Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package iodine for openSUSE:Factory checked 
in at 2026-03-04 21:02:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/iodine (Old)
 and      /work/SRC/openSUSE:Factory/.iodine.new.561 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "iodine"

Wed Mar  4 21:02:42 2026 rev:13 rq:1335832 version:0.8.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/iodine/iodine.changes    2023-10-24 
20:07:54.775555417 +0200
+++ /work/SRC/openSUSE:Factory/.iodine.new.561/iodine.changes   2026-03-04 
21:02:59.066895990 +0100
@@ -1,0 +2,19 @@
+Thu Feb 26 15:33:57 UTC 2026 - [email protected]
+
+- Updated to version 0.8.0:
+  * Patch from Ryan Welton that fixes compilation warning.
+  * README converted to markdown by Nicolas Braud-Santoni.
+  * Use pkg-config for systemd support flags.
+  * Add support for IPv6 in the server.
+    + Raw mode will be with same protocol as used for login.
+    + Traffic inside tunnel is still IPv4.
+  * Change external IP lookup to using myip.opendns.com via DNS.
+  * Add option to choose IPv4 listen address from external IP
+    lookup.
+  * Add server support for handling multiple domains via wildcard.
+- Add SELinux support.
+- Clean up documentation files.
+- Add 120.patch: Answer NXDOMAIN for _.xxx.yyy.top.domain,
+  (https://github.com/yarrick/iodine/pull/120.patch).
+
+-------------------------------------------------------------------

Old:
----
  iodine-0.7.0.tar.gz

New:
----
  120.patch
  iodine-0.8.0.tar.gz

----------(New B)----------
  New:- Clean up documentation files.
- Add 120.patch: Answer NXDOMAIN for _.xxx.yyy.top.domain,
  (https://github.com/yarrick/iodine/pull/120.patch).
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ iodine.spec ++++++
--- /var/tmp/diff_new_pack.Fz7G3w/_old  2026-03-04 21:02:59.826927405 +0100
+++ /var/tmp/diff_new_pack.Fz7G3w/_new  2026-03-04 21:02:59.830927570 +0100
@@ -1,8 +1,8 @@
 #
 # spec file for package iodine
 #
-# Copyright (c) 2023 SUSE LLC
-# Copyright (c) 2012 Malcolm J Lewis <[email protected]>
+# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2026 Malcolm J Lewis <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,11 +23,10 @@
 %endif
 
 Name:           iodine
-Version:        0.7.0
+Version:        0.8.0
 Release:        0
 Summary:        IPv4-through-DNS tunnel server and client
 License:        ISC
-Group:          Productivity/Networking/System
 URL:            http://code.kryo.se/iodine/
 Source0:        http://code.kryo.se/iodine/iodine-%{version}.tar.gz
 Source1:        iodine.service
@@ -35,10 +34,13 @@
 Source3:        iodined.service
 Source4:        sysconfig.iodined
 Source5:        system-user-iodined.conf
-#PATCH-FIX-OPENSUSE iodine-fix-makefile-prefix.patch [email protected] 
-- Modify default install prefix.
+##PATCH-FIX-OPENSUSE iodine-fix-makefile-prefix.patch 
[email protected] -- Modify default install prefix.
 Patch0:         iodine-fix-makefile-prefix.patch
+##PATCH-FIX-UPSTREAM 120.patch -- based on PR 120
+Patch1:         https://github.com/yarrick/iodine/pull/120.patch
 BuildRequires:  fdupes
 BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  pkgconfig(systemd)
 # iodine still uses ifconfig
 Requires:       net-tools-deprecated
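Review bot: `Patch1` references the pull-request URL `https://github.com/yarrick/iodine/pull/120.patch`, whose content changes whenever the PR branch gains or rewrites commits, so the URL does not pin the patch that was reviewed. The checked-in 120.patch carries commit 076ec9f77439ace72024e55e61e20884758f4296 in its From line; recording that id in the tag comment, e.g. `##PATCH-FIX-UPSTREAM 120.patch -- based on PR 120, commit 076ec9f77439ace72024e55e61e20884758f4296`, would let a later source check detect drift. Separately, `URL` and `Source0` in the previous hunk still use plain `http://`, and no signature or checksum verification appears in the visible hunks, so switching to https (if the upstream host serves it) would protect the tarball download.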
@@ -63,9 +65,7 @@
 
 %build
 make PREFIX="%{_prefix}"
-%if 0%{?suse_version} >= 1550
 %sysusers_generate_pre %{SOURCE5} iodine system-user-iodined.conf
-%endif
 
 %install
 make install PREFIX="%{buildroot}/%{_prefix}"
@@ -79,25 +79,20 @@
 install -m 0644 %{S:4} %{buildroot}%{_fillupdir}/
 # Copy common man page to avoid warning
 pushd %{buildroot}%{_mandir}/man8/
-cp %{name}.8 %{name}d.8
+ln -s %{name}.8 %{name}d.8
 popd
+## Remove as we install as %%doc
+rm -rf %{buildroot}%{_datadir}/doc/iodine
 # make chroot dir
 mkdir -p %{buildroot}/var/lib/iodined
 # make rc-link
 ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rciodine
 ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rciodined
-%if 0%{?suse_version} >= 1550
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/
-%endif
 
-%if 0%{?suse_version} >= 1550
 %pre -f iodine.pre
-%else
 
-%pre
-/usr/sbin/useradd -r -d /var/lib/iodined -s /bin/false -c "user for iodine dns 
tunnel" -g nobody iodined 2> /dev/null || :
-%endif
 %service_add_pre iodine.service iodined.service
 
 %post
@@ -112,7 +107,8 @@
 %service_del_postun iodine.service iodined.service
 
 %files
-%doc CHANGELOG README TODO
+%license LICENSE
+%doc CHANGELOG README.md
 %{_sbindir}/%{name}
 %{_sbindir}/%{name}d
 %{_fillupdir}/sysconfig.iodine
@@ -121,9 +117,7 @@
 %{_sbindir}/rciodined
 %{_unitdir}/iodine.service
 %{_unitdir}/iodined.service
-%if 0%{?suse_version} >= 1550
 %{_sysusersdir}/system-user-iodined.conf
-%endif
 %{_mandir}/man8/%{name}.8%{?ext_man}
 %{_mandir}/man8/%{name}d.8%{?ext_man}
 %attr(0700,iodined,nobody)/var/lib/iodined

++++++ 120.patch ++++++
>From 076ec9f77439ace72024e55e61e20884758f4296 Mon Sep 17 00:00:00 2001
From: Luiz Angelo Daros de Luca <[email protected]>
Date: Sun, 3 Aug 2025 02:22:19 -0300
Subject: [PATCH] Answer NXDOMAIN for _.xxx.yyy.top.domain

When a DNS query name is too long, it is split into multiple domain
components. However, recursive DNS servers that implement QNAME
minimization may query each subdomain individually without revealing the
full name.  As part of this behavior, they often send a preliminary
query for a hostname like "_" before attempting to resolve the full
name.  If this query is not handled correctly, it can lead to timeouts
and failed connections.  The most effective way to avoid this is to
respond with an NXDOMAIN for such queries.

Signed-off-by: Luiz Angelo Daros de Luca <[email protected]>
---
 src/dns.c     | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/dns.h     |  1 +
 src/iodined.c | 33 ++++++++++++++++++++++++++
 src/windows.h |  1 +
 4 files changed, 100 insertions(+)

diff --git a/src/dns.c b/src/dns.c
index 22d9ef42..9721f3e2 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -390,6 +390,71 @@ int dns_encode_a_response(char *buf, size_t buflen, struct 
query *q)
        return len;
 }
 
+int dns_encode_nxdomain(char *buf, size_t buflen, struct query *q, const char 
*zone)
+{
+       char rnamebuf[256];
+       char nsbuf[256];
+       HEADER *header;
+       char *soa_start;
+       char *p;
+
+       if (buflen < sizeof(HEADER))
+               return 0;
+
+       memset(buf, 0, buflen);
+       header = (HEADER*)buf;
+
+       header->id = htons(q->id);
+       header->qr = 1;         // response
+       header->opcode = 0;
+       header->aa = 1;         // authoritative
+       header->tc = 0;
+       header->rd = 0;
+       header->ra = 0;
+       header->rcode = 3;      // NXDOMAIN
+
+       header->qdcount = htons(1);
+       header->ancount = htons(0);
+       header->nscount = htons(1); // We'll include SOA
+       header->arcount = htons(0);
+
+       p = buf + sizeof(HEADER);
+
+       // Question section
+       putname(&p, buflen - (p - buf), q->name);
+       CHECKLEN(4);
+       putshort(&p, q->type);
+       putshort(&p, C_IN);
+
+       // Authority section (SOA)
+       CHECKLEN(10);
+       putname(&p, buflen - (p - buf), zone); // zone name (owner of SOA)
+       putshort(&p, T_SOA);
+       putshort(&p, C_IN);
+       putlong(&p, 60); // TTL
+
+       soa_start = p;
+       p += 2; // skip rdlength (to be filled later)
+
+       // Primary NS and responsible mailbox
+       snprintf(nsbuf, sizeof(nsbuf), "ns.%s", zone);
+       putname(&p, buflen - (p - buf), nsbuf);
+       snprintf(rnamebuf, sizeof(rnamebuf), "hostmaster.%s", zone);
+       putname(&p, buflen - (p - buf), rnamebuf);
+
+       // SOA fields: serial, refresh, retry, expire, minimum
+       putlong(&p, 1);         // serial
+       putlong(&p, 3600);      // refresh
+       putlong(&p, 1800);      // retry
+       putlong(&p, 604800);    // expire
+       putlong(&p, 60);        // minimum
+
+       int soalen = p - soa_start - 2;
+       putshort(&soa_start, soalen); // fill in rdlength
+
+       return p - buf;
+}
+
 #undef CHECKLEN
 
 unsigned short dns_get_id(char *packet, size_t packetlen)
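Review bot: Only the front of dns_encode_nxdomain's output is length-checked. `CHECKLEN(10)` runs before the zone name is written, so it does not guarantee room for the type, class, TTL and rdlength slot that follow the name, and the five `putlong` SOA fields are written with no check at all. This assumes `CHECKLEN(n)`, defined outside the hunk, returns 0 when fewer than n bytes remain. The only caller on this page passes a 64 KiB buffer, so this is not reachable as used, but the function accepts any `buflen`; moving `CHECKLEN(10);` to after the zone `putname` and adding `CHECKLEN(20);` before `putlong(&p, 1);` would close the gap. The return values of all four `putname` calls are discarded, so a name that fails to encode would presumably still produce a reply claiming one authority record; returning 0 on failure would be safer. `snprintf` into `nsbuf` and `rnamebuf` can also truncate silently for a long zone.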
diff --git a/src/dns.h b/src/dns.h
index 660f6105..aa179ab5 100644
--- a/src/dns.h
+++ b/src/dns.h
@@ -31,6 +31,7 @@ int dns_encode(char *, size_t, struct query *, qr_t, const 
char *, size_t);
 int dns_encode_ns_response(char *buf, size_t buflen, struct query *q,
                           char *topdomain);
 int dns_encode_a_response(char *buf, size_t buflen, struct query *q);
+int dns_encode_nxdomain(char *buf, size_t buflen, struct query *q, const char 
*zone);
 unsigned short dns_get_id(char *packet, size_t packetlen);
 int dns_decode(char *, size_t, struct query *, qr_t, char *, size_t);
 
diff --git a/src/iodined.c b/src/iodined.c
index f2d1dc56..6b6d1a48 100644
--- a/src/iodined.c
+++ b/src/iodined.c
@@ -1597,6 +1597,27 @@ handle_a_request(int dns_fd, struct query *q, int fakeip)
        }
 }
 
+static void
+handle_underscore_request(int dns_fd, struct query *q, const char *topdomain)
+{
+       char buf[64*1024];
+       int len;
+
+       len = dns_encode_nxdomain(buf, sizeof(buf), q, topdomain);
+       if (len < 1) {
+               warnx("dns_encode_nxdomain doesn't fit");
+               return;
+       }
+
+       if (debug >= 2) {
+               fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes 
NXDOMAIN reply\n",
+                       format_addr(&q->from, q->fromlen), q->type, q->name, 
len);
+       }
+       if (sendto(dns_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) 
<= 0) {
+               warn("nxdomain reply send error");
+       }
+}
+
 static void
 forward_query(int bind_fd, struct query *q)
 {
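Review bot: handle_underscore_request hands `topdomain` unchanged to dns_encode_nxdomain as the SOA zone, where it is also expanded into `ns.%s` and `hostmaster.%s`. The changelog for this update lists server support for multiple domains via wildcard, so if `topdomain` can hold a wildcard pattern (not visible on this page), the authority section would name the pattern rather than the zone the query fell under; this should be confirmed against the 0.8.0 sources before relying on the patch. The function also lacks a header comment; `/* Reply NXDOMAIN, with an SOA for topdomain, to the sender of q. */` would state what the body does.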
@@ -1719,6 +1740,18 @@ tunnel_dns(int tun_fd, int dns_fd, struct dnsfd 
*dns_fds, int bind_fd)
                        return 0;
                }
 
+               /* Handle A-type query for _.***.topdomain. It happens when
+                *
+                * https://datatracker.ietf.org/doc/html/rfc7816 (qname 
minimisation)
+                * 
https://github.com/isc-projects/bind9/commit/ae52c2117eba9fa0778125f4e10834d673ab811b
+                * */
+               if (q.type == T_A &&
+                   (q.name[0] == '_') &&
+                    q.name[1] == '.') {
+                       handle_underscore_request(dns_fd, &q, topdomain);
+                       return 0;
+               }
+
                switch (q.type) {
                case T_NULL:
                case T_PRIVATE:
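Review bot: The comment above the new check stops mid-sentence at "It happens when" and leaves only two links. Completing it from the commit message, e.g. `/* Answer NXDOMAIN to A queries for _.<labels>.topdomain, which resolvers doing QNAME minimisation send as probes. */`, would explain why the branch exists. Only `T_A` is matched, so a resolver that sends its minimised probe with another query type (RFC 7816 itself describes NS) would presumably still fall through to the `switch`; it is worth confirming that path answers promptly. As a style point, the parentheses around `(q.name[0] == '_')` and the extra indent on the `q.name[1]` line are inconsistent within the condition. tunnel_dns starts and ends outside this hunk, so where the check sits relative to the topdomain match is not visible here.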
diff --git a/src/windows.h b/src/windows.h
index 065c243f..d91126a3 100644
--- a/src/windows.h
+++ b/src/windows.h
@@ -40,6 +40,7 @@ typedef unsigned int in_addr_t;
 #define T_CNAME DNS_TYPE_CNAME
 #define T_MX DNS_TYPE_MX
 #define T_TXT DNS_TYPE_TXT
+#define T_SOA DNS_TYPE_SOA
 #define T_SRV DNS_TYPE_SRV
 
 #define C_IN 1

++++++ iodine-0.7.0.tar.gz -> iodine-0.8.0.tar.gz ++++++
++++ 7671 lines of diff (skipped)
