dnsmasq: bump to v2.87

coolsnowwolf 2022-11-19 15:23:46 +08:00
parent 6f77eb8769
commit c5b0c71a92
9 changed files with 19 additions and 507 deletions


@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_UPSTREAM_VERSION:=2.86
PKG_UPSTREAM_VERSION:=2.87
PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq
PKG_HASH:=28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08
PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
PKG_HASH:=0228c0364a7f2356fd7e7f1549937cbf3099a78d3b2eb1ba5bb0c31e2b89de7a
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING


@ -21,6 +21,7 @@ config dnsmasq
#list bogusnxdomain '64.94.110.11'
option localservice 1 # disable to allow DNS requests from non-local subnets
option filter_aaaa 1
option filter_a 0
option cachesize 8000
option mini_ttl 3600
option ednspacket_max 1232


@ -930,9 +930,8 @@ dnsmasq_start()
append_bool "$cfg" rapidcommit "--dhcp-rapid-commit"
append_bool "$cfg" scriptarp "--script-arp"
append_bool "$cfg" filter_aaaa "--filter-aaaa"
append_bool "$cfg" filter_https "--filter-https"
append_bool "$cfg" filter_unknown "--filter-unknown"
append_bool "$cfg" filter_aaaa "--filter-AAAA"
append_bool "$cfg" filter_a "--filter-A"
append_parm "$cfg" logfacility "--log-facility"
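Review bot: Dropping the `filter_https` and `filter_unknown` lines means an existing `/etc/config/dhcp` that still sets either option is now silently ignored, because the local patch that implemented `--filter-https` and `--filter-unknown` is deleted in this same commit and nothing in this hunk reports the discarded setting. A one-time warning next to the new `filter_a` line would make the behaviour change visible, e.g. `config_get_bool filter_https "$cfg" filter_https 0` followed by `[ "$filter_https" = 1 ] && logger -t dnsmasq "filter_https is no longer supported in this version"`, and the same for `filter_unknown`. Note also that the flag spelling changes case from `--filter-aaaa` to `--filter-AAAA`; dnsmasq long options are matched case-sensitively, so any documentation or downstream scripts that pass the old lowercase form will no longer be accepted. dnsmasq_start's body begins and ends outside this hunk.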


@ -1,179 +0,0 @@
From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 31 Mar 2022 21:35:20 +0100
Subject: Fix write-after-free error in DHCPv6 code. CVE-2022-0934 refers.
---
CHANGELOG | 3 +++
src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
2 files changed, 30 insertions(+), 21 deletions(-)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -92,6 +92,9 @@ version 2.86
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.
+ Fix write-after-free error in DHCPv6 server code.
+ CVE-2022-0934 refers.
+
version 2.85
Fix problem with DNS retries in 2.83/2.84.
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -33,9 +33,9 @@ struct state {
unsigned int mac_len, mac_type;
};
-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
struct in6_addr *client_addr, int is_unicast, time_t now);
-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c
}
/* This cost me blood to write, it will probably cost you blood to understand - srk. */
-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
struct in6_addr *client_addr, int is_unicast, time_t now)
{
void *end = inbuff + sz;
void *opts = inbuff + 34;
- int msg_type = *((unsigned char *)inbuff);
+ int msg_type = *inbuff;
unsigned char *outmsgtypep;
void *opt;
struct dhcp_vendor *vendor;
@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat
return 1;
}
-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
{
void *opt;
- int i, o, o1, start_opts;
+ int i, o, o1, start_opts, start_msg;
struct dhcp_opt *opt_cfg;
struct dhcp_netid *tagif;
struct dhcp_config *config = NULL;
struct dhcp_netid known_id, iface_id, v6_id;
- unsigned char *outmsgtypep;
+ unsigned char outmsgtype;
struct dhcp_vendor *vendor;
struct dhcp_context *context_tmp;
struct dhcp_mac *mac_opt;
@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *
v6_id.next = state->tags;
state->tags = &v6_id;
- /* copy over transaction-id, and save pointer to message type */
- if (!(outmsgtypep = put_opt6(inbuff, 4)))
+ start_msg = save_counter(-1);
+ /* copy over transaction-id */
+ if (!put_opt6(inbuff, 4))
return 0;
start_opts = save_counter(-1);
- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
-
+ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
+
/* We're going to be linking tags from all context we use.
mark them as unused so we don't link one twice and break the list */
for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *
(msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
{
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
o1 = new_opt6(OPTION6_STATUS_CODE);
put_opt6_short(DHCP6USEMULTI);
put_opt6_string("Use multicast");
@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *
struct dhcp_netid *solicit_tags;
struct dhcp_context *c;
- *outmsgtypep = DHCP6ADVERTISE;
+ outmsgtype = DHCP6ADVERTISE;
if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
{
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
state->lease_allocate = 1;
o = new_opt6(OPTION6_RAPID_COMMIT);
end_opt6(o);
@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *
int start = save_counter(-1);
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
state->lease_allocate = 1;
log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *
int address_assigned = 0;
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL);
@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *
int good_addr = 0;
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *
log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
if (ignore)
return 0;
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
tagif = add_options(state, 1);
break;
}
@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *
case DHCP6RELEASE:
{
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPRELEASE", NULL, NULL);
@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *
case DHCP6DECLINE:
{
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPDECLINE", NULL, NULL);
@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *
}
}
-
+
+ /* Fill in the message type. Note that we store the offset,
+ not a direct pointer, since the packet memory may have been
+ reallocated. */
+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
+
log_tags(tagif, state->xid);
log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));


@ -13,7 +13,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -95,10 +95,6 @@ int main (int argc, char **argv)
@@ -103,10 +103,6 @@ int main (int argc, char **argv)
read_opts(argc, argv, compile_opts);
@ -26,7 +26,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1201,7 +1201,7 @@ extern struct daemon {
@@ -1229,7 +1229,7 @@ extern struct daemon {
int inotifyfd;
#endif
#if defined(HAVE_LINUX_NETWORK)
@ -35,7 +35,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
#elif defined(HAVE_BSD_NETWORK)
int dhcp_raw_fd, dhcp_icmp_fd, routefd;
#endif
@@ -1388,9 +1388,6 @@ int read_write(int fd, unsigned char *pa
@@ -1422,9 +1422,6 @@ int read_write(int fd, unsigned char *pa
void close_fds(long max_fd, int spare1, int spare2, int spare3);
int wildcard_match(const char* wildcard, const char* match);
int wildcard_matchn(const char* wildcard, const char* match, int num);
@ -140,7 +140,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
--- a/src/util.c
+++ b/src/util.c
@@ -796,22 +796,3 @@ int wildcard_matchn(const char* wildcard
@@ -833,22 +833,3 @@ int wildcard_matchn(const char* wildcard
return (!num) || (*wildcard == *match);
}


@ -1,6 +1,6 @@
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1564,14 +1564,26 @@ void emit_dbus_signal(int action, struct
@@ -1598,14 +1598,26 @@ void emit_dbus_signal(int action, struct
/* ubus.c */
#ifdef HAVE_UBUS
@ -151,7 +151,7 @@
if (!ADD_RDLEN(header, p, qlen, rdlen))
return 0; /* bad packet */
}
@@ -563,7 +632,7 @@ int extract_addresses(struct dns_header
@@ -568,7 +637,7 @@ int extract_addresses(struct dns_header
cache_start_insert();
/* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */
@ -269,7 +269,7 @@
struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1972,6 +1972,10 @@ static void check_dns_listeners(time_t n
@@ -1998,6 +1998,10 @@ static void check_dns_listeners(time_t n
daemon->pipe_to_parent = pipefd[1];
}


@ -1,166 +0,0 @@
From 93ac8f9d469ff08d41170eb6934842b3626d5fdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
Date: Wed, 23 Dec 2015 22:10:44 +0100
Subject: [PATCH] DHCPv6: Honor assigning IPv6 address based on MAC address
Currently IPv6 addresses are assigned to tuple (IAID, DUID). When system
changes IAID/DUID then old assigned IPv6 address cannot be reused, even
when in config file was DHCPv6 assignment based on MAC address (and not on
DUID).
IAID/DUID is changed when rebooting from one operating system to another;
or after reinstalling system. In reality it is normal that DUID of some
machine is changed, so people rather assign also IPv6 addresses based on
MAC address.
So assigning IPv6 based on MAC address in dnsmasq is currently semi-broken.
This patch tries to fix it and honors IPv6 config rules with MAC address,
to always assign particular IPv6 address to specific MAC address (when
configured). And ignores the fact if IAID/DUID was changed.
Normally IPv6 address should be assigned by IAID/DUID (which also state
DHCPv6 RFCs), but dnsmasq has already some support for assigning IPv6
address based on MAC address, when users configured in config file.
So this patch just tries to fix above problem for user configuration with
MAC addresses. It does not change assignment based on DUID.
---
src/rfc3315.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 47 insertions(+), 8 deletions(-)
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -48,7 +48,7 @@ static int build_ia(struct state *state,
static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz);
static void mark_context_used(struct state *state, struct in6_addr *addr);
static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr);
-static int check_address(struct state *state, struct in6_addr *addr);
+static int check_address(struct state *state, struct dhcp_config *config, struct in6_addr *addr);
static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now);
static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr);
static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option,
@@ -688,8 +688,13 @@ static int dhcp6_no_relay(struct state *
}
else if (!(c = address6_available(state->context, &req_addr, solicit_tags, plain_range)))
continue; /* not an address we're allowed */
- else if (!check_address(state, &req_addr))
+ else if (!check_address(state, config, &req_addr))
continue; /* address leased elsewhere */
+ else if (state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type) &&
+ match_netid(c->filter, solicit_tags, plain_range) &&
+ !config_implies(config, c, &req_addr))
+ continue; /* another static address is configured */
/* add address to output packet */
add_address(state, c, lease_time, ia_option, &min_time, &req_addr, now);
@@ -701,7 +706,10 @@ static int dhcp6_no_relay(struct state *
/* Suggest configured address(es) */
for (c = state->context; c; c = c->current)
- if (!(c->flags & CONTEXT_CONF_USED) &&
+ if ((!(c->flags & CONTEXT_CONF_USED) ||
+ (state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type)
+ )) &&
match_netid(c->filter, solicit_tags, plain_range) &&
config_valid(config, c, &addr, state, now))
{
@@ -725,6 +733,11 @@ static int dhcp6_no_relay(struct state *
req_addr = ltmp->addr6;
if ((c = address6_available(state->context, &req_addr, solicit_tags, plain_range)))
{
+ if (state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type) &&
+ match_netid(c->filter, solicit_tags, plain_range) &&
+ !config_implies(config, c, &req_addr))
+ continue; /* skip this lease because another static address is configured */
add_address(state, c, c->lease_time, NULL, &min_time, &req_addr, now);
mark_context_used(state, &req_addr);
get_context_tag(state, c);
@@ -859,7 +872,7 @@ static int dhcp6_no_relay(struct state *
put_opt6_string(_("address unavailable"));
end_opt6(o1);
}
- else if (!check_address(state, &req_addr))
+ else if (!check_address(state, config, &req_addr))
{
/* Address leased to another DUID/IAID */
o1 = new_opt6(OPTION6_STATUS_CODE);
@@ -989,6 +1002,16 @@ static int dhcp6_no_relay(struct state *
{
unsigned int lease_time;
+ /* check if another static address is preferred */
+ if (state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type) &&
+ !config_implies(config, this_context, &req_addr))
+ {
+ preferred_time = valid_time = 0;
+ message = _("deprecated");
+ }
+ else
+ {
get_context_tag(state, this_context);
if (config_implies(config, this_context, &req_addr) && have_config(config, CONFIG_TIME))
@@ -1014,6 +1037,7 @@ static int dhcp6_no_relay(struct state *
if (preferred_time == 0)
message = _("deprecated");
+ }
address_assigned = 1;
}
@@ -1070,11 +1094,22 @@ static int dhcp6_no_relay(struct state *
ia_option = opt6_find(opt6_next(ia_option, ia_end), ia_end, OPTION6_IAADDR, 24))
{
struct in6_addr req_addr;
+ struct dhcp_context *c;
+ int config_addr_ok = 1;
/* alignment */
memcpy(&req_addr, opt6_ptr(ia_option, 0), IN6ADDRSZ);
+
+ c = address6_valid(state->context, &req_addr, tagif, 1);
+
+ if (c && state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type) &&
+ !config_implies(config, c, &req_addr))
+ {
+ config_addr_ok = 0;
+ }
- if (!address6_valid(state->context, &req_addr, tagif, 1))
+ if (!c || !config_addr_ok)
{
o1 = new_opt6(OPTION6_STATUS_CODE);
put_opt6_short(DHCP6NOTONLINK);
@@ -1692,11 +1727,15 @@ static void mark_config_used(struct dhcp
context->flags |= CONTEXT_CONF_USED;
}
-/* make sure address not leased to another CLID/IAID */
-static int check_address(struct state *state, struct in6_addr *addr)
+/* check that ipv6 address belongs to config with same mac address as in state or ipv6 address is not leased to another CLID/IAID */
+static int check_address(struct state *state, struct dhcp_config *config, struct in6_addr *addr)
{
struct dhcp_lease *lease;
+ if (state->mac_len && config &&
+ config_has_mac(config, state->mac, state->mac_len, state->mac_type))
+ return 1;
+
if (!(lease = lease6_find_by_addr(addr, 128, 0)))
return 1;
@@ -1773,7 +1812,7 @@ static int config_valid(struct dhcp_conf
{
setaddr6part(addr, addrpart+i);
- if (check_address(state, addr))
+ if (check_address(state, config, addr))
return 1;
}
}


@ -11,12 +11,12 @@
u32 umbrella_asset;
--- a/src/option.c
+++ b/src/option.c
@@ -174,6 +174,7 @@ struct myoption {
#define LOPT_CMARK_ALST_EN 365
#define LOPT_CMARK_ALST 366
#define LOPT_QUIET_TFTP 367
+#define LOPT_MINTTL 368
@@ -181,6 +181,7 @@
#define LOPT_STRIP_MAC 372
#define LOPT_CONF_OPT 373
#define LOPT_CONF_SCRIPT 374
+#define LOPT_MINTTL 375
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -292,6 +293,7 @@ static const struct myoption opts[] =


@ -1,143 +0,0 @@
diff --git a/src/cache.c b/src/cache.c
index 8add610..c94132e 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -66,6 +66,7 @@ static const struct {
{ 52, "TLSA" },
{ 53, "SMIMEA" },
{ 55, "HIP" },
+ { 65, "HTTPS"},
{ 249, "TKEY" },
{ 250, "TSIG" },
{ 251, "IXFR" },
@@ -1805,6 +1806,20 @@ char *record_source(unsigned int index)
return "<unknown>";
}
+// patch: function returns integer 1 if query type is unknown.
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type)
+{
+ unsigned int i;
+ for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+ if (typestr[i].type == type)
+ {
+ return 0;
+ }
+ return 1;
+}
+// end of patch
+
char *querystr(char *desc, unsigned short type)
{
unsigned int i;
diff --git a/src/dns-protocol.h b/src/dns-protocol.h
index 496a4bb..ed0d64a 100644
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -71,6 +71,7 @@
#define T_NSEC 47
#define T_DNSKEY 48
#define T_NSEC3 50
+#define T_HTTPS 65
#define T_TKEY 249
#define T_TSIG 250
#define T_AXFR 252
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 8674823..d067741 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -275,7 +275,10 @@ struct event_desc {
#define OPT_UMBRELLA_DEVID 64
#define OPT_CMARK_ALST_EN 65
#define OPT_QUIET_TFTP 66
-#define OPT_LAST 67
+#define OPT_FILTER_AAAA 67
+#define OPT_FILTER_HTTPS 68
+#define OPT_FILTER_UNKNOWN 69
+#define OPT_LAST 70
#define OPTION_BITS (sizeof(unsigned int)*8)
#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -1247,6 +1250,10 @@ void cache_init(void);
void next_uid(struct crec *crecp);
void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg);
char *record_source(unsigned int index);
+// patch: function returns integer 1 if query type is unknown
+// known types are defined in cache.c:typestr:36.
+int is_query_type_unknown(unsigned short type);
+// end of patch
char *querystr(char *desc, unsigned short type);
int cache_find_non_terminal(char *name, time_t now);
struct crec *cache_find_by_addr(struct crec *crecp,
diff --git a/src/option.c b/src/option.c
index ffce9fc..3993c10 100644
--- a/src/option.c
+++ b/src/option.c
@@ -174,6 +174,9 @@ struct myoption {
#define LOPT_CMARK_ALST 366
#define LOPT_QUIET_TFTP 367
#define LOPT_MINTTL 368
+#define LOPT_FILTER_AAAA 369
+#define LOPT_FILTER_HTTPS 370
+#define LOPT_FILTER_UNKNOWN 371
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -353,6 +356,9 @@ static const struct myoption opts[] =
{ "log-debug", 0, 0, LOPT_LOG_DEBUG },
{ "umbrella", 2, 0, LOPT_UMBRELLA },
{ "quiet-tftp", 0, 0, LOPT_QUIET_TFTP },
+ { "filter-aaaa", 0, 0, LOPT_FILTER_AAAA },
+ { "filter-https", 0, 0, LOPT_FILTER_HTTPS },
+ { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN },
{ NULL, 0, 0, 0 }
};
@@ -539,6 +545,9 @@ static struct {
{ LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL },
{ LOPT_UMBRELLA, ARG_ONE, "[=<optspec>]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL },
{ LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL },
+ { LOPT_FILTER_AAAA, OPT_FILTER_AAAA, NULL, gettext_noop("Filter all AAAA requests."), NULL },
+ { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL },
+ { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL },
{ 0, 0, NULL, NULL, NULL }
};
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 6fc4f26..395634b 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1987,6 +1987,32 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
}
}
+ //patch to filter aaaa forwards
+ if (qtype == T_AAAA && option_bool(OPT_FILTER_AAAA) ){
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL);
+ break;
+ }
+ //end of patch
+ //patch to filter https/query type 65 forwards
+ if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL);
+ break;
+ }
+ //end of patch
+ //patch to filter all unknown query types
+ //known types are defined in cache.c:typestr:36.
+ if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) {
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL);
+ break;
+ }
+ //end of patch
+
if (!ans)
return 0; /* failed to answer a question */
}