Re: [Dnsmasq-discuss] [PATCH] unittests

[Vladislav Grishenko]

Hi,

> https://github.com/themiron/dnsmasq
Thank you for asking, it's my private mirrored master branch and related
openssl fork (in separate branch).
Updated occasionally from release to release, so hardly can be ~official
mirror.

--
Best Regards, Vladislav Grishenko

> -Original Message-
> From: - Neustradamus - 
> Sent: Thursday, April 15, 2021 7:27 PM
> To: Petr Menšík ; dnsmasq-
> disc...@lists.thekelleys.org.uk
> Cc: webs...@sarvepalli.net; themiron...@gmail.com
> Subject: Re: [Dnsmasq-discuss] [PATCH] unittests
> Importance: High
> 
> Hello Simon, and all others,
> 
> Here, I see a fork of Dnsmasq on GitHub, thanks Petr :)
> 
> Can you look for https://github.com/dnsmasq organization and add the
> https://github.com/dnsmasq/dnsmasq after it?
> And remove the old https://github.com/simonkelley/dnsmasq-collab which is
a
> fork of https://github.com/sei-vsarvepalli/dnsmasq-collab.
> 
> The goal is to have a best development of Dnsmasq, and more contributors,
> improvements etc.
> It will be better to devs to fork directly the dnsmasq/dnsmasq.
> 
> If this repo is a real mirror (without changes), I can see with Vladislav
Grishenko
> (themiron) to transfer directly into dnsmasq organization.
> - https://github.com/themiron/dnsmasq
> 
> Thanks in advance.
> 
> Regards,
> 
> Neustradamus
> 
> 
> From: Dnsmasq-discuss  on
> behalf of Petr Menšík 
> Sent: Wednesday, April 14, 2021 19:35
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] [PATCH] unittests
> 
> Hi Simon and other dnsmasq friends,
> 
> after some struggling with Makefile support, I am sending my dnsmasq unit
> tests. It uses another directory with tests specific code. I moved some
common
> parts to Makefile.config, in order to be able to reuse them.
> Unit tests are under tests directory with own Makefile.
> 
> New target make check should work also from top directory. Some checks
> would work only from tests directory (make kyua). Current coverage is
rather
> poor, but I hope can be used as a building block to better tests.
> Especially option parsing tests are easy to write. Testing of sending and
> receiving packets seems to be difficult, it should be tested by different
kind of
> test IMHO.
> 
> First is attempt to refactor, the second is what evolved into more complex
set of
> tests.
> 
> Original separate commits are still available on github [1].
> 
> What do you think?
> 
> PS: sending this message again, because patch #2 were big enough to
require
> moderator's approval. Compressed it as a workaround.
> 
> Cheers,
> Petr
> 
> 1. https://github.com/InfrastructureServices/dnsmasq/tree/unittests
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

[Vladislav Grishenko]

Hi Simon,

> I committed a slightly more comprehensive clean up that fixes
> this.

Thank you, unfortunately it will not compile with 2.x and 3.0 nettle due no
version.h.
It was fixed in my original patch with bignum.h include at first place - for
indirect version, if available.

> This shouldn't be a problem, is both are not available, then the
signatures cannot
> be used.

No problem, may then NO_GOST compile time option please be available to turn
insecure GOST validation off when it's available in nettle?
Before nettle 3.6 there was no such support, so GOST validation was actually
not working.
I'm ok to specially disable it to keep original behavior.

> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.

Russian authority has draft since 2020 year for GOST R 34.11-2012 which will
(although de facto already is) officially deprecate GOST R 34.10-2001, not
standardized yet by IETF.
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5933-bis-03
Maybe it makes sense for the decision, and nettle has no GOST R 34.11-2012
support at the moment.

Thank you
--
Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss  On
> Behalf Of Simon Kelley
> Sent: Wednesday, April 14, 2021 3:44 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune
> GOST/ECDSA usage
> 
> On 10/04/2021 15:57, Vladislav Grishenko wrote:
> > Hello,
> >
> >
> >
> > Recent nettle version detection changes in dnsmasq 2.85 have brought
> > build regression with HAVE_CRYPTOHASH defined due no MIN_VERSION
> macro
> > is defined.
> 
> That's not good. I committed a slightly more comprehensive clean up that
fixes
> this.
> 
> I also built myself a script which test compiles with lots of different
compile-time
> options, to try and avoid this in the future. I counted 20 different
options, so all
> combinations at a million test combinations, and not practical. I do at
least
> check each one by itself, and interacting combinations.
> >
> > Also, DNSSEC GOST validation is not consistent in case only hash but
> > not signature functions are available.
> >
> 
> This shouldn't be a problem, is both are not available, then the
signatures cannot
> be used.
> 
> > Please refer patch set attached.
> >
> >
> >
> > As for disabling GOST, what if disable it by default?
> >
> > Current implemented GOST algos are obsolete, newer ones didn't pass
> > certification as DNSSEC algo, so.
> >
> >
> 
> 
> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.
> 
> 
> Simon.
> 
> 
> >
> > --
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> >
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discu
> > ss
> >
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

[Vladislav Grishenko]

Hello,

 

Recent nettle version detection changes in dnsmasq 2.85 have brought build
regression with HAVE_CRYPTOHASH defined due no MIN_VERSION macro is defined.

Also, DNSSEC GOST validation is not consistent in case only hash but not
signature functions are available.

Please refer patch set attached.

 

As for disabling GOST, what if disable it by default?

Current implemented GOST algos are obsolete, newer ones didn't pass
certification as DNSSEC algo, so.

 

--

Best Regards, Vladislav Grishenko

 



0001-Fix-HAVE_CRYPOHASH-build-and-tune-GOST-ECDSA-usage.patch
Description: Binary data


0002-Allow-to-disable-DNSSEC-GOST-algo-validation.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

[Vladislav Grishenko]

Hi Petr,

> Where is openssl version used anyway?
In https://asuswrt-merlin.net, embedded software for wireless routers

> Would it make sense to support multiple crypto libraries?
Taking into account existing official support of nettle and required support of 
system openssl (in asuswrt-merlin) - multilib support looks useful.
Current dnsmasq-openssl work is here https://github.com/themiron/dnsmasq

> Why is just nettle support inadequate?
Because of additional ram/flash footprint, libnettle is used only by dnsmasq 
among the rest of firmware packages.

> Our crypto team asked me, why is nettle used.
I believe nettle was picked due openssl licensing incompatibility while initial 
dnssec approach was done with openssl.
Another point is memory usage with openssl, allocations are dynamic so frequent 
allocations/frees are expected unlike mostly-static nettle.
Simon may give more light on this.

> It has no independent FIPS ceritification, so they would like to use 
> different library, like gnutls or openssl. Is that similar reason to yours?
My reasons are above, fortunately certification is not an issue for 3rd party 
project.
As for openssl license, 3.x version is compatible, and 1.x has no license issue 
if used as system library (as we have).
Ggnutls support implementation seems possible for me, almost like openssl, tho 
till this moment I was not really interested (we have no gnutls used in our 
project).

> I just did not think long about the name, CRYPTOHASH sound much better.
> Thanks!
Np

> 
> On 1/25/21 10:53 AM, Vladislav Grishenko wrote:
> > Hi,
> >
> >> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> >> because, why not? and applied. Looks like a sensible idea.
> >
> > Indeed, much better. Thank you
> >
> > --
> > Best Regards, Vladislav Grishenko
> >
> >> -Original Message-
> >> From: Dnsmasq-discuss
> >>  On Behalf Of Simon
> >> Kelley
> >> Sent: Monday, January 25, 2021 3:15 AM
> >> To: dnsmasq-discuss@lists.thekelleys.org.uk
> >> Subject: Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to
> >> HAVE_CRYPTOHASH
> >>
> >> On 24/01/2021 14:30, Vladislav Grishenko wrote:
> >>> Hi,
> >>>
> >>>
> >>>
> >>> Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash
> >> function
> >>> from nettle (only)" has introduced HAVE_NETTLEHASH option (thanks,
> > Petr!).
> >>> But, I think, there's no much sense to bind feature name to specific
> >>> cryptolib because this will require rename or introduce more similar
> >>> opts for some other cryptolib backend if/when it'll be available
> >>> (for example in my dnsmasq-openssl fork).
> >>>
> >>> If no objections, let's name it "cryptohash" early before 2.84 is out?
> >>> Sorry, have missed pre-2.83, but it has dns issues so unlikely be
> >>> widely deployed.
> >>>
> >>> Please refer patch attached.
> >>>
> >>>
> >>
> >> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> >> because, why not? and applied. Looks like a sensible idea.
> >>
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>>
> >>> --
> >>>
> >>> Best Regards, Vladislav Grishenko
> >>>
> >>>
> >>>
> >>>
> >>> ___
> >>> Dnsmasq-discuss mailing list
> >>> Dnsmasq-discuss@lists.thekelleys.org.uk
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>
> >>
> >> ___
> >> Dnsmasq-discuss mailing list
> >> Dnsmasq-discuss@lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> 
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

[Vladislav Grishenko]

Hi,

> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> because, why not? and applied. Looks like a sensible idea.

Indeed, much better. Thank you

--
Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss  On
> Behalf Of Simon Kelley
> Sent: Monday, January 25, 2021 3:15 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to
> HAVE_CRYPTOHASH
> 
> On 24/01/2021 14:30, Vladislav Grishenko wrote:
> > Hi,
> >
> >
> >
> > Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash
> function
> > from nettle (only)" has introduced HAVE_NETTLEHASH option (thanks,
Petr!).
> > But, I think, there's no much sense to bind feature name to specific
> > cryptolib because this will require rename or introduce more similar
> > opts for some other cryptolib backend if/when it'll be available (for
> > example in my dnsmasq-openssl fork).
> >
> > If no objections, let's name it "cryptohash" early before 2.84 is out?
> > Sorry, have missed pre-2.83, but it has dns issues so unlikely be
> > widely deployed.
> >
> > Please refer patch attached.
> >
> >
> 
> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> because, why not? and applied. Looks like a sensible idea.
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> >
> > --
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> >
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

[Vladislav Grishenko]

Hi,

 

Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash function from
nettle (only)" has introduced HAVE_NETTLEHASH option (thanks, Petr!).
But, I think, there's no much sense to bind feature name to specific
cryptolib because this will require rename or introduce more similar opts
for some other cryptolib backend if/when it'll be available (for example in
my dnsmasq-openssl fork).

If no objections, let's name it "cryptohash" early before 2.84 is out?
Sorry, have missed pre-2.83, but it has dns issues so unlikely be widely
deployed.

Please refer patch attached.

 

--

Best Regards, Vladislav Grishenko

 

>From d0a80d2ba18cb8d6bf3e93b66656ca5a9339df9f Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko 
Date: Sun, 24 Jan 2021 19:15:31 +0500
Subject: [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

There's no much sense to bind feature name to specific cryptolib
because this will require rename or introduce more similar opts
for some other cryptolib backend if/when it'll be available.
So, let's name it "cryptohash" early before 2.84 is out, 2.83
has dns issues so unlikely be widely deployed.
---
 Makefile |  4 ++--
 src/config.h | 10 +-
 src/crypto.c |  2 +-
 src/dnsmasq.h|  2 +-
 src/hash_questions.c |  2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/Makefile b/Makefile
index 7d2afd1..92bc811 100644
--- a/Makefile
+++ b/Makefile
@@ -63,9 +63,9 @@ ct_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper 
HAVE_CONNTRACK $(PKG_CON
 lua_cflags =`echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT 
$(PKG_CONFIG) --cflags lua5.2` 
 lua_libs =  `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT 
$(PKG_CONFIG) --libs lua5.2` 
 nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC 
$(PKG_CONFIG) --cflags 'nettle hogweed' \
-HAVE_NETTLEHASH 
$(PKG_CONFIG) --cflags nettle`
+HAVE_CRYPTOHASH 
$(PKG_CONFIG) --cflags nettle`
 nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC 
$(PKG_CONFIG) --libs 'nettle hogweed' \
-HAVE_NETTLEHASH 
$(PKG_CONFIG) --libs nettle`
+HAVE_CRYPTOHASH 
$(PKG_CONFIG) --libs nettle`
 gmp_libs =  `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP 
--copy -lgmp`
 sunos_libs =`if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket 
-lnsl -lposix4; fi`
 version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
diff --git a/src/config.h b/src/config.h
index e71a117..ba461b7 100644
--- a/src/config.h
+++ b/src/config.h
@@ -120,8 +120,8 @@ HAVE_AUTH
define this to include the facility to act as an authoritative DNS
server for one or more zones.
 
-HAVE_NETTLEHASH
-   include just hash function from nettle, but no DNSSEC.
+HAVE_CRYPTOHASH
+   include just hash function from crypto library, but no DNSSEC.
 
 HAVE_DNSSEC
include DNSSEC validator.
@@ -190,7 +190,7 @@ RESOLVFILE
 /* #define HAVE_IDN */
 /* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
-/* #define HAVE_NETTLEHASH */
+/* #define HAVE_CRYPTOHASH */
 /* #define HAVE_DNSSEC */
 
 
@@ -424,10 +424,10 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
-#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
+#if !defined(HAVE_CRYPTOHASH) && !defined(HAVE_DNSSEC)
 "no-"
 #endif
-"nettlehash "
+"cryptohash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif
diff --git a/src/crypto.c b/src/crypto.c
index 09525d2..5f4c390 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -27,7 +27,7 @@
 #endif
 #endif
 
-#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
 #include 
 #include 
 
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 360c226..e108359 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -157,7 +157,7 @@ extern int capget(cap_user_header_t header, cap_user_data_t 
data);
 #include 
 #endif
 
-#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
 #  include 
 #endif
 
diff --git a/src/hash_questions.c b/src/hash_questions.c
index 51d88c2..90fa9f8 100644
--- a/src/hash_questions.c
+++ b/src/hash_questions.c
@@ -28,7 +28,7 @@
 
 #include "dnsmasq.h"
 
-#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
 unsigned char *hash_questions(struct dns_header *header, size_t plen, char 
*name)
 {
   int q;
-- 
2.17.1

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Convert dnsmasq log timestamp to use timespec.

[Vladislav Grishenko]

Hi,

timespec_get() can be not available on all the supported platforms/libc*.
For glibc (since ~2.17) please refer
https://www.gnu.org/software/gnulib/manual/html_node/timespec_005fget.html
Using other functions may require linking with additional libs (rt for
example).
I'd suggest to reconsider the msec/nsec time source.

--
Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss  On
> Behalf Of Cody Carey
> Sent: Monday, October 12, 2020 2:12 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] [PATCH] Convert dnsmasq log timestamp to use
> timespec.
> 
> This patch converts log timestamps to an RFC3339 format and includes
> nanoseconds. This provides more complete timestamp information and
> granularity. This is particularly important when dealing with SIEM's and
other log
> analysis systems where less specific timestamps can cause out-of-order
issues,
> particularly where UDP is used.
> 
> From ffd56111d61021f709967caf3767fbda19785d20 Mon Sep 17 00:00:00 2001
> From: Cody Carey <17598826+codyaca...@users.noreply.github.com>
> Date: Sun, 11 Oct 2020 17:01:59 -0400
> Subject: [PATCH] Convert dnsmasq log timestamp to use timespec.
> 
> Signed-off-by: Cody Carey <17598826+codyaca...@users.noreply.github.com>
> ---
>  src/log.c | 12 +---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/src/log.c b/src/log.c
> index dbd6bd4..6e273aa 100644
> --- a/src/log.c
> +++ b/src/log.c
> @@ -278,7 +278,7 @@ void my_syslog(int priority, const char *format, ...)
{
>va_list ap;
>struct log_entry *entry;
> -  time_t time_now;
> +  struct timespec ts;
>char *p;
>size_t len;
>pid_t pid = getpid();
> @@ -364,14 +364,20 @@ void my_syslog(int priority, const char *format,
...)
>   tmp->next = entry;
> }
> 
> -  time(&time_now);
> +  timespec_get(&ts, TIME_UTC);
>p = entry->payload;
>if (!log_to_file)
> p += sprintf(p, "<%d>", priority | log_fac);
> 
>/* Omit timestamp for default daemontools situation */
>if (!log_stderr || !option_bool(OPT_NO_FORK))
> -   p += sprintf(p, "%.15s ", ctime(&time_now) + 4);
> +{
> +  char timestamp[100];
> +  char timezone[6];
> +  strftime(timestamp, sizeof timestamp, "%FT%T",
gmtime(&ts.tv_sec));
> +  strftime(timezone, sizeof timezone, "%z", gmtime(&ts.tv_sec));
> +  p += sprintf(p, "%s.%09ld%s ", timestamp, ts.tv_nsec,
timezone);
> +}
> 
>p += sprintf(p, "dnsmasq%s[%d]: ", func, (int)pid);
> 
> --
> 2.25.1
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Add DHCPv6 NTP server option handling

[Vladislav Grishenko]

Hi, Simon

There was discussion in the past regarding DHCPv6 NTP server option which needs 
special subclassing per RFC5908.
Patch adds support for unicast, multicast IPv6 address and for FQDN string, 
preserving possibly used (as suggested earlier) hex value.
Unfortunately it's still not fully free from limitations - only address list or 
only fqdn value list is possible, not mixed due current state option parsing & 
flagging.
Would be nice to have it in 2.81.

Hi Kevin,
FYI

Thank you and
Best Regards, Vladislav Grishenko



0001-Add-DHCPv6-ntp-server-56-option-handling.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Remove ECC-GOST (GOST R 34.10-2001) algorithm as this is set to status MUST NOT implement in RFC 8624

[Vladislav Grishenko]

Sorry, overlooked it (along with GOST R 34.11-94) must not be used for 
signing/delegation, but still may - for validation.
Please ignore previous mail.

Best Regards, Vladislav Grishenko

-Original Message-
From: Vladislav Grishenko  
Sent: Sunday, March 1, 2020 10:00 PM
To: 'Simon Kelley' ; 
dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Remove ECC-GOST (GOST R 34.10-2001) algorithm as this is set to status 
MUST NOT implement in RFC 8624

Hi Simon,

Thank you for the DSA update.
According https://tools.ietf.org/html/rfc8624 ECC-GOST must not be implemented 
too:

   ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R 34.10-2012
   in [RFC7091].  GOST R 34.10-2012 hasn't been standardized for use in
   DNSSEC.

Maybe worth to drop it too and save a couple of bytes?

Thank you and
Best Regards, Vladislav Grishenko




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Remove ECC-GOST (GOST R 34.10-2001) algorithm as this is set to status MUST NOT implement in RFC 8624

[Vladislav Grishenko]

Hi Simon,

Thank you for the DSA update.
According https://tools.ietf.org/html/rfc8624 ECC-GOST must not be
implemented too:

   ECC-GOST (GOST R 34.10-2001) has been superseded by GOST R 34.10-2012
   in [RFC7091].  GOST R 34.10-2012 hasn't been standardized for use in
   DNSSEC.

Maybe worth to drop it too and save a couple of bytes?

Thank you and
Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Remove DSA-NSEC3-SHA1 & DSA DNSSEC algorithm as this is set to status MUST NOT implement in RFC 8624

[Vladislav Grishenko]

Hi,

Have that since last year with possibility to reenable with HAVE_DNS build-time 
define:
https://github.com/themiron/dnsmasq/commit/5a1a8bc039561455677e825194f470219093aaf6.patch

Also, GOST is obsolete and GOST2012 is not standardized yet. This helps to turn 
it off by default:
https://github.com/themiron/dnsmasq/commit/a9ef96041fd0b594b662cbcb1a9b475844a4a5ab.patch

p.s Please ignore ctypto-openssl.c part, it's not part of official dnsmasq 
source.

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss  On 
Behalf Of Loganaden Velvindron
Sent: Monday, February 24, 2020 12:08 PM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] Remove DSA-NSEC3-SHA1 & DSA DNSSEC algorithm as this 
is set to status MUST NOT implement in RFC 8624

Google might mangle the patch. Feedback welcomed.

RFC 8624  Section 3.1 (https://www.rfc-editor.org/rfc/rfc8624.txt )says:

3  | DSA| MUST NOT| MUST NOT
6  | DSA-NSEC3-SHA1 | MUST NOT| MUST NOT




I've added them on this gh repo:
1) Remove DSA-NSEC3-SHA1 DNSSEC algorithm as this is set to status MUST NOT 
implement in RFC 8624:
https://raw.githubusercontent.com/cyberstormdotmu/dnsmasq_dnssec_patches/master/0001-Remove-DSA-NSEC3-SHA1-DNSSEC-algorithm-as-this-is-se.patch
2) Remove DSA DNSSEC algorithm as this is set to status MUST NOT implement in 
RFC 8624:
https://github.com/cyberstormdotmu/dnsmasq_dnssec_patches/blob/master/0002-Remove-DSA-DNSSEC-algorithm-as-this-is-set-to-status.patch

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

[Vladislav Grishenko]

Hi Tore,

Can you try to capture dns exchange to dnsmasq (on lo interface) and from it 
(on your nic interface) both at the same time?
$ tcpdump -i lo port 53 -w /path/to/dns-lo.pcap
$ tcpdump -i  port 53 -w /path/to/dns-ext.pcap
Highly possible that trigger query (or reply) can't be logged in usual way, but 
will be captured by tcpdump.
Next, I'd like to take a look at them, will there be something after/near the 
last logged query before spinning starts.

p.s. Caution, pcap files will contain all your dns traffic, sending it to mail 
list might be not a really good idea.

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss  On 
Behalf Of Tore Anderson
Sent: Thursday, November 28, 2019 12:38 PM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] CPU spinning bug, possibly related to SSHFP queries

Hello,

I've noticed that Dnsmasq on my system sometimes enters a defective state where 
it starts spinning on the CPU. When it has entered this state, I need to send 
it SIGKILL to get rid of it - SIGTERM is ignored.

The version is current Git master (2.80-93-g6ebdc95).

I've enabled query logging and grabbed the final log lines of a few incidents 
(slightly anonymised):

Example 1:

forwarded git.i.example.org to 192.168.33.1 reply git.i.example.org is  
reply git01-osl3.i.example.org is 10.22.3.196 reply git.i.example.org is 
 reply git01-osl3.i.example.org is 2001:db8:400:c:18:59ff:fe7a:73c4 
query[type=44] git.i.example.org from 127.0.0.1 (CPU spin begins)

Example 2:

query[A] s2-a8-osl3.n.example.org from 127.0.0.1 forwarded 
s2-a8-osl3.n.example.org to 192.168.33.1 query[] s2-a8-osl3.n.example.org 
from 127.0.0.1 forwarded s2-a8-osl3.n.example.org to 192.168.33.1 reply 
s2-a8-osl3.n.example.org is  reply lo.s2-a8-osl3.n.example.org is 
2001:db8:1::4:1 reply s2-a8-osl3.n.example.org is  reply 
lo.s2-a8-osl3.n.example.org is 192.168.63.11 query[type=44] 
s2-a8-osl3.n.example.org from 127.0.0.1 (CPU spin begins)

Example 3:

query[A] s1-a8-osl3.n.example.org from 127.0.0.1 forwarded 
s1-a8-osl3.n.example.org to 192.168.33.1 query[] s1-a8-osl3.n.example.org 
from 127.0.0.1 forwarded s1-a8-osl3.n.example.org to 192.168.33.1 reply 
s1-a8-osl3.n.example.org is  reply lo.s1-a8-osl3.n.example.org is 
192.168.63.10 reply s1-a8-osl3.n.example.org is  reply 
lo.s1-a8-osl3.n.example.org is 2001:db8:1::4:0 query[type=44] 
s1-a8-osl3.n.example.org from 127.0.0.1 (CPU spin begins)

All of them ends with an incoming query for SSHFP records (type 44), which I 
find highly suspect. The SSHFP requests comes from the SSH client (due to 
VerifyHostKeyDNS being set in my ~/.ssh/config).

None of the hostnames in question do have SSHFP records published, but that 
does not seem to matter, as the query does not seem to be forwarded upstream in 
the first place. When the bug does not occur, Dnsmasq does log that it forwards 
the query upstream, like so:

query[type=44] l1-a9-osl3.n.example.org from 127.0.0.1 forwarded 
l1-a9-osl3.n.example.org to 192.168.33.1

Dnsmasq is invoked from NetworkManager, using the following command line:

/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces 
--pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 
--cache-size=400 --clear-on-reload --conf-file=/dev/null --proxy-dnssec 
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq 
--conf-dir=/etc/NetworkManager/dnsmasq.d

Additional configuration in /etc/NetworkManager/dnsmasq.d/dnssec.conf:

dnssec
conf-file = /usr/share/dnsmasq/trust-anchors.conf
log-queries

Finally, my environment contains RES_OPTIONS=edns0 in case that is relevant 
(this is required for SSH's VerifyHostKeyDNS feature to work correctly).

I cannot reliably reproduce the issue. It seems to happen regularly (several 
times a day) during normal usage - I use the SSH client quite frequently.

I would be happy to provide additional debugging information, if given 
instructions on how to obtain it.'

Tore

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [BUG] RA are sent too fast and slows down the machine

[Vladislav Grishenko]

Hi, Petr,

Just worrying, isn't this bug a side effect of previous interface-related 
binding patch we're talking about?
If yes, since it's not in upstream, it can be quite tricky to reproduce it on 
vanilla sources.

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss  On 
Behalf Of Petr Mensik
Sent: Wednesday, August 28, 2019 12:11 PM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] [BUG] RA are sent too fast and slows down the 
machine

Hi Iain,

of course. I am sorry, forgot to add a link as intended[1]. Used base report 
from Network Manager tester report. I added it to Fedora bug mentioned, but 
forgot to add script itself. At least to me, it produces tens of RA announces.

Regards,
Petr

[1]
https://github.com/InfrastructureServices/dnsmasq-tests/blob/master/bz1739797.sh

On 8/27/19 10:45 AM, Iain Lane wrote:
> On Wed, Aug 21, 2019 at 08:59:07PM +0200, Petr Mensik wrote:
>> Hi Simon and Maarten,
>>
>> we discovered when playing with NetworkManager-ci [1], that lastest 
>> release is somehow broken. Test running dnsmasq are quite slow on 
>> latest release.
>>
>> I have created repeatable started script that reproduces it. Then 
>> used git bisect to find when it was broken. It seems fast sending 
>> were intentional in commit 0a496f059c1e9 [2], but maybe way it 
>> affects the system were underestimated. It is significant for systems 
>> that hit such issue. I think it has to be fixed to slow it down to 
>> short time interval, not endless loop. Reported as Fedora bug [3].
> 
> Thanks for this Petr. Would you be able to share the script you've 
> used, so that perhaps an upstream developer could recreate the bug?
> 
> Mainly I wanted to chime in and say that (in addition to the other 
> instance referenced), we found this in the NetworkManager testsuite in 
> Ubuntu. I didn't come up with a nice reproducer at the time, but we 
> did identify the same commit and we've reverted it in Ubuntu. I posted 
> on the ML back then but we didn't get much traction and I didn't 
> follow up very aggressively.
> 
>   
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q4/012709
> .html
> 
>   
> https://launchpadlibrarian.net/405377161/dnsmasq_2.80-1_2.80-1ubuntu1.diff.gz
>   (the commit ID referenced in the changelog there seems or from
>   somewhere else, it's the same patch)
> 
> Cheers,
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated interfaces.

[Vladislav Grishenko]

Hi Petr,

> Not tested this specific case, but I think it should be handled correctly, 
> unlike previous code. Because it now compares also interface index, it will 
> mark existing entry as found only if interface index also match. If it does 
> not, new entry is created with correct index instead.

Checked, unfortunately interface index comparison breaks the things.
If there's 2+ interface with same address on startup, no error is happen, 
single TCP and multiple UDP (unlike before) sockets are created, on any of such 
interface shutdown - thins single TCP socket is closed (unlike before), so 
there are noting listens on TCP:53 after that.
If there's only one interface on startup - single TCP&UDP sockets are created, 
on subsequent interface up with the same address - bind error raised and only 
UDP socket is created additionally (unlike before).

At the moment, dnsmasq logic expects single TCP/UDP socket per address even for 
multiple interfaces.
For example, comment in iface_allowed() states that:
/* check whether the interface IP has been added already
 * we call this routine multiple times */
So, I'm afraid, seems proposed changes does not play well with that.
How do you think, can it be solved too?
Reproduction this case is quite easy, just need to create dummy interface with 
same address (different netmask) and up/down it.

> Ok, I forgot to follow style on 3rd patch. Attached fixed formatting and 
> removed debug log on interface removal.

Thanks,  fyi sed -r 's/[ ]{8}/\t/' is missed too.

> I think that is better to state explicitly return value is not used.

I think that would be better to rip it off from functional patch, and let it be 
as separate full patch for all prettyprint_* instances not just for some 
selected.
At the other hand, with no __attribute__((warn_unused_result)) it will not 
generate warning anyway.

Best Regards, Vladislav Grishenko

-Original Message-
From: Petr Mensik  
Sent: Wednesday, July 10, 2019 3:01 PM
To: Vladislav Grishenko ; 
dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated 
interfaces.

Hi Vladislav

On 7/9/19 10:00 PM, Vladislav Grishenko wrote:
> Hi Petr,
> 
> Regarding 0002-Compare-address-and-interface-index-for-allowed-inte.patch, 
> does it support case with different valid interfaces with the same address?
> For example:
>   eth0 192.168.1.1/24
>   tun0 192.168.1.1./16 (created/destroyed dynamically)

Not tested this specific case, but I think it should be handled correctly, 
unlike previous code. Because it now compares also interface index, it will 
mark existing entry as found only if interface index also match. If it does 
not, new entry is created with correct index instead.
It should work, unlike previous code, it should keep both interface addresses 
stored separately.

If tun0 is often destroyed and recreated, number of interfaces records might 
grow. That is reason for patch #3, which removes dropped interfaces after 
creating new ones.
> 
> Regarding appearance, seems newly added code doesn’t fully follow dnsmasq 
> code style in several places:
> * indentation (should be ident ==2 spaces, 8 spaces == \t)
> * brackets on the same code lines
Ok, I forgot to follow style on 3rd patch. Attached fixed formatting and 
removed debug log on interface removal.
> * function args on the next line are not aligned with the first 
> argument
> * prettyprint_addr() result is forcibly ignored with (void) unlike 
> other places
I think that is better to state explicitly return value is not used.
> 
> Best Regards, Vladislav Grishenko
> 
> -Original Message-
> From: Dnsmasq-discuss 
>  On Behalf Of Petr 
> Mensik
> Sent: Tuesday, July 9, 2019 5:31 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated 
> interfaces.
> 
> Hello Simon and others,
> 
> we have discovered issues with TCP DNS query on dnsmasq, when running in 
> bind-dynamic or bind-interfaces mode. dnsmasq scans automatically new 
> interfaces or do that on new query in second case. However, because used 
> speedup comparing only IP adresses in iface_allowed function, it never gets 
> updated index of an interface.
> 
> In case where named interface is destroyed and created again, that drops TCP 
> queries on that interface. They are checked for incoming interface number. If 
> such number is not found in interfaces list, query is denied.
> 
> Luckily, there was a bug in checking, hiding this problem from usual 
> configuration. If IPv6 address is enabled on the new device, new iface entry 
> would be created, because scope_id of sockaddr_in6 does not match previous. 
> That makes even IPv4 queries succeed.
> 
> Bug on bugzilla [1] is par

Re: [Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated interfaces.

[Vladislav Grishenko]

Hi Petr,

Regarding 0002-Compare-address-and-interface-index-for-allowed-inte.patch, does 
it support case with different valid interfaces with the same address?
For example:
eth0 192.168.1.1/24
tun0 192.168.1.1./16 (created/destroyed dynamically)

Regarding appearance, seems newly added code doesn’t fully follow dnsmasq code 
style in several places:
* indentation (should be ident ==2 spaces, 8 spaces == \t)
* brackets on the same code lines
* function args on the next line are not aligned with the first argument
* prettyprint_addr() result is forcibly ignored with (void) unlike other places

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss  On 
Behalf Of Petr Mensik
Sent: Tuesday, July 9, 2019 5:31 PM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated 
interfaces.

Hello Simon and others,

we have discovered issues with TCP DNS query on dnsmasq, when running in 
bind-dynamic or bind-interfaces mode. dnsmasq scans automatically new 
interfaces or do that on new query in second case. However, because used 
speedup comparing only IP adresses in iface_allowed function, it never gets 
updated index of an interface.

In case where named interface is destroyed and created again, that drops TCP 
queries on that interface. They are checked for incoming interface number. If 
such number is not found in interfaces list, query is denied.

Luckily, there was a bug in checking, hiding this problem from usual 
configuration. If IPv6 address is enabled on the new device, new iface entry 
would be created, because scope_id of sockaddr_in6 does not match previous. 
That makes even IPv4 queries succeed.

Bug on bugzilla [1] is partly private.

I propose three changes. First is just helper to log what happens with 
listeners on bind-dynamic configuration.

Second is the most important. Create new interface every time index changes. 
Also test address family of incoming TCP query when checking allowed clients.

Third is cleanup of unused interfaces. On some virtual machines hosts, 
interfaces may often be created and destroyed. It might have negative effect on 
walking trough interfaces list. I think listeners should be garbage collected 
also on bind-interfaces configuration. But for now, release memory for unused 
interfaces at least for bind-dynamic.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1721668
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] nettle 3.5 breaks build of dnsmasq

[Vladislav Grishenko]

Hi Juergen,

Temporary workaround/patch is here
https://github.com/themiron/dnsmasq/commit/6fd9aba7abe1e084123bc5002959350897774ace

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss  On 
Behalf Of Juergen Daubert
Sent: Wednesday, June 26, 2019 4:57 PM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] nettle 3.5 breaks build of dnsmasq

Hi,

just discovered that new version 3.5 of nettle breaks building dnsmasq 2.80:

make COPTS=-DHAVE_DNSSEC

crypto.c: In function 'dnsmasq_ecdsa_verify':
crypto.c:297:36: error: 'nettle_secp_256r1' undeclared (first use in this 
function); did you mean 'nettle_get_secp_256r1'?
nettle_ecc_point_init(key_256, &nettle_secp_256r1);
^
nettle_get_secp_256r1
crypto.c:297:36: note: each undeclared identifier is reported only once for 
each function it appears in
crypto.c:310:36: error: 'nettle_secp_384r1' undeclared (first use in this 
function); did you mean 'nettle_get_secp_384r1'?
nettle_ecc_point_init(key_384, &nettle_secp_384r1);
^
nettle_get_secp_384r1
make[1]: *** [/tmp/dnsmasq-2.80/Makefile:161: crypto.o] Error 1


thanks
Juergen


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Problem with server=/local/127.0.0.1

[Vladislav Grishenko]

Hi Denis,

.local is reserved domain for mdns, therefore by default it's resolved
mdns multicast on the client, not via dns.
check nsswitch.conf, if you're on linux, maybe for windows host
there's something similar.
it's not recommended to use .local domains for internal services.

чт, 13 дек. 2018 г. в 10:27, Denis :
>
> Hello, everyone!
>
> In my dnsmasq.conf "server=/local/127.0.0.1" doesn't seem to work. At least, 
> it doesn't work how I thought it was supposed to work. I was under the 
> impression that server=/$domainname/$address should cause the $domainname to 
> be looked up only in $address. However, like I said, I have the line 
> "server=/local/127.0.0.1", dnsmasq --test returns "syntax check OK", but my 
> *.local names are not resolved.
>
> Here's the full content of my dnsmasq.conf:
>
> domain-needed
> bogus-priv
> strict-order
> server=/local/127.0.0.1
> local=/local/
> listen-address=127.0.0.1
> no-dhcp-interface=127.0.0.1
> expand-hosts
> domain=local
>
> Am I missing something, ir is this option not supposed to work like I think?
>
> --
> Respectfully,
> Denis Shadrin
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 

Best regards, Vladislav Grishenko

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] dhcpv6: fix unaligned access crash on aarch64

[Vladislav Grishenko]

Yep, it works as expected, thanks.
Unfortunately, struct copying is still there and need to keep in mind
that pointers must be aligned or absence of protection will crash it
again in any possible future.
Btw, alignment rule was applied to DECLINE, but seems missed in
DHCPRELEASE part, put_opt6(opt6_ptr(ia_option, 0)...) is still there
instead of put_opt6(&addr...).

Best Regards, Vladislav Grishenko
ср, 22 авг. 2018 г. в 2:11, Simon Kelley :
>
> Thanks for chasing that down. Your patch will fix it, but I think it's
> probably better to solve the problem at source, where we copy addresses
> out of packets, rather than pass unaligned pointers to struct in6_addr
> around and patch things up at the other end. That stops this coming and
> biting us again.
>
> That makes a much bigger patch, unfortunately.
>
> I just pushed my attempt at doing that. Does it work OK for you?
>
>
> Cheers,
> Simon.
>
> On 21/08/18 14:04, Vladislav Grishenko wrote:
> > Hi, Simon
> >
> >
> >
> > Faced with dnsmasq crash on aarch64 (32bit userspace,
> > arm-buildroot-linux-gnueabi-gcc 5.3.0) with dhcpv6 stateful configured.
> >
> > Unaligned packet’s req_addr is used in lease6_allocate() for struct copy
> > since 2.67test15 (commit 89500e31f199e9ae1eadc86213b911ff44d30d6f).
> >
> > As for other places, seems well-aligned stack-local vars are used.
> >
> > Please refer proposed patch attached and gdb trace:
> >
> >
> >
> > Program received signal SIGBUS, Bus error.
> >
> > 0x0003f990 in lease6_allocate (addrp=0xa55e6, lease_type=32) at lease.c:822
> >
> > 822   lease->addr6 = *addrp;
> >
> > (gdb) bt
> >
> > #0  0x0003f990 in lease6_allocate (addrp=0xa55e6, lease_type=32) at
> > lease.c:822
> >
> > #1  0x00055fac in update_leases (state=0xfffef8ac, context=0xa7ee8,
> > addr=0xa55e6, lease_time=900, now=14609) at rfc3315.c:1825
> >
> > #2  0x00055ab4 in add_address (state=0xfffef8ac, context=0xa7ee8,
> > lease_time=900, ia_option=0xa55e2, min_time=0xfffef6d0, addr=0xa55e6,
> > now=14609) at rfc3315.c:1684
> >
> > #3  0x00053764 in dhcp6_no_relay (state=0xfffef8ac, msg_type=3,
> > inbuff=0xa55a8, sz=128, is_unicast=0, now=14609) at rfc3315.c:938
> >
> > #4  0x00051744 in dhcp6_maybe_relay (state=0xfffef8ac, inbuff=0xa55a8,
> > sz=128, client_addr=0xfffef9a0, is_unicast=0, now=14609) at rfc3315.c:172
> >
> > #5  0x000513b8 in dhcp6_reply (context=0xa7ee8, interface=23,
> > iface_name=0xfffef978, fallback=0xfffef9f8, ll_addr=0xfffefa18,
> > ula_addr=0xfffefa28, sz=128, client_addr=0xfffef9a0,
> >
> > now=14609) at rfc3315.c:103
> >
> > #6  0x0004f4b4 in dhcp6_packet (now=14609) at dhcp6.c:233
> >
> > #7  0x00038c78 in main (argc=3, argv=0xfffefd34) at dnsmasq.c:1099
> >
> >
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> >
>


-- 

Best regards, Vladislav Grishenko

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] dhcpv6: fix unaligned access crash on aarch64

[Vladislav Grishenko]

Hi, Simon

 

Faced with dnsmasq crash on aarch64 (32bit userspace, 
arm-buildroot-linux-gnueabi-gcc 5.3.0) with dhcpv6 stateful configured.

Unaligned packet’s req_addr is used in lease6_allocate() for struct copy since 
2.67test15 (commit 89500e31f199e9ae1eadc86213b911ff44d30d6f).

As for other places, seems well-aligned stack-local vars are used.

Please refer proposed patch attached and gdb trace:

 

Program received signal SIGBUS, Bus error.

0x0003f990 in lease6_allocate (addrp=0xa55e6, lease_type=32) at lease.c:822

822   lease->addr6 = *addrp;

(gdb) bt

#0  0x0003f990 in lease6_allocate (addrp=0xa55e6, lease_type=32) at lease.c:822

#1  0x00055fac in update_leases (state=0xfffef8ac, context=0xa7ee8, 
addr=0xa55e6, lease_time=900, now=14609) at rfc3315.c:1825

#2  0x00055ab4 in add_address (state=0xfffef8ac, context=0xa7ee8, 
lease_time=900, ia_option=0xa55e2, min_time=0xfffef6d0, addr=0xa55e6, 
now=14609) at rfc3315.c:1684

#3  0x00053764 in dhcp6_no_relay (state=0xfffef8ac, msg_type=3, inbuff=0xa55a8, 
sz=128, is_unicast=0, now=14609) at rfc3315.c:938

#4  0x00051744 in dhcp6_maybe_relay (state=0xfffef8ac, inbuff=0xa55a8, sz=128, 
client_addr=0xfffef9a0, is_unicast=0, now=14609) at rfc3315.c:172

#5  0x000513b8 in dhcp6_reply (context=0xa7ee8, interface=23, 
iface_name=0xfffef978, fallback=0xfffef9f8, ll_addr=0xfffefa18, 
ula_addr=0xfffefa28, sz=128, client_addr=0xfffef9a0,

now=14609) at rfc3315.c:103

#6  0x0004f4b4 in dhcp6_packet (now=14609) at dhcp6.c:233

#7  0x00038c78 in main (argc=3, argv=0xfffefd34) at dnsmasq.c:1099

 

Best Regards, Vladislav Grishenko

 



0001-dhcpv6-fix-unaligned-access-crash-on-aarch64.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Support --server syntax in resolv-file

[Vladislav Grishenko]

Hi Kristian,

FYI, changing resolv.conf format could lead libc resolver to fail, so it's 
quite dangerous change.
As I understand, you want dynamic DNS servers update with additional info 
(interface/src ip binding).
With no DBUS, can't it be done with --servers-file option (available since 
2.69)?
This files allow full format of --server & --rev-server and are reread on 
SIGHUP, polling is not supported at the moment.

Best Regards, Vladislav Grishenko

-Original Message-
From: Dnsmasq-discuss [mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] 
On Behalf Of Kristian Evensen
Sent: Monday, April 10, 2017 1:35 PM
To: Simon Kelley 
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] [PATCH] Support --server syntax in resolv-file

Hi Simon,

On Fri, Apr 7, 2017 at 11:27 PM, Simon Kelley  wrote:
> The overriding objection to this is that it adds to the syntax and 
> semantics of the resolv-file format, but dnsmasq doesn't "own" that
> format: it's actually a libc configuration file, and dnsmasq takes 
> advantage of the fact that the format is "well known" to extract 
> useful information from it. If you start adding extra fields to 
> /etc/resolv.conf then the c-library will get upset.

I have been thinking some more about this. The reason for locking the support 
for server-strings in the resolv behind a command line option, was to avoid 
what you are describing here - compatibility issues with the existing 
resolv-file format. I assume that if anyone enables the option, they know what 
they are doing and what implications it might have. I should maybe have 
explained this better in either the commit or the addition to the man-page.

> I understand the desire to be able to specify resolvers dynamically 
> with the full set of source-address and routing options; that's 
> actually already available, and has been for a long time, using the 
> DBus interface to dnsmasq, which includes the "SetDomainServers" 
> method, which takes strings identical to argument to --server. I've 
> not looked at the code, but your previous patch to allow binding both 
> IP and interface should have automatically added that feature to 
> SetDomainServers. (if it didn't then I'd certainly take a patch to 
> correct that.)

I did a quick test and it seems that specifying servers (with the additional 
interface/ip-information) using the DBus-interface works fine. However, this 
does not help on systems not using DBus (like OpenWRT/LEDE). Do you have any 
suggestions for an acceptable way to implement this feature, without requiring 
the use DBus?

Thanks in advance for the help,
Kristian

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

[Vladislav Grishenko]

Hi Alec,

 

A bit disagree on that, at up-to-time Asus routers use hashed mac allocations, 
not sequential.

Older ones – did sequential allocation with reuse of expired IP from the very 
start (original udhcpd behavior), and in my practice, it rose issues when the 
same ip was allocated to different interfaces of one particular host, first 
time – as a first lease, second – after a hibernate/sleep. Same code was merged 
into udhcpd@busybox and was fixed into sdbm hash several years ago.

In my opinion, sequential reuse of ip pool does more harm than helps to keep 
the “things” in order.

Best Regards, Vladislav Grishenko

 

From: Dnsmasq-discuss [mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] 
On Behalf Of Alec Robertson
Sent: Sunday, December 25, 2016 4:14 AM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

 

I understand what you’re saying but I was suggesting this should be a feature 
enhancement. All the other routers I have used work the way I have described, 
be it NETGEAR, Asus, Huawei, etc.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

[Vladislav Grishenko]

Hi, all
Just FYI, common way to really control resolv.conf updates w/o races and even 
with sym&hardlinks is to kick dnsmasq with signal after resolv.conf update is 
fully finished in any way.This also triggers hosts/ether/etc reread and 
corresponding reconf.
Best Regards, Vladislav Grishenko

_
From: Albert ARIBAUD 
Sent: вторник, октября 25, 2016 2:51 ДП
Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour
To: John Knight 
Cc:  


Hi John,

Yes, you can submit patches to the list.

However, 2.55 is quite old with respect to the current release of
dnsmasq, which is 2.76 IIRC.

Amicalement,
Albert.

Le Mon, 24 Oct 2016 17:57:03 +
John Knight  a écrit:

> Hi Albert,
> 
> I have finished making my changes to dnsmasq 2.55 and I have a patch
> file.  However, I am not sure how to submit it... do I send it to the
> discussion list?
> 
> Thanks,
> 
> John Knight
> 
> 
> -Original Message-
> From: John Knight
> Sent: Wednesday, October 19, 2016 12:57 PM
> To: 'Albert ARIBAUD'
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: RE: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an
> hour
> 
> Hi Albert,
> 
> My comments inline.
> 
> John
> 
> > Hi All,  
> 
> > The main while(1) loop uses select() to determine if it has work to
> > do.  In most cases, it appears to use timeout of 0, which I believe
> > means just wait indefinitely for work on the file descriptors.
> > Other times, it appears that the timeout is set to a quarter second
> > when doing a tftp transfer or polling the dbus.
> >
> > Now what concerns me is that when a "retry later" condition occurs,
> > we may get stuck on the select() for a long period of time.  Alas,
> > I do not know how frequent one might expect to see work arrive on
> > the file descriptors that select is watching, so I don't really
> > know if this is a long time or not.  It seems though that in this
> > failure scenario, the poll_resolv() function does NOT get called
> > very often at all.  
> 
> Albert:  Actually, if dnsmasq does not receive any request from
> clients, it does not need to poll servers, so I would ask: does the
> select() include descriptors for client requests (either UDP
> datagrams received, or TCP connections opened)? If so, I think it
> will exit just when necessary and no tiemout is needed; otherwise,
> you are right that a timeout is required.
> 
> Albert: Also, it may be improbable that select() does not return for
> a whole hour; but then, is every return from select() followed by a
> resolv file poll, or can select() return and then be entered again
> without polling the resolv files? I am thinking, for instance, about
> cached answers which do not need servers if their TTL is long enough.
> 
> John: I have made a simple change that provides a one second timeout
> for select.  I have found that dnsmasq is much more responsive now to
> changes made to /etc/resolv.conf.  With code that calls poll_resolv,
> it rate limits the calls to once every two seconds, which I believe
> is fine and responsive enough.
> 
> John:  Given I am testing this in a lab situation and just me on the
> console and one idle PC connected to the router, there is little use
> of DNS.  In my experience since the initial failure, I believe I did
> see poll_resolv polled in one case at an interval of about 20
> minutes.  I don’t think this poll interval should be driven by how
> active the users are and how much they use dns; just my personal
> feeling about that.
> 
> John: It should be noted that if I had been doing a tftp transfer,
> the code would set the select timeout for 250ms.  I am not sure why
> the tftp transfer being active would warrant the much quicker
> timeout?  Anyhow, what I did was an else statement... if tftp
> transfer, set timeout to 250ms else set timeout to 1 second.
> 
> John: I don't know dnsmasq well enough to answer your other questions
> about select and what all of the file descriptors are associated
> with.  Perhaps someone more knowledgeable can chime in.  My change
> was made in response to the situation where a "retry later" situation
> was pending, and not getting poll_resolv was not getting polled again
> in a reasonable time period to do the retry.
> 
> John: I believe on our router, dhcp entries have an hour TTL and we
> do use dnsmasq for dhcp.  On an idle PC, would it have any reason to
> initiate a dnsmasq query?  Occasionally if the browser is up and
> running, I do see the browser query the address of its update server,
> but I haven't generally speaking had my browser running on the PC
> while doing my d

Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

[Vladislav Grishenko]

Hi Albert,

> The clock and the RTC are two different things.
Of course they are.
In my opinion, RTC in dnsmasq terms shouldn't be literally treated as it 
exactly is, but as main (original) reason leads to local time available to 
application is not equal to real time.
If platform has no RTC chip, NTP is the almost only time source, so time shifts 
are expeted.
If platform has RTC chip, but system clock source is inaccurate and NTP "fixes" 
it from time to time - time shifts are expeted.
If platform has RTC chip, but is has wrong value (battery failure/etc) - time 
shifts are expected.
All expected time shifts cases require HAVE_BROKEN_RTC to be define for normal 
flow.
There's nothing to fix here, because here nothing is broken.

> But timeouts can occur, TTLs can get past, etc. To treat those properly,
> dnsmasq needs to know how much time has flown while it was sleeping (if
> it ever does, of course).

It does (actually not due sleeping, more likely to timer granulation), can be 
easily checked in code.
Despite the fact that sleeping DHCP/DNS servers looks quite ridiculous, if 
dnsmasq code without HAVE_BROKEN_RTC has issue with time goes backward too 
much, it needs to be fixed.
Not with changing the clock source, because it'll just mask the problem, but 
with proper dealing with such kind of time values.
And, seems John have already found last_change variable wasn't static, didn’t 
check it by myself yet.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Albert ARIBAUD [mailto:albert.arib...@free.fr]
> Sent: Friday, October 14, 2016 7:04 PM
> To: Vladislav Grishenko 
> Cc: 'John Knight' ; dnsmasq-
> disc...@lists.thekelleys.org.uk; 'Simon Kelley' 
> Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour
> 
> Hi Vladislav,
> 
> Le Fri, 14 Oct 2016 11:52:33 +0500
> "Vladislav Grishenko"  a écrit:
> 
> > Hi, Albert,
> >
> > > 1. HAVE_BROKEN_RTC should be used for, well, broken RTCs. Here, we
> > > are not dealing with broken RTC.
> >
> > Root issue from original mail:
> > > One of which acknowledges potential problem if the clock goes
> > > backwards...
> > As for me it's indeed broken RTC behavior, not?
> 
> The clock and the RTC are two different things.
> 
> The RTC is what keeps time in between power-offs. It has backup power
> (frequently on PCs it is a CR20xx battery) and a slow autonomous clock
> source (typically a 32 kHz crystal). IT is not set or read frequently
> while the system is on, because it is usually slow to access.
> 
> So while it is on, the system keeps track of the time not through the
> RTC but through some internal clock reference which is easier and
> faster to read and set. It is this clock reference which gets read
> every time a process needs to known what time is "now", and it is what
> gets affected by NTP etc.
> 
> > > 2. The man mage for times() states that "a portable application
> > > would be wise to avoid using [the] value [returned by times()]. To
> > > measure changes in elapsed time, use clock_gettime(2) instead".
> >
> > Because start value of posix's times() return value may vary across
> > kernel versions & UNIX impl., combined with possibility of value
> > overflow the clock_t range. Since we don’t care neither about initial
> > boot value nor about sleep/suspended time (files can't be modified
> > when suspended, right?)
> 
> But timeouts can occur, TTLs can get past, etc. To treat those properly,
> dnsmasq needs to know how much time has flown while it was sleeping (if
> it ever does, of course).
> 
> > - the only possible issue is overflow. Since
> > times() not counting CPU ticks in sleep/supspended mode, suggestion
> > clock_gettime here is about using CLOCK_MONOTONIC which is almost the
> > same, but with no-overflow API.
> 
> Hm... I believe that's what my proposal amounts to on systems where
> CLOCK_BOOTTIME is not available.
> 
> > > - otherwise, if CLOCK_MONOTONIC is defined (it should always) and if
> > >   clock_gettime(CLOCK_MONOTONIC,...) succeeds at run time, use
> > > that;
> >
> > Even with defined CLOCK_MONOTONIC, the real presence of this clock
> > source can be retrieved from kernel in runtime only.
> 
> Indeed, hence my double test suggestion: one must test the existence
> of CLOCK_MONOTONIC and only call clock_gettime(CLOCK_MONOTONIC...)
> if
> it exists, and mone must test the return value of clock_gettime() in
> case dnsmasq runs on an older kernel/glic than it was compiled and
> built against.
> 
> > Yes, there're
> > old running kernels with no CLOCK_MONOTONIC, clock_gettime() returns
> > EINVAL. Same check is true for CLOCK_BOOTTIME.
> 
> Exact, hence my "returns success" conditional.
> 
> > Best Regards, Vladislav Grishenko
> 
> Amicalement,
> --
> Albert.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

[Vladislav Grishenko]

Hi, Albert,

> 1. HAVE_BROKEN_RTC should be used for, well, broken RTCs. Here, we are
> not dealing with broken RTC.

Root issue from original mail:
> One of which acknowledges potential problem if the clock goes backwards...
As for me it's indeed broken RTC behavior, not?

> 2. The man mage for times() states that "a portable application would be
>wise to avoid using [the] value [returned by times()]. To measure
>changes in elapsed time, use clock_gettime(2) instead".

Because start value of posix's times() return value may vary across kernel 
versions & UNIX impl., combined with possibility of value overflow the clock_t 
range.
Since we don’t care neither about initial boot value nor about sleep/suspended 
time (files can't be modified when suspended, right?) - the only possible issue 
is overflow.
Since times() not counting CPU ticks in sleep/supspended mode, suggestion 
clock_gettime here is about using CLOCK_MONOTONIC which is almost the same, but 
with no-overflow API.

> - otherwise, if CLOCK_MONOTONIC is defined (it should always) and if
>   clock_gettime(CLOCK_MONOTONIC,...) succeeds at run time, use that;

Even with defined CLOCK_MONOTONIC, the real presence of this clock source can 
be retrieved from kernel in runtime only.
Yes, there're old running kernels with no CLOCK_MONOTONIC, clock_gettime() 
returns EINVAL. Same check is true for CLOCK_BOOTTIME. 

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Albert ARIBAUD [mailto:albert.arib...@free.fr]
> Sent: Friday, October 14, 2016 2:40 AM
> To: Vladislav Grishenko 
> Cc: John Knight ; dnsmasq-
> disc...@lists.thekelleys.org.uk; Simon Kelley 
> Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour
> 
> Hi,
> 
> I think it is preferable not to use HAVE_BROKEN_RTC for at least two
> reasons, in increasing order of importance:
> 
> 1. HAVE_BROKEN_RTC should be used for, well, broken RTCs. Here, we are
> not dealing with broken RTC.
> 
> 2. The man mage for times() states that "a portable application would be
>wise to avoid using [the] value [returned by times()]. To measure
>changes in elapsed time, use clock_gettime(2) instead".
> 
> But you are right that CLOCK_BOOTTIME is Linux specific (I did mention that,
> in fact).
> 
> So my proposal would become:
> 
> - if CLOCK_BOOTTIME is defined as compile time, and if
>   clock_gettime(CLOCK_BOOTTIME,...) succeeds at run time, use that;
> 
> - otherwise, if CLOCK_MONOTONIC is defined (it should always) and if
>   clock_gettime(CLOCK_MONOTONIC,...) succeeds at run time, use that;
> 
> - otherwise, if CLOCK_REALTIME is defined (it should always) and if
>   clock_gettime(CLOCK_REALTIME,...) succeeds at run time, use that;
> 
> - otherwise, as a last resort, use times().
> 
> Amicalement,
> Albert.
> 
> Le Thu, 13 Oct 2016 20:15:15 + (UTC) Vladislav Grishenko
>  a écrit:
> 
> > Hi,
> > Why not just use existing HAVE_BROKEN_RTC?CLOCK_BOOTIME is
> > linux-specific, non-portable, absent in older (but still running)
> > kernels and logically is the same as CLOCK_MONOTONIC except counting
> > suspended/sleep time. In turn using CLOCK_MONOTONIC is already there
> > in times() form when HAVE_BROKEN_RTC is enabled.
> >
> > Best Regards, Vladislav Grishenko
> >
> > _
> > From: John Knight 
> > Sent: четверг, октября 13, 2016 11:00 ПП
> > Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an
> > hour To: Albert ARIBAUD 
> > Cc:  
> >
> >
> > Hi Albert,
> >
> > That sounds like a very good idea to use CLOCK_BOOTTIME. Good
> > suggestion.
> >
> > When I did a search for difftime in the source code... there are quite
> > a few calls... each one is a potential issue with respect to time
> > going backwards.  I only see one instance that actually considers the
> > case if time goes backwards and that is in dnsmasq.c where it does
> > difftime(now, daemon->last_resolv) and compares the
> > result to both > 1.0 and < -1.0.   So in general, I am somewhat
> > concerned about possible affects of changing time on dnsmasq.  We have
> > seen some issues in the past which we suspected were probably caused
> > by changing the time, so your suggested change could potentially fix
> > some other issues.
> >
> > Thanks!
> >
> > John
> >
> >
> >
> >
> > -Original Message-
> > From: Albert ARIBAUD [mailto:albert.arib...@free.fr]
> > Sent: Thursday, October 13, 2016 2:16 AM
> > To: John Knight
> > Cc: dnsmasq-discuss@lists.thekelleys.or

Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

[Vladislav Grishenko]

Hi,
Why not just use existing HAVE_BROKEN_RTC?CLOCK_BOOTIME is linux-specific, 
non-portable, absent in older (but still running) kernels and logically is the 
same as CLOCK_MONOTONIC except counting suspended/sleep time. In turn using 
CLOCK_MONOTONIC is already there in times() form when HAVE_BROKEN_RTC is 
enabled.

Best Regards, Vladislav Grishenko

_
From: John Knight 
Sent: четверг, октября 13, 2016 11:00 ПП
Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour
To: Albert ARIBAUD 
Cc:  


Hi Albert,

That sounds like a very good idea to use CLOCK_BOOTTIME. Good suggestion.

When I did a search for difftime in the source code... there are quite a few 
calls... each one is a potential issue with respect to time going backwards.  I 
only see one instance that actually considers the case if time goes backwards 
and that is in dnsmasq.c where it does difftime(now, daemon->last_resolv) and 
compares the result to both > 1.0 and < -1.0.   So in general, I am somewhat 
concerned about possible affects of changing time on dnsmasq.  We have seen 
some issues in the past which we suspected were probably caused by changing the 
time, so your suggested change could potentially fix some other issues.

Thanks!

John




-Original Message-
From: Albert ARIBAUD [mailto:albert.arib...@free.fr]
Sent: Thursday, October 13, 2016 2:16 AM
To: John Knight
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

Hi,

Just a generic comment: from what I can see, all absolute times in dnsmasq are 
returned bu dnsmasq_time() which calls either times() or time(). This, IIUC, 
corresponds to CLOCK_REALTIME in clock_gettime(), which is indeed affected when 
(re)setting the time.

Maybe a fix to time jump issues would be (in Linux at least) to replace
time() with clock_gettime(CLOCK_BOOTTIME,...) which seems to have been designed 
to get around discontinuities caused by settimeofday().

Note: maybe dates used for logging purposes should still use time() or
clock_gettime(CLOCK_REALTIME) in order to remain comparable to other logs in 
the same system -- or maybe not.

Sources: man times, man time, man clock_gettime.

HTH,

Amicalement,
Albert.

Le Wed, 12 Oct 2016 23:50:11 +
John Knight  a écrit:

> Hi,
>
> I think I may know what the issue is... it appears that the time may
> be changed by ntp in my failure scenario as suggested by the URLs
> referencing ntp in the dnsmasq.log file.  There are numerous
> references to difftime in dnsmasq code.  One of which acknowledges
> potential problem if the clock goes backwards... and is handled by
> comparing last_resolv >1.0 and < -1.0 to accommodate such a
> possibility.  However, in function poll_resolv(), the difftime() call
> checks for > 0.0, assuming the modification time of the file is
> greater than the last_change time.  If the time had changed on the
> router, then its possible that the modification time of the
> /etc/resolv.conf could be less than that of the last_change.  I think
> this needs to be a check for != 0.  If the time is changed negatively,
> then the existing code will not work properly me thinks.
> Its imperative that latest gets set in order for the reload_servers()
> code to run... and if the time is not right, then the
> reload_servers() won't get called.  This specific code (poll_resolv)
> hasn't changed, and if I am right, it is also broken in 2.76.
>
> What do you think?  I am going to make the change locally and re-test
> and see if I can make it fail again.  Unfortunately, it doesn't always
> fail, but I have reproduced it twice now, hopefully it will happen
> again if my fix is not right.
>
> Best Regards,
>
> John Knight
>
> __
> Confidential This e-mail and any files transmitted with it are the
> property of Belkin International, Inc. and/or its affiliates, are
> confidential, and are intended solely for the use of the individual or
> entity to whom this e-mail is addressed. If you are not one of the
> named recipients or otherwise have reason to believe that you have
> received this e-mail in error, please notify the sender and delete
> this message immediately from your computer. Any other use, retention,
> dissemination, forwarding, printing or copying of this e-mail is
> strictly prohibited. Pour la version fran?aise:
> http://www.belkin.com/email-notice/French.html F?r die deutsche
> ?bersetzung: http://www.belkin.com/email-notice/German.html
> __



Amicalement,
--
Albert.

__ Confidential 
This e-mail and any files transmitted with it are the property of Belkin 
Inte

Re: [Dnsmasq-discuss] fe80/10 link local dns forwarding

[Vladislav Grishenko]

Hi Kevin,

There's RFC 6303 for that, current status is best current practice.
As for dnsmasq implementation of that recommendations, it could depend on auth 
support, since it enables zone support.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Kevin Darbyshire-Bryant
> Sent: Monday, September 07, 2015 6:28 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] fe80/10 link local dns forwarding
> 
> Hi All,
> 
> After enabling dnsmasq's dns logging the other day I was a little surprised to
> see queries for fe80:: being forwarded to my ISP's resolvers.  I'd say that
> they're extremely unlikely to know anything about my link local stuff so as a
> solution I've added the following to my config:
> 
> server=/8.e.f.ip6.arpa/
> 
> What don't I understand here?  Awaiting education :-)
> 
> Kevin



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for local addresses when WAN down

[Vladislav Grishenko]

When wan is down, dns queries to router gets intercepted with help of iptables.
So, dnsmasq receives (and replies) nothing.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Justin Smith [mailto:jus...@smithpolglase.com]
> Sent: Monday, July 20, 2015 4:02 PM
> To: Vladislav Grishenko 
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for
> local addresses when WAN down
> 
> Thanks Vladislav. That solved my problem!
> 
> But I'm a little confused as to why... Isn't dnsmasq (running on the
> router) responsible for processing all DNS queries on the local network? Or is
> this a "modified" version of dnsmasq?
> 
> Thanks again.
> Justin.



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for local addresses when WAN down

[Vladislav Grishenko]

Hi Justin,

There's nothing wrong with dnsmasq.
Instead, when your wan in down, all dns queries from lan gets faked by
answering fake 10.0.0.1 address which is used for showing the router's wan
state and reason.
You could turn it off with "Enable WAN down browser redirect notice" under
Administration / System web ui page.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Justin Smith
> Sent: Sunday, July 19, 2015 2:20 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for local
> addresses when WAN down
> 
> Hi,
> 
> My home network uses an Asus RT-N66U running Merlin's firmware (ver
> 378.55). I have dnsmasq running on the router. My problem is that when the
> WAN interface goes down (as it does occasionally) dnsmasq no longer
> returns the correct IP address to DNS queries to local hosts.
> 
> For example (fake domain name):
> 
> WAN UP
> ===
> justin@juka:~$ nslookup myhost1
> Server: 127.0.1.1
> Address: 127.0.1.1#53
> 
> Name: myhost1
> Address: 192.168.30.3
> 
> WAN DOWN
> ==
> justin@juka:~$ nslookup myhost1
> Server: 127.0.1.1
> Address: 127.0.1.1#53
> 
> Name: myhost1.mydomain.com
> Address: 10.0.0.1
> 
> 
> My dnsmasq.conf looks something like this (personal data
> suppressed/changed):
> 
> bind-dynamic
> interface=br0
> no-negcache
> cache-size=1500
> domain-needed
> bogus-priv
> no-resolv
> no-poll
> server=aaa.bbb.ccc.ddd   # ISP DNS server IP address
> local=/mydomain.com/
> domain=mydomain.com
> dhcp-range=192.168.30.200,192.168.30.250,24h
> dhcp-host=f4:6d:04:da:3e:c4,myhost1,192.168.30.3
> dhcp-host=38:2c:4a:af:e4:53,myhost2,192.168.30.4
> ...
> dhcp-authoritative
> 
> 
> My resolv.conf on the router looks like:
> # cat /tmp/etc/resolv.conf
> nameserver 127.0.0.1
> 
> 
> Does anyone offer advice on how to correctly set up dnsmasq?
> 
> 
> Thanks,
> Justin.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4

[Vladislav Grishenko]

Hi Michal
Use netstat -g to display multicast group memberships

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Michal Zatloukal
> Sent: Friday, July 17, 2015 5:01 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4
> 
> I'm not sure what you mean - what exactly should I have in the
> configuration?
> Is there a way to check, if the correct multicast address is being bound
to?
> netstat -tupan doesn't show any multicast addresses.
> 
> MZ
> 
> On 16 July 2015 at 19:49, Simon Kelley  wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Dnsmasq needs to advertise the global address, I think. Receiving RAs
> > shouldn't be a problem, dnsmasq binds the correct multicast address.
> >
> > Cheers,
> >
> > Simon.
> >
> >
> > On 16/07/15 16:27, Michal Zatloukal wrote:
> >> Hi all,
> >>
> >> I'm using dnsmasq (2.68-1ubuntu0.1) on a machine where the need to
> >> run tftpd-hpa along with dnsmasq's own tftp server has arisen (both
> >> on just IPv4). I decided to use the "secondary IP address" feature in
> >> Linux networking system to bind tftpd-hpa to the secondary IP
> >> address, and set up dnsmasq to bind the following: - primary IPv4
> >> address - localhost IPv4 - For IPv6, I put in localhost, global and
> >> link-local addresses. IIUC, RA can't work in this config, since the
> >> destination on RS is multicast ff02::2 and therefore aren't delivered
> >> to any of the sockets opened by dnsmasq.
> >>
> >> Now, which IPv6 address do I enter so that IPv6 router announcements
> >> work correctly? (Is it even possible?) - adding
> >> ff02::2 doesn't work, dnsmasq reports error in syslog - cannot bind
> >> to this address. - replacing all IPv6 addresses with "::" allows
> >> dnsmasq to start and bind to wildcard IPv6, but it seems incoming RS
> >> packets are ignored - nothing appears in syslog when clients send
> >> solicitation. Is the filtering code in DSNmasq perhaps not expecting
> >> a wildcard address in the listen-address parameter and filters
> >> packets against it?
> >>
> >> Regards,
> >>
> >> MZ
> >>
> >> ___ Dnsmasq-
> discuss
> >> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1
> >
> >
> iQIcBAEBCAAGBQJVp+6bAAoJEBXN2mrhkTWitrYP/i/4dcuoEBWJohhXhjMS6lI
> 7
> >
> G9/jw80md0bSwzyddi8k+8+SM+oPqMBmnaqh9TWJ5pQT0j8rQsNd06ByJ85cf
> k4k
> >
> 2k5QKJoc1o6dfA/E6bJU9DtxMUqupBdQZdOo6c+b57nRRxwubXXmJe2qpDUF
> V1wQ
> >
> Z3INhtdVAHwNBAM1+amDGMrps1dmOv+cBKr81jpoX/ySvUL1j5nG2cMz+wi
> 4ux2Y
> >
> 0xf4RKsH2WqUOwVpVfmYMe/Mc5V2thdG6xpwdZ+qzMbrux/RWeNJ+4r/G7
> +mSS7l
> >
> TeAKtFkT5mrhxMIbrmC49a12WQtBZBpaAHUuSwkesGAytPelpuU5e3TwgvP0
> WCc8
> > QXoDGRm1YntM1dlu24TOPPz5jRk9L9qrJnzpXf1lyiojxpzsvRJa+Ei8uu2IWg4q
> >
> 75eVCs1wX4hLMmf9J7L759KpBrhqPoV2vu5J15vwsfXmP4bCIcDAuQOSLDiJjG
> XV
> >
> My3oeNw9Rws6qKCFYZX8YQ7SRtNDA7ssEM/aneJKTUMB7k6O3i41z2Y7DRP2
> m9uf
> >
> u5Yo3HUi9B+1G9fICNnicxZdAh5hLKilo4Fvswvn5dEMgo3LMkHiGUgHLebhsJW
> e
> >
> 68UwmvFmmZyStg1wd4qBJ4eUKIRpsvWgvaUA+Huv+nzfco2GOM8tZVPb2W
> Aq+XFj
> > Ct+n7zarBZQeIS0Ku/kJ
> > =Gn77
> > -END PGP SIGNATURE-
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

[Vladislav Grishenko]

> On the surface it looks like it's either pointless behavior on the server's 
> part or incorrect logic in the DHCP client. Am I missing something?

Yes, without overriding serverid to one from incoming request packet, the 
server’s nak could be pointless.

But with overriding, it’ll introduce the same naking issue even with clients 
which were checking server id and ignoring naks from non-selected servers.

 

Dnsmasq starts to nak request from selecting clients in 2.46, see the story here

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q4/002476.html

Point of busybox’s udhcpc changes is described here

https://bugs.busybox.net/show_bug.cgi?id=4267

 

As for ISC DHCP, it’s known client ignores NAK from non-selected servers in 
SELECTING state.

As for server, it allow run-time control over weither or not a server, 
participating in failover, verifies server id option.

This commit contains the old and new descriptions

https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=7116a34fc9b1fb307bcdca22e6963254289ecb80
 

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com] 
Sent: Monday, June 01, 2015 5:15 PM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

Let me rephrase it slightly. What is the point of dnsmasq NAKing client 
responses to other servers if the clients are being programmed to ignore the 
NAKs? 

 

On the surface it looks like it's either pointless behavior on the server's 
part or incorrect logic in the DHCP client. Am I missing something?

 

On Mon, Jun 1, 2015 at 2:58 AM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

Hi Kevin,

ы 

> why do DHCP servers like dnsmasq generate them in the first place?

Because it’s per dnsmasq configuration and the effects are well-described in 
the man. 

 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-K, --dhcp-authoritative

Should be set when dnsmasq is definitely the only DHCP server on a network. For 
DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP 
requests on unknown leases from unknown hosts are not ignored. This allows new 
hosts to get a lease without a tedious timeout under all circumstances. It also 
allows dnsmasq to rebuild its lease database without each client needing to 
reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in 
replies to 255 (the maximum) instead of 0 (the minimum).

 

you definitely have multiple dhcp servers, so this option is misused under your 
circumstances, not?

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com <mailto:blak...@gmail.com> ] 
Sent: Monday, June 01, 2015 2:02 PM


To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
<mailto:dnsmasq-discuss@lists.thekelleys.org.uk> 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

I understand, but that eliminates the whole 'correcting rouge dhcp offers' part 
of the authoritative mode. 

 

If we are teaching clients to ignore NAKs from other DHCP servers, why do DHCP 
servers like dnsmasq generate them in the first place? Wouldn't it be logically 
consistent to make a change to dnsmasq to prevent it from generating a NAK if 
the client is communicating with a different server?

 

Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It does 
seem like there is a lot of confusion around what authoritative servers should 
be doing.

 

On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

Hi Kevin,

Ignoring all naks – would be, but the fix is different.

That fix ignores all naks except from the selected/requested server only, it’s 
ok.

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com <mailto:blak...@gmail.com> ] 
Sent: Wednesday, May 27, 2015 9:32 AM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
<mailto:dnsmasq-discuss@lists.thekelleys.org.uk> 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

That fix is interesting. Doesn't ignoring a NAK sort of defeat the point of the 
'authoritative' NAKing in the first place?

 

On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

> On 02/02/2015 05:47 PM, Brian Haley wrote:
> >>
> >>> The one thing I'm curious about is if dnsmasq is restarted while a
> >>> VM holds a lease, how will it respond?  As someone else has
> >>> pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
> >>> case, and wondered why there would be a difference with dnsmasq.
> >>> Different interpretation of an RFC?
> >&

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

[Vladislav Grishenko]

Hi Kevin,

 

> why do DHCP servers like dnsmasq generate them in the first place?

Because it’s per dnsmasq configuration and the effects are well-described in 
the man. 

 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-K, --dhcp-authoritative

Should be set when dnsmasq is definitely the only DHCP server on a network. For 
DHCPv4, it changes the behaviour from strict RFC compliance so that DHCP 
requests on unknown leases from unknown hosts are not ignored. This allows new 
hosts to get a lease without a tedious timeout under all circumstances. It also 
allows dnsmasq to rebuild its lease database without each client needing to 
reacquire a lease, if the database is lost. For DHCPv6 it sets the priority in 
replies to 255 (the maximum) instead of 0 (the minimum).

 

you definitely have multiple dhcp servers, so this option is misused under your 
circumstances, not?

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com] 
Sent: Monday, June 01, 2015 2:02 PM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

I understand, but that eliminates the whole 'correcting rouge dhcp offers' part 
of the authoritative mode. 

 

If we are teaching clients to ignore NAKs from other DHCP servers, why do DHCP 
servers like dnsmasq generate them in the first place? Wouldn't it be logically 
consistent to make a change to dnsmasq to prevent it from generating a NAK if 
the client is communicating with a different server?

 

Is the client behavior regarding NAKs outlined in one of the DHCP RFCs? It does 
seem like there is a lot of confusion around what authoritative servers should 
be doing.

 

On Tue, May 26, 2015 at 10:40 PM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

Hi Kevin,

Ignoring all naks – would be, but the fix is different.

That fix ignores all naks except from the selected/requested server only, it’s 
ok.

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com <mailto:blak...@gmail.com> ] 
Sent: Wednesday, May 27, 2015 9:32 AM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk 
<mailto:dnsmasq-discuss@lists.thekelleys.org.uk> 
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

That fix is interesting. Doesn't ignoring a NAK sort of defeat the point of the 
'authoritative' NAKing in the first place?

 

On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

> On 02/02/2015 05:47 PM, Brian Haley wrote:
> >>
> >>> The one thing I'm curious about is if dnsmasq is restarted while a
> >>> VM holds a lease, how will it respond?  As someone else has
> >>> pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
> >>> case, and wondered why there would be a difference with dnsmasq.
> >>> Different interpretation of an RFC?
> >>
> >>
> >> If by "dnsmasq is restarted" you mean "dnsmasq is restarted and
> >> therefore has its lease database deleted", then the RFC says that if
> >> a server gets a renewal for an unknown lease, it should return
> >> DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
> >> set, when instead it quietly re-creates the lease.
> >
> > Yes, your assumption is correct, as --leasefile-ro is used it knows of
> > no current leases, and by default get a DHCPNAK.
> >
> >> dhcp-authoritative gives permission to dnsmasq to violate the RFC in
> >> a way which is useful in certain circumstances.
> >
> > Thanks, it does seem to do what I want with my initial testing.
>
> Hi Simon,
>
> Replying to my old thread since using --dhcp-authoritative seems to have
> introduced an issue where a DHCP client can get a NAK when using multiple
> dnsmasq servers on the same subnet (they both have the same host
> information, >1 running just to get HA).
>
> Short story is that both dnsmasq's return the same lease info, but when
the
> client ACKs (sending to broadcast), one agent ACKs and the other agent
> NAKs.
> The tcpdump shows this better than I'm describing:
>
> https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
>
> Does that seem like normal operation to you?  Does this second dnsmasq
> assume this response is from a rogue server and NAKs since it didn't send
out
> the offer?
>

Hi Brian,

Second dnsmasq assume the client request is to another server and responds
with NAK in authoritative mode.
The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
check server id for anything but offer p

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

[Vladislav Grishenko]

Hi Kevin,

Ignoring all naks – would be, but the fix is different.

That fix ignores all naks except from the selected/requested server only, it’s 
ok.

 

Best Regards, Vladislav Grishenko

 

From: Kevin Benton [mailto:blak...@gmail.com] 
Sent: Wednesday, May 27, 2015 9:32 AM
To: Vladislav Grishenko
Cc: Brian Haley; Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

 

That fix is interesting. Doesn't ignoring a NAK sort of defeat the point of the 
'authoritative' NAKing in the first place?

 

On Tue, May 26, 2015 at 2:26 PM, Vladislav Grishenko mailto:themi...@mail.ru> > wrote:

> On 02/02/2015 05:47 PM, Brian Haley wrote:
> >>
> >>> The one thing I'm curious about is if dnsmasq is restarted while a
> >>> VM holds a lease, how will it respond?  As someone else has
> >>> pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
> >>> case, and wondered why there would be a difference with dnsmasq.
> >>> Different interpretation of an RFC?
> >>
> >>
> >> If by "dnsmasq is restarted" you mean "dnsmasq is restarted and
> >> therefore has its lease database deleted", then the RFC says that if
> >> a server gets a renewal for an unknown lease, it should return
> >> DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
> >> set, when instead it quietly re-creates the lease.
> >
> > Yes, your assumption is correct, as --leasefile-ro is used it knows of
> > no current leases, and by default get a DHCPNAK.
> >
> >> dhcp-authoritative gives permission to dnsmasq to violate the RFC in
> >> a way which is useful in certain circumstances.
> >
> > Thanks, it does seem to do what I want with my initial testing.
>
> Hi Simon,
>
> Replying to my old thread since using --dhcp-authoritative seems to have
> introduced an issue where a DHCP client can get a NAK when using multiple
> dnsmasq servers on the same subnet (they both have the same host
> information, >1 running just to get HA).
>
> Short story is that both dnsmasq's return the same lease info, but when
the
> client ACKs (sending to broadcast), one agent ACKs and the other agent
> NAKs.
> The tcpdump shows this better than I'm describing:
>
> https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
>
> Does that seem like normal operation to you?  Does this second dnsmasq
> assume this response is from a rogue server and NAKs since it didn't send
out
> the offer?
>

Hi Brian,

Second dnsmasq assume the client request is to another server and responds
with NAK in authoritative mode.
The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
check server id for anything but offer packet.
Bug is already fixed in bb 1.23.x, see commit
http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52 
<http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52e588c0>
 
e588c0

Best Regards, Vladislav Grishenko




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk 
<mailto:Dnsmasq-discuss@lists.thekelleys.org.uk> 
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss





 

-- 

Kevin Benton

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query about solving a DHCPNAK issue

[Vladislav Grishenko]

> On 02/02/2015 05:47 PM, Brian Haley wrote:
> >>
> >>> The one thing I'm curious about is if dnsmasq is restarted while a
> >>> VM holds a lease, how will it respond?  As someone else has
> >>> pointed-out to me - isc-dhcp will respond with a DHCPNAK in that
> >>> case, and wondered why there would be a difference with dnsmasq.
> >>> Different interpretation of an RFC?
> >>
> >>
> >> If by "dnsmasq is restarted" you mean "dnsmasq is restarted and
> >> therefore has its lease database deleted", then the RFC says that if
> >> a server gets a renewal for an unknown lease, it should return
> >> DHCPNAK. That's what dnsmasq does _unless_ --dhcp-authoritative is
> >> set, when instead it quietly re-creates the lease.
> >
> > Yes, your assumption is correct, as --leasefile-ro is used it knows of
> > no current leases, and by default get a DHCPNAK.
> >
> >> dhcp-authoritative gives permission to dnsmasq to violate the RFC in
> >> a way which is useful in certain circumstances.
> >
> > Thanks, it does seem to do what I want with my initial testing.
> 
> Hi Simon,
> 
> Replying to my old thread since using --dhcp-authoritative seems to have
> introduced an issue where a DHCP client can get a NAK when using multiple
> dnsmasq servers on the same subnet (they both have the same host
> information, >1 running just to get HA).
> 
> Short story is that both dnsmasq's return the same lease info, but when
the
> client ACKs (sending to broadcast), one agent ACKs and the other agent
> NAKs.
> The tcpdump shows this better than I'm describing:
> 
> https://launchpadlibrarian.net/207180476/dhcp_neutron_bug.html
> 
> Does that seem like normal operation to you?  Does this second dnsmasq
> assume this response is from a rogue server and NAKs since it didn't send
out
> the offer?
> 

Hi Brian,

Second dnsmasq assume the client request is to another server and responds
with NAK in authoritative mode.
The root of loop issue is in that busybox 1.20.x udhcpc client, it doesn't
check server id for anything but offer packet.
Bug is already fixed in bb 1.23.x, see commit 
http://git.busybox.net/busybox/commit/?id=e2318bbad786d6f9ebff704490246bfe52
e588c0

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Mirror the git repository to github.com

[Vladislav Grishenko]

Hi Simon,
There's a number of dnsmasq forks on github, so imho, it would be good to
have official mirror there to base against.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Wednesday, May 13, 2015 4:38 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Mirror the git repository to github.com
> 
> On 11/05/15 17:51, Thiago Farina wrote:
> > On Sat, May 9, 2015 at 5:38 PM, Karl-Philipp Richter
> >  wrote:
> >> Hi,
> >> Mirroring the git repository git://thekelleys.org.uk/dnsmasq.git to
> >> github.com would facilitate contributions by providing the pull
> >> request feature.
> >>
> > Is Simon fine with pull requests?
> >
> 
> I like to be sent a patch. If a mirror at github makes it easier for
people to
> generate a patch, then I'm happy to do it, or have someone else set it up.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6 addresses when M flag is off

[Vladislav Grishenko]

Simon, thanks
As for reasons, I guess, Steven thought it departs from ordinal meaning of
RFC and prevents his odhcp6c to work normally.

p.s in my previous mail was a typo, RFC 2119, of course, not 2219. sorry

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Monday, April 20, 2015 1:21 AM
> To: Vladislav Grishenko; 'Win King Wan'
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6
addresses
> when M flag is off
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> My feeling is that this is a better solution, and I'm inclined to apply
the patch.
> Does anyone know what caused openWRT to revert the patc h?
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 17/04/15 12:51, Vladislav Grishenko wrote:
> > Hi,
> >
> > Per RFC 3315 17.2.1 the server MAY discard the Solicit message, but
> > per 17.2.2, if the server will not assign any addresses to any IAs in
> > a subsequent Request from the client, the server MUST send an
> > Advertise message to client. Also, per RFC 2219 MAY is truly optional
> > item, and MUST be prepared to interoperate with another inverse option
> > existence implementation. So, interpreting that dnsmasq may not
> > respond at all in stateless mode into RFC 3315
> > 17.2.1 seems a bit farfetched.
> >
> > In real world, absence of Advertise message with NoAddrsAvail Status
> > Code may lead to client misbehavior and prevent it from fallback to
> > DHCPv6 Stateless mode, because RFC 3315 doesn't state any non-zero MRC
> > & MRD non-zero values by default for Solicit messages transmission.
> > Example of such client is https://github.com/sbyx/odhcp6c Also,
> > openwrt has already reverted this change, refer
> >
> https://dev.openwrt.org/browser/trunk/package/network/services/dnsmas
> q
> /patch
> >
> >
> es/200-fix-dhcpv6-solicit-handling.patch
> >
> > Since the original issue was in log flooding, log error only for
> > non-stateless contexts and threat it as false-positive error if it's
> > expected due the configuration. Please refer patch attached.
> >
> > Best Regards, Vladislav Grishenko
> >
> >> -Original Message- From: Dnsmasq-discuss
> >> [mailto:dnsmasq-discuss- boun...@lists.thekelleys.org.uk] On Behalf
> >> Of Simon Kelley Sent: Thursday, January 22, 2015 2:02 AM
> >> To: dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re:
> >> [Dnsmasq-discuss] Don't reply to requests for DHCPv6
> > addresses
> >> when M flag is off
> >>
> > My first reaction to this was to apply it, but then I went and looked
> > at RFC3315, and found this:
> >
> > If the server will not assign any addresses to any IAs in a subsequent
> > Request from the client, the server MUST send an Advertise message to
> > the client that includes only a Status Code option with code
> > NoAddrsAvail and a status message for the user, a Server Identifier
> > option with the server's DUID, and a Client Identifier option with the
> > client's DUID.
> >
> > Which seems to indicate that the patch would violate the RFC.
> >
> > But then I looked some more, and found this:
> >
> > 17.2.1. Receipt of Solicit Messages
> >
> >
> > The server determines the information about the client and its
> > location as described in section 11 and checks its administrative
> > policy about responding to the client.  If the server is not permitted
> > to respond to the client, the server discards the Solicit message.
> > For example, if the administrative policy for the server is that it
> > may only respond to a client that is willing to accept a Reconfigure
> > message, if the client indicates with a Reconfigure Accept option in
> > the Solicit message that it will not accept a Reconfigure message, the
> > servers discard the Solicit message.
> >
> >
> > So I think we can define "DHCPv6 address allocation not configured"
> > as administrative policy and chose to discard the solict message in
> > this
> >> case.
> >
> > Patch applied, with some style changes, thanks.
> >
> >
> > Cheers,
> >
> > Simon.
> >
> >
> >
> >
> >
> >
> >
> > On 19/01/15 21:30, Win King Wan wrote:
> >>>> Hi,
> >>>>
> >>>> In https://github.com/RMerl/asuswrt-merlin/pull/854 I patched the
> >>>> dnsmasq version of my ro

Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6 addresses when M flag is off

[Vladislav Grishenko]

Hi,

Per RFC 3315 17.2.1 the server MAY discard the Solicit message, but per
17.2.2, if the server will not assign any addresses to any IAs in a
subsequent Request from the client, the server MUST send an Advertise
message to client. Also, per RFC 2219 MAY is truly optional item, and MUST
be prepared to interoperate with another inverse option existence
implementation.
So, interpreting that dnsmasq may not respond at all in stateless mode into
RFC 3315 17.2.1 seems a bit farfetched.

In real world, absence of Advertise message with NoAddrsAvail Status Code
may lead to client misbehavior and prevent it from fallback to DHCPv6
Stateless mode, because RFC 3315 doesn't state any non-zero MRC & MRD
non-zero values by default for Solicit messages transmission.
Example of such client is https://github.com/sbyx/odhcp6c
Also, openwrt has already reverted this change, refer
https://dev.openwrt.org/browser/trunk/package/network/services/dnsmasq/patch
es/200-fix-dhcpv6-solicit-handling.patch

Since the original issue was in log flooding, log error only for
non-stateless contexts and threat it as false-positive error if it's
expected due the configuration.
Please refer patch attached.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Thursday, January 22, 2015 2:02 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6
addresses
> when M flag is off
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> My first reaction to this was to apply it, but then I went and looked at
> RFC3315, and found this:
> 
>If the server will not assign any addresses to any IAs in a
>subsequent Request from the client, the server MUST send an Advertise
>message to the client that includes only a Status Code option with
>code NoAddrsAvail and a status message for the user, a Server
>Identifier option with the server's DUID, and a Client Identifier
>option with the client's DUID.
> 
> Which seems to indicate that the patch would violate the RFC.
> 
> But then I looked some more, and found this:
> 
> 17.2.1. Receipt of Solicit Messages
> 
> 
>The server determines the information about the client and its
>location as described in section 11 and checks its administrative
>policy about responding to the client.  If the server is not
>permitted to respond to the client, the server discards the Solicit
>message.  For example, if the administrative policy for the server is
>that it may only respond to a client that is willing to accept a
>Reconfigure message, if the client indicates with a Reconfigure
>Accept option in the Solicit message that it will not accept a
>Reconfigure message, the servers discard the Solicit message.
> 
> 
> So I think we can define "DHCPv6 address allocation not configured" as
> administrative policy and chose to discard the solict message in this
case.
> 
> Patch applied, with some style changes, thanks.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> 
> 
> 
> 
> On 19/01/15 21:30, Win King Wan wrote:
> > Hi,
> >
> > In https://github.com/RMerl/asuswrt-merlin/pull/854 I patched the
> > dnsmasq version of my router's firmware to not send out replies to
> > DHCPv6 queries when dhcp-range mode is ra-stateless.
> >
> > Even though the M flag is off in the router advertisement, Windows
> > 8 (and newer) clients will still request an address via DHCPv6.
> > When it receives a reply that no addresses are available, it tries a
> > few more time before giving up for several minutes. After several
> > minutes however it retries. This causes the syslog to be filled up
> > with noise stating that there are no DHCPv6 addresses available for a
> > specific MAC address. (--quiet-dhcp6 does not help much as the "no
> > addresses  available" message is always logged.)
> >
> > My changes basically stops dnsmasq from sending this reply. Since the
> > O flag is on, Windows 8 will try to get other information from the
> > DHCPv6 server if it does not get an reply for its initial request for
> > an address (which seems to still work, as it is able to get the IPv6
> > DNS server).
> >
> > After running Wireshark for quite some time, it appears that Windows 8
> > will not send out subsequent requests for an IPv6 address to the
> > DHCPv6 server (after my patch), at least not within several minutes.
> >
> > I have included the patch for completeness sake. Would it be possible
> > to apply it? Or perhaps there is a

Re: [Dnsmasq-discuss] dhcp option 43 question

[Vladislav Grishenko]

Hi AJ,

> There's apparently an option 43 setting that will resolve this, but even
after a
> few google searches, I'm confused as to how to configure this in dnsmasq.
> I'd like to configure it so only this vendor's devices gets the option
returned.
> 
> Here's the sample config for Cisco and linux dhcpd.conf...I need help
> translating this into what I should include into my dnsmasq.conf file,
please?
> http://wiki.ubnt.com/UniFi_FAQ#To_use_DHCP_Option_43
> 
> The other, alternate, is that these APs use the url
http://unifi:8080/inform --
> so I considered setting the "cname" option in dnsmasq to my controller.
But I
> couldn't get that working for some reason.

Try either dhcp-option=vendor:,1,ip.ip.ip.ip or or
dhcp-option=vendor:,1,http://fqdn:8080/inform
Refer --dhcp-option
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html for details

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Adding Route Information Option to prefixes in RA

[Vladislav Grishenko]

In spite of fact that dnsmasq send's only on-link prefixes and in absence of
RIO control, let's follow Steven proposal regarding RIO and avoidance of
duplicate routes on Win* platforms.
Please refer patch, it also tides up option length calculating, as used in
other parts of code.

http://wl500g.googlecode.com/svn/trunk/dnsmasq/071-ra-route-info.patch

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Steven Barth
> Sent: Thursday, September 11, 2014 12:36 PM
> To: Simon Kelley; dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Adding Route Information Option to prefixes
> in RA
> 
> 
> > Focusing on the current dnsmasq code, I guess the take-home message
> > here is that we're probably better off to revert the code which adds
> > RIOs, for now, as the only RIOs we're sending are exactly the ones
> > which Steven suggests should be suppressed. Should probably re-visit
> > the issue of more general support for RIO in the next release.
> Possibly rare client issues aside if you announce a prefix both using an
on-link
> PIO and a RIO the RIO doesn't do you any good. In the best case it just
adds
> another redundant route for the same /64 in the worst case it confuses
> clients. My personal opinion would be to only send it if you announce the
PIO
> as off-link (don't know if that is configurable in
> dnsmasq) and otherwise just drop the RIO if it would be identical to the
PIO.
> 
> I think it would make more sense to add some kind of option to specify the
> RIO-length for a prefix and only announce the RIO if said RIO length is <
than
> that of the prefix announced in the PIO or just add a generic option which
> let's you add arbitrary RIOs or so.
> 
> 
> Cheers,
> 
> Steven



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6

[Vladislav Grishenko]

> From: v...@selfip.ru [mailto:v...@selfip.ru] On Behalf Of Vasiliy Tolstov
> Sent: Wednesday, September 03, 2014 3:55 AM
> 
> 2014-09-03 1:52 GMT+04:00 Vladislav Grishenko :
> > Hi Vasiliy,
> > Kernel never sends RA, so it's always up to userspace like dnsmasq.
> >
> 
> Please, re-read my question. I'm understand who send ra, but who send NS
> and NA ?

Sorry, misread.
dnsmasq sends unsolicited periodic RA and sends solicited RA in reply to 
incoming RS from client only.
dnsmasq may send several NS to client in reply to incoming DHCPv6 requests to 
know its hw address (mac).
All other cases of NS/NA sending and receiving are up to kernel only.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6

[Vladislav Grishenko]

Hi Vasiliy,
Kernel never sends RA, so it's always up to userspace like dnsmasq.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> boun...@lists.thekelleys.org.uk] On Behalf Of Vasiliy Tolstov
> Sent: Monday, September 01, 2014 6:59 PM
> To: Simon Kelley
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] dhcpv6
> 
> 2014-09-01 12:57 GMT+04:00 Simon Kelley :
> >
> > It definitely listens on port 547 UDP.
> >
> > Simon.
> 
> 
> Thanks. Last question - when dnsmasq sends RA to client who send in
> response  Neighbor Solicitation and Neighbor Advertisement , kernel or
> dnsmasq ?
> 
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@selfip.ru
> jabber: v...@selfip.ru
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcp-pd, and autoassigned internal interfaces issues

[Vladislav Grishenko]

Hi Simon,

> > -if (ifa->ifa_flags&  IFA_F_PERMANENT)
> > +if (!(ifa->ifa_flags&  IFA_F_TEMPORARY))

IFA_F_TEMPORARY flag used only if privacy extensions are enabled in kernel,
in all other cases it makes no sense and will not be there.
That means condition will be always evaluated as TRUE for any kind of
address, including event tentative, and any address but privacy-generated
will get permanent flag.
Meanwhile, construct_worker() has no protection against tentative, temporary
and so on flags, so, after patch, it will work for any address on linux.
Was it really intended?

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq-2.68rc3 Coverity difference scan against 2.67

[Vladislav Grishenko]

Hi Simon,
Could you please also check out compiler warning fixes from here? Thanks
http://wl500g.googlecode.com/svn/trunk/dnsmasq/

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Tuesday, November 26, 2013 4:17 PM
> To: Tomas Hozza
> Cc: dnsmasq discussion list
> Subject: Re: [Dnsmasq-discuss] dnsmasq-2.68rc3 Coverity difference scan
> against 2.67
> 
> On 26/11/13 09:11, Tomas Hozza wrote:
> > Hi.
> >
> > I scanned dnsmasq-2.68rc3 against 2.67 for added errors with Coverity.
> > The log is attached. There is missing one check of whine_malloc return
> > value in cache.c. I checked that the value is commonly checked in
> > other parts of the source.
> 
> 
> Fix pushed. Thanks.
> 
> >  Otherwise
> > looks good :)
> >
> 
> Great stuff.
> 
> Simon.
> 
> > Regards,
> >
> > Tomas Hozza
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Need some example for ipv6 dhcp mode(ra-only, slaac, ra-names, ra-stateless)

[Vladislav Grishenko]

Since dnsmasq 2.67 it's possible to use MAC addresses for DHCPv6 as well
Of course, there's some limitations, refer dnsmasq man for details

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of mudru...@spoje.net
> Sent: Monday, November 11, 2013 7:58 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Need some example for ipv6 dhcp mode(ra-
> only, slaac, ra-names, ra-stateless)
> 
> Unfortunately DHCPv6 does not use MAC adresses, but rather software
> defined string called DUID.
> However better documentation and examples of dnsmasq configs for
> various DHCPv6 usecases would be great.
> 
> Dne 11.11.2013 09:56, Da Zhao Y Yu napsal:
> > Hi,
> >
> > Now I was a bit confused about IPv6 dhcp mode, such as ra-only, slaac,
> > ra-names, ra-stateless, whether have some guys can give me some
> > example about it?
> >
> > I want to use IPv6 stateless address autoconfiguration function via
> > dnsmasq server, but I do not know the difference between ra-only,
> > slaac, ra-names and ra-stateless? Who can give me some example about
> > it, thanks!
> >
> > For example, one host's mac address is 00:12:34:00:AB:CD, base on the
> > method of automatically generation IPv6 address(EUI-64), if the dhcp
> > mode was set to RA-ONLY, then how much is the destination IPv6
> > address? if the dhcp mode was set to RA-NAMES, what is the result?
> > how
> > about "slaac" and "ra-stateless"? All of the IPv6 address is same?
> >
> > Thanks & Best Regards
> >  Yu Da Zhao(于大钊)
> >  --
> >  Cloud Solutions & OpenStack Development  China Systems & Technology
> > Laboratory in Beijing
> >  Email: d...@cn.ibm.com
> >  Tel: (86)10-82450677
> >  --
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DNSMasq and DNS reflection attacks

[Vladislav Grishenko]

> From: Simon Kelley
> Sent: Friday, October 25, 2013 4:15 PM
>
> On 24/10/13 23:41, Vladislav Grishenko wrote:
> >> From: Simon Kelley
> >> Sent: Thursday, October 24, 2013 11:00 PM
> >>
> >> So, don't use --bind-interfaces. If you're on Linux, you can use
> >> --bind- dynamic instead if you're running multiple dnsmasq instances.
> >>
> >
> > So, on linux --bind-interfaces can be just an alias of --bind-dynamic,
> > with no --bind-interfaces code and no warnings, less binary size, more
> seciruty.
> 
> There's practically no code that could be removed with --bind-interfaces,
--
> bind-dynamic is pretty much bind-interfaces plus the code to determine
> arrival interface which is disabled or missing with bind interfaces plus
some
> new code to notice new addresses arriving.
> 
> If it could be supported everywhere, I'd just have extended
bind-interfaces
> to work in the way that the new bind-dynamic mode does, but I don't want
> to have one mode which behaves subtly differently on different platforms.
> By giving the new mode a new option, I can raise an error when it's not
> available.

I see, wasn't aware it can't be supported on BSD. makes sense than, thanks
for pointing out.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DNSMasq and DNS reflection attacks

[Vladislav Grishenko]

> From: Simon Kelley
> Sent: Thursday, October 24, 2013 11:00 PM
> 
> So, don't use --bind-interfaces. If you're on Linux, you can use --bind-
> dynamic instead if you're running multiple dnsmasq instances.
> 

So, on linux --bind-interfaces can be just an alias of --bind-dynamic, with
no --bind-interfaces code and no warnings, less binary size, more seciruty.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Clarification of prefix length field in dhcp-range

[Vladislav Grishenko]

Hi, Kevin

Refer http://wl500g.googlecode.com/svn/trunk/dnsmasq/020-relax-prefix.patch
It does what you want (ugly a bit), but, beware, it was made before
following dnsmasq commit, need to handle it too, had no time to do so yet.
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=486479e94308f8579a
d5132a5218a74dbc707521

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] gatway

[Vladislav Grishenko]

> The problem with that is that RDNSS and DNSSL are per interface, not per-
> prefix. Maybe the calculation should the maximum valid time of any prefix
> advertised on the interface?

It will not work for several different prefixes and serveral different
global-scope addresses on dnsmasq interface.
Since it's per interface (actually not, per router, but whatever), and
onlink flag is always set, auto-cooked [::] rdnss address  should contain
link-local address of that interface, not global. After that, lifetimes can
be max (or 2/3 of max to fit RFC defaults) of any valid ra lifetime.
Also, announcing link-local addres of interface as RDNSS make life easier
while prefix changing, renumbering, etc.
As for user-specified RDNSS addresses, it's up to him to shoot in own foots
and specify static or dynamic servers.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] gatway

[Vladislav Grishenko]

Hi, Simon,

Thanks for the implementation, works well with one issue is still there
RDNSS & DNS Search List RA options contain lifetimes calculated from
MaxRtrAdvInterval, where MaxRtrAdvInterval = , and
MinRtrAdvInterval = 3/4*
Since, there's no way to specify MinRtrAdvInterval & MaxRtrAdvInterval (as I
proposed before), RDNSS & DNS Search List lifetimes always equal
2*.
So, if  is small, like 10sec, that lifetimes are small too,
just 20sec, without any connection to . Hosts may refresh
RDNSS info with RS packets and trigger solicited RA answers in addition to
existing unsolicited RA packets.
In the same time, with working DHCPv6 stateless/full lifetime is taken from
dhcp-range, 600 sec as min.

In radvd, MinRtrAdvInterval, MaxRtrAdvInterval, DefaultLifetime and other
lifetimes can be set via conf file,
In dnsmasq they are automatic, guess automatic needs to be tuned up.
What do you think?

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Friday, October 11, 2013 2:01 AM
> To: Vladislav Grishenko
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] gatway
> 
> On 08/10/13 12:09, Vladislav Grishenko wrote:
> >> From: Simon Kelley
> >> Sent: Tuesday, October 08, 2013 4:20 PM On 06/10/13 11:32, Vladislav
> >> Grishenko wrote:
> >>> Hi, RFC4861 says:
> >>>
> >>>  A router might want to send Router Advertisements without
> > advertising
> >>>  itself as a default router.  For instance, a router might
advertise
> >>>  prefixes for stateless address autoconfiguration while not
> >>> wishing
> > to
> >>>  forward packets.  Such a router sets the Router Lifetime field in
> >>>  outgoing advertisements to zero.
> >>>
> >>>>> is it possible to tell dnsmasq not to announce itself as router?
> >>> So , yes, it's theoretically possible.
> >>
> >> That's good information, thanks. In answer to the next question, no,
> >> it's
> > not
> >> possible to configure dnsmasq to send Router Lifetime == 0.
> >>
> >> The lifetime, in dhcp-range is used to calculate the lifetimes for
> > prefixes, no
> >> the router lifetime. In fact the router lifetime is always advertised
> >> as
> > 1800
> >> seconds, I think.
> >>
> >> Since this is a per-broadcast domain thing, and not per prefix thing,
> >> it
> > needs
> >> to be associated with an interface.
> >>
> >> Simplest would be
> >>
> >> no-router-interface=[,,]
> >>
> >> to set the interfaces that get router lifetime of zero.
> >>
> >> More complex would be to allow explict setting of the router lifetime
> >> per interface, that would have to be linked to the RA frequency: you
> >> wouldn't want a router expiring before it could be re-advertised.
> >>
> >
> > No-router-interface is simplest, and adds more option to control RA.
> > Currently we have already:
> > --dhcp-range=...ra-only|slaac|ra-names...
> > --enable-ra
> > --force-fast-ra
> >
> > What if to logically split options to dhcp*-related and to
slaac-related?
> > --dhcp-range=
> > Sets only DHCP range/RA prefix parameters (including
> > lease/prefix/rdnss/domain lifetimes), but not RA timeouts
> >
> > --enable-ra=[,,...][,AdvDefaultLifetime][,MinRtr
> > AdvInt
> > erval,MaxRtrAdvInterval]
> > Sets only RA timouts, if params absent - use defaults, 600 as max,
> > 1/3*600 as min.
> > With this, both min&  max can be configured, As per RFC,
> > max should be in range 4-1800 secodns, default 600
> > min should be in range 3-3/4*max, default 1/3*max, if max>=9,
> > otherwise equal to max
> >
> > With this approach, --no-router-interface will be alias of
> > --enable-ra=interface,0
> > And --force-fast-ra will be an alias of
> > --enable-ra=interface,1800,5,20
> >
> > Also, current code uses 600 as max, and 3/4*max as min ra intervals,
> > what fits RFC, bit, guessб isn't optimal, too big min delay.
> > As for startup advertisements and force-fast-ra, interval is 5-20, but
> > can be limited to range
> > MIN_DELAY_BETWEEN_RAS-MAX_INITIAL_RTR_ADVERT_INTERVAL, 3 and
> 16
> > respectively as RFC suggests Since RA can be very frequent, is it ever
> > worth to log with LOG_INFO level every unsolicited RTR-ADVERT? It just
> > floods syslog and has no other meaning in my opinion.
> >
&g

Re: [Dnsmasq-discuss] gatway

[Vladislav Grishenko]

> From: Simon Kelley 
> Sent: Tuesday, October 08, 2013 4:20 PM
> On 06/10/13 11:32, Vladislav Grishenko wrote:
> > Hi, RFC4861 says:
> >
> > A router might want to send Router Advertisements without
advertising
> > itself as a default router.  For instance, a router might advertise
> > prefixes for stateless address autoconfiguration while not wishing
to
> > forward packets.  Such a router sets the Router Lifetime field in
> > outgoing advertisements to zero.
> >
> >>> is it possible to tell dnsmasq not to announce itself as router?
> > So , yes, it's theoretically possible.
> 
> That's good information, thanks. In answer to the next question, no, it's
not
> possible to configure dnsmasq to send Router Lifetime == 0.
> 
> The lifetime, in dhcp-range is used to calculate the lifetimes for
prefixes, no
> the router lifetime. In fact the router lifetime is always advertised as
1800
> seconds, I think.
> 
> Since this is a per-broadcast domain thing, and not per prefix thing, it
needs
> to be associated with an interface.
> 
> Simplest would be
> 
> no-router-interface=[,,]
> 
> to set the interfaces that get router lifetime of zero.
> 
> More complex would be to allow explict setting of the router lifetime per
> interface, that would have to be linked to the RA frequency: you wouldn't
> want a router expiring before it could be re-advertised.
> 

No-router-interface is simplest, and adds more option to control RA.
Currently we have already:
--dhcp-range=...ra-only|slaac|ra-names...
--enable-ra
--force-fast-ra

What if to logically split options to dhcp*-related and to slaac-related?
--dhcp-range=
Sets only DHCP range/RA prefix parameters (including
lease/prefix/rdnss/domain lifetimes), but not RA timeouts

--enable-ra=[,,...][,AdvDefaultLifetime][,MinRtrAdvInt
erval,MaxRtrAdvInterval]
Sets only RA timouts, if params absent - use defaults, 600 as max, 1/3*600
as min.
With this, both min & max can be configured,
As per RFC,
max should be in range 4-1800 secodns, default 600
min should be in range 3-3/4*max, default 1/3*max, if max >=9,
otherwise equal to max

With this approach, --no-router-interface will be alias of
--enable-ra=interface,0
And --force-fast-ra will be an alias of --enable-ra=interface,1800,5,20

Also, current code uses 600 as max, and 3/4*max as min ra intervals, what
fits RFC, bit, guessб isn't optimal, too big min delay.
As for startup advertisements and force-fast-ra, interval is 5-20, but can
be limited to range MIN_DELAY_BETWEEN_RAS-MAX_INITIAL_RTR_ADVERT_INTERVAL, 3
and 16 respectively as RFC suggests
Since RA can be very frequent, is it ever worth to log with LOG_INFO level
every unsolicited RTR-ADVERT? It just floods syslog and has no other meaning
in my opinion.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] gatway

[Vladislav Grishenko]

Hi, RFC4861 says:

   A router might want to send Router Advertisements without advertising
   itself as a default router.  For instance, a router might advertise
   prefixes for stateless address autoconfiguration while not wishing to
   forward packets.  Such a router sets the Router Lifetime field in
   outgoing advertisements to zero.

> > is it possible to tell dnsmasq not to announce itself as router?
So , yes, it's theoretically possible.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Wednesday, October 02, 2013 3:44 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] gatway
> 
> On 02/10/13 02:57, Moritz Warning wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Hi,
> >
> > is it possible to tell dnsmasq not to announce itself as router?
> > The problem is that connected computers try to use the router as
gateway.
> > The router is not the gateway of the network, but some other computer.
> >
> > For what it matter, this is the IPv6 setting in my Dnsmasq (version
2.66)
> configuration:
> >
> > dhcp-range=public,fdef:1700:::,ra-names,slaac,64,infinite
> 
> I don't think it is, except by stopping it from advertising prefixes as
well, (ie,
> remove the above line completely). The protocol doesn't
> (AFAIK) allow prefix advertisements which are not also router
> advertisements.
> 
> 
> It _might_ be possible to do the ra-names functionality whilst leaving
> router/prefix announcement to another host, it would required code
> changes and I've not thought hard about if it would work or be desirable.
> 
> 
> Cheers,
> 
> Simon.
> 
> >
> > thanks,
> > mwarning
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1.4.12 (GNU/Linux)
> > Comment: Using GnuPG with Icedove - http://www.enigmail.net/
> >
> >
> iQEcBAEBAgAGBQJSS319AAoJECHrh56PP4wpXgUH/j0D8rSF7qWciHLfmjlLtVh
> Q
> >
> NUicHU4rN2ZyX1XTNn9HZi66tziZc3PcOs4y3xg+QKdUCkMKiQAV0CDgRmoqg
> pe6
> >
> ER03eC9ibBm7VLU/TubX2Z1tnHIDFwvkyDSP66LBwTbstyaxmS4cOTX6bzizL0o
> H
> >
> fE2lwRMIYLn1eV5G/niLdxkZI+WjrWy/d6bggZ6N4M2GqPnwkHkdvdDRwMgo
> 7F0h
> >
> 2aZWQs6PUxpFVuHpVYIZcDEvjYI1CBBi9BF6XXaiWIVSktnIQ0AfKYK58E3tkWAI
> >
> RnRJ0G3Di3DwNGpPJZ2Da6v0pR1PEKMcjzmcvfKgwdFiKBVP2SMa3VHPXkAQ
> z7s=
> > =ign/
> > -END PGP SIGNATURE-
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.67rc1

[Vladislav Grishenko]

Hi Simon,

>  Remove the rule for constructed DHCP ranges that the local
>  address must be either the first or last address in the
>  range. This was originally to avoid SLAAC addresses, but
>  we now explicitly autoconfig and privacy addresses
>   instead.

There's minor cosmetic issue after above changes.
Dnsmasq logs first address for SLAAC/DHCP stateless templates on startup,
what makes sense only for DHCPv6 stateful.

Example:
br0  inet6 addr: 2001:db8::1/64 Scope:Global
dhcp-range=lan,::2,::255,constructor:br0,ra-names,64,86400

dnsmasq-dhcp: DHCPv6, IP range ::2 -- ::255, lease time 1d, template
for br0
dnsmasq-dhcp: DHCPv4-derived IPv6 names on ::2, template for br0
dnsmasq-dhcp: router advertisement on ::2, template for br0
dnsmasq-dhcp: DHCPv6, IP range 2001:db8::2 -- 2001:db8::255, lease
time 1d, constructed for br0
dnsmasq-dhcp: DHCPv4-derived IPv6 names on 2001:db8::, constructed
for br0
dnsmasq-dhcp: router advertisement on 2001:db8::, constructed for
br0
dnsmasq-dhcp: IPv6 router advertisement enabled

Addr "::2" shown above in DHCPv4-derived IPv6 names and router advertisement
is redundant, because not further used.
Actually, non-DHCPv6 stateful templates use only prefix part of the first
address in configured range, in example above "::2/64" => "::".

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Reg: Info related to leases file

[Vladislav Grishenko]

> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> > I understand that leasefile format is preserved due legacy reasons to
> > allow dnsmasq precompiled updates.
> > What if just to add LEASEFILE_LEGACY_FORMAT define to control the subj
> > format?
> > Ppl who able to build it and to control lease format dependent apps
> > would be able to enable/disable it and use on his own, while the rests
> > can continue to use legacy defaults with no harm.
> > No code redundancy would be brought this way, new/old lease-format
> > code would be just not compiled in, anyway don't treat this opinion as
> > a kind of pushing, just consider it's probably good to have it in
upstream.
> 
> The problem is that you're asking for two incompatible things. You want
the
> leasefile format to be a defined interface, which implies, amongst other
> things, that it's stable, and you want to change the leasefile format.
> BTW, as far as I'm concerned, the leasefile format has never been a
defined
> interface, if people are looking in there directly, that's their risk.

Actually not exactly, I see possible leasfile code simplification, and in
the side effect it could be possible to have file format as defined
interface, nothing else.
Ok, if lease format hasn't never been a defined interface, nothing should
prevent from format change at any time, right? So, why not then.

> >
> > Thanks for the remind, both cases require either HAVE_SCRIPT or
> HAVE_DBUS to
> > be enabled, openwrt folks use scripts from the very start.
> > So, dnsmasq code, additional not-dnsmasq file sizes&  required mem
> > increases, complexity grows, possible fault places number too, with the
> same
> > desired result as if leasefile contains new lease info.
> > In my humble opinion, it seems a little bit overkill for embedded world.
> > As an example - a number of recent mails of Tomato firmware folks here
in
> > the list when they decided to update dnsmasq and have accidentally
> dropped
> > homegrown leases-save code, that extends the format of the original one.
> > They have the same reasons - keep dnsmasq&  outter environment as
> small and
> > functional as possible.
> 
> HAVE_SCRIPT isn't very big and this tiny shell script makes a file of
> (IP-address, MAC-address) pairs. It's trivial to alter it to split IPv4
> and IPv6 into different files or include any information from the fields
> exposed by the script interface. The script interface is defined and
> I'll keep it compatible going forward.

Ok, giving up. Script-based has even-driven pros while adding/deleting
lease. My next concern is about lease init stage, when dnsmasq needs to be
restarted due reconfig. Does it need to be implemented, or leasefile in
whatever format could coexist with script?

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Reg: Info related to leases file

[Vladislav Grishenko]

> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Tuesday, September 24, 2013 9:16 PM
> 
> On 24/09/13 15:31, Vladislav Grishenko wrote:
> > Hi Simon,
> >
> >> However, if you're interested in the MAC addresses of clients, the
> >> very
> > latest
> >> dnsmasq code can determine that in most cases. The MAC address is not
> >> stored in the leases file, but it can be used to key configurations
> >> to
> > particular
> >> MAC addresses, and it's made available to the DHCP lease external
> >> script,
> > so
> >> an external application can use it.
> >
> > Storing MACs for DHCPv6 clients is just exactly I'm looking for.
> > In my scenario, lease file is used to obtain current list of DHCP4/6
> > clients as some status information, the latter usage of this info is:
> > * DHCP4/6 reservation, it's MAC-based, because client DHCP6 DUID-LLT
> > is dynamic by the nature, thanks for implementing this approach
> > * client blocking, it's MAC bases too
> > So, storing lease info with MAC for DHCPv6 clients (if available, that
> > is highly likely for direct-connected clients) is the simplest way for
> > my case without usage any other leasudump-like api
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> >
> 
> I realise that adding to MAC to the leasefile for DHCPv6 clients would
make
> this possible, but I'm reluctant to change the leasefile format.

I understand that leasefile format is preserved due legacy reasons to allow
dnsmasq precompiled updates.
What if just to add LEASEFILE_LEGACY_FORMAT define to control the subj
format?
Ppl who able to build it and to control lease format dependent apps would be
able to enable/disable it and use on his own, while the rests can continue
to use legacy defaults with no harm.
No code redundancy would be brought this way, new/old lease-format code
would be just not compiled in, anyway don't treat this opinion as a kind of
pushing, just consider it's probably good to have it in upstream.

> One way to do this now is to script (as script or with Lua) something
> which maintains an extended lease database. It's actually possible to do
> without the leasefile at all (which saves on writes to flash
> filesystems) and have the script maintain the database in any database
> engine you like.
> Another possibility for a future enhancement is to add a method to the
> DBus interface to read the lease database. There's a lot of information
> that can be known about a lease/client that will never go into the
> leases file, but could be accessible this way: look at all the
> environment variables set when the DHCP script is run.

Thanks for the remind, both cases require either HAVE_SCRIPT or HAVE_DBUS to
be enabled, openwrt folks use scripts from the very start. 
So, dnsmasq code, additional not-dnsmasq file sizes & required mem
increases, complexity grows, possible fault places number too, with the same
desired result as if leasefile contains new lease info.
In my humble opinion, it seems a little bit overkill for embedded world.
As an example - a number of recent mails of Tomato firmware folks here in
the list when they decided to update dnsmasq and have accidentally dropped
homegrown leases-save code, that extends the format of the original one.
They have the same reasons - keep dnsmasq & outter environment as small and
functional as possible.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Reg: Info related to leases file

[Vladislav Grishenko]

Hi Simon,

> However, if you're interested in the MAC addresses of clients, the very
latest
> dnsmasq code can determine that in most cases. The MAC address is not
> stored in the leases file, but it can be used to key configurations to
particular
> MAC addresses, and it's made available to the DHCP lease external script,
so
> an external application can use it.

Storing MACs for DHCPv6 clients is just exactly I'm looking for.
In my scenario, lease file is used to obtain current list of DHCP4/6 clients
as some status information, the latter usage of this info is:
* DHCP4/6 reservation, it's MAC-based, because client DHCP6 DUID-LLT is
dynamic by the nature, thanks for implementing this approach
* client blocking, it's MAC bases too
So, storing lease info with MAC for DHCPv6 clients (if available, that is
highly likely for direct-connected clients) is the simplest way for my case
without usage any other leasudump-like api

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Reg: Info related to leases file

[Vladislav Grishenko]

> Out of the three types:  DUID-LLT, DUID-EN and DUID-LL, which one is used
> by dnsmasq? I am asking because I want to confirm whether the MAC
> address of the network interface is always a substring of the client DUID
or
> not.

1. DUID-EN, if --dhcp-duid specified
2. DUID-LL from MAC of the first suitable interface, if HAVE_BROKEN_RTC
defined
3. DUID-LLT from MAC of the first suitable interface for all other cases

FYI, as per RFC3315 DUIDs should be treated as opaque values only:
> 9. DHCP Unique Identifier (DUID)
> Clients and servers MUST treat DUIDs as opaque values and MUST only
> compare DUIDs for equality.  Clients and servers MUST NOT in any
> other way interpret DUIDs.

Best Regards, Vladislav Grishenko




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DHCPv6 Server not respecting lease time setting

[Vladislav Grishenko]

Hi Jonathan,

There's quick fix for your issue, if client hasn't specified preferred
address lifetime, lease time is used. Valid timeout value is still ignored.

 
<http://wl500g.googlecode.com/svn/trunk/dnsmasq/110-no-lifetime-preference.p
atch>
http://wl500g.googlecode.com/svn/trunk/dnsmasq/110-no-lifetime-preference.pa
tch

 

Best Regards, Vladislav Grishenko

 

From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk
[mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] On Behalf Of
Jonathan Fabian
Sent: Thursday, August 01, 2013 4:06 AM
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: [Dnsmasq-discuss] DHCPv6 Server not respecting lease time setting

 

Hi,

 

I'm seeing some strange behavior between my mac and dnsmasq (running on arch
linux arm) when getting assigned an IPv6 address. Specifically, I have the
DHCPv6 set to give out a 12 hour lease time: dhcp-range=a:b:c::1, a:b:c::ff,
64, 12h, but it will only give the mac a 2 min lease time (as a side note, I
have also tried setting a dhcp host option specifically for macs duid and it
ignores those lease time values as well). The lease time setting works fine
with the windows machines on the same network.

 

Looking at the network packets, I see the mac solicit the dhcp server, the
dhcp server replies with an advertisement message offering an ip address
with a valid and preferred lifetime of 43200, then the mac replies with a
request for the advertised ip address with the valid and preferred lifetimes
set to 0 (which looking at rfc3315 should be treated as no preference),
dnsmasq then sends back a reply with the address but the valid and preferred
lifetimes only set to 120 (the min time allowed)!

 

The only difference I can see with the windows machines is that when a
windows machine sends the request message they copy the preferred and valid
lifetimes of 43200 from the advertise message. 

 

Maybe I'm wrong, but it seems that dnsmasq should always be ignoring the 0
when sent, and only treating the valid and preferred lifetimes from the
client as a request at best. It seems, however, to be treating them in a
manner that overrides the explicitly configured setting in its config files.
Can anyone shed some light on this behavior?

 

Thanks,

Jonathan

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] DHCPv6 lease hwaddr

[Vladislav Grishenko]

Little addition, previous mail says nothing about iaid, it needs be moved to
separate lease filed too, and, for example before/after/with flags in
leasefile.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Vladislav Grishenko [mailto:themi...@mail.ru]
> Sent: Sunday, August 04, 2013 7:32 PM
> To: 'dnsmasq-discuss@lists.thekelleys.org.uk'
> Cc: Simon Kelley (si...@thekelleys.org.uk)
> Subject: DHCPv6 lease hwaddr
> 
> Hi Simon,
> 
> dnsmasq 2.67test9 dhcpv6 leases implementation uses only clid approach,
> which is the same and should not be treated as containing client's hwaddr.
> It makes impossible in real life to specify specific dhcpv6 options for
clients, if
> only mac address is known (ISP billing, specific & static allocations,
etc).
> 
> But, in fact, if DHCPv6 client directly attached, link layer address is
available
> just from the packet, but if they are served via relay,  relay agent may
use
> OPTION_CLIENT_LINKLAYER_ADDR as defined in RFC6939. Refer
> http://tools.ietf.org/html/rfc6939:
> 
> 5.  DHCPv6 Relay Agent Behavior
>DHCPv6 relay agents that receive messages originating from clients
>(for example, Solicit and Request, but not, for example,
>Relay-Forward or Advertise) MAY include the link-layer source address
>of the received DHCPv6 message in the Client Link-Layer Address
>option, in relayed DHCPv6 Relay-Forward messages.  The DHCPv6 relay
>agent behavior can depend on configuration that decides whether the
>Client Link-Layer Address option needs to be included.
> 6.  DHCPv6 Server Behavior
>If the DHCPv6 server is configured to store or use a client link-
>layer address, it SHOULD look for the Client Link-Layer Address
>option in the Relay-Forward DHCP message of the DHCPv6 relay agent
>closest to the client.  The mechanism described in this document is
>not necessary in the case where the DHCPv6 server is connected to the
>same network link as the client, because the server can obtain the
>link-layer address from the link-layer header of the DHCPv6 message.
>If the DHCP server receives a Client Link-Layer Address option
>anywhere in any encapsulated message that is not a Relay-Forward DHCP
>message, the server MUST silently ignore that option
> 
> So, we can keep using hwaddr for DHCPv6 clients, if it's available, and
make
> leasefile & mac-based options work.
> Also, it will allow struct lease, code and leasefile format cleanup:
> 
> Lease struct contains struct in_addr addr and hwaddr member is reused as
> struct in_addr in6_addr, so we have no hwaddr for v6 clients Lease file is
> looks like, where for DHCPv6 records hwaddr is replaced by hwtype + 32 bit
> of hwaddr
>   86400 00:21:6a:xx:xx:xx 192.168.1.191 host 01:00:21:6a:xx:xx:xx
>   86400 553656682 201:db8::109 host
> 00:01:00:01:14:0d:23:69:90:e6:ba:xx:xx:xx
> If lease struct will contain separate struct in6_addr for ipv6 address or
even
> struct all_addr, hwaddr could be kept and used as is.
> As for lease file format, it could look like below:
>   86400 [hwtype-]00:21:6a:xx:xx:xx 192.168.1.191 host
01:00:21:6a:xx:xx:xx
> [%04x: flags like TA/NA/other]
>   86400 [hwtype-]00:21:6a:xx:xx:xx 201:db8::109 host
> 00:01:00:01:14:0d:23:69:90:e6:ba:xx:xx:xx [%04x: flags like TA/NA/etc]
Legacy
> format with %u (even not %lu for keeping the whole hwaddr...) can be
easily
> supported, but doesn't worth to, since no soft writes it directly for ipv6
> leases.
> 
> Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] DHCPv6 lease hwaddr

[Vladislav Grishenko]

Hi Simon,

dnsmasq 2.67test9 dhcpv6 leases implementation uses only clid approach,
which is the same and should not be treated as containing client's hwaddr.
It makes impossible in real life to specify specific dhcpv6 options for
clients, if only mac address is known (ISP billing, specific & static
allocations, etc).

But, in fact, if DHCPv6 client directly attached, link layer address is
available just from the packet, but if they are served via relay,  relay
agent may use OPTION_CLIENT_LINKLAYER_ADDR as defined in RFC6939. Refer
http://tools.ietf.org/html/rfc6939:

5.  DHCPv6 Relay Agent Behavior
   DHCPv6 relay agents that receive messages originating from clients
   (for example, Solicit and Request, but not, for example,
   Relay-Forward or Advertise) MAY include the link-layer source address
   of the received DHCPv6 message in the Client Link-Layer Address
   option, in relayed DHCPv6 Relay-Forward messages.  The DHCPv6 relay
   agent behavior can depend on configuration that decides whether the
   Client Link-Layer Address option needs to be included.
6.  DHCPv6 Server Behavior
   If the DHCPv6 server is configured to store or use a client link-
   layer address, it SHOULD look for the Client Link-Layer Address
   option in the Relay-Forward DHCP message of the DHCPv6 relay agent
   closest to the client.  The mechanism described in this document is
   not necessary in the case where the DHCPv6 server is connected to the
   same network link as the client, because the server can obtain the
   link-layer address from the link-layer header of the DHCPv6 message.
   If the DHCP server receives a Client Link-Layer Address option
   anywhere in any encapsulated message that is not a Relay-Forward DHCP
   message, the server MUST silently ignore that option

So, we can keep using hwaddr for DHCPv6 clients, if it's available, and make
leasefile & mac-based options work.
Also, it will allow struct lease, code and leasefile format cleanup:

Lease struct contains struct in_addr addr and hwaddr member is reused as
struct in_addr in6_addr, so we have no hwaddr for v6 clients
Lease file is looks like, where for DHCPv6 records hwaddr is replaced by
hwtype + 32 bit of hwaddr
  86400 00:21:6a:xx:xx:xx 192.168.1.191 host 01:00:21:6a:xx:xx:xx
  86400 553656682 201:db8::109 host
00:01:00:01:14:0d:23:69:90:e6:ba:xx:xx:xx
If lease struct will contain separate struct in6_addr for ipv6 address or
even struct all_addr, hwaddr could be kept and used as is.
As for lease file format, it could look like below:
  86400 [hwtype-]00:21:6a:xx:xx:xx 192.168.1.191 host
01:00:21:6a:xx:xx:xx [%04x: flags like TA/NA/other]
  86400 [hwtype-]00:21:6a:xx:xx:xx 201:db8::109 host
00:01:00:01:14:0d:23:69:90:e6:ba:xx:xx:xx [%04x: flags like TA/NA/etc]
Legacy format with %u (even not %lu for keeping the whole hwaddr...) can be
easily supported, but doesn't worth to, since no soft writes it directly for
ipv6 leases. 

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Forwarding all DNS requests (wildcard effectively) to single upstream server

[Vladislav Grishenko]

> From: Stuart Jenkins
> Sent: Wednesday, May 22, 2013 2:44 AM
>
>I thought a quick one line in the /etc/dnsmasq.conf file would be the
solution (a variant of)
>server=[/[]/[domain/]][[#][@|[#
]]
>But apparently server=//a.b.c.d will not work as: "An empty domain
specification, // has the special meaning of "unqualified names only" ie
names without any dots in them. "
>I know I am missing something - any hints?

"server=/#/a.b.c.d" does what you need, # matches everything and becomes a
zero length domain string.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] autogenerating dns records

[Vladislav Grishenko]

> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Thursday, April 25, 2013 4:18 PM
> 
> I'm not clear what the advantage is.

The main advantage is to have automatic reverse PTR records for the
subnet(s) for online services that check it (ftp, irc, etc). While IPv4 is
quite ok to pre-generate, it's quite impossible/inefficient for IPv6 SLAAC
subnet(s). Mean intended to be viewable, but not to be reused by human
offen. There're already tools to force readable names in dnsmasq/hosts, this
is about autogeneration only.

> The maximum length of the presentation
> form of an IPv6 address is 46 characters, which fits in a DNS label (63
max)
> quite comfortably.

A matter of taste, I'd say. Full IPv6 reverse PTR representation plus domain
could not fit format (example: IRC server names name!name@host, where host
is reverse looked-up name) 

> By encoding the address, that makes it useless for
> humans, which is the main point of doing this, plus you'd have to support
the
> encoded form in forward as well as reverse queries, since people will do a
> reverse query and then use the result in a forward query later.

Actually not, since IPv6 address (with zero comp) could be more readable
(mean short), than expanded one plus domain. As wrote above, main aim - to
have reverse PTR records without pregeneration for services, not for humans,
also it's kind of masking.

> You've reminded me however that the prefix is limited to 63-46 for IPv6,
to
> be sure to avoid the label length limit.

The problem is it's artificial limit, one can use private prefix even with
/3 or less.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] autogenerating dns records

[Vladislav Grishenko]

Hi Simon,

Really, good feature, thanks for including it.
Have a suggestion not for naming, but for ipv6 reverse domain algo. Since
ipv6 domain representation could be quite long, it can be shortened.
For example, using duotrigesimal system (base 32) + zero compression:
2001:db8::1 => 1zigr64z21
2001:db8:1234:5678:90ab:cdef:1234:5678 => ojl839stdua19spakh4gr64z21

Here's working minimalistic IPv6 Reverse DNS daemon I'm using (with dnsmasq
conf server=/domain.local/127.0.0.1#5353) which implements the approach.
https://code.google.com/p/rev6dns/

$ rev6dns -a 127.0.0.1 -p 5353 ns.domain.local domain.local 2001:db8::/32
$ dig -x 2001:db8::1 @127.0.0.1 -p 5353
;; ANSWER SECTION:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
3994671 IN PTR 1zigr64z21.domain.local.
$ dig -x 2001:db8:1234:5678:90ab:cdef:1234:5678 @127.0.0.1 -p 5353
;; ANSWER SECTION:
8.7.6.5.4.3.2.1.f.e.d.c.b.a.0.9.8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa.
3994671 IN PTR ojl839stdua19spakh4gr64z21.domain.local.
$ dig  1zigr64z21.domain.local. @127.0.0.1 -p 5353
;; ANSWER SECTION:
1zigr64z21.domain.local. 62511  IN  2001:db8::1

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Thursday, April 25, 2013 1:48 AM
> To: Vishvananda Ishaya
> Cc: dnsmasq discussion list
> Subject: Re: [Dnsmasq-discuss] autogenerating dns records
> 
> On 08/04/13 18:07, Vishvananda Ishaya wrote:
> > Thanks appreciate the feedback. I am going to do some testing to see
> > how expensive it is to add a whole bunch to the hosts file for now.
> > If that is too painful I will work on a patch.
> >
> > Vish
> >
> 
> 
> I've been working through my post-release TODO list. Please try
> 2.67test3 which has a new --synth-domain option.
> 
> Suggestions as to a better name for the option gratefully received.
> 
> Cheers,
> 
> Simon.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [Patch] dnsmasq with IPSET feature enabled doesn't compile on linux kernel < 2.6.24

[Vladislav Grishenko]

Dears,
We have 2.6.22 with ipset. Plz, keep in mind there're no only vanilla
kernels around.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Monday, April 22, 2013 7:07 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [Patch] dnsmasq with IPSET feature enabled
> doesn't compile on linux kernel < 2.6.24
> 
> On 20/04/13 15:31, Eugene Rudoy wrote:
> > Dear all,
> >
> > dnsmasq with IPSET feature enabled (added in dnsmasq-2.66 and enabled
> > by
> > default) doesn't compile on linux kernel versions<  2.6.24. The
> > attached patch fixes the problem by disabling the feature for these
kernel
> versions.
> >
> > As far as I understand the missing symbols are just convenience ones,
> > from technical point of view it is possible to add IPSET support also
> > for kernel versions prior to 2.6.24. I however don't need this
> > feature, thus simple disable-patch.
> >
> 
> Hmmm, As I recall, considerable effort was made to get this code to work
> with old kernels, so I'm wary of just disabling it in this circumstance.
>   CC'ing the orginal author for his comments.
> 
> 
> Cheers,
> 
> Simon.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Config file behaviour - change/bug/feature - comments

[Vladislav Grishenko]

Hi Kevin,

Frankly speaking, resulting following conf should be only treated as
misconfiguration.
> interface=br0
> no-dhcp-interface=br0
> interface=br0

As for tomato, it's up to fw logic/general settings why dhcp is disabled via
web ui, but tried ti be enabled by user custom settings.
So, there's nothing wrong with dnsmasq to be fixed, instead just drop
no-dhcp-interface line from being saved. If there's no dhcp-range, no dhcp
will happen anyway.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Kevin Darbyshire-
> Bryant
> Sent: Wednesday, March 27, 2013 11:41 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] Config file behaviour - change/bug/feature -
> comments
> 
> Hi Simon,
> 
> As previously mentioned I got 2.66test16 into a recent version of Tomato
> router firmware which means it's now out in the wild and being used.  An
> obscure corner case change in behaviour has been observed, relating to
> disabling and then re-enabling dhcp service on an interface, and
specifically
> which lines in a config file stick.  Example config:
> 
> interface=br0
> no-dhcp-interface=br0
> 
> then later in the file:
> 
> interface=br0
> dhcp-range=br0,192.168.235.21,192.168.235.254,255.255.255.0,720m
> dhcp-option=br0,3,192.168.235.1
> dhcp-option=br0,44,0.0.0.0
> 
> Now in v2.61 (!) dnsmasq would take the last interface line and say 'oh
you
> do want dns AND dhcp service' and everything would procede as expected.
> In 2.66, once no-dhcp-interface is set it's set and dhcp service is
disabled
> forever.  Now there's a very valid argument that the above example is a
> stupid config file.  Unfortunately the example config file is
representative of
> the conflicts between the automatically generated part of Tomato's dnsmasq
> config, and the manual 'advanced config options' that get appended to the
> file via the router's GUI.
> 
> Now I personally think the router's gui should be fixed (though I've no
idea
> how at this point) but is there perhaps an argument that an
'interface=intfn'
> command later in the file should also reset the 'no-dhcp-flag'?
> 
> Kevin



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Enable HAVE_IPSET by default

[Vladislav Grishenko]

Hi Simon,

Here's output from bloat-o-meter (busybox's one) after enabling HAVE_IPSET
on mips32 platform

The growth is ~2Kb, I guess it's ok to have it enabled by default for bb,
but please, insist on not to drop HAVE_IPSET define.

At least, not the all kernels jave it patched/builtin.

 

function old new   delta

add_to_ipset   - 832+832

one_opt25184   25600+416

ipset_init - 392+392

process_reply8721104+232

extract_addresses   23402464+124

main68406872 +32

.rodata25440   25472 +32

snl-  12 +12

old_kernel -   4  +4

ipset_sock -   4  +4

buffer -   4  +4


--

(add/remove: 6/0 grow/shrink: 5/0 up/down: 2084/0)   Total: 2084
bytes

 

 

 

Best Regards, Vladislav Grishenko

 

 

> -Original Message-

> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-

> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley

> Sent: Thursday, March 21, 2013 9:09 PM

> To: dnsmasq-discuss@lists.thekelleys.org.uk

> Subject: Re: [Dnsmasq-discuss] Enable HAVE_IPSET by default

> 

> On 21/03/13 15:05, sven falempin wrote:

> 

> >

> > DNSMASQ also run on system like FreeBSD, do not assume a linux kernel

> > -_- you could also have a cygwin port one day.

> >

> > You want IPSET ? you turn it on.

> > Imagine if everyone want his very own favorite feature set by default !

> 

> 

> That's true, but not relevant. IPSET gets turned off automatically in
non-linux

> builds, and it's not proposed to change that.

> 

> 

> Cheers,

> 

> Simon.

> 

> 

> 

> ___

> Dnsmasq-discuss mailing list

>  <mailto:Dnsmasq-discuss@lists.thekelleys.org.uk>
Dnsmasq-discuss@lists.thekelleys.org.uk

>  <http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss>
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Enable HAVE_IPSET by default

[Vladislav Grishenko]

Hi Simon,
Just my 2 cents, binary size is important on devices with very limited flash
size (2Mb, 4Mb).
So HAVE_IPSET compile-time switch should continue to exist, same as others,
have no idea about default compile-time states, we always can override them.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Thursday, March 21, 2013 4:08 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Enable HAVE_IPSET by default
> 
> On 20/03/13 17:31, Jason A. Donenfeld wrote:
> > Hi Simon,
> >
> > It's just occurred to me that no router developer is going to know to
> > turn HAVE_IPSET on, and hence, it won't be available immediately on
> > any devices, which is a bummer. Further, unless the --ipset= options
> > are used, HAVE_IPSET doesn't contribute at _all_ to the runtime of the
> app.
> > And even further, if HAVE_LINUX_NETWORK isn't enabled, HAVE_IPSET is
> > automatically disabled.
> >
> > Makes sense, then, I think, to uncomment HAVE_IPSET by default.
> >
> > How about it?
> >
> 
> I'm torn.
> 
> The main reason for not including this is to reduce footprint. (It does
affect
> binary size, which matters, but the delta isn't going to be very
> big.)
> 
> The second reason (in general) for excluding stuff at compile time is to
> maintain the invariant that the distributed tarball can be built with just
a C-
> compiler and make: no other library or tool dependencies. This was
relevant
> for the first versions of ipset, but is no longer a factor as it doesn't
depend on
> external libraries.
> 
> OTOH.
> 
> Router firmware makers, in my experience, make definite decisions about
> what they want included at compile time: the defaults as I distribute them
> are not very relevant, as they get overridden. Ideally, you want router
distros
> to actively take up the new facility and support it in their configuration
> system/ web pages/ documentation.
> 
> "Full fat" distro packagers also pick what they want, taking into account
that
> library dependencies are not a problem. I include ipset in the Debian
> dnsmasq package, that will cascade to Ubuntu. I'd expect Fedora and thus
> Redhat to take the same path.
> 
> 
> Finally, if it's going to be on by default, and given the limited size
delta/lack of
> library definitions, there's an argument for not making it compile-time
> selectable at all. Every compile-time switch contributes to the
combinatorial
> explosion of possible binaries, and lots of bugs come from unanticipated
> interactions in untested compile-flag combinations.
> 
> 
> Opinions, anyone?
> 
> 
> 
> Simon.
> 
> 
> 
> 
> 
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] build fails with HAVE_BROKEN_RTC

[Vladislav Grishenko]

Hi, Simon

 

After auth code merging, one die() call has insufficient agrs for
HAVE_BROKEN_RTC case.

Refer patch attached

 

Best Regards, Vladislav Grishenko

 



zone-serial-with-broken-rtc-fix.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [dnsmasq] Errors found by static analysis of source code (Coverity)

[Vladislav Grishenko]

Hi Simon,

We have a regression after aa608c84b499f75b692a1eb4120f7851f10912e4 Fix
wrong syntax check.
If lease time is set and valid, *cp points to \0 and so !*cp triggers bad
dhcp-range error for valid case.
Refer obvious patch attached.

Btw, why not to use strto(u)l funcs for number checking simplification?
Refer alternative patch as well, probably other code places need it too.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Tuesday, February 05, 2013 8:58 PM
> To: Tomas Hozza
> Cc: dnsmasq-disc...@thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [dnsmasq] Errors found by static analysis
of
> source code (Coverity)
> 
> On 04/02/13 10:24, Tomas Hozza wrote:
> > Hello Simon.
> >
> > We at Red Hat are scanning a lot of open source packages with static
> > analysis tool named Coverity. I have been scanning and reviewing group
> > of network daemons where dnsmasq falls in, too.
> >
> > I scanned the latest dnsmasq-2.66-test13 source with Coverity version
> > 6.5.1. It found 115 errors from which a lot of are just false
> > positives or are not worth fixing. I wrote patches for issues that I
> > think should be fixed. Please review and consider fixing these issues.
> > I'm also including the Coverity scan log, so you can have a look at
> > all errors.
> >
> > Coverity is also running a project where they allow open source
> > project to be scanned for FREE. If you find it interesting you can
> > find more information on http://scan.coverity.com/.
> >
> > If you have any questions about the scan or want to do more scanning,
> > don't hesitate to write me back.
> >
> >
> 
> More patches:
> 
> 0018-RESOURCE_LEAK-CWE-404.patch
> Taken, but only a problem if one malloc succeeds and a second fails - then
we
> leak the first block. I won't lose sleep over that.
> 
> 0019-REVERSE_INULL-CWE-476.patch
> Fixed. !cp should be !*cp
> 
> 0020-STRING_OVERFLOW-CWE-120.patch
> Not taken, same as 0001-STRING_OVERFLOW.
> 
> 0021-UNUSED_VALUE-CWE-563.patch
> Taken. straightforward.
> 
> 0022-USE_AFTER_FREE-CWE-416.patch
> Taken. New code in 2.66test*
> 
> 0023-USE_AFTER_FREE-CWE-416.patch
> Taken, changed style of fix to match other code.
> 
> 
> 
> A very worthwhile exercise, thanks Tomas.
> 
> I've pushed the fixes into git.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


dhcp-range-lease-fix.patch
Description: Binary data


dhcp-range-lease-fix-alt.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Additional feature requested for stateful DHCHv6 together with a 6RD-tunnel to the ISP

[Vladislav Grishenko]

> From: Simon Kelley
> Sent: Friday, January 11, 2013 8:59 PM
> 
> On 11/01/13 11:09, Vladislav Grishenko wrote:
> > 4. syntax constructor: can be done in constructor[:]
> > way, with usage of interface= data minus dhcp excluded interfaces.
> 
> Sorry, I don't understand what you're suggesting here.

I mean it would be handy to re-use interface= option values (if any)
for dhcp-range construction.
Current syntax (br0 interface appears twice)
interface=br0
dhcp-range=::1,constructor:br0,...
Suggested syntax:
interface=br0
dhcp-range=::1,constructor,...
Reason - configuration simplification

Best Regards, Vladislav Grishenko






___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Additional feature requested for stateful DHCHv6 together with a 6RD-tunnel to the ISP

[Vladislav Grishenko]

Hi Simon,

constructor: stuff works well, and is useful not only for 6RD, but
for 6to4, upstream DHCPv6_PD also, and even for simplifying static addresses
configuration without dnsmasq restart. Great.
There's still some thought about:

1. DHCP stateless with dhcp-range=::1,constructor:br0,ra-stateless,64
Works with unneeded (in case of no DHCPv6 stateful) full address in log
dnsmasq-dhcp[9636]: DHCPv6 stateless on ::1 
dnsmasq-dhcp[9636]: router advertisement on ::1, template for br0
dnsmasq-dhcp[9636]: DHCPv6 stateless on ::::1
dnsmasq-dhcp[9636]: router advertisement on ::::,
constructed for br0
For dhcp stateless, only prefix should be used/shown, imho

2. DHCP stateless with dhcp-range=::,constructor:br0,ra-stateless,64
I.e empty prefix before construction, this is not working at all. Neither
with 64 prefix, nor without (it's 64 by default, and resetting to 0, if
prefix is empty in options.c)

3. Only new addresses on interface trigger recalculation.
This works for scenarios:
1. Del old address from interface
2. Add new address on interface => only new is announced now
And this is not work well with backorder scenario:
1. Add new address on interface => both addresses are announced
2. Del old address from interface => nothing happens
If address is deleted, shouldn't it became deprecated for announcing (ra)?
Haven't played with address deprecation instead of deletion yet.

4. syntax constructor: can be done in constructor[:] way,
with usage of interface= data minus dhcp excluded interfaces.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Friday, January 11, 2013 4:24 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Additional feature requested for stateful
> DHCHv6 together with a 6RD-tunnel to the ISP
> 
> I meant to say in my last reply that the new constructor: mode only
currently
> works on Linux. I need a *BSD networking guru to help me with the BSd
> equivalent of the netlink-foo used to make it all happen.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] RA support in dnsmasq

[Vladislav Grishenko]

Hi Gene,
Instead of deprecating/turning-off logging by facility, it would be better
to have ability to tune loglevel for each sysbsystem.
Like following: where 0 means 
log-level=dhcp,dhcpv6,6,dns,7,ra,-1

Best Regards, Vladislav Grishenko


> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Gene Czarcinski
> Sent: Sunday, November 25, 2012 9:31 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] RA support in dnsmasq
> 
> On 11/24/2012 11:20 AM, Gene Czarcinski wrote:
> > OK, I am using both "ra-only" and "enable-ra" in a couple of libvirt
> > dnsmasq instances.
> >
> > 1.  I am getting a lot of "clutter" in syslog.  How about using
> > log-dhcp to also enable all of the "RTR-ADVERT" messages.  There are a
> > lot of them but they really provide little if any useful information.
> > That is, add:
> >   if (option_bool(OPT_LOG_OPTS))
> >
> > 2.  I am getting a lot of RTR-ADVERT messages.  I know it is suppose
> > to start off frequently but then slow up to a much less frequent
> > period (intervals of seconds).  I thought this was a problem but then
> > I looked into radvd and it also issues advertisements often so I
> > assume things are working properly. However, I am concerned that all
> > those syslog messages will lead others to suspect a problem where
> > there is none.
> >
> > 3. Similar to radvd, should there be some dnsmasq parameters which are
> > used to specify how often RAs will be issued?
> >
> OK, I am going to slightly increase the scope of this.  Simon, how
receptive
> are you to adding a "couple" of new options to enable/disable some
logging.
> 
> 1. log-ra to enable RA logging which, by default, is disabled.  This would
be its
> own option and not related to log-dhcp.
> 
> 2. log-dhcp-renew to enable the log messages about renewing DHCP
> requests which would, by default, be disabled.
> 
> The messages from both of these currently run as if they were disabled.
> Since I am running/testing using dnsmasq's RA services, I first noticed
all of
> the RA related messages and would like them to be normally suppressed.
> 
> Apparently other libvirt users noticed the dhcp-renew messages and don't
> wish to see them either.
> 
> If you are receptive, I will do the heavy lifting but I would like to see
this in
> 2.64 if there is possibly enough time.
> 
> Gene
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Improve DHCP stateless support

[Vladislav Grishenko]

Hi Simon,

As I wrote bofore, it's impossible to setup dnsmasq to do only DHCPv6
stateless and to not depend on interface/config addresses/prefixes.
DHCPv6 stateless mode should not care about address allocation, but dnsmasq
code enforces it with ra-stateless and even static.
Suggested patch allows to setup DHCPv6 static range up to ::/0, what means
every and any client will be served with stateless options like DNS, etc.

Following example enables DHCPv6 stateless information allocation for any
requesting client (after interface/address filtering, if set), including
DNSv6 derived from current interface address, DNSv6 search list and
information-refresh time to prevent obsolete data usage on clients for the
default time value (86400).
Clients get autonomous prefixes and default route via RA (radvd) with O bit
(AdvOtherConfigFlag) set.
No dnsmasq restart is needed in case of prefixes and listening interface
address changes.

dhcp-range=::,::,static,0
dhcp-option=option6:23,[::]
dhcp-option=option6:24,example.com
dhcp-option=option6:32,600

Known bug: information-request messages handling lacks of full tag support,
including ra-stateless, static ranges.
Only interface name and DHCPv6 tag will be added, whatever they were set for
range. DNSv6 option will be used in any case (if set), but any others with
tags - will not.
Fixing it is highly useful, but is out of the subject scope.
Test case:

dhcp-range=set:lan,::,::,static,0
dhcp-option=tag:lan,option6:23,[::]
dhcp-option=tag:lan,option6:24,example.com
dhcp-option=tag:lan,option6:32,600

Refer patch attached.

Best Regards, Vladislav Grishenko
ICQ: 303357
MSN: themi...@mail.ru
Skype: the.miron



0001-Relax-static-dhcpv6-ranges-up-to-0.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] It works: multiple dnsmasqs running

[Vladislav Grishenko]

Refer patch attached (against current git)

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Vladislav Grishenko [mailto:themi...@mail.ru]
> Sent: Sunday, October 14, 2012 3:51 PM
> To: 'Gene Czarcinski'; 'dnsmasq-discuss@lists.thekelleys.org.uk'
> Subject: RE: [Dnsmasq-discuss] It works: multiple dnsmasqs running
> 
> Hi Gene, Simon,
> 
> I'm using similar patch for a couple of months already.
> Works fine, hadn't time to send it here yet.
> 
> As for V6ONLY, with wildcarding and without this socket will listen for
IPv4
> messages too on 547 port, nut not sure v6-mapped addresses will pass
> checks there.
> Anyway, behavior is externally controlled by sysctl net.ipv6.bindv6only,
so,
> it's better to set the flag, just in case.
> 
> Best Regards, Vladislav Grishenko
> 
> > -Original Message-
> > From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> > discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Gene Czarcinski
> > Sent: Sunday, October 14, 2012 1:45 AM
> > To: dnsmasq-discuss@lists.thekelleys.org.uk
> > Subject: Re: [Dnsmasq-discuss] It works: multiple dnsmasqs running
> >
> > On 10/13/2012 02:39 PM, Gene Czarcinski wrote:
> > > I still have the setting of IPV6_V6ONLY and I do not know if this is
> > > needed.  I will try and run some tests without it and see if it
> > > still works.
> > Tested: not needed.
> >
> > Gene
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


0001-Allow-multiple-dnsmasq-instances-and-fix-DHCPv6-sock.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] It works: multiple dnsmasqs running

[Vladislav Grishenko]

Hi Gene, Simon,

I'm using similar patch for a couple of months already.
Works fine, hadn't time to send it here yet.

As for V6ONLY, with wildcarding and without this socket will listen for IPv4
messages too on 547 port, nut not sure v6-mapped addresses will pass checks
there.
Anyway, behavior is externally controlled by sysctl net.ipv6.bindv6only, so,
it's better to set the flag, just in case.

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Gene Czarcinski
> Sent: Sunday, October 14, 2012 1:45 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] It works: multiple dnsmasqs running
> 
> On 10/13/2012 02:39 PM, Gene Czarcinski wrote:
> > I still have the setting of IPV6_V6ONLY and I do not know if this is
> > needed.  I will try and run some tests without it and see if it still
> > works.
> Tested: not needed.
> 
> Gene
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Use IP family for initial setup logging

[Vladislav Grishenko]

Hi,
Initial setup logging is a bit inconsistent for DHCP/DHCPv6,
Patch add actual IP family usage for stateless, static, proxy and range
messages

Before:
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq-dhcp: DHCP, IP range 192.168.10.101 -- 192.168.10.254, lease time 1d
dnsmasq-dhcp: DHCP, IP range 2001:db8::1 -- 2001:db8::1255, lease time 1d
dnsmasq-dhcp: stateless DHCPv6 on 2001:db8::
dnsmasq-dhcp: SLAAC on 2001:db8:: prefix valid 1d

After:
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq-dhcp: DHCP, IP range 192.168.10.101 -- 192.168.10.254, lease time 1d
dnsmasq-dhcp: DHCPv6, IP range 2001:db8::1 -- 2001:db8::1255, lease time 1d
dnsmasq-dhcp: DHCPv6 stateless on 2001:db8::
dnsmasq-dhcp: SLAAC on 2001:db8:: prefix valid 1d

Best Regards, Vladislav Grishenko



Use-IP-family-for-initial-setup-logging.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] [PATCH] Avoid false netlink errors logging

[Vladislav Grishenko]

Hi all,

Commit 54dd393f [PATCH] Add --bind-dynamic introduced regression.
Netlink errors with actual success status gets logged as errors.
Patch fixes that by checking status, as it was before 54dd393f, could be
applied to current git.

Best Regards, Vladislav Grishenko



Avoid-false-netlink-errors-logging.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] НА: dnsmasq 2.61 no periodic RA's and sendto errors

[Vladislav Grishenko]

Jim, make sure you're using enable-ra in your config

Best regards, Vladislav Grishenko

- Reply message -
От: "Jim Bos" 
Кому: "Simon Kelley" 
Копия: "Vladislav Grishenko" , 

Тема: dnsmasq 2.61 no periodic RA's and sendto errors
Дата: вс, май 13, 2012 22:29


On 05/12/2012 04:34 PM, Simon Kelley wrote:
> On 11/05/12 15:16, Vladislav Grishenko wrote:
>> Hi Simon,
>>
>> dnsmasq 2.61 has couple of issues:
>> 1. No Router Advertisement and corresponding syslog sendto error when
>> replying on Router Solicitation from Windows XP and possible other OSes
>> It's caused by absence of source IPv6 address in RS packet, what is
>> allowed
>> by RFC if host's interface doesn't acquired valid link-local yet
>> In this case RA should be sent to all nodes multicast address (sources
>> has
>> ALL_HOSTS define, which has a bit different meaning)
>> 2. For non-slaac modes periodic RA doesn't work because next RA event
>> could
>> be reset by empty next slaac event
>> Actually it could work only for the first time, if additional random
>> delay
>> is 0.
>>
>> Patches attached.
>>
>> Best Regards, Vladislav Grishenko
>>
>>
> 
> Many thanks. That solves the mystery of the sometime-missing periodic
> RAs. I was aware that could sometime happen, but hadn't reproduced the
> problem.
> 
> I've put out 2.62test1 with these fixes in place. This probably needs
> another release, but I'll leave it a week or two in case any other
> regressions come to light in 2.61.
> 
> Jim, I'm pretty sure this is the fix for you problem.
> 
> Cheers,
> 
> Simon.
> 

I tried the patches already but unfortunately still don't get RA's. But
note I'm using SLAAC-only and the patch seem to be for non-slaac cases.
 I'll see if I can try an almost empty config file on another PC to
exclude any specific problem on my router.

=
Jim

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61 no periodic RA's and sendto errors

[Vladislav Grishenko]

Thanks, Simon.
Now, the only noticeable thing to go is configurable RA periodical interval
values
Rfc2461 introduces:
MaxRtrAdvInterval:  valid range [4 .. 1800], default 600 seconds
MinRtrAdvInterval:  valid range [3 .. 3/4 * MaxRtrAdvInterval], default
1/3 * MaxRtrAdvInterval
AdvDefaultLifetime: valid range 0, [MaxRtrAdvInterval .. 9000], default
3 * MaxRtrAdvInterval

So, probably enable-ra syntax needs to be expanded, something like
enable-ra,[MaxRtrAdvInterval],[MinRtrAdvInterval],[AdvDefaultLifetime]
If AdvDefaultLifetime and/or MinRtrAdvInterval are not specified - just
calculate them from specified/default MaxRtrAdvInterval.
This will make configuration more handy for sure.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Saturday, May 12, 2012 8:35 PM
> To: Vladislav Grishenko
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk; Jim Bos
> Subject: Re: dnsmasq 2.61 no periodic RA's and sendto errors
> 
> On 11/05/12 15:16, Vladislav Grishenko wrote:
> > Hi Simon,
> >
> > dnsmasq 2.61 has couple of issues:
> > 1. No Router Advertisement and corresponding syslog sendto error when
> > replying on Router Solicitation from Windows XP and possible other
> > OSes It's caused by absence of source IPv6 address in RS packet, what
> > is allowed by RFC if host's interface doesn't acquired valid
> > link-local yet In this case RA should be sent to all nodes multicast
> > address (sources has ALL_HOSTS define, which has a bit different
> > meaning) 2. For non-slaac modes periodic RA doesn't work because next
> > RA event could be reset by empty next slaac event Actually it could
> > work only for the first time, if additional random delay is 0.
> >
> > Patches attached.
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> 
> Many thanks. That solves the mystery of the sometime-missing periodic RAs.
> I was aware that could sometime happen, but hadn't reproduced the
> problem.
> 
> I've put out 2.62test1 with these fixes in place. This probably needs
another
> release, but I'll leave it a week or two in case any other regressions
come to
> light in 2.61.
> 
> Jim, I'm pretty sure this is the fix for you problem.
> 
> Cheers,
> 
> Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] dnsmasq 2.61 no periodic RA's and sendto errors

[Vladislav Grishenko]

Hi Simon,

dnsmasq 2.61 has couple of issues:
1. No Router Advertisement and corresponding syslog sendto error when
replying on Router Solicitation from Windows XP and possible other OSes
It's caused by absence of source IPv6 address in RS packet, what is allowed
by RFC if host's interface doesn't acquired valid link-local yet
In this case RA should be sent to all nodes multicast address (sources has
ALL_HOSTS define, which has a bit different meaning)
2. For non-slaac modes periodic RA doesn't work because next RA event could
be reset by empty next slaac event
Actually it could work only for the first time, if additional random delay
is 0.

Patches attached.

Best Regards, Vladislav Grishenko




0001-fix-RA-sendto-error-in-case-of-answering-to-RS-witho.patch
Description: Binary data


0002-cosmetics-use-ALL_NODES-as-defined-in-rfc4861.patch
Description: Binary data


0003-fix-periodical-RA-for-all-non-slaac-only-cases.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Jan Seiffert
> Sent: Monday, March 26, 2012 3:04 AM
> To: dnsmasq discussion list
> Subject: Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues
> 
> 2012/3/25 Simon Kelley :
> > On 25/03/12 14:21, Vladislav Grishenko wrote:
> >>> From: Simon Kelley
> [snip]
> >>> The 6to4 case, maybe more useful.
> >>> But is 6to4 going to be used much in the real world?
> >> I'd say 6to4 is the only easy solution for end-users at the moment
> >> whose ISP doesn't allow any IPv6.
> >> If they uses some kind of CPE in router mode with dnsmasq on-board
> >> and want to use IPv6 too, it makes sense.
> >> Frankly speaking, in Russia/UA the majority ISP doesn't offer IPv6
> >> connectivity at all.
> >
> > That's true in most places. Very few UK ISPs offer IPv6. Most people I
> > know what want it use a 6in4 tunnel via a tunnel broker. I'm using
> > Sixxs and it works very well. 6to4 has a bad reputation, partly
> > because it comes with asymmetric routing.
> >
> > I think most people will not get IPv6 until their ISP offers it.
> >
> 
> Don't forget 6RD. It's basically 6to4, but with another, ISP-specific,
> IPv6 prefix. the ISP "Free" in France uses it to deploy IPv6 to all it's 
> customer
> AFAIK.
> The idea is that you don't need any new HW in the
> backbone/BRAS/whatever, the ISP only deploys new firmware to it's CPEs (if
> they already can talk 6to4, it's a 150 line change to allow arb.
> prefixes, see http://patchwork.ozlabs.org/patch/34121/), and the
> "asymmetric" 6to4 Routers are under the control (and SLAG and whatnot) of
> the ISP, some extra boxes without ties to the other HW.

Actually 6to4 is subset of 6RD with preset 2002:: prefix and 32bit of ipv4 
address length.
So, talking about 6to4 as more common solution with dynamic IPv4 , ISP's 6RD is 
assumed too.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

Sure, will look and update you ASAP
Thanks

Best Regards, Vladislav Grishenko

> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Monday, March 26, 2012 1:58 AM
> To: Vladislav Grishenko
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues
> 
> 
> Please could you look at 2.61test8, in the usual places now?
> 
> I wrote a long email detailing the various orthogonal config options and
which
> combinations were useful, which helped my thoughts enormously, but
> probably didn't make things clear for anyone else.
> 
> Note that I've not updated the man pages or examples yet, but here are
> examples of all the things that might be useful.
> 
> 
> Do DHCPv6 on subnets, do router advertisements on these subnets with M
> and O bits set and A bit not set, so that no SLAAC addresses used.
> enable-ra
> dhcp-range=1234::100, 1234::200
> dhcp-range=2345::100, 2345::200
> 
> As above, but for this subnet, set A bit so clients use SLAAC addresses as
well
> dhcp-range=1234::100, 1234::200, slaac
> 
> 
> Don't do DHCPv6 on subnet, only RA. M and O bits clear, A bit set dhcp-
> range=1234::, ra-only
> 
> As above, but also use DHCPv4-derived names for SLAAC addresses dhcp-
> range=1234::, ra-names.
> 
> 
> Do stateless DHCPv6 and RA on subnet. clear M bit, set O and A bits dhcp-
> range=1234::, ra-stateless
> 
> As above, but also use DHCPv4 derived names dhcp-range=1234::, ra-
> stateless, ra-names
> 
> It came together quite well, I think..
> 
> 
> Cheers,
> 
> Simon.



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

> From: Simon Kelley
> Sent: Sunday, March 25, 2012 7:48 PM

> > 3.Periodic RA isn't working, because alarm code goes into (dhcp ||
> > dhcp6) path and don't trigger RA alarms
> 
>  This code does that, I think.
> 
>  #ifdef HAVE_DHCP6
>   else if (daemon->ra_contexts)
> /* Not doing DHCP, so no lease system, manage alarms for
>  ra
> >>> only */
>   send_alarm(periodic_ra(now), now); #endif
> >>>
> >>> Yes, but it "else" condition of (damon->dhcp || daemon->dhcp6).
> >>> In my case and example, damon->dhcp is enabled, so periodic_ra will
> >>> not be executed as expected several times while first minute.
> >>
> >> In the damon->dhcp || daemon->dhcp6 case, send_alarm is called from
> >> lease_update_file, since the first event in the future might be a
> >> lease
> > expiry,
> >> or it might be an RA multicast.
> >
> > Got it, unfortunately under some circumstances there'll be neither
> > incoming router solicitations nor immediate dhcp leases expiration to
> trigger RA.
> > Example: big dhcpv4 leases ~ week to not stress network, dnsmasq
> > restart due reboot/etc, clients connected via 3 network switches
> > dnsmasq - [switch1] - [switch2] - [switch3] - IPV6 only clients.
> > If switch 2 is temporary off, dnsmasq and clients see the links up and
> > therefore take no action, so RA packets could be either not
> > originated/ or just lost.
> > That means RA timers should work independent to other dhcp/dhcp6
> > events, especially if the last ones are quite long.
> 
> They do. Check the code at the end of lease_update_file()
> 
> It find the shortest of
> time to next RA
> time to next ICMP6 for SLAAC-confirm
> time to next lease expiry
> LEASE_RETRY - if the leasefile write failed.
> 
> and sets the alarm to the time to first event.
> 
> 
> >
> > Only other netlink/dhcpv4 events could trigger it. Also, even if
> > fixed event logic leads to DHCP leases rewrite on every RA event
> > by
> >> design.
> >>
> >> It shouldn't. There'd a check in lease_update_file of the file_dirty
flag.
> >
> > Yep, really. Thanks for pointing out.
> >
> >> The 6to4 case, maybe more useful.
> >> But is 6to4 going to be used much in the real world?
> > I'd say 6to4 is the only easy solution for end-users at the moment
> > whose ISP doesn't allow any IPv6.
> > If they uses some kind of CPE in router mode with dnsmasq on-board and
> > want to use IPv6 too, it makes sense.
> > Frankly speaking, in Russia/UA the majority ISP doesn't offer IPv6
> > connectivity at all.
> 
> That's true in most places. Very few UK ISPs offer IPv6. Most people I
know
> what want it use a 6in4 tunnel via a tunnel broker. I'm using Sixxs and it
works
> very well. 6to4 has a bad reputation, partly because it comes with
> asymmetric routing.
> 
> I think most people will not get IPv6 until their ISP offers it.

Asymmetric routing can't be treated as bad-only, it has dual effect that
makes lower RTT also possible, comparing to 6in4/gogo6/etc tunnels per
countries. I'd say it's geo-dependent.
Anyway, 6to4 pro and cons discussing is out of the subject, the fact is it's
still more than widely used and will be used tomorrow and even the day after
tomorrow.
Personally I can't force users avoid to use tunnels just because it's
theoretically worse than native IPv6 connections, which are just not
available. Not a perfect world, yeah.

> > But, there's no other easy way to get runtime clients stats including
> > expiration (actually, preferred remaining) time with HAVE_BROKEN_RTC.
> > With udpcpd it can be done via dumpleases or just to read & parse
> > udhcpd's lease file and I was hoping for the same approach for dnsmasq.
> > Leases get read by request, so triggering actual lease file write
> > isn't the problem (used signal), the problem is no expiration/remaining
> time.
> 
> Use a dhcp-script. That has the the information you need in the
environment
> variable DNSMASQ_TIME_REMAINING.
> 
> If you don't want to store the data persistently, then send SIGHUP to
> dnsmasq and it will call the script on all existing leases with an "old"
> event.

Thanks, that was the documented way,
Script support gives +10Kb to dnsmasq size, corresponding script binding and
asymmetric of per-lease recording add more complexity.
So, I was thinking  just about to add another one parameter to dnsmasq
leases file with remaining time. Code is shared for RTC and BROKEN_RTC,
costs almost nothing to size, and for second case it would fix lease
prolongation issue as well. Of course, I can use it for my purposes only,
just let you know about.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

> From: Simon Kelley
> Sent: Sunday, March 25, 2012 6:17 PM

> >>> 3.Periodic RA isn't working, because alarm code goes into (dhcp ||
> >>> dhcp6) path and don't trigger RA alarms
> >>
> >> This code does that, I think.
> >>
> >> #ifdef HAVE_DHCP6
> >>  else if (daemon->ra_contexts)
> >>/* Not doing DHCP, so no lease system, manage alarms for
> >> ra
> > only */
> >>  send_alarm(periodic_ra(now), now); #endif
> >
> > Yes, but it "else" condition of (damon->dhcp || daemon->dhcp6).
> > In my case and example, damon->dhcp is enabled, so periodic_ra will
> > not be executed as expected several times while first minute.
> 
> In the damon->dhcp || daemon->dhcp6 case, send_alarm is called from
> lease_update_file, since the first event in the future might be a lease
expiry,
> or it might be an RA multicast.

Got it, unfortunately under some circumstances there'll be neither incoming
router solicitations nor immediate dhcp leases expiration to trigger RA.
Example: big dhcpv4 leases ~ week to not stress network, dnsmasq restart due
reboot/etc, clients connected via 3 network switches
dnsmasq - [switch1] - [switch2] - [switch3] - IPV6 only clients.
If switch 2 is temporary off, dnsmasq and clients see the links up and
therefore take no action, so RA packets could be either not originated/ or
just lost.
That means RA timers should work independent to other dhcp/dhcp6 events,
especially if the last ones are quite long.

> >>> Only other netlink/dhcpv4 events could trigger it. Also, even if
> >>> fixed event logic leads to DHCP leases rewrite on every RA event by
> design.
> 
> It shouldn't. There'd a check in lease_update_file of the file_dirty flag.

Yep, really. Thanks for pointing out.

> The 6to4 case, maybe more useful.
> But is 6to4 going to be used much in the real world?
I'd say 6to4 is the only easy solution for end-users at the moment whose ISP
doesn't allow any IPv6.
If they uses some kind of CPE in router mode with dnsmasq on-board and want
to use IPv6 too, it makes sense.
Frankly speaking, in Russia/UA the majority ISP doesn't offer IPv6
connectivity at all.

> > Don't you find this trade-off between totally inaccurate lease time
> > and almost accurate with expections - as acceptable?
> 
> Yes. It would be unacceptable if the leases turned out shorter than
> promised, but this can only  make the leases longer. When a client gets a
> lease, it gets a promise that the address ins available for x hours.
> Increasing the time before the lease expires can only be a problem if
there's
> a shortage of addresses, so that addresses cannot be reused. In most
cases,
> the DHCP server will be up much longer than the lease time, so the effect
is
> small. If the DHCP server goes down often, the solution is to reduce the
lease
> time. Reducing the frequency of writes to flash is important.

Ok, that's true, it doesn't harm.
But, there's no other easy way to get runtime clients stats including
expiration (actually, preferred remaining) time with HAVE_BROKEN_RTC.
With udpcpd it can be done via dumpleases or just to read & parse udhcpd's
lease file and I was hoping for the same approach for dnsmasq.
Leases get read by request, so triggering actual lease file write isn't the
problem (used signal), the problem is no expiration/remaining time.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Saturday, March 24, 2012 8:31 PM
> 
> On 23/03/12 22:36, Vladislav Grishenko wrote:
> >
> > Usually it's done by specifying Other bit in RA, while Managed is
> > switched off. This allows host to configure address from the prefix,
> > but ask DNS, Domain, etc via DHCPv6.
> >
> 
> Thanks for your issues list below: I'll go through them in the next day or
two,
> but I can already see that 4) at least is a real bug.
> 
> It's worth saying that the RA support in dnsmasq is _not_ meant to be a
> complete implementation. It started as  an easy way to do the minimum
> required to be able to to DHCP, and has expanded a bit since then, but for
a
> completely flexible RA implementation, it's intended that radv or similar
will
> be used.
>
> Also, IPv6 is quite new to most people, me included, and so we're still
> learning what actual features will be used in practice. This is not really
known
> yet by anyone (see the IETF homenet working group for details). I don't
want
> to implement the whole of every possible facility that's been defined by
the
> rampant second system effect. that would bloat dnsmasq to much and it's
> supposed to be small.

More than agree, I respect your position and thanks for the effort.
But, it was quite expected that RA support improvement is about to be asked
just because it exists already in sub-minimal form,
So, just a matter of time, I guess.

> That said, I think SLAAC+stateless DHCPv6 is a mode I want to support, and
it
> isn't supported at the moment, you're right.

Ok, this solution is quite common until all possible clients/hosts are
dhcpv6-statful-aware.

> > Unfortunately, this config is quite impossible now, refer issues list:
> >
> > 1.M+O bits are set if dhcv6 enabled only, and no bits set, if disabled.
> > That means bits is always cleared with ra-only/ra-names, no matter set
> > dhcp6 options or not.
> >
> > 2.Dhcp6 options without range will not create contexts, therefore
> > dnsmasq doesn't listen dhcp6 requests. So, without this pt.1
> > enhancement is pointless.
> >
> 
> A way to do this is is have a "real" dhcp range, as well as the ra-only
one. The
> will  solve at least some of these problems. The M+O bits will both be
set, but
> DHCPv6 requests for stateless options will be honoured.

You mean different prefixes? Hosts should ignore RA prefix if there's
managed bit set.

> There's no way to set only the O bit, I'll think about how to do that.

Probably, ra-only/ra-names syntax can could be replaced with
slaac/dhcp6-stateless/dhcp-statefull form..
Can't say about the best solution which natively fits conf syntax.

> > 3.Periodic RA isn't working, because alarm code goes into (dhcp ||
> > dhcp6) path and don't trigger RA alarms
> 
> This code does that, I think.
> 
> #ifdef HAVE_DHCP6
>  else if (daemon->ra_contexts)
>/* Not doing DHCP, so no lease system, manage alarms for ra
only */
>  send_alarm(periodic_ra(now), now); #endif

Yes, but it "else" condition of (damon->dhcp || daemon->dhcp6).
In my case and example, damon->dhcp is enabled, so periodic_ra will not be
executed as expected several times while first minute.

> > Only other netlink/dhcpv4 events could trigger it. Also, even if fixed
> > event logic leads to DHCP leases rewrite on every RA event by design.
> 
> I'm not sure I follow that. How?

In ra_init first next event(s) are set to now or a bit ahead of ra_time.
At the dhcp/netlink alarm moment they could be in the past and therefore
just executed without any new ra alarm rearm.
This causes only post-check of ra conext timers.

> > About prefix lifetimes, you refer rfc2462 in the code which is
> > obsoleted by rfc4862.
> > 2 hours rules is only about Valid Lifetime, but Preferred Lifetime
> > might be and usually is much smaller in dynamic v6 prefix environments.
> > The problem is dnsmasq doesn't use separate valid/preferred values,
> > this leads to default gateway lost issue due some "server"
> > reconfiguration when client still threat 2h prefix is valid and
preferred.
> 
> This is a bigger problem: how to support hitless network re-numbering.
> I'll tackle it if it becomes clear that it's actually needed for the sort
of
> applications dnsmasq gets used for. At the moment it's not clear it will
be.

I can say that dnsmasq is widely used in embedded CPEs with wide range of
IPv6 upstream types.
Two cases really require the inner network renumbering 

[Dnsmasq-discuss] dnsmasq 2.61test7 & RA issues

[Vladislav Grishenko]

Hi Simon,

 

Latets git (2.61test7) brings several RA issues,

My configuration (simplified):

HAVE_DHCP, HAVE_DHCPv6, HAVE_BROKEN_RTC

interface=br0

dhcp-range=192.168.1.101,192.168.1.254,86400

dhcp-range=2001:470::::,ra-only,64,2h

dhcp-option=option6:23,[::]

 

I was trying to setup dual-stack environment with IPv6 SLAAC and DNS via
DHCPv6

Usually it's done by specifying Other bit in RA, while Managed is switched
off. This allows host to configure address from the prefix, but ask DNS,
Domain, etc via DHCPv6.

 

Unfortunately, this config is quite impossible now, refer issues list:

1.  M+O bits are set if dhcv6 enabled only, and no bits set, if
disabled. That means bits is always cleared with ra-only/ra-names, no matter
set dhcp6 options or not.

2.  Dhcp6 options without range will not create contexts, therefore
dnsmasq doesn't listen dhcp6 requests. So, without this pt.1 enhancement is
pointless.

3.  Periodic RA isn't working, because alarm code goes into (dhcp ||
dhcp6) path and don't trigger RA alarms

Only other netlink/dhcpv4 events could trigger it. Also, even if fixed event
logic leads to DHCP leases rewrite on every RA event by design.

4.  Router Solicitation messages doesn't trigger send RA, due 2 reasons:
icmp6fd isn't in read fdset , and icmp6fd socket isn't joined to ALL_ROUTERS
group.

All this because there's no dhcp6 context configured for ra-only/ra-names

 

About prefix lifetimes, you refer rfc2462 in the code which is obsoleted by
rfc4862.

2 hours rules is only about Valid Lifetime, but Preferred Lifetime might be
and usually is much smaller in dynamic v6 prefix environments.

The problem is dnsmasq doesn't use separate valid/preferred values, this
leads to default gateway lost issue due some "server" reconfiguration when
client still threat 2h prefix is valid and preferred.

 

Not related to subject, but have to say.

With HAVE_BROKEN_RTC lease file doesn't contain expire time, but length,
which is constant.

So, after restart/reload all leases get prolonged lease time, and possibly
never expired then.

Solution is quite simple - store not only lease length, but calculated
remaining time too. With this values it's possible to correct count all
previous timings.

 

Best Regards, Vladislav Grishenko

ICQ: 303357

MSN: themi...@mail.ru

Skype: the.miron

 

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Cunning plan, or hideous hack?

[Vladislav Grishenko]

Oh yes, misread, sorry.

> There are a lot of clients in the world now (eg all
> Android phones, at least per-ICS) which don't use privacy extensions and
> can't do DHCPv6 or don't do it by default. This hack is useful for those.

Got it, afaik Android devices, in general, use Android_%15d as dhcp name
template, and most of them don't allow to configure it.
Privacy-enabled SLAAC hosts (all Windows from XP uses that by default)
either will use DHCPv6 or will jammed.
This means, if enabled, ra-dhcpv4-name hack will be useful in rare cases and
unreliable in common.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Thursday, March 08, 2012 8:47 PM
> To: Vladislav Grishenko
> Cc: Dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Cunning plan, or hideous hack?
> 
> On 08/03/12 13:52, Vladislav Grishenko wrote:
> > Hi Simon,
> > With enabled IPv6 privacy extensions, the OS generates address by
> > combining advertised prefix and random host id, definitely not MAC-
> derived.
> > So, there's no any way to know host address, even if a "server" knows
> > prefix and client's MAC, and any attempts to do this is a kind of
> > hack, which is not supposed to work.
> 
> That's true, and I think I said so in my original mail. The only client on
my
> wireless network at the moment which uses privacy extensions by default is
> my daughter's Win 7 Laptop. That can be configured to use
> DHCPv6 if necessary. There are a lot of clients in the world now (eg all
> Android phones, at least per-ICS) which don't use privacy extensions and
> can't do DHCPv6 or don't do it by default. This hack is useful for those.
> 
> Simon.



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Cunning plan, or hideous hack?

[Vladislav Grishenko]

Hi Simon,
With enabled IPv6 privacy extensions, the OS generates address by combining
advertised prefix and random host id, definitely not MAC-derived.
So, there's no any way to know host address, even if a "server" knows prefix
and client's MAC, and any attempts to do this is a kind of hack, which is
not supposed to work.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Thursday, March 08, 2012 5:09 PM
> To: Dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] Cunning plan, or hideous hack?
> 
> As part the DHCPv6 work, I've fully enabled my home network for IPv6.
> The workstation machines on my wired subnet are now running DHCPv6 and
> get leases from dnsmasq. Their IPv6 addresses are now in the local DNS in
> just the same way as has always worked with DHCPv4 DNS and DHCP.
> 
> I also have a wireless network, and on that I've not enabled DHCPv6, just
> Router Advertisements, via the "ra-only" keyword. Hence, clients on that
> network get a SLAAC, MAC-derived IPv6 address which is not in the DNS.
> 
> Since all these clients are dual-stack or IPv4-only, they do get DHCPv4
leases
> and names in the IPv4-DNS.
> 
> It occurs to me that dnsmasq has all the information it needs to put the
> SLAAC addresses into the DNS. From the IPv4 DHCP lease it knows the name
> of the client, which network segment it's on and it's MAC address. The
"ra-
> only" DHCP ranges tell dnsmasq the IPv6 subnet(s) corresponding to the
> network segment, so combining this with the MAC address gives the SLAAC
> address, ready to put into the DNS as an  record along with the name.
> 
> I've implemented this, and it works well: my Ubuntu netbook and Android
> phone now have IPv6 names. (Andoid 2 has no DHCPv6 support.)
> 
> The downside is for clients which don't do IPv6 at all, or use privacy
> extensions. They end up with  records pointing to the SLAAC address,
> which is wrong and could end-up delaying fall-back to IPv4. This has not
yet
> been a problem in practise.
> 
> I don't want to enable this by default, so I've added a new keyword, "ra-
> names" to enable RA on a subnet plus the SLAAC names hack, thus
> 
> --dhcp-range=1234::1, ra-names
> 
> Is this a good idea, or am I blinded by my own idea into implementing a
nasty
> hack? Opinions?
> 
> Cheers,
> 
> Simon.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6 duid gen

[Vladislav Grishenko]

> On 01/03/12 11:40, Vladislav Grishenko wrote:
> >> I wonder if the solution might be to just have a duid-override
> >> =, configuration which suppresses
> >> storing anything in the lease file  and
> > just
> >> uses a type-2 DUID in the obvious way?
> >
> > Ok, and it can be even more easy - allow specify u_int64_t value and
> > use it with DUID-LL+27 ether type (eui64).
> > duid-override=
> >
> >> configuration which suppresses storing anything in the lease file
> >> and
> > just
> >> uses a type-2 DUID in the obvious way?
> > Storing is allowed, but until reboot...
> 
> But then what do you do when the configred DUID conficts with the stored
> one?

Configured overrides stored, if you mean one stored in leases file. It's
quite expected, I guess

> > And what about traversing over ethernet-like interfaces only?
> > Actually, for me, it would be more handy than to implement own duid
> > generation and storing it in conf.
> > The root issue was in sit (6to4 tunnels) interfaces, which has no
> > hwaddr to be used as duid ll source.
> 
> I think the solution to that is to ignore interfaces with HW address type
>=
> 256. See /include/linux/if_arp.h for details.
> 
> OK?

Should be ok, depite too small hwaddr length of some protos, like ARCNET,
LTALK 



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6 duid gen

[Vladislav Grishenko]

> I wonder if the solution might be to just have a
> duid-override = , 
> configuration which suppresses storing anything in the lease file  and
just
> uses a type-2 DUID in the obvious way?

Ok, and it can be even more easy - allow specify u_int64_t value and use it
with DUID-LL+27 ether type (eui64).
duid-override=

> configuration which suppresses storing anything in the lease file  and
just
> uses a type-2 DUID in the obvious way?
Storing is allowed, but until reboot...

And what about traversing over ethernet-like interfaces only?
Actually, for me, it would be more handy than to implement own duid
generation and storing it in conf.
The root issue was in sit (6to4 tunnels) interfaces, which has no hwaddr to
be used as duid ll source.

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Thursday, March 01, 2012 5:16 PM
> To: Vladislav Grishenko
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: dhcpv6 duid gen
> 
> On 29/02/12 23:26, Vladislav Grishenko wrote:
> > Little additions:
> >
> >> Allowing to specify from options would be useful too, eg. for
> >> multiple dnsmasq instances
> >
> > Per RFC3315 "A DHCP client that generates a DUID-LLT using this (using
> > sort
>^^^
> 
> > of time source) mechanism MUST provide an administrative interface
> > that replaces the existing DUID with a newly-generated DUID-LLT."
> >
> >
> 
>  >> Hmm, I wonder if
>  >> "stop dnsmasq, edit /var/lib/misc/dnsmasq.leases, start dnsmasq"
>  >> counts as an administrative interface?
> 
>  > sure doesn't. in embedded there's no persistent storage for such  >
files
> other than /tmp, so under some circumstances file can be lost >  >
(reboot,
> fast reinit, etc).
>  > due hashing, there's a kind of guarantee that dhcpv4 client will get  >
his
> leases back, but not for dhcpv6 guid.
> 
> 
> I wonder if the solution might be to just have a
> 
> duid-override = , 
> 
> configuration which suppresses storing anything in the lease file  and
just
> uses a type-2 DUID in the obvious way?
> 
> Cheers,
> 
> Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6 duid gen

[Vladislav Grishenko]

> Hmm, I wonder if
> "stop dnsmasq, edit /var/lib/misc/dnsmasq.leases, start dnsmasq"
> counts as an administrative interface?

sure doesn't. in embedded there's no persistent storage for such files other
than /tmp, so under some circumstances file can be lost (reboot, fast
reinit, etc).
due hashing, there's a kind of guarantee that dhcpv4 client will get his
leases back, but not for dhcpv6 guid.

> I'm sure that an implementation of RECONFIGURE will be done, but not for
> this release: I want to get the basics working first.

np, just fyi

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Thursday, March 01, 2012 4:03 PM
> To: Vladislav Grishenko
> Cc: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: dhcpv6 duid gen
> 
> On 29/02/12 23:26, Vladislav Grishenko wrote:
> > Little additions:
> >
> >> Allowing to specify from options would be useful too, eg. for
> >> multiple dnsmasq instances
> >
> > Per RFC3315 "A DHCP client that generates a DUID-LLT using this (using
> > sort of time source) mechanism MUST provide an administrative
> > interface that replaces the existing DUID with a newly-generated DUID-
> LLT."
> 
> Hmm, I wonder if
> 
> "stop dnsmasq, edit /var/lib/misc/dnsmasq.leases, start dnsmasq"
> 
> counts as an administrative interface?
> >
> >> This leads to a much more longer client renew, possibly authoritative
> > option
> >> could be used to avoid it, can't say now is it per RFC.
> >
> > Not allowed for server, but RECONFIGURE implementation could be handy,
> > including cases of changing options.
> 
> I'm sure that an implementation of RECONFIGURE will be done, but not for
> this release: I want to get the basics working first.
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> >
> > Best Regards, Vladislav Grishenko
> >


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] dhcpv6 duid gen

[Vladislav Grishenko]

Little additions:

> Allowing to specify from options would be useful too, eg. for multiple
> dnsmasq instances

Per RFC3315 "A DHCP client that generates a DUID-LLT using this (using sort
of time source) mechanism MUST provide an administrative interface that
replaces the existing DUID with a newly-generated DUID-LLT."

> This leads to a much more longer client renew, possibly authoritative
option
> could be used to avoid it, can't say now is it per RFC.

Not allowed for server, but RECONFIGURE implementation could be handy,
including cases of changing options. 

Best Regards, Vladislav Grishenko


> -Original Message-----
> From: Vladislav Grishenko [mailto:themi...@mail.ru]
> Sent: Thursday, March 01, 2012 5:07 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Cc: Simon Kelley (si...@thekelleys.org.uk)
> Subject: dhcpv6 duid gen
> 
> Hi, Simon
> 
> Currenly 2.60 uses first interface and its hw type as (time) link-layer
duid
> source with exceptions of loopback and ppp.
> RFC3315 says "The hardware type MUST be a valid hardware type assigned
> by the IANA, as described in RFC 826", which describes only 48bit-long
> ethernet addresses.
> So, if there's any kind non-ethernet interfaces in system, which has first
> index, dnsmasq duid generation is obviously wrong.
> Example - 6to4 tunnel interfaces
> sit0  Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-4D-62-00-00-00-00-00-
> 00-00-00
>   NOARP  MTU:1480  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:0
>   RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b) So, instead of checking
device flags,
> it's better to check against encap type and allow only ether&ieee802, like
> dhcp6s/wide-dhcpv6 do.
> Allowing to specify from options would be useful too, eg. for multiple
> dnsmasq instances,
> 
> Also, HAVE_BROKEN_RTC has issue, duid length and allocation should be
> equal to maclen+4, not maclen+8, because time bits are not used.
> Seems it's not a good idea to use LLT duid type now even with RTC
machines,
> because if lease file is lost and dnsmasq restarted, it will get new duid
and will
> ignore any renew requests completely.
> This leads to a much more longer client renew, possibly authoritative
option
> could be used to avoid it, can't say now is it per RFC.
> 
> Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] dhcpv6 duid gen

[Vladislav Grishenko]

Hi, Simon

Currenly 2.60 uses first interface and its hw type as (time) link-layer duid
source with exceptions of loopback and ppp.
RFC3315 says "The hardware type MUST be a valid hardware type assigned by
the IANA, as described in RFC 826", which describes only 48bit-long ethernet
addresses.
So, if there's any kind non-ethernet interfaces in system, which has first
index, dnsmasq duid generation is obviously wrong.
Example - 6to4 tunnel interfaces
sit0  Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-4D-62-00-00-00-00-00-00-00-00
  NOARP  MTU:1480  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
So, instead of checking device flags, it's better to check against encap
type and allow only ether&ieee802, like dhcp6s/wide-dhcpv6 do.
Allowing to specify from options would be useful too, eg. for multiple
dnsmasq instances,

Also, HAVE_BROKEN_RTC has issue, duid length and allocation should be equal
to maclen+4, not maclen+8, because time bits are not used.
Seems it's not a good idea to use LLT duid type now even with RTC machines,
because if lease file is lost and dnsmasq restarted, it will get new duid
and will ignore any renew requests completely.
This leads to a much more longer client renew, possibly authoritative option
could be used to avoid it, can't say now is it per RFC.

Best Regards, Vladislav Grishenko



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] 2.60rc2

[Vladislav Grishenko]

Sorry, really missed it.
Thanks

Best Regards, Vladislav Grishenko


> -Original Message-
> From: Simon Kelley [mailto:si...@thekelleys.org.uk]
> Sent: Thursday, March 01, 2012 3:49 AM
> To: Vladislav Grishenko
> Cc: 'dnsmasq discussion list'
> Subject: Re: [Dnsmasq-discuss] 2.60rc2
> 
> On 29/02/12 21:30, Vladislav Grishenko wrote:
> > Doesn't build with HAVE_BROKEN_RTC
> > Trivial fix attached
> 
> Many Thanks. You missed rc3 by one minute, so there's now
> 
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-
> 2.60rc4.tar.gz
> 
> which has this fix, and an adjustment to the nasty Makefile-portability
hack
> to make it work with GNU-make 3.82. That should fix the Gentoo problems.
> 
> 
> Cheers,
> 
> Simon.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] 2.60rc2

[Vladislav Grishenko]

Doesn't build with HAVE_BROKEN_RTC
Trivial fix attached

Best Regards, Vladislav Grishenko

> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Thursday, March 01, 2012 2:30 AM
> To: dnsmasq discussion list
> Subject: [Dnsmasq-discuss] 2.60rc2
> 
> A fruitful day moving towards a release. This addresses:
> 
> * Makefile problems on Gentoo. Preston, I'd be especially grateful if you
> could see if this works better.
> 
> * Documentation improvements for RA.
> 
> * Substitute local address for [::] DHCPv6 options, like DHCPv4.
> 
> * Lorenzo and John's --localise-queries bug.
> 
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-
> 2.60rc2.tar.gz
> 
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


0001-Fix-HAVE_BROKEN_RTC-build.patch
Description: Binary data
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Announce: release candidate dnsmasq-2.60rc1

[Vladislav Grishenko]

Same hit here, but due TOP variable is already exported from up-level
Makefile
I have source tree with packages and one general Makefile:

src/dnsmasq/...
src/Makefile
export TOP := $(shell pwd)
dnsmasq:
$(MAKE) -C $@

So, had to change it to $(MAKE) -C $@ TOP="$(TOP)/$@".
p.s Debian, GNU Make 3.81

Best Regards, Vladislav Grishenko


> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk [mailto:dnsmasq-
> discuss-boun...@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Wednesday, February 29, 2012 1:59 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Announce: release candidate dnsmasq-
> 2.60rc1
> 
> On 29/02/12 03:18, Preston Crow wrote:
> > I hit a Makefile issue (that wasn't there in dnsmasq-2.60test10):
> >
> > # pmake way to learn path of Makefile
> > TOP != echo `pwd`/
> > # GNU make way to learn path of Makefile TOP ?= $(shell pwd)
> >
> > This leads to:
> >
> > Makefile:38: *** missing separator. Stop.
> >
> > Apparently it doesn't like the first TOP line.
> >
> > I might be building it wrong. I'm using Gentoo Linux, and I copied and
> > tweaked the ebuild that I used for test10, which was copied and
> > tweaked from the ebuild for the previous release.
> >
> 
> Sigh. Writing portable makefiles is a thankless task. I tested this on
Gnu-make
> and BSD  make. What flavour/version on make are you using.
> 
> Related question: BSD people. Would you care if I gave up the fight and
> required GNU-make to build dnsmasq?
> 
> Cheers,
> 
> Simon.
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] dhcpv6 @ rc1

[Vladislav Grishenko]

Hi, Simon

 

In latest 60rc1, it seems need to use enable-ra along with
dhcp-range=ipv6,ipv6,.

Without it default link local gateway can't be assigned to clients, because
it's always done via RA.

 

About dhcp-range, prefix6::, ra-only syntax,

According sources, preffered and valid lifetime can be set with ra-only
token, but not mentioned in sample conf, a bit confusing

 

Next thing is dnsv6 option, it works a bit abnormally (comparing with v4)

Suppose we need to assign several dns servers, where one is dnsmasq itself.

With dhcpv4 it could be done with

dhcp-option=44,dns1,0.0.0.0

But following for dhcpv6 passes [::] in reply message, instead of interface
global/link local address

dhcp-option=option6,dns-server,[dns1],[dns2],[::]

 

As for dnsv6 without dhcpv6, list can be passed via RA RDNSS option, see RFC
6106.

Windows clients don't support it, and, according technet, will never do.
However, there's 3rd party win32 daemons, which can be used, like
rdnssd-win32

*nix also has support in 3rd party standalone daemons.

 

Best Regards, Vladislav Grishenko

ICQ: 303357

MSN: themi...@mail.ru

Skype: the.miron

 

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss