]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix SEGV and failure to validate on x86_64.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
c47e3ba4 1/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
de37951c 255 /* retry on existing query, send to all available servers */
9e4abcb5 256 domain = forward->sentto->domain;
824af85b 257 forward->sentto->failed_queries++;
28866e95 258 if (!option_bool(OPT_ORDER))
de37951c 259 {
0a852541 260 forward->forwardall = 1;
3be34541 261 daemon->last_server = NULL;
de37951c 262 }
9e4abcb5 263 type = forward->sentto->flags & SERV_TYPE;
de37951c 264 if (!(start = forward->sentto->next))
3be34541 265 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
8ef5ada2 271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 272
3a237152 273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 274 /* table full - server failure. */
275 flags = F_NEG;
9e4abcb5
SK		 276
277 if (forward)
278 {
0a852541
SK		 279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
0a852541 282 forward->orig_id = ntohs(header->id);
316e2730 283 forward->new_id = get_id(crc);
832af0ba 284 forward->fd = udpfd;
0a852541
SK		 285 forward->crc = crc;
286 forward->forwardall = 0;
ed4c0767 287 forward->flags = 0;
28866e95
SK		 288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
572b41eb 290 if (header->hb4 & HB4_CD)
28866e95 291 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 292
28866e95
SK		 293 header->id = htons(forward->new_id);
294
8ef5ada2
SK		 295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
9e4abcb5
SK		 298 otherwise, use the one last known to work. */
299
8ef5ada2
SK		 300 if (type == 0)
301 {
28866e95 302 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
de37951c 315 {
3be34541 316 start = daemon->servers;
28866e95 317 if (!option_bool(OPT_ORDER))
8ef5ada2 318 forward->forwardall = 1;
de37951c 319 }
9e4abcb5
SK		 320 }
321 }
feba5c1d 322
9e4abcb5
SK		 323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
de37951c
SK		 329 struct server *firstsentto = start;
330 int forwarded = 0;
28866e95 331
797a7afb 332 if (option_bool(OPT_ADD_MAC))
60b68069 333 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 334
ed4c0767
SK		 335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
60b68069 337 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
3a237152
SK		 345#ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 347 {
60b68069 348 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
0fc2f313
SK		 349 header->hb4 |= HB4_CD;
350 }
3a237152
SK		 351#endif
352
9e4abcb5
SK		 353 while (1)
354 {
9e4abcb5
SK		 355 /* only send to servers dealing with our domain.
356 domain may be NULL, in which case server->domain
357 must be NULL also. */
358
de37951c 359 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 360 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
361 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 362 {
1a6bca81
SK		 363 int fd;
364
365 /* find server socket to use, may need to get random one. */
366 if (start->sfd)
367 fd = start->sfd->fd;
368 else
369 {
370#ifdef HAVE_IPV6
371 if (start->addr.sa.sa_family == AF_INET6)
372 {
373 if (!forward->rfd6 &&
374 !(forward->rfd6 = allocate_rfd(AF_INET6)))
375 break;
3927da46 376 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 377 fd = forward->rfd6->fd;
378 }
379 else
380#endif
381 {
382 if (!forward->rfd4 &&
383 !(forward->rfd4 = allocate_rfd(AF_INET)))
384 break;
3927da46 385 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 386 fd = forward->rfd4->fd;
387 }
7de060b0
SK		 388
389#ifdef HAVE_CONNTRACK
390 /* Copy connection mark of incoming query to outgoing connection. */
391 if (option_bool(OPT_CONNTRACK))
392 {
393 unsigned int mark;
797a7afb 394 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 395 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
396 }
397#endif
1a6bca81
SK		 398 }
399
400 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 401 &start->addr.sa,
fd9fa481
SK		 402 sa_len(&start->addr)) == -1)
403 {
404 if (retry_send())
405 continue;
406 }
407 else
9e4abcb5 408 {
cdeda28f
SK		 409 /* Keep info in case we want to re-send this packet */
410 daemon->srv_save = start;
411 daemon->packet_len = plen;
412
de37951c 413 if (!gotname)
3be34541 414 strcpy(daemon->namebuff, "query");
de37951c 415 if (start->addr.sa.sa_family == AF_INET)
3be34541 416 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 417 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 418#ifdef HAVE_IPV6
419 else
3be34541 420 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 421 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 422#endif
824af85b 423 start->queries++;
de37951c
SK		 424 forwarded = 1;
425 forward->sentto = start;
0a852541 426 if (!forward->forwardall)
de37951c 427 break;
0a852541 428 forward->forwardall++;
9e4abcb5
SK		 429 }
430 }
431
de37951c 432 if (!(start = start->next))
3be34541 433 start = daemon->servers;
9e4abcb5 434
de37951c 435 if (start == firstsentto)
9e4abcb5
SK		 436 break;
437 }
438
de37951c 439 if (forwarded)
824af85b 440 return 1;
de37951c 441
9e4abcb5
SK		 442 /* could not send on, prepare to return */
443 header->id = htons(forward->orig_id);
1a6bca81 444 free_frec(forward); /* cancel */
9e4abcb5
SK		 445 }
446
447 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 448 if (udpfd != -1)
449 {
cdeda28f 450 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 451 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 452 }
453
824af85b 454 return 0;
9e4abcb5
SK		 455}
456
ed4c0767 457static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 458 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 459{
36717eee 460 unsigned char *pheader, *sizep;
13d86c73 461 char **sets = 0;
832af0ba 462 int munged = 0, is_sign;
cdeda28f
SK		 463 size_t plen;
464
13d86c73
JD		 465#ifdef HAVE_IPSET
466 /* Similar algorithm to search_servers. */
467 struct ipsets *ipset_pos;
468 unsigned int namelen = strlen(daemon->namebuff);
469 unsigned int matchlen = 0;
470 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
471 {
472 unsigned int domainlen = strlen(ipset_pos->domain);
473 char *matchstart = daemon->namebuff + namelen - domainlen;
474 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
475 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
476 domainlen >= matchlen) {
477 matchlen = domainlen;
478 sets = ipset_pos->sets;
479 }
480 }
481#endif
482
feba5c1d 483 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 484 than we allow, trim it so that we don't get overlarge
485 requests for the client. We can't do this for signed packets. */
feba5c1d 486
ed4c0767 487 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 488 {
ed4c0767
SK		 489 if (!is_sign)
490 {
491 unsigned short udpsz;
492 unsigned char *psave = sizep;
493
494 GETSHORT(udpsz, sizep);
495 if (udpsz > daemon->edns_pktsz)
496 PUTSHORT(daemon->edns_pktsz, psave);
497 }
feba5c1d 498
ed4c0767
SK		 499 if (check_subnet && !check_source(header, plen, pheader, query_source))
500 {
501 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
502 return 0;
503 }
feba5c1d 504 }
ed4c0767 505
28866e95 506 /* RFC 4035 sect 4.6 para 3 */
237724c0 507 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 508 header->hb4 &= ~HB4_AD;
3a237152
SK		 509
510#ifdef HAVE_DNSSEC
511 if (option_bool(OPT_DNSSEC_VALID))
795501bc
SK		 512 header->hb4 &= ~HB4_AD;
513
a25720a3 514 if (!(header->hb4 & HB4_CD) && cache_secure)
3a237152
SK		 515 header->hb4 |= HB4_AD;
516#endif
517
572b41eb 518 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 519 return n;
520
feba5c1d 521 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 522 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 523 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 524 {
3d8df260 525 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 526 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 527 if (!option_bool(OPT_LOG))
0a852541
SK		 528 server->flags |= SERV_WARNED_RECURSIVE;
529 }
e292e93d 530
572b41eb 531 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 532 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 533 {
fd9fa481 534 munged = 1;
572b41eb
SK		 535 SET_RCODE(header, NXDOMAIN);
536 header->hb3 &= ~HB3_AA;
36717eee 537 }
fd9fa481 538 else
36717eee 539 {
572b41eb 540 if (RCODE(header) == NXDOMAIN &&
fd9fa481 541 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 542 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 543 {
544 /* if we forwarded a query for a locally known name (because it was for
545 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
546 since we know that the domain exists, even if upstream doesn't */
fd9fa481 547 munged = 1;
572b41eb
SK		 548 header->hb3 |= HB3_AA;
549 SET_RCODE(header, NOERROR);
feba5c1d 550 }
832af0ba 551
0fc2f313 552 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
824af85b 553 {
8ef5ada2 554 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 555 munged = 1;
556 }
feba5c1d 557 }
fd9fa481 558
a25720a3
SK		 559#ifdef HAVE_DNSSEC
560 if (no_cache && !(header->hb4 & HB4_CD))
561 {
562 if (option_bool(OPT_DNSSEC_PERMISS))
563 {
564 unsigned short type;
565 char types[20];
566
567 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
568 {
569 querystr("", types, type);
570 my_syslog(LOG_WARNING, _("DNSSEC validation failed: query %s%s"), daemon->namebuff, types);
571 }
572 else
573 my_syslog(LOG_WARNING, _("DNSSEC validation failed for unknown query"));
574 }
575 else
576 {
577 /* Bogus reply, turn into SERVFAIL */
578 SET_RCODE(header, SERVFAIL);
579 munged = 1;
580 }
581 }
582#endif
583
fd9fa481
SK		 584 /* do this after extract_addresses. Ensure NODATA reply and remove
585 nameserver info. */
586
587 if (munged)
588 {
589 header->ancount = htons(0);
590 header->nscount = htons(0);
591 header->arcount = htons(0);
592 }
593
36717eee
SK		 594 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
595 sections of the packet. Find the new length here and put back pseudoheader
596 if it was removed. */
597 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 598}
599
3be34541 600/* sets new last_server */
1a6bca81 601void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 602{
603 /* packet from peer server, extract data for cache, and send to
604 original requester */
572b41eb 605 struct dns_header *header;
de37951c 606 union mysockaddr serveraddr;
832af0ba 607 struct frec *forward;
de37951c 608 socklen_t addrlen = sizeof(serveraddr);
60b68069 609 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 610 size_t nn;
1a6bca81
SK		 611 struct server *server;
612
cdeda28f
SK		 613 /* packet buffer overwritten */
614 daemon->srv_save = NULL;
832af0ba 615
de37951c 616 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 617 serveraddr.sa.sa_family = family;
de37951c
SK		 618#ifdef HAVE_IPV6
619 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 620 serveraddr.in6.sin6_flowinfo = 0;
de37951c 621#endif
9e4abcb5 622
1a6bca81
SK		 623 /* spoof check: answer must come from known server, */
624 for (server = daemon->servers; server; server = server->next)
625 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
626 sockaddr_isequal(&server->addr, &serveraddr))
627 break;
628
572b41eb 629 header = (struct dns_header *)daemon->packet;
fd9fa481 630
1a6bca81 631 if (!server ||
572b41eb 632 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 633 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
634 return;
3a237152 635
572b41eb 636 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 637 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 638 forward->forwardall == 0)
639 /* for broken servers, attempt to send to another one. */
9e4abcb5 640 {
1a6bca81
SK		 641 unsigned char *pheader;
642 size_t plen;
643 int is_sign;
832af0ba 644
1a6bca81
SK		 645 /* recreate query from reply */
646 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
647 if (!is_sign)
832af0ba 648 {
1a6bca81
SK		 649 header->ancount = htons(0);
650 header->nscount = htons(0);
651 header->arcount = htons(0);
652 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 653 {
572b41eb 654 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 655 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
656 return;
832af0ba 657 }
832af0ba 658 }
1a6bca81 659 }
3a237152
SK		 660
661 server = forward->sentto;
1a6bca81
SK		 662
663 if ((forward->sentto->flags & SERV_TYPE) == 0)
664 {
572b41eb 665 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 666 server = NULL;
667 else
b8187c80 668 {
1a6bca81
SK		 669 struct server *last_server;
670
671 /* find good server by address if possible, otherwise assume the last one we sent to */
672 for (last_server = daemon->servers; last_server; last_server = last_server->next)
673 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
674 sockaddr_isequal(&last_server->addr, &serveraddr))
675 {
676 server = last_server;
677 break;
678 }
679 }
28866e95 680 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 681 daemon->last_server = server;
682 }
3a237152 683
1a6bca81
SK		 684 /* If the answer is an error, keep the forward record in place in case
685 we get a good reply from another server. Kill it when we've
686 had replies from all to avoid filling the forwarding table when
687 everything is broken */
688 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 689 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 690 {
3a237152
SK		 691 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
692
693 if (option_bool(OPT_NO_REBIND))
694 check_rebind = !(forward->flags & FREC_NOREBIND);
695
696 /* Don't cache replies where DNSSEC validation was turned off, either
697 the upstream server told us so, or the original query specified it. */
698 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
699 no_cache_dnssec = 1;
700
701#ifdef HAVE_DNSSEC
702 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
703 {
9d633048 704 int status;
0fc2f313
SK		 705
706 /* We've had a reply already, which we're validating. Ignore this duplicate */
707 if (forward->stash)
708 return;
9d633048 709
871417d4
SK		 710 if (header->hb3 & HB3_TC)
711 {
712 /* Truncated answer can't be validated.
713 The client will retry over TCP, but if this is an answer to a
714 DNSSEC-generated query, we have a problem. Should really re-send
715 over TCP. No-one with any sense will make a DNSKEY or DS RRset
716 exceed 4096, so this may not be a real problem. Just log
717 for now. */
718 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
719 my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
720 status = STAT_INSECURE;
721 }
722 else if (forward->flags & FREC_DNSKEY_QUERY)
0fc2f313 723 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6
SK		 724 else if (forward->flags & FREC_DS_QUERY)
725 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
9d633048 726 else
0fc2f313 727 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
3a237152
SK		 728
729 /* Can't validate, as we're missing key data. Put this
730 answer aside, whilst we get that. */
731 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
732 {
733 struct frec *new;
0fc2f313
SK		 734
735 if ((new = get_new_frec(now, NULL, 1)))
3a237152 736 {
0fc2f313
SK		 737 struct frec *next = new->next;
738 *new = *forward; /* copy everything, then overwrite */
739 new->next = next;
740 new->stash = NULL;
741 new->blocking_query = NULL;
f1668d27
SK		 742 new->rfd4 = NULL;
743#ifdef HAVE_IPV6
744 new->rfd6 = NULL;
745#endif
0fc2f313 746 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
9d633048 747
0fc2f313 748 if ((forward->stash = blockdata_alloc((char *)header, n)))
3a237152
SK		 749 {
750 int fd;
9d633048 751
0fc2f313
SK		 752 forward->stash_len = n;
753
3a237152
SK		 754 new->dependent = forward; /* to find query awaiting new one. */
755 forward->blocking_query = new; /* for garbage cleaning */
0fc2f313 756 /* validate routines leave name of required record in daemon->keyname */
3a237152 757 if (status == STAT_NEED_KEY)
9d633048
SK		 758 {
759 new->flags |= FREC_DNSKEY_QUERY;
60b68069
SK		 760 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
761 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
9d633048 762 }
3a237152 763 else if (status == STAT_NEED_DS)
9d633048
SK		 764 {
765 new->flags |= FREC_DS_QUERY;
60b68069
SK		 766 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
767 daemon->keyname, forward->class, T_DS, &server->addr);
9d633048 768 }
3a237152
SK		 769 new->crc = questions_crc(header, nn, daemon->namebuff);
770 new->new_id = get_id(new->crc);
c3e0b9b6 771 header->id = htons(new->new_id);
9d633048 772
3a237152
SK		 773 /* Don't resend this. */
774 daemon->srv_save = NULL;
775
776 if (server->sfd)
777 fd = server->sfd->fd;
778 else
f1668d27
SK		 779 {
780 fd = -1;
3a237152 781#ifdef HAVE_IPV6
f1668d27
SK		 782 if (server->addr.sa.sa_family == AF_INET6)
783 {
784 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
785 fd = new->rfd6->fd;
786 }
787 else
3a237152 788#endif
f1668d27
SK		 789 {
790 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
791 fd = new->rfd4->fd;
792 }
793 }
9d633048 794
f1668d27
SK		 795 if (fd != -1)
796 {
797 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
798 server->queries++;
799 }
3a237152
SK		 800 }
801 }
0fc2f313 802
3a237152
SK		 803 return;
804 }
805
806 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
807 Now wind back down, pulling back answers which wouldn't previously validate
808 and validate them with the new data. Failure to find needed data here is an internal error.
809 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
810 return it to the original requestor. */
0fc2f313 811 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
3a237152 812 {
0fc2f313 813 while (forward->dependent)
3a237152 814 {
0fc2f313 815 struct frec *prev;
c3e0b9b6 816
0fc2f313
SK		 817 if (status == STAT_SECURE)
818 {
819 if (forward->flags & FREC_DNSKEY_QUERY)
820 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
821 else if (forward->flags & FREC_DS_QUERY)
822 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
823 }
824
825 prev = forward->dependent;
826 free_frec(forward);
827 forward = prev;
828 forward->blocking_query = NULL; /* already gone */
829 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
830 n = forward->stash_len;
831 }
832
833 /* All DNSKEY and DS records done and in cache, now finally validate original
834 answer, provided last DNSKEY is OK. */
835 if (status == STAT_SECURE)
836 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
837
838 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
839 {
840 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
841 status = STAT_INSECURE;
3a237152
SK		 842 }
843 }
0fc2f313
SK		 844
845 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
846 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
847
848 no_cache_dnssec = 0;
c3e0b9b6 849
3a237152
SK		 850 if (status == STAT_SECURE)
851 cache_secure = 1;
3a237152
SK		 852 else if (status == STAT_BOGUS)
853 no_cache_dnssec = 1;
0fc2f313
SK		 854
855 /* restore CD bit to the value in the query */
856 if (forward->flags & FREC_CHECKING_DISABLED)
857 header->hb4 |= HB4_CD;
858 else
859 header->hb4 &= ~HB4_CD;
3a237152
SK		 860 }
861#endif
8ef5ada2 862
3a237152 863 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 864 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 865 {
866 header->id = htons(forward->orig_id);
572b41eb 867 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 868 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 869 &forward->source, &forward->dest, forward->iface);
b8187c80 870 }
1a6bca81 871 free_frec(forward); /* cancel */
9e4abcb5 872 }
9e4abcb5 873}
44a2a316 874
1a6bca81 875
5aabfc78 876void receive_query(struct listener *listen, time_t now)
44a2a316 877{
572b41eb 878 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 879 union mysockaddr source_addr;
c1bb8504 880 unsigned short type;
44a2a316 881 struct all_addr dst_addr;
f6b7dc47 882 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 883 size_t m;
884 ssize_t n;
3b195961
VG		 885 int if_index = 0, auth_dns = 0;
886#ifdef HAVE_AUTH
887 int local_auth = 0;
888#endif
44a2a316
SK		 889 struct iovec iov[1];
890 struct msghdr msg;
891 struct cmsghdr *cmptr;
44a2a316
SK		 892 union {
893 struct cmsghdr align; /* this ensures alignment */
894#ifdef HAVE_IPV6
895 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
896#endif
5e9e0efb 897#if defined(HAVE_LINUX_NETWORK)
44a2a316 898 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 899#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
900 char control[CMSG_SPACE(sizeof(struct in_addr)) +
901 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 902#elif defined(IP_RECVDSTADDR)
903 char control[CMSG_SPACE(sizeof(struct in_addr)) +
904 CMSG_SPACE(sizeof(struct sockaddr_dl))];
905#endif
906 } control_u;
2329bef5
SK		 907#ifdef HAVE_IPV6
908 /* Can always get recvd interface for IPv6 */
909 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
910#else
911 int check_dst = !option_bool(OPT_NOWILD);
912#endif
913
cdeda28f
SK		 914 /* packet buffer overwritten */
915 daemon->srv_save = NULL;
916
4f7b304f
SK		 917 dst_addr_4.s_addr = 0;
918 netmask.s_addr = 0;
919
7e5664bd 920 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 921 {
4f7b304f
SK		 922 auth_dns = listen->iface->dns_auth;
923
924 if (listen->family == AF_INET)
925 {
926 dst_addr_4 = listen->iface->addr.in.sin_addr;
927 netmask = listen->iface->netmask;
928 }
3d8df260 929 }
4f7b304f 930
3be34541
SK		 931 iov[0].iov_base = daemon->packet;
932 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 933
934 msg.msg_control = control_u.control;
935 msg.msg_controllen = sizeof(control_u);
936 msg.msg_flags = 0;
937 msg.msg_name = &source_addr;
938 msg.msg_namelen = sizeof(source_addr);
939 msg.msg_iov = iov;
940 msg.msg_iovlen = 1;
941
de37951c 942 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 943 return;
44a2a316 944
572b41eb 945 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 946 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 947 (header->hb3 & HB3_QR))
26128d27
SK		 948 return;
949
44a2a316
SK		 950 source_addr.sa.sa_family = listen->family;
951#ifdef HAVE_IPV6
952 if (listen->family == AF_INET6)
5e9e0efb 953 source_addr.in6.sin6_flowinfo = 0;
44a2a316 954#endif
28866e95 955
2329bef5 956 if (check_dst)
26128d27
SK		 957 {
958 struct ifreq ifr;
959
960 if (msg.msg_controllen < sizeof(struct cmsghdr))
961 return;
44a2a316 962
5e9e0efb 963#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 964 if (listen->family == AF_INET)
965 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 966 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 967 {
8ef5ada2
SK		 968 union {
969 unsigned char *c;
970 struct in_pktinfo *p;
971 } p;
972 p.c = CMSG_DATA(cmptr);
973 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
974 if_index = p.p->ipi_ifindex;
26128d27
SK		 975 }
976#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
977 if (listen->family == AF_INET)
44a2a316 978 {
26128d27 979 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 980 {
981 union {
982 unsigned char *c;
983 unsigned int *i;
984 struct in_addr *a;
985#ifndef HAVE_SOLARIS_NETWORK
986 struct sockaddr_dl *s;
987#endif
988 } p;
989 p.c = CMSG_DATA(cmptr);
990 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
991 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
992 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 993#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 994 if_index = *(p.i);
824af85b 995#else
8ef5ada2 996 if_index = p.s->sdl_index;
824af85b 997#endif
8ef5ada2 998 }
44a2a316 999 }
44a2a316 1000#endif
26128d27 1001
44a2a316 1002#ifdef HAVE_IPV6
26128d27
SK		 1003 if (listen->family == AF_INET6)
1004 {
1005 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1006 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1007 {
8ef5ada2
SK		 1008 union {
1009 unsigned char *c;
1010 struct in6_pktinfo *p;
1011 } p;
1012 p.c = CMSG_DATA(cmptr);
1013
1014 dst_addr.addr.addr6 = p.p->ipi6_addr;
1015 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1016 }
1017 }
44a2a316 1018#endif
26128d27
SK		 1019
1020 /* enforce available interface configuration */
1021
e25db1f2 1022 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1023 return;
832af0ba 1024
e25db1f2
SK		 1025 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1026 {
1027 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1028 enumerate_interfaces(0);
3f2873d4
SK		 1029 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1030 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1031 return;
1032 }
1033
552af8b9
SK		 1034 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1035 {
1036 struct irec *iface;
1037
1038 /* get the netmask of the interface whch has the address we were sent to.
1039 This is no neccessarily the interface we arrived on. */
1040
1041 for (iface = daemon->interfaces; iface; iface = iface->next)
1042 if (iface->addr.sa.sa_family == AF_INET &&
1043 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1044 break;
1045
1046 /* interface may be new */
e25db1f2 1047 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1048 enumerate_interfaces(0);
552af8b9
SK		 1049
1050 for (iface = daemon->interfaces; iface; iface = iface->next)
1051 if (iface->addr.sa.sa_family == AF_INET &&
1052 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1053 break;
1054
1055 /* If we failed, abandon localisation */
1056 if (iface)
1057 netmask = iface->netmask;
1058 else
1059 dst_addr_4.s_addr = 0;
1060 }
44a2a316
SK		 1061 }
1062
cdeda28f 1063 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1064 {
1a6bca81 1065 char types[20];
b485ed97
SK		 1066#ifdef HAVE_AUTH
1067 struct auth_zone *zone;
1068#endif
1a6bca81 1069
4f7b304f 1070 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 1071
44a2a316 1072 if (listen->family == AF_INET)
3be34541 1073 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1074 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1075#ifdef HAVE_IPV6
1076 else
3be34541 1077 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1078 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1079#endif
44a2a316 1080
b485ed97
SK		 1081#ifdef HAVE_AUTH
1082 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1083 if (!auth_dns)
1084 for (zone = daemon->auth_zones; zone; zone = zone->next)
1085 if (in_zone(zone, daemon->namebuff, NULL))
1086 {
1087 auth_dns = 1;
1088 local_auth = 1;
1089 break;
1090 }
b485ed97
SK		 1091#endif
1092 }
1093
4820dce9 1094#ifdef HAVE_AUTH
4f7b304f 1095 if (auth_dns)
824af85b 1096 {
60b68069 1097 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1098 if (m >= 1)
b485ed97
SK		 1099 {
1100 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1101 (char *)header, m, &source_addr, &dst_addr, if_index);
1102 daemon->auth_answer++;
1103 }
824af85b 1104 }
44a2a316 1105 else
4820dce9 1106#endif
4f7b304f 1107 {
60b68069 1108 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
4f7b304f
SK		 1109 dst_addr_4, netmask, now);
1110
1111 if (m >= 1)
1112 {
1113 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1114 (char *)header, m, &source_addr, &dst_addr, if_index);
1115 daemon->local_answer++;
1116 }
1117 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1118 header, (size_t)n, now, NULL))
1119 daemon->queries_forwarded++;
1120 else
1121 daemon->local_answer++;
1122 }
44a2a316
SK		 1123}
1124
7d7b7b31
SK		 1125#ifdef HAVE_DNSSEC
1126static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1127{
1128 /* Recurse up the key heirarchy */
1129 size_t n;
1130 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1131 unsigned char *payload = &packet[2];
1132 struct dns_header *header = (struct dns_header *)payload;
1133 u16 *length = (u16 *)packet;
1134 int new_status;
1135 unsigned char c1, c2;
1136
1137 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1138 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1139
1140 *length = htons(n);
1141
1142 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1143 !read_write(server->tcpfd, &c1, 1, 1) ||
1144 !read_write(server->tcpfd, &c2, 1, 1) ||
1145 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1146 {
1147 close(server->tcpfd);
1148 server->tcpfd = -1;
1149 new_status = STAT_INSECURE;
1150 }
1151 else
1152 {
1153 n = (c1 << 8) | c2;
1154
1155 if (status == STAT_NEED_KEY)
1156 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1157 else
1158 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1159
1160 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1161 {
1162 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1163 {
1164 if (status == STAT_NEED_KEY)
1165 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1166 else
1167 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1168
1169 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1170 {
1171 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1172 status = STAT_INSECURE;
f1668d27 1173 }
7d7b7b31
SK		 1174 }
1175 }
1176 }
1177
1178 free(packet);
1179
1180 return new_status;
1181}
1182#endif
1183
1184
feba5c1d
SK		 1185/* The daemon forks before calling this: it should deal with one connection,
1186 blocking as neccessary, and then return. Note, need to be a bit careful
1187 about resources for debug mode, when the fork is suppressed: that's
1188 done by the caller. */
5aabfc78 1189unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1190 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1191{
28866e95
SK		 1192 size_t size = 0;
1193 int norebind = 0;
3b195961 1194#ifdef HAVE_AUTH
19b16891 1195 int local_auth = 0;
3b195961 1196#endif
7d7b7b31 1197 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
cdeda28f 1198 size_t m;
ee86ce68
SK		 1199 unsigned short qtype;
1200 unsigned int gotname;
feba5c1d 1201 unsigned char c1, c2;
4b5ea12e
SK		 1202 /* Max TCP packet + slop + size */
1203 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1204 unsigned char *payload = &packet[2];
1205 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1206 struct dns_header *header = (struct dns_header *)payload;
1207 u16 *length = (u16 *)packet;
3be34541 1208 struct server *last_server;
7de060b0
SK		 1209 struct in_addr dst_addr_4;
1210 union mysockaddr peer_addr;
1211 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1212
7de060b0
SK		 1213 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1214 return packet;
1215
feba5c1d
SK		 1216 while (1)
1217 {
1218 if (!packet ||
1219 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1220 !(size = c1 << 8 | c2) ||
4b5ea12e 1221 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1222 return packet;
1223
572b41eb 1224 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1225 continue;
1226
ed4c0767
SK		 1227 check_subnet = 0;
1228
28866e95 1229 /* save state of "cd" flag in query */
7d7b7b31
SK		 1230 if ((checking_disabled = header->hb4 & HB4_CD))
1231 no_cache_dnssec = 1;
28866e95
SK		 1232
1233 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1234 header->hb4 &= ~HB4_AD;
feba5c1d 1235
3be34541 1236 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1237 {
7de060b0 1238 char types[20];
b485ed97
SK		 1239#ifdef HAVE_AUTH
1240 struct auth_zone *zone;
1241#endif
4f7b304f 1242 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1243
1244 if (peer_addr.sa.sa_family == AF_INET)
1245 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1246 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1247#ifdef HAVE_IPV6
7de060b0
SK		 1248 else
1249 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1250 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1251#endif
b485ed97
SK		 1252
1253#ifdef HAVE_AUTH
1254 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1255 if (!auth_dns)
1256 for (zone = daemon->auth_zones; zone; zone = zone->next)
1257 if (in_zone(zone, daemon->namebuff, NULL))
1258 {
1259 auth_dns = 1;
1260 local_auth = 1;
1261 break;
1262 }
b485ed97 1263#endif
feba5c1d
SK		 1264 }
1265
7de060b0
SK		 1266 if (local_addr->sa.sa_family == AF_INET)
1267 dst_addr_4 = local_addr->in.sin_addr;
1268 else
1269 dst_addr_4.s_addr = 0;
1270
4820dce9 1271#ifdef HAVE_AUTH
4f7b304f 1272 if (auth_dns)
19b16891 1273 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1274 else
4820dce9 1275#endif
feba5c1d 1276 {
4f7b304f
SK		 1277 /* m > 0 if answered from cache */
1278 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1279 dst_addr_4, netmask, now);
feba5c1d 1280
4f7b304f
SK		 1281 /* Do this by steam now we're not in the select() loop */
1282 check_log_writer(NULL);
1283
1284 if (m == 0)
feba5c1d 1285 {
4f7b304f
SK		 1286 unsigned int flags = 0;
1287 struct all_addr *addrp = NULL;
1288 int type = 0;
1289 char *domain = NULL;
feba5c1d 1290
4f7b304f
SK		 1291 if (option_bool(OPT_ADD_MAC))
1292 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1293
1294 if (option_bool(OPT_CLIENT_SUBNET))
1295 {
1296 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1297 if (size != new)
1298 {
1299 size = new;
1300 check_subnet = 1;
1301 }
1302 }
1303
4f7b304f
SK		 1304 if (gotname)
1305 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1306
1307 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1308 last_server = daemon->servers;
1309 else
1310 last_server = daemon->last_server;
1311
1312 if (!flags && last_server)
1313 {
1314 struct server *firstsendto = NULL;
1315 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1316
1317 /* Loop round available servers until we succeed in connecting to one.
1318 Note that this code subtley ensures that consecutive queries on this connection
1319 which can go to the same server, do so. */
1320 while (1)
feba5c1d 1321 {
4f7b304f
SK		 1322 if (!firstsendto)
1323 firstsendto = last_server;
1324 else
1325 {
1326 if (!(last_server = last_server->next))
1327 last_server = daemon->servers;
1328
1329 if (last_server == firstsendto)
1330 break;
1331 }
1332
1333 /* server for wrong domain */
1334 if (type != (last_server->flags & SERV_TYPE) ||
1335 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1336 continue;
1337
4f7b304f 1338 if (last_server->tcpfd == -1)
7de060b0 1339 {
4f7b304f
SK		 1340 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1341 continue;
1342
1343 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1344 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1345 {
1346 close(last_server->tcpfd);
1347 last_server->tcpfd = -1;
1348 continue;
1349 }
1350
7d7b7b31
SK		 1351#ifdef HAVE_DNSSEC
1352 if (option_bool(OPT_DNSSEC_VALID))
1353 {
1354 size = add_do_bit(header, size, ((char *) header) + 65536);
1355 header->hb4 |= HB4_CD;
1356 }
1357#endif
1358
7de060b0 1359#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1360 /* Copy connection mark of incoming query to outgoing connection. */
1361 if (option_bool(OPT_CONNTRACK))
1362 {
1363 unsigned int mark;
1364 struct all_addr local;
7de060b0 1365#ifdef HAVE_IPV6
4f7b304f
SK		 1366 if (local_addr->sa.sa_family == AF_INET6)
1367 local.addr.addr6 = local_addr->in6.sin6_addr;
1368 else
7de060b0 1369#endif
4f7b304f
SK		 1370 local.addr.addr4 = local_addr->in.sin_addr;
1371
1372 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1373 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1374 }
7de060b0 1375#endif
4f7b304f
SK		 1376 }
1377
4b5ea12e 1378 *length = htons(size);
4f7b304f 1379
4b5ea12e 1380 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1381 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1382 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1383 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1384 {
1385 close(last_server->tcpfd);
1386 last_server->tcpfd = -1;
1387 continue;
1388 }
1389
1390 m = (c1 << 8) | c2;
4f7b304f
SK		 1391
1392 if (!gotname)
1393 strcpy(daemon->namebuff, "query");
1394 if (last_server->addr.sa.sa_family == AF_INET)
1395 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1396 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1397#ifdef HAVE_IPV6
4f7b304f
SK		 1398 else
1399 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1400 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1401#endif
7d7b7b31
SK		 1402
1403#ifdef HAVE_DNSSEC
1404 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1405 {
1406 int class, status;
1407
1408 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1409
1410 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1411 {
1412 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1413 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1414 }
1415
1416 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1417 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1418
1419 if (status == STAT_BOGUS)
1420 no_cache_dnssec = 1;
1421
1422 if (status == STAT_SECURE)
1423 cache_secure = 1;
1424 }
1425#endif
1426
1427 /* restore CD bit to the value in the query */
1428 if (checking_disabled)
1429 header->hb4 |= HB4_CD;
1430 else
1431 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 1432
1433 /* There's no point in updating the cache, since this process will exit and
1434 lose the information after a few queries. We make this call for the alias and
1435 bogus-nxdomain side-effects. */
1436 /* If the crc of the question section doesn't match the crc we sent, then
1437 someone might be attempting to insert bogus values into the cache by
1438 sending replies containing questions and bogus answers. */
1439 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1440 m = process_reply(header, now, last_server, (unsigned int)m,
7d7b7b31
SK		 1441 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1442 cache_secure, check_subnet, &peer_addr);
4f7b304f
SK		 1443
1444 break;
1445 }
feba5c1d 1446 }
4f7b304f
SK		 1447
1448 /* In case of local answer or no connections made. */
1449 if (m == 0)
1450 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1451 }
feba5c1d 1452 }
4f7b304f 1453
5aabfc78 1454 check_log_writer(NULL);
feba5c1d 1455
4b5ea12e
SK		 1456 *length = htons(m);
1457
1458 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1459 return packet;
1460 }
1461}
1462
1697269c 1463static struct frec *allocate_frec(time_t now)
9e4abcb5 1464{
1697269c
SK		 1465 struct frec *f;
1466
5aabfc78 1467 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1468 {
1a6bca81 1469 f->next = daemon->frec_list;
1697269c 1470 f->time = now;
832af0ba 1471 f->sentto = NULL;
1a6bca81 1472 f->rfd4 = NULL;
28866e95 1473 f->flags = 0;
1a6bca81
SK		 1474#ifdef HAVE_IPV6
1475 f->rfd6 = NULL;
3a237152
SK		 1476#endif
1477#ifdef HAVE_DNSSEC
1478 f->blocking_query = NULL;
4619d946 1479 f->stash = NULL;
1a6bca81
SK		 1480#endif
1481 daemon->frec_list = f;
1697269c 1482 }
9e4abcb5 1483
1697269c
SK		 1484 return f;
1485}
9e4abcb5 1486
1a6bca81
SK		 1487static struct randfd *allocate_rfd(int family)
1488{
1489 static int finger = 0;
1490 int i;
1491
1492 /* limit the number of sockets we have open to avoid starvation of
1493 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1494
1495 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1496 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1497 {
9009d746
SK		 1498 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1499 break;
1500
1a6bca81
SK		 1501 daemon->randomsocks[i].refcount = 1;
1502 daemon->randomsocks[i].family = family;
1503 return &daemon->randomsocks[i];
1504 }
1505
9009d746 1506 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1507 for (i = 0; i < RANDOM_SOCKS; i++)
1508 {
1509 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1510 if (daemon->randomsocks[j].refcount != 0 &&
1511 daemon->randomsocks[j].family == family &&
1512 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1513 {
1514 finger = j;
1515 daemon->randomsocks[j].refcount++;
1516 return &daemon->randomsocks[j];
1517 }
1518 }
1519
1520 return NULL; /* doom */
1521}
1a6bca81
SK		 1522static void free_frec(struct frec *f)
1523{
1524 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1525 close(f->rfd4->fd);
1526
1527 f->rfd4 = NULL;
1528 f->sentto = NULL;
28866e95 1529 f->flags = 0;
1a6bca81
SK		 1530
1531#ifdef HAVE_IPV6
1532 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1533 close(f->rfd6->fd);
1534
1535 f->rfd6 = NULL;
1536#endif
3a237152
SK		 1537
1538#ifdef HAVE_DNSSEC
1539 if (f->stash)
0fc2f313
SK		 1540 {
1541 blockdata_free(f->stash);
1542 f->stash = NULL;
1543 }
3a237152
SK		 1544
1545 /* Anything we're waiting on is pointless now, too */
1546 if (f->blocking_query)
1547 free_frec(f->blocking_query);
1548 f->blocking_query = NULL;
1549
1550#endif
1a6bca81
SK		 1551}
1552
1697269c
SK		 1553/* if wait==NULL return a free or older than TIMEOUT record.
1554 else return *wait zero if one available, or *wait is delay to
1a6bca81 1555 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1556 limit of 4*TIMEOUT before we wipe things (for random sockets).
1557 If force is set, always return a result, even if we have
1558 to allocate above the limit. */
1559struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1560{
1a6bca81 1561 struct frec *f, *oldest, *target;
1697269c
SK		 1562 int count;
1563
1564 if (wait)
1565 *wait = 0;
1566
1a6bca81 1567 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1568 if (!f->sentto)
1a6bca81
SK		 1569 target = f;
1570 else
1697269c 1571 {
1a6bca81
SK		 1572 if (difftime(now, f->time) >= 4*TIMEOUT)
1573 {
1574 free_frec(f);
1575 target = f;
1576 }
1577
1578 if (!oldest || difftime(f->time, oldest->time) <= 0)
1579 oldest = f;
1697269c 1580 }
1a6bca81
SK		 1581
1582 if (target)
1583 {
1584 target->time = now;
1585 return target;
1586 }
9e4abcb5
SK		 1587
1588 /* can't find empty one, use oldest if there is one
1589 and it's older than timeout */
1697269c 1590 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1591 {
1697269c
SK		 1592 /* keep stuff for twice timeout if we can by allocating a new
1593 record instead */
1594 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1595 count <= daemon->ftabsize &&
1596 (f = allocate_frec(now)))
1597 return f;
1598
1599 if (!wait)
1600 {
1a6bca81 1601 free_frec(oldest);
1697269c
SK		 1602 oldest->time = now;
1603 }
9e4abcb5
SK		 1604 return oldest;
1605 }
1606
1697269c 1607 /* none available, calculate time 'till oldest record expires */
3a237152 1608 if (!force && count > daemon->ftabsize)
1697269c 1609 {
0da5e897
MSB		 1610 static time_t last_log = 0;
1611
1697269c
SK		 1612 if (oldest && wait)
1613 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1614
1615 if ((int)difftime(now, last_log) > 5)
1616 {
1617 last_log = now;
1618 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1619 }
1620
9e4abcb5
SK		 1621 return NULL;
1622 }
1697269c
SK		 1623
1624 if (!(f = allocate_frec(now)) && wait)
1625 /* wait one second on malloc failure */
1626 *wait = 1;
9e4abcb5 1627
9e4abcb5
SK		 1628 return f; /* OK if malloc fails and this is NULL */
1629}
1630
832af0ba
SK		 1631/* crc is all-ones if not known. */
1632static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1633{
1634 struct frec *f;
1635
1a6bca81 1636 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1637 if (f->sentto && f->new_id == id &&
1638 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1639 return f;
1640
1641 return NULL;
1642}
1643
1644static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1645 union mysockaddr *addr,
1646 unsigned int crc)
9e4abcb5 1647{
feba5c1d
SK		 1648 struct frec *f;
1649
1a6bca81 1650 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1651 if (f->sentto &&
9e4abcb5 1652 f->orig_id == id &&
fd9fa481 1653 f->crc == crc &&
9e4abcb5
SK		 1654 sockaddr_isequal(&f->source, addr))
1655 return f;
1656
1657 return NULL;
1658}
1659
849a8357 1660/* A server record is going away, remove references to it */
5aabfc78 1661void server_gone(struct server *server)
849a8357
SK		 1662{
1663 struct frec *f;
1664
1a6bca81 1665 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1666 if (f->sentto && f->sentto == server)
1a6bca81 1667 free_frec(f);
849a8357
SK		 1668
1669 if (daemon->last_server == server)
1670 daemon->last_server = NULL;
1671
1672 if (daemon->srv_save == server)
1673 daemon->srv_save = NULL;
1674}
9e4abcb5 1675
316e2730
SK		 1676/* return unique random ids. */
1677static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1678{
1679 unsigned short ret = 0;
832af0ba 1680
316e2730 1681 do
832af0ba
SK		 1682 ret = rand16();
1683 while (lookup_frec(ret, crc));
1684
9e4abcb5
SK		 1685 return ret;
1686}
1687
1688
1689
1690
1691
Michael's tree of dnsmasq.