1. 14 Oct, 2017 2 commits
    • Simon Kelley's avatar
      Fix logic on EDNS0 headers. · 6fd5d79e
      Simon Kelley authored
      The logic to determine is an EDNS0 header was added was wrong. It compared
      the packet length before and after the operations on the EDNS0 header,
      but these can include adding options to an existing EDNS0 header. So
      a query may have an existing EDNS0 header, which is extended, and logic
      thinks that it had a header added de-novo.
      
      Replace this with a simpler system. Check if the packet has an EDSN0 header,
      do the updates/additions, and then check again. If it didn't have one
      initially, but it has one laterly, that's the correct condition
      to strip the header from a reply, and to assume that the client
      cannot handle packets larger than 512 bytes.
      6fd5d79e
    • Simon Kelley's avatar
      Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS. · 9d6918d3
      Simon Kelley authored
      dnsmasq allows to specify a interface for each name server passed with
      the -S option or pushed through D-Bus; when an interface is set,
      queries to the server will be forced via that interface.
      
      Currently dnsmasq uses SO_BINDTODEVICE to enforce that traffic goes
      through the given interface; SO_BINDTODEVICE also guarantees that any
      response coming from other interfaces is ignored.
      
      This can cause problems in some scenarios: consider the case where
      eth0 and eth1 are in the same subnet and eth0 has a name server ns0
      associated.  There is no guarantee that the response to a query sent
      via eth0 to ns0 will be received on eth0 because the local router may
      have in the ARP table the MAC address of eth1 for the IP of eth0. This
      can happen because Linux sends ARP responses for all the IPs of the
      machine through all interfaces. The response packet on the wrong
      interface will be dropped because of SO_BINDTODEVICE and the
      resolution will fail.
      
      To avoid this situation, dnsmasq should only restrict queries, but not
      responses, to the given interface. A way to do this on Linux is with
      the IP_UNICAST_IF and IPV6_UNICAST_IF socket options which were added
      in kernel 3.4 and, respectively, glibc versions 2.16 and 2.26.
      Reported-by: default avatarHector Martin <marcan@marcan.st>
      Signed-off-by: default avatarBeniamino Galvani <bgalvani@redhat.com>
      9d6918d3
  2. 11 Oct, 2017 1 commit
  3. 10 Oct, 2017 1 commit
  4. 02 Oct, 2017 1 commit
  5. 30 Sep, 2017 1 commit
  6. 27 Sep, 2017 2 commits
  7. 26 Sep, 2017 10 commits
  8. 25 Sep, 2017 1 commit
  9. 08 Sep, 2017 1 commit
  10. 07 Sep, 2017 1 commit
  11. 09 Jul, 2017 3 commits
  12. 28 Jun, 2017 3 commits
    • Rosen Penev's avatar
      Printf related fixes. · cbd29e5d
      Rosen Penev authored
      cbd29e5d
    • Rosen Penev's avatar
      Fix function declarations. · 50a2841d
      Rosen Penev authored
      50a2841d
    • Hans Dedecker's avatar
      Try other servers if first returns REFUSED when --strict-order active. · 9396752c
      Hans Dedecker authored
      If a DNS server replies REFUSED for a given DNS query in strict order mode
      no failover to the next DNS server is triggered as the failover logic only
      covers non strict mode.
      As a result the client will be returned the REFUSED reply without first
      falling back to the secondary DNS server(s).
      
      Make failover support work as well for strict mode config in case REFUSED is
      replied by deleting the strict order check and rely only on forwardall being
      equal to 0 which is the case in non strict mode when a single server has been
      contacted or when strict order mode has been configured.
      9396752c
  13. 26 Jun, 2017 3 commits
  14. 25 Jun, 2017 1 commit
  15. 16 Jun, 2017 1 commit
  16. 07 Jun, 2017 1 commit
    • Chris Novakovic's avatar
      Fix logic of appending ".<layer>" to PXE basename · 2446514e
      Chris Novakovic authored
      Commit f77700aa, which fixes a compiler warning, also breaks the
      behaviour of prepending ".<layer>" to basenames in --pxe-service: in
      situations where the basename contains a ".", the ".<layer>" suffix is
      erroneously added, and in situations where the basename doesn't contain
      a ".", the ".<layer>" suffix is erroneously omitted.
      
      A patch against the git HEAD is attached that inverts this logic and
      restores the expected behaviour of --pxe-service.
      2446514e
  17. 06 Jun, 2017 1 commit
  18. 23 May, 2017 1 commit
  19. 22 May, 2017 5 commits