Patch for 36810 & 20352
This coves several related problems
1) When the primary is in conflict done it allows the secondary to
transition around resolution interrupted and potentical conflict previously
the primary would die on an illegal state.
2) It allows the servers to restart a bind update request. Previously if
one of the servers sent an udpate request and there died (or had the communications
interrupted) in some states the first server wouldn't retransmit a new
update request and the other server wouldn't send any bind updates. This
was noticed in potential conflict.
3) Updated the state transitions to move the leases on the ack queue
back to the update queue in case of conflict-done as we might need to
retransmit them all.
4) Updated a transition from startup to potentical conflict instead
of resolution interrupted when the servers reconnect during the startup
phase in order to avoid a diffferent dead lock.
Add support to set high and low thresholds for pools for
v4 and v6. A message will be emitted when the usage of
the pool first exceeds the high threshold. More messages
will be skipped until the usage has gone below the low
threshold and then back above the high threshold.
Add the "-df <duid file>" option to the client code in order
to make it easier to share DUIDs between a v4 instance and
a v6 instance. This option instructs the client to search
the duid file for a DUID if it didn't find one in the main
lease file.
In addition add the infrastructure for running ATF tests
for the client and write some ATF tests for this patch.
18933 - add an extra server by name call
26735 - when requested via a command line option
have client exit afer 1 failure per the docs
33098 - expose next-server option to dhclient script
Update the auto genrated files to add the required bind9
libraries
Fix up dhcpctl/Makefile.am to include the isccfg lib
Patch for 30461 to allow the DHCP server to find
the name server to update via the DNS
Conflicts:
[rt27912]
Add code to suppor on {commit expiry release} statements for DHCPv6.
There are several pieces to this change
1) Add space in the iasubopt structure to hold the statement pointers
2) Update the execute code to fill in the structures as necessary
3) Execute the statements when appropriate
Many of the changes in the non-v6 code are to pass the v6 structures
around to the execute code.
+- Add support for a simple check that the server id in a request message
+ to a failover peer matches the server id of the server. This support
+ is enabled by editing the file includes/site.h and uncommenting the
+ definition for SERVER_ID_CHECK. The option has several restrictions
+ and issues - please read the comment in the site.h file before
+ enabling it.
+ [ISC-Bugs #31463]
The client now passes information about the options it requested
from the server to the script code via environment variables.
These variables are of the form requested_<option_name>=1 with
the option name being the same as used in the new_* and old_*
variables. [ISC-Bugs #29068]
into a hardware address handle unexpected client ids properly.
Thanks to Markus Hietava of Codenomicon CROSS project for the
finding this issue and CERT-FI for vulnerability coordination.
[ISC-Bugs #29852]
CVE: CVE-2012-3570
length client ids to be processed. Under some situations use of
zero length client ids can cause the server to go into an infinite
loop. As such ids are not valid according to RFC 2132 section 9.14
the server no longer accepts them. Client ids with a length of 1
are also invalid but the server still accepts them in order to
minimize disruption. The restriction will likely be tightened in
the future to disallow ids with a length of 1.
Thanks to Markus Hietava of Codenomicon CROSS project for the
finding this issue and CERT-FI for vulnerability coordination.
[ISC-Bugs #29851]
CVE: CVE-2012-3571
When processing an IA that we've seen check to see if the
addresses are usable (not in use by somebody else) before
handing it out.
When reading in leases from the file discard expired addresses.
When picking an address for a client include the IA ID in
addition to the client ID to generally pick different addresses
for different IAs.
[ISC-Bugs #23138] [ISC-Bugs #27945] [ISC-Bugs #25586]
[ISC-Bugs #27684]
should be cancelled. This patch results in cancelling the
outstanding request less often. It fixes the problem caused
by a client doing a release where the txt and ptr records
weren't removed from the DNS.
[ISC-BUGS #27858]
relay code. We've tested this on Solaris and hope to expand
support for Infiniband in the future. This patch also corrects
some issues we found in the socket code. [ISC-Bugs #24245]
code to the DDNS handling. This code included a bug that caused it
to attempt to dereference a NULL pointer and eventually segfault.
While reviewing the code as we addressed this problem, we determined
that some of the updates to the lease structures would not work as
planned since the structures being updated were in the process of
being freed: these updates were removed. In addition we removed an
incorrect call to the DDNS removal function that could cause a failure
during the removal of DDNS information from the DNS server.
Thanks to Jasper Jongmans for reporting this issue.
[ISC-Bugs #27078]
CVE: CVE-2011-4868
processing if the configuration included overlapping pools or
multiple fixed-address entries for a single address. This issue
affected both IPv4 and IPv6. The fix allows a server to detect such
conditions, provides the user with extra information and recommended
steps to fix the problem. If the user enables the appropriate option
in site.h then server will be terminated
configured during compilation time. Even though RFC2132 does not allow
to store more than one domain in domain-name option, such behavior is
now enabled by default, but this may change some time in the future.
See ACCEPT_LIST_IN_DOMAIN_NAME define in includes/site.h.
[ISC-Bugs #24167]
has elapsed (default 25%), the server will reuse the allocated lease
(provide a lease within the currently allocated lease-time) rather
than extend or renew the lease. This absolves the server of needing
to perform an fsync() operation on the lease database before reply,
which improves performance. [ISC-Bugs #22228]
- set initial delay to 0 to speed up client start
- added 'initial-delay' parameter to possibly revert to old behavior
- better handling of very short (1 or 2s) leases
- client lease records are recorded at most once every 15 seconds
- ICMP ping-check is now timed more precisely
- Servers that don't offer lease-time are now black-listed
[ISC-Bugs #19660]
21518 we changed the print routines to always display time values
as a hex list. This had a side effect of printing all data strings
as a hex list. We shall investigate other ways of displaying time
values more usefully. [ISC-Bugs #22626]
[ISC-Bugs #20418] - Some systems don't support the "%s" argument to
strftime, paste together the same string using mktime instead.
[ISC-Bugs #19596] - When parsing iaid values accept printable
characters.
[ISC-Bugs #21585] - Always print time values in omshell as hex
instead of ascii if the values happen to be printable characters.
Brian Masney and S.Kalyanasundraram and maintained for application to
the DHCP-4 sources by David Cantrell has been included. Please be
advised that these sources were contributed, and do not yet meet the
high standards we place on production sources we include by default.
As a result, the LDAP features are only included by using a compile-time
option which defaults off, and if you enable it you do so under your
own recognizance. We will be improving this software over time.
[ISC-Bugs #17741]
DDNS code to use the bind libraries. This patch fixes that breakage and
includes support for the new DDNS code. This patch also deletes some dead
code and neatens up some log messages.
which permits a DHCP server operating in communications-interrupted state
to 'rewind' a lease to the state most recently transmitted to its peer,
greatly increasing a server's endurance in communications-interrupted.
This is supported using a new 'rewind state' record on the dhcpd.leases
entry for each lease. [ISC-Bugs #19601]
