dnsmasq: bump to v2.80

Cherry-picked & squashed from relevant commits from master:

dnsmasq v2.80 release

Change from rc1:

91421cb Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4d3d705a)

dnsmasq: remove creation of /etc/ethers

Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 6c227e45cb)

dnsmasq: bump to dnsmasq v2.80test5

Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)

Upstream commits since last bump:

da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 3d377f4375)

dnsmasq: bump to dnsmasq 2.80test6

Refresh patches

Changes since latest bump:

af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 43d4b8e89e)

dnsmasq: Handle memory allocation failure in make_non_terminals()

Backport upstream commit:

ea6cc33 Handle memory allocation failure in make_non_terminals()

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 687168ccd9)

dnsmasq: Change behavior when RD bit unset in queries.

Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4cbe94bd)

dnsmasq: bump to v2.80test7

Bump to latest test release:

3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)

Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit d9a37d8d1e)

dnsmasq: bump to v2.80test8

e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30cc5b0bf4)

dnsmasq: add dhcp-ignore-names support - CERT VU#598349

dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames.  Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.

Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.

/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.

dhcp-name-match=set:dhcp_bogus_hostname,localhost

Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.

To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit a45f4f50e1)

dnsmasq: fix compile issue

Fix compile issue in case HAVE_BROKEN_RTC is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 39e5e17045)

dnsmasq: bump to v2.80rc1

53792c9 fix typo
df07182 Update German translation.

Remove local patch 001-fix-typo which is a backport of the above 53792c9

There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit b8bc672f24)

dnsmasq: fix dnsmasq failure to start when ujail'd

This patch fixes jailed dnsmasq running into the following issue:

|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 583466bb5b)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

package/network/services/dnsmasq/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.80test3
+PKG_VERSION:=2.80
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
-PKG_HASH:=af9f6fd13e0d6c5a68059bcf8634c2784c0533017fd48fbaf59cd2955342d301
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
+PKG_HASH:=cdaba2785e92665cf090646cba6f94812760b9d7d8c8d0cfb07ac819377a63bb
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -124,7 +124,8 @@ Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)
 TARGET_CFLAGS += -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
-COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6)
+COPTS = -DHAVE_UBUS \
+	$(if $(CONFIG_IPV6),,-DNO_IPV6)
 
 ifeq ($(BUILD_VARIANT),nodhcpv6)
 	COPTS += -DNO_DHCP6
@@ -165,6 +166,7 @@ define Package/dnsmasq/install
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
 	$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
 	$(INSTALL_DIR) $(1)/usr/share/dnsmasq
+	$(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
 	$(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
 	$(INSTALL_DIR) $(1)/usr/lib/dnsmasq
 	$(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh

package/network/services/dnsmasq/files/dhcpbogushostname.conf

@@ -0,0 +1,8 @@
+# dhcpbogushostname.conf included configuration file for dnsmasq
+#
+# includes a list of hostnames that should not be associated with dhcp leases
+# in response to CERT VU#598349
+# file included by default, option dhcpbogushostname 0  to disable
+
+dhcp-name-match=set:dhcp_bogus_hostname,localhost
+dhcp-name-match=set:dhcp_bogus_hostname,wpad

package/network/services/dnsmasq/files/dnsmasq.init

@@ -16,6 +16,7 @@ BASEHOSTFILE="/tmp/hosts/dhcp"
 TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
 TIMEVALIDFILE="/var/state/dnsmasqsec"
 BASEDHCPSTAMPFILE="/var/run/dnsmasq"
+DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf"
 RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf"
 DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh"
 
@@ -813,6 +814,7 @@ dnsmasq_start()
 	append_bool "$cfg" localise_queries "--localise-queries"
 	append_bool "$cfg" readethers "--read-ethers"
 	append_bool "$cfg" dbus "--enable-dbus"
+	append_bool "$cfg" ubus "--enable-ubus"	1
 	append_bool "$cfg" expandhosts "--expand-hosts"
 	config_get tftp_root "$cfg" "tftp_root"
 	[ -n "$tftp_root" ] && mkdir -p "$tftp_root" && append_bool "$cfg" enable_tftp "--enable-tftp"
@@ -869,9 +871,6 @@ dnsmasq_start()
 		ADD_LOCAL_FQDN="$ADD_LOCAL_HOSTNAME"
 	fi
 
-	config_get_bool readethers "$cfg" readethers
-	[ "$readethers" = "1" -a \! -e "/etc/ethers" ] && touch /etc/ethers
-
 	config_get user_dhcpscript $cfg dhcpscript
 	if has_handler || [ -n "$user_dhcpscript" ]; then
 		xappend "--dhcp-script=$DHCPSCRIPT"
@@ -958,6 +957,13 @@ dnsmasq_start()
 
 	config_foreach filter_dnsmasq host dhcp_host_add "$cfg"
 	echo >> $CONFIGFILE_TMP
+
+	config_get_bool dhcpbogushostname "$cfg" dhcpbogushostname 1
+	[ "$dhcpbogushostname" -gt 0 ] && {
+		xappend "--dhcp-ignore-names=tag:dhcp_bogus_hostname"
+		[ -r "$DHCPBOGUSHOSTNAMEFILE" ] && xappend "--conf-file=$DHCPBOGUSHOSTNAMEFILE"
+	}
+
 	config_foreach filter_dnsmasq boot dhcp_boot_add "$cfg"
 	config_foreach filter_dnsmasq mac dhcp_mac_add "$cfg"
 	config_foreach filter_dnsmasq tag dhcp_tag_add "$cfg"
@@ -1022,7 +1028,7 @@ dnsmasq_start()
 	procd_set_param respawn
 
 	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
+	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
 	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
 
 	procd_close_instance

package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch

@@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
 
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -88,7 +88,7 @@ typedef unsigned long long u64;
+@@ -95,7 +95,7 @@ typedef unsigned long long u64;
  #if defined(HAVE_SOLARIS_NETWORK)
  #  include <sys/sockio.h>
  #endif

package/network/services/dnsmasq/patches/240-ubus.patch

@@ -1,128 +0,0 @@
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -19,6 +19,8 @@
- 
- #include "dnsmasq.h"
- 
-+#include <libubus.h>
-+
- struct daemon *daemon;
- 
- static volatile pid_t pid = 0;
-@@ -32,6 +34,64 @@ static void fatal_event(struct event_des
- static int read_event(int fd, struct event_desc *evp, char **msg);
- static void poll_resolv(int force, int do_reload, time_t now);
- 
-+static struct ubus_context *ubus;
-+static struct blob_buf b;
-+
-+static struct ubus_object_type ubus_object_type = {
-+	.name = "dnsmasq",
-+};
-+
-+static struct ubus_object ubus_object = {
-+	.name = "dnsmasq",
-+	.type = &ubus_object_type,
-+};
-+
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
-+{
-+	if (!ubus || !ubus_object.has_subscribers)
-+		return;
-+
-+	blob_buf_init(&b, 0);
-+	if (mac)
-+		blobmsg_add_string(&b, "mac", mac);
-+	if (ip)
-+		blobmsg_add_string(&b, "ip", ip);
-+	if (name)
-+		blobmsg_add_string(&b, "name", name);
-+	if (interface)
-+		blobmsg_add_string(&b, "interface", interface);
-+	ubus_notify(ubus, &ubus_object, type, b.head, -1);
-+}
-+
-+static void set_ubus_listeners(void)
-+{
-+	if (!ubus)
-+		return;
-+
-+	poll_listen(ubus->sock.fd, POLLIN);
-+	poll_listen(ubus->sock.fd, POLLERR);
-+	poll_listen(ubus->sock.fd, POLLHUP);
-+}
-+
-+static void check_ubus_listeners()
-+{
-+	if (!ubus) {
-+		ubus = ubus_connect(NULL);
-+		if (ubus)
-+			ubus_add_object(ubus, &ubus_object);
-+		else
-+			return;
-+	}
-+
-+	if (poll_check(ubus->sock.fd, POLLIN))
-+		ubus_handle_event(ubus);
-+
-+	if (poll_check(ubus->sock.fd, POLLHUP)) {
-+		ubus_free(ubus);
-+		ubus = NULL;
-+	}
-+}
-+
- int main (int argc, char **argv)
- {
-   int bind_fallback = 0;
-@@ -949,6 +1009,7 @@ int main (int argc, char **argv)
-       set_dbus_listeners();
- #endif	
-   
-+      set_ubus_listeners();
- #ifdef HAVE_DHCP
-       if (daemon->dhcp || daemon->relay4)
- 	{
-@@ -1079,6 +1140,8 @@ int main (int argc, char **argv)
-       check_dbus_listeners();
- #endif
-       
-+      check_ubus_listeners();
-+
-       check_dns_listeners(now);
- 
- #ifdef HAVE_TFTP
---- a/Makefile
-+++ b/Makefile
-@@ -85,7 +85,7 @@ all : $(BUILDDIR)
- 	@cd $(BUILDDIR) && $(MAKE) \
-  top="$(top)" \
-  build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
-- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
-+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) -lubox -lubus" \
-  -f $(top)/Makefile dnsmasq 
- 
- mostly_clean :
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1445,6 +1445,8 @@ void emit_dbus_signal(int action, struct
- #  endif
- #endif
- 
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface);
-+
- /* ipset.c */
- #ifdef HAVE_IPSET
- void ipset_init(void);
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void
- 	      daemon->namebuff,
- 	      string ? string : "",
- 	      err ? err : "");
-+  if (!strcmp(type, "DHCPACK"))
-+	  ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
-+  else if (!strcmp(type, "DHCPRELEASE"))
-+	  ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
- }
- 
- static void log_options(unsigned char *start, u32 xid)