projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
| b30bf55d | 2 | |
| 4ff9bc2e | 3 | #include "errno-util.h" |
| b30bf55d | 4 | #include "fd-util.h" |
| ef118d00 | 5 | #include "missing_network.h" |
| b30bf55d LP |
6 | #include "resolved-dns-stub.h" |
| 7 | #include "socket-util.h" | |
| 8 | ||
| 9 | /* The MTU of the loopback device is 64K on Linux, advertise that as maximum datagram size, but subtract the Ethernet, | |
| 10 | * IP and UDP header sizes */ | |
| 11 | #define ADVERTISE_DATAGRAM_SIZE_MAX (65536U-14U-20U-8U) | |
| 12 | ||
| 424e490b ZJS |
13 | static int manager_dns_stub_udp_fd(Manager *m); |
| 14 | static int manager_dns_stub_tcp_fd(Manager *m); | |
| 15 | ||
| b30bf55d | 16 | static int dns_stub_make_reply_packet( |
| e8d23f92 | 17 | DnsPacket **p, |
| 51027656 | 18 | size_t max_size, |
| b30bf55d | 19 | DnsQuestion *q, |
| 51027656 LP |
20 | DnsAnswer *answer, |
| 21 | bool *ret_truncated) { | |
| b30bf55d | 22 | |
| 51027656 | 23 | bool truncated = false; |
| b30bf55d LP |
24 | DnsResourceRecord *rr; |
| 25 | unsigned c = 0; | |
| 26 | int r; | |
| 27 | ||
| e8d23f92 LP |
28 | assert(p); |
| 29 | ||
| b30bf55d LP |
30 | /* Note that we don't bother with any additional RRs, as this is stub is for local lookups only, and hence |
| 31 | * roundtrips aren't expensive. */ | |
| 32 | ||
| e8d23f92 | 33 | if (!*p) { |
| 51027656 | 34 | r = dns_packet_new(p, DNS_PROTOCOL_DNS, 0, max_size); |
| e8d23f92 LP |
35 | if (r < 0) |
| 36 | return r; | |
| b30bf55d | 37 | |
| e8d23f92 LP |
38 | r = dns_packet_append_question(*p, q); |
| 39 | if (r < 0) | |
| 40 | return r; | |
| b30bf55d | 41 | |
| e8d23f92 LP |
42 | DNS_PACKET_HEADER(*p)->qdcount = htobe16(dns_question_size(q)); |
| 43 | } | |
| b30bf55d LP |
44 | |
| 45 | DNS_ANSWER_FOREACH(rr, answer) { | |
| e8d23f92 | 46 | |
| b30bf55d LP |
47 | r = dns_question_matches_rr(q, rr, NULL); |
| 48 | if (r < 0) | |
| 49 | return r; | |
| 50 | if (r > 0) | |
| 51 | goto add; | |
| 52 | ||
| 53 | r = dns_question_matches_cname_or_dname(q, rr, NULL); | |
| 54 | if (r < 0) | |
| 55 | return r; | |
| 56 | if (r > 0) | |
| 57 | goto add; | |
| 58 | ||
| 59 | continue; | |
| 60 | add: | |
| 01c901e2 | 61 | r = dns_packet_append_rr(*p, rr, 0, NULL, NULL); |
| 51027656 LP |
62 | if (r == -EMSGSIZE) { |
| 63 | truncated = true; | |
| 64 | break; | |
| 65 | } | |
| b30bf55d LP |
66 | if (r < 0) |
| 67 | return r; | |
| 68 | ||
| 69 | c++; | |
| 70 | } | |
| e8d23f92 | 71 | |
| 51027656 LP |
72 | if (ret_truncated) |
| 73 | *ret_truncated = truncated; | |
| 74 | else if (truncated) | |
| 75 | return -EMSGSIZE; | |
| 76 | ||
| e8d23f92 LP |
77 | DNS_PACKET_HEADER(*p)->ancount = htobe16(be16toh(DNS_PACKET_HEADER(*p)->ancount) + c); |
| 78 | ||
| 79 | return 0; | |
| 80 | } | |
| 81 | ||
| 82 | static int dns_stub_finish_reply_packet( | |
| 83 | DnsPacket *p, | |
| 84 | uint16_t id, | |
| 85 | int rcode, | |
| 51027656 | 86 | bool tc, /* set the Truncated bit? */ |
| e8d23f92 LP |
87 | bool add_opt, /* add an OPT RR to this packet? */ |
| 88 | bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */ | |
| 89 | bool ad) { /* set the DNSSEC authenticated data bit? */ | |
| 90 | ||
| 91 | int r; | |
| 92 | ||
| 93 | assert(p); | |
| 94 | ||
| ff4caaae LP |
95 | if (add_opt) { |
| 96 | r = dns_packet_append_opt(p, ADVERTISE_DATAGRAM_SIZE_MAX, edns0_do, rcode, NULL); | |
| 97 | if (r == -EMSGSIZE) /* Hit the size limit? then indicate truncation */ | |
| 98 | tc = true; | |
| 99 | else if (r < 0) | |
| 100 | return r; | |
| 101 | ||
| 102 | } else { | |
| 941dd294 LP |
103 | /* If the client can't to EDNS0, don't do DO either */ |
| 104 | edns0_do = false; | |
| 105 | ||
| 106 | /* If the client didn't do EDNS, clamp the rcode to 4 bit */ | |
| 107 | if (rcode > 0xF) | |
| 108 | rcode = DNS_RCODE_SERVFAIL; | |
| 109 | } | |
| 110 | ||
| 111 | /* Don't set the AD bit unless DO is on, too */ | |
| 112 | if (!edns0_do) | |
| 113 | ad = false; | |
| e8d23f92 LP |
114 | |
| 115 | DNS_PACKET_HEADER(p)->id = id; | |
| 116 | ||
| 117 | DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS( | |
| 51027656 LP |
118 | 1 /* qr */, |
| 119 | 0 /* opcode */, | |
| 120 | 0 /* aa */, | |
| 121 | tc /* tc */, | |
| 122 | 1 /* rd */, | |
| 123 | 1 /* ra */, | |
| e8d23f92 | 124 | ad /* ad */, |
| 51027656 | 125 | 0 /* cd */, |
| e8d23f92 | 126 | rcode)); |
| b30bf55d | 127 | |
| b30bf55d LP |
128 | return 0; |
| 129 | } | |
| 130 | ||
| b30bf55d LP |
131 | static int dns_stub_send(Manager *m, DnsStream *s, DnsPacket *p, DnsPacket *reply) { |
| 132 | int r; | |
| 133 | ||
| 134 | assert(m); | |
| 135 | assert(p); | |
| 136 | assert(reply); | |
| 137 | ||
| 138 | if (s) | |
| 139 | r = dns_stream_write_packet(s, reply); | |
| 140 | else { | |
| 141 | int fd; | |
| 142 | ||
| b30bf55d LP |
143 | fd = manager_dns_stub_udp_fd(m); |
| 144 | if (fd < 0) | |
| 145 | return log_debug_errno(fd, "Failed to get reply socket: %m"); | |
| 146 | ||
| 147 | /* Note that it is essential here that we explicitly choose the source IP address for this packet. This | |
| 148 | * is because otherwise the kernel will choose it automatically based on the routing table and will | |
| 149 | * thus pick 127.0.0.1 rather than 127.0.0.53. */ | |
| 150 | ||
| 151 | r = manager_send(m, fd, LOOPBACK_IFINDEX, p->family, &p->sender, p->sender_port, &p->destination, reply); | |
| 152 | } | |
| 153 | if (r < 0) | |
| 154 | return log_debug_errno(r, "Failed to send reply packet: %m"); | |
| 155 | ||
| 156 | return 0; | |
| 157 | } | |
| 158 | ||
| 2b2d98c1 | 159 | static int dns_stub_send_failure(Manager *m, DnsStream *s, DnsPacket *p, int rcode, bool authenticated) { |
| b30bf55d LP |
160 | _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; |
| 161 | int r; | |
| 162 | ||
| 163 | assert(m); | |
| 164 | assert(p); | |
| 165 | ||
| 51027656 | 166 | r = dns_stub_make_reply_packet(&reply, DNS_PACKET_PAYLOAD_SIZE_MAX(p), p->question, NULL, NULL); |
| e8d23f92 LP |
167 | if (r < 0) |
| 168 | return log_debug_errno(r, "Failed to make failure packet: %m"); | |
| 169 | ||
| 51027656 | 170 | r = dns_stub_finish_reply_packet(reply, DNS_PACKET_ID(p), rcode, false, !!p->opt, DNS_PACKET_DO(p), authenticated); |
| b30bf55d LP |
171 | if (r < 0) |
| 172 | return log_debug_errno(r, "Failed to build failure packet: %m"); | |
| 173 | ||
| 174 | return dns_stub_send(m, s, p, reply); | |
| 175 | } | |
| 176 | ||
| 177 | static void dns_stub_query_complete(DnsQuery *q) { | |
| 178 | int r; | |
| 179 | ||
| 180 | assert(q); | |
| 181 | assert(q->request_dns_packet); | |
| 182 | ||
| 183 | switch (q->state) { | |
| 184 | ||
| 51027656 LP |
185 | case DNS_TRANSACTION_SUCCESS: { |
| 186 | bool truncated; | |
| e8d23f92 | 187 | |
| 51027656 | 188 | r = dns_stub_make_reply_packet(&q->reply_dns_packet, DNS_PACKET_PAYLOAD_SIZE_MAX(q->request_dns_packet), q->question_idna, q->answer, &truncated); |
| e8d23f92 LP |
189 | if (r < 0) { |
| 190 | log_debug_errno(r, "Failed to build reply packet: %m"); | |
| 191 | break; | |
| 192 | } | |
| b30bf55d | 193 | |
| aa11cab9 LP |
194 | if (!truncated) { |
| 195 | r = dns_query_process_cname(q); | |
| 196 | if (r == -ELOOP) { | |
| 197 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL, false); | |
| 198 | break; | |
| 199 | } | |
| 200 | if (r < 0) { | |
| 201 | log_debug_errno(r, "Failed to process CNAME: %m"); | |
| 202 | break; | |
| 203 | } | |
| 204 | if (r == DNS_QUERY_RESTARTED) | |
| 205 | return; | |
| e8d23f92 | 206 | } |
| e8d23f92 LP |
207 | |
| 208 | r = dns_stub_finish_reply_packet( | |
| 209 | q->reply_dns_packet, | |
| b30bf55d LP |
210 | DNS_PACKET_ID(q->request_dns_packet), |
| 211 | q->answer_rcode, | |
| 51027656 | 212 | truncated, |
| b30bf55d LP |
213 | !!q->request_dns_packet->opt, |
| 214 | DNS_PACKET_DO(q->request_dns_packet), | |
| 941dd294 | 215 | dns_query_fully_authenticated(q)); |
| b30bf55d | 216 | if (r < 0) { |
| e8d23f92 | 217 | log_debug_errno(r, "Failed to finish reply packet: %m"); |
| b30bf55d LP |
218 | break; |
| 219 | } | |
| 220 | ||
| e8d23f92 | 221 | (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, q->reply_dns_packet); |
| b30bf55d | 222 | break; |
| 51027656 | 223 | } |
| b30bf55d LP |
224 | |
| 225 | case DNS_TRANSACTION_RCODE_FAILURE: | |
| 2b2d98c1 | 226 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, q->answer_rcode, dns_query_fully_authenticated(q)); |
| b30bf55d LP |
227 | break; |
| 228 | ||
| 229 | case DNS_TRANSACTION_NOT_FOUND: | |
| 2b2d98c1 | 230 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_NXDOMAIN, dns_query_fully_authenticated(q)); |
| b30bf55d LP |
231 | break; |
| 232 | ||
| 233 | case DNS_TRANSACTION_TIMEOUT: | |
| 234 | case DNS_TRANSACTION_ATTEMPTS_MAX_REACHED: | |
| 235 | /* Propagate a timeout as a no packet, i.e. that the client also gets a timeout */ | |
| 236 | break; | |
| 237 | ||
| 238 | case DNS_TRANSACTION_NO_SERVERS: | |
| 239 | case DNS_TRANSACTION_INVALID_REPLY: | |
| 240 | case DNS_TRANSACTION_ERRNO: | |
| 241 | case DNS_TRANSACTION_ABORTED: | |
| 242 | case DNS_TRANSACTION_DNSSEC_FAILED: | |
| 243 | case DNS_TRANSACTION_NO_TRUST_ANCHOR: | |
| 244 | case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED: | |
| 245 | case DNS_TRANSACTION_NETWORK_DOWN: | |
| 2b2d98c1 | 246 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL, false); |
| b30bf55d LP |
247 | break; |
| 248 | ||
| 249 | case DNS_TRANSACTION_NULL: | |
| 250 | case DNS_TRANSACTION_PENDING: | |
| 251 | case DNS_TRANSACTION_VALIDATING: | |
| 252 | default: | |
| 253 | assert_not_reached("Impossible state"); | |
| 254 | } | |
| 255 | ||
| b30bf55d LP |
256 | dns_query_free(q); |
| 257 | } | |
| 258 | ||
| 259 | static int dns_stub_stream_complete(DnsStream *s, int error) { | |
| 260 | assert(s); | |
| 261 | ||
| b412af57 LP |
262 | log_debug_errno(error, "DNS TCP connection terminated, destroying queries: %m"); |
| 263 | ||
| 264 | for (;;) { | |
| 265 | DnsQuery *q; | |
| 266 | ||
| 267 | q = set_first(s->queries); | |
| 268 | if (!q) | |
| 269 | break; | |
| b30bf55d | 270 | |
| b412af57 LP |
271 | dns_query_free(q); |
| 272 | } | |
| b30bf55d | 273 | |
| b412af57 LP |
274 | /* This drops the implicit ref we keep around since it was allocated, as incoming stub connections |
| 275 | * should be kept as long as the client wants to. */ | |
| 276 | dns_stream_unref(s); | |
| b30bf55d LP |
277 | return 0; |
| 278 | } | |
| 279 | ||
| 280 | static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { | |
| ceb17827 | 281 | _cleanup_(dns_query_freep) DnsQuery *q = NULL; |
| b30bf55d LP |
282 | int r; |
| 283 | ||
| 284 | assert(m); | |
| 285 | assert(p); | |
| 286 | assert(p->protocol == DNS_PROTOCOL_DNS); | |
| 287 | ||
| b30bf55d LP |
288 | if (in_addr_is_localhost(p->family, &p->sender) <= 0 || |
| 289 | in_addr_is_localhost(p->family, &p->destination) <= 0) { | |
| 290 | log_error("Got packet on unexpected IP range, refusing."); | |
| 2b2d98c1 | 291 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
| ceb17827 | 292 | return; |
| b30bf55d LP |
293 | } |
| 294 | ||
| 295 | r = dns_packet_extract(p); | |
| 296 | if (r < 0) { | |
| 297 | log_debug_errno(r, "Failed to extract resources from incoming packet, ignoring packet: %m"); | |
| 2b2d98c1 | 298 | dns_stub_send_failure(m, s, p, DNS_RCODE_FORMERR, false); |
| ceb17827 | 299 | return; |
| b30bf55d LP |
300 | } |
| 301 | ||
| 302 | if (!DNS_PACKET_VERSION_SUPPORTED(p)) { | |
| 303 | log_debug("Got EDNS OPT field with unsupported version number."); | |
| 2b2d98c1 | 304 | dns_stub_send_failure(m, s, p, DNS_RCODE_BADVERS, false); |
| ceb17827 | 305 | return; |
| b30bf55d LP |
306 | } |
| 307 | ||
| 308 | if (dns_type_is_obsolete(p->question->keys[0]->type)) { | |
| 309 | log_debug("Got message with obsolete key type, refusing."); | |
| 2b2d98c1 | 310 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
| ceb17827 | 311 | return; |
| b30bf55d LP |
312 | } |
| 313 | ||
| 314 | if (dns_type_is_zone_transer(p->question->keys[0]->type)) { | |
| 315 | log_debug("Got request for zone transfer, refusing."); | |
| 2b2d98c1 | 316 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
| ceb17827 | 317 | return; |
| b30bf55d LP |
318 | } |
| 319 | ||
| 320 | if (!DNS_PACKET_RD(p)) { | |
| 321 | /* If the "rd" bit is off (i.e. recursion was not requested), then refuse operation */ | |
| 322 | log_debug("Got request with recursion disabled, refusing."); | |
| 2b2d98c1 | 323 | dns_stub_send_failure(m, s, p, DNS_RCODE_REFUSED, false); |
| ceb17827 | 324 | return; |
| b30bf55d LP |
325 | } |
| 326 | ||
| 327 | if (DNS_PACKET_DO(p) && DNS_PACKET_CD(p)) { | |
| 328 | log_debug("Got request with DNSSEC CD bit set, refusing."); | |
| 2b2d98c1 | 329 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
| ceb17827 | 330 | return; |
| b30bf55d LP |
331 | } |
| 332 | ||
| e8d23f92 | 333 | r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH); |
| b30bf55d LP |
334 | if (r < 0) { |
| 335 | log_error_errno(r, "Failed to generate query object: %m"); | |
| 2b2d98c1 | 336 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
| ceb17827 | 337 | return; |
| b30bf55d LP |
338 | } |
| 339 | ||
| 340 | /* Request that the TTL is corrected by the cached time for this lookup, so that we return vaguely useful TTLs */ | |
| 341 | q->clamp_ttl = true; | |
| 342 | ||
| 343 | q->request_dns_packet = dns_packet_ref(p); | |
| 344 | q->request_dns_stream = dns_stream_ref(s); /* make sure the stream stays around until we can send a reply through it */ | |
| 345 | q->complete = dns_stub_query_complete; | |
| 346 | ||
| 347 | if (s) { | |
| b412af57 LP |
348 | /* Remember which queries belong to this stream, so that we can cancel them when the stream |
| 349 | * is disconnected early */ | |
| 350 | ||
| ceb17827 | 351 | r = set_ensure_put(&s->queries, NULL, q); |
| b412af57 LP |
352 | if (r < 0) { |
| 353 | log_oom(); | |
| ceb17827 | 354 | return; |
| b412af57 | 355 | } |
| ceb17827 | 356 | assert(r > 0); |
| b30bf55d LP |
357 | } |
| 358 | ||
| 359 | r = dns_query_go(q); | |
| 360 | if (r < 0) { | |
| 361 | log_error_errno(r, "Failed to start query: %m"); | |
| 2b2d98c1 | 362 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
| ceb17827 | 363 | return; |
| b30bf55d LP |
364 | } |
| 365 | ||
| 52e63427 | 366 | log_debug("Processing query..."); |
| ceb17827 | 367 | TAKE_PTR(q); |
| b30bf55d LP |
368 | } |
| 369 | ||
| 370 | static int on_dns_stub_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) { | |
| 371 | _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; | |
| 372 | Manager *m = userdata; | |
| 373 | int r; | |
| 374 | ||
| 375 | r = manager_recv(m, fd, DNS_PROTOCOL_DNS, &p); | |
| 376 | if (r <= 0) | |
| 377 | return r; | |
| 378 | ||
| 379 | if (dns_packet_validate_query(p) > 0) { | |
| 380 | log_debug("Got DNS stub UDP query packet for id %u", DNS_PACKET_ID(p)); | |
| 381 | ||
| 382 | dns_stub_process_query(m, NULL, p); | |
| 383 | } else | |
| 384 | log_debug("Invalid DNS stub UDP packet, ignoring."); | |
| 385 | ||
| 386 | return 0; | |
| 387 | } | |
| 388 | ||
| 424e490b | 389 | static int manager_dns_stub_udp_fd(Manager *m) { |
| b30bf55d LP |
390 | union sockaddr_union sa = { |
| 391 | .in.sin_family = AF_INET, | |
| 392 | .in.sin_port = htobe16(53), | |
| 393 | .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), | |
| 394 | }; | |
| 424e490b | 395 | _cleanup_close_ int fd = -1; |
| b30bf55d LP |
396 | int r; |
| 397 | ||
| 398 | if (m->dns_stub_udp_fd >= 0) | |
| 399 | return m->dns_stub_udp_fd; | |
| 400 | ||
| 424e490b ZJS |
401 | fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); |
| 402 | if (fd < 0) | |
| b30bf55d LP |
403 | return -errno; |
| 404 | ||
| 2ff48e98 LP |
405 | r = setsockopt_int(fd, SOL_SOCKET, SO_REUSEADDR, true); |
| 406 | if (r < 0) | |
| 407 | return r; | |
| b30bf55d | 408 | |
| 2ff48e98 LP |
409 | r = setsockopt_int(fd, IPPROTO_IP, IP_PKTINFO, true); |
| 410 | if (r < 0) | |
| 411 | return r; | |
| b30bf55d | 412 | |
| 2ff48e98 LP |
413 | r = setsockopt_int(fd, IPPROTO_IP, IP_RECVTTL, true); |
| 414 | if (r < 0) | |
| 415 | return r; | |
| b30bf55d LP |
416 | |
| 417 | /* Make sure no traffic from outside the local host can leak to onto this socket */ | |
| 953a02d1 LP |
418 | r = socket_bind_to_ifindex(fd, LOOPBACK_IFINDEX); |
| 419 | if (r < 0) | |
| 420 | return r; | |
| b30bf55d | 421 | |
| 424e490b ZJS |
422 | if (bind(fd, &sa.sa, sizeof(sa.in)) < 0) |
| 423 | return -errno; | |
| b30bf55d | 424 | |
| 424e490b | 425 | r = sd_event_add_io(m->event, &m->dns_stub_udp_event_source, fd, EPOLLIN, on_dns_stub_packet, m); |
| b30bf55d | 426 | if (r < 0) |
| 424e490b | 427 | return r; |
| b30bf55d LP |
428 | |
| 429 | (void) sd_event_source_set_description(m->dns_stub_udp_event_source, "dns-stub-udp"); | |
| 430 | ||
| c10d6bdb | 431 | return m->dns_stub_udp_fd = TAKE_FD(fd); |
| b30bf55d LP |
432 | } |
| 433 | ||
| 434 | static int on_dns_stub_stream_packet(DnsStream *s) { | |
| aa337a5e LP |
435 | _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; |
| 436 | ||
| b30bf55d | 437 | assert(s); |
| b30bf55d | 438 | |
| aa337a5e LP |
439 | p = dns_stream_take_read_packet(s); |
| 440 | assert(p); | |
| 441 | ||
| 442 | if (dns_packet_validate_query(p) > 0) { | |
| 443 | log_debug("Got DNS stub TCP query packet for id %u", DNS_PACKET_ID(p)); | |
| b30bf55d | 444 | |
| aa337a5e | 445 | dns_stub_process_query(s->manager, s, p); |
| b30bf55d LP |
446 | } else |
| 447 | log_debug("Invalid DNS stub TCP packet, ignoring."); | |
| 448 | ||
| b30bf55d LP |
449 | return 0; |
| 450 | } | |
| 451 | ||
| 452 | static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void *userdata) { | |
| 453 | DnsStream *stream; | |
| 454 | Manager *m = userdata; | |
| 455 | int cfd, r; | |
| 456 | ||
| 457 | cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK|SOCK_CLOEXEC); | |
| 458 | if (cfd < 0) { | |
| 4ff9bc2e | 459 | if (ERRNO_IS_ACCEPT_AGAIN(errno)) |
| b30bf55d LP |
460 | return 0; |
| 461 | ||
| 462 | return -errno; | |
| 463 | } | |
| 464 | ||
| 652ba568 | 465 | r = dns_stream_new(m, &stream, DNS_STREAM_STUB, DNS_PROTOCOL_DNS, cfd, NULL); |
| b30bf55d LP |
466 | if (r < 0) { |
| 467 | safe_close(cfd); | |
| 468 | return r; | |
| 469 | } | |
| 470 | ||
| 471 | stream->on_packet = on_dns_stub_stream_packet; | |
| b412af57 | 472 | stream->complete = dns_stub_stream_complete; |
| b30bf55d | 473 | |
| b412af57 | 474 | /* We let the reference to the stream dangle here, it will be dropped later by the complete callback. */ |
| b30bf55d LP |
475 | |
| 476 | return 0; | |
| 477 | } | |
| 478 | ||
| 424e490b | 479 | static int manager_dns_stub_tcp_fd(Manager *m) { |
| b30bf55d LP |
480 | union sockaddr_union sa = { |
| 481 | .in.sin_family = AF_INET, | |
| 482 | .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), | |
| 483 | .in.sin_port = htobe16(53), | |
| 484 | }; | |
| 424e490b | 485 | _cleanup_close_ int fd = -1; |
| b30bf55d LP |
486 | int r; |
| 487 | ||
| 488 | if (m->dns_stub_tcp_fd >= 0) | |
| 489 | return m->dns_stub_tcp_fd; | |
| 490 | ||
| 424e490b ZJS |
491 | fd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); |
| 492 | if (fd < 0) | |
| b30bf55d LP |
493 | return -errno; |
| 494 | ||
| 2ff48e98 LP |
495 | r = setsockopt_int(fd, IPPROTO_IP, IP_TTL, true); |
| 496 | if (r < 0) | |
| 497 | return r; | |
| b30bf55d | 498 | |
| 2ff48e98 LP |
499 | r = setsockopt_int(fd, SOL_SOCKET, SO_REUSEADDR, true); |
| 500 | if (r < 0) | |
| 501 | return r; | |
| b30bf55d | 502 | |
| 2ff48e98 LP |
503 | r = setsockopt_int(fd, IPPROTO_IP, IP_PKTINFO, true); |
| 504 | if (r < 0) | |
| 505 | return r; | |
| b30bf55d | 506 | |
| 2ff48e98 LP |
507 | r = setsockopt_int(fd, IPPROTO_IP, IP_RECVTTL, true); |
| 508 | if (r < 0) | |
| 509 | return r; | |
| b30bf55d LP |
510 | |
| 511 | /* Make sure no traffic from outside the local host can leak to onto this socket */ | |
| 953a02d1 LP |
512 | r = socket_bind_to_ifindex(fd, LOOPBACK_IFINDEX); |
| 513 | if (r < 0) | |
| 514 | return r; | |
| b30bf55d | 515 | |
| 424e490b ZJS |
516 | if (bind(fd, &sa.sa, sizeof(sa.in)) < 0) |
| 517 | return -errno; | |
| b30bf55d | 518 | |
| 424e490b ZJS |
519 | if (listen(fd, SOMAXCONN) < 0) |
| 520 | return -errno; | |
| b30bf55d | 521 | |
| 424e490b | 522 | r = sd_event_add_io(m->event, &m->dns_stub_tcp_event_source, fd, EPOLLIN, on_dns_stub_stream, m); |
| b30bf55d | 523 | if (r < 0) |
| 424e490b | 524 | return r; |
| b30bf55d LP |
525 | |
| 526 | (void) sd_event_source_set_description(m->dns_stub_tcp_event_source, "dns-stub-tcp"); | |
| 527 | ||
| c10d6bdb | 528 | return m->dns_stub_tcp_fd = TAKE_FD(fd); |
| b30bf55d LP |
529 | } |
| 530 | ||
| 531 | int manager_dns_stub_start(Manager *m) { | |
| 424e490b | 532 | const char *t = "UDP"; |
| 01b0669e | 533 | int r = 0; |
| b30bf55d LP |
534 | |
| 535 | assert(m); | |
| 536 | ||
| d5da7707 ZJS |
537 | if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO) |
| 538 | log_debug("Not creating stub listener."); | |
| 539 | else | |
| 540 | log_debug("Creating stub listener using %s.", | |
| 541 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_UDP ? "UDP" : | |
| 542 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_TCP ? "TCP" : | |
| 543 | "UDP/TCP"); | |
| 544 | ||
| 424e490b | 545 | if (IN_SET(m->dns_stub_listener_mode, DNS_STUB_LISTENER_YES, DNS_STUB_LISTENER_UDP)) |
| 1ae43295 | 546 | r = manager_dns_stub_udp_fd(m); |
| b30bf55d | 547 | |
| 424e490b ZJS |
548 | if (r >= 0 && |
| 549 | IN_SET(m->dns_stub_listener_mode, DNS_STUB_LISTENER_YES, DNS_STUB_LISTENER_TCP)) { | |
| 550 | t = "TCP"; | |
| 1ae43295 | 551 | r = manager_dns_stub_tcp_fd(m); |
| 1ae43295 | 552 | } |
| b30bf55d | 553 | |
| 0f4db364 ZJS |
554 | if (IN_SET(r, -EADDRINUSE, -EPERM)) { |
| 555 | if (r == -EADDRINUSE) | |
| 556 | log_warning_errno(r, | |
| 557 | "Another process is already listening on %s socket 127.0.0.53:53.\n" | |
| 558 | "Turning off local DNS stub support.", t); | |
| 559 | else | |
| 560 | log_warning_errno(r, | |
| 561 | "Failed to listen on %s socket 127.0.0.53:53: %m.\n" | |
| 562 | "Turning off local DNS stub support.", t); | |
| 424e490b ZJS |
563 | manager_dns_stub_stop(m); |
| 564 | } else if (r < 0) | |
| 565 | return log_error_errno(r, "Failed to listen on %s socket 127.0.0.53:53: %m", t); | |
| b30bf55d LP |
566 | |
| 567 | return 0; | |
| 568 | } | |
| 569 | ||
| 570 | void manager_dns_stub_stop(Manager *m) { | |
| 571 | assert(m); | |
| 572 | ||
| 573 | m->dns_stub_udp_event_source = sd_event_source_unref(m->dns_stub_udp_event_source); | |
| 574 | m->dns_stub_tcp_event_source = sd_event_source_unref(m->dns_stub_tcp_event_source); | |
| 575 | ||
| 576 | m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd); | |
| 577 | m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd); | |
| 578 | } |