Iodine now uses a procd init.d service and output is sent to the system
log.
Two new options have been added:
- debuglevel — increases the verbosity of debug output.
- check_client_ip — controls whether to accept or reject queries from
different IP addresses for the same login. This should be disabled if
the recursive DNS server might send queries from varying IPs. However,
disabling this option also makes replay attacks significantly easier.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
The crude loop I wrote to come up with this changeset:
    find -L package/feeds/packages/ -name patches | \
        sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
The arpa/nameser.h header of musl libc indirectly depends on the endian.h
header but fails to explicitly include it to properly define
`__BYTE_ORDER` and `__BIG_ENDIAN` prior to declaring the DNS `HEADER`
structure.
When both the appropriate `__BYTE_ORDER` and `__BIG_ENDIAN` defines are
unset, the `#if __BYTE_ORDER == __BIG_ENDIAN` condition in `nameser.h`
evaluates to true, causing it to declare a bad (big endian) DNS packet
header structure on little endian systems.
Work around this musl bug by forcibly passing `-include endian.h` through
the `osflags` file.
An upstream fix for musl libc has been submitted with
http://www.openwall.com/lists/musl/2017/12/04/3
This should solve iodine packet corruption on little endian musl systems
reported at
http://lists.infradead.org/pipermail/lede-dev/2017-November/010085.html
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
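
The preprocessor behaviour described in the commit message above, as an added example that is not part of the original commit, musl or iodine. `DEMO_BYTE_ORDER`, `DEMO_BIG_ENDIAN` and `struct demo_flags` are hypothetical stand-ins for `__BYTE_ORDER`, `__BIG_ENDIAN` and the first flags byte of the DNS `HEADER`; the bit-field order assumed is that of GCC and Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DEMO_BYTE_ORDER / DEMO_BIG_ENDIAN are hypothetical stand-ins for
 * __BYTE_ORDER / __BIG_ENDIAN. They are deliberately NOT defined here,
 * mirroring a build where endian.h was never included. */

/* Build-time check: real code would put #error in the first branch. */
#if !defined(DEMO_BYTE_ORDER) || !defined(DEMO_BIG_ENDIAN)
#define ENDIAN_MACROS_MISSING 1
#else
#define ENDIAN_MACROS_MISSING 0
#endif

/* Undefined identifiers evaluate to 0 inside #if, so this is 0 == 0. */
#if DEMO_BYTE_ORDER == DEMO_BIG_ENDIAN
#define PICKED_BIG_ENDIAN_LAYOUT 1
struct demo_flags { unsigned qr:1, opcode:4, aa:1, tc:1, rd:1; };
#else
#define PICKED_BIG_ENDIAN_LAYOUT 0
struct demo_flags { unsigned rd:1, tc:1, aa:1, opcode:4, qr:1; };
#endif

int endian_macros_missing(void)    { return ENDIAN_MACROS_MISSING; }
int picked_big_endian_layout(void) { return PICKED_BIG_ENDIAN_LAYOUT; }

int host_is_little_endian(void) {
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* QR as the struct sees it after overlaying the first flags byte. */
int struct_qr(uint8_t wire_byte) {
    struct demo_flags f;
    memset(&f, 0, sizeof f);
    memcpy(&f, &wire_byte, 1);
    return (int)f.qr;
}

/* QR extracted by shifting: independent of bit-field layout. */
int portable_qr(uint8_t wire_byte) { return (wire_byte >> 7) & 1; }

int main(void) {
    const uint8_t response = 0x80; /* constructed sample: QR=1, rest 0 */
    printf("macros missing=%d, big-endian layout picked=%d\n",
           endian_macros_missing(), picked_big_endian_layout());
    printf("QR portable=%d, QR via struct=%d\n",
           portable_qr(response), struct_qr(response));
    return 0;
}
```

On a little endian host the struct reads the QR bit of a response as 0, which is the kind of header misparse the workaround avoids.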
fix Makefile chmod (644)
replace MD5SUM with HASH
add PKG_MIRROR_HASH when PKG_SOURCE_PROTO:=git
(PKG_SOURCE_PROTO:=svn tarballs are not reproducible for now)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
In the absence of an address entry, bind to all interfaces, which is also
iodined's default when -l isn't given.
Signed-off-by: Uwe Kleine-König <uwe+openwrt@kleine-koenig.org>
Fall back to the default DNS port (i.e. 53). If you configure something
different than 53 this results in a warning from iodined:
    ALERT! Other dns servers expect you to run on port 53.
    You must manually forward port 53 to port $port for things to work.
This is obviously true.
Signed-off-by: Uwe Kleine-König <uwe+openwrt@kleine-koenig.org>
This is compatible with 0.6.0-rc1 clients and servers and fixes an
authentication bypass bug (CVE-2014-4168).
Signed-off-by: Uwe Kleine-König <uwe+openwrt@kleine-koenig.org>