diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile index c874a61429ff..9982bb996080 100644 --- a/dns/dnsmasq/Makefile +++ b/dns/dnsmasq/Makefile @@ -1,173 +1,173 @@ PORTNAME= dnsmasq DISTVERSION= 2.92 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= dns MASTER_SITES= LOCAL/mandree/ \ https://thekelleys.org.uk/dnsmasq/ MAINTAINER= mandree@FreeBSD.org COMMENT= Lightweight DNS forwarder, DHCP, and TFTP server WWW= https://www.thekelleys.org.uk/dnsmasq/doc.html LICENSE= GPLv2 USES= compiler cpe shebangfix tar:xz CPE_VENDOR= thekelleys SHEBANG_FILES= contrib/dnslist/dnslist.pl \ contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl MAKE_ARGS= CC="${CC}" \ CFLAGS="${CFLAGS}" \ COPTS="${CFLAGS}" \ LIBS="${LDFLAGS}" \ PREFIX="${PREFIX}" \ RPM_OPT_FLAGS="${CPPFLAGS}" CFLAGS+= -Wall # https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html # Note there are ${ARCH}-dependent options below after .include # Note that these are enforced, and we won't subject them to PIE/FORTIFY/SSP_UNSAFE or WITHOUT_ options. CFLAGS+= -Wall -Wformat -Wformat=2 \ -Werror=format-security \ -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \ -fstrict-flex-arrays=3 \ -fstack-clash-protection -fstack-protector-strong \ -fno-delete-null-pointer-checks -fno-strict-overflow \ -fno-strict-aliasing -ftrivial-auto-var-init=zero LDFLAGS+= -Wl,-z,nodlopen -Wl,-z,noexecstack \ -Wl,-z,relro -Wl,-z,now \ -Wl,--as-needed -Wl,--no-copy-dt-needed-entries CFLAGS+= -fPIE LDFLAGS+= -pie # error on obsolete C constructs CFLAGS+= -Werror=implicit -Werror=incompatible-pointer-types \ -Werror=int-conversion # tune down harmless warnings due to coding style CFLAGS+= -Wno-unused-function -Wno-unused-parameter \ -Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral CPPFLAGS+= -I${LOCALBASE}/include CONFLICTS_INSTALL= dnsmasq-devel SUB_FILES= pkg-message PORTDOCS= CHANGELOG CHANGELOG.archive FAQ doc.html setup.html OPTIONS_DEFINE= DBUS DNSSEC DOCS IPSET IPV6 LUA OPTIONS_DEFAULT= DNSSEC IPSET OPTIONS_RADIO= INTL OPTIONS_RADIO_INTL= IDN NLS OPTIONS_EXCLUDE+= EXAMPLES DNSSEC_DESC= Enable DNSSEC caching and validation (needs nettle) IDN_DESC= IDN: Int'l Domain Names WITHOUT full NLS INTL_DESC= Internationalization Support Level IPSET_DESC= Dynamic firewall management of resolved names (needs PF) LUA_DESC= Support lease-change scripts written in Lua NLS_DESC= IDN+NLS: Int'l Domain Names & National Language support IPSET_CFLAGS_OFF= -DNO_IPSET IPV6_CFLAGS_OFF= -DNO_IPV6 .include .if ${PORT_OPTIONS:MNLS} USES+= gettext gmake iconv pkgconfig CFLAGS+= -DHAVE_LIBIDN2 LIB_DEPENDS+= libidn2.so:dns/libidn2 PLIST_SUB+= NLS="" ALL_TARGET= all-i18n _intllibs= -lidn2 -lintl .else _intllibs= PLIST_SUB+= NLS="@comment " .if ${PORT_OPTIONS:MIDN} USES+= iconv CFLAGS+= -DHAVE_LIBIDN2 LIB_DEPENDS+= libidn2.so:dns/libidn2 _intllibs+= -lidn2 .endif .endif .if ${PORT_OPTIONS:MDBUS} LIB_DEPENDS+= libdbus-1.so:devel/dbus USES+= pkgconfig CPPFLAGS+= `pkg-config --cflags dbus-1` CFLAGS+= -DHAVE_DBUS LDFLAGS+= `pkg-config --libs dbus-1` .endif .if ${PORT_OPTIONS:MLUA} CPPFLAGS+= -I${LUA_INCDIR} CFLAGS+= -DHAVE_LUASCRIPT LDFLAGS+= -L${LUA_LIBDIR} -llua-${LUA_VER} USES+= lua pkgconfig .endif .if ${PORT_OPTIONS:MDNSSEC} CFLAGS+= -DHAVE_DNSSEC -I${LOCALBASE}/include USES+= pkgconfig LIB_DEPENDS+= libgmp.so:math/gmp \ libnettle.so:security/nettle .endif USE_RC_SUBR= dnsmasq .include # https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html .if ${ARCH} == "amd64" CFLAGS+= -fcf-protection=full .endif .if ${ARCH} == "aarch64" CFLAGS+= -mbranch-protection=standard .endif .if ${CHOSEN_COMPILER_TYPE} == "gcc" CFLAGS+= -Wtrampolines .endif LDFLAGS+= -L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB} post-patch: ${REINPLACE_CMD} -e '/^LUA /s/lua/lua-${LUA_VER}/' ${WRKSRC}/Makefile pre-configure: pretty-print-config .if ${PORT_OPTIONS:MIDN} .if empty(PORT_OPTIONS:MNLS) @if ${READELF} -d ${LOCALBASE}/lib/libidn2.so \ | ${EGREP} -q '\.*\[libintl\.so' ; \ then ${ECHO} ; ${ECHO} 'WARNING: dns/libidn2 was compiled with NLS support!' ; \ ${ECHO} 'Recompile libidn2 WITHOUT_NLS to get rid of NLS dependencies.' ; ${ECHO} ; \ fi .else @${ECHO} 'WARNING: IDN and NLS enabled, building IDN WITH NLS.' .endif .endif do-install: ${INSTALL_PROGRAM} ${WRKSRC}/src/dnsmasq ${STAGEDIR}${PREFIX}/sbin ${INSTALL_DATA} ${WRKSRC}/dnsmasq.conf.example ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample ${REINPLACE_CMD} -i '' 's}%%PREFIX%%}${PREFIX}}' ${STAGEDIR}${PREFIX}/etc/dnsmasq.conf.sample ${INSTALL_MAN} ${WRKSRC}/man/${PORTNAME}.8 ${STAGEDIR}${PREFIX}/share/man/man8 ${MKDIR} ${STAGEDIR}${DATADIR} ${INSTALL_DATA} ${WRKSRC}/trust-anchors.conf ${STAGEDIR}${DATADIR}/ .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} .endif .if ${PORT_OPTIONS:MNLS} .for i in de es fi fr id it no pl pt_BR ro ${MKDIR} ${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES ${INSTALL_DATA} ${WRKSRC}/src/${i}.mo \ ${STAGEDIR}${PREFIX}/share/locale/${i}/LC_MESSAGES/${PORTNAME}.mo .endfor .endif ${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq ${STAGEDIR}${EXAMPLESDIR}/dnslist ${INSTALL_SCRIPT} ${WRKSRC}/contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl ${STAGEDIR}${EXAMPLESDIR}/dynamic-dnsmasq/ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/dnslist/dnslist.pl ${STAGEDIR}${EXAMPLESDIR}/dnslist/ ${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dhcp.css ${STAGEDIR}${EXAMPLESDIR}/dnslist/ ${INSTALL_DATA} ${WRKSRC}/contrib/dnslist/dnslist.tt2 ${STAGEDIR}${EXAMPLESDIR}/dnslist/ .include diff --git a/dns/dnsmasq/files/patch-src_dhcp.c b/dns/dnsmasq/files/patch-src_dhcp.c new file mode 100644 index 000000000000..0da2c5e1e56b --- /dev/null +++ b/dns/dnsmasq/files/patch-src_dhcp.c @@ -0,0 +1,110 @@ +commit 84415a87be571a6da82c910c1b87b194e5f54727 +Author: Clayton O'Neill +Date: Thu Feb 5 15:38:27 2026 +0000 + + Fix PXE boot server (PXEBS) responses broken in 2.92 + + I think I've found a regression in dnsmasq 2.92 that breaks PXE boot server + (PXEBS) responses when running in proxy DHCP mode. Fair warning: I'm not + familiar with the dnsmasq codebase and used AI tooling to help trace through + the source and identify the issue, so please take the analysis below with + appropriate skepticism. PXE boot works fine on 2.91 + but fails on 2.92 — the client gets the initial proxy DHCPOFFER, but the PXEBS + ACK on port 4011 never reaches it. + + My setup is dnsmasq in proxy DHCP mode serving iPXE to Proxmox VMs via their + virtio-net ROM. Here's a stripped-down version of my config: + + port=0 + enable-tftp + tftp-root=/tftpboot + dhcp-range=172.19.74.0,proxy,255.255.255.0 + interface=eno1 + bind-interfaces + dhcp-match=set:ipxe,175 + pxe-service=tag:ipxe,x86PC,"Network Boot",http://server:8081/boot.ipxe + pxe-service=tag:!ipxe,x86PC,"Network Boot",undionly.kpxe + log-dhcp + + The issue seems to be in src/dhcp.c in the response routing logic after + dhcp_reply() returns. In 2.91, the destination selection was an if/else-if + chain: + + if (pxe_fd) + { ... } + else if (mess->giaddr.s_addr && !is_relay_reply) + { ... } + else if (mess->ciaddr.s_addr) + { ... } + else + { ... broadcast to 255.255.255.255:68 ... } + + In 2.92, the else between the pxe_fd block and the giaddr/relay check was + removed in commit 4fbe1ad ("Implement RFC-4388 DHCPv4 leasequery") to + accommodate the new is_relay_use_source logic: + + if (pxe_fd) + { ... } + if ((is_relay_use_source || mess->giaddr.s_addr) && !is_relay_reply) + { ... } + else if (mess->ciaddr.s_addr) + { ... } + else + { ... broadcast to 255.255.255.255:68 ... } + + For PXEBS responses, dhcp_reply() in rfc2131.c (around line 924-925) does: + + mess->yiaddr = mess->ciaddr; + mess->ciaddr.s_addr = 0; + + So after dhcp_reply() returns for a PXEBS request, ciaddr is 0, giaddr is 0 + (no relay), and is_relay_use_source is 0. In 2.91, the pxe_fd block runs and + the rest of the chain is skipped — dest stays as received from recvmsg, and the + response goes back to the client correctly. In 2.92, the pxe_fd block runs but + then falls through to the standalone if, which is false, so the else block runs + and sets dest to 255.255.255.255 port 68. The client is listening on port 4011 + and ignores it. + + Here are the relevant dnsmasq logs. With 2.91 (working), I see normal proxy + DHCP and PXE boot server exchanges: + + dnsmasq-dhcp: DHCPDISCOVER(eno1) bc:24:11:59:85:90 + dnsmasq-dhcp: DHCPOFFER(eno1) 172.19.74.60 bc:24:11:59:85:90 + dnsmasq-dhcp: DHCPREQUEST(eno1) 172.19.74.60 bc:24:11:59:85:90 + dnsmasq-dhcp: DHCPACK(eno1) 172.19.74.60 bc:24:11:59:85:90 + dnsmasq-dhcp: PXE(eno1) bc:24:11:59:85:90 proxy + dnsmasq-dhcp: PXE(eno1) bc:24:11:59:85:90 proxy + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 undionly.kpxe + dnsmasq-dhcp: PXE(eno1) bc:24:11:59:85:90 proxy + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 http://infra1.oneill.net:8081/boot.ipxe + + With 2.92 (broken), the DHCPDISCOVER/OFFER/REQUEST/ACK cycle and the proxy + PXE response work, but the PXEBS response never reaches the client — it times + out after repeated attempts. The dnsmasq side shows it sending the response, + but the client keeps retrying: + + dnsmasq-dhcp: PXE(eno1) bc:24:11:59:85:90 proxy + dnsmasq-dhcp: PXE(eno1) bc:24:11:59:85:90 proxy + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 undionly.kpxe + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 undionly.kpxe + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 undionly.kpxe + dnsmasq-dhcp: PXEBS(eno1) bc:24:11:59:85:90 undionly.kpxe + + I tested by restoring the else keyword and the fix appears to work — 2.92 with + the patch below PXE boots successfully. I believe this change preserves the + leasequery behavior since that path only applies when pxe_fd is false (normal + DHCP handling, not port 4011). + +diff --git a/src/dhcp.c b/src/dhcp.c +index 6775fb6..efda023 100644 +--- src/dhcp.c~ ++++ src/dhcp.c +@@ -399,7 +399,7 @@ void dhcp_packet(time_t now, int pxe_fd) + if (mess->ciaddr.s_addr != 0) + dest.sin_addr = mess->ciaddr; + } +- if ((is_relay_use_source || mess->giaddr.s_addr) && !is_relay_reply) ++ else if ((is_relay_use_source || mess->giaddr.s_addr) && !is_relay_reply) + { + /* Send to BOOTP relay. */ + if (is_relay_use_source)