From 8a0901a90e38fb504c3127b7ec382dbf546fda50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 20 Aug 2018 17:13:46 +0200
Subject: [PATCH] Randomize ports

---
 dnsmasq-2.79-randomize-ports.patch | 87 ++++++++++++++++++++++++++++++
 dnsmasq.spec | 7 ++-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 dnsmasq-2.79-randomize-ports.patch

diff --git a/dnsmasq-2.79-randomize-ports.patch b/dnsmasq-2.79-randomize-ports.patch
new file mode 100644
index 0000000..e37931b
--- /dev/null
+++ b/dnsmasq-2.79-randomize-ports.patch
@@ -0,0 +1,87 @@ +From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 9 Aug 2018 18:17:26 +0200 +Subject: [PATCH] Use OS random ports by default + +Unless max-port or min-port is given, let OS allocate random ports for +DNS queries. Randomize similar to --query-port=0, but for each query +separately. Would use port according to system policy. +--- + src/dnsmasq.c | 2 +- + src/network.c | 15 ++++++++++++--- + src/option.c | 4 +++- + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 9f6c020..4cd478e 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -226,7 +226,7 @@ int main (int argc, char **argv) + die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); + #endif + +- if (daemon->max_port < daemon->min_port) ++ if (daemon->max_port >= 0 && daemon->max_port < daemon->min_port) + die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF); + + now = dnsmasq_time(); +diff --git a/src/network.c b/src/network.c +index 0381513..9747d26 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1138,18 +1138,27 @@ int random_sock(int family) + if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) + { + union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; ++ unsigned short ports_avail = 0; ++ int tries = 100; ++ unsigned short port = 0; + + memset(&addr, 0, sizeof(addr)); + addr.sa.sa_family = family; + ++ if (daemon->max_port >= 0) ++ { ++ ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; ++ if (ports_avail < 30) ++ tries = 3 * ports_avail; ++ } ++ + /* don't loop forever if all ports in use. 
*/ + + if (fix_fd(fd)) + while(tries--) + { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); ++ if (ports_avail) ++ port = htons(daemon->min_port + (rand16() % ports_avail)); + + if (family == AF_INET) + { +diff --git a/src/option.c b/src/option.c +index d358d99..b7eaff0 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + case LOPT_MINPORT: /* --min-port */ + if (!atoi_check16(arg, &daemon->min_port)) + ret_err(gen_err); ++ if (daemon->max_port < 0) ++ daemon->max_port = MAX_PORT; + break; + + case LOPT_MAXPORT: /* --max-port */ +@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts) + daemon->soa_refresh = SOA_REFRESH; + daemon->soa_retry = SOA_RETRY; + daemon->soa_expiry = SOA_EXPIRY; +- daemon->max_port = MAX_PORT; ++ daemon->max_port = -1; + daemon->min_port = MIN_PORT; + + #ifndef NO_ID +-- +2.14.4 + diff --git a/dnsmasq.spec b/dnsmasq.spec index f1a5a9f..3319fd7 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.79 -Release: 7%{?extraversion:.%{extraversion}}%{?dist} +Release: 8%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -26,6 +26,7 @@ Source2: dnsmasq-systemd-sysusers.conf Patch1: dnsmasq-2.77-underflow.patch Patch3: dnsmasq-2.78-fips.patch Patch4: dnsmasq-2.80-dnssec.patch +Patch5: dnsmasq-2.79-randomize-ports.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -63,6 +64,7 @@ server's leases. %patch1 -p1 -b .underflow %patch3 -p1 -b .fips %patch4 -p1 -b .dnssec +%patch5 -p1 -b .ports # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do 
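Review bot: In the random_sock hunk of the added patch, `ports_avail` is narrowed from `unsigned int` to `unsigned short`, so a configured range spanning all 65536 ports (if `--min-port=0` is accepted, with `max_port` then implied as MAX_PORT by the option.c hunk) wraps to 0, the `if (ports_avail)` guard is never taken, and the administrator's range is silently replaced by a kernel-chosen port; declaring it `unsigned int ports_avail = 0;` keeps the guard meaningful while still avoiding the modulo-by-zero the old `(unsigned short)` cast could have produced. Separately, the new default delegates source-port randomization to the kernel, so the entropy that protects answers against spoofing now depends on the host's ephemeral allocator and range (on a typical Linux `net.ipv4.ip_local_port_range`, which is narrower than the full MIN_PORT..MAX_PORT range dnsmasq used before), and a platform that allocates UDP ports sequentially would lose the randomization entirely; the inner commit message and the `--min-port`/`--max-port` documentation should state that setting either option restores dnsmasq's own per-query randomizing. A comment on the loop such as `/* port stays 0 when no range is configured: the kernel picks an ephemeral port per query */` would make the fallback explicit, since the bind that presumably consumes `port` lies outside the hunk. random_sock's bind loop, and the main()/one_opt()/read_opts() changes, continue outside their hunks.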
@@ -163,6 +165,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf %{_mandir}/man1/dhcp_* %changelog +* Thu Aug 09 2018 Petr Menšík - 2.79-8 +- Better randomize ports + * Tue Jul 31 2018 Florian Weimer - 2.79-7 - Rebuild with fixed binutils