Package: dnsmasq Version: 2.87-1.1 Severity: minor Dear Maintainer,
I updated dnsmasq, and expectedly there are new commented-out default options in dnsmasq.conf. This is great, I'm happy to merge these into my config. What's much less great is the whitespace errors, new in this release. Naturally, the default apt/ucf "D" update action doesn't show that they're whitespace errors, so there are just a lot of identical lines in the diff. Most of them are in the comments, some aren't, and that's more worrying. I've attached a "clean" (i.e. removed all my customisation) diff piped through cat -A that shows the differences users will see (or, rather, not see) and have to decide upon. Please consider enforcing some sort of trim regimen if the upstream dnsmasq.confs are also damaged like this. Best, наб -- System Information: Debian Release: bookworm/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: x32 (x86_64) Foreign Architectures: amd64, i386 Kernel: Linux 5.19.0-1-amd64 (SMP w/2 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages dnsmasq depends on: ii dnsmasq-base [dnsmasq-base] 2.87-1.1 ii init-system-helpers 1.65.2 ii lsb-base 11.4 ii netbase 6.4 ii runit-helper 2.15.0 ii sysvinit-utils [lsb-base] 3.05-6 dnsmasq recommends no packages. Versions of packages dnsmasq suggests: pn resolvconf <none> -- Configuration Files: /etc/default/dnsmasq changed [not included] /etc/dnsmasq.conf changed [not included] -- no debconf information
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf.dpkg-new$
index bb4c8ed..2047630 100644$
--- a/etc/dnsmasq.conf$
+++ b/etc/dnsmasq.conf.dpkg-new$
@@ -27,8 +27,8 @@ bogus-priv$
$
# Replies which are not DNSSEC signed may be legitimate, because the domain$
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to$
-# check that an unsigned reply is OK, by finding a secure proof that a DS$
-# record somewhere between the root and the domain does not exist.$
+# check that an unsigned reply is OK, by finding a secure proof that a DS $
+# record somewhere between the root and the domain does not exist. $
# The cost of setting this is that even queries in unsigned domains will need$
# one or more extra DNS queries to verify.$
#dnssec-check-unsigned$
@@ -86,6 +85,16 @@ server=8.8.8.8$
# subdomains to the vpn and search ipsets:$
#ipset=/yahoo.com/google.com/vpn,search$
$
+# Add the IPs of all queries to yahoo.com, google.com, and their$
+# subdomains to netfilters sets, which is equivalent to$
+# 'nft add element ip test vpn { ... }; nft add element ip test search { ...
}'$
+#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search$
+$
+# Use netfilters sets for both IPv4 and IPv6:$
+# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6
addresses.$
+#nftset=/yahoo.com/4#ip#test#vpn4$
+#nftset=/yahoo.com/6#ip#test#vpn6$
+$
# You can control how dnsmasq talks to a server: this forces$
# queries to 10.1.2.3 to be routed via eth1$
# server=10.1.2.3@eth1$
@@ -155,7 +164,7 @@ domain=nabijaczleweli.xyz$
# a lease time. If you have more than one network, you will need to$
# repeat this for each network on which you want to supply DHCP$
# service.$
-#dhcp-range=192.168.1.2,192.168.1.254,24h$
+#dhcp-range=192.168.0.50,192.168.0.150,12h$
$
# This is an example of a DHCP range where the netmask is given. This$
# is needed for networks we reach the dnsmasq DHCP server via a relay$
@@ -184,11 +193,11 @@ domain=nabijaczleweli.xyz$
#dhcp-range=1234::2, 1234::500, 64, 12h$
$
# Do Router Advertisements, BUT NOT DHCP for this subnet.$
-#dhcp-range=1234::, ra-only$
+#dhcp-range=1234::, ra-only $
$
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and$
-# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack$
-# hosts. Use the DHCPv4 lease to derive the name, network segment and$
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack $
+# hosts. Use the DHCPv4 lease to derive the name, network segment and $
# MAC address and assume that the host will also have an$
# IPv6 address calculated using the SLAAC algorithm.$
#dhcp-range=1234::, ra-names$
@@ -211,9 +220,9 @@ domain=nabijaczleweli.xyz$
#dhcp-range=1234::, ra-stateless, ra-names$
$
# Do router advertisements for all subnets where we're doing DHCPv6$
-# Unless overridden by ra-stateless, ra-names, et al, the router$
+# Unless overridden by ra-stateless, ra-names, et al, the router $
# advertisements will have the M and O bits set, so that the clients$
-# get addresses and configuration from DHCPv6, and the A bit reset, so the$
+# get addresses and configuration from DHCPv6, and the A bit reset, so the $
# clients don't use SLAAC addresses.$
#enable-ra$
$
@@ -290,11 +295,11 @@ domain=nabijaczleweli.xyz$
# any machine with Ethernet address starting 11:22:33:$
#dhcp-host=11:22:33:*:*:*,set:red$
$
-# Give a fixed IPv6 address and name to client with$
+# Give a fixed IPv6 address and name to client with $
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2$
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.$
# Note also that the [] around the IPv6 address are obligatory.$
-#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]$
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] $
$
# Ignore any clients which are not specified in dhcp-host lines$
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".$
@@ -350,7 +355,7 @@ dhcp-option=option:router,192.168.1.1$
# Send DHCPv6 option. Note [] around IPv6 addresses.$
#dhcp-option=option6:dns-server,[1234::77],[1234::88]$
$
-# Send DHCPv6 option for namservers as the machine running$
+# Send DHCPv6 option for namservers as the machine running $
# dnsmasq and another.$
#dhcp-option=option6:dns-server,[::],[1234::88]$
$
@@ -555,7 +560,7 @@ dhcp-option=option:router,192.168.1.1$
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.$
# In this mode it will respond to a DHCPDISCOVER message including a Rapid
Commit$
# option with a DHCPACK including a Rapid Commit option and fully committed
address$
-# and configuration information. This must only be enabled if either the
server is$
+# and configuration information. This must only be enabled if either the
server is $
# the only server for the subnet, or multiple servers are present and they
each$
# commit a binding for all clients.$
#dhcp-rapid-commit$
signature.asc
Description: PGP signature
