[Dnsmasq-discuss] [PATCH] Improve --address and --ipset docs, fix --help output

Simon Kelley simon at thekelleys.org.uk
Sun Aug 28 21:28:13 BST 2016


On 18/08/16 23:19, Peter Wu wrote:

> Hi,
> 
> Recently I discovered the --ipset option but the manpage and --help output were
> slightly confusing, so here are some fixes for that. This patch is best viewed
> with git diff --color-words or with side-by-side diff.
> 

Applied. Many thanks.


> The modifications were done based on the implementation (source code). Other
> discoveries:
> 
>  - Once added to the ipset and flushed (or removed due to a timeout), you need
>    to SIGHUP or restart dnsmasq to make it re-consider future occurrences.

I'm not sure if that's a problem or not, and if it is, how it could be
done better?

>  - Due to the use of extract_request() in process_reply(), addresses for queries
>    with qdcount >= 2 are ignored (not added to the ipset). This is lucky,
>    because the add_to_ipset() currently assumes that the given address is
>    always an IPv6 address whenever an AAAA type is present in the question. So
>    if an A + AAAA is in the question, then it would yield the wrong result.


qdcount is a fossil from the early DNS. It's completely inadmissible
for qdcount to have any value other than one in the modern world. As
long as qdcount != 1 doesn't trigger bad behaviour (like a crash or
information leak) then the actual results of such a query are pretty
much irrelevant.

>  - ipset errors are not logged. Maybe not a problem for errors where the family
>    mismatches, but a full ipset could indicate a problem.

Trivial logging code added to git repo, does that work better?

Cheers,

Simon.



> 
> Kind regards,
> Peter
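
The two points discussed in this message (ignoring replies whose qdcount is not 1, and not inferring an address's family from the question type) can be shown with a small stand-alone reply parser. This is an added example, not dnsmasq's code and not part of the original thread: `skip_name`, `answer_families` and the `sample` packet are hypothetical names and constructed data, and dnsmasq's `extract_request()` and `add_to_ipset()` are not used.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* Constructed sample reply: one AAAA question for "a.", answered by A + AAAA. */
static uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,        /* header: qdcount=1, ancount=2 */
    1,'a',0, 0,28, 0,1,                               /* question: a. AAAA IN */
    0xC0,12, 0,1,  0,1, 0,0,0,60, 0,4, 192,0,2,1,     /* A 192.0.2.1 */
    0xC0,12, 0,28, 0,1, 0,0,0,60, 0,16,               /* AAAA 2001:db8::1 */
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,1 };

/* Offset just past the name at off, or 0 if it is malformed or truncated. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off)
{
    for (; off < len; off += 1 + (size_t)p[off]) {
        if (p[off] == 0) return off + 1;
        if (p[off] & 0xC0)   /* 0xC0 pointer ends the name; 0x40/0x80 are reserved */
            return ((p[off] & 0xC0) == 0xC0 && off + 2 <= len) ? off + 2 : 0;
    }
    return 0;
}

/* Families come from each answer's own type and length, never the question; -1 rejects. */
int answer_families(const uint8_t *p, size_t len, int *fam, int max)
{
    if (len < 12 || ((p[4] << 8) | p[5]) != 1) return -1;   /* qdcount must be 1 */
    unsigned an = (p[6] << 8) | p[7];
    size_t off = skip_name(p, len, 12);
    if (!off || off + 4 > len) return -1;
    int n = 0;
    for (off += 4; an > 0; an--) {                /* off += 4 skips qtype + qclass */
        if (!(off = skip_name(p, len, off)) || off + 10 > len) return -1;
        unsigned type = (p[off] << 8) | p[off + 1], rdlen = (p[off + 8] << 8) | p[off + 9];
        off += 10;
        if (rdlen > len - off) return -1;
        if (n < max && type == 1 && rdlen == 4) fam[n++] = AF_INET;          /* A */
        else if (n < max && type == 28 && rdlen == 16) fam[n++] = AF_INET6;  /* AAAA */
        off += rdlen;
    }
    return n;
}

int main(void)
{
    int fam[4];
    printf("%d address records\n", answer_families(sample, sizeof sample, fam, 4));
    return 0;
}
```

The sample deliberately answers an AAAA question with both an A and an AAAA record, so a parser that took the family from the question would mislabel the first address.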

