1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 #ifdef HAVE_LINUX_NETWORK
/* Linux variant: translate an interface index into its name by issuing the
   SIOCGIFNAME ioctl on fd, then copy the kernel-supplied name to the caller.
   name must provide at least IF_NAMESIZE bytes: the strncpy() below is
   bounded by IF_NAMESIZE, not by the size of the caller's buffer.
   NOTE(review): strncpy() adds no terminating NUL when the source occupies
   all IF_NAMESIZE bytes - presumably the kernel always terminates ifr_name;
   confirm. The declaration of ifr and the return statements are absent from
   this listing; iface_allowed() in this file treats a zero result as failure. */
21 int indextoname(int fd
, int index
, char *name
)
28 ifr
.ifr_ifindex
= index
;
29 if (ioctl(fd
, SIOCGIFNAME
, &ifr
) == -1)
32 strncpy(name
, ifr
.ifr_name
, IF_NAMESIZE
);
38 #elif defined(HAVE_SOLARIS_NETWORK)
42 #ifndef LIFC_UNDER_IPMP
43 # define LIFC_UNDER_IPMP 0
46 int indextoname(int fd
, int index
, char *name
)
50 int numifs
, bufsize
, i
;
57 if (getzoneid() == GLOBAL_ZONEID
)
59 if (!if_indextoname(index
, name
))
64 lifc_flags
= LIFC_NOXMIT
| LIFC_TEMPORARY
| LIFC_ALLZONES
| LIFC_UNDER_IPMP
;
65 lifn
.lifn_family
= AF_UNSPEC
;
66 lifn
.lifn_flags
= lifc_flags
;
67 if (ioctl(fd
, SIOCGLIFNUM
, &lifn
) < 0)
70 numifs
= lifn
.lifn_count
;
71 bufsize
= numifs
* sizeof(struct lifreq
);
73 lifc
.lifc_family
= AF_UNSPEC
;
74 lifc
.lifc_flags
= lifc_flags
;
75 lifc
.lifc_len
= bufsize
;
76 lifc
.lifc_buf
= alloca(bufsize
);
78 if (ioctl(fd
, SIOCGLIFCONF
, &lifc
) < 0)
81 lifrp
= lifc
.lifc_req
;
82 for (i
= lifc
.lifc_len
/ sizeof(struct lifreq
); i
; i
--, lifrp
++)
85 strncpy(lifr
.lifr_name
, lifrp
->lifr_name
, IF_NAMESIZE
);
86 if (ioctl(fd
, SIOCGLIFINDEX
, &lifr
) < 0)
89 if (lifr
.lifr_index
== index
) {
90 strncpy(name
, lifr
.lifr_name
, IF_NAMESIZE
);
100 int indextoname(int fd
, int index
, char *name
)
104 if (index
== 0 || !if_indextoname(index
, name
))
112 int iface_check(int family
, struct all_addr
*addr
, char *name
, int *auth
)
115 int ret
= 1, match_addr
= 0;
117 /* Note: have to check all and not bail out early, so that we set the
120 May be called with family == AF_LOCAL to check interface by name only. */
125 if (daemon
->if_names
|| daemon
->if_addrs
)
129 for (tmp
= daemon
->if_names
; tmp
; tmp
= tmp
->next
)
130 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
134 for (tmp
= daemon
->if_addrs
; tmp
; tmp
= tmp
->next
)
135 if (tmp
->addr
.sa
.sa_family
== family
)
137 if (family
== AF_INET
&&
138 tmp
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
139 ret
= match_addr
= tmp
->used
= 1;
141 else if (family
== AF_INET6
&&
142 IN6_ARE_ADDR_EQUAL(&tmp
->addr
.in6
.sin6_addr
,
144 ret
= match_addr
= tmp
->used
= 1;
150 for (tmp
= daemon
->if_except
; tmp
; tmp
= tmp
->next
)
151 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
155 for (tmp
= daemon
->authinterface
; tmp
; tmp
= tmp
->next
)
158 if (strcmp(tmp
->name
, name
) == 0 &&
159 (tmp
->addr
.sa
.sa_family
== 0 || tmp
->addr
.sa
.sa_family
== family
))
162 else if (addr
&& tmp
->addr
.sa
.sa_family
== AF_INET
&& family
== AF_INET
&&
163 tmp
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
166 else if (addr
&& tmp
->addr
.sa
.sa_family
== AF_INET6
&& family
== AF_INET6
&&
167 IN6_ARE_ADDR_EQUAL(&tmp
->addr
.in6
.sin6_addr
, &addr
->addr
.addr6
))
181 /* Fix for problem that the kernel sometimes reports the loopback interface as the
182 arrival interface when a packet originates locally, even when sent to address of
183 an interface other than the loopback. Accept packet if it arrived via a loopback
184 interface, even when we're not accepting packets that way, as long as the destination
185 address is one we're believing. Interface list must be up-to-date before calling. */
186 int loopback_exception(int fd
, int family
, struct all_addr
*addr
, char *name
)
/* Copy the arrival interface name (bounded by IF_NAMESIZE) into the request
   and ask the kernel, via SIOCGIFFLAGS, whether that interface carries
   IFF_LOOPBACK. A failed ioctl is treated the same as "not loopback". */
191 strncpy(ifr
.ifr_name
, name
, IF_NAMESIZE
);
192 if (ioctl(fd
, SIOCGIFFLAGS
, &ifr
) != -1 &&
193 ifr
.ifr_flags
& IFF_LOOPBACK
)
/* Loopback arrival only: search daemon->interfaces for an entry of the same
   address family whose address equals the destination address in addr.
   This relaxes the arrival-interface check, so the result is only as
   trustworthy as daemon->interfaces is current.
   NOTE(review): the statements that produce the return value are not present
   in this listing. */
195 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
196 if (iface
->addr
.sa
.sa_family
== family
)
198 if (family
== AF_INET
)
200 if (iface
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
204 else if (IN6_ARE_ADDR_EQUAL(&iface
->addr
.in6
.sin6_addr
, &addr
->addr
.addr6
))
213 /* If we're configured with something like --interface=eth0:0 then we'll listen correctly
214 on the relevant address, but the name of the arrival interface, derived from the
215 index won't match the config. Check that we found an interface address for the arrival
216 interface: daemon->interfaces must be up-to-date. */
217 int label_exception(int index
, int family
, struct all_addr
*addr
)
221 /* labels only supported on IPv4 addresses. */
222 if (family
!= AF_INET
)
/* Look for an entry in daemon->interfaces that has the arrival interface
   index, is IPv4, and holds exactly the destination address in addr. All
   three conditions must hold for the same entry, so a matching address on a
   different interface index does not qualify.
   NOTE(review): the return statements are not present in this listing. */
225 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
226 if (iface
->index
== index
&& iface
->addr
.sa
.sa_family
== AF_INET
&&
227 iface
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
234 struct addrlist
*spare
;
238 static int iface_allowed(struct iface_param
*param
, int if_index
, char *label
,
239 union mysockaddr
*addr
, struct in_addr netmask
, int prefixlen
, int iface_flags
)
242 int mtu
= 0, loopback
;
244 int tftp_ok
= !!option_bool(OPT_TFTP
);
247 #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
253 if (!indextoname(param
->fd
, if_index
, ifr
.ifr_name
) ||
254 ioctl(param
->fd
, SIOCGIFFLAGS
, &ifr
) == -1)
257 loopback
= ifr
.ifr_flags
& IFF_LOOPBACK
;
262 if (ioctl(param
->fd
, SIOCGIFMTU
, &ifr
) != -1)
266 label
= ifr
.ifr_name
;
268 /* maintain a list of all addresses on all interfaces for --local-service option */
269 if (option_bool(OPT_LOCAL_SERVICE
))
276 param
->spare
= al
->next
;
279 al
= whine_malloc(sizeof(struct addrlist
));
283 al
->next
= daemon
->interface_addrs
;
284 daemon
->interface_addrs
= al
;
285 al
->prefixlen
= prefixlen
;
287 if (addr
->sa
.sa_family
== AF_INET
)
289 al
->addr
.addr
.addr4
= addr
->in
.sin_addr
;
295 al
->addr
.addr
.addr6
= addr
->in6
.sin6_addr
;
296 al
->flags
= ADDRLIST_IPV6
;
303 if (addr
->sa
.sa_family
!= AF_INET6
|| !IN6_IS_ADDR_LINKLOCAL(&addr
->in6
.sin6_addr
))
306 struct interface_name
*int_name
;
309 struct auth_zone
*zone
;
310 struct auth_name_list
*name
;
312 /* Find subnets in auth_zones */
313 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
314 for (name
= zone
->interface_names
; name
; name
= name
->next
)
315 if (wildcard_match(name
->name
, label
))
317 if (addr
->sa
.sa_family
== AF_INET
&& (name
->flags
& AUTH4
))
322 param
->spare
= al
->next
;
325 al
= whine_malloc(sizeof(struct addrlist
));
329 al
->next
= zone
->subnet
;
331 al
->prefixlen
= prefixlen
;
332 al
->addr
.addr
.addr4
= addr
->in
.sin_addr
;
338 if (addr
->sa
.sa_family
== AF_INET6
&& (name
->flags
& AUTH6
))
343 param
->spare
= al
->next
;
346 al
= whine_malloc(sizeof(struct addrlist
));
350 al
->next
= zone
->subnet
;
352 al
->prefixlen
= prefixlen
;
353 al
->addr
.addr
.addr6
= addr
->in6
.sin6_addr
;
354 al
->flags
= ADDRLIST_IPV6
;
362 /* Update addresses from interface_names. These are a set independent
363 of the set we're listening on. */
364 for (int_name
= daemon
->int_names
; int_name
; int_name
= int_name
->next
)
365 if (strncmp(label
, int_name
->intr
, IF_NAMESIZE
) == 0 &&
366 (addr
->sa
.sa_family
== int_name
->family
|| int_name
->family
== 0))
371 param
->spare
= al
->next
;
374 al
= whine_malloc(sizeof(struct addrlist
));
378 al
->next
= int_name
->addr
;
381 if (addr
->sa
.sa_family
== AF_INET
)
383 al
->addr
.addr
.addr4
= addr
->in
.sin_addr
;
389 al
->addr
.addr
.addr6
= addr
->in6
.sin6_addr
;
390 al
->flags
= ADDRLIST_IPV6
;
391 /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
392 don't appear in forward queries, but will in reverse ones. */
393 if (!(iface_flags
& IFACE_PERMANENT
) || (iface_flags
& (IFACE_DEPRECATED
| IFACE_TENTATIVE
)))
394 al
->flags
|= ADDRLIST_REVONLY
;
401 /* check whether the interface IP has been added already
402 we call this routine multiple times. */
403 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
404 if (sockaddr_isequal(&iface
->addr
, addr
))
406 iface
->dad
= !!(iface_flags
& IFACE_TENTATIVE
);
407 iface
->found
= 1; /* for garbage collection */
411 /* If we are restricting the set of interfaces to use, make
412 sure that loopback interfaces are in that set. */
413 if (daemon
->if_names
&& loopback
)
416 for (lo
= daemon
->if_names
; lo
; lo
= lo
->next
)
417 if (lo
->name
&& strcmp(lo
->name
, ifr
.ifr_name
) == 0)
420 if (!lo
&& (lo
= whine_malloc(sizeof(struct iname
))))
422 if ((lo
->name
= whine_malloc(strlen(ifr
.ifr_name
)+1)))
424 strcpy(lo
->name
, ifr
.ifr_name
);
426 lo
->next
= daemon
->if_names
;
427 daemon
->if_names
= lo
;
434 if (addr
->sa
.sa_family
== AF_INET
&&
435 !iface_check(AF_INET
, (struct all_addr
*)&addr
->in
.sin_addr
, label
, &auth_dns
))
439 if (addr
->sa
.sa_family
== AF_INET6
&&
440 !iface_check(AF_INET6
, (struct all_addr
*)&addr
->in6
.sin6_addr
, label
, &auth_dns
))
445 /* No DHCP where we're doing auth DNS. */
452 for (tmp
= daemon
->dhcp_except
; tmp
; tmp
= tmp
->next
)
453 if (tmp
->name
&& wildcard_match(tmp
->name
, ifr
.ifr_name
))
462 if (daemon
->tftp_interfaces
)
464 /* dedicated tftp interface list */
466 for (tmp
= daemon
->tftp_interfaces
; tmp
; tmp
= tmp
->next
)
467 if (tmp
->name
&& wildcard_match(tmp
->name
, ifr
.ifr_name
))
473 if ((iface
= whine_malloc(sizeof(struct irec
))))
476 iface
->netmask
= netmask
;
477 iface
->tftp_ok
= tftp_ok
;
478 iface
->dhcp_ok
= dhcp_ok
;
479 iface
->dns_auth
= auth_dns
;
481 iface
->dad
= !!(iface_flags
& IFACE_TENTATIVE
);
483 iface
->done
= iface
->multicast_done
= iface
->warned
= 0;
484 iface
->index
= if_index
;
485 if ((iface
->name
= whine_malloc(strlen(ifr
.ifr_name
)+1)))
487 strcpy(iface
->name
, ifr
.ifr_name
);
488 iface
->next
= daemon
->interfaces
;
489 daemon
->interfaces
= iface
;
501 static int iface_allowed_v6(struct in6_addr
*local
, int prefix
,
502 int scope
, int if_index
, int flags
,
503 int preferred
, int valid
, void *vparam
)
505 union mysockaddr addr
;
506 struct in_addr netmask
; /* dummy */
509 (void)scope
; /* warning */
513 memset(&addr
, 0, sizeof(addr
));
514 #ifdef HAVE_SOCKADDR_SA_LEN
515 addr
.in6
.sin6_len
= sizeof(addr
.in6
);
517 addr
.in6
.sin6_family
= AF_INET6
;
518 addr
.in6
.sin6_addr
= *local
;
519 addr
.in6
.sin6_port
= htons(daemon
->port
);
520 /* FreeBSD insists this is zero for non-linklocal addresses */
521 if (IN6_IS_ADDR_LINKLOCAL(local
))
522 addr
.in6
.sin6_scope_id
= if_index
;
524 addr
.in6
.sin6_scope_id
= 0;
526 return iface_allowed((struct iface_param
*)vparam
, if_index
, NULL
, &addr
, netmask
, prefix
, flags
);
530 static int iface_allowed_v4(struct in_addr local
, int if_index
, char *label
,
531 struct in_addr netmask
, struct in_addr broadcast
, void *vparam
)
533 union mysockaddr addr
;
536 memset(&addr
, 0, sizeof(addr
));
537 #ifdef HAVE_SOCKADDR_SA_LEN
538 addr
.in
.sin_len
= sizeof(addr
.in
);
540 addr
.in
.sin_family
= AF_INET
;
541 addr
.in
.sin_addr
= broadcast
; /* warning */
542 addr
.in
.sin_addr
= local
;
543 addr
.in
.sin_port
= htons(daemon
->port
);
545 /* determine prefix length from netmask */
546 for (prefix
= 32, bit
= 1; (bit
& ntohl(netmask
.s_addr
)) == 0 && prefix
!= 0; bit
= bit
<< 1, prefix
--);
548 return iface_allowed((struct iface_param
*)vparam
, if_index
, label
, &addr
, netmask
, prefix
, 0);
551 int enumerate_interfaces(int reset
)
553 static struct addrlist
*spare
= NULL
;
555 struct iface_param param
;
556 int errsave
, ret
= 1;
557 struct addrlist
*addr
, *tmp
;
558 struct interface_name
*intname
;
561 struct auth_zone
*zone
;
564 /* Do this max once per select cycle - also inhibits netlink socket use
565 in TCP child processes. */
578 if ((param
.fd
= socket(PF_INET
, SOCK_DGRAM
, 0)) == -1)
581 /* Mark interfaces for garbage collection */
582 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
585 /* remove addresses stored against interface_names */
586 for (intname
= daemon
->int_names
; intname
; intname
= intname
->next
)
588 for (addr
= intname
->addr
; addr
; addr
= tmp
)
595 intname
->addr
= NULL
;
598 /* Remove list of addresses of local interfaces */
599 for (addr
= daemon
->interface_addrs
; addr
; addr
= tmp
)
605 daemon
->interface_addrs
= NULL
;
608 /* remove addresses stored against auth_zone subnets, but not
609 ones configured as address literals */
610 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
611 if (zone
->interface_names
)
613 struct addrlist
**up
;
614 for (up
= &zone
->subnet
, addr
= zone
->subnet
; addr
; addr
= tmp
)
617 if (addr
->flags
& ADDRLIST_LITERAL
)
632 ret
= iface_enumerate(AF_INET6
, ¶m
, iface_allowed_v6
);
636 ret
= iface_enumerate(AF_INET
, ¶m
, iface_allowed_v4
);
641 if (option_bool(OPT_CLEVERBIND
))
643 /* Garbage-collect listeners listening on addresses that no longer exist.
644 Does nothing when not binding interfaces or for listeners on localhost,
645 since the ->iface field is NULL. Note that this needs the protections
646 against re-entrancy, hence it's here. It also means there's a possibility,
647 in OPT_CLEVERBIND mode, that a listener will just disappear after
648 a call to enumerate_interfaces, this is checked OK on all calls. */
649 struct listener
*l
, *tmp
, **up
;
651 for (up
= &daemon
->listeners
, l
= daemon
->listeners
; l
; l
= tmp
)
655 if (!l
->iface
|| l
->iface
->found
)
661 /* In case it ever returns */
682 /* set NONBLOCK bit on fd: See Stevens 16.6 */
687 if ((flags
= fcntl(fd
, F_GETFL
)) == -1 ||
688 fcntl(fd
, F_SETFL
, flags
| O_NONBLOCK
) == -1)
694 static int make_sock(union mysockaddr
*addr
, int type
, int dienow
)
696 int family
= addr
->sa
.sa_family
;
699 if ((fd
= socket(family
, type
, 0)) == -1)
704 /* No error if the kernel just doesn't support this IP flavour */
705 if (errno
== EPROTONOSUPPORT
||
706 errno
== EAFNOSUPPORT
||
712 port
= prettyprint_addr(addr
, daemon
->addrbuff
);
713 if (!option_bool(OPT_NOWILD
) && !option_bool(OPT_CLEVERBIND
))
714 sprintf(daemon
->addrbuff
, "port %d", port
);
715 s
= _("failed to create listening socket for %s: %s");
724 /* failure to bind addresses given by --listen-address at this point
725 is OK if we're doing bind-dynamic */
726 if (!option_bool(OPT_CLEVERBIND
))
727 die(s
, daemon
->addrbuff
, EC_BADNET
);
730 my_syslog(LOG_WARNING
, s
, daemon
->addrbuff
, strerror(errno
));
735 if (setsockopt(fd
, SOL_SOCKET
, SO_REUSEADDR
, &opt
, sizeof(opt
)) == -1 || !fix_fd(fd
))
739 if (family
== AF_INET6
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &opt
, sizeof(opt
)) == -1)
743 if ((rc
= bind(fd
, (struct sockaddr
*)addr
, sa_len(addr
))) == -1)
746 if (type
== SOCK_STREAM
)
748 if (listen(fd
, 5) == -1)
751 else if (family
== AF_INET
)
753 if (!option_bool(OPT_NOWILD
))
755 #if defined(HAVE_LINUX_NETWORK)
756 if (setsockopt(fd
, IPPROTO_IP
, IP_PKTINFO
, &opt
, sizeof(opt
)) == -1)
758 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
759 if (setsockopt(fd
, IPPROTO_IP
, IP_RECVDSTADDR
, &opt
, sizeof(opt
)) == -1 ||
760 setsockopt(fd
, IPPROTO_IP
, IP_RECVIF
, &opt
, sizeof(opt
)) == -1)
766 else if (!set_ipv6pktinfo(fd
))
/* Ask the kernel to deliver IPv6 packet-info ancillary data on fd and record
   in daemon->v6pktinfo which control-message type to expect. tcp_interface()
   in this file compares cmsg_type against that recorded value.
   NOTE(review): the declaration of opt and the return statements are not
   present in this listing; callers in this file treat a zero result as
   failure. */
774 int set_ipv6pktinfo(int fd
)
778 /* The API changed around Linux 2.6.14 but the old ABI is still supported:
779 handle all combinations of headers and kernel.
780 OpenWrt note that this fixes the problem addressed by your very broken patch. */
/* Default expectation; overwritten below only when the 2292 option is the
   one that the kernel accepted. */
781 daemon
->v6pktinfo
= IPV6_PKTINFO
;
783 #ifdef IPV6_RECVPKTINFO
784 if (setsockopt(fd
, IPPROTO_IPV6
, IPV6_RECVPKTINFO
, &opt
, sizeof(opt
)) != -1)
786 # ifdef IPV6_2292PKTINFO
/* Fallback is attempted only when the first call failed with ENOPROTOOPT. */
787 else if (errno
== ENOPROTOOPT
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_2292PKTINFO
, &opt
, sizeof(opt
)) != -1)
789 daemon
->v6pktinfo
= IPV6_2292PKTINFO
;
/* Path used when the headers do not define IPV6_RECVPKTINFO (the matching
   #else line is missing from this listing). */
794 if (setsockopt(fd
, IPPROTO_IPV6
, IPV6_PKTINFO
, &opt
, sizeof(opt
)) != -1)
803 /* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
804 int tcp_interface(int fd
, int af
)
808 #ifdef HAVE_LINUX_NETWORK
810 struct cmsghdr
*cmptr
;
813 /* use msghdr so that the CMSG_* macros are available */
/* The shared packet buffer daemon->packet is borrowed as the control-message
   buffer; nothing is received into it by recvmsg() here, it is filled by the
   getsockopt() calls below. */
814 msg
.msg_control
= daemon
->packet
;
815 msg
.msg_controllen
= daemon
->packet_buff_sz
;
817 /* we overwrote the buffer... */
818 daemon
->srv_save
= NULL
;
/* IPv4: enable IP_PKTINFO on the connection, fetch the packet options and
   walk the returned control messages for the IP_PKTINFO record.
   NOTE(review): msg.msg_controllen is handed to getsockopt() through a
   (socklen_t *) cast. If the field is wider than socklen_t (it looks like a
   struct msghdr member, which is size_t on LP64 Linux) only part of it is
   read and updated; confirm this is benign on 64-bit big-endian targets, or
   use a separate socklen_t variable. */
822 if (setsockopt(fd
, IPPROTO_IP
, IP_PKTINFO
, &opt
, sizeof(opt
)) != -1 &&
823 getsockopt(fd
, IPPROTO_IP
, IP_PKTOPTIONS
, msg
.msg_control
, (socklen_t
*)&msg
.msg_controllen
) != -1)
824 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
825 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
/* p is accessed as p.c and p.p below, so it appears to be a union overlaying
   the CMSG_DATA() pointer with a typed pointer - the union's opening lines
   are missing from this listing. */
829 struct in_pktinfo
*p
;
832 p
.c
= CMSG_DATA(cmptr
);
833 if_index
= p
.p
->ipi_ifindex
;
839 /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
840 it was removed in RFC-3542 !!!!
842 Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
843 uses the old ABI, and should work with pre- and post-3542 kernel headers */
845 #ifdef IPV6_2292PKTOPTIONS
846 # define PKTOPTIONS IPV6_2292PKTOPTIONS
848 # define PKTOPTIONS IPV6_PKTOPTIONS
/* IPv6: same approach. The control-message type is compared with
   daemon->v6pktinfo, which set_ipv6pktinfo() records when it succeeds. The
   same (socklen_t *) cast caveat as in the IPv4 branch applies here. */
851 if (set_ipv6pktinfo(fd
) &&
852 getsockopt(fd
, IPPROTO_IPV6
, PKTOPTIONS
, msg
.msg_control
, (socklen_t
*)&msg
.msg_controllen
) != -1)
854 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
855 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
859 struct in6_pktinfo
*p
;
861 p
.c
= CMSG_DATA(cmptr
);
863 if_index
= p
.p
->ipi6_ifindex
;
873 static struct listener
*create_listeners(union mysockaddr
*addr
, int do_tftp
, int dienow
)
875 struct listener
*l
= NULL
;
876 int fd
= -1, tcpfd
= -1, tftpfd
= -1;
880 if (daemon
->port
!= 0)
882 fd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
883 tcpfd
= make_sock(addr
, SOCK_STREAM
, dienow
);
889 if (addr
->sa
.sa_family
== AF_INET
)
891 /* port must be restored to DNS port for TCP code */
892 short save
= addr
->in
.sin_port
;
893 addr
->in
.sin_port
= htons(TFTP_PORT
);
894 tftpfd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
895 addr
->in
.sin_port
= save
;
900 short save
= addr
->in6
.sin6_port
;
901 addr
->in6
.sin6_port
= htons(TFTP_PORT
);
902 tftpfd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
903 addr
->in6
.sin6_port
= save
;
909 if (fd
!= -1 || tcpfd
!= -1 || tftpfd
!= -1)
911 l
= safe_malloc(sizeof(struct listener
));
913 l
->family
= addr
->sa
.sa_family
;
923 void create_wildcard_listeners(void)
925 union mysockaddr addr
;
926 struct listener
*l
, *l6
;
928 memset(&addr
, 0, sizeof(addr
));
929 #ifdef HAVE_SOCKADDR_SA_LEN
930 addr
.in
.sin_len
= sizeof(addr
.in
);
932 addr
.in
.sin_family
= AF_INET
;
933 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
934 addr
.in
.sin_port
= htons(daemon
->port
);
936 l
= create_listeners(&addr
, !!option_bool(OPT_TFTP
), 1);
939 memset(&addr
, 0, sizeof(addr
));
940 # ifdef HAVE_SOCKADDR_SA_LEN
941 addr
.in6
.sin6_len
= sizeof(addr
.in6
);
943 addr
.in6
.sin6_family
= AF_INET6
;
944 addr
.in6
.sin6_addr
= in6addr_any
;
945 addr
.in6
.sin6_port
= htons(daemon
->port
);
947 l6
= create_listeners(&addr
, !!option_bool(OPT_TFTP
), 1);
954 daemon
->listeners
= l
;
957 void create_bound_listeners(int dienow
)
959 struct listener
*new;
961 struct iname
*if_tmp
;
963 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
964 if (!iface
->done
&& !iface
->dad
&& iface
->found
&&
965 (new = create_listeners(&iface
->addr
, iface
->tftp_ok
, dienow
)))
968 new->next
= daemon
->listeners
;
969 daemon
->listeners
= new;
973 /* Check for --listen-address options that haven't been used because there's
974 no interface with a matching address. These may be valid: eg it's possible
975 to listen on 127.0.1.1 even if the loopback interface is 127.0.0.1
977 If the address isn't valid the bind() will fail and we'll die()
978 (except in bind-dynamic mode, when we'll complain but keep trying.)
980 The resulting listeners have the ->iface field NULL, and this has to be
981 handled by the DNS and TFTP code. It disables --localise-queries processing
982 (no netmask) and some MTU logic in the tftp code. */
984 for (if_tmp
= daemon
->if_addrs
; if_tmp
; if_tmp
= if_tmp
->next
)
986 (new = create_listeners(&if_tmp
->addr
, !!option_bool(OPT_TFTP
), dienow
)))
988 new->next
= daemon
->listeners
;
989 daemon
->listeners
= new;
993 /* In --bind-interfaces, the only access control is the addresses we're listening on.
994 There's nothing to avoid a query to the address of an internal interface arriving via
995 an external interface where we don't want to accept queries, except that in the usual
996 case the addresses of internal interfaces are RFC1918. When bind-interfaces is in use,
997 and we listen on an address that looks like it's probably globally routable, shout.
999 The fix is to use --bind-dynamic, which actually checks the arrival interface too.
1000 Tough if your platform doesn't support this.
1002 Note that checking the arrival interface is supported in the standard IPv6 API and
1003 always done, so we don't warn about any IPv6 addresses here.
1006 void warn_bound_listeners(void)
/* Walk daemon->interfaces and, for every IPv4 entry that is not marked
   dns_auth, log a warning when private_net() reports the address as not
   private. Each such entry is flagged warned, and advice is set so that the
   closing recommendation to use --bind-dynamic can be logged.
   NOTE(review): the meaning of the second argument (1) to private_net() and
   the test guarding the final my_syslog() are not visible in this listing. */
1011 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1012 if (!iface
->dns_auth
)
1014 if (iface
->addr
.sa
.sa_family
== AF_INET
)
1016 if (!private_net(iface
->addr
.in
.sin_addr
, 1))
/* The address is formatted into the shared daemon->addrbuff, bounded by
   ADDRSTRLEN, for use in the log message only. */
1018 inet_ntop(AF_INET
, &iface
->addr
.in
.sin_addr
, daemon
->addrbuff
, ADDRSTRLEN
);
1019 iface
->warned
= advice
= 1;
1020 my_syslog(LOG_WARNING
,
1021 _("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"),
1022 daemon
->addrbuff
, iface
->name
);
1028 my_syslog(LOG_WARNING
, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));
1031 void warn_int_names(void)
1033 struct interface_name
*intname
;
1035 for (intname
= daemon
->int_names
; intname
; intname
= intname
->next
)
1037 my_syslog(LOG_WARNING
, _("warning: no addresses found for interface %s"), intname
->intr
);
1040 int is_dad_listeners(void)
1044 if (option_bool(OPT_NOWILD
))
1045 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1046 if (iface
->dad
&& !iface
->done
)
1053 void join_multicast(int dienow
)
1055 struct irec
*iface
, *tmp
;
1057 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1058 if (iface
->addr
.sa
.sa_family
== AF_INET6
&& iface
->dhcp_ok
&& !iface
->multicast_done
)
1060 /* There's an irec per address but we only want to join for multicast
1061 once per interface. Weed out duplicates. */
1062 for (tmp
= daemon
->interfaces
; tmp
; tmp
= tmp
->next
)
1063 if (tmp
->multicast_done
&& tmp
->index
== iface
->index
)
1066 iface
->multicast_done
= 1;
1070 struct ipv6_mreq mreq
;
1073 mreq
.ipv6mr_interface
= iface
->index
;
1075 inet_pton(AF_INET6
, ALL_RELAY_AGENTS_AND_SERVERS
, &mreq
.ipv6mr_multiaddr
);
1077 if ((daemon
->doing_dhcp6
|| daemon
->relay6
) &&
1078 setsockopt(daemon
->dhcp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1081 inet_pton(AF_INET6
, ALL_SERVERS
, &mreq
.ipv6mr_multiaddr
);
1083 if (daemon
->doing_dhcp6
&&
1084 setsockopt(daemon
->dhcp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1087 inet_pton(AF_INET6
, ALL_ROUTERS
, &mreq
.ipv6mr_multiaddr
);
1089 if (daemon
->doing_ra
&&
1090 setsockopt(daemon
->icmp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1095 char *s
= _("interface %s failed to join DHCPv6 multicast group: %s");
1097 die(s
, iface
->name
, EC_BADNET
);
1099 my_syslog(LOG_ERR
, s
, iface
->name
, strerror(errno
));
1106 /* return a UDP socket bound to a random port, have to cope with straying into
1107 occupied port nos and reserved ones. */
1108 int random_sock(int family
)
1112 if ((fd
= socket(family
, SOCK_DGRAM
, 0)) != -1)
1114 union mysockaddr addr
;
/* Size of the usable range [min_port, 65535]. With min_port == 0 this is
   65536, which truncates to 0 when cast to unsigned short below; that cast
   is only evaluated under the min_port != 0 test, so no modulo by zero. */
1115 unsigned int ports_avail
= 65536u - (unsigned short)daemon
->min_port
;
/* Retry budget: 100 attempts, or three per available port when fewer than
   30 ports are available. */
1116 int tries
= ports_avail
< 30 ? 3 * ports_avail
: 100;
1118 memset(&addr
, 0, sizeof(addr
));
1119 addr
.sa
.sa_family
= family
;
1121 /* don't loop forever if all ports in use. */
/* The port choice comes solely from rand16(), defined elsewhere.
   NOTE(review): if this socket carries upstream queries, the predictability
   of rand16() bounds how hard spoofed replies are to land; confirm how it is
   seeded. The reduction by modulo below is slightly biased whenever 65536 is
   not a multiple of ports_avail. */
1126 unsigned short port
= rand16();
1128 if (daemon
->min_port
!= 0)
1129 port
= htons(daemon
->min_port
+ (port
% ((unsigned short)ports_avail
)));
1131 if (family
== AF_INET
)
1133 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1134 addr
.in
.sin_port
= port
;
1135 #ifdef HAVE_SOCKADDR_SA_LEN
1136 addr
.in
.sin_len
= sizeof(struct sockaddr_in
);
1142 addr
.in6
.sin6_addr
= in6addr_any
;
1143 addr
.in6
.sin6_port
= port
;
1144 #ifdef HAVE_SOCKADDR_SA_LEN
1145 addr
.in6
.sin6_len
= sizeof(struct sockaddr_in6
);
/* A successful bind ends the search. EADDRINUSE and EACCES are the two
   errors singled out by the test that follows; the statements taken on each
   outcome are missing from this listing. */
1150 if (bind(fd
, (struct sockaddr
*)&addr
, sa_len(&addr
)) == 0)
1153 if (errno
!= EADDRINUSE
&& errno
!= EACCES
)
/* Bind fd to the source address in addr and, where SO_BINDTODEVICE exists
   and intname is non-empty, to the named interface as well. The caller's
   addr is never modified: all changes are made to a local copy.
   NOTE(review): return statements are not present in this listing;
   allocate_sfd() in this file treats a zero result as failure. */
1164 int local_bind(int fd
, union mysockaddr
*addr
, char *intname
, int is_tcp
)
1166 union mysockaddr addr_copy
= *addr
;
1168 /* cannot set source _port_ for TCP connections. */
/* The port in the copy is zeroed here - presumably only when is_tcp is set;
   the guarding test is missing from this listing. */
1171 if (addr_copy
.sa
.sa_family
== AF_INET
)
1172 addr_copy
.in
.sin_port
= 0;
1175 addr_copy
.in6
.sin6_port
= 0;
1179 if (bind(fd
, (struct sockaddr
*)&addr_copy
, sa_len(&addr_copy
)) == -1)
1182 #if defined(SO_BINDTODEVICE)
/* An empty intname skips the device bind entirely.
   NOTE(review): the option length passed is the constant IF_NAMESIZE rather
   than the string length, so intname must point at storage of at least
   IF_NAMESIZE bytes; confirm that holds for every caller. */
1183 if (intname
[0] != 0 &&
1184 setsockopt(fd
, SOL_SOCKET
, SO_BINDTODEVICE
, intname
, IF_NAMESIZE
) == -1)
/* Find or create the serverfd entry for the (source address, interface)
   pair: an existing entry on daemon->sfds is matched by sockaddr_isequal()
   and an exact strcmp() on the interface name; otherwise a new UDP socket is
   created, bound with local_bind(), passed through fix_fd() and pushed onto
   the head of daemon->sfds.
   NOTE(review): return statements and the failure clean-up are not present
   in this listing. */
1191 static struct serverfd
*allocate_sfd(union mysockaddr
*addr
, char *intname
)
1193 struct serverfd
*sfd
;
1196 /* when using random ports, servers which would otherwise use
1197 the INADDR_ANY/port0 socket have sfd set to NULL */
1198 if (!daemon
->osport
&& intname
[0] == 0)
1202 if (addr
->sa
.sa_family
== AF_INET
&&
1203 addr
->in
.sin_addr
.s_addr
== INADDR_ANY
&&
1204 addr
->in
.sin_port
== htons(0))
1208 if (addr
->sa
.sa_family
== AF_INET6
&&
1209 memcmp(&addr
->in6
.sin6_addr
, &in6addr_any
, sizeof(in6addr_any
)) == 0 &&
1210 addr
->in6
.sin6_port
== htons(0))
1215 /* may have a suitable one already */
1216 for (sfd
= daemon
->sfds
; sfd
; sfd
= sfd
->next
)
1217 if (sockaddr_isequal(&sfd
->source_addr
, addr
) &&
1218 strcmp(intname
, sfd
->interface
) == 0)
1221 /* need to make a new one. */
/* errno is preset so that a caller reporting strerror(errno), as
   check_servers() does in this file, has a meaningful value if the
   allocation is what failed. */
1222 errno
= ENOMEM
; /* in case malloc fails. */
1223 if (!(sfd
= whine_malloc(sizeof(struct serverfd
))))
1226 if ((sfd
->fd
= socket(addr
->sa
.sa_family
, SOCK_DGRAM
, 0)) == -1)
1232 if (!local_bind(sfd
->fd
, addr
, intname
, 0) || !fix_fd(sfd
->fd
))
1234 errsave
= errno
; /* save error from bind. */
/* NOTE(review): unbounded strcpy() into sfd->interface. The size of that
   field is not visible here; the copy is safe only if every intname reaching
   this point was already length-limited to fit - confirm against the option
   parser and the struct definition. */
1241 strcpy(sfd
->interface
, intname
);
1242 sfd
->source_addr
= *addr
;
1243 sfd
->next
= daemon
->sfds
;
1248 /* create upstream sockets during startup, before root is dropped, as root may be needed;
1249 this allows query_port to be a low port and allows interface binding */
1250 void pre_allocate_sfds(void)
1254 if (daemon
->query_port
!= 0)
1256 union mysockaddr addr
;
1257 memset(&addr
, 0, sizeof(addr
));
1258 addr
.in
.sin_family
= AF_INET
;
1259 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1260 addr
.in
.sin_port
= htons(daemon
->query_port
);
1261 #ifdef HAVE_SOCKADDR_SA_LEN
1262 addr
.in
.sin_len
= sizeof(struct sockaddr_in
);
1264 allocate_sfd(&addr
, "");
1266 memset(&addr
, 0, sizeof(addr
));
1267 addr
.in6
.sin6_family
= AF_INET6
;
1268 addr
.in6
.sin6_addr
= in6addr_any
;
1269 addr
.in6
.sin6_port
= htons(daemon
->query_port
);
1270 #ifdef HAVE_SOCKADDR_SA_LEN
1271 addr
.in6
.sin6_len
= sizeof(struct sockaddr_in6
);
1273 allocate_sfd(&addr
, "");
1277 for (srv
= daemon
->servers
; srv
; srv
= srv
->next
)
1278 if (!(srv
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
| SERV_USE_RESOLV
| SERV_NO_REBIND
)) &&
1279 !allocate_sfd(&srv
->source_addr
, srv
->interface
) &&
1281 option_bool(OPT_NOWILD
))
1283 prettyprint_addr(&srv
->source_addr
, daemon
->namebuff
);
1284 if (srv
->interface
[0] != 0)
1286 strcat(daemon
->namebuff
, " ");
1287 strcat(daemon
->namebuff
, srv
->interface
);
1289 die(_("failed to bind server socket for %s: %s"),
1290 daemon
->namebuff
, EC_BADNET
);
1294 void mark_servers(int flag
)
1296 struct server
*serv
;
1298 /* mark everything with argument flag */
1299 for (serv
= daemon
->servers
; serv
; serv
= serv
->next
)
1301 if (serv
->flags
& flag
)
1302 serv
->flags
|= SERV_MARK
;
1304 /* Give looped servers another chance */
1305 serv
->flags
&= ~SERV_LOOP
;
1310 void cleanup_servers(void)
1312 struct server
*serv
, *tmp
, **up
;
1314 /* unlink and free anything still marked. */
1315 for (serv
= daemon
->servers
, up
= &daemon
->servers
; serv
; serv
= tmp
)
1318 if (serv
->flags
& SERV_MARK
)
1331 /* Now we have a new set of servers, test for loops. */
1336 void add_update_server(int flags
,
1337 union mysockaddr
*addr
,
1338 union mysockaddr
*source_addr
,
1339 const char *interface
,
1342 struct server
*serv
, *next
= NULL
;
1343 char *domain_str
= NULL
;
1345 /* See if there is a suitable candidate, and unmark */
1346 for (serv
= daemon
->servers
; serv
; serv
= serv
->next
)
1347 if (serv
->flags
& SERV_MARK
)
1351 if (!(serv
->flags
& SERV_HAS_DOMAIN
) || !hostname_isequal(domain
, serv
->domain
))
1356 if (serv
->flags
& SERV_HAS_DOMAIN
)
1365 domain_str
= serv
->domain
;
1368 else if ((serv
= whine_malloc(sizeof (struct server
))))
1370 /* Not found, create a new one. */
1371 if (domain
&& !(domain_str
= whine_malloc(strlen(domain
)+1)))
1379 /* Add to the end of the chain, for order */
1380 if (!daemon
->servers
)
1381 daemon
->servers
= serv
;
1384 for (s
= daemon
->servers
; s
->next
; s
= s
->next
);
1388 strcpy(domain_str
, domain
);
1394 memset(serv
, 0, sizeof(struct server
));
1395 serv
->flags
= flags
;
1396 serv
->domain
= domain_str
;
1398 serv
->queries
= serv
->failed_queries
= 0;
1400 serv
->uid
= rand32();
1404 serv
->flags
|= SERV_HAS_DOMAIN
;
1407 strcpy(serv
->interface
, interface
);
1411 serv
->source_addr
= *source_addr
;
1415 void check_servers(void)
1418 struct server
*serv
;
1421 /* interface may be new since startup */
1422 if (!option_bool(OPT_NOWILD
))
1423 enumerate_interfaces(0);
1425 for (serv
= daemon
->servers
; serv
; serv
= serv
->next
)
1427 if (!(serv
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
| SERV_USE_RESOLV
| SERV_NO_REBIND
)))
1429 port
= prettyprint_addr(&serv
->addr
, daemon
->namebuff
);
1431 /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
1432 if (serv
->addr
.sa
.sa_family
== AF_INET
&&
1433 serv
->addr
.in
.sin_addr
.s_addr
== 0)
1435 serv
->flags
|= SERV_MARK
;
1439 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1440 if (sockaddr_isequal(&serv
->addr
, &iface
->addr
))
1444 my_syslog(LOG_WARNING
, _("ignoring nameserver %s - local interface"), daemon
->namebuff
);
1445 serv
->flags
|= SERV_MARK
;
1449 /* Do we need a socket set? */
1451 !(serv
->sfd
= allocate_sfd(&serv
->source_addr
, serv
->interface
)) &&
1454 my_syslog(LOG_WARNING
,
1455 _("ignoring nameserver %s - cannot make/bind socket: %s"),
1456 daemon
->namebuff
, strerror(errno
));
1457 serv
->flags
|= SERV_MARK
;
1462 if (!(serv
->flags
& SERV_NO_REBIND
))
1464 if (serv
->flags
& (SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_USE_RESOLV
))
1467 if (!(serv
->flags
& SERV_HAS_DOMAIN
))
1468 s1
= _("unqualified"), s2
= _("names");
1469 else if (strlen(serv
->domain
) == 0)
1470 s1
= _("default"), s2
= "";
1472 s1
= _("domain"), s2
= serv
->domain
;
1474 if (serv
->flags
& SERV_NO_ADDR
)
1475 my_syslog(LOG_INFO
, _("using local addresses only for %s %s"), s1
, s2
);
1476 else if (serv
->flags
& SERV_USE_RESOLV
)
1477 my_syslog(LOG_INFO
, _("using standard nameservers for %s %s"), s1
, s2
);
1478 else if (!(serv
->flags
& SERV_LITERAL_ADDRESS
))
1479 my_syslog(LOG_INFO
, _("using nameserver %s#%d for %s %s"), daemon
->namebuff
, port
, s1
, s2
);
1482 else if (serv
->flags
& SERV_LOOP
)
1483 my_syslog(LOG_INFO
, _("NOT using nameserver %s#%d - query loop detected"), daemon
->namebuff
, port
);
1485 else if (serv
->interface
[0] != 0)
1486 my_syslog(LOG_INFO
, _("using nameserver %s#%d(via %s)"), daemon
->namebuff
, port
, serv
->interface
);
1488 my_syslog(LOG_INFO
, _("using nameserver %s#%d"), daemon
->namebuff
, port
);
1495 /* Return zero if no servers found, in that case we keep polling.
1496 This is a protection against an update-time/write race on resolv.conf */
1497 int reload_servers(char *fname
)
1503 /* buff happens to be MAXDNAME long... */
1504 if (!(f
= fopen(fname
, "r")))
1506 my_syslog(LOG_ERR
, _("failed to read %s: %s"), fname
, strerror(errno
));
1510 mark_servers(SERV_FROM_RESOLV
);
1512 while ((line
= fgets(daemon
->namebuff
, MAXDNAME
, f
)))
1514 union mysockaddr addr
, source_addr
;
1515 char *token
= strtok(line
, " \t\n\r");
1519 if (strcmp(token
, "nameserver") != 0 && strcmp(token
, "server") != 0)
1521 if (!(token
= strtok(NULL
, " \t\n\r")))
1524 memset(&addr
, 0, sizeof(addr
));
1525 memset(&source_addr
, 0, sizeof(source_addr
));
1527 if ((addr
.in
.sin_addr
.s_addr
= inet_addr(token
)) != (in_addr_t
) -1)
1529 #ifdef HAVE_SOCKADDR_SA_LEN
1530 source_addr
.in
.sin_len
= addr
.in
.sin_len
= sizeof(source_addr
.in
);
1532 source_addr
.in
.sin_family
= addr
.in
.sin_family
= AF_INET
;
1533 addr
.in
.sin_port
= htons(NAMESERVER_PORT
);
1534 source_addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1535 source_addr
.in
.sin_port
= htons(daemon
->query_port
);
1540 int scope_index
= 0;
1541 char *scope_id
= strchr(token
, '%');
1546 scope_index
= if_nametoindex(scope_id
);
1549 if (inet_pton(AF_INET6
, token
, &addr
.in6
.sin6_addr
) > 0)
1551 #ifdef HAVE_SOCKADDR_SA_LEN
1552 source_addr
.in6
.sin6_len
= addr
.in6
.sin6_len
= sizeof(source_addr
.in6
);
1554 source_addr
.in6
.sin6_family
= addr
.in6
.sin6_family
= AF_INET6
;
1555 source_addr
.in6
.sin6_flowinfo
= addr
.in6
.sin6_flowinfo
= 0;
1556 addr
.in6
.sin6_port
= htons(NAMESERVER_PORT
);
1557 addr
.in6
.sin6_scope_id
= scope_index
;
1558 source_addr
.in6
.sin6_addr
= in6addr_any
;
1559 source_addr
.in6
.sin6_port
= htons(daemon
->query_port
);
1560 source_addr
.in6
.sin6_scope_id
= 0;
1570 add_update_server(SERV_FROM_RESOLV
, &addr
, &source_addr
, NULL
, NULL
);
1580 /* Called when addresses are added or deleted from an interface */
1581 void newaddress(time_t now
)
1585 if (option_bool(OPT_CLEVERBIND
) || option_bool(OPT_LOCAL_SERVICE
) ||
1586 daemon
->doing_dhcp6
|| daemon
->relay6
|| daemon
->doing_ra
)
1587 enumerate_interfaces(0);
1589 if (option_bool(OPT_CLEVERBIND
))
1590 create_bound_listeners(0);
1593 if (daemon
->doing_dhcp6
|| daemon
->relay6
|| daemon
->doing_ra
)
1596 if (daemon
->doing_dhcp6
|| daemon
->doing_ra
)
1597 dhcp_construct_contexts(now
);
1599 if (daemon
->doing_dhcp6
)
1600 lease_find_interfaces(now
);