != QUERY )
    return 0;
-
+  
  /* Don't return AD set if checking disabled. */
  if (header->hb4 & HB4_CD)
    sec_data = 0;
@@ -2348,14 +2302,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
     
     For FORWARD NEG records, the addr.rrdata.datalen field of the othewise
     empty addr is used to held an offset in to the name which yields the SOA
-     name. For REVERSE NEG records, the otherwise empty name field holds the
-     SOA name. If soa_name has zero length, then no SOA is known. soa_lookup
-     MUST be a neg record here.
-     
+     name.
     If the F_NO_RR flag is set, there was no SOA record supplied with the RR.  */
  if (soa_lookup && !(soa_lookup->flags & F_NO_RR))
    {
-      char *soa_name = soa_lookup->flags & F_REVERSE ? cache_get_name(soa_lookup) : name + soa_lookup->addr.rrdata.datalen;
+      char *soa_name = name + soa_lookup->addr.rrdata.datalen;
      
      crecp = NULL;
      while ((crecp = cache_find_by_name(crecp, soa_name, now, F_RR)))
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -56,7 +56,8 @@ static void do_options(struct dhcp_context *context,
 		       time_t now,
 		       unsigned int lease_time,
 		       unsigned short fuzz,
-		       const char *pxevendor);
+		       const char *pxevendor,
+		       int leasequery);


 static void match_vendor_opts(unsigned char *opt, struct dhcp_opt *dopt); 
@@ -73,7 +74,7 @@ static void handle_encap(struct dhcp_packet *mess, unsigned char *end, unsigned

 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  size_t sz, time_t now, int unicast_dest, int loopback,
-		  int *is_inform, int pxe, struct in_addr fallback, time_t recvtime)
+		  int *is_inform, int pxe, struct in_addr fallback, time_t recvtime, struct in_addr leasequery_source)
 {
  unsigned char *opt, *clid = NULL;
  struct dhcp_lease *ltmp, *lease = NULL;
@@ -108,7 +109,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 #endif

  subnet_addr.s_addr = override.s_addr = 0;
-
+          
  /* set tag with name == interface */
  iface_id.net = iface_name;
  iface_id.next = NULL;
@@ -185,7 +186,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	    }
 	}
      
-      if ((opt = option_find(mess, sz, OPTION_AGENT_ID, 1)))
+      if (mess_type != DHCPLEASEQUERY && (opt = option_find(mess, sz, OPTION_AGENT_ID, 1)))
 	{
 	  /* Any agent-id needs to be copied back out, verbatim, as the last option
 	     in the packet. Here, we shift it to the very end of the buffer, if it doesn't
@@ -203,6 +204,10 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	      memcpy(agent_id, opt, total);
 	    }

+	  /* look for RFC5010 flags sub-option */
+	  if ((sopt = option_find1(option_ptr(opt, 0), option_ptr(opt, option_len(opt)), SUBOPT_FLAGS, INADDRSZ)))
+	    unicast_dest = !!(option_uint(opt, 0, 1) & 0x80);
+	      
 	  /* look for RFC3527 Link selection sub-option */
 	  if ((sopt = option_find1(option_ptr(opt, 0), option_ptr(opt, option_len(opt)), SUBOPT_SUBNET_SELECT, INADDRSZ)))
 	    subnet_addr = option_addr(sopt);
@@ -211,7 +216,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  if ((sopt = option_find1(option_ptr(opt, 0), option_ptr(opt, option_len(opt)), SUBOPT_SERVER_OR, INADDRSZ)))
 	    override = option_addr(sopt);
 	  
-	  /* if a circuit-id or remote-is option is provided, exact-match to options. */ 
+	  /* if a circuit-id or remote-is option is provided, exact-match to options. */
 	  for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next)
 	    {
 	      int search;
@@ -224,7 +229,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		search = SUBOPT_SUBSCR_ID;
 	      else 
 		continue;
-
+	      
 	      if ((sopt = option_find1(option_ptr(opt, 0), option_ptr(opt, option_len(opt)), search, 1)) &&
 		  vendor->len == option_len(sopt) &&
 		  memcmp(option_ptr(sopt, 0), vendor->data, vendor->len) == 0)
@@ -234,7 +239,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		} 
 	    }
 	}
-
+      
      /* Check for RFC3011 subnet selector - only if RFC3527 one not present */
      if (subnet_addr.s_addr == 0 && (opt = option_find(mess, sz, OPTION_SUBNET_SELECT, INADDRSZ)))
 	subnet_addr = option_addr(opt);
@@ -288,6 +293,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	{
 	  addr = subnet_addr;
 	  force = 1;
+	  if (mess->giaddr.s_addr)
+	    via_relay = 1;
 	}
      else if (mess->giaddr.s_addr)
 	{
@@ -356,7 +363,12 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  if (context_tmp->local.s_addr == 0)
 		    context_tmp->local = fallback;
 		  if (context_tmp->router.s_addr == 0 && !share)
-		    context_tmp->router = mess->giaddr;
+		    {
+		      if (override.s_addr)
+			context_tmp->router = override;
+		      else
+			context_tmp->router = mess->giaddr;
+		    }
 		  
 		  /* fill in missing broadcast addresses for relayed ranges */
 		  if (!(context_tmp->flags & CONTEXT_BRDCAST) && context_tmp->broadcast.s_addr == 0 )
@@ -373,44 +385,47 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	context = context_new; 
    }
  
-  if (!context)
+  if (mess_type != DHCPLEASEQUERY)
    {
-      const char *via;
-      if (subnet_addr.s_addr)
+      if  (!context)
 	{
-	  via = _("with subnet selector");
-	  inet_ntop(AF_INET, &subnet_addr, daemon->addrbuff, ADDRSTRLEN);
-	}
-      else
-	{
-	  via = _("via");
-	  if (mess->giaddr.s_addr)
-	    inet_ntop(AF_INET, &mess->giaddr, daemon->addrbuff, ADDRSTRLEN);
-	  else
-	    safe_strncpy(daemon->addrbuff, iface_name, ADDRSTRLEN);
-	}
-      my_syslog(MS_DHCP | LOG_WARNING, _("no address range available for DHCP request %s %s"),
-		via, daemon->addrbuff);
-      return 0;
-    }
-
-  if (option_bool(OPT_LOG_OPTS))
-    {
-      struct dhcp_context *context_tmp;
-      for (context_tmp = context; context_tmp; context_tmp = context_tmp->current)
-	{
-	  inet_ntop(AF_INET, &context_tmp->start, daemon->namebuff, MAXDNAME);
-	  if (context_tmp->flags & (CONTEXT_STATIC | CONTEXT_PROXY))
+	  const char *via;
+	  if (subnet_addr.s_addr)
 	    {
-	      inet_ntop(AF_INET, &context_tmp->netmask, daemon->addrbuff, ADDRSTRLEN);
-	      my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP subnet: %s/%s"),
-			ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+	      via = _("with subnet selector");
+	      inet_ntop(AF_INET, &subnet_addr, daemon->addrbuff, ADDRSTRLEN);
 	    }
 	  else
 	    {
-	      inet_ntop(AF_INET, &context_tmp->end, daemon->addrbuff, ADDRSTRLEN);
-	      my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP range: %s -- %s"),
-			ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+	      via = _("via");
+	      if (mess->giaddr.s_addr)
+		inet_ntop(AF_INET, &mess->giaddr, daemon->addrbuff, ADDRSTRLEN);
+	      else
+		safe_strncpy(daemon->addrbuff, iface_name, ADDRSTRLEN);
+	    }
+	  my_syslog(MS_DHCP | LOG_WARNING, _("no address range available for DHCP request %s %s"),
+		    via, daemon->addrbuff);
+	  return 0;
+	}
+      
+      if (option_bool(OPT_LOG_OPTS))
+	{
+	  struct dhcp_context *context_tmp;
+	  for (context_tmp = context; context_tmp; context_tmp = context_tmp->current)
+	    {
+	      inet_ntop(AF_INET, &context_tmp->start, daemon->namebuff, MAXDNAME);
+	      if (context_tmp->flags & (CONTEXT_STATIC | CONTEXT_PROXY))
+		{
+		  inet_ntop(AF_INET, &context_tmp->netmask, daemon->addrbuff, ADDRSTRLEN);
+		  my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP subnet: %s/%s"),
+			    ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+		}
+	      else
+		{
+		  inet_ntop(AF_INET, &context_tmp->end, daemon->addrbuff, ADDRSTRLEN);
+		  my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP range: %s -- %s"),
+			    ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+		}
 	    }
 	}
    }
@@ -672,7 +687,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	      
 	      clear_packet(mess, end);
 	      do_options(context, mess, end, NULL, hostname, get_domain(mess->yiaddr), 
-			 netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0, NULL);
+			 netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0, NULL, 0);
 	    }
 	}
      
@@ -818,8 +833,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	    }
 	}
    }
-  
-  if (config)
+
+  if (mess_type != DHCPLEASEQUERY && config)
    {
      struct dhcp_netid_list *list;
      
@@ -860,7 +875,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
    clid = NULL;
          
  /* Check if client is PXE client. */
-  if (daemon->enable_pxe &&
+  if (mess_type != DHCPLEASEQUERY &&
+      daemon->enable_pxe &&
      is_pxe_client(mess, sz, &pxevendor))
    {
      if ((opt = option_find(mess, sz, OPTION_PXE_UUID, 17)))
@@ -1035,7 +1051,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
    }

  /* if we're just a proxy server, go no further */
-  if ((context->flags & CONTEXT_PROXY) || pxe)
+  if (mess_type != DHCPLEASEQUERY &&
+      ((context->flags & CONTEXT_PROXY) || pxe))
    return 0;
  
  if ((opt = option_find(mess, sz, OPTION_REQUESTED_OPTIONS, 0)))
@@ -1047,6 +1064,176 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
  
  switch (mess_type)
    {
+    case DHCPLEASEQUERY:
+      mess_type = DHCPLEASEUNKNOWN;
+      
+      if (!option_bool(OPT_LEASEQUERY))
+	return 0;
+      
+      if (leasequery_source.s_addr == 0)
+	return 0;
+
+      inet_ntop(AF_INET, &leasequery_source, daemon->workspacename, ADDRSTRLEN);
+
+      if (daemon->leasequery_addr)
+	{
+	  struct bogus_addr *baddrp;
+
+	  for (baddrp = daemon->leasequery_addr; baddrp; baddrp = baddrp->next)
+	    if (!baddrp->is6 && is_same_net_prefix(leasequery_source, baddrp->addr.addr4, baddrp->prefix))
+	      break;
+	  
+	  if (!baddrp)
+	    {
+	      my_syslog(MS_DHCP | LOG_WARNING, _("leasequery from %s not permitted"), daemon->workspacename);
+	      return 0;
+	    }
+	}
+      
+      daemon->metrics[METRIC_DHCPLEASEQUERY]++;
+      log_packet("DHCPLEASEQUERY", mess->ciaddr.s_addr ? &mess->ciaddr : NULL, emac_len != 0 ? emac : NULL, emac_len,
+		 iface_name, "from ", daemon->workspacename, mess->xid);
+
+      /* Put all the contexts on the ->current list for the next stages. */
+      for (context = daemon->dhcp; context; context = context->next)
+	context->current = context->next;
+      
+      /* Have maybe already found the lease by MAC or clid. */
+      if (mess->ciaddr.s_addr != 0 &&
+	  !(lease = lease_find_by_addr(mess->ciaddr)) &&
+	  address_available(daemon->dhcp, mess->ciaddr, tagif_netid))
+	{
+	  mess_type = DHCPLEASEUNASSIGNED;
+	  daemon->metrics[METRIC_DHCPLEASEUNASSIGNED]++;
+	}
+      
+      if (lease)
+	{
+	  /* RFC4388 para 6.4.2 */
+	  if (lease->agent_id)
+	    {
+	      unsigned char *sopt ;
+	      
+	      for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next)
+		{
+		  int search;
+		  
+		  if (vendor->match_type == MATCH_CIRCUIT)
+		    search = SUBOPT_CIRCUIT_ID;
+		  else if (vendor->match_type == MATCH_REMOTE)
+		    search = SUBOPT_REMOTE_ID;
+		  else if (vendor->match_type == MATCH_SUBSCRIBER)
+		    search = SUBOPT_SUBSCR_ID;
+		  else 
+		    continue;
+		  
+		  if ((sopt = option_find1(lease->agent_id, lease->agent_id + lease->agent_id_len, search, 1)) &&
+		      vendor->len == option_len(sopt) &&
+		      memcmp(option_ptr(sopt, 0), vendor->data, vendor->len) == 0)
+		    {
+		      vendor->netid.next = netid;
+		      netid = &vendor->netid;
+		    }
+		}
+	      
+	      tagif_netid = run_tag_if(netid);
+	    }
+	  
+	  /* Now find the context for this lease and config for this host. */
+	  if ((context = narrow_context(daemon->dhcp, lease->addr, tagif_netid)))
+	    {
+	      if ((config = find_config(daemon->dhcp_conf, context, lease->clid, lease->clid_len, 
+					lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, lease->hostname, tagif_netid)))
+		{
+		  struct dhcp_netid_list *list;
+		  
+		  for (list = config->netid; list; list = list->next)
+		    {
+		      list->list->next = netid;
+		      netid = list->list;
+		    }
+
+		  tagif_netid = run_tag_if(netid);
+		}
+	      
+	      if (context->netid.net)
+		{
+		  context->netid.next = netid;
+		  tagif_netid = run_tag_if(&context->netid);
+		}
+
+	      log_tags(tagif_netid, ntohl(mess->xid));
+	      emac = extended_hwaddr(lease->hwaddr_type, lease->hwaddr_len, lease->hwaddr, lease->clid_len, lease->clid, &emac_len);
+	      mess_type = DHCPLEASEACTIVE;
+	      daemon->metrics[METRIC_DHCPLEASEACTIVE]++;
+	    }
+	}
+      
+      log_packet(mess_type == DHCPLEASEACTIVE ? "DHCPLEASEACTIVE" : (mess_type == DHCPLEASEUNASSIGNED ? "DHCPLEASEUNASSIGNED" : "DHCPLEASEUNKNOWN"),
+		 mess_type == DHCPLEASEACTIVE ? &lease->addr : (mess->ciaddr.s_addr != 0 ? &mess->ciaddr : NULL),
+		 emac_len != 0 ? emac : NULL, emac_len,
+		 iface_name, mess_type == DHCPLEASEACTIVE ? lease->hostname : NULL, NULL, mess->xid);
+      
+      clear_packet(mess, end);
+      option_put(mess, end, OPTION_MESSAGE_TYPE, 1, mess_type);
+      
+      if (mess_type == DHCPLEASEUNKNOWN)
+	{
+	  daemon->metrics[METRIC_DHCPLEASEUNKNOWN]++;
+	  mess->ciaddr.s_addr = 0;
+	}
+      
+      if (mess_type == DHCPLEASEACTIVE)
+	{
+	  unsigned char *p;
+	  
+	  mess->ciaddr = lease->addr;
+	  mess->hlen = lease->hwaddr_len;
+	  mess->htype = lease->hwaddr_type;
+	  memcpy(mess->chaddr, lease->hwaddr, lease->hwaddr_len);
+	  
+	  if (lease->clid && in_list(req_options, OPTION_CLIENT_ID) &&
+	      (p = free_space(mess, end, OPTION_CLIENT_ID, lease->clid_len)))
+	    memcpy(p, lease->clid, lease->clid_len);
+	  
+	  if (in_list(req_options, OPTION_LEASE_TIME))
+	    {
+	      if (lease->expires == 0) /* infinite lease */
+		option_put(mess, end, OPTION_LEASE_TIME, 4, 0xffffffff);
+	      else
+		option_put(mess, end, OPTION_LEASE_TIME, 4, (unsigned int)(lease->expires - now));
+	    }
+	  
+	  if (lease->expires != 0)
+	    {
+	      time = calc_time(context, config, NULL);
+
+	      if (in_list(req_options, OPTION_T1) && (lease->expires - now) > time/2)
+		option_put(mess, end, OPTION_T1, 4, ((unsigned int)(lease->expires - now)) - time/2);
+	      if (in_list(req_options, OPTION_T2) && (lease->expires - now) > time/8)
+		option_put(mess, end, OPTION_T2, 4, ((unsigned int)(lease->expires - now)) - time/8);
+	      if (in_list(req_options, OPTION_LAST_TRANSACTION) && (lease->expires - now) < time)
+		option_put(mess, end, OPTION_LAST_TRANSACTION, 4, time - ((unsigned int)(lease->expires - now)));
+	    }
+	  
+	  if (lease->vendorclass)
+	    {
+	      memcpy(daemon->dhcp_buff3, lease->vendorclass, lease->vendorclass_len);
+	      vendor_class_len = lease->vendorclass_len;
+	    }
+	  
+	  subnet_addr.s_addr = 0;
+	  do_options(context, mess, end, req_options, lease->hostname, get_domain(lease->addr), netid, subnet_addr,
+		     0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0, NULL, 1);
+	  
+	  /* Does this have to be last for leasequery replies also? RFC 4388 is silent on the subject. */
+	  if (lease->agent_id && in_list(req_options, OPTION_AGENT_ID) &&
+	      (p = free_space(mess, end, OPTION_AGENT_ID, lease->agent_id_len)))
+	    memcpy(p, lease->agent_id, lease->agent_id_len);
+	}
+      
+      return dhcp_packet_size(mess, NULL, real_end);
+            
    case DHCPDECLINE:
      if (!(opt = option_find(mess, sz, OPTION_SERVER_IDENTIFIER, INADDRSZ)) ||
 	  option_addr(opt).s_addr != server_id(context, override, fallback).s_addr)
@@ -1197,7 +1384,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
      option_put(mess, end, OPTION_LEASE_TIME, 4, time);
      /* T1 and T2 are required in DHCPOFFER by HP's wacky Jetdirect client. */
      do_options(context, mess, end, req_options, offer_hostname, get_domain(mess->yiaddr), 
-		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor);
+		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor, 0);
      
      return dhcp_packet_size(mess, agent_id, real_end);
 	
@@ -1528,7 +1715,21 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  
 	  lease_set_expires(lease, time, now);
 	  lease_set_interface(lease, int_index, now);
-
+	  
+	  if (option_bool(OPT_LEASEQUERY))
+	    {
+	      if (agent_id)
+		lease_set_agent_id(lease, option_ptr(agent_id, 0), option_len(agent_id));
+	      if (vendor_class_len != 0)
+		lease_set_vendorclass(lease, (unsigned char *)daemon->dhcp_buff3, vendor_class_len);
+	    }
+	  else
+	    {
+	      /* if leasequery no longer enabled, remove stuff that may have been stored when it was. */
+	      lease_set_agent_id(lease, NULL, 0);
+	      lease_set_vendorclass(lease, NULL, 0);
+	    }
+	  
 	  if (override.s_addr != 0)
 	    lease->override = override;
 	  else
@@ -1544,7 +1745,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  if (rapid_commit)
 	     option_put(mess, end, OPTION_RAPID_COMMIT, 0, 0);
 	   do_options(context, mess, end, req_options, hostname, get_domain(mess->yiaddr), 
-		     netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor);
+		      netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor, 0);
 	}

      return dhcp_packet_size(mess, agent_id, real_end); 
@@ -1611,7 +1812,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	}

      do_options(context, mess, end, req_options, hostname, get_domain(mess->ciaddr),
-		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, 0xffffffff, 0, pxevendor);
+		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, 0xffffffff, 0, pxevendor, 0);
      
      *is_inform = 1; /* handle reply differently */
      return dhcp_packet_size(mess, agent_id, real_end); 
@@ -1720,29 +1921,33 @@ static void log_packet(char *type, void *addr, unsigned char *ext_mac,
  if (!err && !option_bool(OPT_LOG_OPTS) && option_bool(OPT_QUIET_DHCP))
    return;
  
-  daemon->addrbuff[0] = 0;
+  daemon->addrbuff[0] = daemon->namebuff[0] = 0;
+  
  if (addr)
    inet_ntop(AF_INET, addr, daemon->addrbuff, ADDRSTRLEN);
  
-  print_mac(daemon->namebuff, ext_mac, mac_len);
+  if (ext_mac)
+    print_mac(daemon->namebuff, ext_mac, mac_len);
  
  if (option_bool(OPT_LOG_OPTS))
-    my_syslog(MS_DHCP | LOG_INFO, "%u %s(%s) %s%s%s %s%s",
+    my_syslog(MS_DHCP | LOG_INFO, "%u %s(%s) %s%s%s%s%s%s",
 	      ntohl(xid), 
 	      type,
 	      interface, 
 	      daemon->addrbuff,
 	      addr ? " " : "",
 	      daemon->namebuff,
+	      ext_mac ? " " : "",
 	      string ? string : "",
 	      err ? err : "");
  else
-    my_syslog(MS_DHCP | LOG_INFO, "%s(%s) %s%s%s %s%s",
+    my_syslog(MS_DHCP | LOG_INFO, "%s(%s) %s%s%s%s%s%s",
 	      type,
 	      interface, 
 	      daemon->addrbuff,
 	      addr ? " " : "",
 	      daemon->namebuff,
+	      ext_mac ? " " : "",
 	      string ? string : "",
 	      err ? err : "");
  
@@ -2412,7 +2617,8 @@ static void do_options(struct dhcp_context *context,
 		       time_t now,
 		       unsigned int lease_time,
 		       unsigned short fuzz,
-		       const char *pxevendor)
+		       const char *pxevendor,
+		       int leasequery)
 {
  struct dhcp_opt *opt, *config_opts = daemon->dhcp_opts;
  struct dhcp_boot *boot;
@@ -2450,70 +2656,73 @@ static void do_options(struct dhcp_context *context,
 	}
    }
      
-  for (id_list = daemon->force_broadcast; id_list; id_list = id_list->next)
-    if ((!id_list->list) || match_netid(id_list->list, netid, 0))
-      break;
-  if (id_list)
-    mess->flags |= htons(0x8000); /* force broadcast */
-  
-  if (context)
-    mess->siaddr = context->local;
-  
-  /* See if we can send the boot stuff as options.
-     To do this we need a requested option list, BOOTP
-     and very old DHCP clients won't have this, we also 
-     provide a manual option to disable it.
-     Some PXE ROMs have bugs (surprise!) and need zero-terminated 
-     names, so we always send those.  */
-  if ((boot = find_boot(tagif)))
+  if (!leasequery)
    {
-      if (boot->sname)
-	{	  
-	  if (!option_bool(OPT_NO_OVERRIDE) &&
-	      req_options && 
-	      in_list(req_options, OPTION_SNAME))
-	    option_put_string(mess, end, OPTION_SNAME, boot->sname, 1);
-	  else
-	    safe_strncpy((char *)mess->sname, boot->sname, sizeof(mess->sname));
-	}
+      for (id_list = daemon->force_broadcast; id_list; id_list = id_list->next)
+	if ((!id_list->list) || match_netid(id_list->list, netid, 0))
+	  break;
+      if (id_list)
+	mess->flags |= htons(0x8000); /* force broadcast */
      
-      if (boot->file)
+      if (context)
+	mess->siaddr = context->local;
+     
+      /* See if we can send the boot stuff as options.
+	 To do this we need a requested option list, BOOTP
+	 and very old DHCP clients won't have this, we also 
+	 provide a manual option to disable it.
+	 Some PXE ROMs have bugs (surprise!) and need zero-terminated 
+	 names, so we always send those.  */
+      if ((boot = find_boot(tagif)))
 	{
-	  if (!option_bool(OPT_NO_OVERRIDE) &&
-	      req_options && 
-	      in_list(req_options, OPTION_FILENAME))
-	    option_put_string(mess, end, OPTION_FILENAME, boot->file, 1);
-	  else
-	    safe_strncpy((char *)mess->file, boot->file, sizeof(mess->file));
+	  if (boot->sname)
+	    {	  
+	      if (!option_bool(OPT_NO_OVERRIDE) &&
+		  req_options && 
+		  in_list(req_options, OPTION_SNAME))
+		option_put_string(mess, end, OPTION_SNAME, boot->sname, 1);
+	      else
+		safe_strncpy((char *)mess->sname, boot->sname, sizeof(mess->sname));
+	    }
+	  
+	  if (boot->file)
+	    {
+	      if (!option_bool(OPT_NO_OVERRIDE) &&
+		  req_options && 
+		  in_list(req_options, OPTION_FILENAME))
+		option_put_string(mess, end, OPTION_FILENAME, boot->file, 1);
+	      else
+		safe_strncpy((char *)mess->file, boot->file, sizeof(mess->file));
+	    }
+	  
+	  if (boot->next_server.s_addr) 
+	    mess->siaddr = boot->next_server;
+	  else if (boot->tftp_sname)
+	    mess->siaddr = a_record_from_hosts(boot->tftp_sname, now);
 	}
-      
-      if (boot->next_server.s_addr) 
-	mess->siaddr = boot->next_server;
-      else if (boot->tftp_sname)
-	mess->siaddr = a_record_from_hosts(boot->tftp_sname, now);
-    }
-  else
-    /* Use the values of the relevant options if no dhcp-boot given and
-       they're not explicitly asked for as options. OPTION_END is used
-       as an internal way to specify siaddr without using dhcp-boot, for use in
-       dhcp-optsfile. */
-    {
-      if ((!req_options || !in_list(req_options, OPTION_FILENAME)) &&
-	  (opt = option_find2(OPTION_FILENAME)) && !(opt->flags & DHOPT_FORCE))
+      else
+	/* Use the values of the relevant options if no dhcp-boot given and
+	   they're not explicitly asked for as options. OPTION_END is used
+	   as an internal way to specify siaddr without using dhcp-boot, for use in
+	   dhcp-optsfile. */
 	{
-	  safe_strncpy((char *)mess->file, (char *)opt->val, sizeof(mess->file));
-	  done_file = 1;
+	  if ((!req_options || !in_list(req_options, OPTION_FILENAME)) &&
+	      (opt = option_find2(OPTION_FILENAME)) && !(opt->flags & DHOPT_FORCE))
+	    {
+	      safe_strncpy((char *)mess->file, (char *)opt->val, sizeof(mess->file));
+	      done_file = 1;
+	    }
+	  
+	  if ((!req_options || !in_list(req_options, OPTION_SNAME)) &&
+	      (opt = option_find2(OPTION_SNAME)) && !(opt->flags & DHOPT_FORCE))
+	    {
+	      safe_strncpy((char *)mess->sname, (char *)opt->val, sizeof(mess->sname));
+	      done_server = 1;
+	    }
+	  
+	  if ((opt = option_find2(OPTION_END)))
+	    mess->siaddr.s_addr = ((struct in_addr *)opt->val)->s_addr;	
 	}
-      
-      if ((!req_options || !in_list(req_options, OPTION_SNAME)) &&
-	  (opt = option_find2(OPTION_SNAME)) && !(opt->flags & DHOPT_FORCE))
-	{
-	  safe_strncpy((char *)mess->sname, (char *)opt->val, sizeof(mess->sname));
-	  done_server = 1;
-	}
-      
-      if ((opt = option_find2(OPTION_END)))
-	mess->siaddr.s_addr = ((struct in_addr *)opt->val)->s_addr;	
    }
        
  /* We don't want to do option-overload for BOOTP, so make the file and sname
@@ -2534,7 +2743,7 @@ static void do_options(struct dhcp_context *context,
    end -= 3;

  /* rfc3011 says this doesn't need to be in the requested options list. */
-  if (subnet_addr.s_addr)
+  if (!leasequery && subnet_addr.s_addr)
    option_put(mess, end, OPTION_SUBNET_SELECT, INADDRSZ, ntohl(subnet_addr.s_addr));
   
  if (lease_time != 0xffffffff)
@@ -2575,14 +2784,17 @@ static void do_options(struct dhcp_context *context,
  /* replies to DHCPINFORM may not have a valid context */
  if (context)
    {
-      if (!option_find2(OPTION_NETMASK))
+      /* Netmask and broadcast always sent, except leasequery. */
+      if (!option_find2(OPTION_NETMASK) &&
+	  (!leasequery || in_list(req_options, OPTION_NETMASK)))
 	option_put(mess, end, OPTION_NETMASK, INADDRSZ, ntohl(context->netmask.s_addr));
-  
+      
      /* May not have a "guessed" broadcast address if we got no packets via a relay
 	 from this net yet (ie just unicast renewals after a restart */
      if (context->broadcast.s_addr &&
-	  !option_find2(OPTION_BROADCAST))
-	option_put(mess, end, OPTION_BROADCAST, INADDRSZ, ntohl(context->broadcast.s_addr));
+	  !option_find2(OPTION_BROADCAST) &&
+	  (!leasequery || in_list(req_options, OPTION_BROADCAST)))
+    	option_put(mess, end, OPTION_BROADCAST, INADDRSZ, ntohl(context->broadcast.s_addr));
      
      /* Same comments as broadcast apply, and also may not be able to get a sensible
 	 default when using subnet select.  User must configure by steam in that case. */
@@ -2663,7 +2875,7 @@ static void do_options(struct dhcp_context *context,
 	continue;
      
      /* was it asked for, or are we sending it anyway? */
-      if (!(opt->flags & DHOPT_FORCE) && !in_list(req_options, optno))
+      if ((!(opt->flags & DHOPT_FORCE) || leasequery) && !in_list(req_options, optno))
 	continue;
      
      /* prohibit some used-internally options. T1 and T2 already handled. */
@@ -2721,7 +2933,7 @@ static void do_options(struct dhcp_context *context,
  handle_encap(mess, end, req_options, null_term, tagif, pxe_arch != 1);
  
  force_encap = prune_vendor_opts(tagif);
-  
+    
  if (context && pxe_arch != -1)
    {
      pxe_misc(mess, end, uuid, pxevendor);
@@ -2729,8 +2941,8 @@ static void do_options(struct dhcp_context *context,
 	config_opts = pxe_opts(pxe_arch, tagif, context->local, now);
    }

-  if ((force_encap || in_list(req_options, OPTION_VENDOR_CLASS_OPT)) &&
-      do_encap_opts(config_opts, OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, null_term) && 
+  if ((force_encap || in_list(req_options, OPTION_VENDOR_CLASS_OPT) || in_list(req_options, OPTION_VENDOR_ID)) &&
+      (leasequery || do_encap_opts(config_opts, OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, null_term)) && 
      pxe_arch == -1 && !done_vendor_class && vendor_class_len != 0 &&
      (p = free_space(mess, end, OPTION_VENDOR_ID, vendor_class_len)))
    /* If we send vendor encapsulated options, and haven't already sent option 60,
@@ -2843,4 +3055,211 @@ static void apply_delay(u32 xid, time_t recvtime, struct dhcp_netid *netid)
    }
 }

+void relay_upstream4(struct in_addr iface_addr, int iface_index, struct dhcp_packet *mess, size_t sz, int unicast)
+{
+  struct in_addr giaddr = mess->giaddr;
+  u8 hops = mess->hops;
+  struct dhcp_relay *relay;
+  size_t orig_sz = sz;
+  unsigned char *endopt = NULL;
+    
+  if (mess->op != BOOTREQUEST || (mess->hops++) > 20)
+    return;
+  
+  for (relay = daemon->relay4; relay; relay = relay->next)
+    {
+      union mysockaddr to;
+      union all_addr from;
+      struct ifreq ifr;
+
+      /* restore orig packet */
+      mess->giaddr = giaddr;
+      if (endopt)
+	*endopt = OPTION_END;
+      sz = orig_sz;
+
+      if (relay->interface)
+	{
+	  safe_strncpy(ifr.ifr_name, relay->interface, IF_NAMESIZE);
+	  ifr.ifr_addr.sa_family = AF_INET;
+	}
+      
+      if (!relay->split_mode && relay->iface_index && relay->iface_index == iface_index)
+	{
+	  /* already gatewayed ? */
+	  if (giaddr.s_addr)
+	    {
+	      /* if so check if by us, to stomp on loops. */
+	      if (giaddr.s_addr == relay->local.addr4.s_addr)
+		continue;
+	    }
+	  else
+	    /* plug in our address */
+	    mess->giaddr = relay->local.addr4;
+	  
+	  from.addr4 = relay->local.addr4;
+	}
+      else if (relay->split_mode && relay->local.addr4.s_addr == iface_addr.s_addr)
+	{
+	  /* Split mode. We put our address on the server-facing interface
+	     or a directly specified third address into giaddr for the server to talk back to us on.
+	     
+	     Our address on client-facing interface goes into agent-id subnet-selector subopt,
+	     so that the server allocates the correct address. We also send a
+	     remote-id with the interface on which the request arrived,
+	     so that we can send the reply back the same way. */
+	  unsigned int net_index = htonl(iface_index);
+	  
+	  if (relay->interface)
+	    {
+	      /* get our address on the server-facing interface. */
+	      if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) == -1)
+		{
+		  my_syslog(MS_DHCP | LOG_ERR, _("Cannot send to server via interface %s: %s"), relay->interface, strerror(errno));
+		  continue;
+		}
+	      
+	      relay->uplink.addr4 = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	    }
+	  
+	  /* already gatewayed ? */
+	  if (giaddr.s_addr)
+	    {
+	      /* if so check if by us, to stomp on loops. */
+	      if (giaddr.s_addr == relay->uplink.addr4.s_addr)
+		continue;
+	    }
+	  else
+	    {
+	      /* giaddr is our address on the outgoing interface in split mode. */
+	      mess->giaddr = relay->uplink.addr4;
+	      
+	      if (!endopt)
+		{
+		  /* Add an RFC3026 relay agent information option (2 bytes) at the very end of the options.
+		     Said option to contain a RFC 3527 link selection sub option (6 bytes) and
+		     RFC 5017 serverid-override option (6 bytes) and RFC5010 flags (3 bytes) and
+		     an RFC3046 remote-id which holds an interface index (6 bytes)
+		     
+		     New END option is a 24th byte, so we need 24 bytes free.
+		     We only need to do this once, and poke the address/interface/flags into the same place each time. */
+		  
+		  if (!(endopt = option_find1((&mess->options[0] + sizeof(u32)), ((unsigned char *)mess) + sz, OPTION_END, 0)) ||
+		      (endopt + 24 > (unsigned char *)(mess + 1)))
+		    continue;
+		  
+		  endopt[1] = 21; /* length */
+		  endopt[2] = SUBOPT_SUBNET_SELECT;
+		  endopt[3] = 4; /* length */
+		  endopt[8] = SUBOPT_SERVER_OR;
+		  endopt[9] = 4;
+		  endopt[14] = SUBOPT_FLAGS;
+		  endopt[15] = 1; /* length */
+		  endopt[17] = SUBOPT_REMOTE_ID;
+		  endopt[18] = 4; /* length */
+		  endopt[23] = OPTION_END;
+		  sz = (endopt - (unsigned char *)mess) + 24;
+		}
+	      
+	      /* IP address is already in network byte order */
+	      memcpy(&endopt[4], &relay->local.addr4.s_addr, INADDRSZ);
+	      memcpy(&endopt[10], &relay->local.addr4.s_addr, INADDRSZ);
+	      endopt[16] = unicast ? 0x80 : 0x00;
+	      memcpy(&endopt[19], &net_index, 4);
+	      endopt[0] = OPTION_AGENT_ID;
+	    }
+	  
+	  from.addr4 = relay->uplink.addr4;
+	}
+      else
+	continue;
+	
+      to.sa.sa_family = AF_INET;
+      to.in.sin_addr = relay->server.addr4;
+      to.in.sin_port = htons(relay->port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+      to.in.sin_len = sizeof(struct sockaddr_in);
+#endif
+      
+      /* Broadcasting to server. */
+      if (relay->server.addr4.s_addr == 0)
+	{
+	  if (ioctl(daemon->dhcpfd, SIOCGIFBRDADDR, &ifr) == -1)
+	    {
+	      my_syslog(MS_DHCP | LOG_ERR, _("Cannot broadcast DHCP relay via interface %s: %s"), relay->interface, strerror(errno));
+	      continue;
+	    }
+	  
+	  to.in.sin_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
+	}
+      
+#ifdef HAVE_DUMPFILE
+      {
+	union mysockaddr fromsock;
+	fromsock.in.sin_port = htons(daemon->dhcp_server_port);
+	fromsock.in.sin_addr = from.addr4;
+	fromsock.sa.sa_family = AF_INET;
+	
+	dump_packet_udp(DUMP_DHCP, (void *)mess, sz, &fromsock, &to, -1);
+      }
+#endif
+      
+      send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
+      
+      if (option_bool(OPT_LOG_OPTS))
+	{
+	  inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
+	  if (relay->server.addr4.s_addr == 0)
+	    snprintf(daemon->dhcp_buff2, DHCP_BUFF_SZ, _("broadcast via %s"), relay->interface);
+	  else
+	    inet_ntop(AF_INET, &relay->server.addr4, daemon->dhcp_buff2, DHCP_BUFF_SZ);
+	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay at %s -> %s"), daemon->addrbuff, daemon->dhcp_buff2);
+	}
+    }
+  
+  /* restore in case of a local reply. */
+  mess->hops = hops;
+  mess->giaddr = giaddr;
+  if (endopt)
+    *endopt = OPTION_END;
+}
+
+unsigned int relay_reply4(struct dhcp_packet *mess, size_t sz, char *arrival_interface)
+{
+  struct dhcp_relay *relay;
+    
+  if (mess->giaddr.s_addr == 0 || mess->op != BOOTREPLY)
+    return 0;
+
+  for (relay = daemon->relay4; relay; relay = relay->next)
+    {
+      unsigned int return_iface = 0;
+
+      if (relay->split_mode)
+	{
+	  unsigned char *opt, *sopt;
+	  
+	  /* giaddr is our address on the returning interface in split mode. */
+	  if (mess->giaddr.s_addr == relay->uplink.addr4.s_addr &&
+	      (opt = option_find(mess, sz, OPTION_AGENT_ID, 1)))
+	    {
+	      if ((sopt = option_find1(option_ptr(opt, 0), option_ptr(opt, option_len(opt)), SUBOPT_REMOTE_ID, sizeof(unsigned int))))
+		return_iface = option_uint(sopt, 0, sizeof(unsigned int));
+
+	      /* delete agent info before return RFC 3046 para 2.1 */
+	      *opt = OPTION_END;
+	      memset(opt + 1, 0, option_len(opt) + 2);
+	    }
+	}
+      else if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
+	return_iface = relay->iface_index;
+      
+      if (return_iface && (!relay->interface || wildcard_match(relay->interface, arrival_interface)))
+	return return_iface;
+    }
+  
+  return 0;	 
+}     
+
+
 #endif /* HAVE_DHCP */
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -21,7 +21,7 @@

 struct state {
  unsigned char *clid;
-  int clid_len, ia_type, interface, hostname_auth, lease_allocate;
+  int multicast_dest, clid_len, ia_type, interface, hostname_auth, lease_allocate;
  char *client_hostname, *hostname, *domain, *send_domain;
  struct dhcp_context *context;
  struct in6_addr *link_address, *fallback, *ll_addr, *ula_addr;
@@ -68,7 +68,7 @@ static void calculate_times(struct dhcp_context *context, unsigned int *min_time
 #define opt6_user_vendor_next(opt, end) (opt6_next(((uint8_t *) opt) - 2, end))
 

-unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *iface_name,
+unsigned short dhcp6_reply(struct dhcp_context *context, int multicast_dest, int interface, char *iface_name,
 			   struct in6_addr *fallback,  struct in6_addr *ll_addr, struct in6_addr *ula_addr,
 			   size_t sz, struct in6_addr *client_addr, time_t now)
 {
@@ -87,6 +87,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
  
  reset_counter();
  state.context = context;
+  state.multicast_dest = multicast_dest;
  state.interface = interface;
  state.iface_name = iface_name;
  state.fallback = fallback;
@@ -244,7 +245,11 @@ static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t
 	      struct in6_addr align;
 	      /* the packet data is unaligned, copy to aligned storage */
 	      memcpy(&align, inbuff + 2, IN6ADDRSZ); 
-	      state->link_address = &align;
+
+
+	      /* RFC6221 para 4 */
+	      if (!IN6_IS_ADDR_UNSPECIFIED(&align))
+		state->link_address = &align;
 	      /* zero is_unicast since that is now known to refer to the 
 		 relayed packet, not the original sent by the client */
 	      if (!dhcp6_maybe_relay(state, opt6_ptr(opt, 0), opt6_len(opt), client_addr, 0, now))
@@ -333,20 +338,24 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
  else if (msg_type != DHCP6IREQ)
    return 0;

-  /* server-id must match except for SOLICIT, CONFIRM and REBIND messages, which MUST NOT
-     have a server-id.  3315 para 15.x */
  opt = opt6_find(state->packet_options, state->end, OPTION6_SERVER_ID, 1);
-
-  if (msg_type == DHCP6SOLICIT || msg_type == DHCP6CONFIRM || msg_type == DHCP6REBIND)
+  
+  if (msg_type == DHCP6SOLICIT || msg_type == DHCP6CONFIRM || msg_type == DHCP6REBIND || msg_type == DHCP6IREQ)
    {
-      if (opt)
+      /* Above message types must be multicast 3315 Section 15. */
+      if (!state->multicast_dest)
 	return 0;
-    }
-  else if (msg_type == DHCP6IREQ)
-    {
-      /* If server-id provided, it must match. */
-      if (opt && (opt6_len(opt) != daemon->duid_len ||
-		  memcmp(opt6_ptr(opt, 0), daemon->duid, daemon->duid_len) != 0))
+
+      /* server-id must match except for SOLICIT, CONFIRM and REBIND messages, which MUST NOT
+	 have a server-id.  3315 para 15.x */
+      if (msg_type == DHCP6IREQ)
+	{
+	  /* If server-id provided in IREQ, it must match. */
+	  if (opt && (opt6_len(opt) != daemon->duid_len ||
+		      memcmp(opt6_ptr(opt, 0), daemon->duid, daemon->duid_len) != 0))
+	    return 0;
+	}
+      else if (opt) 
 	return 0;
    }
  else
@@ -634,7 +643,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
      
    case DHCP6SOLICIT:
      {
-      	int address_assigned = 0;
+      	int address_assigned;
 	/* tags without all prefix-class tags */
 	struct dhcp_netid *solicit_tags;
 	struct dhcp_context *c;
@@ -653,6 +662,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu

      request_no_address:
 	solicit_tags = tagif;
+	address_assigned = 0;
 	
 	if (ignore)
 	  return 0;
@@ -764,15 +774,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 	    
 	    if (address_assigned != 1)
 	      {
-		/* If the server will not assign any addresses to any IAs in a
-		   subsequent Request from the client, the server MUST send an Advertise
-		   message to the client that doesn't include any IA options. */
-		if (!state->lease_allocate)
-		  {
-		    save_counter(o);
-		    continue;
-		  }
-		
 		/* If the server cannot assign any addresses to an IA in the message
 		   from the client, the server MUST include the IA in the Reply message
 		   with no addresses in the IA and a Status Code option in the IA
@@ -799,7 +800,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 	    o = new_opt6(OPTION6_PREFERENCE);
 	    put_opt6_char(option_bool(OPT_AUTHORITATIVE) ? 255 : 0);
 	    end_opt6(o);
-	    tagif = add_options(state, 0);
 	  }
 	else
 	  { 
@@ -819,7 +819,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 		  break;
 		}
 	  }
-
+	
+	tagif = add_options(state, 0);
 	break;
      }
      
@@ -977,8 +978,10 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 		  {
 		    if (msg_type == DHCP6REBIND)
 		      {
-			/* When rebinding, we can create a lease if it doesn't exist. */
-			lease = lease6_allocate(&req_addr, state->ia_type == OPTION6_IA_NA ? LEASE_NA : LEASE_TA);
+			/* When rebinding, we can create a lease if it doesn't exist, as long
+			   as --dhcp-authoritative is set. */
+			if (option_bool(OPT_AUTHORITATIVE))
+			  lease = lease6_allocate(&req_addr, state->ia_type == OPTION6_IA_NA ? LEASE_NA : LEASE_TA);
 			if (lease)
 			  lease_set_iaid(lease, state->iaid);
 			else
@@ -1593,9 +1596,14 @@ static void get_context_tag(struct state *state, struct dhcp_context *context)

 static int check_ia(struct state *state, void *opt, void **endp, void **ia_option)
 {
-  state->ia_type = opt6_type(opt);
  *ia_option = NULL;

+  /* must be a minimal option to check without stepping outside received packet. */
+  if (opt6_ptr(opt, 4) > state->end)
+    return 0;
+  
+  state->ia_type = opt6_type(opt);
+  
  if (state->ia_type != OPTION6_IA_NA && state->ia_type != OPTION6_IA_TA)
    return 0;
  
@@ -1605,7 +1613,10 @@ static int check_ia(struct state *state, void *opt, void **endp, void **ia_optio
  if (state->ia_type == OPTION6_IA_TA && opt6_len(opt) < 4)
    return 0;
  
-  *endp = opt6_ptr(opt, opt6_len(opt));
+  /* Check we don't overflow the received packet. */
+  if ((*endp = opt6_ptr(opt, opt6_len(opt))) > state->end)
+    return 0;
+  
  state->iaid = opt6_uint(opt, 0, 4);
  *ia_option = opt6_find(opt6_ptr(opt, state->ia_type == OPTION6_IA_NA ? 12 : 4), *endp, OPTION6_IAADDR, 24);

@@ -2276,64 +2287,61 @@ int relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival_interface)
    {
      void *opt, *opts = inbuff + 34;
      void *end = inbuff + sz;
-      for (opt = opts; opt; opt = opt6_next(opt, end))
-	if (opt6_type(opt) == OPTION6_RELAY_MSG && opt6_len(opt) > 0)
-	  {
-	    int encap_type = *((unsigned char *)opt6_ptr(opt, 0));
-	    put_opt6(opt6_ptr(opt, 0), opt6_len(opt));
-	    memcpy(&peer->sin6_addr, &inbuff[18], IN6ADDRSZ); 
-	    peer->sin6_scope_id = relay->iface_index;
-
-	    if (encap_type == DHCP6RELAYREPL)
-	      {
-		peer->sin6_port = ntohs(DHCPV6_SERVER_PORT);
-		return 1;
-	      }
-
-	    peer->sin6_port = ntohs(DHCPV6_CLIENT_PORT);
-	    
-#ifdef HAVE_SCRIPT
-	    if (daemon->lease_change_command && encap_type == DHCP6REPLY)
-	      {
-		/* decapsulate relayed message */
-		opts = opt6_ptr(opt, 4);
-		end = opt6_ptr(opt, opt6_len(opt));
-
-		for (opt = opts; opt; opt = opt6_next(opt, end))
-		  if (opt6_type(opt) == OPTION6_IA_PD && opt6_len(opt) > 12) 
-		    {
-		      void *ia_opts = opt6_ptr(opt, 12);
-		      void *ia_end = opt6_ptr(opt, opt6_len(opt));
-		      void *ia_opt;
-		      
-		      for (ia_opt = ia_opts; ia_opt; ia_opt = opt6_next(ia_opt, ia_end))
-			/* valid lifetime must not be zero. */
-			if (opt6_type(ia_opt) == OPTION6_IAPREFIX && opt6_len(ia_opt) >= 25 && opt6_uint(ia_opt, 4, 4) != 0)
-			  {
-			    if (daemon->free_snoops ||
-				(daemon->free_snoops = whine_malloc(sizeof(struct snoop_record))))
-			      {
-				struct snoop_record *snoop = daemon->free_snoops;
-				
-				daemon->free_snoops = snoop->next;
-				snoop->client = peer->sin6_addr;
-				snoop->prefix_len = opt6_uint(ia_opt, 8, 1); 
-				memcpy(&snoop->prefix, opt6_ptr(ia_opt, 9), IN6ADDRSZ); 
-				snoop->next = relay->snoop_records;
-				relay->snoop_records = snoop;
-			      }
-			  }
-		    }
-	      }
-#endif		
-	    return 1;
-	  }
      
+      if ((opt = opt6_find(opts, end, OPTION6_RELAY_MSG, 4)))
+	{
+	  int encap_type = opt6_uint(opt, 0, 1);
+	  put_opt6(opt6_ptr(opt, 0), opt6_len(opt));
+	  memcpy(&peer->sin6_addr, &inbuff[18], IN6ADDRSZ); 
+	  peer->sin6_scope_id = relay->iface_index;
+
+	  if (encap_type == DHCP6RELAYREPL)
+	    {
+	      peer->sin6_port = ntohs(DHCPV6_SERVER_PORT);
+	      return 1;
+	    }
+	  
+	  peer->sin6_port = ntohs(DHCPV6_CLIENT_PORT);
+	  
+#ifdef HAVE_SCRIPT
+	  if (daemon->lease_change_command && encap_type == DHCP6REPLY)
+	    {
+	      /* skip over message type and transaction-id. to get to options. */
+	      opts = opt6_ptr(opt, 4);
+	      end = opt6_ptr(opt, opt6_len(opt));
+
+	      if ((opt = opt6_find(opts, end, OPTION6_IA_PD, 12)))
+		{
+		  opts = opt6_ptr(opt, 12);
+		  end = opt6_ptr(opt, opt6_len(opt));
+		  
+		  for (opt = opt6_find(opts, end, OPTION6_IAPREFIX, 25); opt; opt = opt6_find(opt6_next(opt, end), end, OPTION6_IAPREFIX, 25))
+		    /* valid lifetime must not be zero. */
+		    if (opt6_uint(opt, 4, 4) != 0)
+		      {
+			if (daemon->free_snoops ||
+			    (daemon->free_snoops = whine_malloc(sizeof(struct snoop_record))))
+			  {
+			    struct snoop_record *snoop = daemon->free_snoops;
+			    
+			    daemon->free_snoops = snoop->next;
+			    snoop->client = peer->sin6_addr;
+			    snoop->prefix_len = opt6_uint(opt, 8, 1); 
+			    memcpy(&snoop->prefix, opt6_ptr(opt, 9), IN6ADDRSZ); 
+			    snoop->next = relay->snoop_records;
+			    relay->snoop_records = snoop;
+			  }
+		      }
+		}	      
+	    }
+#endif
+	  return 1;
+	}
    }
  
  return 0;
 }
-
+  
 #ifdef HAVE_SCRIPT
 int do_snoop_script_run(void)
 {
--- a/src/tables.c
+++ b/src/tables.c
@@ -18,7 +18,7 @@

 #include "dnsmasq.h"

-#if defined(HAVE_IPSET) && defined(HAVE_BSD_NETWORK)
+#if defined(HAVE_BSD_IPSET)

 #include <string.h>

--- a/src/tftp.c
+++ b/src/tftp.c
@@ -18,12 +18,12 @@

 #ifdef HAVE_TFTP

-static void handle_tftp(time_t now, struct tftp_transfer *transfer, ssize_t len);
-static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, char *client);
+static void handle_tftp(char *packet, time_t now, struct tftp_transfer *transfer, ssize_t len);
+static struct tftp_file *check_tftp_fileperm(char *packet, ssize_t *len, char *prefix, char *client);
 static void free_transfer(struct tftp_transfer *transfer);
 static ssize_t tftp_err(int err, char *packet, char *message, char *file, char *arg2);
 static ssize_t tftp_err_oops(char *packet, const char *file);
-static ssize_t get_block(char *packet, struct tftp_transfer *transfer);
+static ssize_t get_block(struct tftp_transfer *transfer);
 static char *next(char **p, char *end);
 static void sanitise(char *buf);

@@ -41,11 +41,10 @@ static void sanitise(char *buf);
 #define ERR_ILL    4
 #define ERR_TID    5

-void tftp_request(struct listener *listen, time_t now)
+static void tftp_request(char *packet, ssize_t plen, struct listener *listen, time_t now)
 {
  ssize_t len;
-  char *packet = daemon->packet;
-  char *filename, *mode, *p, *end, *opt;
+  char *filename, *mode, *p, *end;
  union mysockaddr addr, peer;
  struct msghdr msg;
  struct iovec iov;
@@ -87,12 +86,10 @@ void tftp_request(struct listener *listen, time_t now)
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;

+  /* packet buff is DNS name workspace. */
  iov.iov_base = packet;
-  iov.iov_len = daemon->packet_buff_sz;
-
-  /* we overwrote the buffer... */
-  daemon->srv_save = NULL;
-
+  iov.iov_len = plen;
+  
  if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2)
    return;

@@ -198,11 +195,11 @@ void tftp_request(struct listener *listen, time_t now)

      name = namebuff;
      
-      addra.addr4 = addr.in.sin_addr;
-
      if (family == AF_INET6)
 	addra.addr6 = addr.in6.sin6_addr;
-
+      else
+	addra.addr4 = addr.in.sin_addr;
+      
      if (daemon->tftp_interfaces)
 	{
 	  /* dedicated tftp interface list */
@@ -267,7 +264,7 @@ void tftp_request(struct listener *listen, time_t now)
 		}
 	      else
 		{
-		  handle_tftp(now, transfer, len);
+		  handle_tftp(packet, now, transfer, len);
 		  return;
 		}
 	    }
@@ -308,7 +305,9 @@ void tftp_request(struct listener *listen, time_t now)
  /* May reuse struct transfer from abandoned transfer in single port mode. */
  if (!transfer && !(transfer = whine_malloc(sizeof(struct tftp_transfer))))
    return;
-  
+
+  memset(transfer, 0, sizeof(struct tftp_transfer));
+	 
  if (option_bool(OPT_SINGLE_PORT))
    transfer->sockfd = listen->tftpfd;
  else if ((transfer->sockfd = socket(family, SOCK_DGRAM, 0)) == -1)
@@ -320,15 +319,15 @@ void tftp_request(struct listener *listen, time_t now)
  transfer->peer = peer;
  transfer->source = addra;
  transfer->if_index = if_index;
-  transfer->timeout = now + 2;
+  transfer->timeout = 2;
+  transfer->start = now;
  transfer->backoff = 1;
  transfer->block = 1;
+  transfer->ackprev = 0;
+  transfer->block_hi = 0;
  transfer->blocksize = 512;
-  transfer->offset = 0;
-  transfer->file = NULL;
-  transfer->opt_blocksize = transfer->opt_transize = 0;
-  transfer->netascii = transfer->carrylf = 0;
- 
+  transfer->windowsize = 1;
+  
  (void)prettyprint_addr(&peer, daemon->addrbuff);
  
  /* if we have a nailed-down range, iterate until we find a free one. */
@@ -361,136 +360,171 @@ void tftp_request(struct listener *listen, time_t now)
  
  p = packet + 2;
  end = packet + len;
+
+  len = 0;
  
-  if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
-      !(filename = next(&p, end)) ||
-      !(mode = next(&p, end)) ||
-      (strcasecmp(mode, "octet") != 0 && strcasecmp(mode, "netascii") != 0))
+  if (ntohs(*((unsigned short *)packet)) == OP_WRQ)
+    len = tftp_err(ERR_ILL, packet, _("unsupported write request from %s"),daemon->addrbuff, NULL);
+  else if (ntohs(*((unsigned short *)packet)) == OP_RRQ)
    {
-      len = tftp_err(ERR_ILL, packet, _("unsupported request from %s"), daemon->addrbuff, NULL);
-      is_err = 1;
-    }
-  else
-    {
-      if (strcasecmp(mode, "netascii") == 0)
-	transfer->netascii = 1;
-      
-      while ((opt = next(&p, end)))
+      if (!(filename = next(&p, end)))
+	len = tftp_err(ERR_ILL, packet, _("empty filename in request from %s"), daemon->addrbuff, NULL);
+      else if (!(mode = next(&p, end)) || (strcasecmp(mode, "octet") != 0 && strcasecmp(mode, "netascii") != 0))
+	len = tftp_err(ERR_ILL, packet, _("unsupported request from %s"),daemon->addrbuff, NULL);
+      else
 	{
-	  if (strcasecmp(opt, "blksize") == 0)
+	  char *opt, *arg;
+	  
+	  if (strcasecmp(mode, "netascii") == 0)
+	    transfer->netascii = 1;
+	  
+	  while ((opt = next(&p, end)) && (arg = next(&p, end)))
 	    {
-	      if ((opt = next(&p, end)) && !option_bool(OPT_TFTP_NOBLOCK))
+	      unsigned int val = atoi(arg);
+	      
+	      if (strcasecmp(opt, "blksize") == 0 && !option_bool(OPT_TFTP_NOBLOCK))
 		{
 		  /* 32 bytes for IP, UDP and TFTP headers, 52 bytes for IPv6 */
 		  int overhead = (family == AF_INET) ? 32 : 52;
-		  transfer->blocksize = atoi(opt);
-		  if (transfer->blocksize < 1)
-		    transfer->blocksize = 1;
-		  if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
-		    transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
-		  if (mtu != 0 && transfer->blocksize > (unsigned)mtu - overhead)
-		    transfer->blocksize = (unsigned)mtu - overhead;
+		  if (val < 1)
+		    val  = 1;
+		  if (val > (unsigned)daemon->packet_buff_sz - 4)
+		    val  = (unsigned)daemon->packet_buff_sz - 4;
+		  if (mtu != 0 && val > (unsigned)mtu - overhead)
+		    val  = (unsigned)mtu - overhead;
+		  transfer->blocksize = val;
 		  transfer->opt_blocksize = 1;
 		  transfer->block = 0;
 		}
-	    }
-	  else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
-	    {
-	      transfer->opt_transize = 1;
-	      transfer->block = 0;
-	    }
-	}
-
-      /* cope with backslashes from windows boxen. */
-      for (p = filename; *p; p++)
-	if (*p == '\\')
-	  *p = '/';
-	else if (option_bool(OPT_TFTP_LC))
-	  *p = tolower((unsigned char)*p);
-		
-      strcpy(daemon->namebuff, "/");
-      if (prefix)
-	{
-	  if (prefix[0] == '/')
-	    daemon->namebuff[0] = 0;
-	  strncat(daemon->namebuff, prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
-	  if (prefix[strlen(prefix)-1] != '/')
-	    strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
-
-	  if (option_bool(OPT_TFTP_APREF_IP))
-	    {
-	      size_t oldlen = strlen(daemon->namebuff);
-	      struct stat statbuf;
-	      
-	      strncat(daemon->namebuff, daemon->addrbuff, (MAXDNAME-1) - strlen(daemon->namebuff));
-	      strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
-	      
-	      /* remove unique-directory if it doesn't exist */
-	      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
-		daemon->namebuff[oldlen] = 0;
+	      else if (strcasecmp(opt, "tsize") == 0 && !transfer->netascii)
+		{
+		  transfer->opt_transize = 1;
+		  transfer->block = 0;
+		}
+	      else if (strcasecmp(opt, "timeout") == 0)
+		{
+		  if (val > 255)
+		    val = 255;
+		  transfer->timeout = val;
+		  transfer->opt_timeout = 1;
+		  transfer->block = 0;
+		}
+	      else if (strcasecmp(opt, "windowsize") == 0 && !transfer->netascii)
+		{
+		  /* windowsize option only supported for binary transfers. */
+		  if (val < 1)
+		    val = 1;
+		  if (val > TFTP_MAX_WINDOW)
+		    val = TFTP_MAX_WINDOW;
+		  transfer->windowsize = val;
+		  transfer->opt_windowsize = 1;
+		  transfer->block = 0;
+		}
 	    }
 	  
-	  if (option_bool(OPT_TFTP_APREF_MAC))
+	  /* cope with backslashes from windows boxen. */
+	  for (p = filename; *p; p++)
+	    if (*p == '\\')
+	      *p = '/';
+	    else if (option_bool(OPT_TFTP_LC))
+	      *p = tolower((unsigned char)*p);
+	  
+	  strcpy(daemon->namebuff, "/");
+	  if (prefix)
 	    {
-	      unsigned char *macaddr = NULL;
-	      unsigned char macbuf[DHCP_CHADDR_MAX];
+	      if (prefix[0] == '/')
+		daemon->namebuff[0] = 0;
+	      strncat(daemon->namebuff, prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
+	      if (prefix[strlen(prefix)-1] != '/')
+		strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
 	      
-#ifdef HAVE_DHCP
-	      if (daemon->dhcp && peer.sa.sa_family == AF_INET)
-	        {
-		  /* Check if the client IP is in our lease database */
-		  struct dhcp_lease *lease = lease_find_by_addr(peer.in.sin_addr);
-		  if (lease && lease->hwaddr_type == ARPHRD_ETHER && lease->hwaddr_len == ETHER_ADDR_LEN)
-		    macaddr = lease->hwaddr;
-		}
-#endif
-	      
-	      /* If no luck, try to find in ARP table. This only works if client is in same (V)LAN */
-	      if (!macaddr && find_mac(&peer, macbuf, 1, now) > 0)
-		macaddr = macbuf;
-	      
-	      if (macaddr)
-	        {
+	      if (option_bool(OPT_TFTP_APREF_IP))
+		{
 		  size_t oldlen = strlen(daemon->namebuff);
 		  struct stat statbuf;
-
-		  snprintf(daemon->namebuff + oldlen, (MAXDNAME-1) - oldlen, "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x/",
-			   macaddr[0], macaddr[1], macaddr[2], macaddr[3], macaddr[4], macaddr[5]);
+		  
+		  strncat(daemon->namebuff, daemon->addrbuff, (MAXDNAME-1) - strlen(daemon->namebuff));
+		  strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
 		  
 		  /* remove unique-directory if it doesn't exist */
 		  if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
 		    daemon->namebuff[oldlen] = 0;
 		}
+	      
+	      if (option_bool(OPT_TFTP_APREF_MAC))
+		{
+		  unsigned char *macaddr = NULL;
+		  unsigned char macbuf[DHCP_CHADDR_MAX];
+		  
+#ifdef HAVE_DHCP
+		  if (daemon->dhcp && peer.sa.sa_family == AF_INET)
+		    {
+		      /* Check if the client IP is in our lease database */
+		      struct dhcp_lease *lease = lease_find_by_addr(peer.in.sin_addr);
+		      if (lease && lease->hwaddr_type == ARPHRD_ETHER && lease->hwaddr_len == ETHER_ADDR_LEN)
+			macaddr = lease->hwaddr;
+		    }
+#endif
+		  
+		  /* If no luck, try to find in ARP table. This only works if client is in same (V)LAN */
+		  if (!macaddr && find_mac(&peer, macbuf, 1, now) > 0)
+		    macaddr = macbuf;
+		  
+		  if (macaddr)
+		    {
+		      size_t oldlen = strlen(daemon->namebuff);
+		      struct stat statbuf;
+		      
+		      snprintf(daemon->namebuff + oldlen, (MAXDNAME-1) - oldlen, "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x/",
+			       macaddr[0], macaddr[1], macaddr[2], macaddr[3], macaddr[4], macaddr[5]);
+		      
+		      /* remove unique-directory if it doesn't exist */
+		      if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
+			daemon->namebuff[oldlen] = 0;
+		    }
+		}
+	      
+	      /* Absolute pathnames OK if they match prefix */
+	      if (filename[0] == '/')
+		{
+		  if (strstr(filename, daemon->namebuff) == filename)
+		    daemon->namebuff[0] = 0;
+		  else
+		    filename++;
+		}
 	    }
+	  else if (filename[0] == '/')
+	    daemon->namebuff[0] = 0;
+	  strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
 	  
-	  /* Absolute pathnames OK if they match prefix */
-	  if (filename[0] == '/')
+	  /* check permissions and open file */
+	  if ((transfer->file = check_tftp_fileperm(packet, &len, prefix, daemon->addrbuff)))
 	    {
-	      if (strstr(filename, daemon->namebuff) == filename)
-		daemon->namebuff[0] = 0;
+	      transfer->lastack = transfer->block;
+	      transfer->retransmit = now + transfer->timeout;
+	      /* This packet is may be the first data packet, but only if windowsize == 1
+		 To get windowsize greater then one requires an option negotiation,
+		 in which case this packet is the OACK. */
+	      if ((len = get_block(transfer)) == -1)
+		len = tftp_err_oops(packet, daemon->namebuff);
 	      else
-		filename++;
+		{
+		  is_err = 0;
+		  /* get_block put the packet to send in a different buffer. */
+		  packet = daemon->packet;
+		}
 	    }
 	}
-      else if (filename[0] == '/')
-	daemon->namebuff[0] = 0;
-      strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
-      
-      /* check permissions and open file */
-      if ((transfer->file = check_tftp_fileperm(&len, prefix, daemon->addrbuff)))
-	{
-	  if ((len = get_block(packet, transfer)) == -1)
-	    len = tftp_err_oops(packet, daemon->namebuff);
-	  else
-	    is_err = 0;
-	}
    }
-
-  send_from(transfer->sockfd, !option_bool(OPT_SINGLE_PORT), packet, len, &peer, &addra, if_index);
-
+  
+  if (len)
+    {
+      send_from(transfer->sockfd, !option_bool(OPT_SINGLE_PORT), packet, len, &peer, &addra, if_index);
+      
 #ifdef HAVE_DUMPFILE
-  dump_packet_udp(DUMP_TFTP, (void *)packet, len, NULL, (union mysockaddr *)&peer, transfer->sockfd);
+      dump_packet_udp(DUMP_TFTP, (void *)packet, len, NULL, (union mysockaddr *)&peer, transfer->sockfd);
 #endif
+    }
  
  if (is_err)
    free_transfer(transfer);
@@ -501,9 +535,9 @@ void tftp_request(struct listener *listen, time_t now)
    }
 }
 
-static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, char *client)
+static struct tftp_file *check_tftp_fileperm(char *packet, ssize_t *len, char *prefix, char *client)
 {
-  char *packet = daemon->packet, *namebuff = daemon->namebuff;
+  char *namebuff = daemon->namebuff;
  struct tftp_file *file;
  struct tftp_transfer *t;
  uid_t uid = geteuid();
@@ -566,6 +600,7 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, char *c
  file->size = statbuf.st_size;
  file->dev = statbuf.st_dev;
  file->inode = statbuf.st_ino;
+  file->posn = 0;
  file->refcount = 1;
  strcpy(file->filename, namebuff);
  return file;
@@ -585,12 +620,15 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, char *c

 void check_tftp_listeners(time_t now)
 {
+  /* Use workspace to receive (small) request/ACK, to avoid overwriting precomputed reply */
+  char *packet = daemon->workspacename;
+  ssize_t plen = MAXDNAME * 2;
  struct listener *listener;
  struct tftp_transfer *transfer, *tmp, **up;
  
  for (listener = daemon->listeners; listener; listener = listener->next)
    if (listener->tftpfd != -1 && poll_check(listener->tftpfd, POLLIN))
-      tftp_request(listener, now);
+      tftp_request(packet, plen, listener, now);
    
  /* In single port mode, all packets come via port 69 and tftp_request() */
  if (!option_bool(OPT_SINGLE_PORT))
@@ -601,22 +639,23 @@ void check_tftp_listeners(time_t now)
 	  socklen_t addr_len = sizeof(union mysockaddr);
 	  ssize_t len;
 	  
-	  /* we overwrote the buffer... */
-	  daemon->srv_save = NULL;
-
-	  if ((len = recvfrom(transfer->sockfd, daemon->packet, daemon->packet_buff_sz, 0, &peer.sa, &addr_len)) > 0)
+	  if ((len = recvfrom(transfer->sockfd, packet, plen, 0, &peer.sa, &addr_len)) > 0)
 	    {
+#ifdef HAVE_DUMPFILE
+	      dump_packet_udp(DUMP_TFTP, (void *)packet, len, (union mysockaddr *)&peer, NULL, transfer->sockfd);
+#endif	      
+
 	      if (sockaddr_isequal(&peer, &transfer->peer)) 
-		handle_tftp(now, transfer, len);
+		handle_tftp(packet, now, transfer, len);
 	      else
 		{
 		  /* Wrong source address. See rfc1350 para 4. */
 		  prettyprint_addr(&peer, daemon->addrbuff);
-		  len = tftp_err(ERR_TID, daemon->packet, _("ignoring packet from %s (TID mismatch)"), daemon->addrbuff, NULL);
-		  while(retry_send(sendto(transfer->sockfd, daemon->packet, len, 0, &peer.sa, sa_len(&peer))));
+		  len = tftp_err(ERR_TID, packet, _("ignoring packet from %s (TID mismatch)"), daemon->addrbuff, NULL);
+		  while(retry_send(sendto(transfer->sockfd, packet, len, 0, &peer.sa, sa_len(&peer))));

 #ifdef HAVE_DUMPFILE
-		  dump_packet_udp(DUMP_TFTP, (void *)daemon->packet, len, NULL, (union mysockaddr *)&peer, transfer->sockfd);
+		  dump_packet_udp(DUMP_TFTP, (void *)packet, len, NULL, (union mysockaddr *)&peer, transfer->sockfd);
 #endif
 		}
 	    }
@@ -624,35 +663,52 @@ void check_tftp_listeners(time_t now)
 	  
  for (transfer = daemon->tftp_trans, up = &daemon->tftp_trans; transfer; transfer = tmp)
    {
-      tmp = transfer->next;
+      int endcon = 0, error = 0, timeout = 0;
      
-      if (difftime(now, transfer->timeout) >= 0.0)
+      tmp = transfer->next;
+            
+      /* ->start set to zero in handle_tftp() when we recv an error packet. */
+      if (transfer->start == 0)
+	endcon = error = 1;
+      else if (difftime(now, transfer->start) > TFTP_TRANSFER_TIME)  
 	{
-	  int endcon = 0;
+	  endcon = 1;
+	  /* don't complain about timeout when we're awaiting the last
+	     ACK, some clients never send it */
+	  if (get_block(transfer) > 0)
+	    error = timeout = 1;
+	}
+      else if (difftime(now, transfer->retransmit) >= 0.0)
+	{
+	  /* Do transmission or re-transmission. When we get an ACK, the call to handle_tftp()
+	     bumps transfer->lastack and trips the retransmit timer so that we send the next block(s)
+	     here. */
 	  ssize_t len;
-
-	  /* timeout, retransmit */
-	  transfer->timeout += 1 + (1<<(transfer->backoff/2));
-	  	  
-	  /* we overwrote the buffer... */
-	  daemon->srv_save = NULL;
-
-	  if ((len = get_block(daemon->packet, transfer)) == -1)
+	  unsigned int i, winsize;
+	  
+	  transfer->retransmit += transfer->timeout + (1<<(transfer->backoff/2));
+	  transfer->backoff++;
+	  transfer->block = transfer->lastack;
+	  
+	  /* send a window'a worth of blocks unless we're retransmitting OACK */
+	  winsize = transfer->block ? transfer->windowsize : 1;
+	  
+	  for (i = 0; i < winsize; i++, transfer->block++)
 	    {
-	      len = tftp_err_oops(daemon->packet, transfer->file->filename);
-	      endcon = 1;
-	    }
-	  else if (++transfer->backoff > 7)
-	    {
-	      /* don't complain about timeout when we're awaiting the last
-		 ACK, some clients never send it */
-	      if ((unsigned)len == transfer->blocksize + 4)
-		endcon = 1;
-	      len = 0;
-	    }
+	      if ((len = get_block(transfer)) == 0)
+		{
+		  if (i == 0)
+		    endcon = 1; /* got last ACK */

-	  if (len != 0)
-	    {
+		  break;
+		}
+	      
+	      if (len == -1)
+		{
+		  len = tftp_err_oops(daemon->packet, transfer->file->filename);
+		  endcon = error = 1;
+		}
+	      
 	      send_from(transfer->sockfd, !option_bool(OPT_SINGLE_PORT), daemon->packet, len,
 			&transfer->peer, &transfer->source, transfer->if_index);
 #ifdef HAVE_DUMPFILE
@@ -660,51 +716,93 @@ void check_tftp_listeners(time_t now)
 #endif
 	    }
 	  
-	  if (endcon || len == 0)
+	  /* prefetch the block we'll probably need when we get an ACK. */
+	  if (!endcon)
+	    get_block(transfer);
+	}
+		      
+      if (endcon)
+	{
+	  strcpy(daemon->namebuff, transfer->file->filename);
+	  sanitise(daemon->namebuff);
+	  (void)prettyprint_addr(&transfer->peer, daemon->addrbuff);
+	  if (timeout)
+	    my_syslog(MS_TFTP | LOG_ERR, _("timeout sending %s to %s"), daemon->namebuff, daemon->addrbuff);
+	  else if (error)
+	    my_syslog(MS_TFTP | LOG_ERR, _("failed sending %s to %s"), daemon->namebuff, daemon->addrbuff);
+	  else
+	    my_syslog(MS_TFTP | LOG_INFO, _("sent %s to %s"), daemon->namebuff, daemon->addrbuff);
+	  
+	  /* unlink */
+	  *up = tmp;
+	  if (error)
+	    free_transfer(transfer);
+	  else
 	    {
-	      strcpy(daemon->namebuff, transfer->file->filename);
-	      sanitise(daemon->namebuff);
-	      (void)prettyprint_addr(&transfer->peer, daemon->addrbuff);
-	      my_syslog(MS_TFTP | LOG_INFO, endcon ? _("failed sending %s to %s") : _("sent %s to %s"), daemon->namebuff, daemon->addrbuff);
-	      /* unlink */
-	      *up = tmp;
-	      if (endcon)
-		free_transfer(transfer);
-	      else
-		{
-		  /* put on queue to be sent to script and deleted */
-		  transfer->next = daemon->tftp_done_trans;
-		  daemon->tftp_done_trans = transfer;
-		}
-	      continue;
+	      /* put on queue to be sent to script and deleted */
+	      transfer->next = daemon->tftp_done_trans;
+	      daemon->tftp_done_trans = transfer;
 	    }
 	}
-
-      up = &transfer->next;
-    }    
+      else
+	up = &transfer->next;
+    }
 }
-	  
-/* packet in daemon->packet as this is called. */
-static void handle_tftp(time_t now, struct tftp_transfer *transfer, ssize_t len)
+
+static void handle_tftp(char *packet, time_t now, struct tftp_transfer *transfer, ssize_t len)
 {
  struct ack {
    unsigned short op, block;
-  } *mess = (struct ack *)daemon->packet;
+  } *mess = (struct ack *)packet;
  
  if (len >= (ssize_t)sizeof(struct ack))
    {
-      if (ntohs(mess->op) == OP_ACK && ntohs(mess->block) == (unsigned short)transfer->block) 
+      if (ntohs(mess->op) == OP_ACK)
 	{
-	  /* Got ack, ensure we take the (re)transmit path */
-	  transfer->timeout = now;
-	  transfer->backoff = 0;
-	  if (transfer->block++ != 0)
-	    transfer->offset += transfer->blocksize - transfer->expansion;
+	  /* Handle 16-bit block number wrap-around. */
+	  u16 new = ntohs(mess->block);
+	  u32 block;
+
+	  /* If the last ack received was in the top quarter of a 64k block
+	     and this one is in the bottom quarter, assume it has wrapped.
+	     
+	     Since this is UDP and an old packet can in theory wander in we may also
+	     need to drop back to a previous segment. Such an ACK is ignored below;
+	     here we're just getting the most likely 32 bit value from the
+	     16 bits that we have. */
+	  if (new <= 0x4000 && transfer->ackprev >= 0xc000)
+	    transfer->block_hi++;
+	  else if (new >= 0xc000 && transfer->ackprev <= 0x4000 && transfer->block_hi != 0)
+	    transfer->block_hi--;
+
+	  transfer->ackprev = new;
+	  block = (((u32)transfer->block_hi) << 16) + (u32)new;
+
+	  /* Ignore duplicate ACKs and ACKs for blocks we've not yet sent. */
+	  if (block >= transfer->lastack &&
+	      block <= transfer->block) 
+	    {
+	      /* Got ack, move forward and ensure we take the (re)transmit path */
+	      transfer->retransmit = transfer->start = now;
+	      transfer->backoff = 0;
+	      transfer->lastack = block + 1;
+
+	      /* We have no easy function from block no. to file offset when
+		 expanding line breaks in netascii mode, so we update the offset here
+		 as each block is acknowledged. This explains why the window size must be
+		 one for a netascii transfer; to avoid  the block no. doing anything
+		 other than incrementing by one. */
+	      if (transfer->netascii && block != 0)
+		{
+		  transfer->offset +=  (off_t)transfer->blocksize - (off_t)transfer->expansion;
+		  transfer->lastcarrylf = transfer->carrylf;
+		}
+	    }
 	}
      else if (ntohs(mess->op) == OP_ERR)
 	{
-	  char *p = daemon->packet + sizeof(struct ack);
-	  char *end = daemon->packet + len;
+	  char *p = packet + sizeof(struct ack);
+	  char *end = packet + len;
 	  char *err = next(&p, end);
 	  
 	  (void)prettyprint_addr(&transfer->peer, daemon->addrbuff);
@@ -720,8 +818,7 @@ static void handle_tftp(time_t now, struct tftp_transfer *transfer, ssize_t len)
 		    daemon->addrbuff);	
 	  
 	  /* Got err, ensure we take abort */
-	  transfer->timeout = now;
-	  transfer->backoff = 100;
+	  transfer->start = 0;
 	}
    }
 }
@@ -755,14 +852,22 @@ static char *next(char **p, char *end)
  return ret;
 }

+/* If we don't do anything, don't write the the input/ouptut
+   buffer. This allows us to pass in safe read-only strings constants. */
 static void sanitise(char *buf)
 {
  unsigned char *q, *r;
+
  for (q = r = (unsigned char *)buf; *r; r++)
    if (isprint((int)*r))
-      *(q++) = *r;
-  *q = 0;
-
+      {
+	if (q != r)
+	  *q = *r;
+	q++;
+      }
+  
+  if (q != r)
+    *q = 0;
 }

 #define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */ 
@@ -773,8 +878,7 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file, char *
    char message[];
  } *mess = (struct errmess *)packet;
  ssize_t len, ret = 4;
-    
-  memset(packet, 0, daemon->packet_buff_sz);
+
  if (file)
    sanitise(file);
  
@@ -798,10 +902,11 @@ static ssize_t tftp_err_oops(char *packet, const char *file)
 }

 /* return -1 for error, zero for done. */
-static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
+static ssize_t get_block(struct tftp_transfer *transfer)
 {
-  memset(packet, 0, daemon->packet_buff_sz);
-  
+  static off_t saved_offset = 0;
+  static ssize_t saved_len = 0;
+
  if (transfer->block == 0)
    {
      /* send OACK */
@@ -809,8 +914,12 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
      struct oackmess {
 	unsigned short op;
 	char data[];
-      } *mess = (struct oackmess *)packet;
-      
+      } *mess = (struct oackmess *)daemon->packet;
+
+      /* we overwrote the buffer... */
+      daemon->srv_save = NULL;
+      memset(daemon->packet, 0, daemon->packet_buff_sz);
+            
      p = mess->data;
      mess->op = htons(OP_OACK);
      if (transfer->opt_blocksize)
@@ -823,8 +932,18 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
 	  p += (sprintf(p,"tsize") + 1);
 	  p += (sprintf(p, "%u", (unsigned int)transfer->file->size) + 1);
 	}
-
-      return p - packet;
+      if (transfer->opt_timeout)
+	{
+	  p += (sprintf(p,"timeout") + 1);
+	  p += (sprintf(p, "%u", transfer->timeout) + 1);
+	}
+      if (transfer->opt_windowsize)
+	{
+	  p += (sprintf(p,"windowsize") + 1);
+	  p += (sprintf(p, "%u", (unsigned int)transfer->windowsize) + 1);
+	}
+ 
+      return p - daemon->packet;
    }
  else
    {
@@ -832,40 +951,58 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
      struct datamess {
 	unsigned short op, block;
 	unsigned char data[];
-      } *mess = (struct datamess *)packet;
+      } *mess = (struct datamess *)daemon->packet;
      
-      size_t size = transfer->file->size - transfer->offset; 
+      size_t size;
+      
+      if (!transfer->netascii)
+	transfer->offset = (off_t)(transfer->block - 1) * (off_t)transfer->blocksize;
      
      if (transfer->offset > transfer->file->size)
 	return 0; /* finished */
-      
-      if (size > transfer->blocksize)
-	size = transfer->blocksize;
+
+      /* We may have a prefetched block already in the buffer. */
+      if (daemon->srv_save == transfer && saved_offset == transfer->offset)
+	return saved_len;
+	
+      /* we overwrote the buffer... */
+      daemon->srv_save = NULL;
+
+      if ((size = transfer->file->size - transfer->offset) > (size_t)transfer->blocksize)
+	size = (size_t)transfer->blocksize;
      
      mess->op = htons(OP_DATA);
      mess->block = htons((unsigned short)(transfer->block));
-      
-      if (lseek(transfer->file->fd, transfer->offset, SEEK_SET) == (off_t)-1 ||
-	  !read_write(transfer->file->fd, mess->data, size, RW_READ))
-	return -1;
-      
-      transfer->expansion = 0;
-      
+
+      if (size != 0)
+	{
+	  if (transfer->file->posn != transfer->offset &&
+	      lseek(transfer->file->fd, transfer->offset, SEEK_SET) == (off_t)-1)
+	    return -1;
+
+	  if (!read_write(transfer->file->fd, mess->data, size, RW_READ))
+	    return -1;
+
+	  transfer->file->posn = transfer->offset + size;
+	}
+
      /* Map '\n' to CR-LF in netascii mode */
      if (transfer->netascii)
 	{
 	  size_t i;
-	  int newcarrylf;
-
-	  for (i = 0, newcarrylf = 0; i < size; i++)
-	    if (mess->data[i] == '\n' && ( i != 0 || !transfer->carrylf))
+	  	  
+	  /* Map '\n' to CR-LF in netascii mode */
+	  transfer->expansion = transfer->carrylf = 0;
+	  
+	  for (i = 0; i < size; i++)
+	    if (mess->data[i] == '\n' && (i != 0 || !transfer->lastcarrylf))
 	      {
 		transfer->expansion++;

 		if (size != transfer->blocksize)
 		  size++; /* room in this block */
 		else  if (i == size - 1)
-		  newcarrylf = 1; /* don't expand LF again if it moves to the next block */
+		  transfer->carrylf = 1; /* don't expand LF again if it moves to the next block */
 		  
 		/* make space and insert CR */
 		memmove(&mess->data[i+1], &mess->data[i], size - (i + 1));
@@ -873,11 +1010,13 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
 		
 		i++;
 	      }
-	  transfer->carrylf = newcarrylf;
-	  
 	}

-      return size + 4;
+      daemon->srv_save = transfer;
+      saved_offset = transfer->offset;
+      saved_len = size + 4;
+
+      return saved_len;
    }
 }

--- a/src/ubus.c
+++ b/src/ubus.c
@@ -213,6 +213,11 @@ static int ubus_handle_set_connmark_allowlist(struct ubus_context *ctx, struct u
  size_t num_patterns = 0;
  struct blob_attr *tb[policy_len];
  struct blob_attr *attr;
+
+  (void)ctx;
+  (void)obj;
+  (void)req;
+  (void)method;
  
  if (blobmsg_parse(policy, policy_len, tb, blob_data(msg), blob_len(msg)))
    return UBUS_STATUS_INVALID_ARGUMENT;
--- a/src/util.c
+++ b/src/util.c
@@ -34,6 +34,10 @@
 #include <sys/utsname.h>
 #endif

+#ifdef HAVE_BSD_NETWORK
+#include <libgen.h>
+#endif
+
 /* SURF random number generator */

 static u32 seed[32];
@@ -831,9 +835,34 @@ void close_fds(long max_fd, int spare1, int spare2, int spare3)
 #endif

 #ifdef FDESCFS
-  DIR *d;
+  DIR *d = NULL;
  
-  if ((d = opendir(FDESCFS)))
+#  ifdef HAVE_BSD_NETWORK
+  dev_t dirdev = 0;
+  char fdescfs[] = FDESCFS; /* string must be writable */
+  struct stat statbuf;
+
+  /* On BSD, fdescfs is normally mounted at /dev/fd. However
+     if it is NOT mounted, devfs creates a directory at /dev/fd
+     which contains (only) the file descriptors 0,1 and 2.
+
+     Under these conditions, opendir() will succeed, and
+     if we proceed we will fail to close extant
+     file descriptors which should be closed.
+     
+     Check that there is a filesystem mounted at /dev/fd
+     by checking that the device changes between /dev/fd
+     and /dev. If if doesn't, fall back to the dumb path. */
+  
+  if (stat(fdescfs, &statbuf) != -1)
+    dirdev = statbuf.st_dev;
+
+  if (stat(dirname(fdescfs), &statbuf) != -1 &&
+      dirdev != statbuf.st_dev)
+#  endif
+    d = opendir(FDESCFS);
+      
+  if (d)
    {
      struct dirent *de;

@@ -855,9 +884,9 @@ void close_fds(long max_fd, int spare1, int spare2, int spare3)
      
      closedir(d);
      return;
-  }
+    }
 #endif
-
+  
  /* fallback, dumb code. */
  for (max_fd--; max_fd >= 0; max_fd--)
    if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && max_fd != STDIN_FILENO &&
Author	SHA1	Message	Date
Conrad Kostecki	d8f66f4fda	Update German translations.	2025-12-07 13:44:40 +00:00
Simon Kelley	629107bd6d	Merge OOB memory read fix. CVE-2025-54318	2025-12-06 14:04:23 +00:00
Sven Geuer	05464a173b	Fix some issues with the swedish manual page, some causing lintian warnings Description: Fix some issues, some causing lintian warnings Pointless quotation marks which get displayed in the rendered manual page. groff-message troff:<standard input>:868: warning: macro 'Om' not defined [usr/share/man/sv/man8/dnsmasq.8.gz:1] groff-message troff:<standard input>:2846: warning: macro 'SH-FILER' not defined (possibly missing space after 'SH') [usr/share/man/sv/man8/dnsmasq.8.gz:2] Author: Sven Geuer <sge@debian.org> Forwarded: no Last-Update: 2025-12-04	2025-12-05 15:13:54 +00:00
Sven Geuer	ae3d3d971e	Fix typos in the english manual page Description: Fix typos in the english manual page These typos were reported by Debian's lint tool. Author: Sven Geuer <sge@debian.org> Forwarded: no Last-Update: 2025-12-04	2025-12-05 15:13:45 +00:00
Sven Geuer	d1845782d6	Remove trailing white space from dnsmasq.conf.example Description: Remove trailing white space For now only the file reported in bug #1022706 is handled by this patch while upstream has been informed about all existing cases. Bug-Debian: https://bugs.debian.org/1022706 Forwarded: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q4/017826.html Author: Sven Geuer <sge@debian.org> Last-Update: 2024-11-23	2025-12-05 15:12:28 +00:00
Matthias Andree	edb5f85fd1	CHANGELOG: Fix two typos	2025-12-05 15:10:31 +00:00
Simon Kelley	cef74423e2	Log error if we try and use netlink in a child process. Child processes to handle TCP connections don't have an open netlink socket. If they call iface_enumerate() that's a bug.	2025-12-01 09:52:51 +00:00
Simon Kelley	959dead673	More fixes for DHCP ops in Dbus when DHCP not configured. Following `eb60168382`	2025-11-30 22:59:27 +00:00
Simon Kelley	eb60168382	Fix SEGV in Dbus code. A 'AddDhcpLease' DBus message which fails to allocate a DHCP lease will cause dnsmasq to dereference a NULL pointer and crash. Allocation failure can happen if the particular flavour (IPv4 pr IPv6) of DHCP is not configured in this dnsmasq instance, or if the configured limit on DHCP leases is reached or (unlikley) if dnsmasq cannot allocate memory. This patch provides error returns for all these situations. This patch is inspired by a patch from Stefan Hanreich <s.hanreich@proxmox.com> which was prompted by a bug report from Lou Lécrivain.	2025-11-28 16:10:37 +00:00
Simon Kelley	57a2f5778c	Fix confusion in address checking code. This was supposed to disallow addresses which are in use by the DHCP server, and the code works fine when only dhcp-range is defined per broadcast domain. It's confused when there are multiple dhcp-ranges which are valid for a particular request.	2025-11-28 15:14:09 +00:00
Simon Kelley	7d5fbe7da3	Fix failure to add client MAC address to queries in TCP mode. The options which cause dnsmasq to decorate a DNS query with the MAC address on the originating client can fail when the query is sent using TCP. In TCP mode, dnsmasq spawns a new process to handle each TCP connection. These child processes do not have an open netlink socket, which is needed to read the kernel ARP table, so the process of adding the client's MAC address as an EDNS0 option silently fails. This is fixed by this patch by updating dnsmasq's ARP cache in the main process just before forking the TCP-handler child process. This ensures that the copy of the ARP cache inherited by the TCP-handler contains the information required without the need to read the kernel ARP table. Thanks to Bruno Ravara for spotting and characterising this bug.	2025-11-26 21:54:59 +00:00
Petr Menšík	ded935be37	Add captive-portal name support for DHCP options Adds support into DHCP and DHCPv6 record. Useful for announcing URL for captive portal API URI. https://www.rfc-editor.org/rfc/rfc8910.html	2025-11-18 22:41:15 +00:00
Simon Kelley	aa9b71c681	Merge translated strings.	2025-11-18 22:20:42 +00:00
Daniel Nylander	e497f3f2c8	Add Swedish translation. Thanks to Daniel Nylander.	2025-11-18 22:18:02 +00:00
Simon Kelley	ee09f0655c	Optimise tftp. This change attempts to optimse TFTP perfomance. It reads the next block immediately after sending a block, in order to reduce latency between receiving an ACK and sending the next block. Is also suppresses lseek() calls when reading successive blocks. This improves performance when doing transfers without windowing and when only a single transfer is in progress at one time.	2025-09-01 22:35:02 +01:00
Simon Kelley	1e83316e06	Formatting.	2025-08-21 22:13:43 +01:00
Simon Kelley	9a566c0913	Tweak recently altered TFTP code.	2025-08-21 16:19:58 +01:00
Simon Kelley	06e2d479c9	Stop lookup_frec() returning old records. get_new_frec() garbage collects struct frec when they are (by default) 40s old. This means that in an active dnsmasq which is getting new queries, answers to old queries start to be ignored soon after they hit 40s old. If there are no new queries, get_new_frec() doesn't get called, and answers to old queries will still be accepted for longer. This patch stops lookup_frec() from returning old frecs which are ready for GC. This helps avoid yet another variation on the birthday attack, which is no particularly relevant, given the need for an idle server.	2025-08-21 14:17:01 +01:00
Simon Kelley	b52d1d2017	Tweak get_new_frec() behaviour in "force" mode. get_new_frec() is not supposed to ever free an frec when the force arg is set. Make this so. In theory, this fixes a bug, but it's practically impossible to provoke and I have no evidence that it has ever happened IRL.	2025-08-21 13:21:27 +01:00
Simon Kelley	18195e7bb2	Useful error logging in dhcp-split-relay code.	2025-08-21 13:05:24 +01:00
Simon Kelley	d81b1d76a0	Fix TFTP problems with large files. TFTP fails with a timeout when the transfer exceeds 128K blocks. The block field in an ACK packet is 16 bits, so large transfers need to deal with this field wrapping. Testing failure meant that it worked for the first wrap, but not for subsequent ones. Having fixed the block number problem, file size calculations accidentally being done in 32 bits not 64 bits then broke transfers larger than 2G or maybe 4G. The first problem was probably introduced in commit `ebef27f321` and has not appeared in a stable release. The second appears to have been there forever. Clearly, nobody is mad enough to transfer multi-gigabyte files over TFTP. Thanks to Jean-François JUBLIN for spotting this and supplying useful packet dumps that made it easy to diagnose.	2025-08-21 12:49:09 +01:00
Simon Kelley	1677c6e10b	More development on dhcp-split-relay.	2025-08-20 12:36:03 +01:00
Simon Kelley	ff30fa4b91	Fix caching bug with negative records. To provoke this bug, at least the following must be true. A reply must be a CNAME. The target of the CNAME must not exist for the queried RR (a No Data reply). The No Data reply must include an SOA record in the NS section. The query must take place over TCP. The result is the caching of a CNAME whose target is the name of the SOA record, instead of the No data record. If there is a RR at this target, then a subsequent query for that RRtype will get a qrong reply. Thanks to the testers extraordinaire at Pi-Hole for spotting this and providing enough information to chase it down.	2025-08-11 16:53:40 +01:00
Simon Kelley	c91c66ee63	Get destination address of received DHCPv4 packets right in dumpfile.	2025-07-27 16:23:59 +01:00
Simon Kelley	fc9f6985ab	Add --dhcp-split-relay option. This makes a DHCPv4 relay which is functional when client and server networks aren't mutually route-able.	2025-07-27 15:27:40 +01:00
Simon Kelley	ea5b0e64e2	Make DHCP6ADVERTISE messages RFC 8415 compliant. Include IA_* options even if no addresses are allocated, and always return options specified in ORO.	2025-07-23 21:05:40 +01:00
Simon Kelley	e775264539	Fix wrong status in reply to DHCP6REQUEST. If we jump to label request_no_address, address_assigned has an undefined value, and maybe the wrong status is returned.	2025-07-23 21:04:06 +01:00
Simon Kelley	d976d94e3d	Implement RFC 6221 para 4. If the link address in a relayed DHCPv6 message is zero, don't use it for addresss selection.	2025-07-22 22:09:49 +01:00
Simon Kelley	3034746748	Allow --dhcp-authoritative to control recreation of missing leases in DHCPv6. Change the behaviour of the DHVPv6 server when a REBIND message is received but no lease exists. Under these circumstances a new lease is created _only_ when the --dhcp-authoritative option is set. This matches the behavior of the DHCPv4 server.	2025-07-22 21:51:47 +01:00
Simon Kelley	3ceea9e755	Fix packet validation in DHCPv6. Some messages must be sent as multicast.	2025-07-22 20:43:52 +01:00
Geert Stappers	dfcef19fb4	Added a tail to .hmtl files HTML-files `doc.html` and `setup.html` were missing closing tags. Also some empty lines removed. Signed-off-by: Geert Stappers <stappers@stappers.nl>	2025-07-20 15:29:43 +01:00
Simon Kelley	052aa0fcf3	Fix bounds checking in check_ia() A malformed DHCP request can cause out-bounds memory reads, and probably SEGV.	2025-07-15 15:18:12 +01:00
Simon Kelley	f74b74e521	Refactor relay_reply6(). Traverse the nested data structures more efficiently, more understandably, and with watertight checking of buffer boundaries.	2025-07-15 15:17:46 +01:00
Simon Kelley	c9342cb556	Check for constructed name in --srv-host exceeding length limit. Thanks to Mikhail Dmitrichenko for spotting this.	2025-07-15 15:15:32 +01:00
Simon Kelley	2b844b8c83	Fix BNF from --srv-host in manpage.	2025-07-14 15:15:26 +01:00
Simon Kelley	65e9a8957c	Fix order of reads dhcp-hostsfile and /etc/ethers. Reading /etc/ethers assumes that dhcp-host cofig has already been read, and that is the case for dhcp-host, but for unknown reasons, the analogous congiguration is dhcp-hostfile was being read after /etc/ethers. Swap the order. Thanks to Andreas Kuropka for spotting the problem.	2025-07-10 10:58:14 +01:00
Simon Kelley	da868a2fbe	Restore bit-rotted warning about non-recursive upstreams.	2025-07-08 16:18:03 +01:00
Simon Kelley	bceb5287b9	Fix FTBFS on MacOS. Fallout from `98189ff988` Thanks to Travis Rayan for the bug report.	2025-07-07 17:58:41 +01:00
Simon Kelley	84445dec26	Fix server selection for DS queries. This was mainly done in `57e582492b` This commit extends the new behaviour to cases where DNSSEC validation is not compiled-in or not enabled.	2025-07-07 17:16:32 +01:00
Rob Gill via Dnsmasq-discuss	c70b92b2a4	Add CG-NAT range to non-globally routed IP space per RFC7793 The Shared address space (100.64.0.0/10) used by CG-NAT, defined in RFC6598 should not have reverse DNS queries sent to global DNS infrastructure. Confirmed in RFC7793 and listed on https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml Signed-off-by: Rob Gill <rrobgill@protonmail.com>	2025-06-26 13:10:48 +01:00
Simon Kelley	57e582492b	Fix to `57f0489f38` When choosing a server to send a DS query to take account of the need for DS records for a domain to come from the parent of that domain.	2025-06-25 15:02:47 +01:00
Simon Kelley	ec8f3e65c1	Tweak domain-specific servers and DNSSEC code to treat servers for plain names (server=//1.2.3.4) as domain-specific. This means that if we fail to get a DS record for such a query, it gets given the benefit of the doubt. Updates `57f0489f38`	2025-06-23 21:48:29 +01:00
Simon Kelley	15841f187d	Fix issue with fast file-descriptor close on *BSD. This fixes a problem introduced in `8a5fe8ce6b` On BSD, fdescfs is normally mounted at /dev/fd. However if it is NOT mounted, devfs creates a directory at /dev/fd which contains (only) the file descriptors 0,1 and 2. Under these conditions, opendir() will succeed, and if we proceed we will fail to close extant file descriptors which should be closed. Check that there is a filesystem mounted at /dev/fd by checking that the device changes between /dev/fd and /dev. If if doesn't, fall back to the dumb path. Thanks to Roman Bogorodskiy for spotting the problem and helping with diagnosis.	2025-06-22 23:04:36 +01:00
Simon Kelley	ade97495e6	Trvial formatting fix.	2025-06-20 17:12:32 +01:00
Simon Kelley	2b19285724	Fix breakage of ipset on *BSD. Regression introduced in `98189ff988` Thanks to Harper Andrews for spotting this.	2025-06-20 15:48:47 +01:00
Simon Kelley	a444715bf0	Fix FTBFS on Jurassic gcc versions.	2025-06-20 15:27:43 +01:00
Simon Kelley	14e81b6976	Additional sanity check in filter_servers().	2025-06-06 23:33:25 +01:00
Simon Kelley	6ce7f2d55a	Fix regression in `9e67099ce7` Logging queries lost the RRtype. Revert to e.g. query[A] example.com	2025-06-06 23:29:31 +01:00
Simon Kelley	287d6bc88d	Fix `5846f749e5` Not sure how that bug got in there. Very (un)lucky choice of test data, or last-minute "it'll be fine" modification I guess. It was late, I can't remember. Thanks to Dominik Derrigs for spotting the problem.	2025-06-03 22:16:50 +01:00
Simon Kelley	c378d2c1de	Fix crash in filter_servers(). The bug occurs when we ask lookup_domain() for a server for a domain which is not a general upstream server, by setting F_DOMAINSRV in the flags. If there are no possible servers, because there are no upstream servers defined (for instance, at startup) then the code steps off the end of an array and SEGVs. The bug has been latent for some time, but `3e659bd4ec` added a new call to lookup_domain() which can actually trigger the bug if DNSSEC is enabled and a certain amount of bad luck ensues. Thanks to the testers extraordinaire at PiHole for reporting this.	2025-06-02 22:37:08 +01:00
Simon Kelley	5846f749e5	Rewrite chunks of inotify.c to remove a memory leak. The code is much easier to follow now, this shouldn't happen again.	2025-05-29 22:44:15 +01:00
Matthias Andree	c9a4240ec4	Unbreak compilation on non-Linux systems (FreeBSD) and put the void cast of netlink_warn under the same preprocessor condition as its definition, #ifdef HAVE_LINUX_NETWORK.	2025-05-25 21:15:41 +01:00
Simon Kelley	e7b87dee85	Tftp code tweaks.	2025-05-24 21:15:02 +01:00
Simon Kelley	90b248582c	Remove compiler warnings for obscure combinations of build options.	2025-05-24 15:09:53 +01:00
Simon Kelley	ebef27f321	Add TFTP options windowsize (RFC 7440) and timeout (RFC 2349).	2025-05-24 14:41:40 +01:00
Matthias Andree	1861a881eb	Only define variable "a" if we HAVE_LINUX_NETWORK Variable unsigned char a is defined unconditionally, but it is only used if HAVE_LINUX_NETWORK is defined. This triggers compiler warnings on, say, FreeBSD. Fix by wrapping the definition in proper #ifdef.	2025-05-21 19:48:39 +01:00
Matthias Andree	96bdb42d40	Fix GCC's -Wunterminated-string-initialization warning in edns0.c. GCC complains that writing the five-character "ODNS\0" string into a four-element char magic[4] array truncates the NUL character. The warning's rationale is that this is incompatible with C++, or maybe non-intentional. GCC 8 has added a nonstring variable attribute, clang 20.1 does not yet support this, but clang's Git head does. Add an ATTRIBUTE_NONSTRING macro, currently only defined on GCC >= 8 as __attribute__ ((nonstring)). This successfully suppresses the warning on Fedora Linux 42's default compiler. The alternative would be to replace the "ODNS" literal by {0} and instead memcpy(opt.magic, "ODNS", sizeof(opt.magic)); on the next line, which is correct, C++ compatible, but also less concise.	2025-05-21 15:06:27 +01:00
Simon Kelley	c7a909ad65	Add RRtypes HHIT and BRID to the table.	2025-05-21 15:03:51 +01:00
Simon Kelley	baf3c57af5	Fix compiler warnings.	2025-05-18 18:22:48 +01:00
Simon Kelley	e48a2af4f5	Overhaul extract_addresses() function. The proximate cause for doing this is to fix a bug that causes replies to PTR queries with more than one answer to have the second and subsequent answers ignored. The fix turned into a small re-write which removed a very old hack. When caching reponses which include CNAME records, the cache system stores the CNAME with a link to the record representing the target of the CNAME. This isn't possible for PTR records representing IP addresses since the name stored is the target of the PTR, record and its name is inferred from the address in the cache record. Such cache records have the F_REVERSE flag set. To get around this, long ago, the code which stores such records elided the CNAME entirely, so 4.3.2.1.in-addr.arpa CNAME 18/3.2.1.in-addr.arpa 18/3.2.1.in-addr.arpa PTR myhost.example.com would be stored as 4.3.2.1.in-addr.arpa PTR myhost.example.com and returned from the cache to subsequent requestor in that form. Since that hack was committed, dnsmasq has learned to cache arbitrary RRs. So now we can store the PTR records for all the no-trivial cases. The means the CNAME chains ending in PTR records don't get mangled, and we can store PTR records whose name in not w.x.y.x.in-addr.arpa or the IPv6 equivalent.	2025-05-18 17:24:41 +01:00
Simon Kelley	91b800cc62	CHANGELOG update.	2025-05-14 22:38:14 +01:00
Simon Kelley	075e4a56b7	--leasequery can now take a subnet argument.	2025-05-14 22:36:03 +01:00
Simon Kelley	48658ebc54	Add address filtering for leasequery.	2025-05-14 22:36:03 +01:00
Simon Kelley	692ed0dd32	Log source address of leasequeries.	2025-05-14 22:36:03 +01:00
Simon Kelley	43805c1859	Omit message type from leasequery.c option dump.	2025-05-14 22:36:03 +01:00
Simon Kelley	4fbe1add95	Implement RFC-4388 DHCPv4 leasequery.	2025-05-14 22:35:51 +01:00
Simon Kelley	57c7ae8fc0	CHANGELOG update.	2025-05-14 22:33:44 +01:00
Simon Kelley	d1008215dc	Better error message when rejecting a TFTP transfer.	2025-05-14 21:15:17 +01:00