Re: [Dnsmasq-discuss] stop-dns-rebind and IPv6

2010-09-10 Thread Jan 'RedBully' Seiffert
2010/9/10 Mark Cross :
[snip]
>    BEHAVE          64:ff9b::/96  "Well Known Prefix"

Oh, drafts are also OK?

Then I have this nice comment here in my code:
//TODO: add DS-Lite well known addresses
/*
 * When the draft gets to standard:
 * 192.0.0.0/29 is reserved for the p2p tunnel link between
 * B4 & AFTR (CPE and Carrier NAT).
 * These should not show up in the internet.
 */

http://tools.ietf.org/html/draft-ietf-softwire-dual-stack-lite-05#section-5.7

[snip]
>
> --
> Mark Cross
>
Greetings
Jan

-- 
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"



Re: [Dnsmasq-discuss] stop-dns-rebind and IPv6

2010-09-09 Thread Jan 'RedBully' Seiffert
2010/9/8 Simon Kelley :
> dnsm...@flyingout.name wrote:
[snip - IPv6 rebind filter failing]
>
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also?

Sure, it's the equivalent of 127.0.0.1.

> What about the fe80:: link-local addresses.

I would say yes.
An attacker could see a/the mac address in a/the global IPv6 address,
and then try a rebind to the linklocal + mac.

Site-local is deprecated (but better safe than sorry?), hmmm, what about
unique local?

I have some code for my software here, but it's more a bogon filter:

bool combo_addr_is_public(const union combo_addr *addr)
{
    in_addr_t a;

    /* TODO: when IPv6 is common, change it */
    if(unlikely(AF_INET6 == addr->s.fam))
    {
        const struct in6_addr *a6 = &addr->in6.sin6_addr;
        /* ::, ::1, multicast, link-local, site-local: standard libc tests */
        if(unlikely(IN6_IS_ADDR_UNSPECIFIED(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_LOOPBACK(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_MULTICAST(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_LINKLOCAL(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_SITELOCAL(a6)))
            return false;
        /* unique local (fc00::/8, fd00::/8) and documentation prefix:
         * the *_UNIQUELOCAL_* and *_DOCU macros are my own, not libc ones */
        if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_A(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_B(a6)))
            return false;
        if(unlikely(IN6_IS_ADDR_DOCU(a6)))
            return false;
        /* keep test for v4 last: unwrap v4-mapped/v4-compat addresses and
         * run them through the IPv4 rules below */
        if(IN6_IS_ADDR_V4MAPPED(a6) ||
           IN6_IS_ADDR_V4COMPAT(a6))
            a = a6->s6_addr32[3];
        else
            goto out;
    }
    else
        a = addr->in.sin_addr.s_addr;

    /* according to RFC 3330 & RFC 5735 */
    if(IP_CMP(a, 0xffffffff, SLASH32)) /* 255.255.255.255/32  Broadcast */
        return false;

    /* ... rest of ipv4 part here ... */

out:
    return true;
}


>
> Cheers,
>
> Simon.
>
>

Greetings
Jan

-- 
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"
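Added example for the range list discussed in this reply and for the DS-Lite 192.0.0.0/29 and NAT64 64:ff9b::/96 prefixes mentioned in the 2010-09-10 reply above; it is neither dnsmasq code nor the combo_addr_is_public filter quoted in this message. It classifies one address from a DNS answer as safe to hand to a LAN client or as a rebind/bogon risk, using only inet_pton and the netinet/in.h types; the IPv4-embedded forms (::ffff:a.b.c.d, ::a.b.c.d, 64:ff9b::a.b.c.d) are unwrapped and checked against the IPv4 rules, which is the "keep test for v4 last" step in plain form. The prefix table, the ADDR_* result values and the sample addresses are this example's own choices:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return values of classify_answer_addr(); names chosen for this example. */
#define ADDR_INVALID     (-1)
#define ADDR_PUBLIC        0
#define ADDR_REBIND_RISK   1

/* IPv4 rules: RFC 1918 / RFC 5735 ranges named in the thread plus the
 * DS-Lite 192.0.0.0/29 B4-AFTR link range. `a` is in host byte order. */
static int ipv4_is_rebind_risk(uint32_t a)
{
    return (a >> 24) == 0                      /* 0.0.0.0/8        "this" net */
        || (a >> 24) == 10                     /* 10.0.0.0/8       RFC 1918 */
        || (a >> 24) == 127                    /* 127.0.0.0/8      loopback */
        || (a >> 20) == 0xac1                  /* 172.16.0.0/12    RFC 1918 */
        || (a >> 16) == 0xc0a8                 /* 192.168.0.0/16   RFC 1918 */
        || (a >> 16) == 0xa9fe                 /* 169.254.0.0/16   link-local */
        || (a >> 3)  == (0xc0000000u >> 3)     /* 192.0.0.0/29     DS-Lite */
        || a == 0xffffffffu;                   /* 255.255.255.255  broadcast */
}

/* True when the leading `bits` bits of `a` and `prefix` agree. */
static int in6_prefix_match(const struct in6_addr *a,
                            const struct in6_addr *prefix, int bits)
{
    int full = bits / 8, rem = bits % 8;
    uint8_t mask;
    if (memcmp(a->s6_addr, prefix->s6_addr, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (uint8_t)(0xffu << (8 - rem));
    return (a->s6_addr[full] & mask) == (prefix->s6_addr[full] & mask);
}

/* /96 prefixes that carry an IPv4 address in their last 32 bits:
 * IPv4-mapped (::ffff:0:0/96), IPv4-compatible (::/96) and the NAT64
 * well-known prefix 64:ff9b::/96 from the BEHAVE line quoted above. */
static const uint8_t EMBED_V4[3][12] = {
    { 0,0,0,0,0,0,0,0,0,0,0xff,0xff },
    { 0,0,0,0,0,0,0,0,0,0,0,0 },
    { 0x00,0x64,0xff,0x9b,0,0,0,0,0,0,0,0 },
};

/* Classify one address from a DNS answer: ADDR_REBIND_RISK when a public
 * name resolved to something that points back into the local network. */
int classify_answer_addr(const char *text)
{
    static const struct { const char *prefix; int bits; } blocked6[] = {
        { "::",        128 },   /* unspecified */
        { "::1",       128 },   /* loopback: the IPv6 127.0.0.1 */
        { "fe80::",     10 },   /* link-local */
        { "fec0::",     10 },   /* site-local, deprecated but still filtered */
        { "fc00::",      7 },   /* unique local */
        { "ff00::",      8 },   /* multicast */
        { "2001:db8::", 32 },   /* documentation */
    };
    struct in_addr a4;
    struct in6_addr a6;
    size_t i;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return ipv4_is_rebind_risk(ntohl(a4.s_addr)) ? ADDR_REBIND_RISK : ADDR_PUBLIC;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return ADDR_INVALID;

    for (i = 0; i < sizeof blocked6 / sizeof blocked6[0]; i++) {
        struct in6_addr p;
        inet_pton(AF_INET6, blocked6[i].prefix, &p);
        if (in6_prefix_match(&a6, &p, blocked6[i].bits))
            return ADDR_REBIND_RISK;
    }

    /* Keep the IPv4 test last: unwrap the embedded address and apply the
     * IPv4 rules to it, otherwise ::ffff:192.168.1.1 walks past the filter. */
    for (i = 0; i < 3; i++)
        if (memcmp(a6.s6_addr, EMBED_V4[i], 12) == 0) {
            uint32_t v4;
            memcpy(&v4, &a6.s6_addr[12], sizeof v4);
            return ipv4_is_rebind_risk(ntohl(v4)) ? ADDR_REBIND_RISK : ADDR_PUBLIC;
        }
    return ADDR_PUBLIC;
}

int main(void)
{
    /* Constructed sample answers, not taken from any real query. */
    const char *samples[] = { "93.184.216.34", "192.168.1.10", "::ffff:10.0.0.1",
                              "fe80::1", "64:ff9b::c0a8:101", "2001:4860:4860::8888" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               classify_answer_addr(samples[i]) == ADDR_REBIND_RISK ? "block" : "allow");
    return 0;
}
```

A stop-dns-rebind style filter would run classify_answer_addr() over every A and AAAA record of an upstream answer before caching or returning it, and drop the whole answer when any record is a risk: a mixed answer still lets the client pick the internal address.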



Re: [Dnsmasq-discuss] Stateless DHCPv6 Server

2010-06-30 Thread Jan 'RedBully' Seiffert
Simon Kelley schrieb:
> François-Xavier Le Bail wrote:
>> Hello,
>>
[snip]
>> Is there current plans to support in DNSmasq a stateless DHCPv6
>> server ?
> 
> Not currently. Would there be any advantage to having this as part of
> dnsmasq, rather than a stand-alone daemon?
> 

1) One config.
2) Getting over the IPv6-how-to-config bump by _not_ needing another program.
3) Getting the "IPv6, and it didn't even hurt" ball rolling through support in a
widely deployed program.

> Cheers,
> 
> Simon.
> 
Greetings
Jan

-- 
Have you heard about the new Cray? It's so fast, it requires TWO halt
instructions to stop it!



Re: [Dnsmasq-discuss] TFTP for IPv6

2010-06-18 Thread Jan 'RedBully' Seiffert
Jan 'RedBully' Seiffert schrieb:
> Jan 'RedBully' Seiffert schrieb:
>> Simon Kelley schrieb:
>>> Adding IPv6 support would be fairly simple: the DNS part of dnsmasq does
>>> do IPv6, so all the bits are already in place, there just need to be an
>>> IPv6 socket listening as well as an IPv4 one, and a couple of address
>>> fields in structures need to be extended to hold IPv6 addresses.
>>>
>>
>> step one:
>> widen the addresses used in tftp.c for use with IPv4 & IPv6
>>
>>
> 
> step two:
> tell the udpfromto copy how to deal with ipv6
> 

and the final step three:
Add a tftp IPv6 listener, a little bit C&P, but...

And then a little cleanup of things I saw for myself.

Only compile tested.

Greetings
Jan

-- 
Every bug you find is the last one.
=== modified file 'src/network.c'
--- upstream/src/network.c  2010-06-18 16:34:34 +
+++ ipv6_tftp/src/network.c 2010-06-18 17:41:40 +
@@ -400,7 +400,8 @@
   !fix_fd(tcpfd) ||
   bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
   listen(tcpfd, 5) == -1 ||
-  bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1) 
+  bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
+// TODO: we leak fd & tcpfd here
 return 0;
 
   /* The API changed around Linux 2.6.14 but the old ABI is still supported:
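Review bot: the `// TODO: we leak fd & tcpfd here` comment added before `return 0;` names a real leak on this failure path but leaves it in place; close both descriptors before returning, the way the new create_ipv6_listener_tftp does with `close(fd); return 0;` when its bind() fails, and use the file's `/* */` comment style rather than `//`.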
@@ -437,6 +438,80 @@
   
   return 1;
 }
+
+/* c&p ... bad */
+static int create_ipv6_listener_tftp(struct listener **link, int port)
+{
+  union mysockaddr addr;
+  int fd;
+  struct listener *l;
+  int opt = 1;
+
+  memset(&addr, 0, sizeof(addr));
+  addr.in6.sin6_family = AF_INET6;
+  addr.in6.sin6_addr = in6addr_any;
+  addr.in6.sin6_port = htons(port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+  addr.in6.sin6_len = sizeof(addr.in6);
+#endif
+
+  /* No error of the kernel doesn't support IPv6 */
+  if ((fd = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
+return (errno == EPROTONOSUPPORT ||
+   errno == EAFNOSUPPORT ||
+   errno == EINVAL);
+
+  if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 ||
+  setsockopt(fd, IPV6_LEVEL, IPV6_V6ONLY, &opt, sizeof(opt)) == -1 ||
+  !fix_fd(fd) ||
+  bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
+{
+  close(fd);
+  return 0;
+}
+
+  /* The API changed around Linux 2.6.14 but the old ABI is still supported:
+ handle all combinations of headers and kernel.
+ OpenWrt note that this fixes the problem addressed by your very broken 
patch. */
+
+  daemon->v6pktinfo = IPV6_PKTINFO;
+
+#ifdef IPV6_RECVPKTINFO
+#  ifdef IPV6_2292PKTINFO
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1)
+{
+  if (errno == ENOPROTOOPT && setsockopt(fd, IPV6_LEVEL, IPV6_2292PKTINFO, 
&opt, sizeof(opt)) != -1)
+   daemon->v6pktinfo = IPV6_2292PKTINFO;
+  else
+   return 0;
+}
+#  else
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_RECVPKTINFO, &opt, sizeof(opt)) == -1)
+return 0;
+#  endif
+#else
+  if (setsockopt(fd, IPV6_LEVEL, IPV6_PKTINFO, &opt, sizeof(opt)) == -1)
+return 0;
+#endif
+
+  if(*link)
+{
+  l = *link;
+  l->tftpfd = fd;
+}
+  else
+{
+  l = safe_malloc(sizeof(struct listener));
+  l->fd = -1;
+  l->tcpfd = -1;
+  l->tftpfd = fd;
+  l->family = AF_INET6;
+  l->next = NULL;
+  *link = l;
+}
+
+  return 1;
+}
 #endif
 
 struct listener *create_wildcard_listeners(void)
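Review bot: create_ipv6_listener_tftp closes fd when bind() fails (`close(fd); return 0;`) but the three `return 0;` paths after the IPV6_RECVPKTINFO / IPV6_2292PKTINFO / IPV6_PKTINFO setsockopt calls return with the socket still open, so it leaks on those errors; route them through the same close-and-return block. Two smaller points: the early `return (errno == EPROTONOSUPPORT || ...)` reports success on a kernel without IPv6 while leaving *link untouched, so the caller must not assume *link is set after a non-zero return; and the `if(*link)` branch overwrites l->tftpfd on an existing listener without checking that it is an AF_INET6 listener whose tftpfd was still -1. The comment `No error of the kernel doesn't support IPv6` should read `if the kernel`.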
@@ -456,11 +531,11 @@
 
   if (daemon->port != 0)
 {
-  
+
   if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1 ||
  (tcpfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
return NULL;
-  
+
   if (setsockopt(tcpfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 
||
  bind(tcpfd, (struct sockaddr *)&addr, sa_len(&addr)) == -1 ||
  listen(tcpfd, 5) == -1 ||
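Review bot: this hunk only strips trailing whitespace; mixing it into the functional change makes the patch harder to review and to apply against other versions, so send whitespace cleanups as a separate patch.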
@@ -475,30 +550,33 @@
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
  setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
  setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1 ||
-#endif 
+#endif
  bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == -1)
return NULL;
 }
-  
+
 #ifdef HAVE_TFTP
   if (daemon->tftp_unlimited || daemon->tftp_interfaces)
 {
   addr.in.sin_port = htons(TFTP_PORT);
   if ((tftpfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
return NULL;
-  
+
   if (!fix_fd(tftpfd) ||
+#ifdef HAVE_IPV6
+ !create_ipv6_listener_tftp(&l6, TFTP_PORT) ||
+#endif
 #if defined(HAVE_LINUX_NETWORK) 
  setsockopt(tftpfd, SOL_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1 ||
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
  setsockopt(tftpfd,
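Review bot: `create_ipv6_listener_tftp(&l6, TFTP_PORT)` sits inside the `||` chain between fix_fd(tftpfd) and the IPv4 setsockopt/bind calls, so when the IPv6 listener is created successfully and a later IPv4 step fails, the function returns NULL with both tftpfd and the freshly created IPv6 socket in l6 leaked; create the IPv6 listener after the IPv4 socket is fully set up, and close it on the IPv4 failure path.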

Re: [Dnsmasq-discuss] TFTP for IPv6

2010-06-18 Thread Jan 'RedBully' Seiffert
Jan 'RedBully' Seiffert schrieb:
> Simon Kelley schrieb:
>> Adding IPv6 support would be fairly simple: the DNS part of dnsmasq does
>> do IPv6, so all the bits are already in place, there just need to be an
>> IPv6 socket listening as well as an IPv4 one, and a couple of address
>> fields in structures need to be extended to hold IPv6 addresses.
>>
> 
> step one:
> widen the addresses used in tftp.c for use with IPv4 & IPv6
> 
> 

step two:
tell the udpfromto copy how to deal with ipv6

> only compile tested, i do not have any netboot stuff.

Same, but I tested code like that in another project of mine, so it should work,
minus bugs...

Greetings
Jan

-- 
Every program in development at MIT expands until it can read mail.
=== modified file 'src/tftp.c'
--- upstream/src/tftp.c 2010-06-18 16:34:34 +
+++ ipv6_tftp/src/tftp.c2010-06-18 17:09:35 +
@@ -90,15 +90,9 @@
   if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2)
 return;
 
-  memset(&addr, 0, sizeof(addr));
-// TODO: get proper address family
-  addr.sa.sa_family = AF_INET;
-#ifdef HAVE_SOCKADDR_SA_LEN
-  addr.sa.sa_len = sizeof(addr);
-#endif
   if (daemon->options & OPT_NOWILD)
 {
-  addr.in = listen->iface->addr.in;
+  addr = listen->iface->addr;
   mtu = listen->iface->mtu;
   name = listen->iface->name;
 }
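Review bot: the memset and sa_len setup removed here are re-added only in the else branch in the next hunk, so after this change the OPT_NOWILD path depends entirely on listen->iface->addr being a fully initialised union, including sa_len on HAVE_SOCKADDR_SA_LEN systems; a comment at `addr = listen->iface->addr;` stating that assumption would help.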
@@ -108,8 +102,13 @@
   int check;
   struct interface_list *ir;
 
+  memset(&addr, 0, sizeof(addr));
+#ifdef HAVE_SOCKADDR_SA_LEN
+  addr.sa.sa_len = sizeof(addr);
+#endif
+  addr.sa.sa_family = AF_INET;
+
 // TODO: this looks like recvfromto
-  /* and needs to be pimped for IPv6 */
 #if defined(HAVE_LINUX_NETWORK)
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, 
cmptr))
if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
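Review bot: `addr.sa.sa_family = AF_INET;` is still hard-coded under the `TODO: get proper address family` comment, so a request arriving on the IPv6 TFTP socket with no PKTINFO cmsg is reported as AF_INET with an all-zero address. The family is known here: network.c's create_ipv6_listener_tftp sets `l->family = AF_INET6` on the listener that owns the v6 tftpfd, so `addr.sa.sa_family = listen->family;` is enough.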
@@ -122,6 +121,19 @@
addr.in.sin_addr = p.p->ipi_spec_dst;
if_index = p.p->ipi_ifindex;
  }
+#ifdef HAVE_IPV6
+   else if (cmptr->cmsg_level == SOL_IPV6 && cmptr->cmsg_type == 
daemon->v6pktinfo)
+ {
+   union {
+ unsigned char *c;
+ struct in6_pktinfo *p;
+   } p;
+   p.c = CMSG_DATA(cmptr);
+   addr.in6.sin6_family = AF_INET6;
+   memcpy(&addr.in6.sin6_addr, &p.p->ipi6_addr, 
sizeof(addr.in6.sin6_addr));
+   if_index = p.p->ipi6_ifindex;
+ }
+#endif
 
 #elif defined(HAVE_SOLARIS_NETWORK)
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, 
cmptr))
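Review bot: the IPv6 branch copies ipi6_addr and records ipi6_ifindex in if_index but never sets addr.in6.sin6_scope_id; for a request that arrived on a link-local (fe80::) address the reply source is ambiguous without the scope and sending from it fails, so add `addr.in6.sin6_scope_id = p.p->ipi6_ifindex;` (at least when IN6_IS_ADDR_LINKLOCAL holds).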
@@ -136,6 +148,14 @@
addr.in.sin_addr = *(p.a);
  else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == 
IP_RECVIF)
if_index = *(p.i);
+#ifdef HAVE_IPV6
+ /* Solaris does not have IPV6_RECVDSTADDR AFAIK, */
+ else if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == 
IP_RECVIF)
+   {
+ addr.in6.sin6_family = AF_INET6;
+ if_index = p.s->sdl_index;
+   }
+#endif
}
 
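Review bot: `p.s->sdl_index` assumes the cmsg union in this Solaris branch has a `struct sockaddr_dl *s` member, but the existing Solaris code two lines above reads IP_RECVIF through `*(p.i)`, so this is unlikely to compile there; use `*(p.i)` as the IPv4 line does. The test also pairs level IPPROTO_IPV6 with the IPv4 option value IP_RECVIF, and the comment concedes no destination address is recovered, so addr.in6.sin6_addr stays zero on this platform; a TODO saying that the v6 reply will go out from the wildcard source would save the next reader a debugging session.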
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
@@ -144,6 +164,9 @@
  union {
unsigned char *c;
struct in_addr *a;
+#ifdef HAVE_IPV6
+   struct in6_addr *b;
+#endif
struct sockaddr_dl *s;
  } p;
  p.c = CMSG_DATA(cmptr);
@@ -151,6 +174,18 @@
addr.in.sin_addr = *(p.a);
  else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == 
IP_RECVIF)
if_index = p.s->sdl_index;
+#ifdef HAVE_IPV6
+ else if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == 
IPV6_RECVDSTADDR)
+   {
+ addr.in6.sin6_family = AF_INET6;
+ memcpy(&addr.in6.sin6_addr, p.b, sizeof(addr.in6.sin6_addr));
+   }
+ else if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == 
IP_RECVIF)
+   {
+ addr.in6.sin6_family = AF_INET6;
+ if_index = p.s->sdl_index;
+   }
+#endif
}
 
 #endif
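Review bot: `cmsg_type == IPV6_RECVDSTADDR` with a bare `struct in6_addr *` payload does not match what network.c requests on the IPv6 socket: create_ipv6_listener_tftp enables IPV6_RECVPKTINFO (or IPV6_PKTINFO / IPV6_2292PKTINFO), which delivers a `struct in6_pktinfo` under cmsg_type daemon->v6pktinfo, exactly as the Linux branch above handles it. Use the same in6_pktinfo handling here and take both the address and ipi6_ifindex from it instead of the IP_RECVIF-under-IPPROTO_IPV6 test.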
@@ -172,13 +207,13 @@
   for (ir = daemon->tftp_interfaces; ir; ir = ir->next)
if (strcmp(ir->interface, name) == 0)
  break;
-   
+
   if (!ir)
{
  if (!daemon->tftp_unlimited || !check)
return;
- 
-#ifdef HAVE_DHCP  
+
+#ifdef HAVE_DHCP
  /* allowed interfaces are the same as for DHCP */
  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
if (tmp->name && (strcmp(tmp->name, name) == 0))



Re: [Dnsmasq-discuss] TFTP for IPv6

2010-06-18 Thread Jan 'RedBully' Seiffert
Simon Kelley schrieb:
> Adding IPv6 support would be fairly simple: the DNS part of dnsmasq does
> do IPv6, so all the bits are already in place, there just need to be an
> IPv6 socket listening as well as an IPv4 one, and a couple of address
> fields in structures need to be extended to hold IPv6 addresses.
> 

step one:
widen the addresses used in tftp.c for use with IPv4 & IPv6

Only compile tested, I do not have any netboot stuff.

> Cheers,
> 
> Simon.
> 

Greetings
Jan

-- 
// Replaces with spaces the braces in cases where
// braces in places cause stasis
   $str = str_replace(array("\{","\}")," ",$str);
=== modified file 'src/dnsmasq.h'
--- upstream/src/dnsmasq.h  2010-05-21 10:12:20 +
+++ ipv6_tftp/src/dnsmasq.h 2010-06-18 16:23:46 +
@@ -601,7 +601,7 @@
   int backoff;
   unsigned int block, blocksize, expansion;
   off_t offset;
-  struct sockaddr_in peer;
+  union mysockaddr peer;
   char opt_blocksize, opt_transize, netascii, carrylf;
   struct tftp_file *file;
   struct tftp_transfer *next;
@@ -790,6 +790,7 @@
 char *print_mac(char *buff, unsigned char *mac, int len);
 void bump_maxfd(int fd, int *max);
 int read_write(int fd, unsigned char *packet, int size, int rw);
+const char *mysockaddr_print(const union mysockaddr *src, char *dst, unsigned 
cnt);
 
 /* log.c */
 void die(char *message, char *arg1, int exit_code);
@@ -824,6 +825,7 @@
 struct listener *create_wildcard_listeners(void);
 struct listener *create_bound_listeners(void);
 int iface_check(int family, struct all_addr *addr, char *name, int *indexp);
+int iface_check_mysockaddr(union mysockaddr *addr, char *name, int *indexp);
 int fix_fd(int fd);
 struct in_addr get_ifaddr(char *intr);
 

=== modified file 'src/network.c'
--- upstream/src/network.c  2010-06-18 14:22:05 +
+++ ipv6_tftp/src/network.c 2010-06-18 16:23:49 +
@@ -186,6 +186,17 @@
   
   return ret; 
 }
+
+int iface_check_mysockaddr(union mysockaddr *addr, char *name, int *indexp)
+{
+  if (AF_INET == addr->sa.sa_family)
+return iface_check(addr->sa.sa_family, (struct all_addr 
*)&addr->in.sin_addr, name, indexp);
+#ifdef HAVE_IPV6
+  else if (AF_INET6 == addr->sa.sa_family)
+return iface_check(addr->sa.sa_family, (struct all_addr 
*)&addr->in6.sin6_addr, name, indexp);
+#endif
+  return 0;
+}
   
 static int iface_allowed(struct irec **irecp, int if_index, 
 union mysockaddr *addr, struct in_addr netmask) 
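Review bot: iface_check_mysockaddr returns 0 for any family other than AF_INET and (with HAVE_IPV6) AF_INET6, which is the safe deny default, but nothing says so; a one-line comment above `return 0;` stating that unknown families are rejected would keep someone from "fixing" it to 1 later.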

=== modified file 'src/tftp.c'
--- upstream/src/tftp.c 2010-05-21 10:10:06 +
+++ ipv6_tftp/src/tftp.c2010-06-18 16:33:32 +
@@ -20,7 +20,7 @@
 
 static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, int 
special);
 static void free_transfer(struct tftp_transfer *transfer);
-static ssize_t tftp_err(int err, char *packet, char *mess, char *file);
+static ssize_t tftp_err(int err, char *packet, const char *mess, const char 
*file);
 static ssize_t tftp_err_oops(char *packet, char *file);
 static ssize_t get_block(char *packet, struct tftp_transfer *transfer);
 static char *next(char **p, char *end);
@@ -43,7 +43,7 @@
   ssize_t len;
   char *packet = daemon->packet;
   char *filename, *mode, *p, *end, *opt;
-  struct sockaddr_in addr, peer;
+  union mysockaddr addr, peer;
   struct msghdr msg;
   struct iovec iov;
   struct ifreq ifr;
@@ -89,10 +89,16 @@
 
   if ((len = recvmsg(listen->tftpfd, &msg, 0)) < 2)
 return;
-  
+
+  memset(&addr, 0, sizeof(addr));
+// TODO: get proper address family
+  addr.sa.sa_family = AF_INET;
+#ifdef HAVE_SOCKADDR_SA_LEN
+  addr.sa.sa_len = sizeof(addr);
+#endif
   if (daemon->options & OPT_NOWILD)
 {
-  addr = listen->iface->addr.in;
+  addr.in = listen->iface->addr.in;
   mtu = listen->iface->mtu;
   name = listen->iface->name;
 }
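Review bot: `addr.sa.sa_len = sizeof(addr);` stores the size of the whole mysockaddr union; on systems with sa_len the kernel expects the size of the concrete sockaddr, as the step-three network.c hunk does with `addr.in6.sin6_len = sizeof(addr.in6);`, so set it per family. The `// TODO: get proper address family` line also uses `//` in a file that otherwise uses `/* */`.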
@@ -102,8 +108,8 @@
   int check;
   struct interface_list *ir;
 
-  addr.sin_addr.s_addr = 0;
-  
+// TODO: this looks like recvfromto
+  /* and needs to be pimped for IPv6 */
 #if defined(HAVE_LINUX_NETWORK)
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, 
cmptr))
if (cmptr->cmsg_level == SOL_IP && cmptr->cmsg_type == IP_PKTINFO)
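Review bot: the removed `addr.sin_addr.s_addr = 0;` is covered by the memset added in the previous hunk, so behaviour is unchanged; but the two replacement lines mix `//` and `/* */` comment styles, and a TODO that says "looks like recvfromto" would be more useful naming the intended change (move this cmsg walk into a shared recvfromto helper used by both the DNS and TFTP paths).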
@@ -113,10 +119,10 @@
  struct in_pktinfo *p;
} p;
p.c = CMSG_DATA(cmptr);
-   addr.sin_addr = p.p->ipi_spec_dst;
+   addr.in.sin_addr = p.p->ipi_spec_dst;
if_index = p.p->ipi_ifindex;
  }
-  
+
 #elif defined(HAVE_SOLARIS_NETWORK)
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, 
cmptr))
{
@@ -127,7 +133,7 @@
  } p;
  p.c = CMSG_DATA(cmptr);
  if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == 
IP_RECVDSTADDR)
-   addr.sin_addr = *(p.a);
+   addr.in.sin_addr = *(p.a);
  else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == 
IP_RECVIF)
if_index = *(p.i);
}
@@ -142,19 +148,25 @@
  } p;
  p

Re: [Dnsmasq-discuss] "next server" and "vendor encapsulated"

2010-06-13 Thread Jan 'RedBully' Seiffert
Helmut Hullen schrieb:
[snip]
> 
> My first trial:
> Dnsmasq version 2.52
> 
> -
> 
> dhcp-mac = set:fog, 11.22.33.44.55.66
> # beliebig oft zu wiederholen
> 
> pxe-service = tag:fog,x86PC,"fog",192.168.0.5
> pxe-service = tag:!fog,x86PC,"Arktur",192.168.0.1
> #
> 
> -
> 
> But that produces an error message in the "pxe-service" line(s).
> 
> What is still wrong?
> 

The dnsmasq version; the tagging system is new in 2.53 aka 2.54.

> 
> Viele Gruesse!
> Helmut
> 

Greetings
Jan

-- 
// Replaces with spaces the braces in cases where
// braces in places cause stasis
   $str = str_replace(array("\{","\}")," ",$str);



Re: [Dnsmasq-discuss] segfault - Re: No dnsmasq after starting openVPN?!

2010-06-06 Thread Jan 'RedBully' Seiffert
Arno Wald schrieb:
> On 06.06.2010 12:06, Arno Wald wrote:
>> I did not enter anything but just started openvpn. The dnsmasq process
>> did not disappear. In gdb I entered "c" and after this "bt" and "q":
> 
> I did the same with a self compiled dnsmasq package following this guide
> http://jameswestby.net/tips/tips/compiling-debian-package-for-debug.html
> 
> and the result is this:
> 
> (gdb) c
> Continuing.
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x08067156 in netlink_multicast () at netlink.c:249
> 249   for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, 
> (size_t)len); h = NLMSG_NEXT(h, len))
> (gdb) bt
> #0  0x08067156 in netlink_multicast () at netlink.c:249
> #1  0x0805cea5 in main (argc=9, argv=0xbfff3554) at dnsmasq.c:662
> 
> 
> Does this help?
> 

I'm not Simon, but from a quick look:
Kind of...
Looks like when openvpn creates its interfaces (or route or whatever), the
netlink message sent to dnsmasq to inform dnsmasq of the new interface crashes
dnsmasq.
But I still do not grok that code there...
Opaque binary structures *sigh*, some printf would be nice.

Can you try again with gdb typing in:
bt full
info frame
info registers
disass $pc
list

Hmmm, and maybe smuggling a "-g3" into the CFLAGS used to compile dnsmasq would be
nice.

> Greetings,
> Arno
> 

Thanks for your time testing this

Greetings
Jan

-- 
"If you give someone a program, you will frustrate them for a day;
if you teach them how to program, you will frustrate them for a lifetime."
— Anonymous



Re: [Dnsmasq-discuss] Iterative queries (Re: "NS" records)

2010-05-12 Thread Jan 'RedBully' Seiffert
clemens fischer schrieb:
[snip]
> When testing the recent testing version with the "rebind-domain-ok"
> option (2.53test25) I noticed that dnsmasq doesn't do iterative queries,
> "only" recursive ones.

Yes, and that is the way it is intended.

> This means dnsmasq forwards queries to an ISP's resolver

Or another fully recursing resolver.

[snip]
> On a related note, I'm reluctant to use dnsmasq as the only DNS resolver
> because of this, because of the "recent" discoveries about cache
> poisoning attacks.

dnsmasq has measures against this.

> I cannot be sure that my provider has its act together

Sure, the upstream server also has to be "clean".

> and does everything to thwart them.  Moreover, my provider
> (kabel-deutschland.de) takes part in censoring the 'net after IMO
> misguided legislation against child pornography[1].  Please, I don't want
> any big discussion on this list about this particular point

No big discussion?
Forward your dnsmasq to a local _standalone_ recursor. It can run on the same
machine.
Examples of standalone recursors are the PowerDNS recursor, or the recursor part
of djbdns.
They ONLY recurse (ok, plus cache), and that is what they do well.
Set their listen address to 127.0.0.1:2525, only allowed from 127.0.0.1, set
dnsmasq's upstream server to 127.0.0.1:2525; you can then also switch off
dnsmasq's port randomization.

> but so far my life was peaceful and simple by using resolvers doing 
> top down iterative queries.
> 
> Is it much work to fit dnsmasq with iterative query support, considering
> that all the code is practically there?

Yes, because dnsmasq has all the code to "handle DNS" (and dhcp, and tftp), but
its structure and control flow is quite simple (which makes the whole program
lean and mean), it only has minimal transient state for a query (and anything 
else).
For full recursion, you have to "keep on working" on a query, till it is fully
resolved (Send query here, answer or timeout, send query there...). This makes
full recursor "complicated". dnsmasq is more a simple pipeline: Receive query,
do we have it in cache? No -> dump it upstream (kind of fire and forget).

What makes dnsmasq often so sexy is the swiss army knife you additionally get in
the collector's box edition. Unfortunately the knife starts to outgrow the box...
;)

>  If so, dnsmasq would surely be the most compact program with all its 
> features!
> 

Simply pair it with a standalone recursor.

> 
> clemens
> 

Greetings
Jan


-- 
Miksch's Law:
If a string has one end, then it has another end.



Re: [Dnsmasq-discuss] Why is dnsmasq handing out the same IP to different MACs?

2010-04-13 Thread Jan 'RedBully' Seiffert
Paul Smith schrieb:
> On Mon, 2010-04-12 at 20:51 +0100, Simon Kelley wrote:
[snip]
>> You are seeing problems because you are running lots of hosts through
>> the address-aquisition process simultaneously and their MAC addresses
>> are all very similar because they have the same manufacturer. This is
>> causing the rather unsophisticated hash function to generate lots of
>> collisions.
> 
> Would it be better to give the lower octets in the MAC more impact on
> the hash, on the assumption they will be "more random" in general than
> the higher octets which are vendor-based?
> 

Hmm, maybe I'm missing something here, but what you suggest is "the most
natural" thing in the world.
For a good hash one always wants a single bit change to generate a big
difference in the result, and esp. for "hashtable" hashes (that's what basically
happens here) a uniform distribution.

So I'm a little surprised Simon reinvented the wheel.

Since this does not look like the most performance critical code, what's wrong
with something like the Jenkins hash, just to throw a name out there. Pick one
of the "tested" ones (tests like
). And no, I would not
recommend murmur for dnsmasq, because it will not work well with the embedded
MIPS and ARM CPUs without hardware multiplication.

Greetings
Jan


-- 
class WindowsVista extends WindowsXP implements nothing
{}
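Added example to put numbers on the point about similar MAC addresses from one vendor; it is not dnsmasq's allocation hash and not Simon's code. jenkins_oaat_mac() is Bob Jenkins' one-at-a-time hash over the six MAC bytes; byte_sum_mac() is a deliberately weak stand-in (not the real dnsmasq function, whose details are not on this page) chosen so the contrast is visible. The six constructed MACs share a vendor prefix and differ only in the order of their low octets; the avalanche_score() metric and the 65536-bucket table size are choices for this example:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t (*mac_hash_fn)(const uint8_t mac[6]);

/* Bob Jenkins' one-at-a-time hash over the 6 MAC bytes: shifts, adds and
 * xors only, no multiply. */
uint32_t jenkins_oaat_mac(const uint8_t mac[6])
{
    uint32_t h = 0;
    for (int i = 0; i < 6; i++) {
        h += mac[i];
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Deliberately weak hash for comparison: the plain byte sum. A stand-in
 * chosen for this example, not the function dnsmasq uses. */
uint32_t byte_sum_mac(const uint8_t mac[6])
{
    uint32_t h = 0;
    for (int i = 0; i < 6; i++)
        h += mac[i];
    return h;
}

static int popcount32(uint32_t x)
{
    int n = 0;
    while (x) { x &= x - 1; n++; }
    return n;
}

/* Average number of the 32 output bits that change when a single one of the
 * 48 input bits of `mac` is flipped; about 16 is what a good hash gives. */
double avalanche_score(mac_hash_fn h, const uint8_t mac[6])
{
    uint32_t base = h(mac);
    int total = 0;
    for (int bit = 0; bit < 48; bit++) {
        uint8_t flipped[6];
        memcpy(flipped, mac, 6);
        flipped[bit / 8] ^= (uint8_t)(1u << (bit % 8));
        total += popcount32(base ^ h(flipped));
    }
    return total / 48.0;
}

/* How many distinct buckets (of nbuckets) the first n MACs (n <= 64) occupy. */
size_t distinct_buckets(mac_hash_fn h, const uint8_t macs[][6], size_t n, uint32_t nbuckets)
{
    uint32_t seen[64];
    size_t nseen = 0;
    for (size_t i = 0; i < n && i < 64; i++) {
        uint32_t b = h(macs[i]) % nbuckets;
        size_t j;
        for (j = 0; j < nseen; j++)
            if (seen[j] == b)
                break;
        if (j == nseen)
            seen[nseen++] = b;
    }
    return nseen;
}

/* Constructed sample: same vendor prefix, low octets permuted. Every byte
 * sum is identical, so a sum-based hash puts all six in one bucket. */
#define N_SAMPLE_MACS 6
const uint8_t SAME_VENDOR_MACS[N_SAMPLE_MACS][6] = {
    {0x00,0x1b,0x21,0x10,0x20,0x30}, {0x00,0x1b,0x21,0x10,0x30,0x20},
    {0x00,0x1b,0x21,0x20,0x10,0x30}, {0x00,0x1b,0x21,0x20,0x30,0x10},
    {0x00,0x1b,0x21,0x30,0x10,0x20}, {0x00,0x1b,0x21,0x30,0x20,0x10},
};

int main(void)
{
    printf("byte sum : %zu distinct buckets, avalanche %.1f bits\n",
           distinct_buckets(byte_sum_mac, SAME_VENDOR_MACS, N_SAMPLE_MACS, 65536),
           avalanche_score(byte_sum_mac, SAME_VENDOR_MACS[0]));
    printf("jenkins  : %zu distinct buckets, avalanche %.1f bits\n",
           distinct_buckets(jenkins_oaat_mac, SAME_VENDOR_MACS, N_SAMPLE_MACS, 65536),
           avalanche_score(jenkins_oaat_mac, SAME_VENDOR_MACS[0]));
    return 0;
}
```

The byte sum lands all six hosts in one bucket and moves only a few output bits per flipped input bit, while one-at-a-time spreads them out and flips roughly half of the 32 output bits. It also needs no multiplier, which is the property asked for above for MIPS and ARM cores without hardware multiplication; MurmurHash is built on 32-bit multiplies.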



Re: [Dnsmasq-discuss] wildcard in address switch

2010-03-24 Thread Jan 'RedBully' Seiffert
simon stenning schrieb:
> Hi
> 
> I would like to implement wildcards in the address switch, along the lines
> of
> 
[snip]
> Is this possible? Is there a wildcard character to be added ie
> 
> address=/%domain%/127.0.0.1/
> 

Besides '#', which will match any domain, no, there is no wildcard character.

But are regex good enough?
Last version of my patch is at:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q1/003643.html

with it you can write:
address=/:domain:/127.0.0.1/
or
address=/:[td]omain\.(org|com|net):/127.0.0.1/

> Thanks in advance
> 
> Simon
> 
Greetings
Jan

-- 
class WindowsVista extends WindowsXP implements nothing
{}



Re: [Dnsmasq-discuss] Add address file option

2010-03-05 Thread Jan 'RedBully' Seiffert
Perette Barella schrieb:

Was this mail also meant to go to the list?

> On 2010年03月05日, at 12:16, Jan 'RedBully' Seiffert wrote:
[snip]
> As far as coming up with a way to handle restarting dnsmasq without
> hiccups... I tend to agree with Brad... if you need 100% uptime, a better
> solution is a secondary DNS server rather than complexifying the heck out of
> dnsmasq.
> 

Maybe my babbling was a little bit confusing:
Simon asked a question, and I _tried_ to give an answer, and I even talked a
little bit further on _theoretical_ solutions. I must confess I am a little bit
fascinated by this solution, that one can write software which does such a
thing, because it's like changing your tires while still driving...
Cool down guys (and girls), I didn't demand that, and as I already said, that
would be overkill.
I do _not_ even need that. I can live with "/etc/init.d/exim stop" on my mail server
and yelling over to the others that they should click nothing for the next seconds.
"Timber!"

Still, reconfiguring certain aspects, also in "busy hours", on the fly can be
neat. I am happy with the possibilities as they are right now, but others seem
to have some unscratched itches...

> Perette
> 
> 
Greetings
Jan

-- 
The only problem with troubleshooting is that sometimes,
trouble shoots back.



Re: [Dnsmasq-discuss] Add address file option

2010-03-05 Thread Jan 'RedBully' Seiffert
Simon Kelley schrieb:
[snip]
>> I'd be rather more inclined to extend the DBus interface, which allows
>>> dynamic setting of servers (but not source ports)
>>>
>>> I'm still bewildered why people are so allergic to restarting dnsmasq:
>>> it takes almost no time, doesn't disrupt existing connections and the
>>> only state lost is the cache, which is quickly and transparently
>>> replaced.
>>>
> Can anybody answer this?
> 

I think it's:
Even if it's fast, it's not fast enough.
If a query comes in exactly during this blip, it will fail and you have to deal
with users who are not that firm with computers going "the internet is down".
It's even enough that some other service may barf a little bit louder because
one name query failed (dumb example: your mail server wants to resolve in that
very moment, couldn't, and now rejects the mail).
And there is always the risk that the new dnsmasq will not come up, because you made
a silly typo in the config, or something like that. Depending on how fast you
can rectify the situation, you now have a real window where you are without name
resolution.
If one can avoid that, one will avoid that.

To really make the "restart will be fine" option workable, dnsmasq needs some
kind of "continuous service" feature. Which means: implement a special take-over
restart.
The old dnsmasq gets signaled by a socket somewhere in /var/run that a new
instance is starting; it will finish its in-flight actions, but not start new
actions, and then pass the "important" fds over the socket to the new dnsmasq
instance when it signals "all systems go". This way no packet is lost and
service is not disrupted by a restart.
(And this doesn't work if the admin changes something on listen-address,
interface, except-interface, bind-interfaces...)

And that is overkill for dnsmasq, you do something like that if you do not want
to drop VoIP-calls or something like that, so back to the "avoid restart" 
scheme...

> Cheers,
> 
> Simon.
> 

Greetings
Jan

-- 
Networking? That is for fishermen.



Re: [Dnsmasq-discuss] IP address based on switch port number (option 82)

2010-02-18 Thread Jan 'RedBully' Seiffert
Simon Kelley schrieb:
> Jan 'RedBully' Seiffert wrote:
> 
>> I see where this will all lead to ... a tag construction tool with dnf
>> generation and Quine–McCluskey minimizer.
> 
> Perfect! I look forward to the patch. My non-backpropagating tag-if
> evaluator took 11 lines of code. I'll give you an allowance of double
> that :-)
> 

Me and my big mouth...
Maybe I didn't express myself right. I didn't think of that as a runtime
component of dnsmasq.
dnsmasq would simply evaluate what it finds in its config, nothing fancy whatsoever.

This DNF evaluation is nice and correct, but very "raw" (at times) and a nice
brain jogging for the average admin. Simple cases are still easy (which would mean no
need to change a thing for the majority of setups), but it can get complex to
achieve "involved" logic. It is like a GAL or a CD4019. Infinite in possibility,
but at some point you had better be able to show some millimeters of "digital guru beard"
(for the analog equivalent see Bob Pease).

What I meant in this little comment was more like an external tool where someone
can specify their matching needs in a more practical/natural manner and click
"make it so", and it would throw out some lines of "tag-if" one can C&P into one's
config. Ideally you can click your needs, some kind of GUI. This can be written
in some scripting language, evaluation time is unimportant, some seconds is fast
enough. This could even be a webpage, either with scripting on the server or
JS-foo.
@Helmut: Yes, sure, but from the above, it is better than nothing, "simple",
maybe readily available (don't know, some "import from logic.quine" in some of
those fancy languages?).

ATM I'm more interested in seeing the evaluation code, I have some thoughts
going around my head on how to make such a DNF evaluation efficient (with
bitfields), and get in some kind of edge triggered back propagation.

After i get this to_base32 code fast...

> Cheers,
> 
> Simon
> 
> 
> 
Greetings
Jan

-- 
If you're sending someone Styrofoam, what do you pack it in?



Re: [Dnsmasq-discuss] IP address based on switch port number (option 82)

2010-02-18 Thread Jan 'RedBully' Seiffert
richardvo...@gmail.com schrieb:
> On Wed, Feb 17, 2010 at 3:05 PM, Simon Kelley  wrote:
>> richardvo...@gmail.com wrote:
>>
[snip]
> Actually, instead of prohibiting use of tags set by tag-if for further
> tag-if, I think it's more reasonable to execute the lines in order and
> generate a warning if there's any attempted backpropagation.

Hmmm, backpropagation is fun, this way one could build flip-flops, state
machines...

Let me think. All you need is clock-gated logic.
You have an array of input states, you evaluate the logic equations generating an
output state. When you are done with all equations, your output state becomes
your next input state:

   ST              ST'
 | a |           | a'|
 | b |   eval    | b'|
 | c |  ------>  | c'|
 | d |           | d'|

memcpy(ST, ST', sizeof(ST)); /* or swizzle the pointer */

if(ST[tag_asked_for]) {
/* whatever */
}

But this could get a little confusing for those not used to logic circuitry...

I see where this will all lead to ... a tag construction tool with dnf
generation and Quine–McCluskey minimizer.

Greetings
Jan

-- 
programmer, n:
A red eyed, mumbling mammal capable of conversing with inanimate
monsters.
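Added example of the clocked evaluation sketched above, next to the single-pass in-order evaluation and the backpropagation warning proposed in the quoted message; it is not dnsmasq's tag-if code. Tags are bits in a 32-bit state word, a tag_rule holds the tag:/tag:!/set: parts of one line as masks, and the two rule sets (BACKPROP_RULES, OSCILLATOR_RULES), the tag names and MAX_CLOCKS are constructed for this example:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CLOCKS 16                 /* bound for eval_clocked() */
#define TAG(n) (1u << (n))

/* Tag universe for the constructed samples. */
enum { T_A = TAG(0), T_EARLY = TAG(1), T_LATE = TAG(2), T_X = TAG(3) };

/* One tag-if line reduced to masks: it fires when every `need` bit is set
 * and no `forbid` bit is set in the state it reads; firing sets `sets`. */
struct tag_rule {
    uint32_t need;    /* tag:X conditions */
    uint32_t forbid;  /* tag:!X conditions */
    uint32_t sets;    /* set:X results */
};

static int rule_fires(const struct tag_rule *r, uint32_t st)
{
    return (st & r->need) == r->need && (st & r->forbid) == 0;
}

/* Single pass in config order: each rule only sees tags set by rules above it. */
uint32_t eval_in_order(const struct tag_rule *rules, size_t n, uint32_t inputs)
{
    uint32_t st = inputs;
    for (size_t i = 0; i < n; i++)
        if (rule_fires(&rules[i], st))
            st |= rules[i].sets;
    return st;
}

/* The warning proposed in the quoted mail: count rules that test a tag which
 * no rule above them produces but some rule at or below them does. Such a
 * test can never see that tag in a single in-order pass. */
size_t count_backpropagation(const struct tag_rule *rules, size_t n)
{
    uint32_t produced_all = 0, produced_above = 0;
    size_t warnings = 0;
    for (size_t i = 0; i < n; i++)
        produced_all |= rules[i].sets;
    for (size_t i = 0; i < n; i++) {
        uint32_t tested = rules[i].need | rules[i].forbid;
        if (tested & produced_all & ~produced_above)
            warnings++;
        produced_above |= rules[i].sets;
    }
    return warnings;
}

/* Clocked evaluation: every rule reads ST and writes into ST', which starts
 * as the external inputs only; then ST' becomes the next ST. Stops at a
 * fixed point, or after MAX_CLOCKS because feedback rules may oscillate.
 * `clocks` (may be NULL) receives the number of clocks run. */
uint32_t eval_clocked(const struct tag_rule *rules, size_t n, uint32_t inputs, int *clocks)
{
    uint32_t st = inputs;
    int c;
    for (c = 0; c < MAX_CLOCKS; c++) {
        uint32_t next = inputs;
        for (size_t i = 0; i < n; i++)
            if (rule_fires(&rules[i], st))
                next |= rules[i].sets;
        if (next == st)
            break;
        st = next;
    }
    if (clocks)
        *clocks = c;
    return st;
}

/* Convenience: how many clocks the rules needed; MAX_CLOCKS means "never settled". */
int clocks_to_converge(const struct tag_rule *rules, size_t n, uint32_t inputs)
{
    int clocks;
    eval_clocked(rules, n, inputs, &clocks);
    return clocks;
}

/* Constructed rule sets. BACKPROP_RULES: line 1 needs a tag that only line 2
 * sets. OSCILLATOR_RULES: a tag that is set exactly when it is clear. */
const struct tag_rule BACKPROP_RULES[2] = {
    { T_LATE, 0, T_EARLY },   /* tag-if set:early, tag:late */
    { T_A,    0, T_LATE  },   /* tag-if set:late,  tag:a    */
};
const struct tag_rule OSCILLATOR_RULES[1] = {
    { 0, T_X, T_X },          /* tag-if set:x, tag:!x */
};

int main(void)
{
    int clocks;
    uint32_t st = eval_clocked(BACKPROP_RULES, 2, T_A, &clocks);
    printf("in-order: 0x%x  clocked: 0x%x after %d clocks, %zu backprop warning(s)\n",
           eval_in_order(BACKPROP_RULES, 2, T_A), st, clocks,
           count_backpropagation(BACKPROP_RULES, 2));
    eval_clocked(OSCILLATOR_RULES, 1, 0, &clocks);
    printf("oscillator: stopped after %d clocks (MAX_CLOCKS=%d)\n", clocks, MAX_CLOCKS);
    return 0;
}
```

eval_clocked() recomputes every tag-if output from the base inputs on each clock, which is what makes feedback (and thus flip-flops) possible; the price is that a rule such as set:x when tag:!x never settles, so the clock count is bounded and a caller should treat reaching MAX_CLOCKS as a configuration error rather than accept whatever state the loop stopped in.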



Re: [Dnsmasq-discuss] forwarding-loop mitigation.

2010-02-17 Thread Jan 'RedBully' Seiffert
Simon Kelley schrieb:
> Alberto's query got me thinking: If dnsmasq were to read the value of 
> the IP hop-count on incoming queries, and decrement it when forwarding, 
> loops would be squashed in the same way as IP layer-three forwarding.
> 
> Can anyone see a problem with this?
> 

If I'm not mistaken, the IP hop-count is always "reset" since the packet reached its
destination (it is received) even if you or the other end "forwards the query"
(you do so on a higher protocol level, DNS).
And DNS has no hop count AFAIKS.

But maybe I don't get it...
This means you AND the remote end have to fudge with low level IP protocol
stuff.
If the other end of the loop does not do the same thing, you gained nothing?

Nearby: getting to that info (the hop count on reception) is ... ugly. But since
you already have to deal with IP_PKTINFO, IP_RECVHOPLIMIT is only an additional
pain.
But this also means you also have to set the hop count on send.

> Simon.
> 

Greetings
Jan

-- 
/home
sweet
/home



[Dnsmasq-discuss] Extra Extra: regex patch buggy

2010-02-04 Thread Jan 'RedBully' Seiffert
dnsmasq received SIGSEGV!
Jan screwed up!
Simon says: `fortune`
New patch in attachment

reproducer:
set up a line like: server=/somedomain/$some_ip
add a regex address match
query for somedomain

Depending on the order of config statements &&/|| if $some_ip could be reached,
dnsmasq dies in forward.c because that part is not "regex ready" (NULL deref,
because regexes do not have a domain string).
Yep, I have totally overlooked this interaction (like prob. many others).

Solution:
Let's also match server lines with a regex!

I also changed the order in which an "if" is evaluated; after a little run in my
brain's logic evaluator this should be a NOP (besides doing a cheap flag test
before an expensive string compare/regex compare), but I could be wrong...
Regex matches on "server" do not try to find the longest match, this could give
you some funky problems if you use very elaborate matching rules.
Maybe I will take that server match out again, it's enough if dnsmasq does not
crash in that place...

By the way, never ever set a regex on "local", dragons be there...
Which reminds me to state:
Patch is only lightly tested in my small environment, there are probably a million
bugs left (as before), this is just a quick fix for the problem at hand.
Take this incident as a friendly little reminder that this change is a deep
poke into dnsmasq's internals.

I better not touch any source code ever again...

New patch against 2.52 attached. Apply with -p1.
Also with conditional compilation, so don't forget to add HAVE_REGEX to your
COPTS like:
make COPTS=-DHAVE_REGEX
or uncomment it in config.h

Greetings
Jan

-- 
John encountered the following Zen-like line in his generated XML:
<>There is no phenotype
He was enlightened.
=== modified file 'Makefile'
--- upstream/Makefile	2010-01-23 19:48:37 +
+++ regex/Makefile	2010-01-23 19:49:07 +
@@ -32,8 +32,9 @@
 PO = po
 MAN = man
 
-DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
-DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS  $(PKG_CONFIG) --cflags dbus-1` 
+DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS  $(PKG_CONFIG) --libs dbus-1` 
+DNSMASQ_LIBS +=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_REGEX $(PKG_CONFIG) --libs libpcre`
 SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
 
 OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
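Review bot: the two `DNSMASQ_CFLAGS`/`DNSMASQ_LIBS` lines for HAVE_DBUS are removed and re-added with nothing but extra whitespace changed, which makes the hunk look as if it touched the DBus build when it does not; dropping those two whitespace-only edits leaves a one-line hunk that only adds the new `DNSMASQ_LIBS +=` line, which is what the patch is about. The new line also asks pkg-config for `--libs libpcre` only; a matching `--cflags libpcre` entry through the same `pkg-wrapper HAVE_REGEX` call belongs in `DNSMASQ_CFLAGS`, otherwise a pcre installed outside the default include path compiles only by luck.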

=== modified file 'src/config.h'
--- upstream/src/config.h	2010-01-23 19:48:37 +
+++ regex/src/config.h	2010-01-23 19:49:07 +
@@ -147,6 +147,10 @@
define some methods to allow (re)configuration of the upstream DNS 
servers via DBus.
 
+HAVE_REGEX
+   Define this if you want to link against lib pcre to get regex
+   support in "address=" matches
+
 NOTES:
For Linux you should define 
   HAVE_LINUX_NETWORK
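Review bot: the new HAVE_REGEX paragraph only documents `address=` matches, but this message's forward.c change applies the same regex entries to `server=` lines, and nothing here tells the reader how a regex is written. This comment is the only user-visible documentation in the patch, so it should state the `/:pattern:/` form (as in `address=/:^wpad\..*:/192.168.0.1`), that it applies to both `address=` and `server=`, and that an unanchored pattern matches anywhere in the queried name.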
@@ -171,6 +175,7 @@
 #define HAVE_SCRIPT
 /* #define HAVE_BROKEN_RTC */
 /* #define HAVE_DBUS */
+/* #define HAVE_REGEX */
 
 /* Allow TFTP to be disabled with COPTS=-DNO_TFTP */
 #ifdef NO_TFTP

=== modified file 'src/dnsmasq.c'
--- upstream/src/dnsmasq.c	2010-01-23 19:48:37 +
+++ regex/src/dnsmasq.c	2010-01-23 19:49:08 +
@@ -37,6 +37,10 @@
 "no-"
 #endif
 "DBus "
+#ifndef HAVE_REGEX
+"no-"
+#endif
+"regex "
 #ifndef LOCALEDIR
 "no-"
 #endif

=== modified file 'src/dnsmasq.h'
--- upstream/src/dnsmasq.h	2010-01-23 19:48:37 +
+++ regex/src/dnsmasq.h	2010-01-23 19:49:08 +
@@ -120,6 +120,10 @@
 #include 
 #endif
 
+#ifdef HAVE_REGEX
+#  include 
+#endif
+
 /* daemon is function in the C library */
 #define daemon dnsmasq_daemon
 
@@ -319,6 +323,7 @@
 #define SERV_MARK256  /* for mark-and-delete */
 #define SERV_TYPE(SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED 512  /* workspace for log code */
+#define SERV_IS_REGEX   1024  /* server entry is a regex */
 
 struct serverfd {
   int fd;
@@ -337,6 +342,10 @@
   char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
+#ifdef HAVE_REGEX
+  pcre *regex;
+  pcre_extra *pextra;
+#endif
   int flags, tcpfd;
   unsigned int queries, failed_queries;
   struct server *next; 
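Review bot: the two new fields `pcre *regex` and `pcre_extra *pextra` are added to `struct server` without anything in the visible hunks initialising them for non-regex entries or releasing them when an entry is removed (the `SERV_MARK`/mark-and-delete path defined a few lines above). Every place that allocates a `struct server` should zero them, and the delete path should call `pcre_free()` on both when `SERV_IS_REGEX` is set; otherwise each re-read of the configuration leaks the compiled pattern and its study data.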

=== modified file 'src/forward.c'
--- upstream/src/forward.c	2010-01-23 19:48:37 +
+++ regex/src/forward.c	2010-02-04 14:39:20 +
@@ -149,12 +149,38 @@
   }
 else if (serv->flags & SERV_HAS_DOMAIN)
   {
-	unsigned int domainlen = strlen(serv->domain);
-	char *matchstart = qdomain + namelen - domainlen;
-	if (namelen >= domainlen &&
-	hostname_isequal(matchstart, serv->domain) &&
-	domainlen >= matchlen &&
-	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	unsigned int domainlen = matchlen;
+	int serverhit = 0;
+
+#ifdef HAVE_REGEX
+	if (serv->flags & SERV_IS_REGEX)
+	  {
+	int captc

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.52

2010-01-23 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Dnsmasq 2.52 is now available for download from
> 
[snip]

For those interested, my regex patch rediffed against 2.52.
Now new and improved, with the powerful conditional compilation formula!

So don't forget to add HAVE_REGEX to your COPTS like:
make COPTS=-DHAVE_REGEX
or uncomment it in config.h

> 
> Cheers,
> 
> Simon.
> 
Greetings
Jan

[snip]

-- 
"...by all means, do not use a hammer."
(from an IBM documentation, ca. 1920)
=== modified file 'Makefile'
--- old/Makefile	2010-01-23 19:48:37 +
+++ new/Makefile	2010-01-23 19:49:07 +
@@ -32,8 +32,9 @@
 PO = po
 MAN = man
 
-DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
-DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
+DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS  $(PKG_CONFIG) --cflags dbus-1` 
+DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS  $(PKG_CONFIG) --libs dbus-1` 
+DNSMASQ_LIBS +=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_REGEX $(PKG_CONFIG) --libs libpcre`
 SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
 
 OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \

=== modified file 'src/config.h'
--- old/src/config.h	2010-01-23 19:48:37 +
+++ new/src/config.h	2010-01-23 19:49:07 +
@@ -147,6 +147,10 @@
define some methods to allow (re)configuration of the upstream DNS 
servers via DBus.
 
+HAVE_REGEX
+   Define this if you want to link against lib pcre to get regex
+   support in "address=" matches
+
 NOTES:
For Linux you should define 
   HAVE_LINUX_NETWORK
@@ -171,6 +175,7 @@
 #define HAVE_SCRIPT
 /* #define HAVE_BROKEN_RTC */
 /* #define HAVE_DBUS */
+/* #define HAVE_REGEX */
 
 /* Allow TFTP to be disabled with COPTS=-DNO_TFTP */
 #ifdef NO_TFTP

=== modified file 'src/dnsmasq.c'
--- old/src/dnsmasq.c	2010-01-23 19:48:37 +
+++ new/src/dnsmasq.c	2010-01-23 19:49:08 +
@@ -37,6 +37,10 @@
 "no-"
 #endif
 "DBus "
+#ifndef HAVE_REGEX
+"no-"
+#endif
+"regex "
 #ifndef LOCALEDIR
 "no-"
 #endif

=== modified file 'src/dnsmasq.h'
--- old/src/dnsmasq.h	2010-01-23 19:48:37 +
+++ new/src/dnsmasq.h	2010-01-23 19:49:08 +
@@ -120,6 +120,10 @@
 #include 
 #endif
 
+#ifdef HAVE_REGEX
+#  include 
+#endif
+
 /* daemon is function in the C library */
 #define daemon dnsmasq_daemon
 
@@ -319,6 +323,7 @@
 #define SERV_MARK256  /* for mark-and-delete */
 #define SERV_TYPE(SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED 512  /* workspace for log code */
+#define SERV_IS_REGEX   1024  /* server entry is a regex */
 
 struct serverfd {
   int fd;
@@ -337,6 +342,10 @@
   char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
+#ifdef HAVE_REGEX
+  pcre *regex;
+  pcre_extra *pextra;
+#endif
   int flags, tcpfd;
   unsigned int queries, failed_queries;
   struct server *next; 

=== modified file 'src/forward.c'
--- old/src/forward.c	2010-01-23 19:48:37 +
+++ new/src/forward.c	2010-01-23 19:49:08 +
@@ -149,12 +149,38 @@
   }
 else if (serv->flags & SERV_HAS_DOMAIN)
   {
-	unsigned int domainlen = strlen(serv->domain);
-	char *matchstart = qdomain + namelen - domainlen;
-	if (namelen >= domainlen &&
-	hostname_isequal(matchstart, serv->domain) &&
-	domainlen >= matchlen &&
-	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	unsigned int domainlen = matchlen;
+	int serverhit = 0;
+
+#ifdef HAVE_REGEX
+	if (serv->flags & SERV_IS_REGEX)
+	  {
+	int captcount = 0;
+	if (pcre_fullinfo(serv->regex, serv->pextra, PCRE_INFO_CAPTURECOUNT, &captcount) == 0)
+	  {
+		/* C99 dyn-array, or alloca must be used */
+		int ovect[(captcount + 1) * 3];
+		if (pcre_exec(serv->regex, serv->pextra, qdomain, namelen, 0, 0, ovect, (captcount + 1) * 3) > 0)
+		  {
+		domainlen = (unsigned int) (ovect[1] - ovect[0]);
+		if (domainlen >= matchlen)
+		  serverhit = 1;
+		  }
+	  }
+	  }
+	else
+#endif
+	  {
+	domainlen = strlen(serv->domain);
+	char *matchstart = qdomain + namelen - domainlen;
+	if (namelen >= domainlen &&
+	hostname_isequal(matchstart, serv->domain) &&
+	domainlen >= matchlen &&
+	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	   serverhit = 1;
+	  }
+
+	if (serverhit)
 	  {
 	unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 	*type = SERV_HAS_DOMAIN;
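Review bot: `pcre_exec()` is called on `qdomain` without `PCRE_ANCHORED` and the pattern is not anchored at compile time either, so a configured `ad\.` also matches inside `bad.example.com`; either anchor the pattern when it is compiled in option.c or document that `^`/`$` are the admin's job. The `domainlen = (unsigned int) (ovect[1] - ovect[0])` that follows feeds the matched span length into the same `domainlen >= matchlen` comparison that ranks suffix entries, so a short unanchored regex loses to any longer suffix while a `.*` pattern beats everything; that is acceptable, but it is the behaviour the cover note calls "no longest match" and deserves a one-line comment at this spot.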

=== modified file 'src/network.c'
--- old/src/network.c	2010-01-23 19:48:37 +
+++ new/src/network.c	2010-01-23 19:49:08 +
@@ -741,7 +741,7 @@
 	  char *s1, *s2;
 	  if (!(new->flags & SERV_HAS_DOMAIN))
 	s1 = _("unqualified"), s2 = _("names");
-	  else if (strlen(new->domain) == 0)
+	  else if (new->domain && strlen(new->domain) == 0)
 	s1 = _

Re: [Dnsmasq-discuss] how to add regex matching ?

2009-12-21 Thread Jan 'RedBully' Seiffert
Jan 'RedBully' Seiffert wrote:
[snip]
> 
> Looks like my regex patch does not apply to 2.51, so I imported 2.51 into my VCS,
> merged it and regenerated the patch.
> 

And while at it, rediff against dnsmasq-2.52test12

> Apply with:
> cd dnsmasq-2.52test12
> patch -p1 < patchfile_name.patch
> 
> Only compile tested.
> No warranty it won't eat your kitten.
> 
Greetings
Jan

-- 
Networking? That is for fishermen.
=== modified file 'Makefile'
--- upstream/Makefile	2009-12-21 21:54:17 +
+++ regex/Makefile	2009-12-21 21:57:01 +
@@ -35,6 +35,7 @@
 DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
 DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
 SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
+DNSMASQ_LIBS +=`$(PKG_CONFIG) --libs libpcre`
 
 OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
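Review bot: `DNSMASQ_LIBS +=`$(PKG_CONFIG) --libs libpcre`` is unconditional, so this version of the patch makes libpcre (and pkg-config being able to find it) a hard requirement for every dnsmasq build, unlike the `HAVE_DBUS` line above it, which goes through `../bld/pkg-wrapper` and only contributes when the define is present in `COPTS`. Route the pcre line through the same wrapper keyed on a `HAVE_REGEX` define, and add the matching `--cflags libpcre` to `DNSMASQ_CFLAGS`.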

=== modified file 'src/dnsmasq.h'
--- upstream/src/dnsmasq.h	2009-12-21 21:54:17 +
+++ regex/src/dnsmasq.h	2009-12-21 21:57:02 +
@@ -120,6 +120,8 @@
 #include 
 #endif
 
+#include 
+
 /* daemon is function in the C library */
 #define daemon dnsmasq_daemon
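Review bot: the added pcre `#include` sits outside the `#ifdef` block it follows and is therefore unconditional, so dnsmasq.h no longer compiles on a system without the pcre development headers even when no regex entry is configured; wrap it in `#ifdef HAVE_REGEX` together with the `regex`/`pextra` fields added further down and the forward.c branch that uses them.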
 
@@ -319,6 +321,7 @@
 #define SERV_MARK256  /* for mark-and-delete */
 #define SERV_TYPE(SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED 512  /* workspace for log code */
+#define SERV_IS_REGEX   1024  /* server entry is a regex */
 
 struct serverfd {
   int fd;
@@ -337,6 +340,8 @@
   char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
+  pcre *regex;
+  pcre_extra *pextra;
   int flags, tcpfd;
   unsigned int queries, failed_queries;
   struct server *next; 

=== modified file 'src/forward.c'
--- upstream/src/forward.c	2009-12-21 20:04:59 +
+++ regex/src/forward.c	2009-12-21 21:57:02 +
@@ -149,12 +149,36 @@
   }
 else if (serv->flags & SERV_HAS_DOMAIN)
   {
-	unsigned int domainlen = strlen(serv->domain);
-	char *matchstart = qdomain + namelen - domainlen;
-	if (namelen >= domainlen &&
-	hostname_isequal(matchstart, serv->domain) &&
-	domainlen >= matchlen &&
-	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	unsigned int domainlen = matchlen;
+	int serverhit = 0;
+
+	if (!(serv->flags & SERV_IS_REGEX))
+	  {
+	domainlen = strlen(serv->domain);
+	char *matchstart = qdomain + namelen - domainlen;
+	if (namelen >= domainlen &&
+	hostname_isequal(matchstart, serv->domain) &&
+	domainlen >= matchlen &&
+	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	   serverhit = 1;
+	  }
+	else
+	  {
+	int captcount = 0;
+	if (pcre_fullinfo(serv->regex, serv->pextra, PCRE_INFO_CAPTURECOUNT, &captcount) == 0)
+	  {
+		/* C99 dyn-array, or alloca must be used */
+		int ovect[(captcount + 1) * 3];
+		if (pcre_exec(serv->regex, serv->pextra, qdomain, namelen, 0, 0, ovect, (captcount + 1) * 3) > 0)
+		  {
+		domainlen = (unsigned int) (ovect[1] - ovect[0]);
+		if (domainlen >= matchlen)
+		  serverhit = 1;
+		  }
+	  }
+	  }
+
+	if (serverhit)
 	  {
 	unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 	*type = SERV_HAS_DOMAIN;
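Review bot: `pcre_fullinfo(..., PCRE_INFO_CAPTURECOUNT, ...)` runs on every query for every regex server, and its result sizes the VLA `int ovect[(captcount + 1) * 3]`; the capture count is a property of the compiled pattern, so compute it once when the pattern is compiled, store it next to `regex`/`pextra`, and keep the per-query work to the `pcre_exec()` call. The VLA also requires C99 (or `alloca`, as the comment admits), which the rest of dnsmasq does not depend on; a fixed-size `int ovect[30]` plus a cap on the capture count at configuration time avoids both points.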

=== modified file 'src/network.c'
--- upstream/src/network.c	2009-12-21 20:58:05 +
+++ regex/src/network.c	2009-12-21 21:57:02 +
@@ -741,7 +741,7 @@
 	  char *s1, *s2;
 	  if (!(new->flags & SERV_HAS_DOMAIN))
 	s1 = _("unqualified"), s2 = _("names");
-	  else if (strlen(new->domain) == 0)
+	  else if (new->domain && strlen(new->domain) == 0)
 	s1 = _("default"), s2 = "";
 	  else
 	s1 = _("domain"), s2 = new->domain;
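Review bot: the added `new->domain &&` guard stops the `strlen()` crash for regex entries, but the very next branch `s1 = _("domain"), s2 = new->domain;` now takes a `NULL` domain for exactly those entries; `s2` is a string meant for output (its sibling values are `_("names")` and `""`), so a `NULL` here ends up as a `%s` argument, which is undefined behaviour (glibc prints `(null)`, other libcs crash). Add an `else if (new->flags & SERV_IS_REGEX)` branch before the generic domain branch that supplies the pattern text or a fixed `"regex"` label.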

=== modified file 'src/option.c'
--- upstream/src/option.c	2009-12-21 21:54:17 +
+++ regex/src/option.c	2009-12-21 21:57:02 +
@@ -1399,10 +1399,16 @@
 	arg++;
 	while ((end = split_chr(arg, '/')))
 	  {
-		char *domain = NULL;
+		char *domain = NULL, *regex = NULL;
+		char *real_end = arg + strlen(arg);
 		/* # matches everything and becomes a zero length domain string */
 		if (strcmp(arg, "#") == 0)
 		  domain = "";
+		else if (*arg == ':' && *(real_end - 1) == ':')
+		  {
+		 *(real_end - 1) = '\0';
+		 regex = arg + 1;
+		  }
 		else if (strlen (arg) != 0 && !(domain = canonicalise_opt(arg)))
 		  option = '?'
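Review bot: the regex test `*arg == ':' && *(real_end - 1) == ':'` accepts a lone `:`, because `real_end - 1` is then `arg` itself and the same byte satisfies both halves; `address=/:/...` passes, `*(real_end - 1) = '\0'` empties the string and `regex = arg + 1` points at an empty pattern that matches every query name. Require `strlen(arg) >= 3` (or `real_end - 1 > arg`) before treating the argument as a regex, and reject an empty pattern explicitly; the `strcmp(arg, "#")` case a few lines up already shows how the match-everything entry is meant to be spelled.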

Re: [Dnsmasq-discuss] how to add regex matching ?

2009-12-21 Thread Jan 'RedBully' Seiffert
pulle...@web.de wrote:
> hi,
> is there a version of your patch for 2.51 too?
> 
> I'm not a coder
> 
> :~/dnsmasq-2.51# patch  < attachment-0001.bin
> patching file Makefile
> Hunk #1 FAILED at 27.
> Hunk #2 FAILED at 36.
> Hunk #3 FAILED at 56.
> 3 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
> patching file Makefile
> Hunk #1 FAILED at 8.
> 1 out of 1 hunk FAILED -- saving rejects to file Makefile.rej
> can't find file to patch at input line 45
> Perhaps you should have used the -p or --strip option?
> The text leading up to this was:
> --
> |
> |=== modified file 'src/dnsmasq.h'
> |--- old/src/dnsmasq.h  2009-09-10 23:32:18 +
> |+++ new/src/dnsmasq.h  2009-09-10 23:41:19 +
> --

Looks like my regex patch does not apply to 2.51, so I imported 2.51 into my VCS,
merged it and regenerated the patch.

Apply with:
cd dnsmasq-2.51
patch -p1 < patchfile_name.patch

Only compile tested.
No warranty it won't eat your kitten.

[snip]
 
 hi all,


 running 2.5.1 I would like to reply with 0.0.0.0 for something like ^ad\.*
 I found a hint in early 2007 that a patch exists, unfortunately I can't 
 find it.
 any pointers appreciated.

 thanks
 pulle
[snip]

Greetings
Jan

-- 
assert(!"The excrement has collided with the air circulation device");
=== modified file 'Makefile'
--- upstream/Makefile	2009-12-21 19:01:26 +
+++ regex/Makefile	2009-12-21 19:15:12 +
@@ -33,6 +33,7 @@
 DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
 DNSMASQ_LIBS=  `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
 SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi`
+DNSMASQ_LIBS +=`$(PKG_CONFIG) --libs libpcre`
 
 all :   dnsmasq
 

=== modified file 'src/dnsmasq.h'
--- upstream/src/dnsmasq.h	2009-12-21 19:06:28 +
+++ regex/src/dnsmasq.h	2009-12-21 19:09:21 +
@@ -110,6 +110,8 @@
 #include 
 #endif
 
+#include 
+
 /* daemon is function in the C library */
 #define daemon dnsmasq_daemon
 
@@ -309,6 +311,7 @@
 #define SERV_MARK256  /* for mark-and-delete */
 #define SERV_TYPE(SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED 512  /* workspace for log code */
+#define SERV_IS_REGEX   1024  /* server entry is a regex */
 
 struct serverfd {
   int fd;
@@ -327,6 +330,8 @@
   char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
+  pcre *regex;
+  pcre_extra *pextra;
   int flags, tcpfd;
   unsigned int queries, failed_queries;
   struct server *next; 

=== modified file 'src/forward.c'
--- upstream/src/forward.c	2009-12-21 19:01:26 +
+++ regex/src/forward.c	2009-12-21 19:09:21 +
@@ -149,12 +149,36 @@
   }
 else if (serv->flags & SERV_HAS_DOMAIN)
   {
-	unsigned int domainlen = strlen(serv->domain);
-	char *matchstart = qdomain + namelen - domainlen;
-	if (namelen >= domainlen &&
-	hostname_isequal(matchstart, serv->domain) &&
-	domainlen >= matchlen &&
-	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	unsigned int domainlen = matchlen;
+	int serverhit = 0;
+
+	if (!(serv->flags & SERV_IS_REGEX))
+	  {
+	domainlen = strlen(serv->domain);
+	char *matchstart = qdomain + namelen - domainlen;
+	if (namelen >= domainlen &&
+	hostname_isequal(matchstart, serv->domain) &&
+	domainlen >= matchlen &&
+	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	   serverhit = 1;
+	  }
+	else
+	  {
+	int captcount = 0;
+	if (pcre_fullinfo(serv->regex, serv->pextra, PCRE_INFO_CAPTURECOUNT, &captcount) == 0)
+	  {
+		/* C99 dyn-array, or alloca must be used */
+		int ovect[(captcount + 1) * 3];
+		if (pcre_exec(serv->regex, serv->pextra, qdomain, namelen, 0, 0, ovect, (captcount + 1) * 3) > 0)
+		  {
+		domainlen = (unsigned int) (ovect[1] - ovect[0]);
+		if (domainlen >= matchlen)
+		  serverhit = 1;
+		  }
+	  }
+	  }
+
+	if (serverhit)
 	  {
 	unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 	*type = SERV_HAS_DOMAIN;
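Review bot: only a `> 0` return from `pcre_exec()` counts as a hit, so every negative return is silently a miss, including `PCRE_ERROR_MATCHLIMIT` and `PCRE_ERROR_RECURSIONLIMIT` from a pattern that backtracks heavily on a long query name; such a failure makes the query quietly fall through to whichever other server matches, and nothing is logged. Distinguish `PCRE_ERROR_NOMATCH` from the other error codes and log the latter together with the pattern and the name, so a misbehaving rule is visible rather than merely slow, and consider setting `match_limit` in the `pcre_extra` at compile time so one bad rule cannot stall the daemon.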

=== modified file 'src/network.c'
--- upstream/src/network.c	2009-12-21 19:01:26 +
+++ regex/src/network.c	2009-12-21 19:09:21 +
@@ -718,7 +718,7 @@
 	  char *s1, *s2;
 	  if (!(new->flags & SERV_HAS_DOMAIN))
 	s1 = _("unqualified"), s2 = _("names");
-	  else if (strlen(new->domain) == 0)
+	  else if (new->domain && strlen(new->domain) == 0)
 	s1 = _("default"), s2 = "";
 	  else
 	s1 = _("domain"), s2 = new->domain;

=== modified file 'src/option.c'
--- upstream/src/option.c	2009-12-21 19:01:26 +
+++ regex/src/option.c	2009-12-21 19:22:18 +
@@ -1391,10 +1391,16 @@
 	arg++;
 	while ((end = split_chr(arg, '/')))
 	  {
-		char *domain = NULL;

Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Eric Laganowski wrote:
>> I guess I am not communicating this well. The desired dnsmasq
>> behavior would be to reply, say, with 192.168.1.1 to any request
>> starting with "wpad.", not just local domain, so if, say my domain is
>> domain.local, dnsmasq responds with 192.168.1.1 to both
>> wpad.domain.local and wpad.google.com
>>
>> -Eric
> 
> That's not possible. If one wanted to implement it, the logical way 
> would be to do full regexp pattern matching on the domains. That has 
> been suggested in the past, but I've always resisted it on the grounds 
> that it's overkill.
> 

But that doesn't mean there is no patch.
I have this lying around for some time, here for dnsmasq 2.50.

This way one can write:
address=/:^wpad\..*:/192.168.0.1
or something like that...

Note: This patch is not that well tested...

[snip]
> 
> Simon.
> 

Greetings
Jan

-- 
Miksch's Law:
If a string has one end, then it has another end.
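The `address=/:^wpad\..*:/192.168.0.1` usage from this post and the crash fixed in the 2010-02-04 "Extra Extra" post above (a regex entry has no domain string, so the suffix code must never touch it) are served by one added example below. It is not code from dnsmasq or from Jan's patch: it rebuilds the forward.c selection logic with POSIX `<regex.h>` standing in for the patch's `pcre_exec()`, and `struct server`, `SERV_IS_REGEX`, `parse_spec`, `server_match_len`, `pick_server`, `resolve` and the `SPECS` table are assumptions of the example (the table is a constructed configuration), not dnsmasq's own names.

```c
/* Added example, not code from dnsmasq or from the regex patch: the forward.c
 * selection logic rebuilt with POSIX <regex.h> in place of libpcre, plus the
 * NULL-domain guard the SIGSEGV report is about.  struct server and
 * SERV_IS_REGEX are simplified look-alikes of dnsmasq's, not its definitions. */
#include <regex.h>
#include <string.h>
#include <strings.h>

#define SERV_IS_REGEX 1024
struct server {
    int         flags;
    const char *domain;  /* suffix ("" for "#"); NULL for regex entries */
    regex_t     re;      /* compiled pattern, valid only with SERV_IS_REGEX */
    const char *answer;  /* constructed label: what this entry would answer */
};

/* Parse what stands between the slashes of address=/<spec>/<ip>: "#" matches
 * everything, ":<pattern>:" is the patch's regex form, anything else is a plain
 * suffix (pointer borrowed).  Returns 0, or -1 for a bad spec. */
int parse_spec(const char *arg, struct server *serv, const char *answer)
{
    size_t len = strlen(arg);
    memset(serv, 0, sizeof *serv);
    serv->answer = answer;
    if (strcmp(arg, "#") == 0) { serv->domain = ""; return 0; }
    if (arg[0] == ':') {
        char pattern[256];
        /* a lone ":" would pass a first/last-byte test with the same byte and
         * leave an empty pattern matching every name, so insist on ":x:" */
        if (len < 3 || arg[len - 1] != ':' || len - 2 >= sizeof pattern) return -1;
        memcpy(pattern, arg + 1, len - 2);
        pattern[len - 2] = '\0';
        if (regcomp(&serv->re, pattern, REG_EXTENDED | REG_ICASE) != 0) return -1;
        serv->flags |= SERV_IS_REGEX;   /* domain stays NULL: the crashing case */
        return 0;
    }
    if (len == 0) return -1;
    serv->domain = arg;
    return 0;
}

/* Length of the part of qdomain this entry matches, or -1: the hunk's tests,
 * with the regex branch taken before serv->domain is ever touched. */
int server_match_len(const struct server *serv, const char *qdomain)
{
    size_t namelen = strlen(qdomain);
    if (serv->flags & SERV_IS_REGEX) {
        regmatch_t m[1];
        if (regexec(&serv->re, qdomain, 1, m, 0) != 0) return -1;
        return (int)(m[0].rm_eo - m[0].rm_so);   /* like ovect[1] - ovect[0] */
    }
    if (!serv->domain) return -1;                 /* never dereference NULL */
    size_t domainlen = strlen(serv->domain);
    if (namelen < domainlen) return -1;
    const char *matchstart = qdomain + namelen - domainlen;
    if (strcasecmp(matchstart, serv->domain) != 0) return -1;
    /* label boundary: "example.com" must not match "notexample.com" */
    if (domainlen == 0 || namelen == domainlen ||
        serv->domain[0] == '.' || matchstart[-1] == '.')
        return (int)domainlen;
    return -1;
}

/* Walk the list as forward.c does: a match at least as long as the best so far
 * replaces it, so the most specific suffix (or longest regex span) wins. */
const struct server *pick_server(const struct server *srv, int n, const char *q)
{
    const struct server *best = NULL;
    int matchlen = 0;
    for (int i = 0; i < n; i++) {
        int len = server_match_len(&srv[i], q);
        if (len >= matchlen) { matchlen = len; best = &srv[i]; }
    }
    return best;
}

/* Constructed configuration, as an admin would write it between the slashes. */
static const char *const SPECS[][2] = {
    { "#",                "default-upstream"   },
    { "example.com",      "internal-dns"       },
    { "corp.example.com", "corp-dns"           },
    { ":^wpad\\..*:",     "wpad-sinkhole"      },  /* anchored, as it should be */
    { ":ad\\.:",          "unanchored-adblock" },  /* also hits "bad.tracker.net" */
};
#define NSPECS ((int)(sizeof SPECS / sizeof SPECS[0]))
static struct server table[NSPECS];
static int table_state = -1;   /* -1 not built, 0 ok, 1 bad spec */
struct server scratch;         /* spare entry for trying a single spec */

/* Which constructed entry answers this query name. */
const char *resolve(const char *qdomain)
{
    if (table_state < 0) {
        table_state = 0;
        for (int i = 0; i < NSPECS; i++)
            if (parse_spec(SPECS[i][0], &table[i], SPECS[i][1]) != 0) table_state = 1;
    }
    if (table_state) return "config-error";
    const struct server *s = pick_server(table, NSPECS, qdomain);
    return s ? s->answer : "no-match";
}
```

No extra library is needed (POSIX regex lives in libc). `resolve("bad.tracker.net")` lands on the unanchored `ad\.` entry because the pattern matches inside the first label, which is why such rules should be written as `^ad\.` or anchored at compile time; `resolve("notexample.com")` goes to the default entry thanks to the label-boundary test, and a regex entry is handled before `domain` is read, so the NULL that crashed the patched forward.c is never dereferenced.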
=== modified file 'Makefile'
--- old/Makefile	2009-09-10 23:32:18 +
+++ new/Makefile	2009-09-10 23:44:45 +
@@ -27,6 +27,7 @@
 
 DBUS_CFLAGS="`echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --cflags dbus-1`" 
 DBUS_LIBS="  `echo $(COPTS) | ../bld/pkg-wrapper $(PKG_CONFIG) --libs dbus-1`" 
+PCRE_LIBS="  `$(PKG_CONFIG) --libs libpcre`"
 SUNOS_LIBS=" `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi `"
 
 all :   dnsmasq
@@ -35,6 +36,7 @@
 	cd $(SRC) && $(MAKE) \
  DBUS_CFLAGS=$(DBUS_CFLAGS) \
  DBUS_LIBS=$(DBUS_LIBS) \
+ PCRE_LIBS=$(PCRE_LIBS) \
  SUNOS_LIBS=$(SUNOS_LIBS) \
  -f ../bld/Makefile dnsmasq 
 
@@ -54,6 +56,7 @@
  I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' \
  DBUS_CFLAGS=$(DBUS_CFLAGS) \
  DBUS_LIBS=$(DBUS_LIBS) \
+ PCRE_LIBS=$(PCRE_LIBS) \
  SUNOS_LIBS=$(SUNOS_LIBS) \
  -f ../bld/Makefile dnsmasq 
 	cd $(PO); for f in *.po; do \

=== modified file 'bld/Makefile'
--- old/bld/Makefile	2008-08-08 08:21:20 +
+++ new/bld/Makefile	2009-05-06 20:47:33 +
@@ -8,7 +8,7 @@
 	$(CC) $(CFLAGS) $(COPTS) $(DBUS_MINOR) $(I18N) $(DBUS_CFLAGS) $(SUNOS_VER) $(RPM_OPT_FLAGS) -c $<
 
 dnsmasq : $(OBJS)
-	$(CC) $(LDFLAGS) -o $@  $(OBJS) $(DBUS_LIBS) $(SUNOS_LIBS) $(LIBS) 
+	$(CC) $(LDFLAGS) -o $@  $(OBJS) $(DBUS_LIBS) $(SUNOS_LIBS) $(PCRE_LIBS) $(LIBS) 
  
 dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h
 	xgettext -d dnsmasq --foreign-user --keyword=_ -o dnsmasq.pot -i $(OBJS:.o=.c)
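Review bot: the link line gains `$(PCRE_LIBS)` but the compile rule two lines above it (`$(CC) $(CFLAGS) $(COPTS) ... $(DBUS_CFLAGS) ...`) gets no `$(PCRE_CFLAGS)`, so the pcre header is only found when it lives in the default include path. Define `PCRE_CFLAGS="`$(PKG_CONFIG) --cflags libpcre`"` in the top-level Makefile beside `PCRE_LIBS`, pass it through like `DBUS_CFLAGS`, and add it to the compile rule here.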

=== modified file 'src/dnsmasq.h'
--- old/src/dnsmasq.h	2009-09-10 23:32:18 +
+++ new/src/dnsmasq.h	2009-09-10 23:41:19 +
@@ -110,6 +110,8 @@
 #include 
 #endif
 
+#include 
+
 /* daemon is function in the C library */
 #define daemon dnsmasq_daemon
 
@@ -309,6 +311,7 @@
 #define SERV_MARK256  /* for mark-and-delete */
 #define SERV_TYPE(SERV_HAS_DOMAIN | SERV_FOR_NODOTS)
 #define SERV_COUNTED 512  /* workspace for log code */
+#define SERV_IS_REGEX   1024  /* server entry is a regex */
 
 struct serverfd {
   int fd;
@@ -327,6 +330,8 @@
   char interface[IF_NAMESIZE+1];
   struct serverfd *sfd; 
   char *domain; /* set if this server only handles a domain. */ 
+  pcre *regex;
+  pcre_extra *pextra;
   int flags, tcpfd;
   unsigned int queries, failed_queries;
   struct server *next; 

=== modified file 'src/forward.c'
--- old/src/forward.c	2009-09-10 23:32:18 +
+++ new/src/forward.c	2009-09-10 23:41:19 +
@@ -149,12 +149,36 @@
   }
 else if (serv->flags & SERV_HAS_DOMAIN)
   {
-	unsigned int domainlen = strlen(serv->domain);
-	char *matchstart = qdomain + namelen - domainlen;
-	if (namelen >= domainlen &&
-	hostname_isequal(matchstart, serv->domain) &&
-	domainlen >= matchlen &&
-	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	unsigned int domainlen = matchlen;
+	int serverhit = 0;
+
+	if (!(serv->flags & SERV_IS_REGEX))
+	  {
+	domainlen = strlen(serv->domain);
+	char *matchstart = qdomain + namelen - domainlen;
+	if (namelen >= domainlen &&
+	hostname_isequal(matchstart, serv->domain) &&
+	domainlen >= matchlen &&
+	(domainlen == 0 || namelen == domainlen || *(serv->domain) == '.' || *(matchstart-1) == '.' ))
+	   serverhit = 1;
+	  }
+	else
+	  {
+	int captcount = 0;
+	if (pcre_fullinfo(serv->regex, serv->pextra, PCRE_INFO_CAPTURECOUNT, &captcount) == 0)
+	  {
+		/* C99 dyn-array, or alloca must be used */
+		int ovect[(captcount + 1) * 3];
+		if (pcre_exec(serv->regex, serv->pextra, qdomain, namelen, 0, 0, ovect, (captcount + 1) * 3) > 0)
+		  {
+		domainlen = (unsigned int) (ovect[1] - ovect[0]);
+		if (domainlen >= matchlen)
+		  serverhit = 1;
+		  }
+	  }
+	  }
+
+	if (serverhit)
 	  {
 	unsigned short sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
 	*type = SERV_HAS_DOMAIN;

=== modified file 'src/network.c'
--- old/src/network.c	2009-09-10 23:32:18 +
+++ new/src/network.c	2009-09-10 23:41:19 +
@@ -712,7 +712,7 @@
 	  char *s1, *s2

Re: [Dnsmasq-discuss] Custom DNS Order

2009-01-05 Thread Jan 'RedBully' Seiffert
Xavier Kerestesy wrote:
> Does anyone have an idea on how I can accomplish this?
> 
> 

Hmmm, it is still a little confusing what you are trying to achieve, but I guess
you want dnsmasq to query different DNS servers based on the client MAC address.
This is AFAIK not possible.

But there are "workarounds":
1) client side lookup
If you categorize your clients into net-tags ("Guest", "known", etc.) you can
send every tag a different set of DNS servers by DHCP. This way you lose the
caching ability of dnsmasq, but basically get what you want.
2) multi-dnsmasq
You set up several dnsmasq instances. You can do this on one machine by giving one
interface several IPs and binding every dnsmasq instance to one IP. Only one dnsmasq
instance does DHCP; it points your clients again by net-tag to the other
dnsmasq IPs with DHCP, the other dnsmasq instances only do DNS caching.

> Thank you,
> 

HTH
greetings
Jan

> 
> Xavier
> 
> 
> 
> Xavier Kerestesy wrote:
>> So by default everyone points to the dnsmasq for all dns queries.  
>> Then by default, dnsmasq points to opendns1, opendns2, ISPDNS1.  We
>> would like to add an option to use ISPDNS1, opendns2, opendns1 based
>> on an IP or via MAC address for authorized users.  Another option
>> might be, to check the local records, then fail and not use the other
>> DNS servers.  This would force the PC to use the next one which could
>> be configured to ISPDNS1.
>>
>> Hopefully, this isn't too confusing.
>>
>> Thank you!
>>
>>
>> Xavier
>>
[snip]

-- 
John encountered the following Zen-like line in his generated XML:
<>There is no phenotype
He was enlightened.



Re: [Dnsmasq-discuss] Multiple Resolv Files?

2008-11-07 Thread Jan 'RedBully' Seiffert
Petri Savilahti wrote:
> Hallo Helmut,
> 
> Danke schoen fuer deine Hilfe!
> 
> What if the primary link (/etc/resolv.conf) goes down? Dnsmasq will
> not get any replies using nameservers from this file. Does dnsmasq
> automatically read then the /etc/ppp/resolv.conf?
> 

dnsmasq reads all specified files on startup, creates a list of upstream DNS
servers, then chooses the one which "works best" (the first queries go round robin,
to measure). If this chosen server goes down, it re-elects another one from its
list. Additionally, if any resolv file gets rewritten while dnsmasq is running,
it rereads the file and updates its list.

It's as simple as this, but it is not simple to say which server dnsmasq will 
choose ;)


> - Petri
> 

Greetings
Jan

[snip]

-- 
Fun things to slip into your budget:
Traffic shaping on the loopback interface



Re: [Dnsmasq-discuss] Re: using DHCP to set clients' MTU

2008-10-31 Thread Jan 'RedBully' Seiffert
Peter wrote:
> Apologies for digging up this thread, but its exactly my issue, and
> after nearly 12 hours researching it, im jaded to the point of madness.
> 
> Same deal, theres a modem running off a pppoa dsl link (NZ), and the
> modem has a pppoe - pppoa pass through feature ( Draytek Vigor series)
> quite innovative actually, not like the half bridge hack implementations
> floating around the pppoa world.
> 

No, this translation is your problem!
Your actual "line-limit" is the pppoa size, but with this translation
your...

> Anyway, the gateway/firewall box is debian etch and is running kernal
> mode pppoe to log into the modem.

... router/firewall only sees a pppoe limit.
And this autotranslation is br0ken (What else to expect from an embedded box).
This explains...

> A typical XP client will be able to ping packet sizes up to 1464 bytes
> OK, but those sized between 1465 and 1472 will time out, and those 1473
> and over will return Needs fragment but DF set.
> 
... this funny "blackhole" between 1465 and 1472.

> The actual rule installed under /etc/ppp/ip-up.d/0clampmss is:
> 
> iptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp  \
>  --tcp-flags SYN,RST SYN -m tcpmss --mss 1412 -j TCPMSS --clamp-mss-to-pmtu
> 

Is this the rule, to the letter?
Then it is wrong!

You are matching on an mss of EXACTLY 1412 to decide to clamp the mss. Why oh
why? Totally ... . Makes this whole rule a "no operation" (NOP). Maybe the
intention was to match a range? This needs two values.

And you are only applying it to your outgoing packets; OK, now the server sees
it should not send you packets bigger than N, but you are not applying it to the
SYN coming back from the server, so your clients do not know not to send packets
bigger than N (you have problems uploading data, right?).
This rule should be in your case (since the router can not see the pppoa link):
iptables -t mangle -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --set-mss 1444

The mss value is a guess. Since the outgoing router cannot see the pppoa link you
have to use the "--set-mss" option. Maybe you want to think about using a very
recent kernel. Older kernels not only lowered the mss like "clamp" does, but maybe
raised the mss (I patched that out of 2.6.23 myself) with the "--set-mss" option;
newer kernels don't do this (2.6.26 was fine).

[snip]
> So ill give this a go, but if either of you cracked the pppoe mss
> clamping problem, id be happy to hear about it.
> 

Maybe I spotted it; test carefully, so as not to confuse cause and effect.

HTH

> I was really excited to get hold of one of these modems, because the
> only other option to us here in NZ (sim to UK) is half bridge
> implementations which arent totally stable.

hmmm, tell me more about it. Half bridged? The modem always de-encapsulates the
traffic, so it needs ppp config and may also screw the mss?

> I feel im getting close, and sure as heck know more about TCP than i did 
> yesterday morning ;-)
> 
> Regards
> 
> Peter
> 

Greetings
Jan

-- 
John encountered the following Zen-like line in his generated XML:
<>There is no phenotype
He was enlightened.



Re: [Dnsmasq-discuss] using DHCP to set clients' MTU

2008-09-12 Thread Jan 'RedBully' Seiffert

Adam Hardy wrote:

Jan 'RedBully' Seiffert on 11/09/08 21:17, wrote:

[snip]


Hmmm, an mtu of 1430 looks a bit strange, but probably depends on your link.
Some kind of VPN or PPPoA on your side? Or are you saying paypal has some kind
of Tunnel/Route/Whatever which limits THEIR mtu?

In an ideal world you would not need to fiddle with your mtu, because a thing
called "path mtu discovery" should catch this. Your kernel sends packets with
the "Don't Fragment" bit (DF) set, and every router on the way to the target
should send you a packet back when your packet is too big, so your kernel can
lower the pmtu till it fits. Unfortunately, this does not always work, either
because the setup is so complex (vpn over a tunnel over dialup...) that errors
are not properly propagated, or, and this is more annoying, because some admins
block ICMP, which is needed for this to work. In their view ICMP is "evil" and a
1337 H4x0r protocol, neglecting that it is a needed part for {TCP|UDP}/IP to
work. A big German freemail provider was notoriously known for this braindamage
for years.

But before you lower your clients' mtu, do you know where the mtu bottleneck is
and/or is your router by chance a Linux box? (such things can surely also be
done with other gear, but I don't know how)

Because there are two other and maybe more interesting solutions:

1) Linux knows an iptables target named TCPMSS. It adjusts the tcp mss, so it
won't help you on UDP, but "fixes" the most common case, that tcp connections
hang. But only if your router sees the mtu bottleneck (PPPoE or something
similar). Look at your iptables man page, it comes with an example command. Most
SOHO-router-in-a-box implement this, maybe it is switched off? This also fixes
problems with other sites, until their pmtu is lower than yours and they do the
braindamaged stuff...

2) You can try setting the pmtu early (so icmp messages reach the client) by
setting up a route with the right mtu on your router. Hmmm, you can even set it
on the clients. Example:

Hi Jan,

I really appreciate the feedback - although I think your option (2) is 
slightly beyond what I want to get into for the sake of network admin 
here!


Yeah, it is a possible workaround for a "one oddball" situation, but if your 
link is the permanent bottleneck, you will hit this problem again and again...


I must admit that I set up the iptables firewall on my gateway machine, and I
need to look at it to check whether I inadvertently blocked this ICMP business.




Oh, initially i wasn't even talking about you, but problems on the remote end 
where you have no control how they configure their stuff. Then you are forced 
to employ ugly workarounds on your side.
If you check your firewall rules, make sure there is a path for 
icmp-fragmentation-needed packets.

(iptables  -p icmp --icmp-type fragmentation-needed -j ACCEPT)

The gateway has a NIC connected to a DSL modem and that has no firewall, 
it's just my machine and BT on the other side.




I read a little on BT, seems they use PPPoA, and this is terminated on the 
modem...
Hmmm, ATM equipment for PCs is rare, so your router has normal ethernet to the 
modem and "sees" an mtu of 1500, while the true mtu is hidden in the modem. And 
i thought one of the benefits of pppoa was, that the mtu is kept at 1500.
Any chance your new hosting service has a funny uplink? (should not, a big site 
should have a "real" connection and not a dsl line...)

/me is totally confused
Gnarf, seems this is even a bigger PITA than PPPoE ...

Searching for the right mtu turned up a lot of values, does someone know the 
true mtu of a BT PPPoA link? (note: first and foremost you better find the real 
mtu of the link, to get a grip on the problem, then one can think about 
adjusting/tuning it to better match the ATM-part of the connection)


The modem faced interface of your router needs the MTU set to the true value. 
This way your router should not send packets too big (or fragment them), your 
clients should get a fragmentation-needed when they try to.


But this still leaves problems with the path back to you when the remote side is 
blocking icmp (a bottleneck has two sides ;). Lowering the mtu of your clients 
is a cheap trick to repair this: the clients set "the right" tcpmss when they 
start a connection (you can only set it at the start, but the first packet (the 
SYN, approx. 60 bytes) doesn't trigger the pmtu...), so the remote end will not 
run into trouble on the path back. In effect you are doing their work (But this 
will not help for UDP)


This is where the:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
comes into play. Your router now hopefully knows the pmtu, and will lower the 
tcpmss set by the clients as a band aid, the connection will be (hopefully) the

Re: [Dnsmasq-discuss] using DHCP to set clients' MTU

2008-09-11 Thread Jan 'RedBully' Seiffert

Adam Hardy wrote:

Steven Jan Springl on 11/09/08 15:20, wrote:

On Thursday 11 September 2008 14:08, Adam Hardy wrote:

Hi,

searched the archives and the net and was surprised not to see any hits
for MTU except its generic appearance in log statements.

I had to change my MTU on my workstations to 1430 to get SMTP and some
websites to work (e.g. paypal).

Can I tell dnsmasq to send the MTU setting with the DHCP information?

My attempts to hack it into the config haven't worked.


Thanks
Adam


Adam

I use the following statement to set the mtu size to 1492 for clients 
connected to eth0:


dhcp-option=eth0,26,1492


Steve, thanks for the info!

For anyone else looking at this in future, there's a good doc here:

http://www.faqs.org/rfcs/rfc2132.html



Hmmm, a mtu of 1430 looks a bit strange, but probably depends on your link. Some
kind of VPN or PPPoA on your side? Or are you saying paypal has some kind of
Tunnel/Route/Whatever which limits THEIR mtu?

In an ideal World you would not need to fiddle with your mtu, because a thing
called "path mtu discovery" should catch this.
Your kernel sends packets with the "Don't Fragment"-Bit (DF) set, and every
router on the way to the target should send you a packet back when your packet
is too big, so your kernel can lower the pmtu, till it fits.
Unfortunately, this does not always work, either because the setup is so complex
(vpn over a tunnel over dialup...) that errors are not properly propagated, or,
and this is more annoying, because some Admins block ICMP, which is needed for
this to work. In their view ICMP is "evil" and a 1337 H4x0r protocol, neglecting
that it is a needed part for {TCP|UDP}/IP to work. A big german freemail
provider was notoriously known for this braindamage for years.

But before you lower your clients' mtu, do you know where the mtu bottleneck is
and/or is your router by chance a Linux box? (such things can surely also be
done with other gear, but i don't know how)

Because there are two other and maybe more interesting solutions:

1) Linux knows an iptables target named TCPMSS. It adjusts the tcp mss, so it
won't help you on UDP, but "fixes" the most common case, that tcp connections
hang. But only if your router sees the mtu bottleneck (PPPoE or something 
similar).
Look at your iptables man-page, it comes with an example command.
Most SOHO-router-in-a-box implement this, maybe it is switched off?
This also fixes problems with other sites, until their pmtu is lower than yours
and they do the braindamaged stuff...

2) You can try setting the pmtu early (so icmp messages reach the client) by
setting up a route with the right mtu on your router. Hmmm, you can even set it
on the clients. Example:

$ dig paypal.com MX
[snip]
;; QUESTION SECTION:
;paypal.com.IN  MX

;; ANSWER SECTION:
paypal.com. 461 IN  MX  10 data.ebay.com.
[snip]
;; ADDITIONAL SECTION:
lore.ebay.com.  3462IN  A   66.135.195.181

$ whois 66.135.195.181

OrgName:eBay, Inc
[snip]

NetRange:   66.135.192.0 - 66.135.223.255
CIDR:   66.135.192.0/19
NetName:EBAY-1

# ip route add to 66.135.192.0/19 via  mtu 1430

$ tracepath 66.135.195.181
 1:  my_box.lan (192.168.0.2)0.224ms pmtu 1430
 1:  my_gateway.lan (192.168.0.254)  0.286ms
[snip]

Problem is, you would have to set this up for every pmtu blackhole...

HTH


All the best
Adam



Greetings
Jan


--
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"




Re: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq

2008-07-22 Thread Jan 'RedBully' Seiffert

Simon Kelley wrote:

A C wrote:
I'm running dnsmasq 2.35 but it's on an embedded system and the 
package manager hasn't created a new version yet.  I wanted to know 
how vulnerable I was to the recent security alert regarding DNS and 
whether there's a potential workaround that I could put in place for now.




"How vulnerable" is a difficult question. AFAIK, the attack hasn't been 
seen in the wild, and it's assumed that the Bad Guys don't know it, so 
you're absolutely safe until Dan Kaminsky spills the beans (August?)




*cough*
too late...
http://www.heise-online.co.uk/news/DNS-security-problem-details-released--/45




Does that give you enough time to get a new version in place?

Simon.


Greetings
Jan

--
"Der Kopf ist rund, damit das Denken die Richtung wechseln kann."
Francis Picabi



Re: [Dnsmasq-discuss] Build on ancient gcc

2008-07-12 Thread Jan 'RedBully' Seiffert

RevRagnarok wrote:

I have a virtual machine that I am trying to put the latest DNSMasq (2.43)
onto. It currently has 1.14 installed from RPM (yes, its base install is
from the PREVIOUS time there was a Red Hat 7). The gcc on it is ancient,
2.96.

Anyway, I am getting an error "dnsmasq.h:545: array size is missing in
'filename'"



struct tftp_file {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[];
};

This?
This is a C99 "variable-size-array"
GCC 2.96 doesn't fully support C99, but it can be worked around. These 
early gcc had an extension which basically does the same, only a little 
different syntax. Put a zero between the two square brackets, like this:


struct tftp_file {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[0];
};

maybe you also have to add "-std=gnu9x" to the CFLAGS.


Has anybody seen this before? I checked the subjects of the most recent two
archives. I know I need to upgrade that machine, but was hoping this
wouldn't be hopeless. Thanks!



Greeting
Jan

--
Theres only 2 requirements in life, WD40 and Duck Tape.
If if doesnt move and it should use the WD40
If it moves and it shouldnt use the Duck Tape



Re: [Dnsmasq-discuss] dnsmasq rc5 segfault

2008-07-11 Thread Jan 'RedBully' Seiffert

Carlos Carvalho wrote:

Today dnsmasq died. It was the first time since I use it :-(

In its log there's no sign of problems. The last entry is for a
DHCPNAK; it's the only such record with 2.43. The kernel log says

Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 
error 4 in dnsmasq[8048000+22000]

The kernel is compiled with several PAX protections, in particular
non-executable pages.

Any ideas on how to debug this? All I can imagine demand a significant
amount of work here :-(



How long did it run before crashing?
Anything special at that time? (like begin of work in the morning or 
such thing)

With significant amount you mean? So no chance for a core-file?

I could dig up some code to get a backtrace on crash, but it's dead ugly 
code and dangerous with additional risk of not getting a usable backtrace.
And yeah, dnsmasq has to crash first and you have to capture the output 
somehow (no, will not reach the logs).


Greetings
Jan


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




--
C++ : an octopus made by nailing extra legs onto a dog.



Re: [Dnsmasq-discuss] Re: DHCP: different IPs for same same MAC

2008-05-05 Thread Jan 'RedBully' Seiffert

Sven Köhler wrote:

 here's the leases file from a currently running dnsmasq installation:
 86400 00:12:f0:a1:81:7d 10.1.2.233 bert 01:00:12:f0:a1:81:7d
 86400 00:12:f0:a1:81:7d 10.1.2.22 *
ff:65:74:68:31:00:01:00:01:0e:91:06:82:00:00:f0:7a:14:04

 How can that be? Same MAC-addresses, but different IPs?

 Well, if i boot Linux on this computer, it gets the 10.1.2.22.
 If i boot Windows, then it gets the 10.1.2.233. Why is that?
 (BTW: if i delete the leases file, restart dnsmasq, and boot windows 
first,

then windows gets the 22 and linux gets the 233).


One is sending a client ID and one is not.  The fact that switching
them reverses it seems odd to me, since I would have a possible
explanation if it didn't...


My guess is, that the two DHCP-requests by the two OS differ - and 
dnsmasq compares them, and then says: oh, different DHCP request, so 
let's give him a different IP (which seems completely beyond the idea of 
DHCP to me, since leases-file should only be a MAC->IP mapping).




In dnsmasq, client-ID overrides MAC-Address, and that's the difference 
between the two requests.
I was bitten by this when my linux-distro updated the dhcpc, now sending 
a random id, when sending none before...


so you want to change in your dnsmasq.conf:
dhcp-host=00:00:F0:7A:14:04  ,  10.1.2.21 #bert
to
dhcp-host=00:00:F0:7A:14:04  , id:* , 10.1.2.21 #bert

Greetings
Jan

--
The Theorem Theorem: If If, Then Then.
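An added example (not from the thread and not dnsmasq's own code): a Python parser for the dnsmasq.leases format quoted above that flags a MAC holding several leases and reports whether differing client-ids are the reason. The sample lines are constructed from the ones in the thread plus one extra host.

```python
"""Parse a dnsmasq.leases file and flag one MAC holding several leases.

Added example, not from the mailing-list thread. Each lease line has five
fields: expiry, MAC, IP, hostname ('*' if unknown), client-id ('*' if none).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the two lines quoted in the thread.
SAMPLE_LEASES = """\
86400 00:12:f0:a1:81:7d 10.1.2.233 bert 01:00:12:f0:a1:81:7d
86400 00:12:f0:a1:81:7d 10.1.2.22 * ff:65:74:68:31:00:01:00:01:0e:91:06:82:00:00:f0:7a:14:04
86400 00:11:22:33:44:55 10.1.2.50 gondor *
"""


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: Optional[str]
    client_id: Optional[str]


def parse_leases(text: str) -> List[Lease]:
    """Turn the leases file text into Lease records; '*' becomes None."""
    leases = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        expiry, mac, ip, hostname, client_id = fields
        leases.append(Lease(int(expiry), mac.lower(), ip,
                            None if hostname == "*" else hostname,
                            None if client_id == "*" else client_id))
    return leases


def duplicate_macs(leases: List[Lease]) -> Dict[str, List[Lease]]:
    """Return {mac: [leases]} for every MAC that holds more than one lease."""
    by_mac: Dict[str, List[Lease]] = defaultdict(list)
    for lease in leases:
        by_mac[lease.mac].append(lease)
    return {mac: ls for mac, ls in by_mac.items() if len(ls) > 1}


def explain(dups: Dict[str, List[Lease]]) -> List[str]:
    """One diagnosis line per duplicated MAC. Distinct client-ids are the
    case from the thread: dnsmasq keys the lease on the client-id when one
    is sent, so the same MAC looks like two clients."""
    lines = []
    for mac, ls in sorted(dups.items()):
        ids = sorted({l.client_id or "<none>" for l in ls})
        ips = ", ".join(l.ip for l in ls)
        if len(ids) > 1:
            lines.append(f"{mac}: {len(ls)} leases ({ips}); client-ids differ: {ids}. "
                         f"A dhcp-host line with id:* makes dnsmasq ignore the client-id.")
        else:
            lines.append(f"{mac}: {len(ls)} leases ({ips}); same client-id, "
                         f"probably a stale lease.")
    return lines


if __name__ == "__main__":
    for line in explain(duplicate_macs(parse_leases(SAMPLE_LEASES))):
        print(line)
```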



Re: [Dnsmasq-discuss] setting up dynamic DNS?

2007-09-11 Thread Jan 'RedBully' Seiffert
Adam Hardy wrote:
[snip]
> Yes you did say that previously but I was unsure about the requirement
> of the slashes front and back, so I left it unchanged.
> 
> So I changed the dnsmasq.conf again in this way and now the logging
> gives me the following:
> 
> isengard dnsmasq[8120]: reading /etc/resolv.conf
> isengard dnsmasq[8120]: using nameserver 194.74.65.69#53
> isengard dnsmasq[8120]: ignoring nameserver 127.0.0.1 - local interface
> isengard dnsmasq[8120]: using local addresses only for domain
> localdomain.net
> isengard dnsmasq[8120]: query[] pop.1und1.com from 192.168.0.234
> isengard dnsmasq[8120]: forwarded pop.1und1.com to 194.74.65.69
> isengard dnsmasq[8120]: reply pop.1und1.com is -IPv6

client 192.168.0.234 asks for IPv6 1und1.com
dnsmasq asks upstream
Upstream answer "no ipv6"

> isengard dnsmasq[8120]: query[] pop.1und1.com.localdomain.net from
> 192.168.0.234
> isengard dnsmasq[8120]: config pop.1und1.com.localdomain.net is
> -IPv6

client asks for IPv6 1und1.com.localdomain.net
dnsmasq sees from its config - no

> isengard dnsmasq[8120]: query[A] pop.1und1.com from 192.168.0.234
> isengard dnsmasq[8120]: forwarded pop.1und1.com to 194.74.65.69
> isengard dnsmasq[8120]: reply pop.1und1.com is 212.227.15.177
> isengard dnsmasq[8120]: reply pop.1und1.com is 212.227.15.161
> 

finally the client asks the right questions ;)

> On the eighth line: query[] pop.1und1.com.localdomain.net 
> 
> Is this normal - or another misconfiguration?

I wouldn't call it normal, but it's no misconfiguration *AFAIK*.

> Why would dnsmasq think it might have the localdomain.net suffix?

No, the client, or its system resolver libraries.
Since it is an IPv6 enabled client, it tries IPv6 first.
The answer is negative, so it tries what its /etc/resolv.conf says:
"search localdomain.net"

On the other hand this way the client makes from "gondor" ->
"gondor.localdomain.net".

Maybe you can change the order the client tries IPv6 & IPv4.
OTOH, ISPs should see more IPv6 queries, so we may finally get IPv6 ;)

I would leave it this way, dnsmasq caching abilities and the fact that
these queries are made on a local link with almost no latency makes this
a "don't worry".

> I can imagine it may be dnsmasq
> trying out the name with the local domain appended - just in case it may
> have been an actual simple local hostname without the localdomain.net
> suffix.
> 
Hmmm, that comes into play with the expand-hosts option


> Thank you very much for the help by the way - everyone included.
> 
> Regards
> Adam
> 
> 
Greetings
Jan

-- 
"...by all means, do not use a hammer."
(from an IBM documentation ca. 1920)



Re: [Dnsmasq-discuss] setting up dynamic DNS?

2007-09-10 Thread Jan 'RedBully' Seiffert
Adam Hardy wrote:
> It's the fqdn.fqdn line that causes the problem! I took that out of the
> dhclient.conf on the clients and now have just
> 
> send host-name gondor;
> 
> which works (massive grin!) - thanks!
> 

fine ^-^

> But there is one more niggle: it looks as though dnsmasq on isengard is
> asking the internet name-server where isengard is when another machine
> asks it to resolve its hostname.
> 
> isengard dnsmasq[2716]: query[] isengard.localdomain.net from
> 192.168.0.234
> isengard dnsmasq[2716]: forwarded isengard.localdomain.net to 194.74.65.69
> isengard dnsmasq[2716]: forwarded isengard.localdomain.net to 194.74.65.69
> isengard dnsmasq[2716]: query[] isengard.localdomain.net from
> 192.168.0.234
> isengard dnsmasq[2716]: forwarded isengard.localdomain.net to
> 194.74.65.69

The "problem" is, your client requests the AAAA record, or in other
words the IPv6 address of isengard, which dnsmasq seems not to know (not
in /etc/hosts or somewhere else).
Because ...

> isengard dnsmasq[2716]: query[A] isengard.localdomain.net from
> 192.168.0.234
> isengard dnsmasq[2716]: /etc/hosts isengard.localdomain.net is 192.168.0.2

... when your client asks for the A record, the IPv4 address, it is
served directly from /etc/hosts

But as said in the last mail, if you want to stop dnsmasq from calling
upstream for things which are local, you may add
local=/localdomain.net/
to your dnsmasq.conf.

HTH

Greetings
Jan

[snip]

-- 
ACPI - Another Crap Proposal Intel




Re: [Dnsmasq-discuss] setting up dynamic DNS?

2007-09-10 Thread Jan 'RedBully' Seiffert
Adam Hardy wrote:
> Thanks again for the help. Config files appended at bottom for reference.
> 
> Jan 'RedBully' Seiffert on 10/09/07 16:45, wrote:
>> Adam Hardy wrote:
> adam@gondor:~$ cat /etc/resolv.conf
> search localdomain.net
> nameserver 192.168.0.2

Ok, looks good.


>> Is their default gateway set to isengard? (route -n should say so)
> 
> Yes
> 

Ok, so this works.

>> What's printed to isengards system logs when a client gets an IP?
> 
> isengard dnsmasq[26803]: reading /etc/resolv.conf
> isengard dnsmasq[26803]: using nameserver 194.74.65.69#53
> isengard dnsmasq[26803]: ignoring nameserver 127.0.0.1 - local interface
> isengard dnsmasq[26803]: Ignoring DHCP host name arnor.localdomain
> because it has an illegal domain part

^^^

here is the problem

[snip]
> /var/lib/misc/dnsmasq.leases has no hostnames in it.
> 
> Hmmm. Doesn't look good does it? :(

No no, all working within its spec IMHO ;)

> What do you think could be wrong
> with it? There seems to be something wrong with the hostname I'm sending
> it ('illegal domain name part')

dnsmasq is basically fine with the hostname, it does not like the domain
your client is sending.
It tries to protect you from forgery.
If a client would record itself as www.google.com, and dnsmasq would
believe this, it would forward all your LAN machines for www.google.com
to this machine.

Somehow the "domain=localdomain.net" doesn't do the trick.

But when looking again, arnor (and maybe the other machines) is sending
"$HOSTNAME.localdomain" as hostname?

the final ".net" seems to get eaten...

May you can remove all the references to your domain from your
dhclient.conf, for a test.

> adam@gondor:~$ cat /etc/dhcp3/dhclient.conf |grep -v ^#
>
> send host-name "gondor.localdomain.net";

This should be the hostname only, or?

> send dhcp-lease-time 3600;
> supersede domain-name "localdomain.net";

drop this, dnsmasq should give out the right domain

> request subnet-mask, broadcast-address, time-offset, routers,
> domain-name, domain-name-servers, host-name,
> netbios-name-servers, netbios-scope, interface-mtu;

> send fqdn.fqdn "gondor.localdomain.net";
> send fqdn.encoded on;
> send fqdn.server-update off;
>

drop all this fqdn stuff for a test

Which version of dnsmasq is this?

> and it also seems to be forwarding the
> query for arnor.localdomain.net up to the internet nameserver.
> 

That's because dnsmasq could not find an entry in its own db, and thinks
maybe the upstream server know something about it.

To tell dnsmasq that localdomain.net is local, and it should not ask
upstream about it, you may want to add:
local=/localdomain.net/
to your dnsmasq.conf


> 
> Adam
> 

Greetings
Jan

> PS here are the files for reference if they help:
> 
[snip]
> isengard:~# cat /etc/dnsmasq.conf |grep -v ^# |grep -e ^[[:alnum:]]
> domain-needed
> bogus-priv
> filterwin2k
> domain=localdomain.net
> dhcp-range=192.168.0.3,192.168.0.254,12h
> dhcp-option=1,255.255.255.0


> dhcp-option=3,192.168.0.2
> dhcp-option=6,192.168.0.2
normally you should be able to put 0.0.0.0 in here, so dnsmasq will
automatically fill in the right value for your interface

> log-queries

-- 
Fun things to slip into your budged:
Traffic shaping on the loopback interface



Re: [Dnsmasq-discuss] setting up dynamic DNS?

2007-09-10 Thread Jan 'RedBully' Seiffert
Adam Hardy wrote:
[snip]
> 
> Thanks for the responses, I've just tried again, but didn't succeed. I
> get 'name or service unknown' response from ssh, ping etc.
> 
Hmmm, on which machine? Isengard?

> I put in the "send host-name" option, as well as explicitly defining the
> defaults for dhcp-option 1, 3 and 6.
> 
Ok.
And on your clients?
Do they get an IP over dhcp?
Is their DNS-Server set to isengard? (view in /etc/resolv.conf)
Is their default gateway set to isengard? (route -n should say so)

What's printed to isengards system logs when a client gets an IP?

> Presumably if dnsmasq is meant to resolve/name-serve my clients, it will
> put their hostnames in isengard's /etc/resolv.conf?
> 
No, hosts name <-> IP associations are generally not saved in
/etc/resolv.conf, the IP addresses of the machines DNS servers are
stored there (in your case, your ISP DNS server).
Dnsmasq saves dynamically generated associations in its lease file
(/var/lib/misc/dnsmasq.leases).
You can have static associations in /etc/hosts.

dnsmasq will read all three files unless otherwise configured:
/etc/resolv.conf - to get the upstream DNS server
/etc/hosts - to serve static host name <-> IP assignments you made
the lease file - to serve entries generated from leases after a restart

> I am probably totally wide of the mark here, but isn't dhclient3
> constantly rewriting /etc/resolv.conf on isengard (gateway / dnsmasq
> server) to set up eth2 on the internet?
> 
If you are not using pppoe (or something similar) and are getting your
Internet-address by simply doing dhcp on the interface connected to the
modem, then yes. (normally scripts like adsl-connect also rewrite your
/etc/resolv.conf, as i said, i patched mine to stop this...)
But thats ok, this way /etc/resolv.conf will always contain "fresh"
entries of the upstream DNS servers.
Normally dnsmasq will poll /etc/resolv.conf for changes, so it doesn't
miss when the upstream DNS server change.

This configuration is fine, but then you will not be able to query
dnsmasq from the machine isengard itself (or not easily), because the
system also uses /etc/resolv.conf to decide who to ask for hostname <->
IP, and your ISP servers will know nothing about your mappings.

The machines inside your LAN, if properly configured (look at their
/etc/resolv.conf, should be isengards IP), will query dnsmasq and should
work.

To fix this on isengard, instruct dhcp-client not to overwrite
/etc/resolv.conf but instead to dump the resolv-info it gathered from
your ISP to another file.
Now you say dnsmasq to use this other file as resolv-file, and in the
system /etc/resolv.conf, you put 127.0.0.1 (on which dnsmasq should also
listen to...).
If this is possible with dhcp-client, i don't know, but it looks like
its very configurable.


> I am using the example dnsmasq.conf that came with the package, but I
> just parsed out the comments. And unlike Jan, I'm not using pppoe so I'm
> not sure what approach to take.
> 
> Thanks and regards
> Adam
> 
Greetings
Jan

-- 
Have you ever noticed that the Klingons are all speaking unix?
"Grep ls awk chmod."   "Mknod ksh tar imap."
"Wall fsck yacc!" (that last is obviously a curse of some sort)
-- Gandalf  Parker



Re: [Dnsmasq-discuss] setting up dynamic DNS?

2007-09-09 Thread Jan 'RedBully' Seiffert
Adam Hardy wrote:
> Hi DNSmasq List
> 
> I have a small network with a slightly different setup for the internet
> broadband from usual. I'm having problems working out how to set up a
> DHCP service with dnsmasq to provide workstations with permanent host
> names.
> 
> Instead of the usual router providing DHCP and DNS services, I just have
> a simple DSL modem attached to eth2 on my gateway server (isengard).
> Using dhclient3, isengard grabs itself a public ip for eth2 via DHCP on
> the modem.
> 

That's IMHO a typical setup, i also just use a dsl modem and a full-blown
linux box as router, because the config capabilities of those
router-in-a-box won't cut my needs (multihomed router, fancy traffic
shaping, some servers, etc.).

> isengard also runs dnsmasq on eth1 for the internal network, and I run
> iptables as my firewall to protect it. I gave eth1 the IP 192.168.0.2
> 
[snip]
> 
> I've reached the point where dnsmasq tells every client to use
> 192.168.0.2 as the nameserver. These clients run dhclient3 (and windows
> and the mac are happy too)
> 
> But this naive approach obviously doesn't cut the mustard. Can I
> instruct dnsmasq to be nameserver of all my hosts for each other?
> 

> isengard /etc/dnsmasq.conf:
>
> domain-needed
> bogus-priv
> filterwin2k
> dhcp-range=192.168.0.3,192.168.0.254,12h

If this is your complete dnsmasq.conf, you will need some more entries.

First, you need to set some dhcp-options, the client needs to request
(but normally does if everything is set to "receive stuff over dhcp")

dhcp-option=1,255.255.255.0 # subnet mask
dhcp-option=3,0.0.0.0 # default gateway
dhcp-option=6,0.0.0.0 # dns-server

0.0.0.0 denotes the IP dnsmasq is listening to (in your case 192.168.0.2)
When your Samba comes in to play, you maybe also want
dhcp-option=44,0.0.0.0 # set WINS

Didn't you receive a dnsmasq example config file?
(/usr/share/doc/dnsmasq* ?)

Second, to assign some hosts a permanent IP-address, even if received by
dhcp, you need some dhcp-host lines
dhcp-host=mac-address,name,ip,leasetime
ex:
dhcp-host=01:23:45:67:89:AB,gondor,192.168.0.3,infinite

You may want to shorten your dynamic range to make room for those static
entries.

As soon as this lease is given to the client, you should be able to ping
it by name (if you have isengard as dns-server in your resolv.conf), and
if its switched off (lease returned) you should get 'host unknown' (this
is the nice part of dnsmasq being both, dns and dhcp server).

Finally you may want to split the resolv.conf for the machine isengard,
and the dns servers dnsmasq uses (upstream).
Since i have to use PPPoE, i changed the DSL-Scripts not to overwrite
/etc/resolv.conf and said my dnsmasq to use the resolv.conf always
generated by pppd:
resolv-file=/etc/ppp/resolv.conf

and then set /etc/resolv.conf to
nameserver 127.0.0.1

But how to achieve this depends on the way you connect to upstream.

HTH

> Thanks and regards
> Adam Hardy
> 

Greetings
Jan

-- 
Ever notice how fast Windows runs? Neither did I.
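An added example (not from the threads and not dnsmasq's own code) covering the dhcp-option lines used both in the "using DHCP to set clients' MTU" thread (option 26) and in this one (options 1, 3, 6, 44 with 0.0.0.0): it encodes numeric dhcp-option= lines into RFC 2132 option TLVs, substituting the server address for 0.0.0.0 as described above, and decodes them back. The config lines and server address are constructed; dnsmasq's option:name syntax is not handled.

```python
"""Encode dnsmasq-style dhcp-option= lines into RFC 2132 option TLVs.

Added example, not dnsmasq's own code. Supports the options used in the
threads and replaces 0.0.0.0 with the server's own address, the behaviour
described in the thread for address options. A leading interface tag such
as "eth0," is accepted and ignored for the encoding.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# option code -> (name, kind); "addrs" = one or more IPv4 addresses,
# "u16" = a 16-bit unsigned value.
OPTION_TYPES = {
    1: ("subnet-mask", "addrs"),
    3: ("router", "addrs"),
    6: ("dns-server", "addrs"),
    26: ("interface-mtu", "u16"),
    42: ("ntp-server", "addrs"),
    44: ("netbios-ns", "addrs"),
}
MIN_MTU = 68  # RFC 2132 sec. 5.1: minimum legal value for option 26


def parse_dhcp_option_line(line: str) -> Tuple[int, List[str]]:
    """'dhcp-option=[tag,]code,value[,value...]' -> (code, [values])."""
    key, _, rest = line.strip().partition("=")
    if key != "dhcp-option":
        raise ValueError(f"not a dhcp-option line: {line!r}")
    parts = [p.strip() for p in rest.split(",")]
    # Skip leading interface/tag fields until the numeric option code.
    while parts and not parts[0].isdigit():
        parts.pop(0)
    if len(parts) < 2:
        raise ValueError(f"missing option code or value: {line!r}")
    return int(parts[0]), parts[1:]


def encode_option(code: int, values: List[str], server_ip: str) -> bytes:
    """One option as code, length, payload; rejects out-of-range MTUs."""
    name, kind = OPTION_TYPES[code]
    if kind == "u16":
        (value,) = values
        mtu = int(value)
        if not MIN_MTU <= mtu <= 0xFFFF:
            raise ValueError(f"{name}: {mtu} outside {MIN_MTU}..65535")
        payload = struct.pack("!H", mtu)
    else:
        payload = b"".join(
            ipaddress.IPv4Address(server_ip if v == "0.0.0.0" else v).packed
            for v in values)
    return bytes([code, len(payload)]) + payload


def encode_config(lines: List[str], server_ip: str) -> bytes:
    return b"".join(encode_option(*parse_dhcp_option_line(l), server_ip)
                    for l in lines)


def decode_options(blob: bytes) -> Dict[int, object]:
    """Walk the TLV sequence back into {code: decoded value(s)}."""
    out: Dict[int, object] = {}
    i = 0
    while i < len(blob):
        code, length = blob[i], blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        kind = OPTION_TYPES.get(code, (None, None))[1]
        if kind == "u16":
            out[code] = struct.unpack("!H", data)[0]
        elif kind == "addrs":
            out[code] = [str(ipaddress.IPv4Address(data[j:j + 4]))
                         for j in range(0, length, 4)]
        else:
            out[code] = data  # unknown option: keep the raw payload
        i += 2 + length
    return out


# Constructed config lines, in the forms used in the threads.
SAMPLE_CONFIG = [
    "dhcp-option=1,255.255.255.0",
    "dhcp-option=3,0.0.0.0",
    "dhcp-option=6,0.0.0.0",
    "dhcp-option=eth0,26,1492",
    "dhcp-option=44,0.0.0.0",
]

if __name__ == "__main__":
    blob = encode_config(SAMPLE_CONFIG, "192.168.0.2")
    print(blob.hex())
    print(decode_options(blob))
```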



Re: [Dnsmasq-discuss] Multicast dns

2007-04-23 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Tom Fanning wrote:
>>> OK, my understanding (which might be wrong) is this:
>> 
>>
>>> On the other hand, just editing /etc/nsswitch.conf to remove the mDNS
>>> resolver would do the same thing.
>> ... the vital remaining part of the puzzle that I couldn't find. Thank you.
>>
>>> Hmm, difficult.
>>>
>> Point taken, I'll go away now. It was very late last night when I posted.
>> Sorry for the noise.
>>
> 
> Not at all, It's a reasonable suggestion that dnsmasq should be
> configurable to listen for mDNS and reply to everything: Even with the
> nsswitch.conf fix, that has to be fixed on every new Ubuntu Feisty
> install,
It's not only Ubuntu...
More than half a year ago my brother visited me. I also had the TLD
.local . He plugged his laptop in, dnsmasq served him "his" dhcp entry
and *poof* his network was dead. Or no, he was sending his DNS-Queries
via multicast.
What happened? Before he came to me, he updated his Debian testing to
the latest versions and got mDNS/zeroconf/avahi behind his back.

So he deinstalled that avahi-stuff, and *plop* network worked again :).

Since then i switched my TLD to .lan. (Was a PITA. Services not running
anymore because you configured them to connect to foo.bar.local, the IP
would have been more stable...)

On Gentoo there was also a time, when they installed mDNS for you by
default (with glibc), now it is an extra package, you have to install
manually...

> a dnsmasq configuration tweak would do it for  a whole network
> and if mDNS was not otherwise in use, nothing is lost.
> 
My problem was, which really made me mad, that suddenly ALL DNS queries
seemed to go over mDNS, not only those local zeroconf foo.
But i had no "for outer World DNS"-mDNS-server on the multicast address,
even with dnsmasq, the little swiss army knife (and i don't wanted to
blow up my router setup with adding a mDNS server).

> OTOH, against doing this is that it breaks "real mDNS" so it's  a bug to
> fix another bug.
But could be an interesting feature:
If my memory serves me right, there are special request types in the
sense of "give me the network default printer" or "who answers DNS
queries here" (service discovery) and at least the last should be
answered by dnsmasq (or registering on avahi? how does this daemon
interact with this?). That's how these zeroconf networks (ip 169) are
supposed to work.
With the possibility to add manual entries into the dnsmasq conf one
could for example redirect "Got Printer?"-queries to his cups (until
cups grows this feature itself)

> Also it's possibly bloat for dnsmasq
Yup, hmmm.
Basically it's just another socket, hmmm, but some "special parsing", if
i'm correct.

But with a nice ./configure-option?

> and of minor real
> world use for most people.
Mac-users?
IMHO it's an emerging thing, all those network-appliances grow this
feature (Net-Printer, NAS, Media-streaming boxes, VoIP-Phones?? (again,
service discovery)), and "Out-Of-The-Box"-Distros seem to enable it (and
again, service discovery, so Joe Average gets a nice "local Printers in
range" tab in his printing dialog).
Oh, and i think in IPv6-land there are some basic services (DHCP?)
changed to multicast, so maybe dnsmasq needs a multicast socket anyway.

> A judgement call, like most possible
> enhancements.
> 
I personally wouldn't need it (nor have any testcase, since i notoriously
disable auto-foobar), and would label it as "nice to have when you need
it" thing.
So, personal POV: hacking away on some mDNS code ASAP, no (some more
thoughts/research first).
Some mDNS awareness ( Simon reads some RFC's and enlightens us :D
) esp. not how does the packet look like, but what could be done
with it and has to be done about it, in FAQ, Manual, HOWTOs (code?),
maybe yes.

> Cheers,
> 
> Simon.

Greetings
Jan

-- 
Fun things to slip into your budged:
Traffic shaping on the loopback interface.



Re: [Dnsmasq-discuss] (no subject)

2007-02-13 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Jan 'RedBully' Seiffert wrote:
> 
>> hmmm, or not? Rules of implicit type conversion...
>> Is the difftime result casted to an int or the int casted to a double:
>> Good?
>>
>>> ./src/rfc2131.c:976:  else if (lease && lease->expires != 0 &&
>>> difftime(lease->expires, now) > 0.0)
>>
>> Bad?
>>
>>> ./src/lease.c:251:  if ((lease->expires != 0 && difftime(now,
>>> lease->expires) > 0) || lease == target)
>>
>>
>> Simon?
> 
> My understanding  is that both of those work to determine which of the
> two timevals is larger. I don't think you can be sure to eliminate all
> FP operations in either case by wrapping difftime. All of this is just a
> portable way to find the order of two time_t variables.

Oh, i was not asking you to eliminate the FP, I'm "fine" with it, this
solution was just a hint for mmarkk.

I was just asking myself, if the implicit type conversion in:
difftime(now, lease->expires) > 0
(note the int to the right) would do the right thing. But i think so. 1
sec. difference will lead to 1.0 (according to the man page), which
gives us 1 > 0 (0.99 would become 0 > 0 == false).

I'm with you on the portability point here. difftime is the API they
give us, so let's use it, since it is clearly stated, time_t don't have
to be an arithmetic type, maybe a struct/union/something (opaque).
So i was _not_ asking to change that, 64 Bit time_t will come, sooner or
later.

Pro: portability
Con: FP-bloat
Stick to the API, recompile, be happy.
Portability wins

Only mentioned it as a hack to get things going, you know, sometimes you
have to be pragmatic and make a compromise. (But leave a comment for the
next one! ;)

> It's a pity there isn't a way to do that portably without involving FP.
> 
Hmmm, sigh, yes, there's clearly a gap (i mean, that's a quite common
task and a double for this??...). On the other hand, what return type
should a standard choose given that time_t can be complex/large...


> 
> Cheers,
> 
> Simon.
> 
> 
Greetings
Jan

-- 
error compiling committee.c: too many arguments to function



Re: [Dnsmasq-discuss] dhcp doesn't work

2007-02-13 Thread Jan 'RedBully' Seiffert
Johannes Graumann wrote:
> Hello,
> 
Hi,

[snip]
> option time-servers 192.168.0.1;

You may want to translate this to
dhcp-option=42,192.168.0.1

0.0.0.0 for the machine dnsmasq runs on also works.

You may also want to take a look at the dnsmasq.conf.example in the
source distribution (maybe available in /usr/share/doc/dnsmasq?), it is
packed with examples, well documented, a never ending stream of
inspiration what could be done.

[snip]
> Thanks, Joh
> 
Greetings
Jan


-- 
"...by all means, do not use a hammer."
(from a IBM handbook ca. 1920)



Re: [Dnsmasq-discuss] (no subject)

2007-02-13 Thread Jan 'RedBully' Seiffert
mmarkk wrote:
> 
> Il giorno 13/feb/07, alle ore 10:58, Simon Kelley ha scritto:
> 
> 
> 
>> There's no way to increase verbosity which would be useful here, since
>> you can build new binaries, I guess adding old-fashioned printf is the
>> way to debug. The code you are interested in in src/dnsmasq.c, lines
>> 521-570.
> 
> ok, I realized that the problem depend in some way from difftime function.
> Without changes, the function seems not to return a number (it returns
> nan), and the resolv.conf file is not read
> 
> I have made this change:
> 
> (int)difftime(now, last)
> 
> and also
> 
> int intdiff;
> intdiff=difftime(...);
> 

Casting the NaN representation to int wouldn't work. (or you're looking
at garbage, since the ABI is messed up)
H, ugly hack alarm, directly from the man page:

> NAME
>difftime - calculate time difference
...
> CONFORMING TO
>SVr4, 4.3BSD, C99
> 
> NOTES
>On a POSIX system, time_t is an arithmetic type, and one could just 
> define
> 
>   #define difftime(t1,t0) (double)(t1 - t0)
> 
>when  the  possible  overflow  in the subtraction is not a concern.  
> On other systems, the data type time_t might use
>some other encoding where subtraction doesn't work directly.

So, dropping the cast to double, you can maybe get away with this.
(besides you also have to change the comparisons against floating point
types)

hmmm, or not? Rules of implicit type conversion...
Is the difftime result casted to an int or the int casted to a double:
Good?
> ./src/rfc2131.c:976:  else if (lease && lease->expires != 0 && 
> difftime(lease->expires, now) > 0.0)
Bad?
> ./src/lease.c:251:  if ((lease->expires != 0 && difftime(now, 
> lease->expires) > 0) || lease == target)

Simon?

[snip]
> 
> maybe all of this is because my processor does not handle floating point?
> 
In this case, you should have some soft-float, as Simon mentioned, on
the compiler line (and better compiled your libc and system this way),
to ensure that the ABI matches. If everything is "done right", you
shouldn't have to bother (besides that it is slow, because the compiler
will insert emulation code). Your compiler should have something like
that in its spec-file (assuming it's gcc), so this setting becomes the
default.
On the other hand your cpu should signal (to the OS, finally to you,
sigill, sigsegv, sigfpe etc.) if there's no fpu and it runs about
fpu-instructions. (Or there's OS-level fpu-emulation)


> 
> cheers
> 
> mmarkk
> 
Greetings
Jan


-- 
H.323 has much in common with other ITU-T standards - it features a
complex binary wire protocol, a nightmarish implementation, and a bulk
that can be used to fell medium-to-large predatory animals.
-- Anthony Baxter
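The implicit-conversion question raised above (is the difftime() result cut to int, or is the int literal promoted to double?) and the "1 sec. difference gives 1.0 > 0" reasoning from the later reply can be checked in a few lines. The following is an added example, not dnsmasq code and not anything posted on the list; the lease-expiry helpers and the sample timestamps are constructed for it. It also shows a defensive check for the NaN result mmarkk saw on the mismatched-ABI build, using the fact that NaN compares unequal to itself rather than casting it to int (which is undefined behaviour):

```c
#include <stdio.h>
#include <time.h>

/* Added example (not dnsmasq code): lease-expiry checks built on difftime(3).
 * difftime returns a double, so in "difftime(a, b) > 0" the usual arithmetic
 * conversions promote the int literal 0 to double; the double is never cut
 * down to int. "> 0" and "> 0.0" therefore behave identically. */

/* Seconds from 'from' to 'to', as the C standard specifies: a double,
 * whatever time_t is underneath (arithmetic type or not). */
double seconds_between(time_t from, time_t to)
{
    return difftime(to, from);
}

/* 1 if the lease is expired at 'now', 0 otherwise. expires == 0 means the
 * lease never expires, the convention visible in the quoted lease.c line. */
int lease_expired(time_t now, time_t expires)
{
    return expires != 0 && difftime(now, expires) > 0;
}

/* Same test written with a double literal, as in the quoted rfc2131.c line.
 * Must agree with lease_expired() for every input. */
int lease_expired_fp(time_t now, time_t expires)
{
    return expires != 0 && difftime(now, expires) > 0.0;
}

/* Guard for the broken-ABI case from the thread: a NaN compares false
 * against everything, so an unguarded "> 0" would silently report every
 * lease as unexpired. NaN is the only value for which d != d holds, so this
 * needs no cast and no libm. Returns -1 when the result is unusable. */
int lease_expired_checked(time_t now, time_t expires)
{
    double d = difftime(now, expires);
    if (d != d)
        return -1;
    return expires != 0 && d > 0;
}

int main(void)
{
    time_t t0 = 1000000, t1 = t0 + 1;   /* constructed sample timestamps */
    printf("1 second later: %d\n", lease_expired(t1, t0));   /* 1 */
    printf("same second:    %d\n", lease_expired(t0, t0));   /* 0 */
    printf("never expires:  %d\n", lease_expired(t1, 0));    /* 0 */
    printf("fp spelling agrees: %d\n",
           lease_expired_fp(t1, t0) == lease_expired(t1, t0)); /* 1 */
    return 0;
}
```

The point for a DHCP server is the one mmarkk hit: a wrong answer from this comparison is not a crash but a lease that is never reclaimed (or reclaimed too early and handed out twice), so a guard that fails loudly is worth more than a cast that hides the garbage.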



Re: [Dnsmasq-discuss] Announce: dnsmasq-2.38

2007-02-12 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Dennis Veatch wrote:
>> On Monday 12 February 2007 03:50:07 pm Simon Kelley wrote:
>>
>>> In an attempt to increase the average release-rate after the long gap
>>> over christmas, I've released dnsmasq 2.38. :-)
>>>
>>> Seriously, this fixes a problem introduced in 2.37 which can cause
>>> dnsmasq to hang, using 100% CPU. It's not clear how likely it is for
>>> this bug to occur in reality: I've had exactly one report. I think that
>>> at least one infinite-time DHCP lease must exist before the problem
>>> occurs, and I suspect that other conditions are also required.
>>>
>>
>>
>> Ohhh, so that's what I have been experiencing. :)
>> I wondered what the heck was going on cause nothing was showing up in
>> the logs.
>>
> 
> Correction: I've had exactly two reports!
> 
> 
> For giggles, the faulty code was:
> 
> if (crecp->flags & F_IMMORTAL)
> while (*up && (!(*up)->flags & F_IMMORTAL))
>   up = &((*up)->hash_next);
> 
> which should, (of course) have been:
> 
> if (crecp->flags & F_IMMORTAL)
> while (*up && !((*up)->flags & F_IMMORTAL))
>   up = &((*up)->hash_next);
> 

/me blinks
Ouch
/me wonders why i don't hit this, i have mostly unlimited leases..

C: You shoot yourself in the foot

Just to enlighten me a little bit:

> @@ -282,9 +282,7 @@ static int cache_scan_free(char *name, s
> 
>if (flags & F_FORWARD)
>  {
> -  for (up = hash_bucket(name), crecp = *up;
> -  crecp && ((crecp->flags & F_REVERSE) || !(crecp->flags & 
> F_IMMORTAL));
> -  crecp = crecp->hash_next)
> +  for (up = hash_bucket(name), crecp = *up; crecp; crecp = 
> crecp->hash_next)
> if (is_expired(now, crecp) || is_outdated_cname_pointer(crecp))
>   {
> *up = crecp->hash_next;
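Review bot: Dropping the `!(crecp->flags & F_IMMORTAL)` stop condition makes the forward scan in cache_scan_free visit every entry in the bucket, immortal /etc/hosts tail included, so the early-exit optimisation discussed earlier in this thread is given up here. That may be the right call: the faulty insertion loop quoted above never advanced at all (its condition evaluates to `(!flags) & F_IMMORTAL`, which is 0 for any non-zero flags), so immortal entries may not have been at the tail where the old stop condition assumed them. A one-line comment on the `for` saying whether the full walk is the intended permanent behaviour or a stopgap until the chain order is guaranteed again would save the next reader the same question Jan asks below. Removing the `(crecp->flags & F_REVERSE)` clause is correct on its own, since testing for reverse entries in a forward scan was wrong.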

Hmmm, ok, when scanning for F_FORWARD entries testing for F_REVERSE is,
uhm, wrong.

But with the F_IMMORTAL, is an unlimited dhcp-lease also immortal and
not at the end of a chain? So we can't stop scanning when seeing
immortals, which we cannot free, because there are still scan-/free-able
entries behind it? Hmmm, probably, it's F_REVERSE and at the front.
/me needs to send some SIGUSR1...

> Cheers,
> 
> Simon.
> 
Greetings
Jan


-- 
Live proud, live free - code in C
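The slip Simon quotes is a precedence trap rather than a logic error, and it is easiest to see by running both conditions over the same chain. The following is an added example, not dnsmasq code and not from the list: a constructed hash chain of three mortal entries followed by one immortal entry, the walker written with the faulty condition, and the same walker with the corrected one. The flag values are made up for the example; only F_IMMORTAL matters.

```c
#include <stdio.h>

/* Added example (not dnsmasq code): the operator-precedence slip quoted above,
 * reproduced on a constructed chain so both conditions can be compared. */
#define F_FORWARD  0x0001
#define F_IMMORTAL 0x0002

struct crec {
    unsigned short flags;
    struct crec *hash_next;
};

/* Faulty walker: meant to advance *up to the first immortal entry so that a
 * new immortal entry can be linked in at the tail. Returns entries stepped over.
 * `!(*up)->flags & F_IMMORTAL` parses as `(!((*up)->flags)) & F_IMMORTAL`:
 * unary ! binds tighter than &, so for any non-zero flags the left operand is
 * 0 and the loop body never runs. The walker stays at the head of the chain. */
int skip_to_immortal_buggy(struct crec **up)
{
    int steps = 0;
    while (*up && (!(*up)->flags & F_IMMORTAL)) {
        up = &((*up)->hash_next);
        steps++;
    }
    return steps;
}

/* Corrected walker: advance past every entry that is NOT immortal. */
int skip_to_immortal_fixed(struct crec **up)
{
    int steps = 0;
    while (*up && !((*up)->flags & F_IMMORTAL)) {
        up = &((*up)->hash_next);
        steps++;
    }
    return steps;
}

/* Links n mortal entries followed by one immortal entry, using the caller's
 * storage (n + 1 elements). Returns the head of the chain. */
struct crec *build_chain(struct crec *storage, int n)
{
    int i;
    for (i = 0; i < n; i++) {
        storage[i].flags = F_FORWARD;
        storage[i].hash_next = &storage[i + 1];
    }
    storage[n].flags = F_FORWARD | F_IMMORTAL;
    storage[n].hash_next = NULL;
    return storage;
}

/* Builds a chain of 3 mortal entries plus one immortal and runs the selected
 * walker over it. Returns the number of entries stepped over. */
int count_steps(int fixed)
{
    static struct crec chain[4];
    struct crec *head = build_chain(chain, 3);
    return fixed ? skip_to_immortal_fixed(&head) : skip_to_immortal_buggy(&head);
}

int main(void)
{
    printf("buggy condition: %d steps\n", count_steps(0));   /* 0 */
    printf("fixed condition: %d steps\n", count_steps(1));   /* 3 */
    return 0;
}
```

Because the faulty loop never moves, every immortal entry ends up linked in at the head of its bucket instead of at the tail; a scan that stops at the first immortal entry then stops immediately and never reaches the mortal entries behind it, which is the kind of stuck state that shows up as a spinning daemon with nothing in the logs.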



Re: [Dnsmasq-discuss] (no subject)

2007-02-12 Thread Jan 'RedBully' Seiffert
mmarkk wrote:
> 
> I have some problems building dnsmasq for mipsel-uclibc target. The
> problem is the 2 calls to function "prctl" that are in dnsmasq.c . While
> compiling, I get these errors from ld:
> 
> dnsmasq.o: In function 'main':
> dnsmasq.o (.text+0xae0): undefined reference to 'prctl'
> dnsmasq.o (.text+0xb90): undefined reference to 'prctl'
> 
> What prctl() is used for? Which library or include file contains it?
> 

from my man prctl:

> NAME
>prctl - operations on a process
...
> CONFORMING TO
>This call is Linux-specific.  IRIX has a prctl() system call (also 
> introduced in Linux 2.1.44 as  irix_prctl  on  the
>MIPS architecture), with prototype
> 
>ptrdiff_t prctl(int option, int arg2, int arg3);

dnsmasq seems to adjust two things:
1) Adjust the POSIX capabilities (unfortunately they never became a
standard, but Linux implements them), for ex.: you can open a privileged
port while not being root.
2) Enable core dumps

Both can be "ignored" (modulo that 1) deals with permissions)

So maybe some #ifdef __LINUX__ or something like that may help.

> mmarkk
> 
Greetings
Jan


-- 
ACPI - Another Crap Proposal Intel



Re: [Dnsmasq-discuss] resolver options

2007-02-06 Thread Jan 'RedBully' Seiffert
AJ Weber wrote:
> If I use a "different" resolv.conf file (i.e. I use a
> resolv-file=/etc/resolv.dnsmasq), will an "option" have the same
> effect it normally would?
> 
Looking at the source (network.c, reload_servers()@536), i would say no.

> For example, I'm considering changing timeout to 2 (instead of the
> default of 5), because I've had some issues with my ISP's DNS servers
> recently and don't want to wait too long for the timeout.  With the
> broadband connection, any of the nameservers in my list consistently
> returns in < 1 sec (when they're up, of course).
> 
> Will this have the desired effect?  Any comments or concerns with
> that change in general?  Am I misunderstanding the purpose of the
> "options timeout:" ?
> 
H, must read up on this...


> ALSO...(DIFFERENT TOPIC) : Is there no way to tell dnsmasq to dump
> it's current lease-info to a file that could be read on restart so it
> knows about all outstanding DHCP leases?  It's rare that I have to
> restart dnsmasq or the linux box it's on, but when I do, it forces me
> to restart a lot of client machines in case I'd get a dhcp/IP address
> mix-up (where dnsmasq doesn't know an IP Address is already leased to
> a running client, and a new client requests a lease so it hands-out
> the same address).
> 
Huh?
/me scratches his head.
Normally you don't need any dump-file-flag, because dnsmasq maintains a
lease-file (there is even a special option for these WRT SOHO router, to
keep it in battery backed RAM, because the FS is ro).

Mine is placed in /var/lib/misc/dnsmasq.leases and works(TM).

Maybe there is a problem with file permissions and such things.
You may want to take a look at the "dhcp-leasefile"-option (-l on the
cmd-line). It's also possible that either you have set "leasefile-ro"
(-9 on the cmd-line) or the isc-leasefile code interferes with it.

> Thanks in advance, AJ
> 
Greetings
Jan

-- 
pod* a;
pott* b;
a = (pod *)b;
a real pod cast :-D



Re: [Dnsmasq-discuss] Two dnsmasq servers connected by a VPN

2007-02-04 Thread Jan 'RedBully' Seiffert
Pedro Côrte-Real wrote:
> I have a VPN permanently connected between two sites. It's a routed
> one, so each network has its own subnet. There's a dnsmasq server on
> each side doing DNS and DHCP. The problem is that I want laptops to
> have the same network name independent of which side they're in. I
> have two main options:
> 
> - Make the VPN bridged and have both sides use the same subnet. I
> would then still run two dnsmasq servers (so that when the VPN is down
> both sides still get DNS/DHCP) but since the laptop IP's are the same
> on both sides it just works. I'd have to block DHCP packets on the
> firewalls so that on each side the remote server doesn't respond as
> well.
> 

I think this could work, but you need the same entries on both sides, so
on both sides the answer is right (so you need some kind of sync). But i
would share your performance concerns (from the traffic POV, not dnsmasq).
You need to put explicit entries for every wandering host into /etc/hosts
(or an addn-hosts-file), because dnsmasq is clever enough to say "host
unknown" if it did not give out the lease. But then you would always get
an answer even if the host is not up in any net.

> - Maintain the current routed VPN and the laptops get different IP's
> on the two sides. Have dnsmasq somehow point DNS to the other side's
> IP when the laptop isn't registered using DHCP. Is there any way to do
> this?
> 

This would not work IMHO, because dnsmasq only has "one view" of
upstream (sure, you can configure special upstream server for special
domains, but it would not fit your simplicity approach). But maybe i need
to sleep longer with the man-page of dnsmasq under my pillow, and it can
be solved chaining the right options the right way.

After thinking two days about it, i would propose this
guerrilla-approach (which would need some coding):
- hook up a script on the new "run-script-on-dhcp-action"-facility
- this script maintains a db with the local leases (or uses dnsmasq's
lease-file)
- it now tries to sync the local entries with the remote dnsmasq, for
example in an addn-hosts=/etc/dnsmasq.d/remote-lease, transported with
ssh (take a look at private/public-key auth bound to a specific command)

just to sketch things...

> This is probably not possible and I'll have to use bridging. I was
> avoiding that because of performance concerns.
> 

Basically that's a request for some kind of
dnsmasq-failover-cluster-protocol (could this be done with some
rudimentary (zone)transfer support?).
As long as all nodes are up, they act as one, maintaining the ability to
still handle requests locally if interconnects fail. This is the second
time i hear a need for this, and always was a VPN involved (the
"distributed networks act as one, with fail over scheme"-problem).

Sigh, if it wouldn't be so complicated (how to resync after reconnect,
what to do in case of collision, only two things which come to my mind
in seconds), and error prone (esp. security wise), addn. the code-bloat...
All in all an enterprisy feature. (And cool, but worth the hassle?)

I'm not that deep into "real" DNS servers, but i think this is best
solved with them. They can do most of what dnsmasq can do (only are
bigger, need an external dhcpd and are harder to grasp IMHO), plus
things like zone transfers and such things, which may help you in this
situation. But i don't know for sure.

> Thanks,
> 
> Pedro.
> 
Greeting
Jan

-- 
If it's relevant, you need it redundant



Re: [Dnsmasq-discuss] goto's to the middle of if's in tftp.c...

2007-02-01 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Carlos Carvalho wrote:
>> There are some goto's to the middle of if's and else's in tftp.c. Such
>> jumps could perhaps be changed to a place less susceptible to
>> confusion... Since it's a new piece of code it might still be open to
>> small revisions. It may cost some extra if's but it won't make a
>> difference in performance.
> 
> If anyone can come up with a nicer solution, I'd be happy to take it,
> but I think that's a good use for gotos. The code identifies a couple of
> error conditions and the way to handle them, so it's obvious what's
> going on. When the same error conditions are encountered later, they are
> handled by gotos to the previously defined error handling code - it's a
> standard programming practise.
> 
I also "like" to handle such error cascades with gotos.
But maybe with another subfunction (so other checks could be cleanly
added) and only jumping forward is a little cleaner. So here goes my
suggestion.
Only compile tested, and... be careful, was at the dentist today, lost
2 wisdom teeth, so...

> Cheers,
> 
> Simon.
> 
Greetings
Jan


-- 
public enum BOOL
{
  TRUE,
  FALSE,
  NOT_TRUE_OR_FALSE
}
diff -Nrup dnsmasq-2.36.orig/src/tftp.c dnsmasq-2.36.tftp/src/tftp.c
--- dnsmasq-2.36.orig/src/tftp.c	2007-01-20 16:22:58.0 +0100
+++ dnsmasq-2.36.tftp/src/tftp.c	2007-02-01 20:08:54.0 +0100
@@ -14,8 +14,11 @@
 
 #ifdef HAVE_TFTP
 
+static struct tftp_file *check_tftp_fileperm(struct daemon *daemon, ssize_t *len);
 static void free_transfer(struct tftp_transfer *transfer);
 static ssize_t tftp_err(int err, char *packet, char *mess, char *file);
+static ssize_t tftp_err_perm(char *packet, char *file);
+static ssize_t tftp_err_oops(char *packet, char *file);
 static ssize_t get_block(char *packet, struct tftp_transfer *transfer);
 static char *next(char **p, char *end);
 
@@ -37,7 +40,6 @@ void tftp_request(struct listener *liste
   ssize_t len;
   char *packet = daemon->packet;
   char *filename, *mode, *p, *end, *opt;
-  struct stat statbuf;
   struct sockaddr_in addr, peer;
   struct msghdr msg;
   struct cmsghdr *cmptr;
@@ -46,7 +48,6 @@ void tftp_request(struct listener *liste
   int is_err = 1, if_index = 0;
   struct iname *tmp;
   struct tftp_transfer *transfer, *t;
-  struct tftp_file *file;
 
   union {
 struct cmsghdr align; /* this ensures alignment */
@@ -205,81 +206,17 @@ void tftp_request(struct listener *liste
 	  /* file already open */
 	  transfer->file = t->file;
 	  transfer->file->refcount++;
-	  if ((len = get_block(packet, transfer)) == -1)
-	goto oops;
-	  is_err = 0;
 	}
-  else
-	{
-	  /* check permissions and open file */
-	  
-	  /* trick to ban moving out of the subtree */
-	  if (daemon->tftp_prefix && strstr(daemon->namebuff, "/../"))
-	{
-	  errno =  EACCES;
-	  goto perm;
-	}
-	  
-	  if (stat(daemon->namebuff, &statbuf) == -1)
-	{
-	  if (errno == ENOENT || errno == ENOTDIR)
-		len = tftp_err(ERR_FNF, packet, _("file %s not found"), daemon->namebuff);
-	  else if (errno == EACCES)
-		{
-		perm:
-		  len = tftp_err(ERR_PERM, packet, _("cannot access %s: %s"), daemon->namebuff);
-		}
-	  else
-		{
-		oops:
-		  len = tftp_err(ERR_NOTDEF, packet, _("cannot read %s: %s"), daemon->namebuff);
-		}
-	}
-	  else 
-	{ 
-	  uid_t uid = geteuid();
-	  /* running as root, must be world-readable */
-	  if (uid == 0)
-		{
-		  if (!(statbuf.st_mode & S_IROTH))
-		{
-		  errno = EACCES;
-		  goto perm;
-		}
-		}
-	  /* in secure mode, must be owned by user running dnsmasq */
-	  else if ((daemon->options & OPT_TFTP_SECURE) && uid != statbuf.st_uid)
-		{
-		  errno = EACCES;
-		  goto perm;
-		}
-	  
-	  if (!(file = malloc(sizeof(struct tftp_file) + strlen(daemon->namebuff) + 1)))
-		{
-		  errno = ENOMEM;
-		  goto oops;
-		}
+	/* check permissions and open file */
+  else if ((transfer->file = check_tftp_fileperm(daemon, &len)))
+	transfer->file->refcount = 1;
 
-	  if ((file->fd = open(daemon->namebuff, O_RDONLY)) == -1)
-		{
-		  free(file);
-		  
-		  if (errno == EACCES || errno == EISDIR)
-		goto perm;
-		  else
-		goto oops;
-		}
-	  else
-		{
-		  transfer->file = file;
-		  file->refcount = 1;
-		  file->size = statbuf.st_size;
-		  strcpy(file->filename, daemon->namebuff); 
-		  if ((len = get_block(packet, transfer)) == -1)
-		goto oops;
-		  is_err = 0;
-		}
-	}
+  if(transfer->file)
+	{
+	  if ((len = get_block(packet, transfer)) == -1)
+	len = tftp_err_oops(packet, daemon->namebuff);
+	  else
+	is_err = 0;
 	}
 }
   
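Review bot: In the new `else if ((transfer->file = check_tftp_fileperm(daemon, &len)))` path, `len` is only meaningful when the helper returns NULL if every failing branch inside check_tftp_fileperm writes `*len`, because the caller leaves `is_err = 1` and goes on to use `len`; the helper's body is cut off in this archive copy, so that invariant can't be confirmed here and deserves a stated contract in a comment above the helper (and a check that no NULL return leaves `*len` untouched). Two smaller points: the `/* check permissions and open file */` comment now sits between the closing brace of the `if (t)` block and the `else if`, where it reads as a trailer of the preceding block, so it belongs inside the else branch; and a `get_block()` failure after a successful open still leaves `transfer->file` with refcount 1 for the error path to release, which is the same as before the patch, so that is not a regression but is worth a comment at the `tftp_err_oops` call.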
@@ -295,7 +232,77 @@ void tftp_request(struct listener *liste
   daemon->tftp_trans = transfer;
 }
 }
-  
+ 
+static struct tftp_file *check_tftp_fileperm(struct daemon *daemon, ssize_t *len)
+{
+  char *packet = daemon->packet, *namebuff = daemon->namebuff;
+  struct tftp_file *file;
+  uid_t uid = geteuid();
+  struct stat statbuf;
+
+  /* trick to
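Review bot: The only change to the leading context of this hunk is `-  ` to `+ ` (two trailing spaces to one), whitespace churn that should be dropped from the patch. The new helper's body is truncated after `/* trick to` in this archive copy, so the permission logic moved out of tftp_request (the `/../` prefix check, the must-be-world-readable test when running as root, and the OPT_TFTP_SECURE owner check) can't be reviewed here; when the full version is posted it should carry over all three checks from the removed lines, keep `errno = EACCES` before each permission failure so the error text stays the same, and set `*len` on every NULL return as noted on the previous hunk.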

Re: [Dnsmasq-discuss] Dnsmasq with Gigantic hosts file

2007-01-30 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Jan 'RedBully' Seiffert wrote:
>> Simon Kelley wrote:
[snip]
>>> I've not tested this yet, but I think the following patch should be enough.
>> [snip - patch]
>>
>> But doesn't this sorting clash with the resorting of cache_find_by_name
>> (according to line 487)?
> 
> The cache entries are on two different linked lists, the
> least-recently-used one doubly-linked on ->next and ->prev and the
> hash-list, linked on ->hash_next. You are thinking about the LRU list
> but I'm talking about the hash-list.
> 
*plop* *large light bulb appears over head*
Ahhh, now i see. Ok, i simply didn't grasp that there are two lists
which get maintained. I thought the LRU thing is within the hash bucket...

> This code has evolved slowly over a long time and has all sorts of scary
> stuff like that. I'd do it very differently from scratch but what's
> there 1) works well and fast. 2) had the bugs shaken out long ago. so I
> don't feel inclined to toss it.
> 
No prob. I'm with you on this, because that's also what i saw the last
two years using dnsmasq: "It simply works"(TM)

[snip - insert cost]
>> I will also test it, time to update to the last version...
>>
> 
> Thanks. 2.36 didn't change cache.c, AFAIR, so the patch should apply to
> 2.35 or 2.36.
> 
OK, i tried to test it, but it fails in so far, that i didn't get any
entries into the cache besides those from /etc/hosts and dhcp.
After i sprinkled some printf in the code, i think i found a genuine bug.
The compiler would call it: "the variable is_sign might get used
uninitialized".

forward.c, process_reply@351 && 358:
is_sign is declared, but not initialized, and then passed "by reference"
to find_pseudoheader
rfc1035.c find_pseudoheader@434 && 475:
under special circumstances is_sign gets a value, otherwise it is left
'as is'
forward.c, process_reply@358 && 368:
is_sign is checked == 0, but may contain total garbage from the stack:
dnsmasq: forward.c process_reply
dnsmasq: forward.c process_reply before test, is_sign -1208760160
dnsmasq: forward.c process_reply
dnsmasq: forward.c process_reply before test, is_sign 134615120

This problem may also exist in other places.

I made a little patch, but maybe it's wiser to set is_sign to zero in
find_pseudoheader, i don't know.

With this patch, i will go back to testing...

[snip - patch approach]
> (but I need to worry on concurrent access, coding on dnsmasq is
>> mind relaxing in this regard ;)
> 
> a select-loop is a wonderful thing ;-)
> 
I prefer epoll(7)-loops ;-)
Still i deliberately chose to split it up in some main threads to help
scalability, because i want to handle $BIGNUM longstanding simultaneous
connections with UDP-Traffic intermixed. But even if wisely chosen where
to split things up, somewhere you need concurrent access...

> Cheers,
> 
> Simon.
> 
> 
> 
Greetings
Jan

-- 
H.323 has much in common with other ITU-T standards - it features a
complex binary wire protocol, a nightmarish implementation, and a bulk
that can be used to fell medium-to-large predatory animals.
-- Anthony Baxter
diff -Npur dnsmasq-2.36.orig/src/forward.c dnsmasq-2.36.fix/src/forward.c
--- dnsmasq-2.36.orig/src/forward.c	2006-12-30 14:50:16.0 +0100
+++ dnsmasq-2.36.fix/src/forward.c	2007-01-30 23:46:33.0 +0100
@@ -240,7 +240,7 @@ static void forward_query(struct daemon 
   if (forward)
 	{
 	  /* force unchanging id for signed packets */
-	  int is_sign;
+	  int is_sign = 0;
 	  find_pseudoheader(header, plen, NULL, NULL, &is_sign);
 	  
 	  forward->source = *udpaddr;
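Review bot: Initialising `is_sign` at the call site fixes this caller, but it treats the symptom: since find_pseudoheader only writes `*is_sign` on some paths, every present and future caller has to remember the initialiser or the indeterminate-value read comes back. The more robust fix is the one the cover mail already floats, an unconditional `*is_sign = 0` at the top of find_pseudoheader (after a NULL check on the pointer, since this very call passes NULL for two of the other out-parameters); keeping the call-site initialisers as well does no harm.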
@@ -348,7 +348,7 @@ static size_t process_reply(struct daemo
 			struct server *server, size_t n)
 {
   unsigned char *pheader, *sizep;
-  int munged = 0, is_sign;
+  int munged = 0, is_sign = 0;
   size_t plen; 
 
   /* If upstream is advertising a larger UDP packet size
@@ -452,7 +452,7 @@ void reply_query(struct serverfd *sfd, s
 	{
 	  unsigned char *pheader;
 	  size_t plen;
-	  int is_sign;
+	  int is_sign = 0;
 	  
 	  /* recreate query from reply */
 	  pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
diff -Npur dnsmasq-2.36.orig/src/rfc1035.c dnsmasq-2.36.fix/src/rfc1035.c
--- dnsmasq-2.36.orig/src/rfc1035.c	2006-12-31 12:28:44.0 +0100
+++ dnsmasq-2.36.fix/src/rfc1035.c	2007-01-30 23:44:16.0 +0100
@@ -1015,7 +1015,7 @@ size_t answer_request(HEADER *header, ch
   int qdcount = ntohs(header->qdcount); 
   int q, ans, anscount = 0, addncount = 0;
   int dryrun = 0, sec_reqd = 0;
-  int is_sign;
+  int is_sign = 0;
   struct crec *crecp;
   int nxdomain = 0, auth = 1, trunc = 0;
   struct mx_srv_record *rec;
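Review bot: This hunk shows only the declaration in answer_request, not the place where `is_sign` is consumed, so from the visible context it can't be confirmed that the variable is passed by reference to find_pseudoheader the way the three forward.c sites are; if it is, the callee-side fix suggested on the first hunk covers it too, and if it is assigned some other way the initialiser here is harmless but unnecessary.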


Re: [Dnsmasq-discuss] Dnsmasq with Gigantic hosts file

2007-01-30 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Jan 'RedBully' Seiffert wrote:
> 
>> While it is common that most of these entries will point to one address
>> (be it 127.0.0.1 or a local LAN machine) and F_REVERSE not set for them,
>> it's a pity it will still slow down reverse lookups...
> 
> Reverse lookups currently iterate over every cache entry, including (in
> the case) the 700k from /etc/hosts which don't have F_REVERSE set. It
> will ignore them, of course.
> 
> Actually the observation that most of these entries don't set F_REVERSE
> is a valuable insight; it's also case that they will have the F_IMMORTAL
> bit set.
> 
At least for the "common" 10k+ entries from /etc/hosts case. Maybe a
large installation can also generate a lot of reverse entries, but that
should be more in the 100'th, which a server should be able to search.
Everything else could be simply over engineering.

> This allows a very simple optimisation: just put the reverse entries at
> the start of the hash-chain. Reverse lookups still need to check every
> hash chain, but only the first few entries which have F_REVERSE set, all
> the thousands of entries from /etc/hosts further down the list can just
> be skipped.
> 
> The IMMORTAL bit allows a similar optimisation for garbage-collection
> (the cache_scan_free() function.) IMMORTAL entries never need to be
> garbage collected, so  by putting them at the _end_ of the hash chain,
> iterating over every entry to find expired ones is no longer impacted by
> having lots of /etc/hosts names.
> 
H, OK, that's an impressively simple way to go.
This (re)sorting (last hit gets placed in front of chain?) and the
garbage-collection are things which scared me away from touching the
complete rest of the code ;)

> I've not tested this yet, but I think the following patch should be enough.
[snip - patch]

But doesn't this sorting clash with the resorting of cache_find_by_name
(according to line 487)?
Is it necessary to traverse the lists to the end of the "region" on insert?

I will also test it, time to update to the last version...

>> Maybe the following patch will help:
>> Maintain a tree for reverse lookups.
>> Patch is compile tested only, i don't know if this will work, I surely
>> dropped the ball somewhere. Also because the cache logic 'as is' is
>> quite complex IMHO (but that's maybe just my brain always needing a
>> moment wrapping around hash tables when looking into the impl.).
> 
> That code is clearly in the spirit of the existing cache code, which
> scares me whenever I look at it!

I only tried to make it least intrusive because of the lack of in-depth
knowledge of the original cache code (and how every little bit works
together in every corner case). Also this way you can switch off the
tree to save like 2k RAM for memory constrained systems like the OpenWRT.
That's maybe not the optimal approach (and may not work this way) but as
i said, i tried to make it least intrusive, and from my look over the
code, these places looked like the best place to hook in.

> I'll test mine first, just because it's
> simpler and I (think I) understand it. If it's no good I'll work on
> understanding yours and go with that.
> 
No problem, mine is more like a sketch how this could be made. I thought
in terms of "talk is cheap, show me the Code".
And even if you do not take it, I could use it in a project of mine
where i also need to map back from IP addresses to "objects" for UDP
packets (but I need to worry on concurrent access, coding on dnsmasq is
mind relaxing in this regard ;)

> Cheers,
> 
> Simon.
> 
> 
Greetings
Jan

-- 
Live proud, live free - code in C
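The chain ordering Simon describes above (reverse entries at the front of each hash chain, immortal entries at the back) is simple enough to carry out on a single bucket. The following is an added example, not dnsmasq code and not either patch from this thread: an insert that keeps the invariant, a reverse lookup that stops at the first non-reverse entry, and a collector that stops at the first immortal entry that is not also a reverse entry. That last choice follows Jan's remark in the 2.38 thread that an entry can be both reverse and immortal and then sits at the front, so the collector skips the reverse region rather than stopping in it. Flag values, the address field and expiry times are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example (not dnsmasq code): one hash bucket kept in the order
 * [reverse...][mortal forward...][immortal forward...], and the two scans
 * that profit from it. */
#define F_REVERSE  0x0001
#define F_IMMORTAL 0x0002

struct crec {
    unsigned flags;
    unsigned addr;          /* stand-in for the record's address */
    long expires;           /* 0 = never expires */
    struct crec *hash_next;
};

/* Insert 'e' keeping the invariant. Reverse entries go to the front even
 * when they are immortal; other immortal entries go to the very end; mortal
 * forward entries stay ahead of the immortal tail. */
void chain_insert(struct crec **bucket, struct crec *e)
{
    struct crec **up = bucket;
    if (!(e->flags & F_REVERSE)) {
        while (*up && ((*up)->flags & F_REVERSE))          /* skip reverse region */
            up = &(*up)->hash_next;
        if (e->flags & F_IMMORTAL) {
            while (*up)                                     /* immortal: to the end */
                up = &(*up)->hash_next;
        } else {
            while (*up && !((*up)->flags & F_IMMORTAL))     /* mortal: before tail */
                up = &(*up)->hash_next;
        }
    }
    e->hash_next = *up;
    *up = e;
}

/* Reverse lookup: touches only the reverse region at the front.
 * *visited counts entries examined, to make the early stop visible. */
struct crec *chain_find_reverse(struct crec *head, unsigned addr, int *visited)
{
    *visited = 0;
    for (; head && (head->flags & F_REVERSE); head = head->hash_next) {
        (*visited)++;
        if (head->addr == addr)
            return head;
    }
    return NULL;
}

/* Garbage collection: unlink expired mortal entries and stop at the first
 * forward immortal entry, since everything behind it is immortal too.
 * Reverse entries are examined but never stop the walk. Returns the number
 * of entries unlinked. */
int chain_expire(struct crec **bucket, long now)
{
    int freed = 0;
    struct crec **up = bucket;
    while (*up) {
        struct crec *c = *up;
        if ((c->flags & F_IMMORTAL) && !(c->flags & F_REVERSE))
            break;
        if (c->expires != 0 && c->expires < now) {
            *up = c->hash_next;
            freed++;
        } else {
            up = &c->hash_next;
        }
    }
    return freed;
}

/* Builds a constructed bucket of six entries in mixed order, expires it at
 * time 100 and looks up address 0x0a000002. Returns the number of entries
 * the reverse lookup examined; *expired and *chain_len report the rest. */
int demo(int *expired, int *chain_len)
{
    static struct crec e[6];
    static const unsigned flags[6] = { F_IMMORTAL, 0, F_REVERSE | F_IMMORTAL,
                                       0, F_IMMORTAL, F_REVERSE };
    static const long expires[6]   = { 0, 50, 0, 200, 0, 300 };
    struct crec *bucket = NULL, *p;
    int visited, i;
    for (i = 0; i < 6; i++) {
        e[i].flags = flags[i];
        e[i].addr = 0x0a000000u + (unsigned)i;
        e[i].expires = expires[i];
        chain_insert(&bucket, &e[i]);
    }
    *expired = chain_expire(&bucket, 100);          /* only e[1] (expires 50) goes */
    chain_find_reverse(bucket, 0x0a000002u, &visited);
    for (*chain_len = 0, p = bucket; p; p = p->hash_next)
        (*chain_len)++;
    return visited;
}

int main(void)
{
    int expired, len;
    int visited = demo(&expired, &len);
    printf("reverse lookup examined %d of %d entries, %d expired\n",
           visited, len, expired);   /* 2 of 5 entries, 1 expired */
    return 0;
}
```

With six entries inserted in the order immortal, mortal, reverse+immortal, mortal, immortal, reverse, the bucket ends up as [reverse, reverse+immortal, mortal, mortal, immortal, immortal]; the collector removes one mortal entry and stops before the immortal tail, and the reverse lookup examines two entries instead of five.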



Re: [Dnsmasq-discuss] Dnsmasq with Gigantic hosts file

2007-01-29 Thread Jan 'RedBully' Seiffert
Simon Kelley wrote:
> Jan 'RedBully' Seiffert wrote:
[snip 700k hosts file]
>> If you are talking about a traditional hosts file:
>> AFAIK dnsmasq uses a hash table for such lookups, so basically even a
>> large number should not be a problem. I for example have 10.000
>> "bad-hosts" in an extra file read by dnsmasq (50k where also already
>> mentioned here on the list), and my DNS lookups are "lightning fast" (I
>> also run dnsmasq with nice -1 + some traffic shaping rules prioritizing
>> DNS packets, but thats to reduce latencies).
>> But 700k may drive it to its limits...
>> First you will need a little RAM for it (my dnsmasq uses 2MB ATM, so
>> _very_ roughly * 70 ~= 140MB), but secondly scalability-issues in the
>> hash table may surface (hash collision, but you may fix it locally by
>> setting a higher number of hash buckets in the source code and recompile).
>>
>> But the ultimate answer to this is only known by Simon.
> 
> Releases before 2.35 will choke reading a file this big. The code was
> re-written in 2.35 to make it usable. (and also to re-size the hash
> table based on the size of /etc/hosts, which addresses Jan's point).
> 
Ahhh, it's good to have someone knowing the code in and out ;)
I looked myself into 2.36 cache.c and yes, this should solve it.

> I'd expect the next choke-point to be reverse (address->names) DNS
> lookups, which are not hashed. I don't of anybody who has hit that brick
> wall yet, but 700,000 might. You will have to test. The lookup time
> should scale linearly with the size of the hosts file for reverse
> lookups, and much less than linearly for forward lookups.
> 
While it is common that most of these entries will point to one address
(be it 127.0.0.1 or a local LAN machine) and F_REVERSE not set for them,
it's a pity it will still slow down reverse lookups...

Maybe the following patch will help:
Maintain a tree for reverse lookups.
Patch is compile tested only, i don't know if this will work, I surely
dropped the ball somewhere. Also because the cache logic 'as is' is
quite complex IMHO (but that's maybe just my brain always needing a
moment wrapping around hash tables when looking into the impl.).

> Cheers,
> 
> Simon.
> 
Greeting
Jan

-- 
ASCII a stupid question,
get a stupid ANSI
diff -prN -U 10 dnsmasq-2.36.orig/src/cache.c dnsmasq-2.36.new/src/cache.c
--- dnsmasq-2.36.orig/src/cache.c	2006-12-30 14:44:08.0 +0100
+++ dnsmasq-2.36.new/src/cache.c	2007-01-29 20:44:57.0 +0100
@@ -56,20 +56,240 @@ static const struct {
   { 255, "ANY" }
 };
 
 static void cache_free(struct crec *crecp);
 static void cache_unlink(struct crec *crecp);
 static void cache_link(struct crec *crecp);
 static char *record_source(struct hostsfile *add_hosts, int index);
 static void rehash(int size);
 static void cache_hash(struct crec *crecp);
 
+#ifdef CONFIG_NO_REVERSE_TREE
+#define cache_reverse_add(x)
+#define cache_reverse_remove(x)
+#else
+/* if you change this, the index function needs to be adjustet */
+#define TREE_WIDTH 4
+static struct r_tree {
+   struct r_tree *parent;
+   char final[TREE_WIDTH];
+   union {
+  struct r_tree *next;
+  struct crec *leaf;
+   } links[TREE_WIDTH];
+} reverse_root_ipv4;
+#ifdef HAVE_IPV6
+static struct r_tree reverse_root_ipv6;
+#endif
+
+static int tree_ndx(unsigned char *addr, int bndx)
+{
+  /* bndx must be even, 0, 2, 4, 6 ... */
+  static const unsigned char addr_bmask[] = {0xC0, 0x06, 0x30, 0x04, 0x0C, 0x02, 0x03, 0x00};
+  return (addr[bndx / 8] & addr_bmask[bndx % 8]) >> addr_bmask[(bndx % 8) + 1];
+}
+
+static struct r_tree *tree_crec_info(struct all_addr *addr, unsigned char *addr_bits, int *addrlen, unsigned short flags)
+{
+  if (flags & F_REVERSE)
+return NULL;
+
+  if (flags & F_IPV4)
+{
+  *addrlen = INADDRSZ;
+  memcpy(addr_bits, &addr->addr.addr4.s_addr, *addrlen);
+  return &reverse_root_ipv4;
+}
+#ifdef HAVE_IPV6
+  else if (flags & F_IPV6)
+{
+  *addrlen = IN6ADDRSZ;
+  memcpy(addr_bits, &addr->addr.addr6.s6_addr, *addrlen);
+  return &reverse_root_ipv6;
+}
+#endif 
+
+  return NULL;
+}
+
+static void cache_reverse_add(struct crec *crecp)
+{
+  unsigned char addr_bits[128 / 8];
+  struct r_tree *wtree;
+  struct crec *safe_crec = NULL;
+  int addrlen, i;
+
+  wtree = tree_crec_info(&crecp->addr.addr, addr_bits, &addrlen, crecp->flags);
+  if (!wtree)
+return;
+
+  addrlen *= 8;
+  /* traverse addr bits */
+  for (i = 0; i < addrlen; i += 2)
+{
+  int ndx = tree_ndx(addr_bits, i);
+  /* slot used for shortcut? */
+  if (!wtree->final[ndx])
+	{
+	  /* no, is it a link to next addr bit level? */
+  if (wtree->links[ndx].next)
+	 wt
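Review bot: In tree_crec_info the early `if (flags & F_REVERSE) return NULL;` looks inverted: F_REVERSE marks exactly the records a reverse lookup may be answered from (Simon's mail in this thread says reverse lookups ignore entries without it), so as written only non-reverse records are ever added to the tree and a reverse lookup through it would find nothing; this should read `if (!(flags & F_REVERSE))`. A readability point in tree_ndx: `addr_bmask` interleaves masks and shift counts in one array (`0xC0, 0x06, 0x30, 0x04, ...`) and indexes it with `bndx % 8` and `(bndx % 8) + 1`, which only works because bndx is even (the comment says so) and hides the intent; two four-entry tables, one for the mask and one for the shift, indexed by `(bndx % 8) / 2`, express the same thing and can't be misindexed by an odd bndx. Also `char final[TREE_WIDTH]` is declared and tested in cache_reverse_add but the part of the patch that sets it is cut off in this archive copy, so the shortcut logic can't be reviewed here.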
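The structure the patch above sketches, and which the two later replies in this thread discuss, is a radix tree walked two address bits per level. The following is an added example, not the patch's code and not anything from the list: a stand-alone 4-ary tree for address-to-record lookup with insert, lookup and teardown, using separate mask and shift tables for the index function. Leaves hold a caller-supplied pointer; the IPv4 addresses and host names in the demo are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the patch's code): a 4-ary radix tree keyed on address
 * bits, two bits per level (16 levels for an IPv4 address). */
#define TREE_WIDTH 4

struct r_tree {
    struct r_tree *child[TREE_WIDTH];   /* NULL where no address descends */
    void *leaf;                         /* set only on the last level */
};

/* Index (0..3) of the two bits starting at even bit offset 'bndx' of 'addr',
 * most significant bits first: offset 0 is the top two bits of addr[0]. */
static int tree_ndx(const unsigned char *addr, int bndx)
{
    static const unsigned char mask[]  = { 0xC0, 0x30, 0x0C, 0x03 };
    static const unsigned char shift[] = { 6, 4, 2, 0 };
    int slot = (bndx % 8) / 2;
    return (addr[bndx / 8] & mask[slot]) >> shift[slot];
}

/* Stores 'leaf' under the 'addrlen'-byte address. Returns 0, or -1 on OOM. */
int tree_insert(struct r_tree *root, const unsigned char *addr, int addrlen, void *leaf)
{
    struct r_tree *t = root;
    int bits = addrlen * 8, i;
    for (i = 0; i < bits; i += 2) {
        int ndx = tree_ndx(addr, i);
        if (!t->child[ndx]) {
            t->child[ndx] = calloc(1, sizeof(*t));
            if (!t->child[ndx])
                return -1;
        }
        t = t->child[ndx];
    }
    t->leaf = leaf;
    return 0;
}

/* Returns the leaf stored under the address, or NULL if none. */
void *tree_lookup(const struct r_tree *root, const unsigned char *addr, int addrlen)
{
    const struct r_tree *t = root;
    int bits = addrlen * 8, i;
    for (i = 0; i < bits && t; i += 2)
        t = t->child[tree_ndx(addr, i)];
    return t ? t->leaf : NULL;
}

/* Frees every node below 'root'; root itself is caller-owned. */
void tree_clear(struct r_tree *root)
{
    int i;
    for (i = 0; i < TREE_WIDTH; i++) {
        if (root->child[i]) {
            tree_clear(root->child[i]);
            free(root->child[i]);
            root->child[i] = NULL;
        }
    }
}

/* Demo on constructed IPv4 addresses; returns 1 when both stored addresses
 * resolve to their own leaf and an unknown address resolves to NULL. */
int demo(void)
{
    static const unsigned char a[4] = { 10, 0, 0, 1 };
    static const unsigned char b[4] = { 10, 0, 0, 2 };
    static const unsigned char c[4] = { 192, 168, 1, 1 };
    static char name_a[] = "host-a.lan", name_b[] = "host-b.lan";
    struct r_tree root;
    int ok;
    memset(&root, 0, sizeof root);
    if (tree_insert(&root, a, 4, name_a) != 0 || tree_insert(&root, b, 4, name_b) != 0)
        return 0;
    ok = tree_lookup(&root, a, 4) == name_a
      && tree_lookup(&root, b, 4) == name_b
      && tree_lookup(&root, c, 4) == NULL;
    tree_clear(&root);
    return ok;
}

int main(void)
{
    printf("reverse tree demo: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Lookup cost is fixed at sixteen steps for IPv4 regardless of how many entries are stored, which is the property the thread is after for a 700k-line hosts file; the price is one node per distinct prefix, so the memory footprint grows with the number of distinct addresses rather than with the number of names.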

Re: [Dnsmasq-discuss] Dnsmasq with Gigantic hosts file

2007-01-28 Thread Jan 'RedBully' Seiffert
Jason wrote:
> Hello all,
> 
Hi

> I'm considering replacing squidguard, a filtering redirector for the
> squid cache proxy, with a BIG hosts file and dnsmasq (716,093
> entries!).  Currently, my network serves less than 10 clients(dns only,
> no dhcp), but may reach 200 in the next few years.  Will this work. 
> It'd be nice to consolidate the functions and have the option to
> shutdown the squid cache.

If you are talking about a traditional hosts file:
AFAIK dnsmasq uses a hash table for such lookups, so basically even a
large number should not be a problem. I for example have 10.000
"bad-hosts" in an extra file read by dnsmasq (50k were also already
mentioned here on the list), and my DNS lookups are "lightning fast" (I
also run dnsmasq with nice -1 + some traffic shaping rules prioritizing
DNS packets, but that's to reduce latencies).
But 700k may drive it to its limits...
First you will need a little RAM for it (my dnsmasq uses 2MB ATM, so
_very_ roughly * 70 ~= 140MB), but secondly scalability-issues in the
hash table may surface (hash collision, but you may fix it locally by
setting a higher number of hash buckets in the source code and recompile).

But the ultimate answer to this is only known by Simon.

I also have a patch installed to use RegEx on host names, so you can do
things like:
address=/:(double|fast|value|(euros|pay)4)[kc]lick?\.(com|net|tld):/127.0.0.1

This can compress a list of "bad hosts" in traditional hosts file format
and match things you never thought of in the first place.
Downside is, it internally uses a linked list, so it scales linearly with
the number of rules (for every lookup!) + RegEx overhead (but you can
squeeze a lot in one RegEx ;).
But i'm still testing if it runs smoothly before letting it escape into
the wild :-/

> Also, squidguard can block a specific url
> inside a domain, ie, www.goodsite.com/badarea/badstuff.html.  Can
> dnsmasq emulate this?  I know this is outside the design intent of
> dnsmasq, but it's not a bad application.

As Richard Voigt already mentioned, the URL is never transferred to your
DNS resolver, only the hostname.

IMHO the right tool for such a task is a proxy, like squid. I mean you get:
* Content cache to speed things up and save bandwidth (esp. with 200
clients)
* Filtering on URL, source, target, authentication, foo and bar
* Possibility to pass every file through clamav, for example

But since dnsmasq is so easy to set up and well performing you may split
up your task:
Basic host based blocking (and get a DNS cache for free ;) -> dnsmasq
Advanced URL filtering and other magic -> squid

But if this complication is wise, the question may have to be: What's the
problem with your current setup?
(Oh, and no, i personally do not use squid, so i cannot help you on
problems with squid)

> Jason
> 
Greetings
Jan

PS: Jippie, first Post on the list.
I want to thank Simon for this great program.
And sorry for my bad English.
-- 
error compiling committee.c: too many arguments to function
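The regex-based address rule above works the way Jan describes it: a linked list of compiled expressions, one regexec per rule per lookup. The following is an added example, not Jan's patch and not dnsmasq code: a rule list built on POSIX regex(3), with the pattern from the mail anchored so that it matches a domain and its subdomains but not a longer name that merely contains it. The host names used in the demo are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not dnsmasq code): a linked list of POSIX extended regexes
 * checked against a queried name, linear in the number of rules. */
struct rx_rule {
    regex_t re;
    const char *pattern;
    struct rx_rule *next;
};

/* Compile 'pattern' and push it on the list. Returns 0, or -1 on error. */
int rule_add(struct rx_rule **head, const char *pattern)
{
    struct rx_rule *r = calloc(1, sizeof *r);
    if (!r)
        return -1;
    /* REG_ICASE because DNS names are case-insensitive; REG_NOSUB because
     * only hit/miss is needed, not the matched substring. */
    if (regcomp(&r->re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
        free(r);
        return -1;
    }
    r->pattern = pattern;
    r->next = *head;
    *head = r;
    return 0;
}

/* Returns the pattern of the first rule matching 'name', or NULL. */
const char *rule_match(const struct rx_rule *head, const char *name)
{
    for (; head; head = head->next)
        if (regexec(&head->re, name, 0, NULL, 0) == 0)
            return head->pattern;
    return NULL;
}

void rule_free(struct rx_rule *head)
{
    while (head) {
        struct rx_rule *n = head->next;
        regfree(&head->re);
        free(head);
        head = n;
    }
}

/* The pattern from the mail, with "(^|\.)" in front and "$" at the end so it
 * applies to the domain and its subdomains only: "ads.doubleclick.net" hits,
 * "notdoubleclick.com" does not. "tld" is kept literally as in the mail. */
static const char *AD_RULE =
    "(^|\\.)(double|fast|value|(euros|pay)4)[kc]lick?\\.(com|net|tld)$";

/* 1 if 'name' is blocked by the constructed rule set, 0 if not, -1 on error. */
int is_blocked(const char *name)
{
    struct rx_rule *rules = NULL;
    int hit;
    if (rule_add(&rules, AD_RULE) != 0)
        return -1;
    hit = rule_match(rules, name) != NULL;
    rule_free(rules);
    return hit;
}

int main(void)
{
    const char *names[] = { "ads.doubleclick.net", "pay4click.com",
                            "notdoubleclick.com", "example.com" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s %s\n", names[i], is_blocked(names[i]) ? "blocked" : "allowed");
    return 0;
}
```

The anchoring matters for a blocklist: without `$` the rule would also match a name such as doubleclick.com.example.org, and without the leading `(^|\.)` any name merely containing the string would be blocked, which is how overly broad rules end up blocking legitimate hosts.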