v2.5.3 Changes
New tests to verify add/del of IPv4/IPv6 routes in kernel MFC
Fixes
Fix#166: build warning with gcc 10.2.1: "comparison is always true due to limited range of data type"
Fix build warning with --disable-mrdisc configure option
Fix#167: cannot remove routes added with smcroutectl add, only affects add/del at runtime with smcroutectl, not .conf reload
Fix#168: build problem on Debian/kFreeBSD, used wrong queue.h
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
configure.ac:1: error: possibly undefined macro: dnl
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Features
Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
ZONEMD records are checked for zones loaded as auth-zone, with DNSSEC if available. There is an added option zonemd-permissive-mode that makes it log but not fail wrong zones. With zonemd-reject-absence for an auth-zone the presence of a zonemd can be mandated for specific zones.
Fix: Resolve interface names on control-interface too.
Merge #470 from edevil: Allow configuration of persistent TCP connections.
Fix#474: always_null and others inside view.
Add that log-servfail prints an IP address and more information about one of the last failures for that query.
Merge #478: Allow configuration of TCP timeout while waiting for response.
Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
Move the NSEC3 max iterations count in line with the 150 value used by BIND, Knot and PowerDNS. This sets the default value for it in the configuration to 150 for all key sizes.
zonemd-check: yesno option, default no, enables the processing of ZONEMD records for that zone.
Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
Merge PR #491: Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https.
Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
version 2.86
Handle DHCPREBIND requests in the DHCPv6 server code.
Thanks to Aichun Li for spotting this omission, and the initial
patch.
Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.
Major rewrite of the DNS server and domain handling code.
This should be largely transparent, but it drastically
improves performance and reduces memory foot-print when
configuring large numbers domains of the form
local=/adserver.com/
or
local=/adserver.com/#
Lookup times now grow as log-to-base-2 of the number of domains,
rather than greater than linearly, as before.
The change makes multiple addresses associated with a domain work
address=/example.com/1.2.3.4
address=/example.com/5.6.7.8
It also handles multiple upstream servers for a domain better; using
the same try/retry algorithms as non domain-specific servers. This
also applies to DNSSEC-generated queries.
Finally, some of the oldest and gnarliest code in dnsmasq has had
a significant clean-up. It's far from perfect, but it _is_ better.
Revise resource handling for number of concurrent DNS queries. This
used to have a global limit, but that has a problem when using
different servers for different upstream domains. Queries which are
routed by domain to an upstream server which is not responding will
build up and trigger the limit, which breaks DNS service for
all other domains which could be handled by other servers. The
change is to make the limit per server-group, where a server group
is the set of servers configured for a particular domain. In the
common case, where only default servers are declared, there is
no effective change.
Improve efficiency of DNSSEC. The sharing point for DNSSEC RR data
used to be when it entered the cache, having been validated. After
that queries requiring the KEY or DS records would share the cached
values. There is a common case in dual-stack hosts that queries for
A and AAAA records for the same domain are made simultaneously.
If required keys were not in the cache, this would result in two
requests being sent upstream for the same key data (and all the
subsequent chain-of-trust queries.) Now we combine these requests
and elide the duplicates, resulting in fewer queries upstream
and better performance. To keep a better handle on what's
going on, the "extra" logging mode has been modified to associate
queries and answers for DNSSEC queries in the same way as ordinary
queries. The requesting address and port have been removed from
DNSSEC logging lines, since this is no longer strictly defined.
Connection track mark based DNS query filtering. Thanks to
Etan Kissling for implementing this It extends query filtering
support beyond what is currently possible
with the `--ipset` configuration option, by adding support for:
1) Specifying allowlists on a per-client basis, based on their
associated Linux connection track mark.
2) Dynamic configuration of allowlists via Ubus.
3) Reporting when a DNS query resolves or is rejected via Ubus.
4) DNS name patterns containing wildcards.
Disallowed queries are not forwarded; they are rejected
with a REFUSED error code.
Allow smaller than 64 prefix lengths in synth-domain, with caveats.
--synth-domain=1234:4567::/56,example.com is now valid.
Make domains generated by --synth-domain appear in replies
when in authoritative mode.
Ensure CAP_NET_ADMIN capability is available when
conntrack is configured. Thanks to Yick Xie for spotting
the lack of this.
When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which
files within that directory are read (alphabetical order
of filename). Thanks to Ed Wildgoose for the initial patch
and motivation for this.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
STABLE RELEASE 1.0.5:
- Add --no-solicit option to skip sending the discovery packet.
- Ignore multicast advertisements when discovery was sent as unicast
- Since its point release, no need to use +git${SRCPV} in PV it can be
absolute
Signed-off-by: William A. Kennington III <wak@google.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
To drop root privileges on Linux-based systems, chrony requires a
standard user to switch to and the use of capabilities. Fix up the
privdrop packageconfig to account for this.
Signed-off-by: Easwar Hariharan <easwar.hariharan@microsoft.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
bmon is a monitoring and debugging tool to capture networking
related statistics and prepare them visually in a human friendly way
Signed-off-by: Patrick Areny <patrick.areny@notiloplus.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libconfuse a configuration file parser library written in C
Used by bmon network monitor.
Signed-off-by: Patrick Areny <patrick.areny@notiloplus.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
messages logged to buffered outputs, predominantly --logfile.
This also caused lines in the logfile to run into one another because
the fragment containing the '\n' line-end character was usually lost.
Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
interface), the length of log message fragments was added up twice, so
that these ended too deep into a freshly allocated buffer, after the '\0'
byte. Unbuffered outputs flushed the fragments right away, which masked the
bug.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Adding -f*-prefix-map to LDFLAGS caused the following issue:
QA Issue: curlpp.pc failed sanity test (tmpdir)
Fix by filtering out -f*-prefix-map from *.pc files.
[YOCTO #14481]
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
v1.44.0 changelog:
lib: Port new ngtcp2 map implementation
doc: Replace master with main
build: Add precious variables for libev and jemalloc and use JEMALLOC_CFLAGS
build: Add more --with-* configure flags
build: Add LIBTOOL_LDFLAGS configure variable
third-party: Bump llhttp to 6.0.2
src: Replace black-list with block-list
nghttpx: Fix max distance in weight group/address cycle comparison
nghttpx: Set connect_blocker and live_check after shuffling addresses
nghttpx: Replace master with main
nghttpx: Remove trailing white space after $method log variable
(https://github.com/nghttp2/nghttp2/pull/1553)
h2load: Add --rps option
(https://github.com/nghttp2/nghttp2/pull/1559)
h2load: Allow unit in -D option
asio: fix some typos (Patch from Jan Kundrát)
(https://github.com/nghttp2/nghttp2/pull/1550)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update:
add note:
** NOTE! The following LGPL license applies to the talloc
** library. This does NOT imply that all of Samba is released
** under the LGPL
"GNU General Public License" changed to "GNU Lesser General Public License"
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface
Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When using systemd, ntpdate-sync script will start in background
triggering the start of ntpd without actually exiting.
This results in an bind error in ntpd startup.
Add wait at the end of ntpdate script to ensure that when the ntpdate.service
is marked as finished the oneshot script ntpdate-sync finished and unbind the
ntp port
Fixes#386
Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client,
not for openvpn.
Signed-off-by: Akifumi Chikazawa <chikazawa.akifu@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes cif-utils recipe build when DISTRO_FEATURES includes 'usrmerge'
Add do_configure_prepend() to override ROOTSSBINDIR environment variable
so that the utilities are installed in /usr/sbin rather than /sbin.
Setting --exec-prefix or --prefix in EXTRA_OECONF does not work.
Update do_install_append() to NOT remove /usr/bin /usr/sbin if usrmerge
is set in DISTRO_FEATURES
Signed-off-by: Geoff Parker <geoffrey.parker@arthrex.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
For distros that want to use the ENABLE_LIB_ONLY option, the rm call
will fail, because ENABLE_HPACK_TOOLS (set implicitly as part of
ENABLE_LIB_ONLY) removes those two binaries from the build, so they then
can't be removed again. This commit sets ENABLE_HPACK_TOOLS=OFF, which not
only allows for the option to be overridden in other meta layers, also
allows a simplified use of ENABLE_LIB_ONLY in meta layers that don't
want to ship the binaries.
Signed-off-by: Ed Tanous <ed@tanous.net>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2016-4983 affects only postinstall script on specific distribution, so add it to allowlist.
Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Native python is being probed on some builds
Fixes
recipe-sysroot-native/usr/share/cmake-3.20/Modules/FindPackageHandleStandardArgs.cmake:230 (message):
Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_DIRS)
(Required is exact version "3.8")
Signed-off-by: Khem Raj <raj.khem@gmail.com>
zhengruoqin
Khem Raj
wangmy
William A. Kennington III
Changqing Li
Patrick Williams
zangrc
Peter Kjellerstedt
Easwar Hariharan
Patrick Areny
Geoff Parker
Tony Battersby
Martin Jansa
Armin Kuster
Adrian Zaharia
Akifumi Chikazawa
Sekine Shigeki
Ed Tanous
ito-yuichi@fujitsu.com
Yi Zhao