[ipfire-2.x.git] / src / patches / dnsmasq / 0015-Eliminate-IPv6-privacy-addresses-from-interface-name.patch

From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 17 Dec 2014 12:41:56 +0000
Subject: [PATCH 15/98] Eliminate IPv6 privacy addresses from --interface-name
 answers.

---
 CHANGELOG     |  5 +++++
 src/auth.c    |  4 ++++
 src/dnsmasq.h |  1 +
 src/network.c | 12 ++++++++----
 src/rfc1035.c | 17 ++++++++++-------
 5 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 9e6c7aa4fd68..01f5208ec006 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,11 @@ version 2.73
 	    Fix breakage of --domain=<domain>,<subnet>,local - only reverse
 	    queries were intercepted. THis appears to have been broken 
 	    since 2.69. Thanks to Josh Stone for finding the bug.
+
+	    Eliminate IPv6 privacy addresses and deprecated addresses from
+	    the answers given by --interface-name. Note that reverse queries
+	    (ie looking for names, given addresses) are not affected. 
+	    Thanks to Michael Gorbach for the suggestion.
 	
 
 version 2.72
diff --git a/src/auth.c b/src/auth.c
index dd46566ec2cc..a327f16d8c0b 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -363,6 +363,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 if (((addrlist->flags & ADDRLIST_IPV6)  ? T_AAAA : T_A) == qtype &&
 		     (local_query || filter_zone(zone, flag, &addrlist->addr)))
 		   {
+#ifdef HAVE_IPV6
+		     if (addrlist->flags & ADDRLIST_REVONLY)
+		       continue;
+#endif
 		     found = 1;
 		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index ebb6b957812f..1dd61c5edba3 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -318,6 +318,7 @@ struct ds_config {
 
 #define ADDRLIST_LITERAL 1
 #define ADDRLIST_IPV6    2
+#define ADDRLIST_REVONLY 4
 
 struct addrlist {
   struct all_addr addr;
diff --git a/src/network.c b/src/network.c
index 99419f57951e..14d2af2ce313 100644
--- a/src/network.c
+++ b/src/network.c
@@ -236,7 +236,7 @@ struct iface_param {
 };
 
 static int iface_allowed(struct iface_param *param, int if_index, char *label,
-			 union mysockaddr *addr, struct in_addr netmask, int prefixlen, int dad) 
+			 union mysockaddr *addr, struct in_addr netmask, int prefixlen, int iface_flags) 
 {
   struct irec *iface;
   int mtu = 0, loopback;
@@ -388,6 +388,10 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		 {
 		    al->addr.addr.addr6 = addr->in6.sin6_addr;
 		    al->flags = ADDRLIST_IPV6;
+		    /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
+		       don't appear in forward queries, but will in reverse ones. */
+		    if (!(iface_flags & IFACE_PERMANENT) || (iface_flags & (IFACE_DEPRECATED | IFACE_TENTATIVE)))
+		      al->flags |= ADDRLIST_REVONLY;
 		 } 
 #endif
 	      }
@@ -399,7 +403,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   for (iface = daemon->interfaces; iface; iface = iface->next) 
     if (sockaddr_isequal(&iface->addr, addr))
       {
-	iface->dad = dad;
+	iface->dad = !!(iface_flags & IFACE_TENTATIVE);
 	iface->found = 1; /* for garbage collection */
 	return 1;
       }
@@ -474,7 +478,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
       iface->dhcp_ok = dhcp_ok;
       iface->dns_auth = auth_dns;
       iface->mtu = mtu;
-      iface->dad = dad;
+      iface->dad = !!(iface_flags & IFACE_TENTATIVE);
       iface->found = 1;
       iface->done = iface->multicast_done = iface->warned = 0;
       iface->index = if_index;
@@ -519,7 +523,7 @@ static int iface_allowed_v6(struct in6_addr *local, int prefix,
   else
     addr.in6.sin6_scope_id = 0;
   
-  return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, !!(flags & IFACE_TENTATIVE));
+  return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, flags);
 }
 #endif
 
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 8a7d2608dac5..bdeb3fb10e68 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1923,14 +1923,17 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  for (intr = daemon->int_names; intr; intr = intr->next)
 		    if (hostname_isequal(name, intr->name))
 		      {
-			ans = 1;
-			if (!dryrun)
-			  {
-			    
-			    for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
+			for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
 #ifdef HAVE_IPV6
-			      if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
+			  if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
 #endif
+			    {
+#ifdef HAVE_IPV6
+			      if (addrlist->flags & ADDRLIST_REVONLY)
+				continue;
+#endif	
+			      ans = 1;	
+			      if (!dryrun)
 				{
 				  gotit = 1;
 				  log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
@@ -1939,7 +1942,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 							  type == T_A ? "4" : "6", &addrlist->addr))
 				    anscount++;
 				}
-			  }
+			    }
 		      }
 		  
 		  if (!dryrun && !gotit)
-- 
2.1.0
Commit	Line	Data
6644c1c7 MT	1	From 476693678e778886b64d0b56e27eb7695cbcca99 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Wed, 17 Dec 2014 12:41:56 +0000
efbd3a9a	4	Subject: [PATCH 15/98] Eliminate IPv6 privacy addresses from --interface-name
6644c1c7 MT	5	answers.
	6
	7	---
	8	CHANGELOG \| 5 +++++
	9	src/auth.c \| 4 ++++
	10	src/dnsmasq.h \| 1 +
	11	src/network.c \| 12 ++++++++----
	12	src/rfc1035.c \| 17 ++++++++++-------
	13	5 files changed, 28 insertions(+), 11 deletions(-)
	14
	15	diff --git a/CHANGELOG b/CHANGELOG
	16	index 9e6c7aa4fd68..01f5208ec006 100644
	17	--- a/CHANGELOG
	18	+++ b/CHANGELOG
	19	@@ -14,6 +14,11 @@ version 2.73
	20	Fix breakage of --domain=<domain>,<subnet>,local - only reverse
	21	queries were intercepted. THis appears to have been broken
	22	since 2.69. Thanks to Josh Stone for finding the bug.
	23	+
	24	+ Eliminate IPv6 privacy addresses and deprecated addresses from
	25	+ the answers given by --interface-name. Note that reverse queries
	26	+ (ie looking for names, given addresses) are not affected.
	27	+ Thanks to Michael Gorbach for the suggestion.
	28
	29
	30	version 2.72
	31	diff --git a/src/auth.c b/src/auth.c
	32	index dd46566ec2cc..a327f16d8c0b 100644
	33	--- a/src/auth.c
	34	+++ b/src/auth.c
	35	@@ -363,6 +363,10 @@ size_t answer_auth(struct dns_header header, char limit, size_t qlen, time_t n
	36	if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == qtype &&
	37	(local_query \|\| filter_zone(zone, flag, &addrlist->addr)))
	38	{
	39	+#ifdef HAVE_IPV6
	40	+ if (addrlist->flags & ADDRLIST_REVONLY)
	41	+ continue;
	42	+#endif
	43	found = 1;
	44	log_query(F_FORWARD \| F_CONFIG \| flag, name, &addrlist->addr, NULL);
	45	if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
	46	diff --git a/src/dnsmasq.h b/src/dnsmasq.h
	47	index ebb6b957812f..1dd61c5edba3 100644
	48	--- a/src/dnsmasq.h
	49	+++ b/src/dnsmasq.h
	50	@@ -318,6 +318,7 @@ struct ds_config {
	51
	52	#define ADDRLIST_LITERAL 1
	53	#define ADDRLIST_IPV6 2
	54	+#define ADDRLIST_REVONLY 4
	55
	56	struct addrlist {
	57	struct all_addr addr;
	58	diff --git a/src/network.c b/src/network.c
	59	index 99419f57951e..14d2af2ce313 100644
	60	--- a/src/network.c
	61	+++ b/src/network.c
	62	@@ -236,7 +236,7 @@ struct iface_param {
	63	};
	64
	65	static int iface_allowed(struct iface_param param, int if_index, char label,
	66	- union mysockaddr *addr, struct in_addr netmask, int prefixlen, int dad)
	67	+ union mysockaddr *addr, struct in_addr netmask, int prefixlen, int iface_flags)
	68	{
69	struct irec *iface;
70	int mtu = 0, loopback;
71	@@ -388,6 +388,10 @@ static int iface_allowed(struct iface_param param, int if_index, char label,
72	{
73	al->addr.addr.addr6 = addr->in6.sin6_addr;
74	al->flags = ADDRLIST_IPV6;
75	+ /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
76	+ don't appear in forward queries, but will in reverse ones. */
77	+ if (!(iface_flags & IFACE_PERMANENT) \|\| (iface_flags & (IFACE_DEPRECATED \| IFACE_TENTATIVE)))
78	+ al->flags \|= ADDRLIST_REVONLY;
79	}
80	#endif
81	}
82	@@ -399,7 +403,7 @@ static int iface_allowed(struct iface_param param, int if_index, char label,
83	for (iface = daemon->interfaces; iface; iface = iface->next)
84	if (sockaddr_isequal(&iface->addr, addr))
85	{
86	- iface->dad = dad;
87	+ iface->dad = !!(iface_flags & IFACE_TENTATIVE);
88	iface->found = 1; /* for garbage collection */
89	return 1;
90	}
91	@@ -474,7 +478,7 @@ static int iface_allowed(struct iface_param param, int if_index, char label,
92	iface->dhcp_ok = dhcp_ok;
93	iface->dns_auth = auth_dns;
94	iface->mtu = mtu;
95	- iface->dad = dad;
96	+ iface->dad = !!(iface_flags & IFACE_TENTATIVE);
97	iface->found = 1;
98	iface->done = iface->multicast_done = iface->warned = 0;
99	iface->index = if_index;
100	@@ -519,7 +523,7 @@ static int iface_allowed_v6(struct in6_addr *local, int prefix,
101	else
102	addr.in6.sin6_scope_id = 0;
103
104	- return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, !!(flags & IFACE_TENTATIVE));
105	+ return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, flags);
106	}
107	#endif
108
109	diff --git a/src/rfc1035.c b/src/rfc1035.c
110	index 8a7d2608dac5..bdeb3fb10e68 100644
111	--- a/src/rfc1035.c
112	+++ b/src/rfc1035.c
113	@@ -1923,14 +1923,17 @@ size_t answer_request(struct dns_header header, char limit, size_t qlen,
114	for (intr = daemon->int_names; intr; intr = intr->next)
115	if (hostname_isequal(name, intr->name))
116	{
117	- ans = 1;
118	- if (!dryrun)
119	- {
120	-
121	- for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
122	+ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
123	#ifdef HAVE_IPV6
124	- if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
125	+ if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
126	#endif
127	+ {
128	+#ifdef HAVE_IPV6
129	+ if (addrlist->flags & ADDRLIST_REVONLY)
130	+ continue;
131	+#endif
132	+ ans = 1;
133	+ if (!dryrun)
134	{
135	gotit = 1;
136	log_query(F_FORWARD \| F_CONFIG \| flag, name, &addrlist->addr, NULL);
137	@@ -1939,7 +1942,7 @@ size_t answer_request(struct dns_header header, char limit, size_t qlen,
138	type == T_A ? "4" : "6", &addrlist->addr))
139	anscount++;
140	}
141	- }
142	+ }
143	}
144
145	if (!dryrun && !gotit)
146	--
147	2.1.0
148