]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
255 /* retry on existing query, send to all available servers */
256 domain
= forward
->sentto
->domain
;
257 forward
->sentto
->failed_queries
++;
258 if (!option_bool(OPT_ORDER
))
260 forward
->forwardall
= 1;
261 daemon
->last_server
= NULL
;
263 type
= forward
->sentto
->flags
& SERV_TYPE
;
264 if (!(start
= forward
->sentto
->next
))
265 start
= daemon
->servers
; /* at end of list, recycle */
266 header
->id
= htons(forward
->new_id
);
271 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
273 if (!flags
&& !(forward
= get_new_frec(now
, NULL
)))
274 /* table full - server failure. */
279 forward
->source
= *udpaddr
;
280 forward
->dest
= *dst_addr
;
281 forward
->iface
= dst_iface
;
282 forward
->orig_id
= ntohs(header
->id
);
283 forward
->new_id
= get_id(crc
);
286 forward
->forwardall
= 0;
288 forward
->flags
|= FREC_NOREBIND
;
289 if (header
->hb4
& HB4_CD
)
290 forward
->flags
|= FREC_CHECKING_DISABLED
;
292 header
->id
= htons(forward
->new_id
);
294 /* In strict_order mode, always try servers in the order
295 specified in resolv.conf, if a domain is given
296 always try all the available servers,
297 otherwise, use the one last known to work. */
301 if (option_bool(OPT_ORDER
))
302 start
= daemon
->servers
;
303 else if (!(start
= daemon
->last_server
) ||
304 daemon
->forwardcount
++ > FORWARD_TEST
||
305 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
307 start
= daemon
->servers
;
308 forward
->forwardall
= 1;
309 daemon
->forwardcount
= 0;
310 daemon
->forwardtime
= now
;
315 start
= daemon
->servers
;
316 if (!option_bool(OPT_ORDER
))
317 forward
->forwardall
= 1;
322 /* check for send errors here (no route to host)
323 if we fail to send to all nameservers, send back an error
324 packet straight away (helps modem users when offline) */
326 if (!flags
&& forward
)
328 struct server
*firstsentto
= start
;
331 if (option_bool(OPT_ADD_MAC
))
332 plen
= add_mac(header
, plen
, ((char *) header
) + PACKETSZ
, &forward
->source
);
336 /* only send to servers dealing with our domain.
337 domain may be NULL, in which case server->domain
338 must be NULL also. */
340 if (type
== (start
->flags
& SERV_TYPE
) &&
341 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
342 !(start
->flags
& SERV_LITERAL_ADDRESS
))
346 /* find server socket to use, may need to get random one. */
352 if (start
->addr
.sa
.sa_family
== AF_INET6
)
354 if (!forward
->rfd6
&&
355 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
357 daemon
->rfd_save
= forward
->rfd6
;
358 fd
= forward
->rfd6
->fd
;
363 if (!forward
->rfd4
&&
364 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
366 daemon
->rfd_save
= forward
->rfd4
;
367 fd
= forward
->rfd4
->fd
;
370 #ifdef HAVE_CONNTRACK
371 /* Copy connection mark of incoming query to outgoing connection. */
372 if (option_bool(OPT_CONNTRACK
))
375 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
376 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
381 if (sendto(fd
, (char *)header
, plen
, 0,
383 sa_len(&start
->addr
)) == -1)
390 /* Keep info in case we want to re-send this packet */
391 daemon
->srv_save
= start
;
392 daemon
->packet_len
= plen
;
395 strcpy(daemon
->namebuff
, "query");
396 if (start
->addr
.sa
.sa_family
== AF_INET
)
397 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
398 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
401 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
402 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
406 forward
->sentto
= start
;
407 if (!forward
->forwardall
)
409 forward
->forwardall
++;
413 if (!(start
= start
->next
))
414 start
= daemon
->servers
;
416 if (start
== firstsentto
)
423 /* could not send on, prepare to return */
424 header
->id
= htons(forward
->orig_id
);
425 free_frec(forward
); /* cancel */
428 /* could not send on, return empty answer or address if known for whole domain */
431 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
432 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
438 static size_t process_reply(struct dns_header
*header
, time_t now
,
439 struct server
*server
, size_t n
, int check_rebind
, int checking_disabled
)
441 unsigned char *pheader
, *sizep
;
443 int munged
= 0, is_sign
;
447 /* Similar algorithm to search_servers. */
448 struct ipsets
*ipset_pos
;
449 unsigned int namelen
= strlen(daemon
->namebuff
);
450 unsigned int matchlen
= 0;
451 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
453 unsigned int domainlen
= strlen(ipset_pos
->domain
);
454 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
455 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
456 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
457 domainlen
>= matchlen
) {
458 matchlen
= domainlen
;
459 sets
= ipset_pos
->sets
;
464 /* If upstream is advertising a larger UDP packet size
465 than we allow, trim it so that we don't get overlarge
466 requests for the client. We can't do this for signed packets. */
468 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)) && !is_sign
)
470 unsigned short udpsz
;
471 unsigned char *psave
= sizep
;
473 GETSHORT(udpsz
, sizep
);
474 if (udpsz
> daemon
->edns_pktsz
)
475 PUTSHORT(daemon
->edns_pktsz
, psave
);
478 /* RFC 4035 sect 4.6 para 3 */
479 if (!is_sign
&& !option_bool(OPT_DNSSEC
))
480 header
->hb4
&= ~HB4_AD
;
482 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
485 /* Complain loudly if the upstream server is non-recursive. */
486 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
487 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
489 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
490 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
491 if (!option_bool(OPT_LOG
))
492 server
->flags
|= SERV_WARNED_RECURSIVE
;
495 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
496 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
499 SET_RCODE(header
, NXDOMAIN
);
500 header
->hb3
&= ~HB3_AA
;
504 if (RCODE(header
) == NXDOMAIN
&&
505 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
506 check_for_local_domain(daemon
->namebuff
, now
))
508 /* if we forwarded a query for a locally known name (because it was for
509 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
510 since we know that the domain exists, even if upstream doesn't */
512 header
->hb3
|= HB3_AA
;
513 SET_RCODE(header
, NOERROR
);
516 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, checking_disabled
))
518 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
523 /* do this after extract_addresses. Ensure NODATA reply and remove
528 header
->ancount
= htons(0);
529 header
->nscount
= htons(0);
530 header
->arcount
= htons(0);
533 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
534 sections of the packet. Find the new length here and put back pseudoheader
535 if it was removed. */
536 return resize_packet(header
, n
, pheader
, plen
);
539 /* sets new last_server */
540 void reply_query(int fd
, int family
, time_t now
)
542 /* packet from peer server, extract data for cache, and send to
543 original requester */
544 struct dns_header
*header
;
545 union mysockaddr serveraddr
;
546 struct frec
*forward
;
547 socklen_t addrlen
= sizeof(serveraddr
);
548 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->edns_pktsz
, 0, &serveraddr
.sa
, &addrlen
);
550 struct server
*server
;
552 /* packet buffer overwritten */
553 daemon
->srv_save
= NULL
;
555 /* Determine the address of the server replying so that we can mark that as good */
556 serveraddr
.sa
.sa_family
= family
;
558 if (serveraddr
.sa
.sa_family
== AF_INET6
)
559 serveraddr
.in6
.sin6_flowinfo
= 0;
562 /* spoof check: answer must come from known server, */
563 for (server
= daemon
->servers
; server
; server
= server
->next
)
564 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
565 sockaddr_isequal(&server
->addr
, &serveraddr
))
568 header
= (struct dns_header
*)daemon
->packet
;
571 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
572 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
575 server
= forward
->sentto
;
577 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
578 !option_bool(OPT_ORDER
) &&
579 forward
->forwardall
== 0)
580 /* for broken servers, attempt to send to another one. */
582 unsigned char *pheader
;
586 /* recreate query from reply */
587 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
590 header
->ancount
= htons(0);
591 header
->nscount
= htons(0);
592 header
->arcount
= htons(0);
593 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
595 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
596 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
602 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
604 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
608 struct server
*last_server
;
610 /* find good server by address if possible, otherwise assume the last one we sent to */
611 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
612 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
613 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
615 server
= last_server
;
619 if (!option_bool(OPT_ALL_SERVERS
))
620 daemon
->last_server
= server
;
623 /* If the answer is an error, keep the forward record in place in case
624 we get a good reply from another server. Kill it when we've
625 had replies from all to avoid filling the forwarding table when
626 everything is broken */
627 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
628 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
630 int check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
632 if (!option_bool(OPT_NO_REBIND
))
635 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, forward
->flags
& FREC_CHECKING_DISABLED
)))
637 header
->id
= htons(forward
->orig_id
);
638 header
->hb4
|= HB4_RA
; /* recursion if available */
639 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
640 &forward
->source
, &forward
->dest
, forward
->iface
);
642 free_frec(forward
); /* cancel */
647 void receive_query(struct listener
*listen
, time_t now
)
649 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
650 union mysockaddr source_addr
;
652 struct all_addr dst_addr
;
653 struct in_addr netmask
, dst_addr_4
;
660 struct cmsghdr
*cmptr
;
662 struct cmsghdr align
; /* this ensures alignment */
664 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
666 #if defined(HAVE_LINUX_NETWORK)
667 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
668 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
669 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
670 CMSG_SPACE(sizeof(unsigned int))];
671 #elif defined(IP_RECVDSTADDR)
672 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
673 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
677 /* packet buffer overwritten */
678 daemon
->srv_save
= NULL
;
680 dst_addr_4
.s_addr
= 0;
683 if (option_bool(OPT_NOWILD
) && listen
->iface
)
685 auth_dns
= listen
->iface
->dns_auth
;
687 if (listen
->family
== AF_INET
)
689 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
690 netmask
= listen
->iface
->netmask
;
694 iov
[0].iov_base
= daemon
->packet
;
695 iov
[0].iov_len
= daemon
->edns_pktsz
;
697 msg
.msg_control
= control_u
.control
;
698 msg
.msg_controllen
= sizeof(control_u
);
700 msg
.msg_name
= &source_addr
;
701 msg
.msg_namelen
= sizeof(source_addr
);
705 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
708 if (n
< (int)sizeof(struct dns_header
) ||
709 (msg
.msg_flags
& MSG_TRUNC
) ||
710 (header
->hb3
& HB3_QR
))
713 source_addr
.sa
.sa_family
= listen
->family
;
715 if (listen
->family
== AF_INET6
)
716 source_addr
.in6
.sin6_flowinfo
= 0;
719 if (!option_bool(OPT_NOWILD
))
723 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
726 #if defined(HAVE_LINUX_NETWORK)
727 if (listen
->family
== AF_INET
)
728 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
729 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
733 struct in_pktinfo
*p
;
735 p
.c
= CMSG_DATA(cmptr
);
736 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
737 if_index
= p
.p
->ipi_ifindex
;
739 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
740 if (listen
->family
== AF_INET
)
742 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
748 #ifndef HAVE_SOLARIS_NETWORK
749 struct sockaddr_dl
*s
;
752 p
.c
= CMSG_DATA(cmptr
);
753 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
754 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
755 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
756 #ifdef HAVE_SOLARIS_NETWORK
759 if_index
= p
.s
->sdl_index
;
766 if (listen
->family
== AF_INET6
)
768 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
769 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
773 struct in6_pktinfo
*p
;
775 p
.c
= CMSG_DATA(cmptr
);
777 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
778 if_index
= p
.p
->ipi6_ifindex
;
783 /* enforce available interface configuration */
785 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
788 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
790 if (!option_bool(OPT_CLEVERBIND
))
791 enumerate_interfaces(0);
792 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
793 !label_exception(if_index
, listen
->family
, &dst_addr
))
797 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
801 /* get the netmask of the interface whch has the address we were sent to.
802 This is no neccessarily the interface we arrived on. */
804 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
805 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
806 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
809 /* interface may be new */
810 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
811 enumerate_interfaces(0);
813 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
814 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
815 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
818 /* If we failed, abandon localisation */
820 netmask
= iface
->netmask
;
822 dst_addr_4
.s_addr
= 0;
826 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
830 querystr(auth_dns
? "auth" : "query", types
, type
);
832 if (listen
->family
== AF_INET
)
833 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
834 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
837 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
838 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
845 m
= answer_auth(header
, ((char *) header
) + PACKETSZ
, (size_t)n
, now
, &source_addr
);
847 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
848 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
853 m
= answer_request(header
, ((char *) header
) + PACKETSZ
, (size_t)n
,
854 dst_addr_4
, netmask
, now
);
858 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
859 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
860 daemon
->local_answer
++;
862 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
863 header
, (size_t)n
, now
, NULL
))
864 daemon
->queries_forwarded
++;
866 daemon
->local_answer
++;
870 /* The daemon forks before calling this: it should deal with one connection,
871 blocking as neccessary, and then return. Note, need to be a bit careful
872 about resources for debug mode, when the fork is suppressed: that's
873 done by the caller. */
874 unsigned char *tcp_request(int confd
, time_t now
,
875 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
879 int checking_disabled
;
881 unsigned short qtype
;
882 unsigned int gotname
;
883 unsigned char c1
, c2
;
884 /* Max TCP packet + slop + size */
885 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
886 unsigned char *payload
= &packet
[2];
887 /* largest field in header is 16-bits, so this is still sufficiently aligned */
888 struct dns_header
*header
= (struct dns_header
*)payload
;
889 u16
*length
= (u16
*)packet
;
890 struct server
*last_server
;
891 struct in_addr dst_addr_4
;
892 union mysockaddr peer_addr
;
893 socklen_t peer_len
= sizeof(union mysockaddr
);
895 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
901 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
902 !(size
= c1
<< 8 | c2
) ||
903 !read_write(confd
, payload
, size
, 1))
906 if (size
< (int)sizeof(struct dns_header
))
909 /* save state of "cd" flag in query */
910 checking_disabled
= header
->hb4
& HB4_CD
;
912 /* RFC 4035: sect 4.6 para 2 */
913 header
->hb4
&= ~HB4_AD
;
915 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
919 querystr(auth_dns
? "auth" : "query", types
, qtype
);
921 if (peer_addr
.sa
.sa_family
== AF_INET
)
922 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
923 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
926 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
927 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
931 if (local_addr
->sa
.sa_family
== AF_INET
)
932 dst_addr_4
= local_addr
->in
.sin_addr
;
934 dst_addr_4
.s_addr
= 0;
938 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
);
942 /* m > 0 if answered from cache */
943 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
944 dst_addr_4
, netmask
, now
);
946 /* Do this by steam now we're not in the select() loop */
947 check_log_writer(NULL
);
951 unsigned int flags
= 0;
952 struct all_addr
*addrp
= NULL
;
956 if (option_bool(OPT_ADD_MAC
))
957 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
960 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
962 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
963 last_server
= daemon
->servers
;
965 last_server
= daemon
->last_server
;
967 if (!flags
&& last_server
)
969 struct server
*firstsendto
= NULL
;
970 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
972 /* Loop round available servers until we succeed in connecting to one.
973 Note that this code subtley ensures that consecutive queries on this connection
974 which can go to the same server, do so. */
978 firstsendto
= last_server
;
981 if (!(last_server
= last_server
->next
))
982 last_server
= daemon
->servers
;
984 if (last_server
== firstsendto
)
988 /* server for wrong domain */
989 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
990 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
993 if (last_server
->tcpfd
== -1)
995 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
998 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
999 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1001 close(last_server
->tcpfd
);
1002 last_server
->tcpfd
= -1;
1006 #ifdef HAVE_CONNTRACK
1007 /* Copy connection mark of incoming query to outgoing connection. */
1008 if (option_bool(OPT_CONNTRACK
))
1011 struct all_addr local
;
1013 if (local_addr
->sa
.sa_family
== AF_INET6
)
1014 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1017 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1019 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1020 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1025 *length
= htons(size
);
1027 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1028 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1029 !read_write(last_server
->tcpfd
, &c2
, 1, 1))
1031 close(last_server
->tcpfd
);
1032 last_server
->tcpfd
= -1;
1037 if (!read_write(last_server
->tcpfd
, payload
, m
, 1))
1041 strcpy(daemon
->namebuff
, "query");
1042 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1043 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1044 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1047 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1048 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1051 /* There's no point in updating the cache, since this process will exit and
1052 lose the information after a few queries. We make this call for the alias and
1053 bogus-nxdomain side-effects. */
1054 /* If the crc of the question section doesn't match the crc we sent, then
1055 someone might be attempting to insert bogus values into the cache by
1056 sending replies containing questions and bogus answers. */
1057 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1058 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1059 option_bool(OPT_NO_REBIND
) && !norebind
, checking_disabled
);
1065 /* In case of local answer or no connections made. */
1067 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1071 check_log_writer(NULL
);
1075 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1080 static struct frec
*allocate_frec(time_t now
)
1084 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1086 f
->next
= daemon
->frec_list
;
1094 daemon
->frec_list
= f
;
1100 static struct randfd
*allocate_rfd(int family
)
1102 static int finger
= 0;
1105 /* limit the number of sockets we have open to avoid starvation of
1106 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1108 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1109 if (daemon
->randomsocks
[i
].refcount
== 0)
1111 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1114 daemon
->randomsocks
[i
].refcount
= 1;
1115 daemon
->randomsocks
[i
].family
= family
;
1116 return &daemon
->randomsocks
[i
];
1119 /* No free ones or cannot get new socket, grab an existing one */
1120 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1122 int j
= (i
+finger
) % RANDOM_SOCKS
;
1123 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1124 daemon
->randomsocks
[j
].family
== family
&&
1125 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1128 daemon
->randomsocks
[j
].refcount
++;
1129 return &daemon
->randomsocks
[j
];
1133 return NULL
; /* doom */
1136 static void free_frec(struct frec
*f
)
1138 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1146 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1153 /* if wait==NULL return a free or older than TIMEOUT record.
1154 else return *wait zero if one available, or *wait is delay to
1155 when the oldest in-use record will expire. Impose an absolute
1156 limit of 4*TIMEOUT before we wipe things (for random sockets) */
1157 struct frec
*get_new_frec(time_t now
, int *wait
)
1159 struct frec
*f
, *oldest
, *target
;
1165 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1170 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1176 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1186 /* can't find empty one, use oldest if there is one
1187 and it's older than timeout */
1188 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1190 /* keep stuff for twice timeout if we can by allocating a new
1192 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1193 count
<= daemon
->ftabsize
&&
1194 (f
= allocate_frec(now
)))
1205 /* none available, calculate time 'till oldest record expires */
1206 if (count
> daemon
->ftabsize
)
1209 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1213 if (!(f
= allocate_frec(now
)) && wait
)
1214 /* wait one second on malloc failure */
1217 return f
; /* OK if malloc fails and this is NULL */
1220 /* crc is all-ones if not known. */
1221 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1225 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1226 if (f
->sentto
&& f
->new_id
== id
&&
1227 (f
->crc
== crc
|| crc
== 0xffffffff))
1233 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1234 union mysockaddr
*addr
,
1239 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1243 sockaddr_isequal(&f
->source
, addr
))
1249 /* A server record is going away, remove references to it */
1250 void server_gone(struct server
*server
)
1254 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1255 if (f
->sentto
&& f
->sentto
== server
)
1258 if (daemon
->last_server
== server
)
1259 daemon
->last_server
= NULL
;
1261 if (daemon
->srv_save
== server
)
1262 daemon
->srv_save
= NULL
;
1265 /* return unique random ids. */
1266 static unsigned short get_id(unsigned int crc
)
1268 unsigned short ret
= 0;
1272 while (lookup_frec(ret
, crc
));