ADD_LOCAL_HOSTNAME=1
ADD_WAN_FQDN=0
ADD_LOCAL_FQDN=""
-EXTRA_MOUNT=""
BASECONFIGFILE="/var/etc/dnsmasq.conf"
BASEHOSTFILE="/tmp/hosts/dhcp"
[ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1
[ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1
[ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1
+ [ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1
fi
case "$opt" in
[ -z "$dnsmasq_has_tftp" ] ;;
ipset)
[ -z "$dnsmasq_has_ipset" ] ;;
+ nftset)
+ [ -z "$dnsmasq_has_nftset" ] ;;
*)
return 1
esac
xappend "--address=$1"
}
-append_ipset() {
- xappend "--ipset=$1"
+append_connmark_allowlist() {
+ xappend "--connmark-allowlist=$1"
}
append_interface() {
for dirname in $EXTRA_MOUNT ; do
case "$filename" in
"${dirname}/"* | "${dirname}" )
- return 1
+ return 0
;;
esac
done
- return 0
+ return 1
}
-append_addnhosts() {
+append_extramount() {
ismounted "$1" || append EXTRA_MOUNT "$1"
+}
+
+append_addnhosts() {
+ append_extramount "$1"
xappend "--addn-hosts=$1"
}
config_get subscriberid "$cfg" subscriberid
[ -n "$subscriberid" ] || return 0
- xappend "--dhcp-subscrid=$networkid,$subscriberid"
+ xappend "--dhcp-subscrid=set:$networkid,$subscriberid"
config_get_bool force "$cfg" force 0
config_get remoteid "$cfg" remoteid
[ -n "$remoteid" ] || return 0
- xappend "--dhcp-remoteid=$networkid,$remoteid"
+ xappend "--dhcp-remoteid=set:$networkid,$remoteid"
config_get_bool force "$cfg" force 0
config_get circuitid "$cfg" circuitid
[ -n "$circuitid" ] || return 0
- xappend "--dhcp-circuitid=$networkid,$circuitid"
+ xappend "--dhcp-circuitid=set:$networkid,$circuitid"
config_get_bool force "$cfg" force 0
config_get userclass "$cfg" userclass
[ -n "$userclass" ] || return 0
- xappend "--dhcp-userclass=$networkid,$userclass"
+ xappend "--dhcp-userclass=set:$networkid,$userclass"
config_get_bool force "$cfg" force 0
config_get vendorclass "$cfg" vendorclass
[ -n "$vendorclass" ] || return 0
- xappend "--dhcp-vendorclass=$networkid,$vendorclass"
+ xappend "--dhcp-vendorclass=set:$networkid,$vendorclass"
config_get_bool force "$cfg" force 0
config_get match "$cfg" match
[ -n "$match" ] || return 0
- xappend "--dhcp-match=$networkid,$match"
+ xappend "--dhcp-match=set:$networkid,$match"
config_get_bool force "$cfg" force 0
dhcp_host_add() {
local cfg="$1"
- local hosttag nametime addrs duids macs tags
+ local hosttag nametime addrs duids macs tags mtags
config_get_bool force "$cfg" force 0
config_get duid "$cfg" duid
config_get tag "$cfg" tag
+ add_tag() {
+ mtags="${mtags}tag:$1,"
+ }
+ config_list_foreach "$cfg" match_tag add_tag
+
if [ -n "$mac" ]; then
# --dhcp-host=00:20:e0:3b:13:af,192.168.0.199,lap
# many MAC are possible to track a laptop ON/OFF dock
if [ $DNSMASQ_DHCP_VER -eq 6 ]; then
addrs="${ip:+,$ip}${hostid:+,[::$hostid]}"
- xappend "--dhcp-host=$macs${duids:+,$duids}$hosttag$addrs$nametime"
+ xappend "--dhcp-host=$mtags$macs${duids:+,$duids}$hosttag$addrs$nametime"
else
- xappend "--dhcp-host=$macs$hosttag${ip:+,$ip}$nametime"
+ xappend "--dhcp-host=$mtags$macs$hosttag${ip:+,$ip}$nametime"
fi
}
dhcp_option_add "$cfg" "$networkid" "$force"
}
-
dhcp_add() {
local cfg="$1"
local dhcp6range="::"
# Do not support non-static interfaces for now
[ static = "$proto" ] || return 0
+ ipaddr="${subnet%%/*}"
+ prefix_or_netmask="${subnet##*/}"
+
# Override interface netmask with dhcp config if applicable
- config_get netmask "$cfg" netmask "${subnet##*/}"
+ config_get netmask "$cfg" netmask
- #check for an already active dhcp server on the interface, unless 'force' is set
- config_get_bool force "$cfg" force 0
- [ $force -gt 0 ] || dhcp_check "$ifname" || {
- logger -t dnsmasq \
- "found already running DHCP-server on interface '$ifname'" \
- "refusing to start, use 'option force 1' to override"
- return 0
- }
+ [ -n "$netmask" ] && prefix_or_netmask="$netmask"
config_get start "$cfg" start 100
config_get limit "$cfg" limit 150
config_get leasetime "$cfg" leasetime 12h
config_get options "$cfg" options
config_get_bool dynamicdhcp "$cfg" dynamicdhcp 1
+ config_get_bool dynamicdhcpv4 "$cfg" dynamicdhcpv4 $dynamicdhcp
+ config_get_bool dynamicdhcpv6 "$cfg" dynamicdhcpv6 $dynamicdhcp
config_get dhcpv4 "$cfg" dhcpv4
config_get dhcpv6 "$cfg" dhcpv6
config_get ra_management "$cfg" ra_management
config_get ra_preference "$cfg" ra_preference
config_get dns "$cfg" dns
+ config_get dns_sl "$cfg" domain
config_list_foreach "$cfg" "interface_name" append_interface_name "$ifname"
nettag="${networkid:+set:${networkid},}"
- if [ "$limit" -gt 0 ] ; then
- limit=$((limit-1))
- fi
+ # make sure the DHCP range is not empty
+ if [ "$dhcpv4" != "disabled" ] && ipcalc "$ipaddr/$prefix_or_netmask" "$start" "$limit" ; then
+ [ "$dynamicdhcpv4" = "0" ] && END="static"
- eval "$(ipcalc.sh "${subnet%%/*}" $netmask $start $limit)"
+ xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}"
+ fi
- if [ "$dynamicdhcp" = "0" ] ; then
- END="static"
+ if [ "$dynamicdhcpv6" = "0" ] ; then
dhcp6range="::,static"
else
dhcp6range="::1000,::ffff"
fi
- if [ "$dhcpv4" != "disabled" ] ; then
- xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}"
- fi
-
-
if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ "$ra" = "server" ] ; then
# Note: dnsmasq cannot just be a DHCPv6 server (all-in-1)
# and let some other machine(s) send RA pointing to it.
fi
dhcp_option_append "option6:dns-server,$dnss" "$networkid"
+
+ if [ -n "$dns_sl" ]; then
+ ddssl=""
+ for dd in $dns_sl; do append ddssl "$dd" ","; done
+ fi
+
+ dhcp_option_append "option6:domain-search,$ddssl" "$networkid"
fi
dhcp_option_add "$cfg" "$networkid" 0
dnsmasq_ipset_add() {
local cfg="$1"
- local ipsets domains
+ local ipsets nftsets domains
add_ipset() {
ipsets="${ipsets:+$ipsets,}$1"
}
+ add_nftset() {
+ local IFS=,
+ for set in $1; do
+ local fam="$family"
+ [ -n "$fam" ] || fam=$(echo "$set" | sed -nre \
+ 's#^.*[^0-9]([46])$|^.*[-_]([46])[-_].*$|^([46])[^0-9].*$#\1\2\3#p')
+ [ -n "$fam" ] || \
+ fam=$(nft -t list set "$table_family" "$table" "$set" 2>&1 | sed -nre \
+ 's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p')
+
+ [ -n "$fam" ] || \
+ logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'"
+
+ nftsets="${nftsets:+$nftsets,}${fam:+$fam#}$table_family#$table#$set"
+ done
+ }
+
add_domain() {
# leading '/' is expected
domains="$domains/$1"
}
+ config_get table "$cfg" table 'fw4'
+ config_get table_family "$cfg" table_family 'inet'
+ if [ "$table_family" = "ip" ] ; then
+ family="4"
+ elif [ "$table_family" = "ip6" ] ; then
+ family="6"
+ else
+ config_get family "$cfg" family
+ fi
+
config_list_foreach "$cfg" "name" add_ipset
+ config_list_foreach "$cfg" "name" add_nftset
config_list_foreach "$cfg" "domain" add_domain
- if [ -z "$ipsets" ] || [ -z "$domains" ]; then
+ if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then
return 0
fi
xappend "--ipset=$domains/$ipsets"
+ xappend "--nftset=$domains/$nftsets"
}
dnsmasq_start()
{
local cfg="$1"
- local disabled user_dhcpscript
- local resolvfile resolvdir localuse=0
+ local disabled user_dhcpscript logfacility
+ local resolvfile resolvdir localuse=1
config_get_bool disabled "$cfg" disabled 0
[ "$disabled" -gt 0 ] && return 0
- # reset list of DOMAINS and DNS servers (for each dnsmasq instance)
+ # reset list of DOMAINS, DNS servers and EXTRA mounts (for each dnsmasq instance)
DNS_SERVERS=""
DOMAIN=""
+ EXTRA_MOUNT=""
CONFIGFILE="${BASECONFIGFILE}.${cfg}"
CONFIGFILE_TMP="${CONFIGFILE}.$$"
HOSTFILE="${BASEHOSTFILE}.${cfg}"
HOSTFILE_TMP="${HOSTFILE}.$$"
+ HOSTFILE_DIR="$(dirname "$HOSTFILE")"
BASEDHCPSTAMPFILE_CFG="${BASEDHCPSTAMPFILE}.${cfg}"
# before we can call xappend
+ umask u=rwx,g=rx,o=rx
mkdir -p /var/run/dnsmasq/
mkdir -p $(dirname $CONFIGFILE)
- mkdir -p $(dirname $HOSTFILE)
+ mkdir -p "$HOSTFILE_DIR"
mkdir -p /var/lib/misc
chown dnsmasq:dnsmasq /var/run/dnsmasq
xappend "--conf-file=${dnsmasqconffile}"
}
+ config_get_bool boguspriv "$cfg" boguspriv 1
+ [ "$boguspriv" -gt 0 ] && {
+ xappend "--bogus-priv"
+ [ -r "$RFC6761FILE" ] && xappend "--conf-file=$RFC6761FILE"
+ }
+
$PROG --version | grep -osqE "^Compile time options:.* DHCPv6( |$)" && DHCPv6CAPABLE=1 || DHCPv6CAPABLE=0
append_bool "$cfg" rapidcommit "--dhcp-rapid-commit"
append_bool "$cfg" scriptarp "--script-arp"
- append_parm "$cfg" logfacility "--log-facility"
+ append_bool "$cfg" filter_aaaa "--filter-AAAA"
+ append_bool "$cfg" filter_a "--filter-A"
+ append_parm "$cfg" logfacility "--log-facility"
+ config_get logfacility "$cfg" "logfacility"
append_parm "$cfg" cachesize "--cache-size"
append_parm "$cfg" dnsforwardmax "--dns-forward-max"
append_parm "$cfg" port "--port"
config_list_foreach "$cfg" "server" append_server
config_list_foreach "$cfg" "rev_server" append_rev_server
config_list_foreach "$cfg" "address" append_address
- config_list_foreach "$cfg" "ipset" append_ipset
+
+ local connmark_allowlist_enable
+ config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0
+ [ "$connmark_allowlist_enable" -gt 0 ] && {
+ append_parm "$cfg" "connmark_allowlist_enable" "--connmark-allowlist-enable"
+ config_list_foreach "$cfg" "connmark_allowlist" append_connmark_allowlist
+ }
+
[ -n "$BOOT" ] || {
config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface
config_list_foreach "$cfg" "addnhosts" append_addnhosts
config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
- append_parm "$cfg" "serversfile" "--servers-file"
+
+ local serversfile
+ config_get serversfile "$cfg" "serversfile"
+ [ -n "$serversfile" ] && {
+ xappend "--servers-file=$serversfile"
+ append EXTRA_MOUNT "$serversfile"
+ }
+
append_parm "$cfg" "tftp_root" "--tftp-root"
append_parm "$cfg" "dhcp_boot" "--dhcp-boot"
append_parm "$cfg" "local_ttl" "--local-ttl"
config_get resolvfile "$cfg" resolvfile /tmp/resolv.conf.d/resolv.conf.auto
[ -n "$resolvfile" ] && [ ! -e "$resolvfile" ] && touch "$resolvfile"
xappend "--resolv-file=$resolvfile"
- [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1
+ [ "$resolvfile" != "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=0
resolvdir="$(dirname "$resolvfile")"
fi
config_get_bool localuse "$cfg" localuse "$localuse"
xappend "--dhcp-broadcast=tag:needs-broadcast"
-
config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
xappend "--conf-dir=$dnsmasqconfdir"
dnsmasqconfdir="${dnsmasqconfdir%%,*}"
config_foreach filter_dnsmasq mxhost dhcp_mx_add "$cfg"
echo >> $CONFIGFILE_TMP
- config_get_bool boguspriv "$cfg" boguspriv 1
- [ "$boguspriv" -gt 0 ] && {
- xappend "--bogus-priv"
- [ -r "$RFC6761FILE" ] && xappend "--conf-file=$RFC6761FILE"
- }
if [ "$DNSMASQ_DHCP_VER" -gt 4 ] ; then
# Enable RA feature for when/if it is constructed,
config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg"
echo >> $CONFIGFILE_TMP
- echo >> $CONFIGFILE_TMP
mv -f $CONFIGFILE_TMP $CONFIGFILE
mv -f $HOSTFILE_TMP $HOSTFILE
done
}
+ config_list_foreach "$cfg" addnmount append_extramount
+
procd_open_instance $cfg
procd_set_param command $PROG -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid
procd_set_param file $CONFIGFILE
[ -n "$user_dhcpscript" ] && procd_set_param env USER_DHCPSCRIPT="$user_dhcpscript"
procd_set_param respawn
+ local instance_ifc instance_netdev
+ config_get instance_ifc "$cfg" interface
+ [ -n "$instance_ifc" ] && network_get_device instance_netdev "$instance_ifc" &&
+ [ -n "$instance_netdev" ] && procd_set_param netdev $instance_netdev
+
procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
+ case "$logfacility" in */*)
+ [ ! -e "$logfacility" ] && touch "$logfacility"
+ procd_add_jail_mount_rw "$logfacility"
+ esac
+ [ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile
procd_close_instance
}
dnsmasq_stop()
{
local cfg="$1"
- local noresolv resolvfile localuse=0
+ local noresolv resolvfile localuse=1
config_get_bool noresolv "$cfg" noresolv 0
config_get resolvfile "$cfg" "resolvfile"
- [ "$noresolv" = 0 ] && [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1
+ [ "$noresolv" = 0 ] && [ "$resolvfile" != "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=0
config_get_bool localuse "$cfg" localuse "$localuse"
[ "$localuse" -gt 0 ] && ln -sf "/tmp/resolv.conf.d/resolv.conf.auto" /tmp/resolv.conf