]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2076 from keszybz/downgrade-masked-unit-message
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <netinet/tcp.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "fd-util.h"
28 #include "hostname-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "resolved-mdns.h"
34 #include "socket-util.h"
35 #include "strv.h"
36
37 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
38 #define MULTICAST_RATELIMIT_BURST 1000
39
40 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
41 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
42 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
43
44 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
45 DnsScope *s;
46
47 assert(m);
48 assert(ret);
49
50 s = new0(DnsScope, 1);
51 if (!s)
52 return -ENOMEM;
53
54 s->manager = m;
55 s->link = l;
56 s->protocol = protocol;
57 s->family = family;
58 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
59
60 LIST_PREPEND(scopes, m->dns_scopes, s);
61
62 dns_scope_llmnr_membership(s, true);
63 dns_scope_mdns_membership(s, true);
64
65 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
66
67 /* Enforce ratelimiting for the multicast protocols */
68 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
69
70 *ret = s;
71 return 0;
72 }
73
74 static void dns_scope_abort_transactions(DnsScope *s) {
75 assert(s);
76
77 while (s->transactions) {
78 DnsTransaction *t = s->transactions;
79
80 /* Abort the transaction, but make sure it is not
81 * freed while we still look at it */
82
83 t->block_gc++;
84 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
85 t->block_gc--;
86
87 dns_transaction_free(t);
88 }
89 }
90
91 DnsScope* dns_scope_free(DnsScope *s) {
92 DnsResourceRecord *rr;
93
94 if (!s)
95 return NULL;
96
97 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
98
99 dns_scope_llmnr_membership(s, false);
100 dns_scope_mdns_membership(s, false);
101 dns_scope_abort_transactions(s);
102
103 while (s->query_candidates)
104 dns_query_candidate_free(s->query_candidates);
105
106 hashmap_free(s->transactions_by_key);
107
108 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
109 dns_resource_record_unref(rr);
110
111 ordered_hashmap_free(s->conflict_queue);
112 sd_event_source_unref(s->conflict_event_source);
113
114 dns_cache_flush(&s->cache);
115 dns_zone_flush(&s->zone);
116
117 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
118 free(s);
119
120 return NULL;
121 }
122
123 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
124 assert(s);
125
126 if (s->protocol != DNS_PROTOCOL_DNS)
127 return NULL;
128
129 if (s->link)
130 return link_get_dns_server(s->link);
131 else
132 return manager_get_dns_server(s->manager);
133 }
134
135 void dns_scope_next_dns_server(DnsScope *s) {
136 assert(s);
137
138 if (s->protocol != DNS_PROTOCOL_DNS)
139 return;
140
141 if (s->link)
142 link_next_dns_server(s->link);
143 else
144 manager_next_dns_server(s->manager);
145 }
146
147 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
148 assert(s);
149
150 if (rtt <= s->max_rtt)
151 return;
152
153 s->max_rtt = rtt;
154 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
155 }
156
157 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
158 assert(s);
159
160 if (s->resend_timeout <= usec)
161 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
162 }
163
164 static int dns_scope_emit_one(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
165 union in_addr_union addr;
166 int ifindex = 0, r;
167 int family;
168 uint32_t mtu;
169 size_t saved_size = 0;
170
171 assert(s);
172 assert(p);
173 assert(p->protocol == s->protocol);
174 assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
175
176 if (s->link) {
177 mtu = s->link->mtu;
178 ifindex = s->link->ifindex;
179 } else
180 mtu = manager_find_mtu(s->manager);
181
182 switch (s->protocol) {
183 case DNS_PROTOCOL_DNS:
184 assert(server);
185
186 if (DNS_PACKET_QDCOUNT(p) > 1)
187 return -EOPNOTSUPP;
188
189 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
190 bool edns_do;
191 size_t packet_size;
192
193 edns_do = server->possible_features >= DNS_SERVER_FEATURE_LEVEL_DO;
194
195 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_LARGE)
196 packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
197 else
198 packet_size = server->received_udp_packet_max;
199
200 r = dns_packet_append_opt_rr(p, packet_size, edns_do, &saved_size);
201 if (r < 0)
202 return r;
203
204 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) + 1);
205 }
206
207 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
208 return -EMSGSIZE;
209
210 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
211 return -EMSGSIZE;
212
213 r = manager_write(s->manager, fd, p);
214 if (r < 0)
215 return r;
216
217 if (saved_size > 0) {
218 dns_packet_truncate(p, saved_size);
219
220 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) - 1);
221 }
222
223 break;
224
225 case DNS_PROTOCOL_LLMNR:
226 if (DNS_PACKET_QDCOUNT(p) > 1)
227 return -EOPNOTSUPP;
228
229 if (!ratelimit_test(&s->ratelimit))
230 return -EBUSY;
231
232 family = s->family;
233
234 if (family == AF_INET) {
235 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
236 fd = manager_llmnr_ipv4_udp_fd(s->manager);
237 } else if (family == AF_INET6) {
238 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
239 fd = manager_llmnr_ipv6_udp_fd(s->manager);
240 } else
241 return -EAFNOSUPPORT;
242 if (fd < 0)
243 return fd;
244
245 r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
246 if (r < 0)
247 return r;
248
249 break;
250
251 case DNS_PROTOCOL_MDNS:
252 if (!ratelimit_test(&s->ratelimit))
253 return -EBUSY;
254
255 family = s->family;
256
257 if (family == AF_INET) {
258 addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
259 fd = manager_mdns_ipv4_fd(s->manager);
260 } else if (family == AF_INET6) {
261 addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
262 fd = manager_mdns_ipv6_fd(s->manager);
263 } else
264 return -EAFNOSUPPORT;
265 if (fd < 0)
266 return fd;
267
268 r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
269 if (r < 0)
270 return r;
271
272 break;
273
274 default:
275 return -EAFNOSUPPORT;
276 }
277
278 return 1;
279 }
280
281 int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
282 int r;
283
284 assert(s);
285 assert(p);
286 assert(p->protocol == s->protocol);
287 assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
288
289 do {
290 /* If there are multiple linked packets, set the TC bit in all but the last of them */
291 if (p->more) {
292 assert(p->protocol == DNS_PROTOCOL_MDNS);
293 dns_packet_set_flags(p, true, true);
294 }
295
296 r = dns_scope_emit_one(s, fd, server, p);
297 if (r < 0)
298 return r;
299
300 p = p->more;
301 } while(p);
302
303 return 0;
304 }
305
306 static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
307 DnsServer *srv = NULL;
308 _cleanup_close_ int fd = -1;
309 union sockaddr_union sa = {};
310 socklen_t salen;
311 static const int one = 1;
312 int ret, r;
313
314 assert(s);
315 assert((family == AF_UNSPEC) == !address);
316
317 if (family == AF_UNSPEC) {
318 srv = dns_scope_get_dns_server(s);
319 if (!srv)
320 return -ESRCH;
321
322 srv->possible_features = dns_server_possible_features(srv);
323
324 if (type == SOCK_DGRAM && srv->possible_features < DNS_SERVER_FEATURE_LEVEL_UDP)
325 return -EAGAIN;
326
327 sa.sa.sa_family = srv->family;
328 if (srv->family == AF_INET) {
329 sa.in.sin_port = htobe16(port);
330 sa.in.sin_addr = srv->address.in;
331 salen = sizeof(sa.in);
332 } else if (srv->family == AF_INET6) {
333 sa.in6.sin6_port = htobe16(port);
334 sa.in6.sin6_addr = srv->address.in6;
335 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
336 salen = sizeof(sa.in6);
337 } else
338 return -EAFNOSUPPORT;
339 } else {
340 sa.sa.sa_family = family;
341
342 if (family == AF_INET) {
343 sa.in.sin_port = htobe16(port);
344 sa.in.sin_addr = address->in;
345 salen = sizeof(sa.in);
346 } else if (family == AF_INET6) {
347 sa.in6.sin6_port = htobe16(port);
348 sa.in6.sin6_addr = address->in6;
349 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
350 salen = sizeof(sa.in6);
351 } else
352 return -EAFNOSUPPORT;
353 }
354
355 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
356 if (fd < 0)
357 return -errno;
358
359 if (type == SOCK_STREAM) {
360 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
361 if (r < 0)
362 return -errno;
363 }
364
365 if (s->link) {
366 uint32_t ifindex = htobe32(s->link->ifindex);
367
368 if (sa.sa.sa_family == AF_INET) {
369 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
370 if (r < 0)
371 return -errno;
372 } else if (sa.sa.sa_family == AF_INET6) {
373 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
374 if (r < 0)
375 return -errno;
376 }
377 }
378
379 if (s->protocol == DNS_PROTOCOL_LLMNR) {
380 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
381
382 if (sa.sa.sa_family == AF_INET) {
383 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
384 if (r < 0)
385 return -errno;
386 } else if (sa.sa.sa_family == AF_INET6) {
387 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
388 if (r < 0)
389 return -errno;
390 }
391 }
392
393 r = connect(fd, &sa.sa, salen);
394 if (r < 0 && errno != EINPROGRESS)
395 return -errno;
396
397 if (server)
398 *server = srv;
399
400 ret = fd;
401 fd = -1;
402
403 return ret;
404 }
405
406 int dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
407 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, 53, server);
408 }
409
410 int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
411 return dns_scope_socket(s, SOCK_STREAM, family, address, port, server);
412 }
413
414 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
415 DnsSearchDomain *d;
416
417 assert(s);
418 assert(domain);
419
420 /* Checks if the specified domain is something to look up on
421 * this scope. Note that this accepts non-qualified hostnames,
422 * i.e. those without any search path prefixed yet. */
423
424 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
425 return DNS_SCOPE_NO;
426
427 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
428 return DNS_SCOPE_NO;
429
430 /* Never resolve any loopback hostname or IP address via DNS,
431 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
432 * these. */
433 if (is_localhost(domain) ||
434 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
435 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
436 return DNS_SCOPE_NO;
437
438 /* Never respond to some of the domains listed in RFC6303 */
439 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
440 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
441 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
442 return DNS_SCOPE_NO;
443
444 /* Always honour search domains for routing queries. Note that
445 * we return DNS_SCOPE_YES here, rather than just
446 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
447 * considered anymore. */
448 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
449 if (dns_name_endswith(domain, d->name) > 0)
450 return DNS_SCOPE_YES;
451
452 switch (s->protocol) {
453
454 case DNS_PROTOCOL_DNS:
455
456 /* Exclude link-local IP ranges */
457 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
458 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
459 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
460 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
461 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
462 /* If networks use .local in their private setups, they are supposed to also add .local to their search
463 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
464 * send such queries ordinary DNS servers. */
465 dns_name_endswith(domain, "local") == 0)
466 return DNS_SCOPE_MAYBE;
467
468 return DNS_SCOPE_NO;
469
470 case DNS_PROTOCOL_MDNS:
471 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
472 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
473 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
474 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
475 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
476 return DNS_SCOPE_MAYBE;
477
478 return DNS_SCOPE_NO;
479
480 case DNS_PROTOCOL_LLMNR:
481 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
482 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
483 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
484 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
485 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
486 return DNS_SCOPE_MAYBE;
487
488 return DNS_SCOPE_NO;
489
490 default:
491 assert_not_reached("Unknown scope protocol");
492 }
493 }
494
495 int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
496 assert(s);
497 assert(key);
498
499 /* Check if it makes sense to resolve the specified key on
500 * this scope. Note that this call assumes as fully qualified
501 * name, i.e. the search suffixes already appended. */
502
503 if (s->protocol == DNS_PROTOCOL_DNS) {
504
505 /* On classic DNS, lookin up non-address RRs is always
506 * fine. (Specifically, we want to permit looking up
507 * DNSKEY and DS records on the root and top-level
508 * domains.) */
509 if (!dns_resource_key_is_address(key))
510 return true;
511
512 /* However, we refuse to look up A and AAAA RRs on the
513 * root and single-label domains, under the assumption
514 * that those should be resolved via LLMNR or search
515 * path only, and should not be leaked onto the
516 * internet. */
517 return !(dns_name_is_single_label(DNS_RESOURCE_KEY_NAME(key)) ||
518 dns_name_is_root(DNS_RESOURCE_KEY_NAME(key)));
519 }
520
521 /* On mDNS and LLMNR, send A and AAAA queries only on the
522 * respective scopes */
523
524 if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
525 return false;
526
527 if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
528 return false;
529
530 return true;
531 }
532
533 static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
534 int fd;
535
536 assert(s);
537 assert(s->link);
538
539 if (s->family == AF_INET) {
540 struct ip_mreqn mreqn = {
541 .imr_multiaddr = in,
542 .imr_ifindex = s->link->ifindex,
543 };
544
545 fd = manager_llmnr_ipv4_udp_fd(s->manager);
546 if (fd < 0)
547 return fd;
548
549 /* Always first try to drop membership before we add
550 * one. This is necessary on some devices, such as
551 * veth. */
552 if (b)
553 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
554
555 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
556 return -errno;
557
558 } else if (s->family == AF_INET6) {
559 struct ipv6_mreq mreq = {
560 .ipv6mr_multiaddr = in6,
561 .ipv6mr_interface = s->link->ifindex,
562 };
563
564 fd = manager_llmnr_ipv6_udp_fd(s->manager);
565 if (fd < 0)
566 return fd;
567
568 if (b)
569 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
570
571 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
572 return -errno;
573 } else
574 return -EAFNOSUPPORT;
575
576 return 0;
577 }
578
579 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
580
581 if (s->protocol != DNS_PROTOCOL_LLMNR)
582 return 0;
583
584 return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
585 }
586
587 int dns_scope_mdns_membership(DnsScope *s, bool b) {
588
589 if (s->protocol != DNS_PROTOCOL_MDNS)
590 return 0;
591
592 return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
593 }
594
595 static int dns_scope_make_reply_packet(
596 DnsScope *s,
597 uint16_t id,
598 int rcode,
599 DnsQuestion *q,
600 DnsAnswer *answer,
601 DnsAnswer *soa,
602 bool tentative,
603 DnsPacket **ret) {
604
605 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
606 unsigned i;
607 int r;
608
609 assert(s);
610 assert(ret);
611
612 if ((!q || q->n_keys <= 0)
613 && (!answer || answer->n_rrs <= 0)
614 && (!soa || soa->n_rrs <= 0))
615 return -EINVAL;
616
617 r = dns_packet_new(&p, s->protocol, 0);
618 if (r < 0)
619 return r;
620
621 DNS_PACKET_HEADER(p)->id = id;
622 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
623 1 /* qr */,
624 0 /* opcode */,
625 0 /* c */,
626 0 /* tc */,
627 tentative,
628 0 /* (ra) */,
629 0 /* (ad) */,
630 0 /* (cd) */,
631 rcode));
632
633 if (q) {
634 for (i = 0; i < q->n_keys; i++) {
635 r = dns_packet_append_key(p, q->keys[i], NULL);
636 if (r < 0)
637 return r;
638 }
639
640 DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
641 }
642
643 if (answer) {
644 for (i = 0; i < answer->n_rrs; i++) {
645 r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
646 if (r < 0)
647 return r;
648 }
649
650 DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
651 }
652
653 if (soa) {
654 for (i = 0; i < soa->n_rrs; i++) {
655 r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
656 if (r < 0)
657 return r;
658 }
659
660 DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
661 }
662
663 *ret = p;
664 p = NULL;
665
666 return 0;
667 }
668
669 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
670 unsigned n;
671
672 assert(s);
673 assert(p);
674
675 if (p->question)
676 for (n = 0; n < p->question->n_keys; n++)
677 dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
678 if (p->answer)
679 for (n = 0; n < p->answer->n_rrs; n++)
680 dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
681 }
682
683 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
684 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
685 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
686 DnsResourceKey *key = NULL;
687 bool tentative = false;
688 int r, fd;
689
690 assert(s);
691 assert(p);
692
693 if (p->protocol != DNS_PROTOCOL_LLMNR)
694 return;
695
696 if (p->ipproto == IPPROTO_UDP) {
697 /* Don't accept UDP queries directed to anything but
698 * the LLMNR multicast addresses. See RFC 4795,
699 * section 2.5. */
700
701 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
702 return;
703
704 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
705 return;
706 }
707
708 r = dns_packet_extract(p);
709 if (r < 0) {
710 log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
711 return;
712 }
713
714 if (DNS_PACKET_LLMNR_C(p)) {
715 /* Somebody notified us about a possible conflict */
716 dns_scope_verify_conflicts(s, p);
717 return;
718 }
719
720 assert(p->question->n_keys == 1);
721 key = p->question->keys[0];
722
723 r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative);
724 if (r < 0) {
725 log_debug_errno(r, "Failed to lookup key: %m");
726 return;
727 }
728 if (r == 0)
729 return;
730
731 if (answer)
732 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
733
734 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
735 if (r < 0) {
736 log_debug_errno(r, "Failed to build reply packet: %m");
737 return;
738 }
739
740 if (stream)
741 r = dns_stream_write_packet(stream, reply);
742 else {
743 if (!ratelimit_test(&s->ratelimit))
744 return;
745
746 if (p->family == AF_INET)
747 fd = manager_llmnr_ipv4_udp_fd(s->manager);
748 else if (p->family == AF_INET6)
749 fd = manager_llmnr_ipv6_udp_fd(s->manager);
750 else {
751 log_debug("Unknown protocol");
752 return;
753 }
754 if (fd < 0) {
755 log_debug_errno(fd, "Failed to get reply socket: %m");
756 return;
757 }
758
759 /* Note that we always immediately reply to all LLMNR
760 * requests, and do not wait any time, since we
761 * verified uniqueness for all records. Also see RFC
762 * 4795, Section 2.7 */
763
764 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
765 }
766
767 if (r < 0) {
768 log_debug_errno(r, "Failed to send reply packet: %m");
769 return;
770 }
771 }
772
773 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
774 DnsTransaction *t;
775
776 assert(scope);
777 assert(key);
778
779 /* Try to find an ongoing transaction that is a equal to the
780 * specified question */
781 t = hashmap_get(scope->transactions_by_key, key);
782 if (!t)
783 return NULL;
784
785 /* Refuse reusing transactions that completed based on cached
786 * data instead of a real packet, if that's requested. */
787 if (!cache_ok &&
788 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) &&
789 t->answer_source != DNS_TRANSACTION_NETWORK)
790 return NULL;
791
792 return t;
793 }
794
795 static int dns_scope_make_conflict_packet(
796 DnsScope *s,
797 DnsResourceRecord *rr,
798 DnsPacket **ret) {
799
800 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
801 int r;
802
803 assert(s);
804 assert(rr);
805 assert(ret);
806
807 r = dns_packet_new(&p, s->protocol, 0);
808 if (r < 0)
809 return r;
810
811 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
812 0 /* qr */,
813 0 /* opcode */,
814 1 /* conflict */,
815 0 /* tc */,
816 0 /* t */,
817 0 /* (ra) */,
818 0 /* (ad) */,
819 0 /* (cd) */,
820 0));
821 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
822 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
823 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
824
825 r = dns_packet_append_key(p, rr->key, NULL);
826 if (r < 0)
827 return r;
828
829 r = dns_packet_append_rr(p, rr, NULL, NULL);
830 if (r < 0)
831 return r;
832
833 *ret = p;
834 p = NULL;
835
836 return 0;
837 }
838
839 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
840 DnsScope *scope = userdata;
841 int r;
842
843 assert(es);
844 assert(scope);
845
846 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
847
848 for (;;) {
849 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
850 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
851
852 rr = ordered_hashmap_steal_first(scope->conflict_queue);
853 if (!rr)
854 break;
855
856 r = dns_scope_make_conflict_packet(scope, rr, &p);
857 if (r < 0) {
858 log_error_errno(r, "Failed to make conflict packet: %m");
859 return 0;
860 }
861
862 r = dns_scope_emit(scope, -1, NULL, p);
863 if (r < 0)
864 log_debug_errno(r, "Failed to send conflict packet: %m");
865 }
866
867 return 0;
868 }
869
870 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
871 usec_t jitter;
872 int r;
873
874 assert(scope);
875 assert(rr);
876
877 /* We don't send these queries immediately. Instead, we queue
878 * them, and send them after some jitter delay. */
879 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
880 if (r < 0) {
881 log_oom();
882 return r;
883 }
884
885 /* We only place one RR per key in the conflict
886 * messages, not all of them. That should be enough to
887 * indicate where there might be a conflict */
888 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
889 if (r == -EEXIST || r == 0)
890 return 0;
891 if (r < 0)
892 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
893
894 dns_resource_record_ref(rr);
895
896 if (scope->conflict_event_source)
897 return 0;
898
899 random_bytes(&jitter, sizeof(jitter));
900 jitter %= LLMNR_JITTER_INTERVAL_USEC;
901
902 r = sd_event_add_time(scope->manager->event,
903 &scope->conflict_event_source,
904 clock_boottime_or_monotonic(),
905 now(clock_boottime_or_monotonic()) + jitter,
906 LLMNR_JITTER_INTERVAL_USEC,
907 on_conflict_dispatch, scope);
908 if (r < 0)
909 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
910
911 return 0;
912 }
913
914 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
915 unsigned i;
916 int r;
917
918 assert(scope);
919 assert(p);
920
921 if (p->protocol != DNS_PROTOCOL_LLMNR)
922 return;
923
924 if (DNS_PACKET_RRCOUNT(p) <= 0)
925 return;
926
927 if (DNS_PACKET_LLMNR_C(p) != 0)
928 return;
929
930 if (DNS_PACKET_LLMNR_T(p) != 0)
931 return;
932
933 if (manager_our_packet(scope->manager, p))
934 return;
935
936 r = dns_packet_extract(p);
937 if (r < 0) {
938 log_debug_errno(r, "Failed to extract packet: %m");
939 return;
940 }
941
942 log_debug("Checking for conflicts...");
943
944 for (i = 0; i < p->answer->n_rrs; i++) {
945
946 /* Check for conflicts against the local zone. If we
947 * found one, we won't check any further */
948 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
949 if (r != 0)
950 continue;
951
952 /* Check for conflicts against the local cache. If so,
953 * send out an advisory query, to inform everybody */
954 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
955 if (r <= 0)
956 continue;
957
958 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
959 }
960 }
961
962 void dns_scope_dump(DnsScope *s, FILE *f) {
963 assert(s);
964
965 if (!f)
966 f = stdout;
967
968 fputs("[Scope protocol=", f);
969 fputs(dns_protocol_to_string(s->protocol), f);
970
971 if (s->link) {
972 fputs(" interface=", f);
973 fputs(s->link->name, f);
974 }
975
976 if (s->family != AF_UNSPEC) {
977 fputs(" family=", f);
978 fputs(af_to_name(s->family), f);
979 }
980
981 fputs("]\n", f);
982
983 if (!dns_zone_is_empty(&s->zone)) {
984 fputs("ZONE:\n", f);
985 dns_zone_dump(&s->zone, f);
986 }
987
988 if (!dns_cache_is_empty(&s->cache)) {
989 fputs("CACHE:\n", f);
990 dns_cache_dump(&s->cache, f);
991 }
992 }
993
994 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
995 assert(s);
996
997 if (s->protocol != DNS_PROTOCOL_DNS)
998 return NULL;
999
1000 if (s->link)
1001 return s->link->search_domains;
1002
1003 return s->manager->search_domains;
1004 }
1005
1006 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
1007 assert(s);
1008
1009 if (s->protocol != DNS_PROTOCOL_DNS)
1010 return false;
1011
1012 return dns_name_is_single_label(name);
1013 }
Unnamed repository; edit this file 'description' to name the repository.