Merge branch 'master' into dnssec

Conflicts:
	src/dnsmasq.h
	src/forward.c
	src/option.c

.gitignore

@@ -2,6 +2,7 @@ src/*.o
 src/*.mo
 src/dnsmasq.pot
 src/dnsmasq
+src/dnsmasq_baseline
 src/.configured
 contrib/wrt/dhcp_lease_time
 contrib/wrt/dhcp_release

CHANGELOG

@@ -90,8 +90,6 @@ version 2.67
             smallest valid dhcp-range is sent. Thanks to Uwe Schindler 
 	    for suggesting this.
 
-	    Add --force-fast-ra option. Another thanks to Uwe Schindler.  
-
 	    Make --listen-address higher priority than --except-interface
 	    in all circumstances. Thanks to Thomas Hood for the bugreport.
 
@@ -101,7 +99,60 @@ version 2.67
 	    (provide TFTP to the same interfaces we provide DHCP to) 
 	    is retained. Thanks to Lonnie Abelbeck for the suggestion.
 
+	    Add --dhcp-relay config option. Many thanks to vtsl.net
+	    for sponsoring this development.
+
+	    Fix crash with empty tag: in --dhcp-range. Thanks to
+	    Kaspar Schleiser for the bug report.
+
+	    Add "baseline" and "bloatcheck" makefile targets, for 
+	    revealing size changes during development. Thanks to
+	    Vladislav Grishenko for the patch. 
+
+	    Cope with DHCPv6 clients which send REQUESTs without
+	    address options - treat them as SOLICIT with rapid commit.
+
+	    Support identification of clients by MAC address in
+	    DHCPv6. When using a relay, the relay must support RFC
+	    6939 for this to work. It always works for directly
+	    connected clients. Thanks to Vladislav Grishenko
+	    for prompting this feature.
+	    
+	    Remove the rule for constructed DHCP ranges that the local
+	    address must be either the first or last address in the
+	    range. This was originally to avoid SLAAC addresses, but
+	    we now explicitly autoconfig and privacy addresses instead.  
+
+	    Update Polish translation. Thanks to Jan Psota.
+
+	    Fix problem in DHCPv6 vendorclass/userclass matching
+	    code. Thanks to Tanguy Bouzeloc for the patch.
 
+ 	    Update Spanish transalation. Thanks to Vicente Soriano.
+
+	    Add --ra-param option. Thanks to Vladislav Grishenko for
+	    inspiration on this.
+
+	    Add --add-subnet configuration, to tell upstream DNS
+	    servers where the original client is. Thanks to DNSthingy
+	    for sponsoring this feature.
+
+	    Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
+	    Kevin Darbyshire-Bryant for the initial patch.
+
+	    Allow A/AAAA records created by --interface-name to be the
+	    target of --cname. Thanks to Hadmut Danisch for the
+	    suggestion. 
+
+	    Avoid treating a --dhcp-host which has an IPv6 address
+	    as eligable for use with DHCPv4 on the grounds that it has
+	    no address, and vice-versa. Thanks to Yury Konovalov for
+	    spotting the problem.
+
+	    Do a better job caching dangling CNAMEs. Thanks to Yves
+	    Dorfsman for spotting the problem.
+
+ 
 version 2.66
             Add the ability to act as an authoritative DNS
             server. Dnsmasq can now answer queries from the wider 'net

Makefile

@@ -80,10 +80,14 @@ all : $(BUILDDIR)
  build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(ssl_libs)" \
  -f $(top)/Makefile dnsmasq 
 
-clean :
-	rm -f *~ $(BUILDDIR)/*.mo contrib/*/*~ */*~ $(BUILDDIR)/*.pot 
+mostly_clean :
+	rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot 
 	rm -f $(BUILDDIR)/.configured $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq 
-	rm -rf core */core
+
+clean : mostly_clean
+	rm -f $(BUILDDIR)/dnsmasq_baseline
+	rm -f core */core
+	rm -f *~ contrib/*/*~ */*~
 
 install : all install-common
 
@@ -113,9 +117,24 @@ merge :
 		echo -n msgmerge $(PO)/$$f && $(MSGMERGE) --no-wrap -U $(PO)/$$f $(BUILDDIR)/dnsmasq.pot; \
 	done
 
+# Cannonicalise .po file.
+%.po : 
+	@cd $(BUILDDIR) && $(MAKE) -f $(top)/Makefile dnsmasq.pot
+	mv $(PO)/$*.po $(PO)/$*.po.orig && $(MSGMERGE) --no-wrap $(PO)/$*.po.orig $(BUILDDIR)/dnsmasq.pot >$(PO)/$*.po; 
+
 $(BUILDDIR):
 	mkdir -p $(BUILDDIR)
 
+# rules below are helpers for size tracking
+
+baseline : mostly_clean all
+	@cd $(BUILDDIR) && \
+	   mv dnsmasq dnsmasq_baseline
+
+bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all
+	@cd $(BUILDDIR) && \
+           $(top)/bld/bloat-o-meter dnsmasq_baseline dnsmasq; \
+           size dnsmasq_baseline dnsmasq
 
 # rules below are targets in recusive makes with cwd=$(BUILDDIR)
 
@@ -129,7 +148,7 @@ $(objs:.o=.c) $(hdrs):
 .c.o:
 	$(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $<	
 
-dnsmasq : .configured $(hdrs) $(objs) 
+dnsmasq : .configured $(hdrs) $(objs)
 	$(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) 
 
 dnsmasq.pot : $(objs:.o=.c) $(hdrs)
@@ -138,5 +157,4 @@ dnsmasq.pot : $(objs:.o=.c) $(hdrs)
 %.mo : $(top)/$(PO)/%.po dnsmasq.pot
 	$(MSGMERGE) -o - $(top)/$(PO)/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo -
 
-
-.PHONY : all clean install install-common all-i18n install-i18n merge 
+.PHONY : all clean mostly_clean install install-common all-i18n install-i18n merge baseline bloatcheck

bld/bloat-o-meter

+#!/usr/bin/env python
+#
+# Copyright 2004 Matt Mackall <mpm@selenic.com>
+#
+# Inspired by perl Bloat-O-Meter (c) 1997 by Andi Kleen
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+
+import sys, os#, re
+
+def usage():
+    sys.stderr.write("usage: %s [-t] file1 file2\n" % sys.argv[0])
+    sys.exit(-1)
+
+f1, f2 = (None, None)
+flag_timing, dashes = (False, False)
+
+for f in sys.argv[1:]:
+    if f.startswith("-"):
+        if f == "--": # sym_args
+            dashes = True
+            break
+        if f == "-t": # timings
+            flag_timing = True
+    else:
+        if not os.path.exists(f):
+            sys.stderr.write("Error: file '%s' does not exist\n" % f)
+            usage()
+        if f1 is None:
+            f1 = f
+        elif f2 is None:
+            f2 = f
+if flag_timing:
+    import time
+if f1 is None or f2 is None:
+    usage()
+
+sym_args = " ".join(sys.argv[3 + flag_timing + dashes:])
+def getsizes(file):
+    sym, alias, lut = {}, {}, {}
+    for l in os.popen("readelf -W -s %s %s" % (sym_args, file)).readlines():
+        l = l.strip()
+        if not (len(l) and l[0].isdigit() and len(l.split()) == 8):
+            continue
+        num, value, size, typ, bind, vis, ndx, name = l.split()
+        if ndx == "UND": continue # skip undefined
+        if typ in ["SECTION", "FILES"]: continue # skip sections and files
+        if "." in name: name = "static." + name.split(".")[0]
+        value = int(value, 16)
+        size = int(size, 16) if size.startswith('0x') else int(size)
+        if vis != "DEFAULT" and bind != "GLOBAL": # see if it is an alias
+            alias[(value, size)] = {"name" : name}
+        else:
+            sym[name] = {"addr" : value, "size":  size}
+            lut[(value, size)] = 0
+    for addr, sz in iter(alias.keys()):
+        # If the non-GLOBAL sym has an implementation elsewhere then
+        # it's an alias, disregard it.
+        if not (addr, sz) in lut:
+            # If this non-GLOBAL sym does not have an implementation at
+            # another address, then treat it as a normal symbol.
+            sym[alias[(addr, sz)]["name"]] = {"addr" : addr, "size": sz}
+    for l in os.popen("readelf -W -S " + file).readlines():
+        x = l.split()
+        if len(x)<6: continue
+        # Should take these into account too!
+        #if x[1] not in [".text", ".rodata", ".symtab", ".strtab"]: continue
+        if x[1] not in [".rodata"]: continue
+        sym[x[1]] = {"addr" : int(x[3], 16), "size" : int(x[5], 16)}
+    return sym
+
+if flag_timing:
+    start_t1 = int(time.time() * 1e9)
+old = getsizes(f1)
+if flag_timing:
+    end_t1 = int(time.time() * 1e9)
+    start_t2 = int(time.time() * 1e9)
+new = getsizes(f2)
+if flag_timing:
+    end_t2 = int(time.time() * 1e9)
+    start_t3 = int(time.time() * 1e9)
+grow, shrink, add, remove, up, down = 0, 0, 0, 0, 0, 0
+delta, common = [], {}
+
+for name in iter(old.keys()):
+    if name in new:
+        common[name] = 1
+
+for name in old:
+    if name not in common:
+        remove += 1
+        sz = old[name]["size"]
+        down += sz
+        delta.append((-sz, name))
+
+for name in new:
+    if name not in common:
+        add += 1
+        sz = new[name]["size"]
+        up += sz
+        delta.append((sz, name))
+
+for name in common:
+        d = new[name].get("size", 0) - old[name].get("size", 0)
+        if d>0: grow, up = grow+1, up+d
+        elif d<0: shrink, down = shrink+1, down-d
+        else:
+            continue
+        delta.append((d, name))
+
+delta.sort()
+delta.reverse()
+if flag_timing:
+    end_t3 = int(time.time() * 1e9)
+
+print("%-48s %7s %7s %+7s" % ("function", "old", "new", "delta"))
+for d, n in delta:
+    if d:
+        old_sz = old.get(n, {}).get("size", "-")
+        new_sz = new.get(n, {}).get("size", "-")
+        print("%-48s %7s %7s %+7d" % (n, old_sz, new_sz, d))
+print("-"*78)
+total="(add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s)%%sTotal: %s bytes"\
+    % (add, remove, grow, shrink, up, -down, up-down)
+print(total % (" "*(80-len(total))))
+if flag_timing:
+    print("\n%d/%d; %d Parse origin/new; processing nsecs" %
+        (end_t1-start_t1, end_t2-start_t2, end_t3-start_t3))
+    print("total nsecs: %d" % (end_t3-start_t1))

bld/get-version

@@ -12,7 +12,7 @@
 # first. This favours, eg v2.63 over 2.63rc6.
 
 if which git >/dev/null 2>&1 && [ -d $1/.git ]; then
-     cd $1; git describe
+     cd $1; git describe | sed 's/^v//'
 elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
 # unsubstituted VERSION, but no git available.
     echo UNKNOWN

contrib/mactable/macscript

+#!/bin/bash
+
+STATUS_FILE="/tmp/dnsmasq-ip-mac.status"
+
+# Script for dnsmasq lease-change hook.
+# Maintains the above file with a IP address/MAC address pairs,
+# one lease per line. Works with IPv4 and IPv6 leases, file is
+# atomically updated, so no races for users of the data.
+
+action="$1"
+mac="$2"   # IPv4
+ip="$3"
+
+# ensure it always exists.
+
+if [ ! -f "$STATUS_FILE" ]; then
+  touch "$STATUS_FILE"
+fi
+
+if [  -n "$DNSMASQ_IAID" ]; then
+    mac="$DNSMASQ_MAC"   # IPv6
+fi
+
+# worry about an add or old action when the MAC address is not known:
+# leave any old one in place in that case.
+
+if [ "$action" = "add" -o "$action" = "old" -o "$action" = "del" ]; then
+  if [ -n "$mac" -o "$action" = "del" ]; then
+    sed "/^${ip//./\.} / d" "$STATUS_FILE" > "$STATUS_FILE".new
+  
+    if [ "$action" = "add" -o "$action" = "old" ]; then
+       echo "$ip $mac" >> "$STATUS_FILE".new
+    fi
+    mv  "$STATUS_FILE".new "$STATUS_FILE" # atomic update.
+  fi
+fi

debian/changelog

 dnsmasq (2.67-1) unstable; urgency=low
 
    * New upstream.
+   * Update resolvconf script. (closes: #720732)
 
  -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 4 Aug 2013 14:53:22 +0000
 

debian/control

@@ -7,7 +7,7 @@ Standards-Version: 3.9.3
 
 Package: dnsmasq
 Architecture: all
-Depends: netbase, dnsmasq-base(>= ${source:Version})
+Depends: netbase, dnsmasq-base(>= ${binary:Version})
 Suggests: resolvconf
 Conflicts: resolvconf (<<1.15)
 Description: Small caching DNS proxy and DHCP/TFTP server

debian/readme

@@ -64,7 +64,9 @@ Notes on configuring dnsmasq as packaged for Debian.
       noi18n      : omit translations and internationalisation support.
       noidn       : omit international domain name support, must be
                     combined with noi18n to be effective.
-      
+      gitversion  : set the version of the produced packages from the
+                    git-derived versioning information on the source,
+                    rather the the debian changelog. 
 
 (9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
     dnsmasq. Dnsmasq-base provides the dnsmasq executable and

debian/resolvconf

@@ -16,8 +16,7 @@ set -e
 RUN_DIR="/var/run/dnsmasq"
 RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
 TMP_FILE="${RSLVRLIST_FILE}_new.$$"
-MY_RECORD_NAME="lo.dnsmasq"
-DNSCRYPT_RECORD_NAME="lo.dnscrypt"
+MY_NAME_FOR_RESOLVCONF="dnsmasq"
 
 [ -x /usr/sbin/dnsmasq ] || exit 0
 [ -x /lib/resolvconf/list-records ] || exit 1
@@ -46,14 +45,14 @@ if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then
 fi
 
 RSLVCNFFILES=""
-for F in $(/lib/resolvconf/list-records --after "$MY_RECORD_NAME") ; do
+for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
 	case "$F" in
-	  "$MY_RECORD_NAME")
-		# Omit
+	    "lo.$MY_NAME_FOR_RESOLVCONF")
+		# Omit own record	 
 		;;
-	  "$DNSCRYPT_RECORD_NAME")
-		# Dnscrypt, I only have eyes for you
-		RSLVCNFFILES="$DNSCRYPT_RECORD_NAME"
+	    lo.*)
+		# Include no more records after one for a local nameserver
+		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
 		break
 		;;
 	  *)

debian/rules

@@ -23,6 +23,11 @@ TARGET = install-i18n
 
 DEB_BUILD_ARCH_OS := $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)
 
+# Force package version based on git tags.
+ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
+     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
+endif
+
 ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
      COPTS += -DHAVE_DBUS
 endif
@@ -103,7 +108,7 @@ binary-indep:	checkroot
 	install -m 644 debian/insserv debian/daemon/etc/insserv.conf.d/dnsmasq
 	ln -s $(package) debian/daemon/usr/share/doc/dnsmasq
 	cd debian/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol -pdnsmasq -Pdebian/daemon
+	dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/daemon
 	chown -R root.root debian/daemon
 	chmod -R g-ws debian/daemon
 	dpkg --build debian/daemon ..
@@ -150,8 +155,8 @@ ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 	strip -R .note -R .comment debian/base/usr/sbin/dnsmasq
 endif
 	cd debian/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps debian/base/usr/sbin/dnsmasq
-	dpkg-gencontrol -pdnsmasq-base -Pdebian/base
+	dpkg-shlibdeps --warnings=1 debian/base/usr/sbin/dnsmasq
+	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/base
 	chown -R root.root debian/base
 	chmod -R g-ws debian/base 
 	dpkg --build debian/base ..
@@ -178,7 +183,7 @@ ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 endif	
 	cd debian/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums
 	dpkg-shlibdeps -Tdebian/utils-substvars debian/utils/usr/bin/dhcp_release debian/utils/usr/bin/dhcp_lease_time
-	dpkg-gencontrol -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/utils
+	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/utils
 	chown -R root.root debian/utils
 	chmod -R g-ws debian/utils 
 	dpkg --build debian/utils ..

man/dnsmasq.8

@@ -497,7 +497,7 @@ Return an NAPTR DNS record, as specified in RFC3403.
 Return a CNAME record which indicates that <cname> is really
 <target>. There are significant limitations on the target; it must be a
 DNS name which is known to dnsmasq from /etc/hosts (or additional
-hosts files), from DHCP or from another 
+hosts files), from DHCP, from --interface-name or from another 
 .B --cname.
 If the target does not satisfy this
 criteria, the whole cname is ignored. The cname must be unique, but it
@@ -543,7 +543,20 @@ server. The MAC address can only be added if the requestor is on the same
 subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option)
 is not yet standardised, so this should be considered
 experimental. Also note that exposing MAC addresses in this way may
-have security and privacy implications. 
+have security and privacy implications. The warning about caching
+given for --add-subnet applies to --add-mac too.
+.TP 
+.B --add-subnet[[=<IPv4 prefix length>],<IPv6 prefix length>]
+Add the subnet address of the requestor to the DNS queries which are
+forwarded upstream. The amount of the address forwarded depends on the
+prefix length parameter: 32 (128 for IPv6) forwards the whole address,
+zero forwards none of it but still marks the request so that no
+upstream nameserver will add client address information either. The
+default is zero for both IPv4 and IPv6. Note that upstream nameservers
+may be configured to return different results based on this
+information, but the dnsmasq cache does not take account. If a dnsmasq
+instance is configured such that different results may be encountered,
+caching should be disabled.
 .TP
 .B \-c, --cache-size=<cachesize>
 Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
@@ -652,24 +665,20 @@ This forms a template which describes how to create ranges, based on the address
 
 .B --dhcp-range=::1,::400,constructor:eth0
 
-will look for addresses of the form <network>::1 or <network>:400 on
+will look for addresses on
 eth0 and then create a range from <network>::1 to <network>::400. If
 the interface is assigned more than one network, then the
 corresponding ranges will be automatically created, and then
 deprecated and finally removed again as the address is deprecated and
 then deleted. The interface name may have a final "*" wildcard. Note
-that just any address on eth0 will not do: the non-prefix part must be
-equal either the start or end address given in the dhcp-range. This is
-to prevent prefixes becoming perpetual if the interface 
-gains a SLAAC address for the prefix when it is advertised by dnsmasq.
+that just any address on eth0 will not do: it must not be an
+autoconfigured or privacy address, or be deprecated.
 
 If a dhcp-range is only being used for stateless DHCP and/or SLAAC,
 then the address can be simply ::
 
 .B --dhcp-range=::,constructor:eth0
 
-This removes the condition above, and will pick up the prefix from any address on eth0 which is NOT 
-autoconfigured, slaac, temporary or deprecated.
 
 There is a variant of the constructor: syntax using the keyword
 .B constructor-noauth.
@@ -766,7 +775,8 @@ the same subnet as some valid dhcp-range.  For
 subnets which don't need a pool of dynamically allocated addresses,
 use the "static" keyword in the dhcp-range declaration.
 
-It is allowed to use client identifiers rather than
+It is allowed to use client identifiers (called client
+DUID in IPv6-land rather than
 hardware addresses to identify hosts by prefixing with 'id:'. Thus: 
 .B --dhcp-host=id:01:02:03:04,..... 
 refers to the host with client identifier 01:02:03:04. It is also
@@ -781,11 +791,12 @@ IPv6 addresses may contain only the host-identifier part:
 .B --dhcp-host=laptop,[::56]
 in which case they act as wildcards in constructed dhcp ranges, with
 the appropriate network part inserted. 
-Note that in IPv6 DHCP, the hardware address is not normally
-available, so a client must be identified by client-id (called client
-DUID in IPv6-land) or hostname. 
+Note that in IPv6 DHCP, the hardware address may not be
+available, though it normally is for direct-connected clients, or
+clients using DHCP relays which support RFC 6939.
+
 
-The special option id:* means "ignore any client-id 
+For DHCPv4, the  special option id:* means "ignore any client-id 
 and use MAC addresses only." This is useful when a client presents a client-id sometimes 
 but not others.
 
@@ -973,6 +984,38 @@ DHCP options. This make extra space available in the DHCP packet for
 options but can, rarely, confuse old or broken clients. This flag
 forces "simple and safe" behaviour to avoid problems in such a case.
 .TP
+.B --dhcp-relay=<local address>,<server address>[,<interface]
+Configure dnsmasq to do DHCP relay. The local address is an address
+allocated to an interface on the host running dnsmasq. All DHCP
+requests arriving on that interface will we relayed to a remote DHCP
+server at the server address. It is possible to relay from a single local
+address to multiple remote servers by using multiple dhcp-relay
+configs with the same local address and different server
+addresses. A server address must be an IP literal address, not a
+domain name. In the case of DHCPv6, the server address may be the
+ALL_SERVERS multicast address, ff05::1:3. In this case the interface
+must be given, not be wildcard, and is used to direct the multicast to the
+correct interface to reach the DHCP server. 
+
+Access control for DHCP clients has the same rules as for the DHCP
+server, see --interface, --except-interface, etc. The optional
+interface name in the dhcp-relay config has a different function: it
+controls on which interface DHCP replies from the server will be
+accepted. This is intended for configurations which have three
+interfaces: one being relayed from, a second connecting the DHCP
+server, and a third untrusted network, typically the wider
+internet. It avoids the possibility of spoof replies arriving via this
+third interface.
+
+It is allowed to have dnsmasq act as a DHCP server on one set of
+interfaces and relay from a disjoint set of interfaces. Note that
+whilst it is quite possible to write configurations which appear to
+act as a server and a relay on the same interface, this is not
+supported: the relay function will take precedence.
+
+Both DHCPv4 and DHCPv6 relay is supported. It's not possible to relay
+DHCPv4 to a DHCPv6 server or vice-versa.
+.TP
 .B \-U, --dhcp-vendorclass=set:<tag>,[enterprise:<IANA-enterprise number>,]<vendor-class>
 Map from a vendor-class string to a tag. Most DHCP clients provide a 
 "vendor class" which represents, in some sense, the type of host. This option 
@@ -1001,7 +1044,7 @@ this to set a different printer server for hosts in the class
 "accounts" than for hosts in the class "engineering".
 .TP
 .B \-4, --dhcp-mac=set:<tag>,<MAC address>
-(IPv4 only) Map from a MAC address to a tag. The MAC address may include
+Map from a MAC address to a tag. The MAC address may include
 wildcards. For example
 .B --dhcp-mac=set:3com,01:34:23:*:*:*
 will set the tag "3com" for any host whose MAC address matches the pattern.
@@ -1217,6 +1260,11 @@ tried. This flag disables this check. Use with caution.
 Extra logging for DHCP: log all the options sent to DHCP clients and
 the tags used to determine them.
 .TP
+.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
+Suppress logging of the routine operation of these protocols. Errors and
+problems will still be logged. --quiet-dhcp and quiet-dhcp6 are
+over-ridden by --log-dhcp.
+.TP
 .B \-l, --dhcp-leasefile=<path>
 Use the specified file to store DHCP lease information.
 .TP 
@@ -1307,7 +1355,7 @@ every call to the script.
 DNSMASQ_IAID containing the IAID for the lease. If the lease is a
 temporary allocation, this is prefixed to 'T'.
 
-
+DNSMASQ_MAC containing the MAC address of the client, if known.
 
 Note that the supplied hostname, vendorclass and userclass data is
 only  supplied for
@@ -1495,11 +1543,19 @@ the relevant link-local address of the machine running dnsmasq is sent
 as recursive DNS server. If provided, the DHCPv6 options dns-server and
 domain-search are used for RDNSS and DNSSL.
 .TP
-.B --force-fast-ra
-Normally, dnsmasq advertises a new IPv6 prefix frequently (every 10 seconds or so) for the first minute, and then
-drops back to sending "maintenance" advertisements every 10 minutes or so. This option forces dnsmasq to be always in 
-frequent RA mode. It's a bug workaround for mobile devices which go deaf to RAs during sleep and therefore 
-lose conectivity; with frequent RAs they recover in a reasonable time after wakeup.
+.B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
+Set non-default values for router advertisements sent via an
+interface. The priority field for the router may be altered from the
+default of medium with eg
+.B --ra-param=eth0,high.
+The interval between router advertisements may be set (in seconds) with 
+.B --ra-param=eth0,60.
+The lifetime of the route may be changed or set to zero, which allows
+a router to advertise prefixes but not a route via itself. 
+.B --ra-parm=eth0,0,0
+(A value of zero for the interval means the default value.) All three parameters may be set at once.
+.B --ra-param=low,60,1200
+The interface field may include a wildcard.
 .TP
 .B --enable-tftp[=<interface>[,<interface>]]
 Enable the TFTP server function. This is deliberately limited to that

src/auth.c

@@ -62,7 +62,7 @@ static int filter_constructed_dhcp(struct auth_zone *zone, int flag, struct all_
   return filter_zone(zone, flag, addr_u) != NULL;
 }
 
-static int in_zone(struct auth_zone *zone, char *name, char **cut)
+int in_zone(struct auth_zone *zone, char *name, char **cut)
 {
   size_t namelen = strlen(name);
   size_t domainlen = strlen(zone->domain);
@@ -89,7 +89,7 @@ static int in_zone(struct auth_zone *zone, char *name, char **cut)
 }
 
 
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
@@ -97,7 +97,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   int nameoffset, axfroffset = 0;
   int q, anscount = 0, authcount = 0;
   struct crec *crecp;
-  int  auth = 1, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
   struct auth_zone *zone = NULL;
   struct subnet *subnet = NULL;
   char *cut;
@@ -110,7 +110,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   
   if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
     return 0;
-  
+
   /* determine end of question section (we put answers there) */
   if (!(ansp = skip_questions(header, qlen)))
     return 0; /* bad packet */
@@ -144,16 +144,19 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (!(flag = in_arpa_name_2_addr(name, &addr)))
 	    continue;
 
-	  for (zone = daemon->auth_zones; zone; zone = zone->next)
-	    if ((subnet = filter_zone(zone, flag, &addr)))
-	      break;
-
-	  if (!zone)
+	  if (!local_query)
 	    {
-	      auth = 0;
-	      continue;
+	      for (zone = daemon->auth_zones; zone; zone = zone->next)
+		if ((subnet = filter_zone(zone, flag, &addr)))
+		  break;
+	      
+	      if (!zone)
+		{
+		  auth = 0;
+		  continue;
+		}
 	    }
-	  
+
 	  intr = NULL;
 
 	  if (flag == F_IPV4)
@@ -194,7 +197,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (in_zone(zone, intr->name, NULL))
 		{	
 		  found = 1;
-		  log_query(flag| F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
 					  T_PTR, C_IN, "d", intr->name))
@@ -358,25 +361,26 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	 if (hostname_isequal(name, intr->name))
 	   {
 	     struct addrlist *addrlist;
-
+	     
 	     addrlist = intr->addr4;
 #ifdef HAVE_IPV6
 	     if (qtype == T_AAAA)
 	       addrlist = intr->addr6;
 #endif	
 	     nxdomain = 0;
-	
-	     for (; addrlist; addrlist = addrlist->next)  
-	       if (filter_constructed_dhcp(zone, flag, &addrlist->addr))
-		 {
-		   found = 1;
-		   log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
-		   if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-					   daemon->auth_ttl, NULL, qtype, C_IN, 
-					   qtype == T_A ? "4" : "6", &addrlist->addr))
-		     anscount++;
-		 }
-	   }
+	     
+	     if (flag)
+	       for (; addrlist; addrlist = addrlist->next)  
+		 if (local_query || filter_constructed_dhcp(zone, flag, &addrlist->addr))
+		   {
+		     found = 1;
+		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
+		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					     daemon->auth_ttl, NULL, qtype, C_IN, 
+					     qtype == T_A ? "4" : "6", &addrlist->addr))
+		       anscount++;
+		   }
+	     }
        
        for (a = daemon->cnames; a; a = a->next)
 	 if (hostname_isequal(name, a->alias) )
@@ -390,7 +394,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	       }
 	     found = 1;
 	     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-				     daemon->auth_ttl, NULL,
+				     daemon->auth_ttl, &nameoffset,
 				     T_CNAME, C_IN, "d", name))
 	       anscount++;
 	     
@@ -403,7 +407,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (qtype == T_SOA)
 	    {
-	      soa = 1; /* inhibits auth section */
+	      auth = soa = 1; /* inhibits auth section */
 	      found = 1;
 	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
 	    }
@@ -436,6 +440,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  return 0;
 		}
 	       	      
+	      auth = 1;
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;
@@ -445,6 +450,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    }
       	  else if (qtype == T_NS)
 	    {
+	      auth = 1;
 	      ns = 1; /* inhibits auth section */
 	      found = 1;
 	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
@@ -462,7 +468,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  { 
 		    nxdomain = 0;
 		    if ((crecp->flags & flag) && 
-			(filter_constructed_dhcp(zone, flag, &(crecp->addr.addr))))
+			(local_query || filter_constructed_dhcp(zone, flag, &(crecp->addr.addr))))
 		      {
 			*cut = '.'; /* restore domain part */
 			log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
@@ -485,7 +491,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    do
 	      { 
 		 nxdomain = 0;
-		 if ((crecp->flags & flag) && filter_constructed_dhcp(zone, flag, &(crecp->addr.addr)))
+		 if ((crecp->flags & flag) && (local_query || filter_constructed_dhcp(zone, flag, &(crecp->addr.addr))))
 		   {
 		     log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
 		     found = 1;
@@ -675,14 +681,14 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  *cut = 0;
 		
 		for (addrlist = intr->addr4; addrlist; addrlist = addrlist->next) 
-		  if (filter_constructed_dhcp(zone, F_IPV4,  &addrlist->addr) && 
+		  if ((local_query || filter_constructed_dhcp(zone, F_IPV4,  &addrlist->addr)) && 
 		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
 					  daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
 		
 #ifdef HAVE_IPV6
 		for (addrlist = intr->addr6; addrlist; addrlist = addrlist->next) 
-		  if (filter_constructed_dhcp(zone, F_IPV6,  &addrlist->addr) &&
+		  if ((local_query || filter_constructed_dhcp(zone, F_IPV6,  &addrlist->addr)) &&
 		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
 					  daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
@@ -722,7 +728,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  if ((crecp->flags & F_DHCP) && !option_bool(OPT_DHCP_FQDN))
 		    {
 		      char *cache_name = cache_get_name(crecp);
-		      if (!strchr(cache_name, '.') && filter_constructed_dhcp(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr)))
+		      if (!strchr(cache_name, '.') && 
+			  (local_query || filter_constructed_dhcp(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
 			{
 			  qtype = T_A;
 #ifdef HAVE_IPV6
@@ -739,7 +746,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
 		    {
 		      strcpy(name, cache_get_name(crecp));
-		      if (in_zone(zone, name, &cut) && filter_constructed_dhcp(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr)))
+		      if (in_zone(zone, name, &cut) && 
+			  (local_query || filter_constructed_dhcp(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
 			{
 			  qtype = T_A;
 #ifdef HAVE_IPV6
@@ -774,8 +782,17 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   /* done all questions, set up header and return length of result */
   /* clear authoritative and truncated flags, set QR flag */
   header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
-  /* clear RA flag */
-  header->hb4 &= ~HB4_RA;
+
+  if (local_query)
+    {
+      /* set RA flag */
+      header->hb4 |= HB4_RA;
+    }
+  else
+    {
+      /* clear RA flag */
+      header->hb4 &= ~HB4_RA;
+    }
 
   /* authoritive */
   if (auth)
@@ -785,7 +802,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   if (trunc)
     header->hb3 |= HB3_TC;
   
-  if (anscount == 0 && auth && nxdomain)
+  if ((auth || local_query) && nxdomain)
     SET_RCODE(header, NXDOMAIN);
   else
     SET_RCODE(header, NOERROR); /* no error */

src/bpf.c

@@ -160,9 +160,15 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
 		    flags |= IFACE_DEPRECATED;
 
+#ifdef IN6_IFF_TEMPORARY
 		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
 		    flags |= IFACE_PERMANENT;
+#endif
 
+#ifdef IN6_IFF_PRIVACY
+		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
+		    flags |= IFACE_PERMANENT;
+#endif
 		}
 	      
 	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);

src/cache.c

@@ -24,7 +24,7 @@ static struct crec *new_chain = NULL;
 static int cache_inserted = 0, cache_live_freed = 0, insert_error;
 static union bigname *big_free = NULL;
 static int bignames_left, hash_size;
-static int uid = 0;
+static int uid = 1;
 #ifdef HAVE_DNSSEC
 static struct keydata *keyblock_free = NULL;
 #endif
@@ -76,7 +76,7 @@ void cache_init(void)
 {
   struct crec *crecp;
   int i;
-
+ 
   bignames_left = daemon->cachesize/10;
   
   if (daemon->cachesize > 0)
@@ -177,7 +177,10 @@ static void cache_free(struct crec *crecp)
   crecp->flags &= ~F_FORWARD;
   crecp->flags &= ~F_REVERSE;
   crecp->uid = uid++; /* invalidate CNAMES pointing to this. */
-  
+
+  if (uid == -1)
+    uid++;
+
   if (cache_tail)
     cache_tail->next = crecp;
   else
@@ -235,6 +238,16 @@ char *cache_get_name(struct crec *crecp)
   return crecp->name.sname;
 }
 
+char *cache_get_cname_target(struct crec *crecp)
+{
+  if (crecp->addr.cname.uid != -1)
+    return cache_get_name(crecp->addr.cname.target.cache);
+
+  return crecp->addr.cname.target.int_name->name;
+}
+
+
+
 struct crec *cache_enumerate(int init)
 {
   static int bucket;
@@ -260,14 +273,14 @@ struct crec *cache_enumerate(int init)
 
 static int is_outdated_cname_pointer(struct crec *crecp)
 {
-  if (!(crecp->flags & F_CNAME))
+  if (!(crecp->flags & F_CNAME) || crecp->addr.cname.uid == -1)
     return 0;
   
   /* NB. record may be reused as DS or DNSKEY, where uid is 
      overloaded for something completely different */
-  if (crecp->addr.cname.cache && 
-      (crecp->addr.cname.cache->flags & (F_IPV4 | F_IPV6 | F_CNAME)) &&
-      crecp->addr.cname.uid == crecp->addr.cname.cache->uid)
+  if (crecp->addr.cname.target.cache && 
+      (crecp->addr.cname.target.cache->flags & (F_IPV4 | F_IPV6 | F_CNAME)) &&
+      crecp->addr.cname.uid == crecp->addr.cname.target.cache->uid)
     return 0;
   
   return 1;
@@ -680,9 +693,9 @@ static void add_hosts_cname(struct crec *target)
     if (hostname_isequal(cache_get_name(target), a->target) &&
 	(crec = whine_malloc(sizeof(struct crec))))
       {
-	crec->flags = F_FORWARD | F_IMMORTAL | F_NAMEP | F_HOSTS | F_CNAME;
+	crec->flags = F_FORWARD | F_IMMORTAL | F_NAMEP | F_CONFIG | F_CNAME;
 	crec->name.namep = a->alias;
-	crec->addr.cname.cache = target;
+	crec->addr.cname.target.cache = target;
 	crec->addr.cname.uid = target->uid;
 	cache_hash(crec);
 	add_hosts_cname(crec); /* handle chains */
@@ -901,6 +914,8 @@ void cache_reload(void)
   struct hostsfile *ah;
   struct host_record *hr;
   struct name_list *nl;
+  struct cname *a;
+  struct interface_name *intr;
 
   cache_inserted = cache_live_freed = 0;
   
@@ -927,6 +942,20 @@ void cache_reload(void)
 	  up = &cache->hash_next;
       }
   
+  /* Add CNAMEs to interface_names to the cache */
+  for (a = daemon->cnames; a; a = a->next)
+    for (intr = daemon->int_names; intr; intr = intr->next)
+      if (hostname_isequal(a->target, intr->name))
+	{
+	  struct crec *aliasc = safe_malloc(sizeof(struct crec));
+	  aliasc->flags = F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG;
+	  aliasc->name.namep = a->alias;
+	  aliasc->addr.cname.target.int_name = intr;
+	  aliasc->addr.cname.uid = -1;
+	  cache_hash(aliasc);
+	  add_hosts_cname(aliasc); /* handle chains */
+	}
+  
   /* borrow the packet buffer for a temporary by-address hash */
   memset(daemon->packet, 0, daemon->packet_buff_sz);
   revhashsz = daemon->packet_buff_sz / sizeof(struct crec *);
@@ -1019,13 +1048,13 @@ static void add_dhcp_cname(struct crec *target, time_t ttd)
 	
 	if (aliasc)
 	  {
-	    aliasc->flags = F_FORWARD | F_NAMEP | F_DHCP | F_CNAME;
+	    aliasc->flags = F_FORWARD | F_NAMEP | F_DHCP | F_CNAME | F_CONFIG;
 	    if (ttd == 0)
 	      aliasc->flags |= F_IMMORTAL;
 	    else
 	      aliasc->ttd = ttd;
 	    aliasc->name.namep = a->alias;
-	    aliasc->addr.cname.cache = target;
+	    aliasc->addr.cname.target.cache = target;
 	    aliasc->addr.cname.uid = target->uid;
 	    cache_hash(aliasc);
 	    add_dhcp_cname(aliasc, ttd);
@@ -1132,6 +1161,9 @@ void dump_cache(time_t now)
 	    daemon->cachesize, cache_live_freed, cache_inserted);
   my_syslog(LOG_INFO, _("queries forwarded %u, queries answered locally %u"), 
 	    daemon->queries_forwarded, daemon->local_answer);
+#ifdef HAVE_AUTH
+  my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->auth_answer);
+#endif
 
   /* sum counts from different records for same server */
   for (serv = daemon->servers; serv; serv = serv->next)
@@ -1173,7 +1205,7 @@ void dump_cache(time_t now)
 	      {
 		a = "";
 		if (!is_outdated_cname_pointer(cache))
-		  a = cache_get_name(cache->addr.cname.cache);
+		  a = cache_get_cname_target(cache);
 	      }
 #ifdef HAVE_DNSSEC
 	    else if (cache->flags & F_DNSKEY)

src/config.h

@@ -39,14 +39,12 @@
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
 #define LOG_MAX 5 /* log-queue length */
 #define RANDFILE "/dev/urandom"
-#define EDNS0_OPTION_MAC 5 /* dyndns.org temporary assignment */
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
 #define DNSMASQ_PATH "/uk/org/thekelleys/dnsmasq"
 #define AUTH_TTL 600 /* default TTL for auth DNS */
 #define SOA_REFRESH 1200 /* SOA refresh default */
 #define SOA_RETRY 180 /* SOA retry default */
 #define SOA_EXPIRY 1209600 /* SOA expiry default */
-#define RA_INTERVAL 600 /* Send unsolicited RA's this often when not provoked. */
  
 /* compile-time options: uncomment below to enable or do eg.
    make COPTS=-DHAVE_BROKEN_RTC

src/dhcp-common.c

@@ -253,6 +253,110 @@ int match_bytes(struct dhcp_opt *o, unsigned char *p, int len)
   return 0;
 }
 
+int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type)
+{
+  struct hwaddr_config *conf_addr;
+  
+  for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
+    if (conf_addr->wildcard_mask == 0 &&
+	conf_addr->hwaddr_len == len &&
+	(conf_addr->hwaddr_type == type || conf_addr->hwaddr_type == 0) &&
+	memcmp(conf_addr->hwaddr, hwaddr, len) == 0)
+      return 1;
+  
+  return 0;
+}
+
+static int is_config_in_context(struct dhcp_context *context, struct dhcp_config *config)
+{
+  if (!context) /* called via find_config() from lease_update_from_configs() */
+    return 1; 
+
+  if (!(config->flags & (CONFIG_ADDR | CONFIG_ADDR6)))
+    return 1;
+  
+#ifdef HAVE_DHCP6
+  if ((context->flags & CONTEXT_V6) && (config->flags & CONFIG_WILDCARD))
+    return 1;
+#endif
+
+  for (; context; context = context->current)
+#ifdef HAVE_DHCP6
+    if (context->flags & CONTEXT_V6) 
+      {
+	if ((config->flags & CONFIG_ADDR6) && is_same_net6(&config->addr6, &context->start6, context->prefix))
+	  return 1;
+      }
+    else 
+#endif
+      if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
+	return 1;
+
+  return 0;
+}
+
+struct dhcp_config *find_config(struct dhcp_config *configs,
+				struct dhcp_context *context,
+				unsigned char *clid, int clid_len,
+				unsigned char *hwaddr, int hw_len, 
+				int hw_type, char *hostname)
+{
+  int count, new;
+  struct dhcp_config *config, *candidate; 
+  struct hwaddr_config *conf_addr;
+
+  if (clid)
+    for (config = configs; config; config = config->next)
+      if (config->flags & CONFIG_CLID)
+	{
+	  if (config->clid_len == clid_len && 
+	      memcmp(config->clid, clid, clid_len) == 0 &&
+	      is_config_in_context(context, config))
+	    return config;
+	  
+	  /* dhcpcd prefixes ASCII client IDs by zero which is wrong, but we try and
+	     cope with that here. This is IPv4 only. context==NULL implies IPv4, 
+	     see lease_update_from_configs() */
+	  if ((!context || !(context->flags & CONTEXT_V6)) && *clid == 0 && config->clid_len == clid_len-1  &&
+	      memcmp(config->clid, clid+1, clid_len-1) == 0 &&
+	      is_config_in_context(context, config))
+	    return config;
+	}
+  
+
+  if (hwaddr)
+    for (config = configs; config; config = config->next)
+      if (config_has_mac(config, hwaddr, hw_len, hw_type) &&
+	  is_config_in_context(context, config))
+	return config;
+  
+  if (hostname && context)
+    for (config = configs; config; config = config->next)
+      if ((config->flags & CONFIG_NAME) && 
+	  hostname_isequal(config->hostname, hostname) &&
+	  is_config_in_context(context, config))
+	return config;
+
+  
+  if (!hwaddr)
+    return NULL;
+
+  /* use match with fewest wildcard octets */
+  for (candidate = NULL, count = 0, config = configs; config; config = config->next)
+    if (is_config_in_context(context, config))
+      for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
+	if (conf_addr->wildcard_mask != 0 &&
+	    conf_addr->hwaddr_len == hw_len &&	
+	    (conf_addr->hwaddr_type == hw_type || conf_addr->hwaddr_type == 0) &&
+	    (new = memcmp_masked(conf_addr->hwaddr, hwaddr, hw_len, conf_addr->wildcard_mask)) > count)
+	  {
+	      count = new;
+	      candidate = config;
+	  }
+  
+  return candidate;
+}
+
 void dhcp_update_configs(struct dhcp_config *configs)
 {
   /* Some people like to keep all static IP addresses in /etc/hosts.
@@ -341,7 +445,7 @@ void dhcp_update_configs(struct dhcp_config *configs)
 }
 
 #ifdef HAVE_LINUX_NETWORK 
-void bindtodevice(int fd)
+char *whichdevice(void)
 {
   /* If we are doing DHCP on exactly one interface, and running linux, do SO_BINDTODEVICE
      to that device. This is for the use case of  (eg) OpenStack, which runs a new
@@ -349,17 +453,20 @@ void bindtodevice(int fd)
      individual processes don't always see the packets they should.
      SO_BINDTODEVICE is only available Linux. 
 
-     Note that if wildcards are used in --interface, or a configured interface doesn't
-     yet exist, then more interfaces may arrive later, so we can't safely assert there
-     is only one interface and proceed.
+     Note that if wildcards are used in --interface, or --interface is not used at all,
+     or a configured interface doesn't yet exist, then more interfaces may arrive later, 
+     so we can't safely assert there is only one interface and proceed.
 */
   
   struct irec *iface, *found;
   struct iname *if_tmp;
-
+  
+  if (!daemon->if_names)
+    return NULL;
+  
   for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
     if (if_tmp->name && (!if_tmp->used || strchr(if_tmp->name, '*')))
-      return;
+      return NULL;
 
   for (found = NULL, iface = daemon->interfaces; iface; iface = iface->next)
     if (iface->dhcp_ok)
@@ -367,18 +474,24 @@ void bindtodevice(int fd)
 	if (!found)
 	  found = iface;
 	else if (strcmp(found->name, iface->name) != 0) 
-	  return; /* more than one. */
+	  return NULL; /* more than one. */
       }
-  
+
   if (found)
-    {
-      struct ifreq ifr;
-      strcpy(ifr.ifr_name, found->name);
-      /* only allowed by root. */
-      if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) == -1 &&
-	  errno != EPERM)
-	die(_("failed to set SO_BINDTODEVICE on DHCP socket: %s"), NULL, EC_BADNET);
-    }
+    return found->name;
+
+  return NULL;
+}
+ 
+void  bindtodevice(char *device, int fd)
+{
+  struct ifreq ifr;
+  
+  strcpy(ifr.ifr_name, device);
+  /* only allowed by root. */
+  if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) == -1 &&
+      errno != EPERM)
+    die(_("failed to set SO_BINDTODEVICE on DHCP socket: %s"), NULL, EC_BADNET);
 }
 #endif
 
@@ -523,6 +636,8 @@ int lookup_dhcp_opt(int prot, char *name)
   const struct opttab_t *t;
   int i;
 
+  (void)prot;
+
 #ifdef HAVE_DHCP6
   if (prot == AF_INET6)
     t = opttab6;
@@ -542,6 +657,8 @@ int lookup_dhcp_len(int prot, int val)
   const struct opttab_t *t;
   int i;
 
+  (void)prot;
+
 #ifdef HAVE_DHCP6
   if (prot == AF_INET6)
     t = opttab6;
@@ -719,14 +836,14 @@ void log_context(int family, struct dhcp_context *context)
       template = p;
       p += sprintf(p, ", ");
       
-      if (indextoname(daemon->doing_dhcp6 ? daemon->dhcp6fd : daemon->icmp6fd, context->if_index, ifrn_name))
+      if (indextoname(daemon->icmp6fd, context->if_index, ifrn_name))
 	sprintf(p, "%s for %s", (context->flags & CONTEXT_OLD) ? "old prefix" : "constructed", ifrn_name);
     }
-  else if (context->flags & CONTEXT_TEMPLATE)
+  else if (context->flags & CONTEXT_TEMPLATE && !(context->flags & CONTEXT_RA_STATELESS))
     {
       template = p;
       p += sprintf(p, ", ");
-       
+      
       sprintf(p, "template for %s", context->template_interface);  
     }
 #endif
@@ -734,21 +851,37 @@ void log_context(int family, struct dhcp_context *context)
   if (!(context->flags & CONTEXT_OLD) &&
       ((context->flags & CONTEXT_DHCP) || family == AF_INET)) 
     {
-      inet_ntop(family, start, daemon->dhcp_buff, 256);
+#ifdef HAVE_DHCP6
+      if (context->flags & CONTEXT_RA_STATELESS)
+	{
+	  if (context->flags & CONTEXT_TEMPLATE)
+	    strncpy(daemon->dhcp_buff, context->template_interface, 256);
+	  else
+	    strcpy(daemon->dhcp_buff, daemon->addrbuff);
+	}
+      else 
+#endif
+	inet_ntop(family, start, daemon->dhcp_buff, 256);
       inet_ntop(family, end, daemon->dhcp_buff3, 256);
       my_syslog(MS_DHCP | LOG_INFO, 
-	      (context->flags & CONTEXT_RA_STATELESS) ? 
-	      _("%s stateless on %s%.0s%.0s%s") :
-	      (context->flags & CONTEXT_STATIC) ? 
-	      _("%s, static leases only on %.0s%s%s%.0s") :
-	      (context->flags & CONTEXT_PROXY) ?
-	      _("%s, proxy on subnet %.0s%s%.0s%.0s") :
-	      _("%s, IP range %s -- %s%s%.0s"),
-	      (family != AF_INET) ? "DHCPv6" : "DHCP",
+		(context->flags & CONTEXT_RA_STATELESS) ? 
+		_("%s stateless on %s%.0s%.0s%s") :
+		(context->flags & CONTEXT_STATIC) ? 
+		_("%s, static leases only on %.0s%s%s%.0s") :
+		(context->flags & CONTEXT_PROXY) ?
+		_("%s, proxy on subnet %.0s%s%.0s%.0s") :
+		_("%s, IP range %s -- %s%s%.0s"),
+		(family != AF_INET) ? "DHCPv6" : "DHCP",
 		daemon->dhcp_buff, daemon->dhcp_buff3, daemon->namebuff, template);
     }
   
 #ifdef HAVE_DHCP6
+  if (context->flags & CONTEXT_TEMPLATE)
+    {
+      strcpy(daemon->addrbuff, context->template_interface);
+      template = "";
+    }
+
   if ((context->flags & CONTEXT_RA_NAME) && !(context->flags & CONTEXT_OLD))
     my_syslog(MS_DHCP | LOG_INFO, _("DHCPv4-derived IPv6 names on %s%s"), daemon->addrbuff, template);
   
@@ -757,6 +890,16 @@ void log_context(int family, struct dhcp_context *context)
 #endif
 
 }
-      
 
+void log_relay(int family, struct dhcp_relay *relay)
+{
+  inet_ntop(family, &relay->local, daemon->addrbuff, ADDRSTRLEN);
+  inet_ntop(family, &relay->server, daemon->namebuff, ADDRSTRLEN); 
+
+  if (relay->interface)
+    my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s via %s"), daemon->addrbuff, daemon->namebuff, relay->interface);
+  else
+    my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay from %s to %s"), daemon->addrbuff, daemon->namebuff);
+}
+   
 #endif

src/dhcp6-protocol.h

@@ -59,6 +59,7 @@
 #define OPTION6_REMOTE_ID       37
 #define OPTION6_SUBSCRIBER_ID   38
 #define OPTION6_FQDN            39
+#define OPTION6_CLIENT_MAC      79
 
 /* replace this with the real number when allocated.
    defining this also enables the relevant code. */ 

src/dns-protocol.h

@@ -60,6 +60,10 @@
 #define T_MAILB		253	
 #define T_ANY		255
 
+#define EDNS0_OPTION_MAC            65001 /* dyndns.org temporary assignment */
+#define EDNS0_OPTION_CLIENT_SUBNET  8     /* IANA */
+
+
 struct dns_header {
   u16 id;
   u8  hb3,hb4;

src/dnsmasq.c

@@ -50,8 +50,13 @@ int main (int argc, char **argv)
 #if defined(HAVE_LINUX_NETWORK)
   cap_user_header_t hdr = NULL;
   cap_user_data_t data = NULL;
+  char *bound_device = NULL;
+  int did_bind = 0;
 #endif 
+#if defined(HAVE_DHCP) || defined(HAVE_DHCP6)
   struct dhcp_context *context;
+  struct dhcp_relay *relay;
+#endif
 
 #ifdef LOCALEDIR
   setlocale(LC_ALL, "");
@@ -167,50 +172,47 @@ int main (int argc, char **argv)
   daemon->soa_sn = now;
 #endif
   
-#ifdef HAVE_DHCP
-  if (daemon->dhcp || daemon->dhcp6)
-    { 
+#ifdef HAVE_DHCP6
+  if (daemon->dhcp6)
+    {
+      daemon->doing_ra = option_bool(OPT_RA);
       
-#  ifdef HAVE_DHCP6
-      if (daemon->dhcp6)
+      for (context = daemon->dhcp6; context; context = context->next)
 	{
-	  daemon->doing_ra = option_bool(OPT_RA);
-	  
-	  for (context = daemon->dhcp6; context; context = context->next)
-	    {
-	      if (context->flags & CONTEXT_DHCP)
-		daemon->doing_dhcp6 = 1;
-	      if (context->flags & CONTEXT_RA)
-		daemon->doing_ra = 1;
+	  if (context->flags & CONTEXT_DHCP)
+	    daemon->doing_dhcp6 = 1;
+	  if (context->flags & CONTEXT_RA)
+	    daemon->doing_ra = 1;
 #ifndef  HAVE_LINUX_NETWORK
-	      if (context->flags & CONTEXT_TEMPLATE)
-		die (_("dhcp-range constructor not available on this platform"), NULL, EC_BADCONF);
+	  if (context->flags & CONTEXT_TEMPLATE)
+	    die (_("dhcp-range constructor not available on this platform"), NULL, EC_BADCONF);
 #endif 
-	    }
 	}
-#  endif
-
-      /* Note that order matters here, we must call lease_init before
-	 creating any file descriptors which shouldn't be leaked
-	 to the lease-script init process. We need to call common_init
-	 before lease_init to allocate buffers it uses.*/
+    }
+#endif
+  
+#ifdef HAVE_DHCP
+  /* Note that order matters here, we must call lease_init before
+     creating any file descriptors which shouldn't be leaked
+     to the lease-script init process. We need to call common_init
+     before lease_init to allocate buffers it uses.*/
+  if (daemon->dhcp || daemon->doing_dhcp6 || daemon->relay4 || daemon->relay6)
+    {
+      dhcp_common_init();
       if (daemon->dhcp || daemon->doing_dhcp6)
-	{
-	  dhcp_common_init();
-	  lease_init(now);
-	}
-
-      if (daemon->dhcp)
-	dhcp_init();
- 
+	lease_init(now);
+    }
+  
+  if (daemon->dhcp || daemon->relay4)
+    dhcp_init();
+  
 #  ifdef HAVE_DHCP6
-      if (daemon->doing_ra)
-	ra_init(now);
-      
-      if (daemon->doing_dhcp6)
-	dhcp6_init();
+  if (daemon->doing_ra || daemon->doing_dhcp6 || daemon->relay6)
+    ra_init(now);
+  
+  if (daemon->doing_dhcp6 || daemon->relay6)
+    dhcp6_init();
 #  endif
-    }
 
 #endif
 
@@ -240,17 +242,29 @@ int main (int argc, char **argv)
 
 #if defined(HAVE_LINUX_NETWORK) && defined(HAVE_DHCP)
       /* after enumerate_interfaces()  */
+      bound_device = whichdevice();
+      
       if (daemon->dhcp)
 	{
-	  bindtodevice(daemon->dhcpfd);
-	  if (daemon->enable_pxe)
-	    bindtodevice(daemon->pxefd);
+	  if (!daemon->relay4 && bound_device)
+	    {
+	      bindtodevice(bound_device, daemon->dhcpfd);
+	      did_bind = 1;
+	    }
+	  if (daemon->enable_pxe && bound_device)
+	    {
+	      bindtodevice(bound_device, daemon->pxefd);
+	      did_bind = 1;
+	    }
 	}
 #endif
 
 #if defined(HAVE_LINUX_NETWORK) && defined(HAVE_DHCP6)
-      if (daemon->doing_dhcp6)
-	bindtodevice(daemon->dhcp6fd);
+      if (daemon->doing_dhcp6 && !daemon->relay6 && bound_device)
+	{
+	  bindtodevice(bound_device, daemon->dhcp6fd);
+	  did_bind = 1;
+	}
 #endif
     }
   else 
@@ -258,7 +272,7 @@ int main (int argc, char **argv)
  
 #ifdef HAVE_DHCP6
   /* after enumerate_interfaces() */
-  if (daemon->doing_dhcp6 || daemon->doing_ra)
+  if (daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
     join_multicast(1);
 #endif
   
@@ -619,6 +633,8 @@ int main (int argc, char **argv)
 
   if (bind_fallback)
     my_syslog(LOG_WARNING, _("setting --bind-interfaces option because of OS limitations"));
+
+  warn_bound_listeners();
   
   if (!option_bool(OPT_NOWILD)) 
     for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
@@ -642,10 +658,16 @@ int main (int argc, char **argv)
   for (context = daemon->dhcp; context; context = context->next)
     log_context(AF_INET, context);
 
+  for (relay = daemon->relay4; relay; relay = relay->next)
+    log_relay(AF_INET, relay);
+
 #  ifdef HAVE_DHCP6
   for (context = daemon->dhcp6; context; context = context->next)
     log_context(AF_INET6, context);
 
+  for (relay = daemon->relay6; relay; relay = relay->next)
+    log_relay(AF_INET6, relay);
+  
   if (daemon->doing_dhcp6 || daemon->doing_ra)
     dhcp_construct_contexts(now);
   
@@ -653,6 +675,11 @@ int main (int argc, char **argv)
     my_syslog(MS_DHCP | LOG_INFO, _("IPv6 router advertisement enabled"));
 #  endif
 
+#  ifdef HAVE_LINUX_NETWORK
+  if (did_bind)
+    my_syslog(MS_DHCP | LOG_INFO, _("DHCP, sockets bound exclusively to interface %s"), bound_device);
+#  endif
+
   /* after dhcp_contruct_contexts */
   if (daemon->dhcp || daemon->doing_dhcp6)
     lease_find_interfaces(now);
@@ -750,7 +777,7 @@ int main (int argc, char **argv)
 #endif	
   
 #ifdef HAVE_DHCP
-      if (daemon->dhcp)
+      if (daemon->dhcp || daemon->relay4)
 	{
 	  FD_SET(daemon->dhcpfd, &rset);
 	  bump_maxfd(daemon->dhcpfd, &maxfd);
@@ -763,7 +790,7 @@ int main (int argc, char **argv)
 #endif
 
 #ifdef HAVE_DHCP6
-      if (daemon->doing_dhcp6)
+      if (daemon->doing_dhcp6 || daemon->relay6)
 	{
 	  FD_SET(daemon->dhcp6fd, &rset);
 	  bump_maxfd(daemon->dhcp6fd, &maxfd);
@@ -832,6 +859,7 @@ int main (int argc, char **argv)
 	  enumerate_interfaces(0);
 	  /* NB, is_dad_listeners() == 1 --> we're binding interfaces */
 	  create_bound_listeners(0);
+	  warn_bound_listeners();
 	}
 
 #ifdef HAVE_LINUX_NETWORK
@@ -875,7 +903,7 @@ int main (int argc, char **argv)
 #endif      
 
 #ifdef HAVE_DHCP
-      if (daemon->dhcp)
+      if (daemon->dhcp || daemon->relay4)
 	{
 	  if (FD_ISSET(daemon->dhcpfd, &rset))
 	    dhcp_packet(now, 0);
@@ -884,7 +912,7 @@ int main (int argc, char **argv)
 	}
 
 #ifdef HAVE_DHCP6
-      if (daemon->doing_dhcp6 && FD_ISSET(daemon->dhcp6fd, &rset))
+      if ((daemon->doing_dhcp6 || daemon->relay6) && FD_ISSET(daemon->dhcp6fd, &rset))
 	dhcp6_packet(now);
 
       if (daemon->doing_ra && FD_ISSET(daemon->icmp6fd, &rset))
@@ -1227,6 +1255,8 @@ void poll_resolv(int force, int do_reload, time_t now)
 
 void clear_cache_and_reload(time_t now)
 {
+  (void)now;
+
   if (daemon->port != 0)
     cache_reload();
   

src/netlink.c

@@ -402,18 +402,20 @@ static int nl_async(struct nlmsghdr *h)
   	
 static void nl_newaddress(time_t now)
 {
-  if (option_bool(OPT_CLEVERBIND) || daemon->doing_dhcp6 || daemon->doing_ra)
+  (void)now;
+
+  if (option_bool(OPT_CLEVERBIND) || daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
     enumerate_interfaces(0);
   
   if (option_bool(OPT_CLEVERBIND))
     create_bound_listeners(0);
   
 #ifdef HAVE_DHCP6
+  if (daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
+    join_multicast(0);
+  
   if (daemon->doing_dhcp6 || daemon->doing_ra)
-    {
-      join_multicast(0);
-      dhcp_construct_contexts(now);
-    }
+    dhcp_construct_contexts(now);
   
   if (daemon->doing_dhcp6)
     lease_find_interfaces(now);

src/outpacket.c

@@ -70,9 +70,9 @@ void *put_opt6(void *data, size_t len)
 {
   void *p;
 
-  if ((p = expand(len)))
+  if ((p = expand(len)) && data)
     memcpy(p, data, len);   
-
+  
   return p;
 }