[Dnsmasq-discuss] [PATCH] Do not set resolv.conf to 127.0.0.1 if port=0

2017-04-01 Thread Floris Bos
dnsmasq's startup script seems to assume users always want to use
dnsmasq as a local DNS resolver, and tells resolvconf to put
"nameserver 127.0.0.1" in /etc/resolv.conf.
The problem with this is that if users just want to use dnsmasq
as a DHCP server, and put port=0 in /etc/dnsmasq.conf to disable
the DNS functionality, they end up with broken name resolving.

Put a basic check in the startup script that skips resolvconf
configuration if a line starting with port=0 is in /etc/dnsmasq.conf.
This doesn't cover all cases (e.g. configuration could also be in
a different file in /etc/dnsmasq.d), but is better than the current
situation.

Signed-off-by: Floris Bos 
---
 debian/init | 5 +
 1 file changed, 5 insertions(+)

diff --git a/debian/init b/debian/init
index 8c562de..46abdc4 100644
--- a/debian/init
+++ b/debian/init
@@ -154,6 +154,11 @@ start_resolvconf()
[ $interface = lo ] && return
done
 
+# Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+   if grep -qs '^port=0' /etc/dnsmasq.conf; then
+   return
+   fi
+
 if [ -x /sbin/resolvconf ] ; then
echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
fi
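
Review bot: the pattern in `grep -qs '^port=0' /etc/dnsmasq.conf` is not anchored at the end, so any value that merely begins with 0 (for example `port=053`) also matches and the resolvconf registration is skipped even though DNS is not disabled; a `port=0` line preceded by whitespace is missed in the other direction. Anchoring both ends, e.g. `grep -Eqs '^[[:space:]]*port=0[[:space:]]*(#.*)?$' /etc/dnsmasq.conf`, keeps the check to the exact setting the commit message describes.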
-- 
2.7.4


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] [PATCH] Add support for unique TFTP root per MAC

2017-04-01 Thread Floris Bos
It is currently only possible to let the TFTP server serve a different
folder depending on the client's IP address.
However it isn't always possible to predict what the client's
IP address will be, especially in situations in which we are not
responsible for handing them out (e.g. proxy dhcp setups).

Extend the current --tftp-unique-root parameter to support having a
separate folder per MAC address instead.

Signed-off-by: Floris Bos 
---
 man/dnsmasq.8 | 16 ++--
 src/dnsmasq.h |  5 +++--
 src/option.c  | 13 +++--
 src/tftp.c| 34 +-
 4 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 05f800c..787c104 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1814,12 +1814,16 @@ directory is only used for TFTP requests via that 
interface.
 .B --tftp-no-fail
 Do not abort startup if specified tftp root directories are inaccessible.
 .TP
-.B --tftp-unique-root
-Add the IP address of the TFTP client as a path component on the end
-of the TFTP-root (in standard dotted-quad format). Only valid if a
-tftp-root is set and the directory exists. For instance, if tftp-root is 
"/tftp" and client 
-1.2.3.4 requests file "myfile" then the effective path will be
-"/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
+.B --tftp-unique-root[=ip|mac]
+Add the IP or hardware address of the TFTP client as a path component on the 
end
+of the TFTP-root. Only valid if a tftp-root is set and the directory exists.
+Defaults to adding IP address (in standard dotted-quad format).
+For instance, if tftp-root is "/tftp" and client 1.2.3.4 requests file "myfile"
+then the effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists 
or /tftp/myfile otherwise.
+When "=mac" is specified it will append the MAC address instead, using 
lowercase zero padded digits
+separated by dashes, e.g.: 01-02-03-04-aa-bb
+Note that resolving MAC addresses is only possible if the client is in the 
local network or obtained
+a DHCP lease from us.
 .TP
 .B --tftp-secure
 Enable TFTP secure mode: without this, any file which is readable by
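
Review bot: the new "=mac" text does not say which path is used when the client's MAC address cannot be resolved or when the per-MAC directory does not exist. The IP example spells out its fallback ("or /tftp/myfile otherwise"), and the closing note admits that resolution can fail for clients outside the local network without a lease from us, so the MAC paragraph should state the fallback explicitly and give a full path example such as "/tftp/01-02-03-04-aa-bb/myfile" to match the IP one.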
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 40f249f..25e4ad9 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -211,7 +211,7 @@ struct event_desc {
 #define OPT_TFTP_SECURE26
 #define OPT_TFTP_NOBLOCK   27
 #define OPT_LOG_OPTS   28
-#define OPT_TFTP_APREF 29
+#define OPT_TFTP_APREF_IP  29
 #define OPT_NO_OVERRIDE30
 #define OPT_NO_REBIND  31
 #define OPT_ADD_MAC32
@@ -238,7 +238,8 @@ struct event_desc {
 #define OPT_SCRIPT_ARP 53
 #define OPT_MAC_B6454
 #define OPT_MAC_HEX55
-#define OPT_LAST   56
+#define OPT_TFTP_APREF_MAC 56
+#define OPT_LAST   57
 
 /* extra flags for my_syslog, we use a couple of facilities since they are 
known 
not to occupy the same bits as priorities, no matter how syslog.h is set 
up. */
diff --git a/src/option.c b/src/option.c
index 12350cb..00e1d44 100644
--- a/src/option.c
+++ b/src/option.c
@@ -243,7 +243,7 @@ static const struct myoption opts[] =
 { "enable-tftp", 2, 0, LOPT_TFTP },
 { "tftp-secure", 0, 0, LOPT_SECURE },
 { "tftp-no-fail", 0, 0, LOPT_TFTP_NO_FAIL },
-{ "tftp-unique-root", 0, 0, LOPT_APREF },
+{ "tftp-unique-root", 2, 0, LOPT_APREF },
 { "tftp-root", 1, 0, LOPT_PREFIX },
 { "tftp-max", 1, 0, LOPT_TFTP_MAX },
 { "tftp-mtu", 1, 0, LOPT_TFTP_MTU },
@@ -432,7 +432,7 @@ static struct {
   { LOPT_OVERRIDE, OPT_NO_OVERRIDE, NULL, gettext_noop("Do NOT reuse filename 
and server fields for extra DHCP options."), NULL },
   { LOPT_TFTP, ARG_DUP, "[=[,]]", gettext_noop("Enable integrated 
read-only TFTP server."), NULL },
   { LOPT_PREFIX, ARG_DUP, "[,]", gettext_noop("Export files by 
TFTP only from the specified subtree."), NULL },
-  { LOPT_APREF, OPT_TFTP_APREF, NULL, gettext_noop("Add client IP address to 
tftp-root."), NULL },
+  { LOPT_APREF, ARG_DUP, "[=ip|mac]", gettext_noop("Add client IP or hardware 
address to tftp-root."), NULL },
   { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to 
files owned by the user running dnsmasq."), NULL },
   { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate 
the service if TFTP directories are inaccessible."), NULL },
   { LOPT_TFTP_MAX, ARG_ONE, "", gettext_noop("Maximum number of 
concurrent TFTP transfers (defaults to %s)."), "#" },
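
Review bot: the replacement `LOPT_APREF` usage entry is declared `ARG_DUP`, which allows the option to be repeated, while "[=ip|mac]" reads as a choice between two modes. The `LOPT_TFTP_MAX` entry in the same table uses `ARG_ONE`; if only one mode is meant to be active at a time, `ARG_ONE` here would reject a configuration that gives both instead of silently accepting it.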
@@ -2720,6 +2720,15 @@ static int one_opt(int option, char *arg, char *errstr, 
char *gen_err, int comma
} 
   
   break;
+
+case LOPT_APREF: /* --tftp-unique-root */
+  if (!arg || strcasecmp(arg, "ip") == 0)
+set_option_bool(OPT_TFTP_APREF_IP);
+  else if (strcasecmp(arg, "mac") == 0)
+set_option_bool(OPT_TFTP_APREF_MAC);
+  else
+ret_err(gen_err);
+  break;
 #endif
  
 case LOPT_BRIDGE:   /* --bridge-interface */
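
Review bot: in the new `case LOPT_APREF:` each branch sets its own flag and never clears the other, so a configuration containing both `tftp-unique-root=ip` and `tftp-unique-root=mac` leaves `OPT_TFTP_APREF_IP` and `OPT_TFTP_APREF_MAC` set together, and which one wins is decided only where the flags are read. Either reject the second occurrence here or document the precedence. The case is also inserted directly above an `#endif` whose opening condition is not visible in this hunk; please confirm it is the TFTP conditional.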
diff --git 

Re: [Dnsmasq-discuss] About UEFI PXE booting in proxy mode

2017-04-01 Thread Steven Shiau
Hi Doug,

Thanks. Simon mentioned to me: This is complicated and horrible (to
implement the mechanism). Therefore, for the moment, there is no solution for
using "pxe-service" for both uEFI network booting and PXE in proxy mode,
I believe.

Steven


On 2017/04/01 12:39, Doug Brown wrote:
> Hi Steven,
>
> No -- because of grub's current inability to detect a proxy boot with
> UEFI, I don't think it's possible to get a proxy configuration to boot
> UEFI computers with grub, unless you play around with grub-mkstandalone
> to embed grub.cfg into grub.efi. I haven't had the time to play around
> with trying to make that configuration work.
>
> Doug
>
>
> On 3/31/2017 12:45 AM, Steven Shiau wrote:
>> Hi Doug,
>>
>> Thanks. However, what you mentioned is not in the proxy mode. Have you
>> successfully enabled the proxy (relay) mode, and does it work for uEFI
>> network booting?
>>
>> Thanks.
>>
>> Steven
>>
>>
>> On 3/30/2017 PM 12:13, Doug Brown wrote:
>>> Hi Steven,
>>>
>>> If I find some free time, I might try tracing through the code to figure
>>> out why dnsmasq is throwing out the DHCP packets on port 4011 in the EFI
>>> + PXE configuration without a proxy. In the meantime, here is the
>>> configuration that works for me with dhcp-boot (assuming my dnsmasq
>>> server's IP address is 192.168.1.1):
>>>
>>> port=0
>>> log-dhcp
>>> enable-tftp
>>> tftp-root=/tftpboot
>>> dhcp-no-override
>>> dhcp-vendorclass=BIOS,PXEClient:Arch:0
>>> dhcp-vendorclass=UEFI,PXEClient:Arch:7
>>> dhcp-vendorclass=UEFI64,PXEClient:Arch:9
>>> dhcp-boot=pxelinux.0,,192.168.1.1
>>> dhcp-boot=net:UEFI,shim.efi,,192.168.1.1
>>> dhcp-boot=net:UEFI64,shim.efi,,192.168.1.1
>>> dhcp-range=ens33,192.168.1.50,192.168.1.99,10h
>>>
>>> In this example, I'm using shim-signed (named as shim.efi) and
>>> grubnetx64.efi.signed (named as grubx64.efi) from Ubuntu, and it should
>>> properly boot a UEFI computer even if it has Secure Boot enabled. Shim
>>> downloads grubx64.efi, which then downloads grub.cfg.
>>>
>>> Hope this helps!
>>> Doug
>>>
>>>
>>> On 3/28/2017 11:46 PM, Steven Shiau wrote:
>>>> Hi Doug,
>>>>
>>>> Thanks for your explanation. Simon also emailed me after my post and
>>>> let me know where the problem is. The conclusion is that this issue seems
>>>> not to be easily fixed.
>>>> So the patch for grub will be applied after grub 2.02. Before that,
>>>> could you please show me the configuration file that you confirmed
>>>> works using the dhcp-boot strategy?
>>>> Thank you very much.
>>>>
>>>> Steven
>>>>
>>>>
>>>> On 3/27/2017 AM 11:29, Doug Brown wrote:
>>>>> Hi Simon and Steven,
>>>>>
>>>>> I just found this recent thread while I was Googling for the exact
>>>>> same problem (UEFI clients won't boot in PXE mode, but BIOS clients
>>>>> will) and there was never any conclusion reached. I'm running into
>>>>> the exact same problem, and I can provide a pcap dump, which I have
>>>>> attached to this message. After the initial DHCP exchange, it shows
>>>>> four DHCP packets on port 4011 sent from the client which seem to be
>>>>> ignored by dnsmasq. Here is the configuration I am using with dnsmasq
>>>>> 2.76, based on Steven's original third example:
>>>>>
>>>>> port=0
>>>>> log-dhcp
>>>>> dhcp-no-override
>>>>> enable-tftp
>>>>> tftp-root=/tftpboot
>>>>> dhcp-range=ens33,192.168.7.100,192.168.7.200,10h
>>>>> pxe-service=X86PC, "Boot BIOS PXE", pxelinux.0
>>>>> pxe-service=BC_EFI, "Boot UEFI BC", grubx64.efi
>>>>> pxe-service=X86-64_EFI, "Boot UEFI X86-64", grubx64.efi
>>>>>
>>>>> If I switch to using the dhcp-boot strategy, everything works great
>>>>> on both BIOS and UEFI. But the above configuration using PXE doesn't
>>>>> seem to work properly with UEFI clients for some reason, and it seems
>>>>> to be a dnsmasq issue. It does work fine with BIOS clients though.
>>>>>
>>>>> I think I can answer Steven's earlier question as to why proxy PXE
>>>>> (example config #4) doesn't work with UEFI. The problem in that case
>>>>> is not due to dnsmasq at all -- it's correctly sending grub to the
>>>>> client. The problem is that grub doesn't know how to detect that it
>>>>> was loaded from a DHCP proxy, so it won't know where to download
>>>>> grub.cfg. Shim, which you can use as a first stage bootloader to load
>>>>> grub if you need to support Secure Boot, has the exact same problem.
>>>>> It only knows how to look at the original DHCP ack's boot info. The
>>>>> UEFI environment provides info about the proxy offer, but grub and
>>>>> shim don't look at it. See the following thread where a patch was
>>>>> submitted for grub:
>>>>>
>>>>> https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00051.html
>>>>>
>>>>> I think it's probably possible to work around the proxy problem by
>>>>> using grub-mkstandalone to create a version of grub.efi that has an
>>>>> embedded intermediate grub.cfg that is coded to download the real
>>>>> grub.cfg from your server, as long as you don't need Secure Boot
>>>>> support.
>>>>>
>>>>> Either way, I still think