From e2df1a2d9baf84d890e5e2d91a720891fb82ff89 Mon Sep 17 00:00:00 2001 From: Ross Shen Date: Sun, 20 Feb 2022 16:04:59 +0800 Subject: [PATCH] add dnsmasq-filter-aaaa+https+unknown.patch (#8909) 1. patch for dnsmasq-2.86 based on https://github.com/rozahp/dnsmasq 2. compatible with mini-ttl.patch --- .../services/dnsmasq/files/dnsmasq.init | 2 + ...11-dnsmasq-filter-aaaa+https+unknown.patch | 143 ++++++++++++++++++ .../patches/911-dnsmasq-filter-aaaa.patch | 68 --------- 3 files changed, 145 insertions(+), 68 deletions(-) create mode 100644 package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa+https+unknown.patch delete mode 100644 package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa.patch diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index c8274e70a..ebf5b5eab 100755 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -931,6 +931,8 @@ dnsmasq_start() append_bool "$cfg" scriptarp "--script-arp" append_bool "$cfg" filter_aaaa "--filter-aaaa" + append_bool "$cfg" filter_https "--filter-https" + append_bool "$cfg" filter_unknown "--filter-unknown" append_parm "$cfg" logfacility "--log-facility" diff --git a/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa+https+unknown.patch b/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa+https+unknown.patch new file mode 100644 index 000000000..ec082ec09 --- /dev/null +++ b/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa+https+unknown.patch 
@@ -0,0 +1,143 @@ +diff --git a/src/cache.c b/src/cache.c +index 8add610..c94132e 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -66,6 +66,7 @@ static const struct { + { 52, "TLSA" }, + { 53, "SMIMEA" }, + { 55, "HIP" }, ++ { 65, "HTTPS"}, + { 249, "TKEY" }, + { 250, "TSIG" }, + { 251, "IXFR" }, +@@ -1805,6 +1806,20 @@ char *record_source(unsigned int index) + return ""; + } + ++// patch: function returns integer 1 if query type is unknown. ++// known types are defined in cache.c:typestr:36. ++int is_query_type_unknown(unsigned short type) ++{ ++ unsigned int i; ++ for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++) ++ if (typestr[i].type == type) ++ { ++ return 0; ++ } ++ return 1; ++} ++// end of patch ++ + char *querystr(char *desc, unsigned short type) + { + unsigned int i; +diff --git a/src/dns-protocol.h b/src/dns-protocol.h +index 496a4bb..ed0d64a 100644 +--- a/src/dns-protocol.h ++++ b/src/dns-protocol.h +@@ -71,6 +71,7 @@ + #define T_NSEC 47 + #define T_DNSKEY 48 + #define T_NSEC3 50 ++#define T_HTTPS 65 + #define T_TKEY 249 + #define T_TSIG 250 + #define T_AXFR 252 +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 8674823..d067741 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -275,7 +275,10 @@ struct event_desc { + #define OPT_UMBRELLA_DEVID 64 + #define OPT_CMARK_ALST_EN 65 + #define OPT_QUIET_TFTP 66 +-#define OPT_LAST 67 ++#define OPT_FILTER_AAAA 67 ++#define OPT_FILTER_HTTPS 68 ++#define OPT_FILTER_UNKNOWN 69 ++#define OPT_LAST 70 + + #define OPTION_BITS (sizeof(unsigned int)*8) + #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) +@@ -1247,6 +1250,10 @@ void cache_init(void); + void next_uid(struct crec *crecp); + void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg); + char *record_source(unsigned int index); ++// patch: function returns integer 1 if query type is unknown ++// known types are defined in cache.c:typestr:36. 
++int is_query_type_unknown(unsigned short type); ++// end of patch + char *querystr(char *desc, unsigned short type); + int cache_find_non_terminal(char *name, time_t now); + struct crec *cache_find_by_addr(struct crec *crecp, +diff --git a/src/option.c b/src/option.c +index ffce9fc..3993c10 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -174,6 +174,9 @@ struct myoption { + #define LOPT_CMARK_ALST 366 + #define LOPT_QUIET_TFTP 367 + #define LOPT_MINTTL 368 ++#define LOPT_FILTER_AAAA 369 ++#define LOPT_FILTER_HTTPS 370 ++#define LOPT_FILTER_UNKNOWN 371 + + #ifdef HAVE_GETOPT_LONG + static const struct option opts[] = +@@ -353,6 +356,9 @@ static const struct myoption opts[] = + { "log-debug", 0, 0, LOPT_LOG_DEBUG }, + { "umbrella", 2, 0, LOPT_UMBRELLA }, + { "quiet-tftp", 0, 0, LOPT_QUIET_TFTP }, ++ { "filter-aaaa", 0, 0, LOPT_FILTER_AAAA }, ++ { "filter-https", 0, 0, LOPT_FILTER_HTTPS }, ++ { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN }, + { NULL, 0, 0, 0 } + }; + +@@ -539,6 +545,9 @@ static struct { + { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL }, + { LOPT_UMBRELLA, ARG_ONE, "[=]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL }, + { LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL }, ++ { LOPT_FILTER_AAAA, OPT_FILTER_AAAA, NULL, gettext_noop("Filter all AAAA requests."), NULL }, ++ { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL }, ++ { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL }, + { 0, 0, NULL, NULL, NULL } + }; + +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 6fc4f26..395634b 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1987,6 +1987,32 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, + } + } + ++ //patch to filter aaaa forwards ++ if 
(qtype == T_AAAA && option_bool(OPT_FILTER_AAAA) ){ ++ //return a null reply ++ ans = 1; ++ if (!dryrun) log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL); ++ break; ++ } ++ //end of patch ++ //patch to filter https/query type 65 forwards ++ if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){ ++ //return a null reply ++ ans = 1; ++ if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL); ++ break; ++ } ++ //end of patch ++ //patch to filter all unknown query types ++ //known types are defined in cache.c:typestr:36. ++ if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) { ++ //return a null reply ++ ans = 1; ++ if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL); ++ break; ++ } ++ //end of patch ++ + if (!ans) + return 0; /* failed to answer a question */ + } diff --git a/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa.patch b/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa.patch deleted file mode 100644 index 82ba913d9..000000000 --- a/package/network/services/dnsmasq/patches/911-dnsmasq-filter-aaaa.patch +++ /dev/null 
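Review bot: In the rfc1035.c hunk the HTTPS filter logs with `F_CONFIG | F_IPV4 | F_NEG` and passes `&addr`, although nothing in the hunk derives an address for a type-65 question, so the log line would print whatever `addr` last held (its state at that point comes from code outside the hunk); the unknown-type branch just below already passes `NULL` with no address-family flag, and the HTTPS branch should do the same: `if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL);`. The `is_query_type_unknown` helper in cache.c defines "known" as membership in the `typestr` display table, so adding a name there (as this patch does for 65/HTTPS) silently exempts that type from `--filter-unknown`; a comment on the helper should make the coupling explicit, e.g. `/* "known" means listed in typestr above; extending that table also narrows --filter-unknown. */`. The three filter blocks use `//` comments and `){` brace placement, whereas the surrounding dnsmasq code and the replaced 911 patch use `/* */` comments and GNU-style braces. answer_request() starts and ends outside the hunk.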
@@ -1,68 +0,0 @@ -From 966471712184cfb3b067f2ae8dad9d8e2a896cae Mon Sep 17 00:00:00 2001 -From: Bearice Ren -Date: Tue, 20 Sep 2016 11:52:08 +0800 -Subject: [PATCH] add filter-aaaa option - ---- - src/dnsmasq.h | 3 ++- - src/option.c | 3 +++ - src/rfc1035.c | 9 +++++++++ - 3 files changed, 14 insertions(+), 1 deletion(-) - ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -275,7 +275,8 @@ struct event_desc { - #define OPT_UMBRELLA_DEVID 64 - #define OPT_CMARK_ALST_EN 65 - #define OPT_QUIET_TFTP 66 --#define OPT_LAST 67 -+#define OPT_FILTER_AAAA 67 -+#define OPT_LAST 68 - - #define OPTION_BITS (sizeof(unsigned int)*8) - #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) ---- a/src/option.c -+++ b/src/option.c -@@ -175,6 +175,7 @@ struct myoption { - #define LOPT_CMARK_ALST 366 - #define LOPT_QUIET_TFTP 367 - #define LOPT_MINTTL 368 -+#define LOPT_FILTER_AAAA 369 - - #ifdef HAVE_GETOPT_LONG - static const struct option opts[] = -@@ -355,6 +356,7 @@ static const struct myoption opts[] = - { "log-debug", 0, 0, LOPT_LOG_DEBUG }, - { "umbrella", 2, 0, LOPT_UMBRELLA }, - { "quiet-tftp", 0, 0, LOPT_QUIET_TFTP }, -+ { "filter-aaaa", 0, 0, LOPT_FILTER_AAAA }, - { NULL, 0, 0, 0 } - }; - -@@ -542,6 +544,7 @@ static struct { - { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL }, - { LOPT_UMBRELLA, ARG_ONE, "[=]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL }, - { LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL }, -+ { LOPT_FILTER_AAAA, OPT_FILTER_AAAA, NULL, gettext_noop("Filter all AAAA requests."), NULL }, - { 0, 0, NULL, NULL, NULL } - }; - ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -2005,6 +2005,16 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - } - } - -+ /* patch to filter aaaa forwards */ -+ if (qtype == T_AAAA && option_bool(OPT_FILTER_AAAA)) -+ { -+ /* return a null reply */ -+ ans = 1; -+ 
if (!dryrun) -+ log_query(F_CONFIG | F_IPV6 | F_NEG, name, &addr, NULL); -+ break; -+ } -+ - if (!ans) - return 0; /* failed to answer a question */ - }