1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
4 #include <netinet/in.h>
12 #include "alloc-util.h"
13 #include "bus-polkit.h"
14 #include "dirent-util.h"
15 #include "dns-domain.h"
16 #include "event-util.h"
19 #include "hostname-util.h"
22 #include "memstream-util.h"
23 #include "missing_network.h"
24 #include "missing_socket.h"
25 #include "netlink-util.h"
26 #include "ordered-set.h"
27 #include "parse-util.h"
28 #include "random-util.h"
29 #include "resolved-bus.h"
30 #include "resolved-conf.h"
31 #include "resolved-dns-stub.h"
32 #include "resolved-dnssd.h"
33 #include "resolved-etc-hosts.h"
34 #include "resolved-llmnr.h"
35 #include "resolved-manager.h"
36 #include "resolved-mdns.h"
37 #include "resolved-resolv-conf.h"
38 #include "resolved-util.h"
39 #include "resolved-varlink.h"
40 #include "socket-util.h"
41 #include "string-table.h"
42 #include "string-util.h"
45 #define SEND_TIMEOUT_USEC (200 * USEC_PER_MSEC)
47 static int manager_process_link(sd_netlink
*rtnl
, sd_netlink_message
*mm
, void *userdata
) {
48 Manager
*m
= ASSERT_PTR(userdata
);
56 r
= sd_netlink_message_get_type(mm
, &type
);
60 r
= sd_rtnl_message_link_get_ifindex(mm
, &ifindex
);
64 l
= hashmap_get(m
->links
, INT_TO_PTR(ifindex
));
72 r
= link_new(m
, &l
, ifindex
);
77 r
= link_process_rtnl(l
, mm
);
86 log_debug("Found new link %i/%s", ifindex
, l
->ifname
);
93 log_debug("Removing link %i/%s", l
->ifindex
, l
->ifname
);
104 log_warning_errno(r
, "Failed to process RTNL link message: %m");
108 static int manager_process_address(sd_netlink
*rtnl
, sd_netlink_message
*mm
, void *userdata
) {
109 Manager
*m
= ASSERT_PTR(userdata
);
110 union in_addr_union address
, broadcast
= {};
112 int r
, ifindex
, family
;
119 r
= sd_netlink_message_get_type(mm
, &type
);
123 r
= sd_rtnl_message_addr_get_ifindex(mm
, &ifindex
);
127 l
= hashmap_get(m
->links
, INT_TO_PTR(ifindex
));
131 r
= sd_rtnl_message_addr_get_family(mm
, &family
);
138 sd_netlink_message_read_in_addr(mm
, IFA_BROADCAST
, &broadcast
.in
);
139 r
= sd_netlink_message_read_in_addr(mm
, IFA_LOCAL
, &address
.in
);
141 r
= sd_netlink_message_read_in_addr(mm
, IFA_ADDRESS
, &address
.in
);
149 r
= sd_netlink_message_read_in6_addr(mm
, IFA_LOCAL
, &address
.in6
);
151 r
= sd_netlink_message_read_in6_addr(mm
, IFA_ADDRESS
, &address
.in6
);
162 a
= link_find_address(l
, family
, &address
);
169 r
= link_address_new(l
, &a
, family
, &address
, &broadcast
);
174 r
= link_address_update_rtnl(a
, mm
);
181 link_address_free(a
);
188 log_warning_errno(r
, "Failed to process RTNL address message: %m");
192 static int manager_rtnl_listen(Manager
*m
) {
193 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*req
= NULL
, *reply
= NULL
;
198 /* First, subscribe to interfaces coming and going */
199 r
= sd_netlink_open(&m
->rtnl
);
203 r
= sd_netlink_attach_event(m
->rtnl
, m
->event
, SD_EVENT_PRIORITY_IMPORTANT
);
207 r
= sd_netlink_add_match(m
->rtnl
, NULL
, RTM_NEWLINK
, manager_process_link
, NULL
, m
, "resolve-NEWLINK");
211 r
= sd_netlink_add_match(m
->rtnl
, NULL
, RTM_DELLINK
, manager_process_link
, NULL
, m
, "resolve-DELLINK");
215 r
= sd_netlink_add_match(m
->rtnl
, NULL
, RTM_NEWADDR
, manager_process_address
, NULL
, m
, "resolve-NEWADDR");
219 r
= sd_netlink_add_match(m
->rtnl
, NULL
, RTM_DELADDR
, manager_process_address
, NULL
, m
, "resolve-DELADDR");
223 /* Then, enumerate all links */
224 r
= sd_rtnl_message_new_link(m
->rtnl
, &req
, RTM_GETLINK
, 0);
228 r
= sd_netlink_message_set_request_dump(req
, true);
232 r
= sd_netlink_call(m
->rtnl
, req
, 0, &reply
);
236 for (sd_netlink_message
*i
= reply
; i
; i
= sd_netlink_message_next(i
)) {
237 r
= manager_process_link(m
->rtnl
, i
, m
);
242 req
= sd_netlink_message_unref(req
);
243 reply
= sd_netlink_message_unref(reply
);
245 /* Finally, enumerate all addresses, too */
246 r
= sd_rtnl_message_new_addr(m
->rtnl
, &req
, RTM_GETADDR
, 0, AF_UNSPEC
);
250 r
= sd_netlink_message_set_request_dump(req
, true);
254 r
= sd_netlink_call(m
->rtnl
, req
, 0, &reply
);
258 for (sd_netlink_message
*i
= reply
; i
; i
= sd_netlink_message_next(i
)) {
259 r
= manager_process_address(m
->rtnl
, i
, m
);
267 static int on_network_event(sd_event_source
*s
, int fd
, uint32_t revents
, void *userdata
) {
268 Manager
*m
= ASSERT_PTR(userdata
);
272 sd_network_monitor_flush(m
->network_monitor
);
274 HASHMAP_FOREACH(l
, m
->links
) {
277 log_warning_errno(r
, "Failed to update monitor information for %i: %m", l
->ifindex
);
280 (void) manager_write_resolv_conf(m
);
281 (void) manager_send_changed(m
, "DNS");
286 static int manager_network_monitor_listen(Manager
*m
) {
291 r
= sd_network_monitor_new(&m
->network_monitor
, NULL
);
295 fd
= sd_network_monitor_get_fd(m
->network_monitor
);
299 events
= sd_network_monitor_get_events(m
->network_monitor
);
303 r
= sd_event_add_io(m
->event
, &m
->network_event_source
, fd
, events
, &on_network_event
, m
);
307 r
= sd_event_source_set_priority(m
->network_event_source
, SD_EVENT_PRIORITY_IMPORTANT
+5);
311 (void) sd_event_source_set_description(m
->network_event_source
, "network-monitor");
316 static int manager_clock_change_listen(Manager
*m
);
318 static int on_clock_change(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
319 Manager
*m
= ASSERT_PTR(userdata
);
321 /* The clock has changed, let's flush all caches. Why that? That's because DNSSEC validation takes
322 * the system clock into consideration, and if the clock changes the old validations might have been
323 * wrong. Let's redo all validation with the new, correct time.
325 * (Also, this is triggered after system suspend, which is also a good reason to drop caches, since
326 * we might be connected to a different network now without this being visible in a dropped link
329 log_info("Clock change detected. Flushing caches.");
330 manager_flush_caches(m
, LOG_DEBUG
/* downgrade the functions own log message, since we already logged here at LOG_INFO level */);
332 /* The clock change timerfd is unusable after it triggered once, create a new one. */
333 return manager_clock_change_listen(m
);
336 static int manager_clock_change_listen(Manager
*m
) {
341 m
->clock_change_event_source
= sd_event_source_disable_unref(m
->clock_change_event_source
);
343 r
= event_add_time_change(m
->event
, &m
->clock_change_event_source
, on_clock_change
, m
);
345 return log_error_errno(r
, "Failed to create clock change event source: %m");
350 static int determine_hostnames(char **full_hostname
, char **llmnr_hostname
, char **mdns_hostname
) {
351 _cleanup_free_
char *h
= NULL
, *n
= NULL
;
354 assert(full_hostname
);
355 assert(llmnr_hostname
);
356 assert(mdns_hostname
);
358 r
= resolve_system_hostname(&h
, &n
);
362 r
= dns_name_concat(n
, "local", 0, mdns_hostname
);
364 return log_error_errno(r
, "Failed to determine mDNS hostname: %m");
366 *llmnr_hostname
= TAKE_PTR(n
);
367 *full_hostname
= TAKE_PTR(h
);
372 static char* fallback_hostname(void) {
374 /* Determine the fall back hostname. For exposing this system to the outside world, we cannot have it
375 * to be "localhost" even if that's the default hostname. In this case, let's revert to "linux"
378 _cleanup_free_
char *n
= get_default_hostname();
383 return strdup("linux");
388 static int make_fallback_hostnames(char **full_hostname
, char **llmnr_hostname
, char **mdns_hostname
) {
389 _cleanup_free_
char *h
= NULL
, *n
= NULL
, *m
= NULL
;
390 char label
[DNS_LABEL_MAX
];
394 assert(full_hostname
);
395 assert(llmnr_hostname
);
396 assert(mdns_hostname
);
398 p
= h
= fallback_hostname();
402 r
= dns_label_unescape(&p
, label
, sizeof label
, 0);
404 return log_error_errno(r
, "Failed to unescape fallback hostname: %m");
406 assert(r
> 0); /* The fallback hostname must have at least one label */
408 r
= dns_label_escape_new(label
, r
, &n
);
410 return log_error_errno(r
, "Failed to escape fallback hostname: %m");
412 r
= dns_name_concat(n
, "local", 0, &m
);
414 return log_error_errno(r
, "Failed to concatenate mDNS hostname: %m");
416 *llmnr_hostname
= TAKE_PTR(n
);
417 *mdns_hostname
= TAKE_PTR(m
);
418 *full_hostname
= TAKE_PTR(h
);
423 static int on_hostname_change(sd_event_source
*es
, int fd
, uint32_t revents
, void *userdata
) {
424 _cleanup_free_
char *full_hostname
= NULL
, *llmnr_hostname
= NULL
, *mdns_hostname
= NULL
;
425 Manager
*m
= ASSERT_PTR(userdata
);
426 bool llmnr_hostname_changed
;
429 r
= determine_hostnames(&full_hostname
, &llmnr_hostname
, &mdns_hostname
);
431 log_warning_errno(r
, "Failed to determine the local hostname and LLMNR/mDNS names, ignoring: %m");
432 return 0; /* ignore invalid hostnames */
435 llmnr_hostname_changed
= !streq(llmnr_hostname
, m
->llmnr_hostname
);
436 if (streq(full_hostname
, m
->full_hostname
) &&
437 !llmnr_hostname_changed
&&
438 streq(mdns_hostname
, m
->mdns_hostname
))
441 log_info("System hostname changed to '%s'.", full_hostname
);
443 free_and_replace(m
->full_hostname
, full_hostname
);
444 free_and_replace(m
->llmnr_hostname
, llmnr_hostname
);
445 free_and_replace(m
->mdns_hostname
, mdns_hostname
);
447 manager_refresh_rrs(m
);
448 (void) manager_send_changed(m
, "LLMNRHostname");
453 static int manager_watch_hostname(Manager
*m
) {
458 m
->hostname_fd
= open("/proc/sys/kernel/hostname",
459 O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
460 if (m
->hostname_fd
< 0) {
461 log_warning_errno(errno
, "Failed to watch hostname: %m");
465 r
= sd_event_add_io(m
->event
, &m
->hostname_event_source
, m
->hostname_fd
, 0, on_hostname_change
, m
);
468 /* kernels prior to 3.2 don't support polling this file. Ignore the failure. */
469 m
->hostname_fd
= safe_close(m
->hostname_fd
);
471 return log_error_errno(r
, "Failed to add hostname event source: %m");
474 (void) sd_event_source_set_description(m
->hostname_event_source
, "hostname");
476 r
= determine_hostnames(&m
->full_hostname
, &m
->llmnr_hostname
, &m
->mdns_hostname
);
478 _cleanup_free_
char *d
= NULL
;
480 d
= fallback_hostname();
484 log_info("Defaulting to hostname '%s'.", d
);
486 r
= make_fallback_hostnames(&m
->full_hostname
, &m
->llmnr_hostname
, &m
->mdns_hostname
);
490 log_info("Using system hostname '%s'.", m
->full_hostname
);
495 static int manager_sigusr1(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
496 _cleanup_(memstream_done
) MemStream ms
= {};
497 Manager
*m
= ASSERT_PTR(userdata
);
504 f
= memstream_init(&ms
);
508 LIST_FOREACH(scopes
, scope
, m
->dns_scopes
)
509 dns_scope_dump(scope
, f
);
511 LIST_FOREACH(servers
, server
, m
->dns_servers
)
512 dns_server_dump(server
, f
);
513 LIST_FOREACH(servers
, server
, m
->fallback_dns_servers
)
514 dns_server_dump(server
, f
);
515 HASHMAP_FOREACH(l
, m
->links
)
516 LIST_FOREACH(servers
, server
, l
->dns_servers
)
517 dns_server_dump(server
, f
);
519 return memstream_dump(LOG_INFO
, &ms
);
522 static int manager_sigusr2(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
523 Manager
*m
= ASSERT_PTR(userdata
);
528 manager_flush_caches(m
, LOG_INFO
);
533 static int manager_sigrtmin1(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
534 Manager
*m
= ASSERT_PTR(userdata
);
539 manager_reset_server_features(m
);
543 static int manager_memory_pressure(sd_event_source
*s
, void *userdata
) {
544 Manager
*m
= ASSERT_PTR(userdata
);
546 log_info("Under memory pressure, flushing caches.");
548 manager_flush_caches(m
, LOG_INFO
);
549 sd_event_trim_memory();
554 static int manager_memory_pressure_listen(Manager
*m
) {
559 r
= sd_event_add_memory_pressure(m
->event
, NULL
, manager_memory_pressure
, m
);
561 log_full_errno(ERRNO_IS_NOT_SUPPORTED(r
) || ERRNO_IS_PRIVILEGE(r
) || (r
== -EHOSTDOWN
)? LOG_DEBUG
: LOG_NOTICE
, r
,
562 "Failed to install memory pressure event source, ignoring: %m");
567 int manager_new(Manager
**ret
) {
568 _cleanup_(manager_freep
) Manager
*m
= NULL
;
578 .llmnr_ipv4_udp_fd
= -EBADF
,
579 .llmnr_ipv6_udp_fd
= -EBADF
,
580 .llmnr_ipv4_tcp_fd
= -EBADF
,
581 .llmnr_ipv6_tcp_fd
= -EBADF
,
582 .mdns_ipv4_fd
= -EBADF
,
583 .mdns_ipv6_fd
= -EBADF
,
584 .hostname_fd
= -EBADF
,
586 .llmnr_support
= DEFAULT_LLMNR_MODE
,
587 .mdns_support
= DEFAULT_MDNS_MODE
,
588 .dnssec_mode
= DEFAULT_DNSSEC_MODE
,
589 .dns_over_tls_mode
= DEFAULT_DNS_OVER_TLS_MODE
,
590 .enable_cache
= DNS_CACHE_MODE_YES
,
591 .dns_stub_listener_mode
= DNS_STUB_LISTENER_YES
,
592 .read_resolv_conf
= true,
593 .need_builtin_fallbacks
= true,
594 .etc_hosts_last
= USEC_INFINITY
,
595 .read_etc_hosts
= true,
597 .sigrtmin18_info
.memory_pressure_handler
= manager_memory_pressure
,
598 .sigrtmin18_info
.memory_pressure_userdata
= m
,
601 r
= dns_trust_anchor_load(&m
->trust_anchor
);
605 r
= manager_parse_config_file(m
);
607 log_warning_errno(r
, "Failed to parse configuration file: %m");
609 #if ENABLE_DNS_OVER_TLS
610 r
= dnstls_manager_init(m
);
615 r
= sd_event_default(&m
->event
);
619 (void) sd_event_add_signal(m
->event
, NULL
, SIGTERM
, NULL
, NULL
);
620 (void) sd_event_add_signal(m
->event
, NULL
, SIGINT
, NULL
, NULL
);
622 (void) sd_event_set_watchdog(m
->event
, true);
624 r
= manager_watch_hostname(m
);
630 log_warning_errno(r
, "Failed to load DNS-SD configuration files: %m");
632 r
= dns_scope_new(m
, &m
->unicast_scope
, NULL
, DNS_PROTOCOL_DNS
, AF_UNSPEC
);
636 r
= manager_network_monitor_listen(m
);
640 r
= manager_rtnl_listen(m
);
644 r
= manager_clock_change_listen(m
);
648 r
= manager_memory_pressure_listen(m
);
652 r
= manager_connect_bus(m
);
656 (void) sd_event_add_signal(m
->event
, &m
->sigusr1_event_source
, SIGUSR1
, manager_sigusr1
, m
);
657 (void) sd_event_add_signal(m
->event
, &m
->sigusr2_event_source
, SIGUSR2
, manager_sigusr2
, m
);
658 (void) sd_event_add_signal(m
->event
, &m
->sigrtmin1_event_source
, SIGRTMIN
+1, manager_sigrtmin1
, m
);
659 (void) sd_event_add_signal(m
->event
, NULL
, SIGRTMIN
+18, sigrtmin18_handler
, &m
->sigrtmin18_info
);
661 manager_cleanup_saved_user(m
);
668 int manager_start(Manager
*m
) {
673 r
= manager_dns_stub_start(m
);
677 r
= manager_varlink_init(m
);
684 Manager
*manager_free(Manager
*m
) {
691 dns_server_unlink_all(m
->dns_servers
);
692 dns_server_unlink_all(m
->fallback_dns_servers
);
693 dns_search_domain_unlink_all(m
->search_domains
);
695 while ((l
= hashmap_first(m
->links
)))
698 while (m
->dns_queries
)
699 dns_query_free(m
->dns_queries
);
701 m
->stub_queries_by_packet
= hashmap_free(m
->stub_queries_by_packet
);
703 dns_scope_free(m
->unicast_scope
);
705 /* At this point only orphaned streams should remain. All others should have been freed already by their
707 while (m
->dns_streams
)
708 dns_stream_unref(m
->dns_streams
);
710 #if ENABLE_DNS_OVER_TLS
711 dnstls_manager_free(m
);
714 hashmap_free(m
->links
);
715 hashmap_free(m
->dns_transactions
);
717 sd_event_source_unref(m
->network_event_source
);
718 sd_network_monitor_unref(m
->network_monitor
);
720 sd_netlink_unref(m
->rtnl
);
721 sd_event_source_unref(m
->rtnl_event_source
);
722 sd_event_source_unref(m
->clock_change_event_source
);
724 manager_llmnr_stop(m
);
725 manager_mdns_stop(m
);
726 manager_dns_stub_stop(m
);
727 manager_varlink_done(m
);
729 manager_socket_graveyard_clear(m
);
731 ordered_set_free(m
->dns_extra_stub_listeners
);
733 bus_verify_polkit_async_registry_free(m
->polkit_registry
);
735 sd_bus_flush_close_unref(m
->bus
);
737 sd_event_source_unref(m
->sigusr1_event_source
);
738 sd_event_source_unref(m
->sigusr2_event_source
);
739 sd_event_source_unref(m
->sigrtmin1_event_source
);
741 dns_resource_key_unref(m
->llmnr_host_ipv4_key
);
742 dns_resource_key_unref(m
->llmnr_host_ipv6_key
);
743 dns_resource_key_unref(m
->mdns_host_ipv4_key
);
744 dns_resource_key_unref(m
->mdns_host_ipv6_key
);
746 sd_event_source_unref(m
->hostname_event_source
);
747 safe_close(m
->hostname_fd
);
749 sd_event_unref(m
->event
);
751 free(m
->full_hostname
);
752 free(m
->llmnr_hostname
);
753 free(m
->mdns_hostname
);
755 while ((s
= hashmap_first(m
->dnssd_services
)))
756 dnssd_service_free(s
);
757 hashmap_free(m
->dnssd_services
);
759 dns_trust_anchor_flush(&m
->trust_anchor
);
760 manager_etc_hosts_flush(m
);
765 int manager_recv(Manager
*m
, int fd
, DnsProtocol protocol
, DnsPacket
**ret
) {
766 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
767 CMSG_BUFFER_TYPE(CMSG_SPACE(MAXSIZE(struct in_pktinfo
, struct in6_pktinfo
))
768 + CMSG_SPACE(int) /* ttl/hoplimit */
769 + EXTRA_CMSG_SPACE
/* kernel appears to require extra buffer space */) control
;
770 union sockaddr_union sa
;
774 .msg_namelen
= sizeof(sa
),
777 .msg_control
= &control
,
778 .msg_controllen
= sizeof(control
),
780 struct cmsghdr
*cmsg
;
788 ms
= next_datagram_size_fd(fd
);
792 r
= dns_packet_new(&p
, protocol
, ms
, DNS_PACKET_SIZE_MAX
);
796 iov
= IOVEC_MAKE(DNS_PACKET_DATA(p
), p
->allocated
);
798 l
= recvmsg_safe(fd
, &mh
, 0);
800 if (ERRNO_IS_TRANSIENT(l
))
807 assert(!(mh
.msg_flags
& MSG_TRUNC
));
809 p
->size
= (size_t) l
;
811 p
->family
= sa
.sa
.sa_family
;
812 p
->ipproto
= IPPROTO_UDP
;
813 if (p
->family
== AF_INET
) {
814 p
->sender
.in
= sa
.in
.sin_addr
;
815 p
->sender_port
= be16toh(sa
.in
.sin_port
);
816 } else if (p
->family
== AF_INET6
) {
817 p
->sender
.in6
= sa
.in6
.sin6_addr
;
818 p
->sender_port
= be16toh(sa
.in6
.sin6_port
);
819 p
->ifindex
= sa
.in6
.sin6_scope_id
;
821 return -EAFNOSUPPORT
;
823 p
->timestamp
= now(CLOCK_BOOTTIME
);
825 CMSG_FOREACH(cmsg
, &mh
) {
827 if (cmsg
->cmsg_level
== IPPROTO_IPV6
) {
828 assert(p
->family
== AF_INET6
);
830 switch (cmsg
->cmsg_type
) {
833 struct in6_pktinfo
*i
= CMSG_TYPED_DATA(cmsg
, struct in6_pktinfo
);
836 p
->ifindex
= i
->ipi6_ifindex
;
838 p
->destination
.in6
= i
->ipi6_addr
;
843 p
->ttl
= *CMSG_TYPED_DATA(cmsg
, int);
846 case IPV6_RECVFRAGSIZE
:
847 p
->fragsize
= *CMSG_TYPED_DATA(cmsg
, int);
850 } else if (cmsg
->cmsg_level
== IPPROTO_IP
) {
851 assert(p
->family
== AF_INET
);
853 switch (cmsg
->cmsg_type
) {
856 struct in_pktinfo
*i
= CMSG_TYPED_DATA(cmsg
, struct in_pktinfo
);
859 p
->ifindex
= i
->ipi_ifindex
;
861 p
->destination
.in
= i
->ipi_addr
;
866 p
->ttl
= *CMSG_TYPED_DATA(cmsg
, int);
869 case IP_RECVFRAGSIZE
:
870 p
->fragsize
= *CMSG_TYPED_DATA(cmsg
, int);
876 /* The Linux kernel sets the interface index to the loopback
877 * device if the packet came from the local host since it
878 * avoids the routing table in such a case. Let's unset the
879 * interface index in such a case. */
880 if (p
->ifindex
== LOOPBACK_IFINDEX
)
883 if (protocol
!= DNS_PROTOCOL_DNS
) {
884 /* If we don't know the interface index still, we look for the
885 * first local interface with a matching address. Yuck! */
887 p
->ifindex
= manager_find_ifindex(m
, p
->family
, &p
->destination
);
890 log_debug("Received %s UDP packet of size %zu, ifindex=%i, ttl=%u, fragsize=%zu, sender=%s, destination=%s",
891 dns_protocol_to_string(protocol
), p
->size
, p
->ifindex
, p
->ttl
, p
->fragsize
,
892 IN_ADDR_TO_STRING(p
->family
, &p
->sender
),
893 IN_ADDR_TO_STRING(p
->family
, &p
->destination
));
899 static int sendmsg_loop(int fd
, struct msghdr
*mh
, int flags
) {
906 end
= usec_add(now(CLOCK_MONOTONIC
), SEND_TIMEOUT_USEC
);
909 if (sendmsg(fd
, mh
, flags
) >= 0)
916 r
= fd_wait_for_event(fd
, POLLOUT
, LESS_BY(end
, now(CLOCK_MONOTONIC
)));
918 if (ERRNO_IS_TRANSIENT(r
))
927 static int write_loop(int fd
, void *message
, size_t length
) {
934 end
= usec_add(now(CLOCK_MONOTONIC
), SEND_TIMEOUT_USEC
);
937 if (write(fd
, message
, length
) >= 0)
944 r
= fd_wait_for_event(fd
, POLLOUT
, LESS_BY(end
, now(CLOCK_MONOTONIC
)));
946 if (ERRNO_IS_TRANSIENT(r
))
955 int manager_write(Manager
*m
, int fd
, DnsPacket
*p
) {
958 log_debug("Sending %s%s packet with id %" PRIu16
" of size %zu.",
959 DNS_PACKET_TC(p
) ? "truncated (!) " : "",
960 DNS_PACKET_QR(p
) ? "response" : "query",
964 r
= write_loop(fd
, DNS_PACKET_DATA(p
), p
->size
);
971 static int manager_ipv4_send(
975 const struct in_addr
*destination
,
977 const struct in_addr
*source
,
980 CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct in_pktinfo
))) control
= {};
981 union sockaddr_union sa
;
987 .msg_namelen
= sizeof(sa
.in
),
996 iov
= IOVEC_MAKE(DNS_PACKET_DATA(p
), p
->size
);
998 sa
= (union sockaddr_union
) {
999 .in
.sin_family
= AF_INET
,
1000 .in
.sin_addr
= *destination
,
1001 .in
.sin_port
= htobe16(port
),
1005 struct cmsghdr
*cmsg
;
1006 struct in_pktinfo
*pi
;
1008 mh
.msg_control
= &control
;
1009 mh
.msg_controllen
= sizeof(control
);
1011 cmsg
= CMSG_FIRSTHDR(&mh
);
1012 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
1013 cmsg
->cmsg_level
= IPPROTO_IP
;
1014 cmsg
->cmsg_type
= IP_PKTINFO
;
1016 pi
= CMSG_TYPED_DATA(cmsg
, struct in_pktinfo
);
1017 pi
->ipi_ifindex
= ifindex
;
1020 pi
->ipi_spec_dst
= *source
;
1023 return sendmsg_loop(fd
, &mh
, 0);
1026 static int manager_ipv6_send(
1030 const struct in6_addr
*destination
,
1032 const struct in6_addr
*source
,
1035 CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct in6_pktinfo
))) control
= {};
1036 union sockaddr_union sa
;
1038 struct msghdr mh
= {
1042 .msg_namelen
= sizeof(sa
.in6
),
1047 assert(destination
);
1051 iov
= IOVEC_MAKE(DNS_PACKET_DATA(p
), p
->size
);
1053 sa
= (union sockaddr_union
) {
1054 .in6
.sin6_family
= AF_INET6
,
1055 .in6
.sin6_addr
= *destination
,
1056 .in6
.sin6_port
= htobe16(port
),
1057 .in6
.sin6_scope_id
= ifindex
,
1061 struct cmsghdr
*cmsg
;
1062 struct in6_pktinfo
*pi
;
1064 mh
.msg_control
= &control
;
1065 mh
.msg_controllen
= sizeof(control
);
1067 cmsg
= CMSG_FIRSTHDR(&mh
);
1068 cmsg
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
1069 cmsg
->cmsg_level
= IPPROTO_IPV6
;
1070 cmsg
->cmsg_type
= IPV6_PKTINFO
;
1072 pi
= CMSG_TYPED_DATA(cmsg
, struct in6_pktinfo
);
1073 pi
->ipi6_ifindex
= ifindex
;
1076 pi
->ipi6_addr
= *source
;
1079 return sendmsg_loop(fd
, &mh
, 0);
1082 static int dns_question_to_json(DnsQuestion
*q
, JsonVariant
**ret
) {
1083 _cleanup_(json_variant_unrefp
) JsonVariant
*l
= NULL
;
1084 DnsResourceKey
*key
;
1089 DNS_QUESTION_FOREACH(key
, q
) {
1090 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
1092 r
= dns_resource_key_to_json(key
, &v
);
1096 r
= json_variant_append_array(&l
, v
);
1105 int manager_monitor_send(
1110 DnsQuestion
*question_idna
,
1111 DnsQuestion
*question_utf8
,
1112 DnsQuestion
*collected_questions
,
1113 DnsAnswer
*answer
) {
1115 _cleanup_(json_variant_unrefp
) JsonVariant
*jquestion
= NULL
, *jcollected_questions
= NULL
, *janswer
= NULL
;
1116 _cleanup_(dns_question_unrefp
) DnsQuestion
*merged
= NULL
;
1117 Varlink
*connection
;
1123 if (set_isempty(m
->varlink_subscription
))
1126 /* Merge both questions format into one */
1127 r
= dns_question_merge(question_idna
, question_utf8
, &merged
);
1129 return log_error_errno(r
, "Failed to merge UTF8/IDNA questions: %m");
1131 /* Convert the current primary question to JSON */
1132 r
= dns_question_to_json(merged
, &jquestion
);
1134 return log_error_errno(r
, "Failed to convert question to JSON: %m");
1136 /* Generate a JSON array of the questions preceding the current one in the CNAME chain */
1137 r
= dns_question_to_json(collected_questions
, &jcollected_questions
);
1139 return log_error_errno(r
, "Failed to convert question to JSON: %m");
1141 DNS_ANSWER_FOREACH_ITEM(rri
, answer
) {
1142 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
, *w
= NULL
;
1144 r
= dns_resource_record_to_json(rri
->rr
, &v
);
1146 return log_error_errno(r
, "Failed to convert answer resource record to JSON: %m");
1148 r
= dns_resource_record_to_wire_format(rri
->rr
, /* canonical= */ false); /* don't use DNSSEC canonical format, since it removes casing, but we want that for DNS_SD compat */
1150 return log_error_errno(r
, "Failed to generate RR wire format: %m");
1152 r
= json_build(&w
, JSON_BUILD_OBJECT(
1153 JSON_BUILD_PAIR_CONDITION(v
, "rr", JSON_BUILD_VARIANT(v
)),
1154 JSON_BUILD_PAIR("raw", JSON_BUILD_BASE64(rri
->rr
->wire_format
, rri
->rr
->wire_format_size
)),
1155 JSON_BUILD_PAIR_CONDITION(rri
->ifindex
> 0, "ifindex", JSON_BUILD_INTEGER(rri
->ifindex
))));
1157 return log_error_errno(r
, "Failed to make answer RR object: %m");
1159 r
= json_variant_append_array(&janswer
, w
);
1161 return log_debug_errno(r
, "Failed to append notification entry to array: %m");
1164 SET_FOREACH(connection
, m
->varlink_subscription
) {
1165 r
= varlink_notifyb(connection
,
1166 JSON_BUILD_OBJECT(JSON_BUILD_PAIR("state", JSON_BUILD_STRING(dns_transaction_state_to_string(state
))),
1167 JSON_BUILD_PAIR_CONDITION(state
== DNS_TRANSACTION_RCODE_FAILURE
, "rcode", JSON_BUILD_INTEGER(rcode
)),
1168 JSON_BUILD_PAIR_CONDITION(state
== DNS_TRANSACTION_ERRNO
, "errno", JSON_BUILD_INTEGER(error
)),
1169 JSON_BUILD_PAIR("question", JSON_BUILD_VARIANT(jquestion
)),
1170 JSON_BUILD_PAIR_CONDITION(jcollected_questions
, "collectedQuestions", JSON_BUILD_VARIANT(jcollected_questions
)),
1171 JSON_BUILD_PAIR_CONDITION(janswer
, "answer", JSON_BUILD_VARIANT(janswer
))));
1173 log_debug_errno(r
, "Failed to send monitor event, ignoring: %m");
1184 const union in_addr_union
*destination
,
1186 const union in_addr_union
*source
,
1191 assert(destination
);
1195 log_debug("Sending %s%s packet with id %" PRIu16
" on interface %i/%s of size %zu.",
1196 DNS_PACKET_TC(p
) ? "truncated (!) " : "",
1197 DNS_PACKET_QR(p
) ? "response" : "query",
1199 ifindex
, af_to_name(family
),
1202 if (family
== AF_INET
)
1203 return manager_ipv4_send(m
, fd
, ifindex
, &destination
->in
, port
, source
? &source
->in
: NULL
, p
);
1204 if (family
== AF_INET6
)
1205 return manager_ipv6_send(m
, fd
, ifindex
, &destination
->in6
, port
, source
? &source
->in6
: NULL
, p
);
1207 return -EAFNOSUPPORT
;
1210 uint32_t manager_find_mtu(Manager
*m
) {
1214 /* If we don't know on which link a DNS packet would be delivered, let's find the largest MTU that
1215 * works on all interfaces we know of that have an IP address associated */
1217 HASHMAP_FOREACH(l
, m
->links
) {
1218 /* Let's filter out links without IP addresses (e.g. AF_CAN links and suchlike) */
1222 /* Safety check: MTU shorter than what we need for the absolutely shortest DNS request? Then
1223 * let's ignore this link. */
1224 if (l
->mtu
< MIN(UDP4_PACKET_HEADER_SIZE
+ DNS_PACKET_HEADER_SIZE
,
1225 UDP6_PACKET_HEADER_SIZE
+ DNS_PACKET_HEADER_SIZE
))
1228 if (mtu
<= 0 || l
->mtu
< mtu
)
1232 if (mtu
== 0) /* found nothing? then let's assume the typical Ethernet MTU for lack of anything more precise */
1238 int manager_find_ifindex(Manager
*m
, int family
, const union in_addr_union
*in_addr
) {
1243 if (!IN_SET(family
, AF_INET
, AF_INET6
))
1249 a
= manager_find_link_address(m
, family
, in_addr
);
1251 return a
->link
->ifindex
;
1256 void manager_refresh_rrs(Manager
*m
) {
1262 m
->llmnr_host_ipv4_key
= dns_resource_key_unref(m
->llmnr_host_ipv4_key
);
1263 m
->llmnr_host_ipv6_key
= dns_resource_key_unref(m
->llmnr_host_ipv6_key
);
1264 m
->mdns_host_ipv4_key
= dns_resource_key_unref(m
->mdns_host_ipv4_key
);
1265 m
->mdns_host_ipv6_key
= dns_resource_key_unref(m
->mdns_host_ipv6_key
);
1267 HASHMAP_FOREACH(l
, m
->links
)
1268 link_add_rrs(l
, true);
1270 if (m
->mdns_support
== RESOLVE_SUPPORT_YES
)
1271 HASHMAP_FOREACH(s
, m
->dnssd_services
)
1272 if (dnssd_update_rrs(s
) < 0)
1273 log_warning("Failed to refresh DNS-SD service '%s'", s
->name
);
1275 HASHMAP_FOREACH(l
, m
->links
)
1276 link_add_rrs(l
, false);
1279 static int manager_next_random_name(const char *old
, char **ret_new
) {
1288 if (!ascii_isdigit(p
[-1]))
1294 if (*p
== 0 || safe_atou64(p
, &u
) < 0 || u
<= 0)
1297 /* Add a random number to the old value. This way we can avoid
1298 * that two hosts pick the same hostname, win on IPv4 and lose
1299 * on IPv6 (or vice versa), and pick the same hostname
1300 * replacement hostname, ad infinitum. We still want the
1301 * numbers to go up monotonically, hence we just add a random
1304 random_bytes(&a
, sizeof(a
));
1307 if (asprintf(&n
, "%.*s%" PRIu64
, (int) (p
- old
), old
, u
) < 0)
1315 int manager_next_hostname(Manager
*m
) {
1316 _cleanup_free_
char *h
= NULL
, *k
= NULL
;
1321 r
= manager_next_random_name(m
->llmnr_hostname
, &h
);
1325 r
= dns_name_concat(h
, "local", 0, &k
);
1329 log_info("Hostname conflict, changing published hostname from '%s' to '%s'.", m
->llmnr_hostname
, h
);
1331 free_and_replace(m
->llmnr_hostname
, h
);
1332 free_and_replace(m
->mdns_hostname
, k
);
1334 manager_refresh_rrs(m
);
1335 (void) manager_send_changed(m
, "LLMNRHostname");
1340 LinkAddress
* manager_find_link_address(Manager
*m
, int family
, const union in_addr_union
*in_addr
) {
1345 if (!IN_SET(family
, AF_INET
, AF_INET6
))
1351 HASHMAP_FOREACH(l
, m
->links
) {
1354 a
= link_find_address(l
, family
, in_addr
);
1362 bool manager_packet_from_local_address(Manager
*m
, DnsPacket
*p
) {
1366 /* Let's see if this packet comes from an IP address we have on any local interface */
1368 return !!manager_find_link_address(m
, p
->family
, &p
->sender
);
1371 bool manager_packet_from_our_transaction(Manager
*m
, DnsPacket
*p
) {
1377 /* Let's see if we have a transaction with a query message with the exact same binary contents as the
1378 * one we just got. If so, it's almost definitely a packet loop of some kind. */
1380 t
= hashmap_get(m
->dns_transactions
, UINT_TO_PTR(DNS_PACKET_ID(p
)));
1384 return t
->sent
&& dns_packet_equal(t
->sent
, p
);
1387 DnsScope
* manager_find_scope(Manager
*m
, DnsPacket
*p
) {
1393 l
= hashmap_get(m
->links
, INT_TO_PTR(p
->ifindex
));
1397 switch (p
->protocol
) {
1398 case DNS_PROTOCOL_LLMNR
:
1399 if (p
->family
== AF_INET
)
1400 return l
->llmnr_ipv4_scope
;
1401 else if (p
->family
== AF_INET6
)
1402 return l
->llmnr_ipv6_scope
;
1406 case DNS_PROTOCOL_MDNS
:
1407 if (p
->family
== AF_INET
)
1408 return l
->mdns_ipv4_scope
;
1409 else if (p
->family
== AF_INET6
)
1410 return l
->mdns_ipv6_scope
;
1421 void manager_verify_all(Manager
*m
) {
1424 LIST_FOREACH(scopes
, s
, m
->dns_scopes
)
1425 dns_zone_verify_all(&s
->zone
);
1428 int manager_is_own_hostname(Manager
*m
, const char *name
) {
1434 if (m
->llmnr_hostname
) {
1435 r
= dns_name_equal(name
, m
->llmnr_hostname
);
1440 if (m
->mdns_hostname
) {
1441 r
= dns_name_equal(name
, m
->mdns_hostname
);
1446 if (m
->full_hostname
)
1447 return dns_name_equal(name
, m
->full_hostname
);
1452 int manager_compile_dns_servers(Manager
*m
, OrderedSet
**dns
) {
1459 r
= ordered_set_ensure_allocated(dns
, &dns_server_hash_ops
);
1463 /* First add the system-wide servers and domains */
1464 LIST_FOREACH(servers
, s
, m
->dns_servers
) {
1465 r
= ordered_set_put(*dns
, s
);
1472 /* Then, add the per-link servers */
1473 HASHMAP_FOREACH(l
, m
->links
) {
1474 LIST_FOREACH(servers
, s
, l
->dns_servers
) {
1475 r
= ordered_set_put(*dns
, s
);
1483 /* If we found nothing, add the fallback servers */
1484 if (ordered_set_isempty(*dns
)) {
1485 LIST_FOREACH(servers
, s
, m
->fallback_dns_servers
) {
1486 r
= ordered_set_put(*dns
, s
);
1497 /* filter_route is a tri-state:
1499 * = 0 or false: return only domains which should be used for searching
1500 * > 0 or true: return only domains which are for routing only
1502 int manager_compile_search_domains(Manager
*m
, OrderedSet
**domains
, int filter_route
) {
1509 r
= ordered_set_ensure_allocated(domains
, &dns_name_hash_ops
);
1513 LIST_FOREACH(domains
, d
, m
->search_domains
) {
1515 if (filter_route
>= 0 &&
1516 d
->route_only
!= !!filter_route
)
1519 r
= ordered_set_put(*domains
, d
->name
);
1526 HASHMAP_FOREACH(l
, m
->links
) {
1528 LIST_FOREACH(domains
, d
, l
->search_domains
) {
1530 if (filter_route
>= 0 &&
1531 d
->route_only
!= !!filter_route
)
1534 r
= ordered_set_put(*domains
, d
->name
);
1545 DnssecMode
manager_get_dnssec_mode(Manager
*m
) {
1548 if (m
->dnssec_mode
!= _DNSSEC_MODE_INVALID
)
1549 return m
->dnssec_mode
;
1554 bool manager_dnssec_supported(Manager
*m
) {
1560 if (manager_get_dnssec_mode(m
) == DNSSEC_NO
)
1563 server
= manager_get_dns_server(m
);
1564 if (server
&& !dns_server_dnssec_supported(server
))
1567 HASHMAP_FOREACH(l
, m
->links
)
1568 if (!link_dnssec_supported(l
))
1574 DnsOverTlsMode
manager_get_dns_over_tls_mode(Manager
*m
) {
1577 if (m
->dns_over_tls_mode
!= _DNS_OVER_TLS_MODE_INVALID
)
1578 return m
->dns_over_tls_mode
;
1580 return DNS_OVER_TLS_NO
;
1583 void manager_dnssec_verdict(Manager
*m
, DnssecVerdict verdict
, const DnsResourceKey
*key
) {
1585 assert(verdict
>= 0);
1586 assert(verdict
< _DNSSEC_VERDICT_MAX
);
1588 if (DEBUG_LOGGING
) {
1589 char s
[DNS_RESOURCE_KEY_STRING_MAX
];
1591 log_debug("Found verdict for lookup %s: %s",
1592 dns_resource_key_to_string(key
, s
, sizeof s
),
1593 dnssec_verdict_to_string(verdict
));
1596 m
->n_dnssec_verdict
[verdict
]++;
1599 bool manager_routable(Manager
*m
) {
1604 /* Returns true if the host has at least one interface with a routable address (regardless if IPv4 or IPv6) */
1606 HASHMAP_FOREACH(l
, m
->links
)
1607 if (link_relevant(l
, AF_UNSPEC
, false))
1613 void manager_flush_caches(Manager
*m
, int log_level
) {
1616 LIST_FOREACH(scopes
, scope
, m
->dns_scopes
)
1617 dns_cache_flush(&scope
->cache
);
1619 log_full(log_level
, "Flushed all caches.");
1622 void manager_reset_server_features(Manager
*m
) {
1625 dns_server_reset_features_all(m
->dns_servers
);
1626 dns_server_reset_features_all(m
->fallback_dns_servers
);
1628 HASHMAP_FOREACH(l
, m
->links
)
1629 dns_server_reset_features_all(l
->dns_servers
);
1631 log_info("Resetting learnt feature levels on all servers.");
1634 void manager_cleanup_saved_user(Manager
*m
) {
1635 _cleanup_closedir_
DIR *d
= NULL
;
1639 /* Clean up all saved per-link files in /run/systemd/resolve/netif/ that don't have a matching interface
1640 * anymore. These files are created to persist settings pushed in by the user via the bus, so that resolved can
1641 * be restarted without losing this data. */
1643 d
= opendir("/run/systemd/resolve/netif/");
1645 if (errno
== ENOENT
)
1648 log_warning_errno(errno
, "Failed to open interface directory: %m");
1652 FOREACH_DIRENT_ALL(de
, d
, log_error_errno(errno
, "Failed to read interface directory: %m")) {
1653 _cleanup_free_
char *p
= NULL
;
1657 if (!IN_SET(de
->d_type
, DT_UNKNOWN
, DT_REG
))
1660 if (dot_or_dot_dot(de
->d_name
))
1663 ifindex
= parse_ifindex(de
->d_name
);
1664 if (ifindex
< 0) /* Probably some temporary file from a previous run. Delete it */
1667 l
= hashmap_get(m
->links
, INT_TO_PTR(ifindex
));
1668 if (!l
) /* link vanished */
1671 if (l
->is_managed
) /* now managed by networkd, hence the bus settings are useless */
1677 p
= path_join("/run/systemd/resolve/netif", de
->d_name
);
1687 bool manager_next_dnssd_names(Manager
*m
) {
1694 HASHMAP_FOREACH(s
, m
->dnssd_services
) {
1695 _cleanup_free_
char * new_name
= NULL
;
1700 r
= manager_next_random_name(s
->name_template
, &new_name
);
1702 log_warning_errno(r
, "Failed to get new name for service '%s': %m", s
->name
);
1706 free_and_replace(s
->name_template
, new_name
);
1708 s
->withdrawn
= false;
1714 manager_refresh_rrs(m
);
1719 bool manager_server_is_stub(Manager
*m
, DnsServer
*s
) {
1720 DnsStubListenerExtra
*l
;
1725 /* Safety check: we generally already skip the main stub when parsing configuration. But let's be
1726 * extra careful, and check here again */
1727 if (s
->family
== AF_INET
&&
1728 s
->address
.in
.s_addr
== htobe32(INADDR_DNS_STUB
) &&
1729 dns_server_port(s
) == 53)
1732 /* Main reason to call this is to check server data against the extra listeners, and filter things
1734 ORDERED_SET_FOREACH(l
, m
->dns_extra_stub_listeners
)
1735 if (s
->family
== l
->family
&&
1736 in_addr_equal(s
->family
, &s
->address
, &l
->address
) &&
1737 dns_server_port(s
) == dns_stub_listener_extra_port(l
))
1743 int socket_disable_pmtud(int fd
, int af
) {
1748 if (af
== AF_UNSPEC
) {
1749 af
= socket_get_family(fd
);
1757 /* Turn off path MTU discovery, let's rather fragment on the way than to open us up against
1758 * PMTU forgery vulnerabilities.
1760 * There appears to be no documentation about IP_PMTUDISC_OMIT, but it has the effect that
1761 * the "Don't Fragment" bit in the IPv4 header is turned off, thus enforcing fragmentation if
1762 * our datagram size exceeds the MTU of a router in the path, and turning off path MTU
1765 * This helps mitigating the PMTUD vulnerability described here:
1767 * https://blog.apnic.net/2019/07/12/its-time-to-consider-avoiding-ip-fragmentation-in-the-dns/
1769 * Similar logic is in place in most DNS servers.
1771 * There are multiple conflicting goals: we want to allow the largest datagrams possible (for
1772 * efficiency reasons), but not have fragmentation (for security reasons), nor use PMTUD (for
1773 * security reasons, too). Our strategy to deal with this is: use large packets, turn off
1774 * PMTUD, but watch fragmentation taking place, and then size our packets to the max of the
1775 * fragments seen — and if we need larger packets always go to TCP.
1778 r
= setsockopt_int(fd
, IPPROTO_IP
, IP_MTU_DISCOVER
, IP_PMTUDISC_OMIT
);
1786 /* On IPv6 fragmentation only is done by the sender — never by routers on the path. PMTUD is
1787 * mandatory. If we want to turn off PMTUD, the only way is by sending with minimal MTU only,
1788 * so that we apply maximum fragmentation locally already, and thus PMTUD doesn't happen
1789 * because there's nothing that could be fragmented further anymore. */
1791 r
= setsockopt_int(fd
, IPPROTO_IPV6
, IPV6_MTU
, IPV6_MIN_MTU
);
1799 return -EAFNOSUPPORT
;