| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
migrate meta-tpm strongswan tweaks to meta-networking
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
Not everyone wants this to be installed by default. Enable to remove
cureve25519 is someone wants to.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
=========
Fix error in example firewall.sh script
configure: remove useless -Wno-* from default CFLAGS
Add argv_insert_head__empty_argv__head_only to argv tests
Move deprecation of SWEET32/64bit block size ciphers to 2.7
Include --push-remove in the output of --help.
Move '--push-peer-info' documentation from 'server' to 'client options'
add test case(s) to notice 'openvpn --show-cipher' crashing
BUILD: enable CFG and Spectre mitigation for MSVC
Fix loading PKCS12 files on Windows
msvc: fix product version display
msvc: add missing header to project file
config-msvc.h: fix OpenSSL-related defines
contrib/vcpkg-ports: remove openssl port
GitHub Actions: use latest working lukka/run-vcpkg
Use network address for emulated DHCP server as a default
Load OpenSSL config on Windows from trusted location
ring_buffer.h: fix GCC warning about unused function
ssh_openssl.h: remove unused declaration
vcpkg/pkcs11-helper: compatibility with latest vcpkg
config-msvc.h: indicate key material export support
Don't use BF-CBC in unit tests if we don't have it
Define have_blowfish variable in ncp unit tests
doc link-options.rst: Use free open-source dynamic-DNS provider URL
Fix some more wrong defines in config-msvc.h
Ensure the current common_name is in the environment for scripts
Require EC key support in Windows builds
resolvconf fails with -p
Update IRC information in CONTRIBUTING.rst
doc/man (vpn-network-options): fix foreign_option_{n} typo
README.down-root: Fix plugin module name
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
refresh arm_eabi.patch
Changelog:
==========
Enhancements
-Add support for NTPv4 extension field improving synchronisation stability and
resolution of root delay and dispersion (experimental)
-Add support for NTP over PTP (experimental)
-Add support for AES-CMAC and hash functions in GnuTLS
-Improve server interleaved mode to be more reliable and support multiple clients behind NAT
-Update seccomp filter
-Add statistics about interleaved mode to serverstats report
Bug fixes
-Fix RTC support with 64-bit time_t on 32-bit Linux
-Fix seccomp filter to work correctly with bind*device directives
-Suppress kernel adjustments of system clock (dosynctodr) on illumos
Other changes
-Switch Solaris support to illumos
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
mctpd ships with an example dbus service configuration, so install in
the dbus system configuration dir.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
We have a tag for 1.0, now: better handling of local stack configuration
at runtime, and the 5.15 kernel header change has been integrated.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
The commit hash is pointing out to the tag v4.0, not 2.1.0.
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
| |
rv32 does not have seccomp support yet.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pyext_PATTERN will add native arch as suffix when cross compiling.
For example, on qemuarm64, it is expanded to:
pyext_PATTERN ='%s.cpython-310-x86_64-linux-gnu.so'
which will result in the incorrect library name.
root@qemuarm64:~# find /usr/lib/ -name \*ldb\*
/usr/lib/pkgconfig/pyldb-util.cpython-310-x86_64-linux-gnu.pc
/usr/lib/pkgconfig/ldb.pc
/usr/lib/libpyldb-util.cpython-310-x86-64-linux-gnu.so.2.3.2
/usr/lib/libldb.so.2.3.2
/usr/lib/libpyldb-util.cpython-310-x86-64-linux-gnu.so.2
/usr/lib/libldb.so
/usr/lib/libldb.so.2
/usr/lib/python3.10/site-packages/_ldb_text.py
/usr/lib/python3.10/site-packages/ldb.cpython-310-x86_64-linux-gnu.so
/usr/lib/libpyldb-util.cpython-310-x86-64-linux-gnu.so
Set pyext_PATTERN to '%s.so' to remove the suffix.
After the patch:
root@qemuarm64:~# find /usr/lib/ -name \*ldb\*
/usr/lib/pkgconfig/pyldb-util.pc
/usr/lib/pkgconfig/ldb.pc
/usr/lib/libpyldb-util.so.2.3.2
/usr/lib/libldb.so.2.3.2
/usr/lib/libpyldb-util.so.2
/usr/lib/libldb.so
/usr/lib/libldb.so.2
/usr/lib/python3.10/site-packages/_ldb_text.py
/usr/lib/python3.10/site-packages/ldb.so
/usr/lib/libpyldb-util.so
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pyext_PATTERN will add native arch as suffix when cross compiling.
For example, on qemuarm64, it is expanded to:
pyext_PATTERN ='%s.cpython-310-x86_64-linux-gnu.so'
which will result in the incorrect library name.
root@qemuarm64:~# find /usr/lib/python3.10/ -name \*tevent\*.so
/usr/lib/python3.10/site-packages/_tevent.cpython-310-x86_64-linux-gnu.so
/usr/lib/python3.10/site-packages/_tevent.so
Set pyext_PATTERN to '%s.so' to remove the suffix.
After the patch:
root@qemuarm64:~# find /usr/lib/python3.10/ -name \*tevent\*.so
/usr/lib/python3.10/site-packages/_tevent.so
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pyext_PATTERN will add native arch as suffix when cross compiling.
For example, on qemuarm64, it is expanded to:
pyext_PATTERN ='%s.cpython-310-x86_64-linux-gnu.so'
which will result in the incorrect library name.
root@qemuarm64:~# find /usr/lib/python3.10/ -name tdb\*
/usr/lib/python3.10/site-packages/tdb.so
/usr/lib/python3.10/site-packages/tdb.cpython-310-x86_64-linux-gnu.so
Set pyext_PATTERN to '%s.so' to remove the suffix.
After the patch:
root@qemuarm64:~# find /usr/lib/python3.10/ -name tdb\*
/usr/lib/python3.10/site-packages/tdb.so
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pyext_PATTERN will add native arch as suffix when cross compiling.
For example, on qemuarm64, it is expanded to:
pyext_PATTERN ='%s.cpython-310-x86_64-linux-gnu.so'
which will result in the incorrect library name.
root@qemuarm64:~# find /usr/lib -name \*talloc\*
/usr/lib/pkgconfig/talloc.pc
/usr/lib/pkgconfig/pytalloc-util.cpython-310-x86_64-linux-gnu.pc
/usr/lib/libpytalloc-util.cpython-310-x86-64-linux-gnu.so.2.3.3
/usr/lib/libtalloc.so.2
/usr/lib/libpytalloc-util.cpython-310-x86-64-linux-gnu.so.2
/usr/lib/libpytalloc-util.cpython-310-x86-64-linux-gnu.so
/usr/lib/libtalloc.so
/usr/lib/libtalloc.so.2.3.3
/usr/lib/python3.10/site-packages/talloc.cpython-310-x86_64-linux-gnu.so
Set pyext_PATTERN to '%s.so' to remove the suffix.
After the patch:
root@qemuarm64:~# find /usr/lib -name \*talloc\*
/usr/lib/pkgconfig/talloc.pc
/usr/lib/pkgconfig/pytalloc-util.pc
/usr/lib/libpytalloc-util.so.2.3.3
/usr/lib/libtalloc.so.2
/usr/lib/libpytalloc-util.so.2
/usr/lib/libpytalloc-util.so
/usr/lib/libtalloc.so
/usr/lib/libtalloc.so.2.3.3
/usr/lib/python3.10/site-packages/talloc.so
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
Automatically extract new version from GIT tag
Fixes:
Avoid trying to delete inactive VIFs. Fixing an annoying bogus error:
"Failed deleting VIF for iface lo: Resource temporarily unavailable"
Fix #171: too small string buffer for IPv6 address causing garbled
output in periodic expiry callback
Fix too small buffer for IPv6 address in mroute display functions
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes the server use AES-256-GCM instead of BF-CBC as the default
cipher for the VPN tunnel. To avoid breaking existing running configurations
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
Upstream-Status: Backport [https://src.fedoraproject.org/rpms/openvpn/blob/rawhide/f/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Drop
0001-hgfsmounter-Makefile.am-support-usrmerge.patch
(file no longer present)
0001-pollGtk-Fix-volatile-qualifier-exposed-incorrectly.patch
(issue fixed upstream)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Strongswan failed to startup because there is no kernel module named
ipsec. Add basic kernel modules required by strongswan per [1].
[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules,
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):
For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
- no matter its contents - and that set auth ssh), change the STARTTLS
error message to suggest sslproto '' instead.
This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.
License-Update:
Add "SSL library considerations" to COPYING.
Format of COPYING changed.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* fixes:
ERROR: Nothing RPROVIDES 'gnuplot' (but meta-openembedded/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb RDEPENDS on or otherwise requires it)
gnuplot was skipped: missing required distro feature 'x11' (not in DISTRO_FEATURES)
NOTE: Runtime target 'gnuplot' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['gnuplot']
NOTE: Runtime target 'ntpsec' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['ntpsec', 'gnuplot']
NOTE: Runtime target 'ntpsec-python' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['ntpsec-python', 'gnuplot']
ERROR: Nothing RPROVIDES 'ntpsec-dev' (but meta-openembedded/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'ntpsec-dev'
NOTE: Runtime target 'ntpsec-dev' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['ntpsec-dev']
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
|
| |
|
|
|
|
|
| |
It seems to require asciidoctor and currently does not build
until someone fixes it, disable it for cosnsitency.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
| |
seccomp on musl is not fully done yet
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
NTPsec, "a secure, hardened, and improved implementation of Network Time
Protocol derived from NTP Classic, Dave Mills’s original."
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds a recipe for the Management Component Transport
Protocol userspace utilities. This contains:
- the command-line 'mctp' tool, similar to 'ip', for setting up links,
assigning local address and configuring routing.
- an optional 'mctpd' daemon, which implements the MCTP control
protocol, and manages remote address assignment.
The latter depends on systemd (for sdbus), so use a
PACKAGECONFIG[systemd] for the conditional service installation.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
Add openssl PACKAGECONFIG back as the openssl 3.0 compatibility issue
has been fixed.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ifenslave (2.13) unstable; urgency=medium
* QA upload.
[ Guillem Jover ]
* Fix MAC address setting messed up by udev for bond interfaces.
(Closes: #949062)
* Use ifquery instead of example contrib script ifstate. (Closes: #991930)
* Fix ifquery redirections.
* Bump Standards-Version to 4.6.0 (no changed needed).
* Remove long supported Linux version requirements from Description.
[ Sami Haahtinen ]
* Use correct argument in setup_slave_device(). (Closes: #968368)
[ Oleander Reis ]
* Handle slave definitions of interfaces with no bond settings.
(Closes: #990428)
* Delete bond interfaces on ifdown -a. (Closes: #992102)
-- Guillem Jover <guillem@debian.org> Sun, 17 Oct 2021 06:02:55 +0200
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2021.10.04 -- Version 2.5.4
Antonio Quartulli (3):
route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
configure: search also for rst2{man, html}.py
networking: add networking API net_addr_ll_set() and use it on Linux
Arne Schwabe (1):
Move examples into openvpn-examples(5) man page
David Korczynski (1):
Fix argv leaks in add_route() and add_route_ipv6()
David Sommerseth (2):
doc: Use generic rules for man/html generation
man: Clarify IV_HWADDR
Gert Doering (1):
Add error reporting to get_console_input_win32().
Lev Stipakov (3):
Fix console prompts with redirected log
Add building man page on Windows
GitHub Actions: remove Ubuntu 16.04 environment
Max Fillinger (1):
Update Fox e-mail address in copyright notices
Selva Nair (1):
Minor doc correction: tls-crypt-v2 key generation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
Until upstream addresses openssl 3.x compatibility issues.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fixes
../git/configure: line 5918: syntax error near unexpected token `libsystemd,'
../git/configure: line 5918: ` PKG_CHECK_MODULES(libsystemd, libsystemd, with_libsystemd=yes, true)'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
v2.5.3 Changes
New tests to verify add/del of IPv4/IPv6 routes in kernel MFC
Fixes
Fix #166: build warning with gcc 10.2.1: "comparison is always true due to limited range of data type"
Fix build warning with --disable-mrdisc configure option
Fix #167: cannot remove routes added with smcroutectl add, only affects add/del at runtime with smcroutectl, not .conf reload
Fix #168: build problem on Debian/kFreeBSD, used wrong queue.h
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
| |
fixes
CMake Error at /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/rdma-core/36.0-r0/recipe-sysroot-native/usr/share/cmake-3.21/Modules/FindPackageHandleStandardArgs.cmake:230 (message):
| Could NOT find PkgConfig (missing: PKG_CONFIG_EXECUTABLE)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
| |
Fixes
| make: *** No targets specified and no makefile found. Stop.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes linking errors
| ../../lib/tevent/tevent.h:1446:8: error: unknown type name 'pid_t'
| pid_t *pid,
| ^
| ../../lib/tevent/tevent.h:1525:8: error: unknown type name 'pid_t'
| pid_t pid,
| ^
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes
configure.ac:1: error: possibly undefined macro: dnl
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
build: Fix compile error with libressl
build: Always include optional files to EXTRA_DIST
build: Add missing cmake files to EXTRA_DIST
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Features
Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones.
Fix: Resolve interface names on control-interface too.
Merge #470 from edevil: Allow configuration of persistent TCP connections.
Fix #474: always_null and others inside view.
Add that log-servfail prints an IP address and more information about one of the last failures for that query.
Merge #478: Allow configuration of TCP timeout while waiting for response.
Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes.
zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone.
Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https.
Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
version 2.86
Handle DHCPREBIND requests in the DHCPv6 server code.
Thanks to Aichun Li for spotting this omission, and the initial
patch.
Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.
Major rewrite of the DNS server and domain handling code.
This should be largely transparent, but it drastically
improves performance and reduces memory foot-print when
configuring large numbers domains of the form
local=/adserver.com/
or
local=/adserver.com/#
Lookup times now grow as log-to-base-2 of the number of domains,
rather than greater than linearly, as before.
The change makes multiple addresses associated with a domain work
address=/example.com/1.2.3.4
address=/example.com/5.6.7.8
It also handles multiple upstream servers for a domain better; using
the same try/retry algorithms as non domain-specific servers. This
also applies to DNSSEC-generated queries.
Finally, some of the oldest and gnarliest code in dnsmasq has had
a significant clean-up. It's far from perfect, but it _is_ better.
Revise resource handling for number of concurrent DNS queries. This
used to have a global limit, but that has a problem when using
different servers for different upstream domains. Queries which are
routed by domain to an upstream server which is not responding will
build up and trigger the limit, which breaks DNS service for
all other domains which could be handled by other servers. The
change is to make the limit per server-group, where a server group
is the set of servers configured for a particular domain. In the
common case, where only default servers are declared, there is
no effective change.
Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
used to be when it entered the cache, having been validated. After
that queries requiring the KEY or DS records would share the cached
values. There is a common case in dual-stack hosts that queries for
A and AAAA records for the same domain are made simultaneously.
If required keys were not in the cache, this would result in two
requests being sent upstream for the same key data (and all the
subsequent chain-of-trust queries.) Now we combine these requests
and elide the duplicates, resulting in fewer queries upstream
and better performance. To keep a better handle on what's
going on, the "extra" logging mode has been modified to associate
queries and answers for DNSSEC queries in the same way as ordinary
queries. The requesting address and port have been removed from
DNSSEC logging lines, since this is no longer strictly defined.
Connection track mark based DNS query filtering. Thanks to
Etan Kissling for implementing this It extends query filtering
support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.
Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.
Allow smaller than 64 prefix lengths in synth-domain, with caveats.
--synth-domain=1234:4567::/56,example.com is now valid.
Make domains generated by --synth-domain appear in replies
when in authoritative mode.
Ensure CAP_NET_ADMIN capability is available when
conntrack is configured. Thanks to Yick Xie for spotting
the lack of this.
When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which
files within that directory are read (alphabetical order
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
STABLE RELEASE 1.0.5:
- Add --no-solicit option to skip sending the discovery packet.
- Ignore multicast advertisements when discovery was sent as unicast
- Since its point release, no need to use +git${SRCPV} in PV it can be
absolute
Signed-off-by: William A. Kennington III <wak@google.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
