From 899cc45dc4e70320bbc817cc468993a635811c0c Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Fri, 3 Jan 2020 13:39:06 +0200 Subject: [PATCH] dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto Mount-bind directory instead of resolv.conf.auto file in jail to avoid problems when the file is deleted/replaced. Signed-off-by: Daniel Golle --- package/network/services/dnsmasq/Makefile | 2 +- .../50-dnsmasq-migrate-resolv-conf-auto.sh | 8 ++ .../network/services/dnsmasq/files/dhcp.conf | 2 +- .../services/dnsmasq/files/dnsmasq.init | 132 ++++++++++++------ .../services/dnsmasq/files/dnsmasqsec.hotplug | 7 +- 5 files changed, 99 insertions(+), 52 deletions(-) create mode 100755 package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh mode change 100755 => 100644 package/network/services/dnsmasq/files/dnsmasq.init mode change 100755 => 100644 package/network/services/dnsmasq/files/dnsmasqsec.hotplug diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 14be809ec1..12bf991a36 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_VERSION:=2.82 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq diff --git a/package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh b/package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh new file mode 100755 index 0000000000..480e2df471 --- /dev/null +++ b/package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +[ "$(uci get dhcp.@dnsmasq[0].resolvfile)" = "/tmp/resolv.conf.auto" ] && { + uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.d/resolv.conf.auto" + uci commit dhcp +} + +exit 0 diff --git a/package/network/services/dnsmasq/files/dhcp.conf b/package/network/services/dnsmasq/files/dhcp.conf index 60477ed2cd..c2b4a8c56f 100644 --- a/package/network/services/dnsmasq/files/dhcp.conf +++ b/package/network/services/dnsmasq/files/dhcp.conf @@ -13,7 +13,7 @@ config dnsmasq option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' - option resolvfile '/tmp/resolv.conf.auto' + option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' #list server '/mycompany.local/1.2.3.4' option nonwildcard 1 # bind to & keep track of interfaces #list interface br-lan diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init old mode 100755 new mode 100644 index dc615831bf..c26433563e --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -22,10 +22,45 @@ DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh" DNSMASQ_DHCP_VER=4 -xappend() { - local value="$1" +dnsmasq_ignore_opt() { + local opt="$1" - echo "${value#--}" >> $CONFIGFILE_TMP + if [ -z "$dnsmasq_features" ]; then + dnsmasq_features="$(dnsmasq --version | grep -m1 'Compile time options:' | cut -d: -f2) " + [ "${dnsmasq_features#* DHCP }" = "$dnsmasq_features" ] || dnsmasq_has_dhcp=1 + [ "${dnsmasq_features#* DHCPv6 }" = "$dnsmasq_features" ] || dnsmasq_has_dhcp6=1 + [ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1 + [ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1 + [ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1 + fi + + case "$opt" in + dhcp-duid|\ + ra-param) + [ -z "$dnsmasq_has_dhcp6" ] ;; + dhcp-*|\ + bootp-*|\ + pxe-*) + [ -z "$dnsmasq_has_dhcp" ] ;; + dnssec-*|\ + trust-anchor) + [ -z "$dnsmasq_has_dnssec" ] ;; + tftp-*) + [ -z "$dnsmasq_has_tftp" ] ;; + ipset) + [ -z "$dnsmasq_has_ipset" ] ;; + *) + return 1 + esac +} + +xappend() { + local value="${1#--}" + local opt="${value%%=*}" + + if ! dnsmasq_ignore_opt "$opt"; then + echo "$value" >>$CONFIGFILE_TMP + fi } hex_to_hostid() { @@ -75,11 +110,6 @@ dhcp_check() { udhcpc -n -q -s /bin/true -t 1 -i "$ifname" >&- && rv=1 || rv=0 - [ $rv -eq 1 ] && \ - logger -t dnsmasq \ - "found already running DHCP-server on interface '$ifname'" \ - "refusing to start, use 'option force 1' to override" - echo $rv > "$stamp" return $rv } @@ -172,7 +202,7 @@ filter_dnsmasq() { # use entry when no instance entry set, or if it matches config_get found_cfg "$cfg" "instance" - if [ -z "$found_cfg" -o "$found_cfg" = "$match_cfg" ]; then + if [ -z "$found_cfg" ] || [ "$found_cfg" = "$match_cfg" ]; then $func $cfg fi } @@ -291,10 +321,10 @@ dhcp_host_add() { config_get ip "$cfg" ip config_get hostid "$cfg" hostid - [ -n "$ip" -o -n "$name" -o -n "$hostid" ] || return 0 + [ -z "$ip" ] && [ -z "$name" ] && [ -z "$hostid" ] && return 0 config_get_bool dns "$cfg" dns 0 - [ "$dns" = "1" -a -n "$ip" -a -n "$name" ] && { + [ "$dns" = "1" ] && [ -n "$ip" ] && [ -n "$name" ] && { echo "$ip $name${DOMAIN:+.$DOMAIN}" >> $HOSTFILE_TMP } @@ -308,13 +338,13 @@ dhcp_host_add() { for m in $mac; do append macs "$m" ","; done fi - if [ $DNSMASQ_DHCP_VER -eq 6 -a -n "$duid" ]; then + if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ -n "$duid" ]; then # --dhcp-host=id:00:03:00:01:12:00:00:01:02:03,[::beef],lap # one (virtual) machine gets one DUID per RFC3315 duids="id:${duid// */}" fi - if [ -z "$macs" -a -z "$duids" ]; then + if [ -z "$macs" ] && [ -z "$duids" ]; then # --dhcp-host=lap,192.168.0.199,[::beef] [ -n "$name" ] || return 0 macs="$name" @@ -381,7 +411,7 @@ dhcp_this_host_add() { dhcp_domain_add "" "$routername" "$lanaddr" fi - if [ -n "$ulaprefix" -a -n "$lanaddrs6" ] ; then + if [ -n "$ulaprefix" ] && [ -n "$lanaddrs6" ] ; then for lanaddr6 in $lanaddrs6 ; do case "$lanaddr6" in "${ulaprefix%%:/*}"*) @@ -437,7 +467,7 @@ dhcp_boot_add() { config_get servername "$cfg" servername config_get serveraddress "$cfg" serveraddress - [ -n "$serveraddress" -a ! -n "$servername" ] && return 0 + [ -n "$serveraddress" ] && [ ! -n "$servername" ] && return 0 xappend "--dhcp-boot=${networkid:+net:$networkid,}${filename}${servername:+,$servername}${serveraddress:+,$serveraddress}" @@ -482,7 +512,12 @@ dhcp_add() { #check for an already active dhcp server on the interface, unless 'force' is set config_get_bool force "$cfg" force 0 - [ $force -gt 0 ] || dhcp_check "$ifname" || return 0 + [ $force -gt 0 ] || dhcp_check "$ifname" || { + logger -t dnsmasq \ + "found already running DHCP-server on interface '$ifname'" \ + "refusing to start, use 'option force 1' to override" + return 0 + } config_get start "$cfg" start 100 config_get limit "$cfg" limit 150 @@ -531,7 +566,7 @@ dhcp_add() { fi - if [ $DNSMASQ_DHCP_VER -eq 6 -a "$ra" = "server" ] ; then + if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ "$ra" = "server" ] ; then # Note: dnsmasq cannot just be a DHCPv6 server (all-in-1) # and let some other machine(s) send RA pointing to it. @@ -731,7 +766,9 @@ dhcp_relay_add() { dnsmasq_start() { - local cfg="$1" disabled resolvfile user_dhcpscript + local cfg="$1" + local disabled user_dhcpscript + local resolvfile resolvdir localuse=0 config_get_bool disabled "$cfg" disabled 0 [ "$disabled" -gt 0 ] && return 0 @@ -768,13 +805,13 @@ dnsmasq_start() $PROG --version | grep -osqE "^Compile time options:.* DHCPv6( |$)" && DHCPv6CAPABLE=1 || DHCPv6CAPABLE=0 - if [ -x /usr/sbin/odhcpd -a -x /etc/init.d/odhcpd ] ; then + if [ -x /usr/sbin/odhcpd ] && [ -x /etc/init.d/odhcpd ] ; then local odhcpd_is_main odhcpd_is_enabled config_get odhcpd_is_main odhcpd maindhcp 0 /etc/init.d/odhcpd enabled && odhcpd_is_enabled=1 || odhcpd_is_enabled=0 - if [ "$odhcpd_is_enabled" -eq 0 -a "$DHCPv6CAPABLE" -eq 1 ] ; then + if [ "$odhcpd_is_enabled" -eq 0 ] && [ "$DHCPv6CAPABLE" -eq 1 ] ; then # DHCP V4 and V6 in DNSMASQ DNSMASQ_DHCP_VER=6 elif [ "$odhcpd_is_main" -gt 0 ] ; then @@ -797,7 +834,7 @@ dnsmasq_start() if [ -x /etc/init.d/dhcpd ] ; then /etc/init.d/dhcpd enabled && DNSMASQ_DHCP_VER=0 fi - if [ -x /etc/init.d/dhcpd6 -a "$DNSMASQ_DHCP_VER" -gt 0 ] ; then + if [ -x /etc/init.d/dhcpd6 ] && [ "$DNSMASQ_DHCP_VER" -gt 0 ] ; then /etc/init.d/dhcpd6 enabled && DNSMASQ_DHCP_VER=4 fi fi @@ -828,11 +865,13 @@ dnsmasq_start() append_bool "$cfg" sequential_ip "--dhcp-sequential-ip" append_bool "$cfg" allservers "--all-servers" append_bool "$cfg" noping "--no-ping" + append_bool "$cfg" rapidcommit "--dhcp-rapid-commit" + append_bool "$cfg" scriptarp "--script-arp" append_bool "$cfg" filter_aaaa "--filter-aaaa" append_parm "$cfg" logfacility "--log-facility" - + append_parm "$cfg" mini_ttl "--min-ttl" append_parm "$cfg" cachesize "--cache-size" @@ -861,6 +900,9 @@ dnsmasq_start() append_parm "$cfg" "tftp_root" "--tftp-root" append_parm "$cfg" "dhcp_boot" "--dhcp-boot" append_parm "$cfg" "local_ttl" "--local-ttl" + append_parm "$cfg" "max_ttl" "--max-ttl" + append_parm "$cfg" "min_cache_ttl" "--min-cache-ttl" + append_parm "$cfg" "max_cache_ttl" "--max-cache-ttl" append_parm "$cfg" "pxe_prompt" "--pxe-prompt" config_list_foreach "$cfg" "pxe_service" append_pxe_service config_get DOMAIN "$cfg" domain @@ -878,20 +920,22 @@ dnsmasq_start() config_get user_dhcpscript $cfg dhcpscript if has_handler || [ -n "$user_dhcpscript" ]; then xappend "--dhcp-script=$DHCPSCRIPT" + xappend "--script-arp" fi config_get leasefile $cfg leasefile "/tmp/dhcp.leases" - [ -n "$leasefile" -a \! -e "$leasefile" ] && touch "$leasefile" + [ -n "$leasefile" ] && [ ! -e "$leasefile" ] && touch "$leasefile" config_get_bool cachelocal "$cfg" cachelocal 1 config_get_bool noresolv "$cfg" noresolv 0 if [ "$noresolv" != "1" ]; then - config_get resolvfile "$cfg" resolvfile "/tmp/resolv.conf.auto" - # So jail doesn't complain if file missing - [ -n "$resolvfile" -a \! -e "$resolvfile" ] && touch "$resolvfile" + config_get resolvfile "$cfg" resolvfile /tmp/resolv.conf.d/resolv.conf.auto + [ -n "$resolvfile" ] && [ ! -e "$resolvfile" ] && touch "$resolvfile" + xappend "--resolv-file=$resolvfile" + [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1 + resolvdir="$(dirname "$resolvfile")" fi - - [ -n "$resolvfile" ] && xappend "--resolv-file=$resolvfile" + config_get_bool localuse "$cfg" localuse "$localuse" config_get hostsfile "$cfg" dhcphostsfile [ -e "$hostsfile" ] && xappend "--dhcp-hostsfile=$hostsfile" @@ -924,12 +968,12 @@ dnsmasq_start() xappend "--conf-file=$TRUSTANCHORSFILE" xappend "--dnssec" [ -x /etc/init.d/sysntpd ] && { - /etc/init.d/sysntpd enabled - [ "$?" -ne 0 -o "$(uci_get system.ntp.enabled)" = "1" ] && { + if /etc/init.d/sysntpd enabled || [ "$(uci_get system.ntp.enabled)" = "1" ] ; then [ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck" - } + fi } - append_bool "$cfg" dnsseccheckunsigned "--dnssec-check-unsigned" + config_get_bool dnsseccheckunsigned "$cfg" dnsseccheckunsigned 1 + [ "$dnsseccheckunsigned" -eq 0 ] && xappend "--dnssec-check-unsigned=no" } config_get addmac "$cfg" addmac 0 @@ -1014,7 +1058,7 @@ dnsmasq_start() mv -f $CONFIGFILE_TMP $CONFIGFILE mv -f $HOSTFILE_TMP $HOSTFILE - [ "$resolvfile" = "/tmp/resolv.conf.auto" ] && { + [ "$localuse" -gt 0 ] && { rm -f /tmp/resolv.conf [ $ADD_LOCAL_DOMAIN -eq 1 ] && [ -n "$DOMAIN" ] && { echo "search $DOMAIN" >> /tmp/resolv.conf @@ -1032,7 +1076,7 @@ dnsmasq_start() procd_set_param respawn procd_add_jail dnsmasq ubus log - procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT + procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile procd_close_instance @@ -1040,17 +1084,15 @@ dnsmasq_start() dnsmasq_stop() { - local cfg="$1" resolvfile + local cfg="$1" + local noresolv resolvfile localuse=0 + config_get_bool noresolv "$cfg" noresolv 0 config_get resolvfile "$cfg" "resolvfile" - #relink /tmp/resolve.conf only for main instance - [ "$resolvfile" = "/tmp/resolv.conf.auto" ] && { - [ -f /tmp/resolv.conf ] && { - rm -f /tmp/resolv.conf - ln -s "$resolvfile" /tmp/resolv.conf - } - } + [ "$noresolv" = 0 ] && [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1 + config_get_bool localuse "$cfg" localuse "$localuse" + [ "$localuse" -gt 0 ] && ln -sf "/tmp/resolv.conf.d/resolv.conf.auto" /tmp/resolv.conf rm -f ${BASEDHCPSTAMPFILE}.${cfg}.*.dhcp } @@ -1062,7 +1104,7 @@ add_interface_trigger() config_get interface "$1" interface config_get_bool ignore "$1" ignore 0 - [ -n "$interface" -a $ignore -eq 0 ] && procd_add_interface_trigger "interface.*" "$interface" /etc/init.d/dnsmasq reload + [ -n "$interface" ] && [ $ignore -eq 0 ] && procd_add_interface_trigger "interface.*" "$interface" /etc/init.d/dnsmasq reload } service_triggers() @@ -1090,7 +1132,7 @@ start_service() { local type="$1" local name="$2" if [ "$type" = "dnsmasq" ]; then - if [ -n "$instance" -a "$instance" = "$name" ]; then + if [ -n "$instance" ] && [ "$instance" = "$name" ]; then instance_found=1 fi fi @@ -1119,7 +1161,7 @@ stop_service() { local type="$1" local name="$2" if [ "$type" = "dnsmasq" ]; then - if [ -n "$instance" -a "$instance" = "$name" ]; then + if [ -n "$instance" ] && [ "$instance" = "$name" ]; then instance_found=1 fi fi diff --git a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug old mode 100755 new mode 100644 index 781d533734..71f5e68b2d --- a/package/network/services/dnsmasq/files/dnsmasqsec.hotplug +++ b/package/network/services/dnsmasq/files/dnsmasqsec.hotplug @@ -1,14 +1,11 @@ -#!/bin/sh - -. /lib/functions/procd.sh - TIMEVALIDFILE="/var/state/dnsmasqsec" -[ "$ACTION" = stratum ] || exit 0 +[ "$ACTION" = "stratum" ] || exit 0 [ -f "$TIMEVALIDFILE" ] || { echo "ntpd says time is valid" >$TIMEVALIDFILE /etc/init.d/dnsmasq enabled && { + . /lib/functions/procd.sh procd_send_signal dnsmasq '*' INT } }