]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
b30bf55d | 2 | |
4ff9bc2e | 3 | #include "errno-util.h" |
b30bf55d | 4 | #include "fd-util.h" |
ef118d00 | 5 | #include "missing_network.h" |
b30bf55d | 6 | #include "resolved-dns-stub.h" |
1f05101f | 7 | #include "socket-netlink.h" |
b30bf55d LP |
8 | #include "socket-util.h" |
9 | ||
10 | /* The MTU of the loopback device is 64K on Linux, advertise that as maximum datagram size, but subtract the Ethernet, | |
11 | * IP and UDP header sizes */ | |
12 | #define ADVERTISE_DATAGRAM_SIZE_MAX (65536U-14U-20U-8U) | |
13 | ||
424e490b ZJS |
14 | static int manager_dns_stub_udp_fd(Manager *m); |
15 | static int manager_dns_stub_tcp_fd(Manager *m); | |
16 | ||
1f05101f SS |
17 | int dns_stub_extra_new(DNSStubListenerExtra **ret) { |
18 | DNSStubListenerExtra *l; | |
19 | ||
20 | l = new(DNSStubListenerExtra, 1); | |
21 | if (!l) | |
22 | return -ENOMEM; | |
23 | ||
24 | *l = (DNSStubListenerExtra) { | |
25 | .fd = -1, | |
26 | }; | |
27 | ||
28 | *ret = TAKE_PTR(l); | |
29 | ||
30 | return 0; | |
31 | } | |
32 | ||
b30bf55d | 33 | static int dns_stub_make_reply_packet( |
e8d23f92 | 34 | DnsPacket **p, |
51027656 | 35 | size_t max_size, |
b30bf55d | 36 | DnsQuestion *q, |
51027656 LP |
37 | DnsAnswer *answer, |
38 | bool *ret_truncated) { | |
b30bf55d | 39 | |
51027656 | 40 | bool truncated = false; |
b30bf55d LP |
41 | DnsResourceRecord *rr; |
42 | unsigned c = 0; | |
43 | int r; | |
44 | ||
e8d23f92 LP |
45 | assert(p); |
46 | ||
b30bf55d LP |
47 | /* Note that we don't bother with any additional RRs, as this is stub is for local lookups only, and hence |
48 | * roundtrips aren't expensive. */ | |
49 | ||
e8d23f92 | 50 | if (!*p) { |
51027656 | 51 | r = dns_packet_new(p, DNS_PROTOCOL_DNS, 0, max_size); |
e8d23f92 LP |
52 | if (r < 0) |
53 | return r; | |
b30bf55d | 54 | |
e8d23f92 LP |
55 | r = dns_packet_append_question(*p, q); |
56 | if (r < 0) | |
57 | return r; | |
b30bf55d | 58 | |
e8d23f92 LP |
59 | DNS_PACKET_HEADER(*p)->qdcount = htobe16(dns_question_size(q)); |
60 | } | |
b30bf55d LP |
61 | |
62 | DNS_ANSWER_FOREACH(rr, answer) { | |
e8d23f92 | 63 | |
b30bf55d LP |
64 | r = dns_question_matches_rr(q, rr, NULL); |
65 | if (r < 0) | |
66 | return r; | |
67 | if (r > 0) | |
68 | goto add; | |
69 | ||
70 | r = dns_question_matches_cname_or_dname(q, rr, NULL); | |
71 | if (r < 0) | |
72 | return r; | |
73 | if (r > 0) | |
74 | goto add; | |
75 | ||
76 | continue; | |
77 | add: | |
01c901e2 | 78 | r = dns_packet_append_rr(*p, rr, 0, NULL, NULL); |
51027656 LP |
79 | if (r == -EMSGSIZE) { |
80 | truncated = true; | |
81 | break; | |
82 | } | |
b30bf55d LP |
83 | if (r < 0) |
84 | return r; | |
85 | ||
86 | c++; | |
87 | } | |
e8d23f92 | 88 | |
51027656 LP |
89 | if (ret_truncated) |
90 | *ret_truncated = truncated; | |
91 | else if (truncated) | |
92 | return -EMSGSIZE; | |
93 | ||
e8d23f92 LP |
94 | DNS_PACKET_HEADER(*p)->ancount = htobe16(be16toh(DNS_PACKET_HEADER(*p)->ancount) + c); |
95 | ||
96 | return 0; | |
97 | } | |
98 | ||
99 | static int dns_stub_finish_reply_packet( | |
100 | DnsPacket *p, | |
101 | uint16_t id, | |
102 | int rcode, | |
51027656 | 103 | bool tc, /* set the Truncated bit? */ |
e8d23f92 LP |
104 | bool add_opt, /* add an OPT RR to this packet? */ |
105 | bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */ | |
106 | bool ad) { /* set the DNSSEC authenticated data bit? */ | |
107 | ||
108 | int r; | |
109 | ||
110 | assert(p); | |
111 | ||
ff4caaae LP |
112 | if (add_opt) { |
113 | r = dns_packet_append_opt(p, ADVERTISE_DATAGRAM_SIZE_MAX, edns0_do, rcode, NULL); | |
114 | if (r == -EMSGSIZE) /* Hit the size limit? then indicate truncation */ | |
115 | tc = true; | |
116 | else if (r < 0) | |
117 | return r; | |
118 | ||
119 | } else { | |
941dd294 LP |
120 | /* If the client can't to EDNS0, don't do DO either */ |
121 | edns0_do = false; | |
122 | ||
123 | /* If the client didn't do EDNS, clamp the rcode to 4 bit */ | |
124 | if (rcode > 0xF) | |
125 | rcode = DNS_RCODE_SERVFAIL; | |
126 | } | |
127 | ||
128 | /* Don't set the AD bit unless DO is on, too */ | |
129 | if (!edns0_do) | |
130 | ad = false; | |
e8d23f92 LP |
131 | |
132 | DNS_PACKET_HEADER(p)->id = id; | |
133 | ||
134 | DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS( | |
51027656 LP |
135 | 1 /* qr */, |
136 | 0 /* opcode */, | |
137 | 0 /* aa */, | |
138 | tc /* tc */, | |
139 | 1 /* rd */, | |
140 | 1 /* ra */, | |
e8d23f92 | 141 | ad /* ad */, |
51027656 | 142 | 0 /* cd */, |
e8d23f92 | 143 | rcode)); |
b30bf55d | 144 | |
b30bf55d LP |
145 | return 0; |
146 | } | |
147 | ||
b30bf55d LP |
148 | static int dns_stub_send(Manager *m, DnsStream *s, DnsPacket *p, DnsPacket *reply) { |
149 | int r; | |
150 | ||
151 | assert(m); | |
152 | assert(p); | |
153 | assert(reply); | |
154 | ||
155 | if (s) | |
156 | r = dns_stream_write_packet(s, reply); | |
157 | else { | |
158 | int fd; | |
159 | ||
b30bf55d LP |
160 | fd = manager_dns_stub_udp_fd(m); |
161 | if (fd < 0) | |
162 | return log_debug_errno(fd, "Failed to get reply socket: %m"); | |
163 | ||
164 | /* Note that it is essential here that we explicitly choose the source IP address for this packet. This | |
165 | * is because otherwise the kernel will choose it automatically based on the routing table and will | |
166 | * thus pick 127.0.0.1 rather than 127.0.0.53. */ | |
167 | ||
168 | r = manager_send(m, fd, LOOPBACK_IFINDEX, p->family, &p->sender, p->sender_port, &p->destination, reply); | |
169 | } | |
170 | if (r < 0) | |
171 | return log_debug_errno(r, "Failed to send reply packet: %m"); | |
172 | ||
173 | return 0; | |
174 | } | |
175 | ||
2b2d98c1 | 176 | static int dns_stub_send_failure(Manager *m, DnsStream *s, DnsPacket *p, int rcode, bool authenticated) { |
b30bf55d LP |
177 | _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; |
178 | int r; | |
179 | ||
180 | assert(m); | |
181 | assert(p); | |
182 | ||
51027656 | 183 | r = dns_stub_make_reply_packet(&reply, DNS_PACKET_PAYLOAD_SIZE_MAX(p), p->question, NULL, NULL); |
e8d23f92 LP |
184 | if (r < 0) |
185 | return log_debug_errno(r, "Failed to make failure packet: %m"); | |
186 | ||
51027656 | 187 | r = dns_stub_finish_reply_packet(reply, DNS_PACKET_ID(p), rcode, false, !!p->opt, DNS_PACKET_DO(p), authenticated); |
b30bf55d LP |
188 | if (r < 0) |
189 | return log_debug_errno(r, "Failed to build failure packet: %m"); | |
190 | ||
191 | return dns_stub_send(m, s, p, reply); | |
192 | } | |
193 | ||
194 | static void dns_stub_query_complete(DnsQuery *q) { | |
195 | int r; | |
196 | ||
197 | assert(q); | |
198 | assert(q->request_dns_packet); | |
199 | ||
200 | switch (q->state) { | |
201 | ||
51027656 LP |
202 | case DNS_TRANSACTION_SUCCESS: { |
203 | bool truncated; | |
e8d23f92 | 204 | |
51027656 | 205 | r = dns_stub_make_reply_packet(&q->reply_dns_packet, DNS_PACKET_PAYLOAD_SIZE_MAX(q->request_dns_packet), q->question_idna, q->answer, &truncated); |
e8d23f92 LP |
206 | if (r < 0) { |
207 | log_debug_errno(r, "Failed to build reply packet: %m"); | |
208 | break; | |
209 | } | |
b30bf55d | 210 | |
aa11cab9 LP |
211 | if (!truncated) { |
212 | r = dns_query_process_cname(q); | |
213 | if (r == -ELOOP) { | |
214 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL, false); | |
215 | break; | |
216 | } | |
217 | if (r < 0) { | |
218 | log_debug_errno(r, "Failed to process CNAME: %m"); | |
219 | break; | |
220 | } | |
221 | if (r == DNS_QUERY_RESTARTED) | |
222 | return; | |
e8d23f92 | 223 | } |
e8d23f92 LP |
224 | |
225 | r = dns_stub_finish_reply_packet( | |
226 | q->reply_dns_packet, | |
b30bf55d LP |
227 | DNS_PACKET_ID(q->request_dns_packet), |
228 | q->answer_rcode, | |
51027656 | 229 | truncated, |
b30bf55d LP |
230 | !!q->request_dns_packet->opt, |
231 | DNS_PACKET_DO(q->request_dns_packet), | |
941dd294 | 232 | dns_query_fully_authenticated(q)); |
b30bf55d | 233 | if (r < 0) { |
e8d23f92 | 234 | log_debug_errno(r, "Failed to finish reply packet: %m"); |
b30bf55d LP |
235 | break; |
236 | } | |
237 | ||
e8d23f92 | 238 | (void) dns_stub_send(q->manager, q->request_dns_stream, q->request_dns_packet, q->reply_dns_packet); |
b30bf55d | 239 | break; |
51027656 | 240 | } |
b30bf55d LP |
241 | |
242 | case DNS_TRANSACTION_RCODE_FAILURE: | |
2b2d98c1 | 243 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, q->answer_rcode, dns_query_fully_authenticated(q)); |
b30bf55d LP |
244 | break; |
245 | ||
246 | case DNS_TRANSACTION_NOT_FOUND: | |
2b2d98c1 | 247 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_NXDOMAIN, dns_query_fully_authenticated(q)); |
b30bf55d LP |
248 | break; |
249 | ||
250 | case DNS_TRANSACTION_TIMEOUT: | |
251 | case DNS_TRANSACTION_ATTEMPTS_MAX_REACHED: | |
252 | /* Propagate a timeout as a no packet, i.e. that the client also gets a timeout */ | |
253 | break; | |
254 | ||
255 | case DNS_TRANSACTION_NO_SERVERS: | |
256 | case DNS_TRANSACTION_INVALID_REPLY: | |
257 | case DNS_TRANSACTION_ERRNO: | |
258 | case DNS_TRANSACTION_ABORTED: | |
259 | case DNS_TRANSACTION_DNSSEC_FAILED: | |
260 | case DNS_TRANSACTION_NO_TRUST_ANCHOR: | |
261 | case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED: | |
262 | case DNS_TRANSACTION_NETWORK_DOWN: | |
2b2d98c1 | 263 | (void) dns_stub_send_failure(q->manager, q->request_dns_stream, q->request_dns_packet, DNS_RCODE_SERVFAIL, false); |
b30bf55d LP |
264 | break; |
265 | ||
266 | case DNS_TRANSACTION_NULL: | |
267 | case DNS_TRANSACTION_PENDING: | |
268 | case DNS_TRANSACTION_VALIDATING: | |
269 | default: | |
270 | assert_not_reached("Impossible state"); | |
271 | } | |
272 | ||
b30bf55d LP |
273 | dns_query_free(q); |
274 | } | |
275 | ||
276 | static int dns_stub_stream_complete(DnsStream *s, int error) { | |
277 | assert(s); | |
278 | ||
b412af57 LP |
279 | log_debug_errno(error, "DNS TCP connection terminated, destroying queries: %m"); |
280 | ||
281 | for (;;) { | |
282 | DnsQuery *q; | |
283 | ||
284 | q = set_first(s->queries); | |
285 | if (!q) | |
286 | break; | |
b30bf55d | 287 | |
b412af57 LP |
288 | dns_query_free(q); |
289 | } | |
b30bf55d | 290 | |
b412af57 LP |
291 | /* This drops the implicit ref we keep around since it was allocated, as incoming stub connections |
292 | * should be kept as long as the client wants to. */ | |
293 | dns_stream_unref(s); | |
b30bf55d LP |
294 | return 0; |
295 | } | |
296 | ||
297 | static void dns_stub_process_query(Manager *m, DnsStream *s, DnsPacket *p) { | |
ceb17827 | 298 | _cleanup_(dns_query_freep) DnsQuery *q = NULL; |
b30bf55d LP |
299 | int r; |
300 | ||
301 | assert(m); | |
302 | assert(p); | |
303 | assert(p->protocol == DNS_PROTOCOL_DNS); | |
304 | ||
b30bf55d LP |
305 | if (in_addr_is_localhost(p->family, &p->sender) <= 0 || |
306 | in_addr_is_localhost(p->family, &p->destination) <= 0) { | |
307 | log_error("Got packet on unexpected IP range, refusing."); | |
2b2d98c1 | 308 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
ceb17827 | 309 | return; |
b30bf55d LP |
310 | } |
311 | ||
312 | r = dns_packet_extract(p); | |
313 | if (r < 0) { | |
314 | log_debug_errno(r, "Failed to extract resources from incoming packet, ignoring packet: %m"); | |
2b2d98c1 | 315 | dns_stub_send_failure(m, s, p, DNS_RCODE_FORMERR, false); |
ceb17827 | 316 | return; |
b30bf55d LP |
317 | } |
318 | ||
319 | if (!DNS_PACKET_VERSION_SUPPORTED(p)) { | |
320 | log_debug("Got EDNS OPT field with unsupported version number."); | |
2b2d98c1 | 321 | dns_stub_send_failure(m, s, p, DNS_RCODE_BADVERS, false); |
ceb17827 | 322 | return; |
b30bf55d LP |
323 | } |
324 | ||
325 | if (dns_type_is_obsolete(p->question->keys[0]->type)) { | |
326 | log_debug("Got message with obsolete key type, refusing."); | |
2b2d98c1 | 327 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
ceb17827 | 328 | return; |
b30bf55d LP |
329 | } |
330 | ||
331 | if (dns_type_is_zone_transer(p->question->keys[0]->type)) { | |
332 | log_debug("Got request for zone transfer, refusing."); | |
2b2d98c1 | 333 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
ceb17827 | 334 | return; |
b30bf55d LP |
335 | } |
336 | ||
337 | if (!DNS_PACKET_RD(p)) { | |
338 | /* If the "rd" bit is off (i.e. recursion was not requested), then refuse operation */ | |
339 | log_debug("Got request with recursion disabled, refusing."); | |
2b2d98c1 | 340 | dns_stub_send_failure(m, s, p, DNS_RCODE_REFUSED, false); |
ceb17827 | 341 | return; |
b30bf55d LP |
342 | } |
343 | ||
344 | if (DNS_PACKET_DO(p) && DNS_PACKET_CD(p)) { | |
345 | log_debug("Got request with DNSSEC CD bit set, refusing."); | |
2b2d98c1 | 346 | dns_stub_send_failure(m, s, p, DNS_RCODE_NOTIMP, false); |
ceb17827 | 347 | return; |
b30bf55d LP |
348 | } |
349 | ||
e8d23f92 | 350 | r = dns_query_new(m, &q, p->question, p->question, 0, SD_RESOLVED_PROTOCOLS_ALL|SD_RESOLVED_NO_SEARCH); |
b30bf55d LP |
351 | if (r < 0) { |
352 | log_error_errno(r, "Failed to generate query object: %m"); | |
2b2d98c1 | 353 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
ceb17827 | 354 | return; |
b30bf55d LP |
355 | } |
356 | ||
357 | /* Request that the TTL is corrected by the cached time for this lookup, so that we return vaguely useful TTLs */ | |
358 | q->clamp_ttl = true; | |
359 | ||
360 | q->request_dns_packet = dns_packet_ref(p); | |
361 | q->request_dns_stream = dns_stream_ref(s); /* make sure the stream stays around until we can send a reply through it */ | |
362 | q->complete = dns_stub_query_complete; | |
363 | ||
364 | if (s) { | |
b412af57 LP |
365 | /* Remember which queries belong to this stream, so that we can cancel them when the stream |
366 | * is disconnected early */ | |
367 | ||
ceb17827 | 368 | r = set_ensure_put(&s->queries, NULL, q); |
b412af57 LP |
369 | if (r < 0) { |
370 | log_oom(); | |
ceb17827 | 371 | return; |
b412af57 | 372 | } |
ceb17827 | 373 | assert(r > 0); |
b30bf55d LP |
374 | } |
375 | ||
376 | r = dns_query_go(q); | |
377 | if (r < 0) { | |
378 | log_error_errno(r, "Failed to start query: %m"); | |
2b2d98c1 | 379 | dns_stub_send_failure(m, s, p, DNS_RCODE_SERVFAIL, false); |
ceb17827 | 380 | return; |
b30bf55d LP |
381 | } |
382 | ||
52e63427 | 383 | log_debug("Processing query..."); |
ceb17827 | 384 | TAKE_PTR(q); |
b30bf55d LP |
385 | } |
386 | ||
387 | static int on_dns_stub_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) { | |
388 | _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; | |
389 | Manager *m = userdata; | |
390 | int r; | |
391 | ||
392 | r = manager_recv(m, fd, DNS_PROTOCOL_DNS, &p); | |
393 | if (r <= 0) | |
394 | return r; | |
395 | ||
396 | if (dns_packet_validate_query(p) > 0) { | |
397 | log_debug("Got DNS stub UDP query packet for id %u", DNS_PACKET_ID(p)); | |
398 | ||
399 | dns_stub_process_query(m, NULL, p); | |
400 | } else | |
401 | log_debug("Invalid DNS stub UDP packet, ignoring."); | |
402 | ||
403 | return 0; | |
404 | } | |
405 | ||
1f05101f SS |
406 | static int set_dns_stub_common_socket_options(int fd) { |
407 | int r; | |
408 | ||
409 | assert(fd >= 0); | |
410 | ||
411 | r = setsockopt_int(fd, SOL_SOCKET, SO_REUSEADDR, true); | |
412 | if (r < 0) | |
413 | return r; | |
414 | ||
415 | r = setsockopt_int(fd, IPPROTO_IP, IP_PKTINFO, true); | |
416 | if (r < 0) | |
417 | return r; | |
418 | ||
419 | return setsockopt_int(fd, IPPROTO_IP, IP_RECVTTL, true); | |
420 | } | |
421 | ||
424e490b | 422 | static int manager_dns_stub_udp_fd(Manager *m) { |
b30bf55d LP |
423 | union sockaddr_union sa = { |
424 | .in.sin_family = AF_INET, | |
425 | .in.sin_port = htobe16(53), | |
426 | .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), | |
427 | }; | |
424e490b | 428 | _cleanup_close_ int fd = -1; |
b30bf55d LP |
429 | int r; |
430 | ||
431 | if (m->dns_stub_udp_fd >= 0) | |
432 | return m->dns_stub_udp_fd; | |
433 | ||
424e490b ZJS |
434 | fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); |
435 | if (fd < 0) | |
b30bf55d LP |
436 | return -errno; |
437 | ||
1f05101f | 438 | r = set_dns_stub_common_socket_options(fd); |
2ff48e98 LP |
439 | if (r < 0) |
440 | return r; | |
b30bf55d LP |
441 | |
442 | /* Make sure no traffic from outside the local host can leak to onto this socket */ | |
953a02d1 LP |
443 | r = socket_bind_to_ifindex(fd, LOOPBACK_IFINDEX); |
444 | if (r < 0) | |
445 | return r; | |
b30bf55d | 446 | |
424e490b ZJS |
447 | if (bind(fd, &sa.sa, sizeof(sa.in)) < 0) |
448 | return -errno; | |
b30bf55d | 449 | |
424e490b | 450 | r = sd_event_add_io(m->event, &m->dns_stub_udp_event_source, fd, EPOLLIN, on_dns_stub_packet, m); |
b30bf55d | 451 | if (r < 0) |
424e490b | 452 | return r; |
b30bf55d LP |
453 | |
454 | (void) sd_event_source_set_description(m->dns_stub_udp_event_source, "dns-stub-udp"); | |
455 | ||
c10d6bdb | 456 | return m->dns_stub_udp_fd = TAKE_FD(fd); |
b30bf55d LP |
457 | } |
458 | ||
1f05101f SS |
459 | static int manager_dns_stub_udp_fd_extra(Manager *m, DNSStubListenerExtra *l) { |
460 | _cleanup_free_ char *pretty = NULL; | |
461 | _cleanup_close_ int fd = -1; | |
462 | int r; | |
463 | ||
464 | if (l->fd >= 0) | |
465 | return 0; | |
466 | ||
467 | fd = socket(socket_address_family(&l->address), SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); | |
468 | if (fd < 0) { | |
469 | r = -errno; | |
470 | goto fail; | |
471 | } | |
472 | ||
473 | r = setsockopt_int(fd, IPPROTO_IP, IP_FREEBIND, true); | |
474 | if (r < 0) | |
475 | goto fail; | |
476 | ||
477 | r = set_dns_stub_common_socket_options(fd); | |
478 | if (r < 0) | |
479 | goto fail; | |
480 | ||
481 | if (bind(fd, &l->address.sockaddr.sa, l->address.size) < 0) { | |
482 | r = -errno; | |
483 | goto fail; | |
484 | } | |
485 | ||
486 | r = sd_event_add_io(m->event, &l->dns_stub_extra_event_source, fd, EPOLLIN, on_dns_stub_packet, m); | |
487 | if (r < 0) | |
488 | goto fail; | |
489 | ||
490 | (void) sd_event_source_set_description(l->dns_stub_extra_event_source, "dns-stub-udp-extra"); | |
491 | ||
492 | l->fd = TAKE_FD(fd); | |
493 | ||
494 | if (DEBUG_LOGGING) { | |
495 | (void) sockaddr_pretty(&l->address.sockaddr.sa, FAMILY_ADDRESS_SIZE(l->address.sockaddr.sa.sa_family), true, true, &pretty); | |
496 | log_debug("Listening on UDP socket %s.", strnull(pretty)); | |
497 | } | |
498 | ||
499 | return 0; | |
500 | ||
501 | fail: | |
502 | (void) sockaddr_pretty(&l->address.sockaddr.sa, FAMILY_ADDRESS_SIZE(l->address.sockaddr.sa.sa_family), true, true, &pretty); | |
503 | if (r == -EADDRINUSE) | |
504 | return log_warning_errno(r, | |
505 | "Another process is already listening on UDP socket %s.\n" | |
506 | "Turning off local DNS stub extra support.", strnull(pretty)); | |
507 | if (r == -EPERM) | |
508 | return log_warning_errno(r, | |
509 | "Failed to listen on UDP socket %s: %m.\n" | |
510 | "Turning off local DNS stub extra support.", strnull(pretty)); | |
511 | ||
512 | assert(r < 0); | |
513 | ||
514 | return log_warning_errno(r, "Failed to listen on UDP socket %s, ignoring: %m", strnull(pretty)); | |
515 | } | |
516 | ||
b30bf55d | 517 | static int on_dns_stub_stream_packet(DnsStream *s) { |
aa337a5e LP |
518 | _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; |
519 | ||
b30bf55d | 520 | assert(s); |
b30bf55d | 521 | |
aa337a5e LP |
522 | p = dns_stream_take_read_packet(s); |
523 | assert(p); | |
524 | ||
525 | if (dns_packet_validate_query(p) > 0) { | |
526 | log_debug("Got DNS stub TCP query packet for id %u", DNS_PACKET_ID(p)); | |
b30bf55d | 527 | |
aa337a5e | 528 | dns_stub_process_query(s->manager, s, p); |
b30bf55d LP |
529 | } else |
530 | log_debug("Invalid DNS stub TCP packet, ignoring."); | |
531 | ||
b30bf55d LP |
532 | return 0; |
533 | } | |
534 | ||
535 | static int on_dns_stub_stream(sd_event_source *s, int fd, uint32_t revents, void *userdata) { | |
536 | DnsStream *stream; | |
537 | Manager *m = userdata; | |
538 | int cfd, r; | |
539 | ||
540 | cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK|SOCK_CLOEXEC); | |
541 | if (cfd < 0) { | |
4ff9bc2e | 542 | if (ERRNO_IS_ACCEPT_AGAIN(errno)) |
b30bf55d LP |
543 | return 0; |
544 | ||
545 | return -errno; | |
546 | } | |
547 | ||
652ba568 | 548 | r = dns_stream_new(m, &stream, DNS_STREAM_STUB, DNS_PROTOCOL_DNS, cfd, NULL); |
b30bf55d LP |
549 | if (r < 0) { |
550 | safe_close(cfd); | |
551 | return r; | |
552 | } | |
553 | ||
554 | stream->on_packet = on_dns_stub_stream_packet; | |
b412af57 | 555 | stream->complete = dns_stub_stream_complete; |
b30bf55d | 556 | |
b412af57 | 557 | /* We let the reference to the stream dangle here, it will be dropped later by the complete callback. */ |
b30bf55d LP |
558 | |
559 | return 0; | |
560 | } | |
561 | ||
424e490b | 562 | static int manager_dns_stub_tcp_fd(Manager *m) { |
b30bf55d LP |
563 | union sockaddr_union sa = { |
564 | .in.sin_family = AF_INET, | |
565 | .in.sin_addr.s_addr = htobe32(INADDR_DNS_STUB), | |
566 | .in.sin_port = htobe16(53), | |
567 | }; | |
424e490b | 568 | _cleanup_close_ int fd = -1; |
b30bf55d LP |
569 | int r; |
570 | ||
571 | if (m->dns_stub_tcp_fd >= 0) | |
572 | return m->dns_stub_tcp_fd; | |
573 | ||
424e490b ZJS |
574 | fd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); |
575 | if (fd < 0) | |
b30bf55d LP |
576 | return -errno; |
577 | ||
1f05101f | 578 | r = set_dns_stub_common_socket_options(fd); |
2ff48e98 LP |
579 | if (r < 0) |
580 | return r; | |
b30bf55d | 581 | |
1f05101f | 582 | r = setsockopt_int(fd, IPPROTO_IP, IP_TTL, true); |
2ff48e98 LP |
583 | if (r < 0) |
584 | return r; | |
b30bf55d LP |
585 | |
586 | /* Make sure no traffic from outside the local host can leak to onto this socket */ | |
953a02d1 LP |
587 | r = socket_bind_to_ifindex(fd, LOOPBACK_IFINDEX); |
588 | if (r < 0) | |
589 | return r; | |
b30bf55d | 590 | |
424e490b ZJS |
591 | if (bind(fd, &sa.sa, sizeof(sa.in)) < 0) |
592 | return -errno; | |
b30bf55d | 593 | |
424e490b ZJS |
594 | if (listen(fd, SOMAXCONN) < 0) |
595 | return -errno; | |
b30bf55d | 596 | |
424e490b | 597 | r = sd_event_add_io(m->event, &m->dns_stub_tcp_event_source, fd, EPOLLIN, on_dns_stub_stream, m); |
b30bf55d | 598 | if (r < 0) |
424e490b | 599 | return r; |
b30bf55d LP |
600 | |
601 | (void) sd_event_source_set_description(m->dns_stub_tcp_event_source, "dns-stub-tcp"); | |
602 | ||
c10d6bdb | 603 | return m->dns_stub_tcp_fd = TAKE_FD(fd); |
b30bf55d LP |
604 | } |
605 | ||
1f05101f SS |
606 | static int manager_dns_stub_tcp_fd_extra(Manager *m, DNSStubListenerExtra *l) { |
607 | _cleanup_free_ char *pretty = NULL; | |
608 | _cleanup_close_ int fd = -1; | |
609 | int r; | |
610 | ||
611 | if (l->fd >= 0) | |
612 | return 0; | |
613 | ||
614 | fd = socket(socket_address_family(&l->address), SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); | |
615 | if (fd < 0) { | |
616 | r = -errno; | |
617 | goto fail; | |
618 | } | |
619 | ||
620 | r = set_dns_stub_common_socket_options(fd); | |
621 | if (r < 0) | |
622 | goto fail; | |
623 | ||
624 | r = setsockopt_int(fd, IPPROTO_IP, IP_TTL, true); | |
625 | if (r < 0) | |
626 | goto fail; | |
627 | ||
628 | r = setsockopt_int(fd, IPPROTO_IP, IP_FREEBIND, true); | |
629 | if (r < 0) | |
630 | goto fail; | |
631 | ||
632 | if (bind(fd, &l->address.sockaddr.sa, l->address.size) < 0) { | |
633 | r = -errno; | |
634 | goto fail; | |
635 | } | |
636 | ||
637 | if (listen(fd, SOMAXCONN) < 0) { | |
638 | r = -errno; | |
639 | goto fail; | |
640 | } | |
641 | ||
642 | r = sd_event_add_io(m->event, &l->dns_stub_extra_event_source, fd, EPOLLIN, on_dns_stub_packet, m); | |
643 | if (r < 0) | |
644 | goto fail; | |
645 | ||
646 | (void) sd_event_source_set_description(l->dns_stub_extra_event_source, "dns-stub-tcp-extra"); | |
647 | ||
648 | l->fd = TAKE_FD(fd); | |
649 | ||
650 | if (DEBUG_LOGGING) { | |
651 | (void) sockaddr_pretty(&l->address.sockaddr.sa, FAMILY_ADDRESS_SIZE(l->address.sockaddr.sa.sa_family), true, true, &pretty); | |
652 | log_debug("Listening on TCP socket %s.", strnull(pretty)); | |
653 | } | |
654 | ||
655 | return 0; | |
656 | ||
657 | fail: | |
658 | (void) sockaddr_pretty(&l->address.sockaddr.sa, FAMILY_ADDRESS_SIZE(l->address.sockaddr.sa.sa_family), true, true, &pretty); | |
659 | if (r == -EADDRINUSE) | |
660 | return log_warning_errno(r, | |
661 | "Another process is already listening on TCP socket %s.\n" | |
662 | "Turning off local DNS stub extra support.", strnull(pretty)); | |
663 | if (r == -EPERM) | |
664 | return log_warning_errno(r, | |
665 | "Failed to listen on TCP socket %s: %m.\n" | |
666 | "Turning off local DNS stub extra support.", strnull(pretty)); | |
667 | ||
668 | assert(r < 0); | |
669 | ||
670 | return log_warning_errno(r, "Failed to listen on TCP socket %s, ignoring: %m", strnull(pretty)); | |
671 | } | |
672 | ||
b30bf55d | 673 | int manager_dns_stub_start(Manager *m) { |
424e490b | 674 | const char *t = "UDP"; |
01b0669e | 675 | int r = 0; |
b30bf55d LP |
676 | |
677 | assert(m); | |
678 | ||
d5da7707 ZJS |
679 | if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO) |
680 | log_debug("Not creating stub listener."); | |
681 | else | |
682 | log_debug("Creating stub listener using %s.", | |
683 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_UDP ? "UDP" : | |
684 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_TCP ? "TCP" : | |
685 | "UDP/TCP"); | |
686 | ||
424e490b | 687 | if (IN_SET(m->dns_stub_listener_mode, DNS_STUB_LISTENER_YES, DNS_STUB_LISTENER_UDP)) |
1ae43295 | 688 | r = manager_dns_stub_udp_fd(m); |
b30bf55d | 689 | |
424e490b ZJS |
690 | if (r >= 0 && |
691 | IN_SET(m->dns_stub_listener_mode, DNS_STUB_LISTENER_YES, DNS_STUB_LISTENER_TCP)) { | |
692 | t = "TCP"; | |
1ae43295 | 693 | r = manager_dns_stub_tcp_fd(m); |
1ae43295 | 694 | } |
b30bf55d | 695 | |
0f4db364 ZJS |
696 | if (IN_SET(r, -EADDRINUSE, -EPERM)) { |
697 | if (r == -EADDRINUSE) | |
698 | log_warning_errno(r, | |
699 | "Another process is already listening on %s socket 127.0.0.53:53.\n" | |
700 | "Turning off local DNS stub support.", t); | |
701 | else | |
702 | log_warning_errno(r, | |
703 | "Failed to listen on %s socket 127.0.0.53:53: %m.\n" | |
704 | "Turning off local DNS stub support.", t); | |
424e490b ZJS |
705 | manager_dns_stub_stop(m); |
706 | } else if (r < 0) | |
707 | return log_error_errno(r, "Failed to listen on %s socket 127.0.0.53:53: %m", t); | |
b30bf55d | 708 | |
1f05101f SS |
709 | if (!ordered_set_isempty(m->dns_extra_stub_listeners)) { |
710 | DNSStubListenerExtra *l; | |
711 | Iterator i; | |
712 | ||
713 | log_debug("Creating stub listener extra using %s.", | |
714 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_UDP ? "UDP" : | |
715 | m->dns_stub_listener_mode == DNS_STUB_LISTENER_TCP ? "TCP" : | |
716 | "UDP/TCP"); | |
717 | ||
718 | ORDERED_SET_FOREACH(l, m->dns_extra_stub_listeners, i) | |
719 | if (l->mode == DNS_STUB_LISTENER_UDP) | |
720 | (void) manager_dns_stub_udp_fd_extra(m, l); | |
721 | else | |
722 | (void) manager_dns_stub_tcp_fd_extra(m, l); | |
723 | } | |
724 | ||
b30bf55d LP |
725 | return 0; |
726 | } | |
727 | ||
728 | void manager_dns_stub_stop(Manager *m) { | |
729 | assert(m); | |
730 | ||
731 | m->dns_stub_udp_event_source = sd_event_source_unref(m->dns_stub_udp_event_source); | |
732 | m->dns_stub_tcp_event_source = sd_event_source_unref(m->dns_stub_tcp_event_source); | |
733 | ||
734 | m->dns_stub_udp_fd = safe_close(m->dns_stub_udp_fd); | |
735 | m->dns_stub_tcp_fd = safe_close(m->dns_stub_tcp_fd); | |
736 | } | |
1f05101f SS |
737 | |
738 | void manager_dns_stub_stop_extra(Manager *m) { | |
739 | DNSStubListenerExtra *l; | |
740 | Iterator i; | |
741 | ||
742 | assert(m); | |
743 | ||
744 | ORDERED_SET_FOREACH(l, m->dns_extra_stub_listeners, i) { | |
745 | l->dns_stub_extra_event_source = sd_event_source_unref(l->dns_stub_extra_event_source); | |
746 | l->fd = safe_close(l->fd); | |
747 | } | |
748 | } |