import of dnsmasq-2.37.tar.gz

CHANGELOG

@@ -2086,4 +2086,40 @@ version 2.36
 	    as not to affect the validity of the signature. This
 	    should allow DDNS updates to be forwarded.
 
+version 2.37
+            Add better support for RFC-2855 DHCP-over-firewire and RFC
+           -4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec.
+
+	    Some efficiency tweaks to the cache code for very large
+	    /etc/hosts files. Should improve reverse (address->name)
+	    lookups and garbage collection. Thanks to Jan 'RedBully'
+	    Seiffert for input on this.
+
+	    Fix regression in 2.36 which made bogus-nxdomain
+	    and DNS caching unreliable. Thanks to Dennis DeDonatis
+	    and Jan Seiffert for bug reports.
+
+	    Make DHCP encapsulated vendor-class	options sane. Be
+	    warned that some conceivable existing configurations 
+	    using these may break, but they work in a much 
+	    simpler and more logical way now. Prepending
+	    "vendor:<client-id>" to an option encapsulates it 
+	    in option 43, and the option is sent only if the 
+	    client-supplied vendor-class substring-matches with 
+	    the given client-id. Thanks to Dennis DeDonatis for 
+	    help with this.
+
+	    Apply patch from Jan Seiffert to tidy up tftp.c
+
+	    Add support for overloading the filename and servername 
+	    fields in DHCP packet. This gives extra option-space when
+	    these fields are not being used or with a modern client
+	    which supports moving them into options.
+
+	    Added a LIMITS section to the man-page, with guidance on
+	    maximum numbers of clients, file sizes and tuning.
+
+
+
+	
 

dnsmasq.conf.example

@@ -262,13 +262,20 @@
 # Send RFC-3442 classless static routes (note the netmask encoding)
 #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
 
-# Send encapsulated vendor-class specific options. The vendor-class
-# is sent as DHCP option 60, and all the options marked with the
-# vendor class are send encapsulated in DHCP option 43. The meaning of
-# the options is defined by the vendor-class. This example sets the
-# mtftp address to 0.0.0.0 for PXEClients
+# Send vendor-class specific options encapsulated in DHCP option 43. 
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT" 
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
 #dhcp-option=vendor:PXEClient,1,0.0.0.0
 
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
 # Set the boot filename for BOOTP. You will only need 
 # this is you want to boot machines over the network and you will need
 # a TFTP server; either dnsmasq's built in TFTP server or an

doc.html

@@ -15,7 +15,8 @@ Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
 <P>
  Dnsmasq is targeted at home networks using NAT and 
 connected to the internet via a modem, cable-modem or ADSL
-connection but would be a good choice for any small network where low
+connection but would be a good choice for any smallish network (up to
+1000 clients is known to work) where low
 resource use and ease of configuration are important. 
 <P>
 Supported platforms include Linux (with glibc and uclibc), *BSD and

hosts

-127.0.0.1 host1.domain
-

man/dnsmasq.8

@@ -6,7 +6,7 @@ dnsmasq \- A lightweight DHCP and caching DNS server.
 .I [OPTION]...
 .SH "DESCRIPTION"
 .BR dnsmasq
-is a lightweight DNS and DHCP server. It is intended to provide coupled DNS and DHCP service to a
+is a lightweight DNS, TFTP and DHCP server. It is intended to provide coupled DNS and DHCP service to a
 LAN.
 .PP
 Dnsmasq accepts DNS queries and either answers them from a small, local,
@@ -18,10 +18,12 @@ DNS queries for DHCP configured hosts.
 The dnsmasq DHCP server supports static address assignments, multiple
 networks, DHCP-relay and RFC3011 subnet specifiers. It automatically
 sends a sensible default set of DHCP options, and can be configured to
-send any desired set of DHCP options. It also supports BOOTP.
+send any desired set of DHCP options, inlcuding vendor-encapsulated
+options. It includes a secure, read-only,
+TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP.
 .PP
 Dnsmasq 
-supports IPv6.
+supports IPv6 for DNS, but not DHCP.
 .SH OPTIONS
 Note that in general missing parameters are allowed and switch off
 functions, for instance "--pid-file" disables writing a PID file. On
@@ -233,7 +235,7 @@ Tells dnsmasq to never forward queries for plain names, without dots
 or domain parts, to upstream nameservers. If the name is not known
 from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
-.B \-S, ,--local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
 Specify IP address of upstream severs directly. Setting this flag does
 not suppress reading of /etc/resolv.conf, use -R to do that. If one or
 more 
@@ -436,7 +438,7 @@ have exactly the same effect as
 .B --dhcp-host
 options containing the same information.
 .TP
-.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:<vendor-class>]<opt>,[<value>[,<value>]]
+.B \-O, --dhcp-option=[<network-id>,[<network-id>,]][vendor:[<vendor-class>],]<opt>,[<value>[,<value>]]
 Specify different or extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
@@ -478,10 +480,15 @@ a literal IP address as TFTP server name, it is necessary to do
 
 Encapsulated Vendor-class options may also be specified using
 --dhcp-option: for instance 
-.B --dhcp-option=vendor:PXEClient,1,0.0.0.0
-sends the vendor class "PXEClient" and the encapsulated vendor class-specific option "mftp-address=0.0.0.0" Only one vendor class is allowed for any
-host, but multiple options are allowed, provided they all have
-the same vendor class. The address 0.0.0.0 is not treated specially in
+.B --dhcp-option=vendor:PXEClient,1,0.0.0.0 
+sends the encapsulated vendor
+class-specific option "mftp-address=0.0.0.0" to any client whose
+vendor-class matches "PXEClient". The vendor-class matching is
+substring based (see --dhcp-vendorclass for details) and it is
+possible to omit the vendorclass completely;
+.B --dhcp-option=vendor:,1,0.0.0.0
+in which case the encapsulated option is always sent.
+The address 0.0.0.0 is not treated specially in
 encapsulated vendor class options.
 .TP
 .B \-U, --dhcp-vendorclass=<network-id>,<vendor-class>
@@ -589,7 +596,7 @@ The environment is inherited from the invoker of dnsmasq, and if the
 host provided a client-id, this is stored in the environment variable
 DNSMASQ_CLIENT_ID. If the client provides vendor-class or user-class 
 information, these are provided in DNSMASQ_VENDOR_CLASS and 
-DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only fory
+DNSMASQ_USER_CLASS0..DNSMASQ_USER_CLASSn variables, but only for
 "add" actions or "old" actions when a host resumes an existing lease,
 since these data are not held in dnsmasq's lease
 database. If dnsmasq was compiled with HAVE_BROKEN_RTC, then
@@ -633,7 +640,15 @@ packets arrive at tap interfaces which don't have an IP address.
 Specifies the domain for the DHCP server. This has two effects;
 firstly it causes the DHCP server to return the domain to any hosts
 which request it, and secondly it sets the domain which it is legal
-for DHCP-configured hosts to claim. The intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise it's name via dhcp as e.g. "microsoft.com" and capture traffic not meant for it. If no domain suffix is specified, then any DHCP hostname with a domain part (ie with a period) will be disallowed and logged. If suffix is specified, then hostnames with a domain part are allowed, provided the domain part matches the suffix. In addition, when a suffix is set then hostnames without a domain part have the suffix added as an optional domain part. Eg on my network I can set 
+for DHCP-configured hosts to claim. The intention is to constrain
+hostnames so that an untrusted host on the LAN cannot advertise 
+its name via dhcp as e.g. "microsoft.com" and capture traffic not 
+meant for it. If no domain suffix is specified, then any DHCP
+hostname with a domain part (ie with a period) will be disallowed 
+and logged. If suffix is specified, then hostnames with a domain 
+part are allowed, provided the domain part matches the suffix. In
+addition, when a suffix is set then hostnames without a domain
+part have the suffix added as an optional domain part. Eg on my network I can set 
 .B --domain=thekelleys.org.uk
 and have a machine whose DHCP hostname is "laptop". The IP address for that machine is available from 
 .B dnsmasq
@@ -657,7 +672,7 @@ the dnsmasq process under normal unix access-control rules is
 available via TFTP. When the --tftp-secure flag is given, only files
 owned by the user running the dnsmasq process are accessible. If
 dnsmasq is being run as root, different rules apply: --tftp-secure
-has not effect, but only files which have the world-readable bit set
+has no effect, but only files which have the world-readable bit set
 are accessible. It is not recommended to run dnsmasq as root with TFTP
 enabled, and certainly not without specifying --tftp-root. Doing so
 can expose any world-readable file on the server to any host on the net. 
@@ -823,6 +838,50 @@ parameter in a BOOTP request is matched against netids in
 configurations, allowing some control over the options returned to
 different classes of hosts.
 
+.SH LIMITS
+The default values for resource limits in dnsmasq are generally
+conservative, and appropriate for embedded router type devices with
+slow processors and limited memory. On more capable hardware, it is
+possible to increase the limits, and handle many more clients. The
+following applies to dnsmasq-2.37: earlier versions did not scale as well.
+ 
+.PP
+Dnsmasq is capable of handling DNS and DHCP for at least a thousand
+clients. Clearly to do this the value of 
+.B --dhcp-max
+must be increased,
+and lease times should not be very short (less than one hour). The
+value of 
+.B --dns-forward-max 
+can be increased: start with it equal to
+the number of clients and increase if DNS seems slow. Note that DNS
+performance depends too on the performance of the upstream
+nameservers. The size of the DNS cache may be increased: the hard
+limit is 10000 names and the default (150) is very low. Sending
+SIGUSR1 to dnsmasq makes it log information which is useful for tuning
+the cache size. See the 
+.B NOTES
+section for details.
+
+.PP
+The built-in TFTP server is capable of many simultaneous file
+transfers: the absolute limit is related to the number of file-handles
+allowed to a process and the ability of the select() system call to
+cope with large numbers of file handles. If the limit is set too high
+using 
+.B --tftp-max
+it will be scaled down and the actual limit logged at
+start-up. Note that more transfers are possible when the same file is
+being sent than when each transfer sends a different file.
+
+.PP
+It is possible to use dnsmasq to block Web advertising by using a list
+of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in
+.B /etc/hosts 
+or an additional hosts file. The list can be very long, 
+dnsmasq has been tested successfully with one million names. That size
+file needs a 1GHz processor and about 60Mb of RAM.
+
 .SH FILES
 .IR /etc/dnsmasq.conf 
 

src/cache.c

-/* dnsmasq is Copyright (c) 2000-2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -157,9 +157,24 @@ static struct crec **hash_bucket(char *name)
 
 static void cache_hash(struct crec *crecp)
 {
-  struct crec **bucket = hash_bucket(cache_get_name(crecp));
-  crecp->hash_next = *bucket;
-  *bucket = crecp;
+  /* maintain an invariant that all entries with F_REVERSE set
+     are at the start of the hash-chain  and all non-reverse
+     immortal entries are at the end of the hash-chain.
+     This allows reverse searches and garbage collection to be optimised */
+
+  struct crec **up = hash_bucket(cache_get_name(crecp));
+
+  if (!(crecp->flags & F_REVERSE))
+    {
+      while (*up && ((*up)->flags & F_REVERSE))
+	up = &((*up)->hash_next); 
+      
+      if (crecp->flags & F_IMMORTAL)
+	while (*up && (!(*up)->flags & F_IMMORTAL))
+	  up = &((*up)->hash_next);
+    }
+  crecp->hash_next = *up;
+  *up = crecp;
 }
  
 static void cache_free(struct crec *crecp)
@@ -258,13 +273,18 @@ static int cache_scan_free(char *name, struct all_addr *addr, time_t now, unsign
      If (flags == 0) remove any expired entries in the whole cache. 
 
      In the flags & F_FORWARD case, the return code is valid, and returns zero if the
-     name exists in the cache as a HOSTS or DHCP entry (these are never deleted) */
-  
-  struct crec *crecp, **up;
+     name exists in the cache as a HOSTS or DHCP entry (these are never deleted)
 
+     We take advantage of the fact that hash chains have stuff in the order <reverse>,<other>,<immortal>
+     so that when we hit an entry which isn't reverse and is immortal, we're done. */
+ 
+  struct crec *crecp, **up;
+  
   if (flags & F_FORWARD)
     {
-      for (up = hash_bucket(name), crecp = *up; crecp; crecp = crecp->hash_next)
+      for (up = hash_bucket(name), crecp = *up; 
+	   crecp && ((crecp->flags & F_REVERSE) || !(crecp->flags & F_IMMORTAL));
+	   crecp = crecp->hash_next)
 	if (is_expired(now, crecp) || is_outdated_cname_pointer(crecp))
 	  { 
 	    *up = crecp->hash_next;
@@ -296,7 +316,9 @@ static int cache_scan_free(char *name, struct all_addr *addr, time_t now, unsign
       int addrlen = INADDRSZ;
 #endif 
       for (i = 0; i < hash_size; i++)
-	for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
+	for (crecp = hash_table[i], up = &hash_table[i]; 
+	     crecp && ((crecp->flags & F_REVERSE) || !(crecp->flags & F_IMMORTAL));
+	     crecp = crecp->hash_next)
 	  if (is_expired(now, crecp))
 	    {
 	      *up = crecp->hash_next;
@@ -567,12 +589,16 @@ struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr,
   else
     {  
       /* first search, look for relevant entries and push to top of list
-	 also free anything which has expired */
+	 also free anything which has expired. All the reverse entries are at the
+	 start of the hash chain, so we can give up when we find the first 
+	 non-REVERSE one.  */
        int i;
        struct crec **up, **chainp = &ans;
        
-       for(i=0; i<hash_size; i++)
-	 for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
+       for (i=0; i<hash_size; i++)
+	 for (crecp = hash_table[i], up = &hash_table[i]; 
+	      crecp && (crecp->flags & F_REVERSE);
+	      crecp = crecp->hash_next)
 	   if (!is_expired(now, crecp))
 	     {      
 	       if ((crecp->flags & F_REVERSE) && 

src/config.h

@@ -10,7 +10,7 @@
    GNU General Public License for more details.
 */
 
-#define VERSION "2.36"
+#define VERSION "2.37"
 
 #define FTABSIZ 150 /* max number of outstanding requests (default) */
 #define MAX_PROCS 20 /* max no children for TCP requests */

src/dnsmasq.c

@@ -38,7 +38,11 @@ static char *compile_opts =
 #ifdef NO_GETTEXT
 "no-"
 #endif
-"I18N ";
+"I18N "
+#ifndef HAVE_TFTP
+"no-"
+#endif
+"TFTP";
 
 static pid_t pid;
 static int pipewrite;
@@ -368,6 +372,8 @@ int main (int argc, char **argv)
       if (daemon->resolv_files && !daemon->resolv_files->is_default)
 	syslog(LOG_WARNING, _("warning: ignoring resolv-file flag because no-resolv is set"));
       daemon->resolv_files = NULL;
+      if (!daemon->servers)
+	syslog(LOG_WARNING, _("warning: no upstream servers configured"));
     } 
 
   if (daemon->dhcp)

src/dnsmasq.h

-/* dnsmasq is Copyright (c) 2000-2005 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2007 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10,7 +10,7 @@
    GNU General Public License for more details.
 */
 
-#define COPYRIGHT "Copyright (C) 2000-2006 Simon Kelley" 
+#define COPYRIGHT "Copyright (C) 2000-2007 Simon Kelley" 
 
 /* get these before config.h  for IPv6 stuff... */
 #include <sys/types.h> 
@@ -365,6 +365,7 @@ struct dhcp_opt {
 
 #define DHOPT_ADDR               1
 #define DHOPT_STRING             2
+#define DHOPT_VENDOR_MATCH       4
 
 struct dhcp_boot {
   char *file, *sname;

src/forward.c

@@ -365,7 +365,7 @@ static size_t process_reply(struct daemon *daemon, HEADER *header, time_t now,
 	PUTSHORT(daemon->edns_pktsz, psave);
     }
 
-  if (is_sign || header->opcode != QUERY || (header->rcode != NOERROR && header->rcode != NXDOMAIN))
+  if (header->opcode != QUERY || (header->rcode != NOERROR && header->rcode != NXDOMAIN))
     return n;
   
   /* Complain loudly if the upstream server is non-recursive. */

src/lease.c

@@ -312,7 +312,7 @@ struct dhcp_lease *lease_allocate(struct in_addr addr)
   memset(lease, 0, sizeof(struct dhcp_lease));
   lease->new = 1;
   lease->addr = addr;
-  lease->hwaddr_len = 225; /* illegal value */
+  lease->hwaddr_len = 256; /* illegal value */
   lease->expires = 1;
 #ifdef HAVE_BROKEN_RTC
   lease->length = 0xffffffff; /* illegal value */