diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index c36faa1192..6cd28d51c4 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=dnsmasq
-PKG_UPSTREAM_VERSION:=2.87rc1
+PKG_UPSTREAM_VERSION:=2.87
 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
 PKG_RELEASE:=$(AUTORELEASE)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates/
-PKG_HASH:=a13df87ac500bdda920197f33a07251559ff60f4fbe26f46317241bd2bade9a9
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
+PKG_HASH:=0228c0364a7f2356fd7e7f1549937cbf3099a78d3b2eb1ba5bb0c31e2b89de7a
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index c5ebc12206..7747329774 100755
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -793,14 +793,24 @@ dnsmasq_ipset_add() {
 }
 add_nftset() {
- nftsets="${nftsets:+$nftsets,}inet#fw4#$1"
+ local IFS=,
+ for set in $1; do
+ local family=$(echo "$set" | sed -nre 's#^.*[^0-9]([46])$#\1#p')
+ [ -n "$family" ] || \
+ family=$(nft -t list set inet "$table" "$set" 2>&1 | sed -nre 's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p')
+ [ -n "$family" ] || \
+ logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'"
+ nftsets="${nftsets:+$nftsets,}${family:+$family#}inet#$table#$set"
+ done
 }
 add_domain() {
 # leading '/' is expected
 domains="$domains/$1"
 }
-
+ config_get table "$cfg" table 'fw4'
 config_list_foreach "$cfg" "name" add_ipset
 config_list_foreach "$cfg" "name" add_nftset
 config_list_foreach "$cfg" "domain" add_domain
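Review bot: In `add_nftset` the address family is guessed from a trailing `4` or `6` in the set name before nft is consulted, so a set such as `vlan4` (constructed example) whose declared element type is IPv6 would be emitted with family 4 and would presumably never be populated, which matters when the set backs a firewall allow or deny rule. Querying nft first and keeping the name suffix only as the fallback for sets that do not exist yet avoids this: `local family=$(nft -t list set inet "$table" "$set" 2>&1 | sed -nre 's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p')` followed by `[ -n "$family" ] || family=$(echo "$set" | sed -nre 's#^.*[^0-9]([46])$#\1#p')`. The `logger` message blames a non-existent set for every failure, although a wrong `table` value or a set with a non-address type reaches the same branch, and the entry is still written without a family prefix; wording such as `"Cannot infer address family for nftables set '$set' in table '$table'"` would be more accurate. `set` is not declared `local`, and both `$set` and `$table` pass unvalidated from UCI into the nft command line and the generated `#`-delimited option, so a short comment stating that they are trusted configuration values would help; the enclosing function begins outside the hunk.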
diff --git a/package/network/services/dnsmasq/patches/0001-Fix-a-problem-in-overload-handling.patch b/package/network/services/dnsmasq/patches/0001-Fix-a-problem-in-overload-handling.patch
deleted file mode 100644
index ecc49c4753..0000000000
--- a/package/network/services/dnsmasq/patches/0001-Fix-a-problem-in-overload-handling.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c4b9bc63e0029cf1beaf8bdcbd92fa09f33b599d Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Fri, 9 Sep 2022 12:53:49 +0100
-Subject: [PATCH] Fix a problem in overload handling.
-
-Sending the same query repeatedly to a dnsmasq instance which
-doesn't get replies from upstream will eventually hit the
-hard limit on frec_src structures and start gettin REFUSED
-replies. This is OK, except that since the queries are no longer
-being forwarded, an upstream server coming back doesn't reset the
-situation. If there is any other traffic, frec allocation will
-eventually delete the timed-out frec and get things moving again,
-but that's not guaranteed.
-
-To fix this we explicitly delete the frec once timed out in this case.
-
-Thanks to Filip Jenicek for noticing and characterising this problem.
----
- src/forward.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/forward.c b/src/forward.c
-index 8562b2d..fa80251 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -244,6 +244,14 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
- if (!daemon->free_frec_src)
- {
- query_full(now, NULL);
-+ /* This is tricky; if we're blasted with the same query
-+ over and over, we'll end up taking this path each time
-+ and never resetting until the frec gets deleted by
-+ aging followed by the receipt of a different query. This
-+ is a bit of a DoS vuln. Avoid by explicitly deleting the
-+ frec once it expires. */
-+ if (difftime(now, forward->time) >= TIMEOUT)
-+ free_frec(forward);
- goto reply;
- }
-
---
-2.37.3
-