[Dnsmasq-discuss] [PATCH] Improve --address and --ipset docs, fix --help output

Simon Kelley simon at thekelleys.org.uk
Sun Aug 28 21:28:13 BST 2016

On 18/08/16 23:19, Peter Wu wrote:

> Hi,
> Recently I discovered the --ipset option but the manpage and --help output were
> slightly confusing, so here are some fixes for that. This patch is best viewed
> with git diff --color-words or with side-by-side diff.

Applied. Many thanks.

> The modifications were done based on the implementation (source code). Other
> discoveries:
>  - Once added to the ipset and flushed (or removed due to a timeout), you need
>    to SIGHUP or restart dnsmasq to make it re-consider future occurrences.

I'm not sure if that's a problem or not, and if it is, how it could be
done better?

>  - Due to the use of extract_request() in process_reply(), addresses for queries
>    with qdcount >= 2 are ignored (not added to the ipset). This is lucky,
>    because the add_to_ipset() currently assumes that the given address is
>    always an IPv6 address whenever an AAAA type is present in the question. So
>    if an A + AAAA is in the question, then it would yield the wrong result.

qdcount  is a fossil from the early DNS. It's completely inadmissable
for qdcount to have any value other than one in the modern world. As
long as qdcount != 1 doesn't trigger bad behaviour (like a crash or
information leak) then the actually results of such a query are pretty
much irrelevant.

>  - ipset errors are not logged. Maybe not a problem for errors where the family
>    mismatches, but a full ipset could indicate a problem.

Trivial logging code added to git repo, does that work better?



> Kind regards,
> Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20160828/83ffbce6/attachment-0001.sig>

More information about the Dnsmasq-discuss mailing list