]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix to hostname_cmp, and update to canonicalisation table. RFC 4034 LIES.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
c47e3ba4 1/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
832af0ba 19static struct frec *lookup_frec(unsigned short id, unsigned int crc);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 21 union mysockaddr *addr,
22 unsigned int crc);
316e2730 23static unsigned short get_id(unsigned int crc);
1a6bca81
SK		 24static void free_frec(struct frec *f);
25static struct randfd *allocate_rfd(int family);
9e4abcb5 26
824af85b 27/* Send a UDP packet with its source address set as "source"
44a2a316 28 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 29int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
50303b19 31 unsigned int iface)
9e4abcb5 32{
44a2a316
SK		 33 struct msghdr msg;
34 struct iovec iov[1];
44a2a316
SK		 35 union {
36 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 37#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39#elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41#endif
42#ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44#endif
45 } control_u;
feba5c1d 46
44a2a316
SK		 47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
feba5c1d
SK		 50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
44a2a316
SK		 52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
feba5c1d 57
26128d27 58 if (!nowild)
44a2a316 59 {
26128d27 60 struct cmsghdr *cmptr;
feba5c1d
SK		 61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
5e9e0efb 67#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 73 cmptr->cmsg_level = IPPROTO_IP;
26128d27 74 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 75#elif defined(IP_SENDSRCADDR)
8ef5ada2 76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 80#endif
26128d27 81 }
26128d27 82 else
b8187c80 83#ifdef HAVE_IPV6
26128d27 84 {
8ef5ada2
SK		 85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 90 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 91 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 92 }
3d8df260 93#else
c72daea8 94 (void)iface; /* eliminate warning */
44a2a316 95#endif
26128d27 96 }
feba5c1d 97
29d28dda 98 while (sendmsg(fd, &msg, 0) == -1)
feba5c1d 99 {
fd9fa481 100 if (retry_send())
29d28dda 101 continue;
22d904db 102
29d28dda
SK		 103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
29689cfa 106
29d28dda 107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 108 return 0;
feba5c1d 109 }
29d28dda 110
29689cfa 111 return 1;
9e4abcb5 112}
44a2a316 113
28866e95
SK		 114static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 116
117{
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
28866e95 125 unsigned int flags = 0;
feba5c1d 126
3be34541 127 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 128 /* domain matches take priority over NODOTS matches */
3d8df260 129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 130 {
28866e95 131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 132 *type = SERV_FOR_NODOTS;
feba5c1d 133 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 142#ifdef HAVE_IPV6
36717eee
SK		 143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 145#endif
36717eee 146 }
824af85b 147 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 148 flags = F_NOERR;
149 }
feba5c1d
SK		 150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
b8187c80 154 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 155 if (namelen >= domainlen &&
b8187c80 156 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 158 {
8ef5ada2
SK		 159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
28866e95 161 else
feba5c1d 162 {
28866e95
SK		 163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
36717eee 168 {
28866e95 169 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 170 {
28866e95
SK		 171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 195#ifdef HAVE_IPV6
28866e95
SK		 196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 198#endif
28866e95
SK		 199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
8ef5ada2 202 }
28866e95
SK		 203 else
204 flags = 0;
205 }
206 }
8ef5ada2 207 }
feba5c1d 208 }
8ef5ada2 209
7de060b0 210 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
8ef5ada2 214
5aabfc78 215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 216 flags = F_NOERR;
feba5c1d 217
824af85b
SK		 218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
1a6bca81 225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 226 }
8ef5ada2
SK		 227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
feba5c1d
SK		 232 return flags;
233}
44a2a316 234
824af85b
SK		 235static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
572b41eb 237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
9e4abcb5 238{
9e4abcb5 239 char *domain = NULL;
8ef5ada2 240 int type = 0, norebind = 0;
9e4abcb5 241 struct all_addr *addrp = NULL;
cdeda28f 242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
28866e95
SK		 243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
de37951c 245 struct server *start = NULL;
7de060b0 246
28866e95 247 /* RFC 4035: sect 4.6 para 2 */
572b41eb
SK		 248 header->hb4 &= ~HB4_AD;
249
3d8df260
SK		 250 /* may be no servers available. */
251 if (!daemon->servers)
9e4abcb5 252 forward = NULL;
b8187c80 253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
9e4abcb5 254 {
e0c0ad3b
SK		 255#ifdef HAVE_DNSSEC
256 /* If we've already got an answer to this query, but we're awaiting keys for vaildation,
257 there's no point retrying the query, retry the key query instead...... */
258 if (forward->blocking_query)
259 {
260 int fd;
261
262 while (forward->blocking_query)
263 forward = forward->blocking_query;
264
265 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
266 plen = forward->stash_len;
267
268 if (forward->sentto->addr.sa.sa_family)
269 log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
270#ifdef HAVE_IPV6
271 else
272 log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
273#endif
274
275 if (forward->sentto->sfd)
276 fd = forward->sentto->sfd->fd;
277 else
278 {
279#ifdef HAVE_IPV6
280 if (forward->sentto->addr.sa.sa_family == AF_INET6)
281 fd = forward->rfd6->fd;
282 else
283#endif
284 fd = forward->rfd4->fd;
285 }
286
287 while (sendto(fd, (char *)header, plen, 0,
288 &forward->sentto->addr.sa,
289 sa_len(&forward->sentto->addr)) == -1 && retry_send());
290
291 return 1;
292 }
293#endif
294
de37951c 295 /* retry on existing query, send to all available servers */
9e4abcb5 296 domain = forward->sentto->domain;
824af85b 297 forward->sentto->failed_queries++;
28866e95 298 if (!option_bool(OPT_ORDER))
de37951c 299 {
0a852541 300 forward->forwardall = 1;
3be34541 301 daemon->last_server = NULL;
de37951c 302 }
9e4abcb5 303 type = forward->sentto->flags & SERV_TYPE;
de37951c 304 if (!(start = forward->sentto->next))
3be34541 305 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 306 header->id = htons(forward->new_id);
307 }
308 else
309 {
310 if (gotname)
8ef5ada2 311 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 312
3a237152 313 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 314 /* table full - server failure. */
315 flags = F_NEG;
9e4abcb5
SK		 316
317 if (forward)
318 {
0a852541
SK		 319 forward->source = *udpaddr;
320 forward->dest = *dst_addr;
321 forward->iface = dst_iface;
0a852541 322 forward->orig_id = ntohs(header->id);
316e2730 323 forward->new_id = get_id(crc);
832af0ba 324 forward->fd = udpfd;
0a852541
SK		 325 forward->crc = crc;
326 forward->forwardall = 0;
ed4c0767 327 forward->flags = 0;
28866e95
SK		 328 if (norebind)
329 forward->flags |= FREC_NOREBIND;
572b41eb 330 if (header->hb4 & HB4_CD)
28866e95 331 forward->flags |= FREC_CHECKING_DISABLED;
0a852541 332
28866e95
SK		 333 header->id = htons(forward->new_id);
334
8ef5ada2
SK		 335 /* In strict_order mode, always try servers in the order
336 specified in resolv.conf, if a domain is given
337 always try all the available servers,
9e4abcb5
SK		 338 otherwise, use the one last known to work. */
339
8ef5ada2
SK		 340 if (type == 0)
341 {
28866e95 342 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 343 start = daemon->servers;
344 else if (!(start = daemon->last_server) ||
345 daemon->forwardcount++ > FORWARD_TEST ||
346 difftime(now, daemon->forwardtime) > FORWARD_TIME)
347 {
348 start = daemon->servers;
349 forward->forwardall = 1;
350 daemon->forwardcount = 0;
351 daemon->forwardtime = now;
352 }
353 }
354 else
de37951c 355 {
3be34541 356 start = daemon->servers;
28866e95 357 if (!option_bool(OPT_ORDER))
8ef5ada2 358 forward->forwardall = 1;
de37951c 359 }
9e4abcb5
SK		 360 }
361 }
feba5c1d 362
9e4abcb5
SK		 363 /* check for send errors here (no route to host)
364 if we fail to send to all nameservers, send back an error
365 packet straight away (helps modem users when offline) */
366
367 if (!flags && forward)
368 {
de37951c
SK		 369 struct server *firstsentto = start;
370 int forwarded = 0;
28866e95 371
797a7afb 372 if (option_bool(OPT_ADD_MAC))
60b68069 373 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 374
ed4c0767
SK		 375 if (option_bool(OPT_CLIENT_SUBNET))
376 {
60b68069 377 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 378 if (new != plen)
379 {
380 plen = new;
381 forward->flags |= FREC_HAS_SUBNET;
382 }
383 }
384
3a237152
SK		 385#ifdef HAVE_DNSSEC
386 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 387 {
60b68069 388 plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
0fc2f313
SK		 389 header->hb4 |= HB4_CD;
390 }
3a237152
SK		 391#endif
392
9e4abcb5
SK		 393 while (1)
394 {
9e4abcb5
SK		 395 /* only send to servers dealing with our domain.
396 domain may be NULL, in which case server->domain
397 must be NULL also. */
398
de37951c 399 if (type == (start->flags & SERV_TYPE) &&
fd9fa481
SK		 400 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
401 !(start->flags & SERV_LITERAL_ADDRESS))
9e4abcb5 402 {
1a6bca81
SK		 403 int fd;
404
405 /* find server socket to use, may need to get random one. */
406 if (start->sfd)
407 fd = start->sfd->fd;
408 else
409 {
410#ifdef HAVE_IPV6
411 if (start->addr.sa.sa_family == AF_INET6)
412 {
413 if (!forward->rfd6 &&
414 !(forward->rfd6 = allocate_rfd(AF_INET6)))
415 break;
3927da46 416 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 417 fd = forward->rfd6->fd;
418 }
419 else
420#endif
421 {
422 if (!forward->rfd4 &&
423 !(forward->rfd4 = allocate_rfd(AF_INET)))
424 break;
3927da46 425 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 426 fd = forward->rfd4->fd;
427 }
7de060b0
SK		 428
429#ifdef HAVE_CONNTRACK
430 /* Copy connection mark of incoming query to outgoing connection. */
431 if (option_bool(OPT_CONNTRACK))
432 {
433 unsigned int mark;
797a7afb 434 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 435 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
436 }
437#endif
1a6bca81
SK		 438 }
439
440 if (sendto(fd, (char *)header, plen, 0,
feba5c1d 441 &start->addr.sa,
fd9fa481
SK		 442 sa_len(&start->addr)) == -1)
443 {
444 if (retry_send())
445 continue;
446 }
447 else
9e4abcb5 448 {
cdeda28f
SK		 449 /* Keep info in case we want to re-send this packet */
450 daemon->srv_save = start;
451 daemon->packet_len = plen;
452
de37951c 453 if (!gotname)
3be34541 454 strcpy(daemon->namebuff, "query");
de37951c 455 if (start->addr.sa.sa_family == AF_INET)
3be34541 456 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 457 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 458#ifdef HAVE_IPV6
459 else
3be34541 460 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 461 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 462#endif
824af85b 463 start->queries++;
de37951c
SK		 464 forwarded = 1;
465 forward->sentto = start;
0a852541 466 if (!forward->forwardall)
de37951c 467 break;
0a852541 468 forward->forwardall++;
9e4abcb5
SK		 469 }
470 }
471
de37951c 472 if (!(start = start->next))
3be34541 473 start = daemon->servers;
9e4abcb5 474
de37951c 475 if (start == firstsentto)
9e4abcb5
SK		 476 break;
477 }
478
de37951c 479 if (forwarded)
824af85b 480 return 1;
de37951c 481
9e4abcb5
SK		 482 /* could not send on, prepare to return */
483 header->id = htons(forward->orig_id);
1a6bca81 484 free_frec(forward); /* cancel */
9e4abcb5
SK		 485 }
486
487 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 488 if (udpfd != -1)
489 {
cdeda28f 490 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 491 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 492 }
493
824af85b 494 return 0;
9e4abcb5
SK		 495}
496
ed4c0767 497static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
3a237152 498 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
feba5c1d 499{
36717eee 500 unsigned char *pheader, *sizep;
13d86c73 501 char **sets = 0;
832af0ba 502 int munged = 0, is_sign;
cdeda28f
SK		 503 size_t plen;
504
13d86c73
JD		 505#ifdef HAVE_IPSET
506 /* Similar algorithm to search_servers. */
507 struct ipsets *ipset_pos;
508 unsigned int namelen = strlen(daemon->namebuff);
509 unsigned int matchlen = 0;
510 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
511 {
512 unsigned int domainlen = strlen(ipset_pos->domain);
513 char *matchstart = daemon->namebuff + namelen - domainlen;
514 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
515 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
6c0cb858
SK		 516 domainlen >= matchlen)
517 {
518 matchlen = domainlen;
519 sets = ipset_pos->sets;
520 }
13d86c73
JD		 521 }
522#endif
523
feba5c1d 524 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 525 than we allow, trim it so that we don't get overlarge
526 requests for the client. We can't do this for signed packets. */
feba5c1d 527
ed4c0767 528 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 529 {
ed4c0767
SK		 530 if (!is_sign)
531 {
532 unsigned short udpsz;
533 unsigned char *psave = sizep;
534
535 GETSHORT(udpsz, sizep);
536 if (udpsz > daemon->edns_pktsz)
537 PUTSHORT(daemon->edns_pktsz, psave);
538 }
feba5c1d 539
ed4c0767
SK		 540 if (check_subnet && !check_source(header, plen, pheader, query_source))
541 {
542 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
543 return 0;
544 }
feba5c1d 545 }
ed4c0767 546
28866e95 547 /* RFC 4035 sect 4.6 para 3 */
237724c0 548 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 549 header->hb4 &= ~HB4_AD;
3a237152
SK		 550
551#ifdef HAVE_DNSSEC
552 if (option_bool(OPT_DNSSEC_VALID))
795501bc
SK		 553 header->hb4 &= ~HB4_AD;
554
a25720a3 555 if (!(header->hb4 & HB4_CD) && cache_secure)
3a237152
SK		 556 header->hb4 |= HB4_AD;
557#endif
558
572b41eb 559 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
0a852541
SK		 560 return n;
561
feba5c1d 562 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 563 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 564 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 565 {
3d8df260 566 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 567 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 568 if (!option_bool(OPT_LOG))
0a852541
SK		 569 server->flags |= SERV_WARNED_RECURSIVE;
570 }
e292e93d 571
572b41eb 572 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 573 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 574 {
fd9fa481 575 munged = 1;
572b41eb
SK		 576 SET_RCODE(header, NXDOMAIN);
577 header->hb3 &= ~HB3_AA;
36717eee 578 }
fd9fa481 579 else
36717eee 580 {
572b41eb 581 if (RCODE(header) == NXDOMAIN &&
fd9fa481 582 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 583 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 584 {
585 /* if we forwarded a query for a locally known name (because it was for
586 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
587 since we know that the domain exists, even if upstream doesn't */
fd9fa481 588 munged = 1;
572b41eb
SK		 589 header->hb3 |= HB3_AA;
590 SET_RCODE(header, NOERROR);
feba5c1d 591 }
832af0ba 592
0fc2f313 593 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure))
824af85b 594 {
8ef5ada2 595 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b
SK		 596 munged = 1;
597 }
feba5c1d 598 }
fd9fa481 599
a25720a3
SK		 600#ifdef HAVE_DNSSEC
601 if (no_cache && !(header->hb4 & HB4_CD))
602 {
603 if (option_bool(OPT_DNSSEC_PERMISS))
604 {
605 unsigned short type;
606 char types[20];
607
608 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
609 {
610 querystr("", types, type);
611 my_syslog(LOG_WARNING, _("DNSSEC validation failed: query %s%s"), daemon->namebuff, types);
612 }
613 else
614 my_syslog(LOG_WARNING, _("DNSSEC validation failed for unknown query"));
615 }
616 else
617 {
618 /* Bogus reply, turn into SERVFAIL */
619 SET_RCODE(header, SERVFAIL);
620 munged = 1;
621 }
622 }
623#endif
624
fd9fa481
SK		 625 /* do this after extract_addresses. Ensure NODATA reply and remove
626 nameserver info. */
627
628 if (munged)
629 {
630 header->ancount = htons(0);
631 header->nscount = htons(0);
632 header->arcount = htons(0);
633 }
634
36717eee
SK		 635 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
636 sections of the packet. Find the new length here and put back pseudoheader
637 if it was removed. */
638 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 639}
640
3be34541 641/* sets new last_server */
1a6bca81 642void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 643{
644 /* packet from peer server, extract data for cache, and send to
645 original requester */
572b41eb 646 struct dns_header *header;
de37951c 647 union mysockaddr serveraddr;
832af0ba 648 struct frec *forward;
de37951c 649 socklen_t addrlen = sizeof(serveraddr);
60b68069 650 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 651 size_t nn;
1a6bca81
SK		 652 struct server *server;
653
cdeda28f
SK		 654 /* packet buffer overwritten */
655 daemon->srv_save = NULL;
832af0ba 656
de37951c 657 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 658 serveraddr.sa.sa_family = family;
de37951c
SK		 659#ifdef HAVE_IPV6
660 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 661 serveraddr.in6.sin6_flowinfo = 0;
de37951c 662#endif
9e4abcb5 663
1a6bca81
SK		 664 /* spoof check: answer must come from known server, */
665 for (server = daemon->servers; server; server = server->next)
666 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
667 sockaddr_isequal(&server->addr, &serveraddr))
668 break;
669
572b41eb 670 header = (struct dns_header *)daemon->packet;
fd9fa481 671
1a6bca81 672 if (!server ||
572b41eb 673 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
1a6bca81
SK		 674 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
675 return;
3a237152 676
572b41eb 677 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
28866e95 678 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 679 forward->forwardall == 0)
680 /* for broken servers, attempt to send to another one. */
9e4abcb5 681 {
1a6bca81
SK		 682 unsigned char *pheader;
683 size_t plen;
684 int is_sign;
832af0ba 685
1a6bca81
SK		 686 /* recreate query from reply */
687 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
688 if (!is_sign)
832af0ba 689 {
1a6bca81
SK		 690 header->ancount = htons(0);
691 header->nscount = htons(0);
692 header->arcount = htons(0);
693 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 694 {
572b41eb 695 header->hb3 &= ~(HB3_QR | HB3_TC);
1a6bca81
SK		 696 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
697 return;
832af0ba 698 }
832af0ba 699 }
1a6bca81 700 }
3a237152
SK		 701
702 server = forward->sentto;
1a6bca81
SK		 703
704 if ((forward->sentto->flags & SERV_TYPE) == 0)
705 {
572b41eb 706 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
1a6bca81
SK		 707 server = NULL;
708 else
b8187c80 709 {
1a6bca81
SK		 710 struct server *last_server;
711
712 /* find good server by address if possible, otherwise assume the last one we sent to */
713 for (last_server = daemon->servers; last_server; last_server = last_server->next)
714 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
715 sockaddr_isequal(&last_server->addr, &serveraddr))
716 {
717 server = last_server;
718 break;
719 }
720 }
28866e95 721 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 722 daemon->last_server = server;
723 }
3a237152 724
1a6bca81
SK		 725 /* If the answer is an error, keep the forward record in place in case
726 we get a good reply from another server. Kill it when we've
727 had replies from all to avoid filling the forwarding table when
728 everything is broken */
729 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
572b41eb 730 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
1a6bca81 731 {
3a237152
SK		 732 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
733
734 if (option_bool(OPT_NO_REBIND))
735 check_rebind = !(forward->flags & FREC_NOREBIND);
736
737 /* Don't cache replies where DNSSEC validation was turned off, either
738 the upstream server told us so, or the original query specified it. */
739 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
740 no_cache_dnssec = 1;
741
742#ifdef HAVE_DNSSEC
743 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
744 {
9d633048 745 int status;
0fc2f313
SK		 746
747 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 748 if (forward->blocking_query)
0fc2f313 749 return;
9d633048 750
871417d4
SK		 751 if (header->hb3 & HB3_TC)
752 {
753 /* Truncated answer can't be validated.
5d3b87a4
SK		 754 If this is an answer to a DNSSEC-generated query, we still
755 need to get the client to retry over TCP, so return
756 an answer with the TC bit set, even if the actual answer fits.
757 */
758 status = STAT_TRUNCATED;
871417d4
SK		 759 }
760 else if (forward->flags & FREC_DNSKEY_QUERY)
0fc2f313 761 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6
SK		 762 else if (forward->flags & FREC_DS_QUERY)
763 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
9d633048 764 else
0fc2f313 765 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
3a237152
SK		 766
767 /* Can't validate, as we're missing key data. Put this
768 answer aside, whilst we get that. */
769 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
770 {
771 struct frec *new;
0fc2f313
SK		 772
773 if ((new = get_new_frec(now, NULL, 1)))
3a237152 774 {
0fc2f313
SK		 775 struct frec *next = new->next;
776 *new = *forward; /* copy everything, then overwrite */
777 new->next = next;
0fc2f313 778 new->blocking_query = NULL;
f1668d27
SK		 779 new->rfd4 = NULL;
780#ifdef HAVE_IPV6
781 new->rfd6 = NULL;
782#endif
0fc2f313 783 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
9d633048 784
e0c0ad3b
SK		 785 /* Free any saved query */
786 if (forward->stash)
787 blockdata_free(forward->stash);
788
789 /* Now save reply pending receipt of key data */
790 if (!(forward->stash = blockdata_alloc((char *)header, n)))
791 free_frec(new); /* malloc failure, unwind */
792 else
3a237152
SK		 793 {
794 int fd;
9d633048 795
0fc2f313
SK		 796 forward->stash_len = n;
797
3a237152
SK		 798 new->dependent = forward; /* to find query awaiting new one. */
799 forward->blocking_query = new; /* for garbage cleaning */
0fc2f313 800 /* validate routines leave name of required record in daemon->keyname */
3a237152 801 if (status == STAT_NEED_KEY)
9d633048
SK		 802 {
803 new->flags |= FREC_DNSKEY_QUERY;
60b68069
SK		 804 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
805 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
9d633048 806 }
e0c0ad3b 807 else
9d633048
SK		 808 {
809 new->flags |= FREC_DS_QUERY;
60b68069
SK		 810 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
811 daemon->keyname, forward->class, T_DS, &server->addr);
9d633048 812 }
3a237152
SK		 813 new->crc = questions_crc(header, nn, daemon->namebuff);
814 new->new_id = get_id(new->crc);
c3e0b9b6 815 header->id = htons(new->new_id);
e0c0ad3b
SK		 816 /* Save query for retransmission */
817 new->stash = blockdata_alloc((char *)header, nn);
818 new->stash_len = nn;
9d633048 819
3a237152
SK		 820 /* Don't resend this. */
821 daemon->srv_save = NULL;
822
823 if (server->sfd)
824 fd = server->sfd->fd;
825 else
f1668d27
SK		 826 {
827 fd = -1;
3a237152 828#ifdef HAVE_IPV6
f1668d27
SK		 829 if (server->addr.sa.sa_family == AF_INET6)
830 {
831 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
832 fd = new->rfd6->fd;
833 }
834 else
3a237152 835#endif
f1668d27
SK		 836 {
837 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
838 fd = new->rfd4->fd;
839 }
840 }
9d633048 841
f1668d27
SK		 842 if (fd != -1)
843 {
844 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
845 server->queries++;
846 }
3a237152
SK		 847 }
848 }
0fc2f313 849
3a237152
SK		 850 return;
851 }
852
853 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
854 Now wind back down, pulling back answers which wouldn't previously validate
855 and validate them with the new data. Failure to find needed data here is an internal error.
856 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
857 return it to the original requestor. */
0fc2f313 858 if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
3a237152 859 {
0fc2f313 860 while (forward->dependent)
3a237152 861 {
0fc2f313 862 struct frec *prev;
c3e0b9b6 863
0fc2f313
SK		 864 if (status == STAT_SECURE)
865 {
866 if (forward->flags & FREC_DNSKEY_QUERY)
867 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
868 else if (forward->flags & FREC_DS_QUERY)
869 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
870 }
871
872 prev = forward->dependent;
873 free_frec(forward);
874 forward = prev;
875 forward->blocking_query = NULL; /* already gone */
876 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
877 n = forward->stash_len;
878 }
879
880 /* All DNSKEY and DS records done and in cache, now finally validate original
881 answer, provided last DNSKEY is OK. */
882 if (status == STAT_SECURE)
883 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
884
885 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
886 {
887 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
888 status = STAT_INSECURE;
3a237152
SK		 889 }
890 }
5d3b87a4
SK		 891
892 if (status == STAT_TRUNCATED)
893 header->hb3 |= HB3_TC;
894 else
895 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
896 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
897
0fc2f313 898 no_cache_dnssec = 0;
5d3b87a4 899
3a237152
SK		 900 if (status == STAT_SECURE)
901 cache_secure = 1;
3a237152
SK		 902 else if (status == STAT_BOGUS)
903 no_cache_dnssec = 1;
0fc2f313
SK		 904
905 /* restore CD bit to the value in the query */
906 if (forward->flags & FREC_CHECKING_DISABLED)
907 header->hb4 |= HB4_CD;
908 else
909 header->hb4 &= ~HB4_CD;
3a237152
SK		 910 }
911#endif
8ef5ada2 912
3a237152 913 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
ed4c0767 914 forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 915 {
916 header->id = htons(forward->orig_id);
572b41eb 917 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 918 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 919 &forward->source, &forward->dest, forward->iface);
b8187c80 920 }
1a6bca81 921 free_frec(forward); /* cancel */
9e4abcb5 922 }
9e4abcb5 923}
44a2a316 924
1a6bca81 925
5aabfc78 926void receive_query(struct listener *listen, time_t now)
44a2a316 927{
572b41eb 928 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 929 union mysockaddr source_addr;
c1bb8504 930 unsigned short type;
44a2a316 931 struct all_addr dst_addr;
f6b7dc47 932 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 933 size_t m;
934 ssize_t n;
3b195961
VG		 935 int if_index = 0, auth_dns = 0;
936#ifdef HAVE_AUTH
937 int local_auth = 0;
938#endif
44a2a316
SK		 939 struct iovec iov[1];
940 struct msghdr msg;
941 struct cmsghdr *cmptr;
44a2a316
SK		 942 union {
943 struct cmsghdr align; /* this ensures alignment */
944#ifdef HAVE_IPV6
945 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
946#endif
5e9e0efb 947#if defined(HAVE_LINUX_NETWORK)
44a2a316 948 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 949#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
950 char control[CMSG_SPACE(sizeof(struct in_addr)) +
951 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 952#elif defined(IP_RECVDSTADDR)
953 char control[CMSG_SPACE(sizeof(struct in_addr)) +
954 CMSG_SPACE(sizeof(struct sockaddr_dl))];
955#endif
956 } control_u;
2329bef5
SK		 957#ifdef HAVE_IPV6
958 /* Can always get recvd interface for IPv6 */
959 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
960#else
961 int check_dst = !option_bool(OPT_NOWILD);
962#endif
963
cdeda28f
SK		 964 /* packet buffer overwritten */
965 daemon->srv_save = NULL;
966
4f7b304f
SK		 967 dst_addr_4.s_addr = 0;
968 netmask.s_addr = 0;
969
7e5664bd 970 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 971 {
4f7b304f
SK		 972 auth_dns = listen->iface->dns_auth;
973
974 if (listen->family == AF_INET)
975 {
976 dst_addr_4 = listen->iface->addr.in.sin_addr;
977 netmask = listen->iface->netmask;
978 }
3d8df260 979 }
4f7b304f 980
3be34541
SK		 981 iov[0].iov_base = daemon->packet;
982 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 983
984 msg.msg_control = control_u.control;
985 msg.msg_controllen = sizeof(control_u);
986 msg.msg_flags = 0;
987 msg.msg_name = &source_addr;
988 msg.msg_namelen = sizeof(source_addr);
989 msg.msg_iov = iov;
990 msg.msg_iovlen = 1;
991
de37951c 992 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 993 return;
44a2a316 994
572b41eb 995 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 996 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 997 (header->hb3 & HB3_QR))
26128d27
SK		 998 return;
999
44a2a316
SK		 1000 source_addr.sa.sa_family = listen->family;
1001#ifdef HAVE_IPV6
1002 if (listen->family == AF_INET6)
5e9e0efb 1003 source_addr.in6.sin6_flowinfo = 0;
44a2a316 1004#endif
28866e95 1005
2329bef5 1006 if (check_dst)
26128d27
SK		 1007 {
1008 struct ifreq ifr;
1009
1010 if (msg.msg_controllen < sizeof(struct cmsghdr))
1011 return;
44a2a316 1012
5e9e0efb 1013#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1014 if (listen->family == AF_INET)
1015 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1016 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1017 {
8ef5ada2
SK		 1018 union {
1019 unsigned char *c;
1020 struct in_pktinfo *p;
1021 } p;
1022 p.c = CMSG_DATA(cmptr);
1023 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1024 if_index = p.p->ipi_ifindex;
26128d27
SK		 1025 }
1026#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1027 if (listen->family == AF_INET)
44a2a316 1028 {
26128d27 1029 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1030 {
1031 union {
1032 unsigned char *c;
1033 unsigned int *i;
1034 struct in_addr *a;
1035#ifndef HAVE_SOLARIS_NETWORK
1036 struct sockaddr_dl *s;
1037#endif
1038 } p;
1039 p.c = CMSG_DATA(cmptr);
1040 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1041 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1042 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1043#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1044 if_index = *(p.i);
824af85b 1045#else
8ef5ada2 1046 if_index = p.s->sdl_index;
824af85b 1047#endif
8ef5ada2 1048 }
44a2a316 1049 }
44a2a316 1050#endif
26128d27 1051
44a2a316 1052#ifdef HAVE_IPV6
26128d27
SK		 1053 if (listen->family == AF_INET6)
1054 {
1055 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1056 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1057 {
8ef5ada2
SK		 1058 union {
1059 unsigned char *c;
1060 struct in6_pktinfo *p;
1061 } p;
1062 p.c = CMSG_DATA(cmptr);
1063
1064 dst_addr.addr.addr6 = p.p->ipi6_addr;
1065 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1066 }
1067 }
44a2a316 1068#endif
26128d27
SK		 1069
1070 /* enforce available interface configuration */
1071
e25db1f2 1072 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1073 return;
832af0ba 1074
e25db1f2
SK		 1075 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1076 {
1077 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1078 enumerate_interfaces(0);
3f2873d4
SK		 1079 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1080 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1081 return;
1082 }
1083
552af8b9
SK		 1084 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1085 {
1086 struct irec *iface;
1087
1088 /* get the netmask of the interface whch has the address we were sent to.
1089 This is no neccessarily the interface we arrived on. */
1090
1091 for (iface = daemon->interfaces; iface; iface = iface->next)
1092 if (iface->addr.sa.sa_family == AF_INET &&
1093 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1094 break;
1095
1096 /* interface may be new */
e25db1f2 1097 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1098 enumerate_interfaces(0);
552af8b9
SK		 1099
1100 for (iface = daemon->interfaces; iface; iface = iface->next)
1101 if (iface->addr.sa.sa_family == AF_INET &&
1102 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1103 break;
1104
1105 /* If we failed, abandon localisation */
1106 if (iface)
1107 netmask = iface->netmask;
1108 else
1109 dst_addr_4.s_addr = 0;
1110 }
44a2a316
SK		 1111 }
1112
cdeda28f 1113 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1114 {
1a6bca81 1115 char types[20];
b485ed97
SK		 1116#ifdef HAVE_AUTH
1117 struct auth_zone *zone;
1118#endif
1a6bca81 1119
4f7b304f 1120 querystr(auth_dns ? "auth" : "query", types, type);
1a6bca81 1121
44a2a316 1122 if (listen->family == AF_INET)
3be34541 1123 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1124 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1125#ifdef HAVE_IPV6
1126 else
3be34541 1127 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1128 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1129#endif
44a2a316 1130
b485ed97
SK		 1131#ifdef HAVE_AUTH
1132 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1133 if (!auth_dns)
1134 for (zone = daemon->auth_zones; zone; zone = zone->next)
1135 if (in_zone(zone, daemon->namebuff, NULL))
1136 {
1137 auth_dns = 1;
1138 local_auth = 1;
1139 break;
1140 }
b485ed97
SK		 1141#endif
1142 }
1143
4820dce9 1144#ifdef HAVE_AUTH
4f7b304f 1145 if (auth_dns)
824af85b 1146 {
60b68069 1147 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1148 if (m >= 1)
b485ed97
SK		 1149 {
1150 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1151 (char *)header, m, &source_addr, &dst_addr, if_index);
1152 daemon->auth_answer++;
1153 }
824af85b 1154 }
44a2a316 1155 else
4820dce9 1156#endif
4f7b304f 1157 {
60b68069 1158 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
4f7b304f
SK		 1159 dst_addr_4, netmask, now);
1160
1161 if (m >= 1)
1162 {
1163 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1164 (char *)header, m, &source_addr, &dst_addr, if_index);
1165 daemon->local_answer++;
1166 }
1167 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1168 header, (size_t)n, now, NULL))
1169 daemon->queries_forwarded++;
1170 else
1171 daemon->local_answer++;
1172 }
44a2a316
SK		 1173}
1174
7d7b7b31
SK		 1175#ifdef HAVE_DNSSEC
1176static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
1177{
1178 /* Recurse up the key heirarchy */
1179 size_t n;
1180 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1181 unsigned char *payload = &packet[2];
1182 struct dns_header *header = (struct dns_header *)payload;
1183 u16 *length = (u16 *)packet;
1184 int new_status;
1185 unsigned char c1, c2;
1186
1187 n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class,
1188 status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1189
1190 *length = htons(n);
1191
1192 if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
1193 !read_write(server->tcpfd, &c1, 1, 1) ||
1194 !read_write(server->tcpfd, &c2, 1, 1) ||
1195 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1196 {
1197 close(server->tcpfd);
1198 server->tcpfd = -1;
1199 new_status = STAT_INSECURE;
1200 }
1201 else
1202 {
1203 n = (c1 << 8) | c2;
1204
1205 if (status == STAT_NEED_KEY)
1206 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1207 else
1208 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1209
1210 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1211 {
1212 if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
1213 {
1214 if (status == STAT_NEED_KEY)
1215 new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1216 else
1217 new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
1218
1219 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1220 {
1221 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
1222 status = STAT_INSECURE;
f1668d27 1223 }
7d7b7b31
SK		 1224 }
1225 }
1226 }
1227
1228 free(packet);
1229
1230 return new_status;
1231}
1232#endif
1233
1234
feba5c1d
SK		 1235/* The daemon forks before calling this: it should deal with one connection,
1236 blocking as neccessary, and then return. Note, need to be a bit careful
1237 about resources for debug mode, when the fork is suppressed: that's
1238 done by the caller. */
5aabfc78 1239unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1240 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1241{
28866e95
SK		 1242 size_t size = 0;
1243 int norebind = 0;
3b195961 1244#ifdef HAVE_AUTH
19b16891 1245 int local_auth = 0;
3b195961 1246#endif
7d7b7b31 1247 int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
cdeda28f 1248 size_t m;
ee86ce68
SK		 1249 unsigned short qtype;
1250 unsigned int gotname;
feba5c1d 1251 unsigned char c1, c2;
4b5ea12e
SK		 1252 /* Max TCP packet + slop + size */
1253 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1254 unsigned char *payload = &packet[2];
1255 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1256 struct dns_header *header = (struct dns_header *)payload;
1257 u16 *length = (u16 *)packet;
3be34541 1258 struct server *last_server;
7de060b0
SK		 1259 struct in_addr dst_addr_4;
1260 union mysockaddr peer_addr;
1261 socklen_t peer_len = sizeof(union mysockaddr);
3be34541 1262
7de060b0
SK		 1263 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1264 return packet;
1265
feba5c1d
SK		 1266 while (1)
1267 {
1268 if (!packet ||
1269 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1270 !(size = c1 << 8 | c2) ||
4b5ea12e 1271 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1272 return packet;
1273
572b41eb 1274 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1275 continue;
1276
ed4c0767
SK		 1277 check_subnet = 0;
1278
28866e95 1279 /* save state of "cd" flag in query */
7d7b7b31
SK		 1280 if ((checking_disabled = header->hb4 & HB4_CD))
1281 no_cache_dnssec = 1;
28866e95
SK		 1282
1283 /* RFC 4035: sect 4.6 para 2 */
572b41eb 1284 header->hb4 &= ~HB4_AD;
feba5c1d 1285
3be34541 1286 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1287 {
7de060b0 1288 char types[20];
b485ed97
SK		 1289#ifdef HAVE_AUTH
1290 struct auth_zone *zone;
1291#endif
4f7b304f 1292 querystr(auth_dns ? "auth" : "query", types, qtype);
7de060b0
SK		 1293
1294 if (peer_addr.sa.sa_family == AF_INET)
1295 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1296 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1297#ifdef HAVE_IPV6
7de060b0
SK		 1298 else
1299 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1300 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1301#endif
b485ed97
SK		 1302
1303#ifdef HAVE_AUTH
1304 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1305 if (!auth_dns)
1306 for (zone = daemon->auth_zones; zone; zone = zone->next)
1307 if (in_zone(zone, daemon->namebuff, NULL))
1308 {
1309 auth_dns = 1;
1310 local_auth = 1;
1311 break;
1312 }
b485ed97 1313#endif
feba5c1d
SK		 1314 }
1315
7de060b0
SK		 1316 if (local_addr->sa.sa_family == AF_INET)
1317 dst_addr_4 = local_addr->in.sin_addr;
1318 else
1319 dst_addr_4.s_addr = 0;
1320
4820dce9 1321#ifdef HAVE_AUTH
4f7b304f 1322 if (auth_dns)
19b16891 1323 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1324 else
4820dce9 1325#endif
feba5c1d 1326 {
4f7b304f
SK		 1327 /* m > 0 if answered from cache */
1328 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1329 dst_addr_4, netmask, now);
feba5c1d 1330
4f7b304f
SK		 1331 /* Do this by steam now we're not in the select() loop */
1332 check_log_writer(NULL);
1333
1334 if (m == 0)
feba5c1d 1335 {
4f7b304f
SK		 1336 unsigned int flags = 0;
1337 struct all_addr *addrp = NULL;
1338 int type = 0;
1339 char *domain = NULL;
feba5c1d 1340
4f7b304f
SK		 1341 if (option_bool(OPT_ADD_MAC))
1342 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1343
1344 if (option_bool(OPT_CLIENT_SUBNET))
1345 {
1346 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1347 if (size != new)
1348 {
1349 size = new;
1350 check_subnet = 1;
1351 }
1352 }
1353
4f7b304f
SK		 1354 if (gotname)
1355 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1356
1357 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1358 last_server = daemon->servers;
1359 else
1360 last_server = daemon->last_server;
1361
1362 if (!flags && last_server)
1363 {
1364 struct server *firstsendto = NULL;
1365 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1366
1367 /* Loop round available servers until we succeed in connecting to one.
1368 Note that this code subtley ensures that consecutive queries on this connection
1369 which can go to the same server, do so. */
1370 while (1)
feba5c1d 1371 {
4f7b304f
SK		 1372 if (!firstsendto)
1373 firstsendto = last_server;
1374 else
1375 {
1376 if (!(last_server = last_server->next))
1377 last_server = daemon->servers;
1378
1379 if (last_server == firstsendto)
1380 break;
1381 }
1382
1383 /* server for wrong domain */
1384 if (type != (last_server->flags & SERV_TYPE) ||
1385 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
7de060b0
SK		 1386 continue;
1387
4f7b304f 1388 if (last_server->tcpfd == -1)
7de060b0 1389 {
4f7b304f
SK		 1390 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1391 continue;
1392
1393 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1394 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1395 {
1396 close(last_server->tcpfd);
1397 last_server->tcpfd = -1;
1398 continue;
1399 }
1400
7d7b7b31
SK		 1401#ifdef HAVE_DNSSEC
1402 if (option_bool(OPT_DNSSEC_VALID))
1403 {
1404 size = add_do_bit(header, size, ((char *) header) + 65536);
1405 header->hb4 |= HB4_CD;
1406 }
1407#endif
1408
7de060b0 1409#ifdef HAVE_CONNTRACK
4f7b304f
SK		 1410 /* Copy connection mark of incoming query to outgoing connection. */
1411 if (option_bool(OPT_CONNTRACK))
1412 {
1413 unsigned int mark;
1414 struct all_addr local;
7de060b0 1415#ifdef HAVE_IPV6
4f7b304f
SK		 1416 if (local_addr->sa.sa_family == AF_INET6)
1417 local.addr.addr6 = local_addr->in6.sin6_addr;
1418 else
7de060b0 1419#endif
4f7b304f
SK		 1420 local.addr.addr4 = local_addr->in.sin_addr;
1421
1422 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1423 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1424 }
7de060b0 1425#endif
4f7b304f
SK		 1426 }
1427
4b5ea12e 1428 *length = htons(size);
4f7b304f 1429
4b5ea12e 1430 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1431 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1432 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1433 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1434 {
1435 close(last_server->tcpfd);
1436 last_server->tcpfd = -1;
1437 continue;
1438 }
1439
1440 m = (c1 << 8) | c2;
4f7b304f
SK		 1441
1442 if (!gotname)
1443 strcpy(daemon->namebuff, "query");
1444 if (last_server->addr.sa.sa_family == AF_INET)
1445 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1446 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1447#ifdef HAVE_IPV6
4f7b304f
SK		 1448 else
1449 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1450 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1451#endif
7d7b7b31
SK		 1452
1453#ifdef HAVE_DNSSEC
1454 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1455 {
1456 int class, status;
1457
1458 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1459
1460 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
1461 {
1462 if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
1463 status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
1464 }
1465
1466 log_query(F_KEYTAG | F_SECSTAT, "result", NULL,
1467 status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1468
1469 if (status == STAT_BOGUS)
1470 no_cache_dnssec = 1;
1471
1472 if (status == STAT_SECURE)
1473 cache_secure = 1;
1474 }
1475#endif
1476
1477 /* restore CD bit to the value in the query */
1478 if (checking_disabled)
1479 header->hb4 |= HB4_CD;
1480 else
1481 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 1482
1483 /* There's no point in updating the cache, since this process will exit and
1484 lose the information after a few queries. We make this call for the alias and
1485 bogus-nxdomain side-effects. */
1486 /* If the crc of the question section doesn't match the crc we sent, then
1487 someone might be attempting to insert bogus values into the cache by
1488 sending replies containing questions and bogus answers. */
1489 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1490 m = process_reply(header, now, last_server, (unsigned int)m,
7d7b7b31
SK		 1491 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
1492 cache_secure, check_subnet, &peer_addr);
4f7b304f
SK		 1493
1494 break;
1495 }
feba5c1d 1496 }
4f7b304f
SK		 1497
1498 /* In case of local answer or no connections made. */
1499 if (m == 0)
1500 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 1501 }
feba5c1d 1502 }
4f7b304f 1503
5aabfc78 1504 check_log_writer(NULL);
feba5c1d 1505
4b5ea12e
SK		 1506 *length = htons(m);
1507
1508 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 1509 return packet;
1510 }
1511}
1512
1697269c 1513static struct frec *allocate_frec(time_t now)
9e4abcb5 1514{
1697269c
SK		 1515 struct frec *f;
1516
5aabfc78 1517 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 1518 {
1a6bca81 1519 f->next = daemon->frec_list;
1697269c 1520 f->time = now;
832af0ba 1521 f->sentto = NULL;
1a6bca81 1522 f->rfd4 = NULL;
28866e95 1523 f->flags = 0;
1a6bca81
SK		 1524#ifdef HAVE_IPV6
1525 f->rfd6 = NULL;
3a237152
SK		 1526#endif
1527#ifdef HAVE_DNSSEC
1528 f->blocking_query = NULL;
4619d946 1529 f->stash = NULL;
1a6bca81
SK		 1530#endif
1531 daemon->frec_list = f;
1697269c 1532 }
9e4abcb5 1533
1697269c
SK		 1534 return f;
1535}
9e4abcb5 1536
1a6bca81
SK		 1537static struct randfd *allocate_rfd(int family)
1538{
1539 static int finger = 0;
1540 int i;
1541
1542 /* limit the number of sockets we have open to avoid starvation of
1543 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1544
1545 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 1546 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 1547 {
9009d746
SK		 1548 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1549 break;
1550
1a6bca81
SK		 1551 daemon->randomsocks[i].refcount = 1;
1552 daemon->randomsocks[i].family = family;
1553 return &daemon->randomsocks[i];
1554 }
1555
9009d746 1556 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 1557 for (i = 0; i < RANDOM_SOCKS; i++)
1558 {
1559 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 1560 if (daemon->randomsocks[j].refcount != 0 &&
1561 daemon->randomsocks[j].family == family &&
1562 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 1563 {
1564 finger = j;
1565 daemon->randomsocks[j].refcount++;
1566 return &daemon->randomsocks[j];
1567 }
1568 }
1569
1570 return NULL; /* doom */
1571}
1a6bca81
SK		 1572static void free_frec(struct frec *f)
1573{
1574 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1575 close(f->rfd4->fd);
1576
1577 f->rfd4 = NULL;
1578 f->sentto = NULL;
28866e95 1579 f->flags = 0;
1a6bca81
SK		 1580
1581#ifdef HAVE_IPV6
1582 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1583 close(f->rfd6->fd);
1584
1585 f->rfd6 = NULL;
1586#endif
3a237152
SK		 1587
1588#ifdef HAVE_DNSSEC
1589 if (f->stash)
0fc2f313
SK		 1590 {
1591 blockdata_free(f->stash);
1592 f->stash = NULL;
1593 }
3a237152
SK		 1594
1595 /* Anything we're waiting on is pointless now, too */
1596 if (f->blocking_query)
1597 free_frec(f->blocking_query);
1598 f->blocking_query = NULL;
1599
1600#endif
1a6bca81
SK		 1601}
1602
1697269c
SK		 1603/* if wait==NULL return a free or older than TIMEOUT record.
1604 else return *wait zero if one available, or *wait is delay to
1a6bca81 1605 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 1606 limit of 4*TIMEOUT before we wipe things (for random sockets).
1607 If force is set, always return a result, even if we have
1608 to allocate above the limit. */
1609struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 1610{
1a6bca81 1611 struct frec *f, *oldest, *target;
1697269c
SK		 1612 int count;
1613
1614 if (wait)
1615 *wait = 0;
1616
1a6bca81 1617 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 1618 if (!f->sentto)
1a6bca81
SK		 1619 target = f;
1620 else
1697269c 1621 {
1a6bca81
SK		 1622 if (difftime(now, f->time) >= 4*TIMEOUT)
1623 {
1624 free_frec(f);
1625 target = f;
1626 }
1627
1628 if (!oldest || difftime(f->time, oldest->time) <= 0)
1629 oldest = f;
1697269c 1630 }
1a6bca81
SK		 1631
1632 if (target)
1633 {
1634 target->time = now;
1635 return target;
1636 }
9e4abcb5
SK		 1637
1638 /* can't find empty one, use oldest if there is one
1639 and it's older than timeout */
1697269c 1640 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 1641 {
1697269c
SK		 1642 /* keep stuff for twice timeout if we can by allocating a new
1643 record instead */
1644 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1645 count <= daemon->ftabsize &&
1646 (f = allocate_frec(now)))
1647 return f;
1648
1649 if (!wait)
1650 {
1a6bca81 1651 free_frec(oldest);
1697269c
SK		 1652 oldest->time = now;
1653 }
9e4abcb5
SK		 1654 return oldest;
1655 }
1656
1697269c 1657 /* none available, calculate time 'till oldest record expires */
3a237152 1658 if (!force && count > daemon->ftabsize)
1697269c 1659 {
0da5e897
MSB		 1660 static time_t last_log = 0;
1661
1697269c
SK		 1662 if (oldest && wait)
1663 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 1664
1665 if ((int)difftime(now, last_log) > 5)
1666 {
1667 last_log = now;
1668 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1669 }
1670
9e4abcb5
SK		 1671 return NULL;
1672 }
1697269c
SK		 1673
1674 if (!(f = allocate_frec(now)) && wait)
1675 /* wait one second on malloc failure */
1676 *wait = 1;
9e4abcb5 1677
9e4abcb5
SK		 1678 return f; /* OK if malloc fails and this is NULL */
1679}
1680
832af0ba
SK		 1681/* crc is all-ones if not known. */
1682static struct frec *lookup_frec(unsigned short id, unsigned int crc)
9e4abcb5
SK		 1683{
1684 struct frec *f;
1685
1a6bca81 1686 for(f = daemon->frec_list; f; f = f->next)
832af0ba
SK		 1687 if (f->sentto && f->new_id == id &&
1688 (f->crc == crc || crc == 0xffffffff))
9e4abcb5
SK		 1689 return f;
1690
1691 return NULL;
1692}
1693
1694static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481
SK		 1695 union mysockaddr *addr,
1696 unsigned int crc)
9e4abcb5 1697{
feba5c1d
SK		 1698 struct frec *f;
1699
1a6bca81 1700 for(f = daemon->frec_list; f; f = f->next)
832af0ba 1701 if (f->sentto &&
9e4abcb5 1702 f->orig_id == id &&
fd9fa481 1703 f->crc == crc &&
9e4abcb5
SK		 1704 sockaddr_isequal(&f->source, addr))
1705 return f;
1706
1707 return NULL;
1708}
1709
849a8357 1710/* A server record is going away, remove references to it */
5aabfc78 1711void server_gone(struct server *server)
849a8357
SK		 1712{
1713 struct frec *f;
1714
1a6bca81 1715 for (f = daemon->frec_list; f; f = f->next)
832af0ba 1716 if (f->sentto && f->sentto == server)
1a6bca81 1717 free_frec(f);
849a8357
SK		 1718
1719 if (daemon->last_server == server)
1720 daemon->last_server = NULL;
1721
1722 if (daemon->srv_save == server)
1723 daemon->srv_save = NULL;
1724}
9e4abcb5 1725
316e2730
SK		 1726/* return unique random ids. */
1727static unsigned short get_id(unsigned int crc)
9e4abcb5
SK		 1728{
1729 unsigned short ret = 0;
832af0ba 1730
316e2730 1731 do
832af0ba
SK		 1732 ret = rand16();
1733 while (lookup_frec(ret, crc));
1734
9e4abcb5
SK		 1735 return ret;
1736}
1737
1738
1739
1740
1741
Michael's tree of dnsmasq.