]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Commit to allow master merge.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, unsigned int crc);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 unsigned int crc);
23 static unsigned short get_id(unsigned int crc);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245 struct server *start = NULL;
246
247 /* RFC 4035: sect 4.6 para 2 */
248 header->hb4 &= ~HB4_AD;
249
250 /* may be no servers available. */
251 if (!daemon->servers)
252 forward = NULL;
253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
254 {
255 /* retry on existing query, send to all available servers */
256 domain = forward->sentto->domain;
257 forward->sentto->failed_queries++;
258 if (!option_bool(OPT_ORDER))
259 {
260 forward->forwardall = 1;
261 daemon->last_server = NULL;
262 }
263 type = forward->sentto->flags & SERV_TYPE;
264 if (!(start = forward->sentto->next))
265 start = daemon->servers; /* at end of list, recycle */
266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272
273 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
274 /* table full - server failure. */
275 flags = F_NEG;
276
277 if (forward)
278 {
279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
282 forward->orig_id = ntohs(header->id);
283 forward->new_id = get_id(crc);
284 forward->fd = udpfd;
285 forward->crc = crc;
286 forward->forwardall = 0;
287 forward->flags = 0;
288 if (norebind)
289 forward->flags |= FREC_NOREBIND;
290 if (header->hb4 & HB4_CD)
291 forward->flags |= FREC_CHECKING_DISABLED;
292
293 header->id = htons(forward->new_id);
294
295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
298 otherwise, use the one last known to work. */
299
300 if (type == 0)
301 {
302 if (option_bool(OPT_ORDER))
303 start = daemon->servers;
304 else if (!(start = daemon->last_server) ||
305 daemon->forwardcount++ > FORWARD_TEST ||
306 difftime(now, daemon->forwardtime) > FORWARD_TIME)
307 {
308 start = daemon->servers;
309 forward->forwardall = 1;
310 daemon->forwardcount = 0;
311 daemon->forwardtime = now;
312 }
313 }
314 else
315 {
316 start = daemon->servers;
317 if (!option_bool(OPT_ORDER))
318 forward->forwardall = 1;
319 }
320 }
321 }
322
323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
326
327 if (!flags && forward)
328 {
329 struct server *firstsentto = start;
330 int forwarded = 0;
331
332 if (option_bool(OPT_ADD_MAC))
333 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
334
335 if (option_bool(OPT_CLIENT_SUBNET))
336 {
337 size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source);
338 if (new != plen)
339 {
340 plen = new;
341 forward->flags |= FREC_HAS_SUBNET;
342 }
343 }
344
345 #ifdef HAVE_DNSSEC
346 if (option_bool(OPT_DNSSEC_VALID))
347 plen = add_do_bit(header, plen, ((char *) header) + PACKETSZ);
348 #endif
349
350 while (1)
351 {
352 /* only send to servers dealing with our domain.
353 domain may be NULL, in which case server->domain
354 must be NULL also. */
355
356 if (type == (start->flags & SERV_TYPE) &&
357 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
358 !(start->flags & SERV_LITERAL_ADDRESS))
359 {
360 int fd;
361
362 /* find server socket to use, may need to get random one. */
363 if (start->sfd)
364 fd = start->sfd->fd;
365 else
366 {
367 #ifdef HAVE_IPV6
368 if (start->addr.sa.sa_family == AF_INET6)
369 {
370 if (!forward->rfd6 &&
371 !(forward->rfd6 = allocate_rfd(AF_INET6)))
372 break;
373 daemon->rfd_save = forward->rfd6;
374 fd = forward->rfd6->fd;
375 }
376 else
377 #endif
378 {
379 if (!forward->rfd4 &&
380 !(forward->rfd4 = allocate_rfd(AF_INET)))
381 break;
382 daemon->rfd_save = forward->rfd4;
383 fd = forward->rfd4->fd;
384 }
385
386 #ifdef HAVE_CONNTRACK
387 /* Copy connection mark of incoming query to outgoing connection. */
388 if (option_bool(OPT_CONNTRACK))
389 {
390 unsigned int mark;
391 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
392 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
393 }
394 #endif
395 }
396
397 if (sendto(fd, (char *)header, plen, 0,
398 &start->addr.sa,
399 sa_len(&start->addr)) == -1)
400 {
401 if (retry_send())
402 continue;
403 }
404 else
405 {
406 /* Keep info in case we want to re-send this packet */
407 daemon->srv_save = start;
408 daemon->packet_len = plen;
409
410 if (!gotname)
411 strcpy(daemon->namebuff, "query");
412 if (start->addr.sa.sa_family == AF_INET)
413 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
414 (struct all_addr *)&start->addr.in.sin_addr, NULL);
415 #ifdef HAVE_IPV6
416 else
417 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
418 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
419 #endif
420 start->queries++;
421 forwarded = 1;
422 forward->sentto = start;
423 if (!forward->forwardall)
424 break;
425 forward->forwardall++;
426 }
427 }
428
429 if (!(start = start->next))
430 start = daemon->servers;
431
432 if (start == firstsentto)
433 break;
434 }
435
436 if (forwarded)
437 return 1;
438
439 /* could not send on, prepare to return */
440 header->id = htons(forward->orig_id);
441 free_frec(forward); /* cancel */
442 }
443
444 /* could not send on, return empty answer or address if known for whole domain */
445 if (udpfd != -1)
446 {
447 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
448 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
449 }
450
451 return 0;
452 }
453
454 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
455 int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
456 {
457 unsigned char *pheader, *sizep;
458 char **sets = 0;
459 int munged = 0, is_sign;
460 size_t plen;
461 int squash_ad = 0;
462
463 #ifdef HAVE_IPSET
464 /* Similar algorithm to search_servers. */
465 struct ipsets *ipset_pos;
466 unsigned int namelen = strlen(daemon->namebuff);
467 unsigned int matchlen = 0;
468 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
469 {
470 unsigned int domainlen = strlen(ipset_pos->domain);
471 char *matchstart = daemon->namebuff + namelen - domainlen;
472 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
473 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
474 domainlen >= matchlen) {
475 matchlen = domainlen;
476 sets = ipset_pos->sets;
477 }
478 }
479 #endif
480
481 /* If upstream is advertising a larger UDP packet size
482 than we allow, trim it so that we don't get overlarge
483 requests for the client. We can't do this for signed packets. */
484
485 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
486 {
487 if (!is_sign)
488 {
489 unsigned short udpsz;
490 unsigned char *psave = sizep;
491
492 GETSHORT(udpsz, sizep);
493 if (udpsz > daemon->edns_pktsz)
494 PUTSHORT(daemon->edns_pktsz, psave);
495 }
496
497 if (check_subnet && !check_source(header, plen, pheader, query_source))
498 {
499 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
500 return 0;
501 }
502 }
503
504 /* RFC 4035 sect 4.6 para 3 */
505 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
506 squash_ad = 1;
507
508 #ifdef HAVE_DNSSEC
509 if (option_bool(OPT_DNSSEC_VALID))
510 squash_ad = no_cache;
511
512 if (cache_secure)
513 header->hb4 |= HB4_AD;
514 #endif
515
516 if (squash_ad)
517 header->hb4 &= ~HB4_AD;
518
519 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
520 return n;
521
522 /* Complain loudly if the upstream server is non-recursive. */
523 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
524 server && !(server->flags & SERV_WARNED_RECURSIVE))
525 {
526 prettyprint_addr(&server->addr, daemon->namebuff);
527 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
528 if (!option_bool(OPT_LOG))
529 server->flags |= SERV_WARNED_RECURSIVE;
530 }
531
532 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
533 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
534 {
535 munged = 1;
536 SET_RCODE(header, NXDOMAIN);
537 header->hb3 &= ~HB3_AA;
538 }
539 else
540 {
541 if (RCODE(header) == NXDOMAIN &&
542 extract_request(header, n, daemon->namebuff, NULL) &&
543 check_for_local_domain(daemon->namebuff, now))
544 {
545 /* if we forwarded a query for a locally known name (because it was for
546 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
547 since we know that the domain exists, even if upstream doesn't */
548 munged = 1;
549 header->hb3 |= HB3_AA;
550 SET_RCODE(header, NOERROR);
551 }
552
553 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache))
554 {
555 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
556 munged = 1;
557 }
558 }
559
560 /* do this after extract_addresses. Ensure NODATA reply and remove
561 nameserver info. */
562
563 if (munged)
564 {
565 header->ancount = htons(0);
566 header->nscount = htons(0);
567 header->arcount = htons(0);
568 }
569
570 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
571 sections of the packet. Find the new length here and put back pseudoheader
572 if it was removed. */
573 return resize_packet(header, n, pheader, plen);
574 }
575
576 /* sets new last_server */
577 void reply_query(int fd, int family, time_t now)
578 {
579 /* packet from peer server, extract data for cache, and send to
580 original requester */
581 struct dns_header *header;
582 union mysockaddr serveraddr;
583 struct frec *forward;
584 socklen_t addrlen = sizeof(serveraddr);
585 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
586 size_t nn;
587 struct server *server;
588
589 /* packet buffer overwritten */
590 daemon->srv_save = NULL;
591
592 /* Determine the address of the server replying so that we can mark that as good */
593 serveraddr.sa.sa_family = family;
594 #ifdef HAVE_IPV6
595 if (serveraddr.sa.sa_family == AF_INET6)
596 serveraddr.in6.sin6_flowinfo = 0;
597 #endif
598
599 /* spoof check: answer must come from known server, */
600 for (server = daemon->servers; server; server = server->next)
601 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
602 sockaddr_isequal(&server->addr, &serveraddr))
603 break;
604
605 header = (struct dns_header *)daemon->packet;
606
607 if (!server ||
608 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
609 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
610 return;
611
612 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
613 !option_bool(OPT_ORDER) &&
614 forward->forwardall == 0)
615 /* for broken servers, attempt to send to another one. */
616 {
617 unsigned char *pheader;
618 size_t plen;
619 int is_sign;
620
621 /* recreate query from reply */
622 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
623 if (!is_sign)
624 {
625 header->ancount = htons(0);
626 header->nscount = htons(0);
627 header->arcount = htons(0);
628 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
629 {
630 header->hb3 &= ~(HB3_QR | HB3_TC);
631 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
632 return;
633 }
634 }
635 }
636
637 server = forward->sentto;
638
639 if ((forward->sentto->flags & SERV_TYPE) == 0)
640 {
641 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
642 server = NULL;
643 else
644 {
645 struct server *last_server;
646
647 /* find good server by address if possible, otherwise assume the last one we sent to */
648 for (last_server = daemon->servers; last_server; last_server = last_server->next)
649 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
650 sockaddr_isequal(&last_server->addr, &serveraddr))
651 {
652 server = last_server;
653 break;
654 }
655 }
656 if (!option_bool(OPT_ALL_SERVERS))
657 daemon->last_server = server;
658 }
659
660 /* If the answer is an error, keep the forward record in place in case
661 we get a good reply from another server. Kill it when we've
662 had replies from all to avoid filling the forwarding table when
663 everything is broken */
664 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
665 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
666 {
667 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
668
669 if (option_bool(OPT_NO_REBIND))
670 check_rebind = !(forward->flags & FREC_NOREBIND);
671
672 /* Don't cache replies where DNSSEC validation was turned off, either
673 the upstream server told us so, or the original query specified it. */
674 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
675 no_cache_dnssec = 1;
676
677 #ifdef HAVE_DNSSEC
678 if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
679 {
680 int status = dnssec_validate(forward->flags, header, n);
681
682 /* Can't validate, as we're missing key data. Put this
683 answer aside, whilst we get that. */
684 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
685 {
686 struct frec *new;
687 if ((forward->stash = blockdata_alloc((char *)header, n)))
688 {
689 forward->stash_len = n;
690
691 /* Now formulate a query for the missing data. */
692 nn = dnssec_generate_query(header, status);
693 new = get_new_frec(now, NULL, 1);
694
695 if (new)
696 {
697 int fd;
698
699 new = forward; /* copy everything, then overwrite */
700 new->dependent = forward; /* to find query awaiting new one. */
701 forward->blocking_query = new; /* for garbage cleaning */
702 new->flags |= FREC_DNSSEC_QUERY;
703 if (status == STAT_NEED_KEY)
704 new->flags |= FREC_DNSKEY_QUERY; /* So we verify differently */
705 else if (status == STAT_NEED_DS)
706 new->flags |= FREC_DS_QUERY;
707 new->crc = questions_crc(header, nn, daemon->namebuff);
708 new->new_id = get_id(new->crc);
709
710 /* Don't resend this. */
711 daemon->srv_save = NULL;
712
713 if (server->sfd)
714 fd = server->sfd->fd;
715 else
716 #ifdef HAVE_IPV6
717 /* Note that we use the same random port for the DNSSEC stuff */
718 if (server->addr.sa.sa_family == AF_INET6)
719 {
720 fd = new->rfd6->fd;
721 new->rfd6->refcount++;
722 }
723 else
724 #endif
725 {
726 fd = new->rfd4->fd;
727 new->rfd4->refcount++;
728 }
729
730 /* Send DNSSEC query to same server as original query */
731 while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
732 }
733 }
734 return;
735 }
736
737 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
738 Now wind back down, pulling back answers which wouldn't previously validate
739 and validate them with the new data. Failure to find needed data here is an internal error.
740 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
741 return it to the original requestor. */
742 while (forward->flags & FREC_DNSSEC_QUERY)
743 {
744 if (status == STAT_SECURE)
745 extract_dnssec_replies();
746 free_frec(forward);
747 forward = forward->dependent;
748 blockdata_retrieve_and_free(forward->stash, forward->stash_len, (void *)header);
749 n = forward->stash_len;
750 if (status == STAT_SECURE)
751 {
752 status = dnssec_validate(forward->flags, header, n);
753 if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
754 my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
755 }
756 }
757
758 if (status == STAT_SECURE)
759 cache_secure = 1;
760 /* TODO return SERVFAIL here */
761 else if (status == STAT_BOGUS)
762 no_cache_dnssec = 1;
763 }
764 #endif
765
766 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
767 forward->flags & FREC_HAS_SUBNET, &forward->source)))
768 {
769 header->id = htons(forward->orig_id);
770 header->hb4 |= HB4_RA; /* recursion if available */
771 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
772 &forward->source, &forward->dest, forward->iface);
773 }
774 free_frec(forward); /* cancel */
775 }
776 }
777
778
779 void receive_query(struct listener *listen, time_t now)
780 {
781 struct dns_header *header = (struct dns_header *)daemon->packet;
782 union mysockaddr source_addr;
783 unsigned short type;
784 struct all_addr dst_addr;
785 struct in_addr netmask, dst_addr_4;
786 size_t m;
787 ssize_t n;
788 int if_index = 0;
789 int local_auth = 0, auth_dns = 0;
790 struct iovec iov[1];
791 struct msghdr msg;
792 struct cmsghdr *cmptr;
793 union {
794 struct cmsghdr align; /* this ensures alignment */
795 #ifdef HAVE_IPV6
796 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
797 #endif
798 #if defined(HAVE_LINUX_NETWORK)
799 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
800 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
801 char control[CMSG_SPACE(sizeof(struct in_addr)) +
802 CMSG_SPACE(sizeof(unsigned int))];
803 #elif defined(IP_RECVDSTADDR)
804 char control[CMSG_SPACE(sizeof(struct in_addr)) +
805 CMSG_SPACE(sizeof(struct sockaddr_dl))];
806 #endif
807 } control_u;
808
809 /* packet buffer overwritten */
810 daemon->srv_save = NULL;
811
812 dst_addr_4.s_addr = 0;
813 netmask.s_addr = 0;
814
815 if (option_bool(OPT_NOWILD) && listen->iface)
816 {
817 auth_dns = listen->iface->dns_auth;
818
819 if (listen->family == AF_INET)
820 {
821 dst_addr_4 = listen->iface->addr.in.sin_addr;
822 netmask = listen->iface->netmask;
823 }
824 }
825
826 iov[0].iov_base = daemon->packet;
827 iov[0].iov_len = daemon->edns_pktsz;
828
829 msg.msg_control = control_u.control;
830 msg.msg_controllen = sizeof(control_u);
831 msg.msg_flags = 0;
832 msg.msg_name = &source_addr;
833 msg.msg_namelen = sizeof(source_addr);
834 msg.msg_iov = iov;
835 msg.msg_iovlen = 1;
836
837 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
838 return;
839
840 if (n < (int)sizeof(struct dns_header) ||
841 (msg.msg_flags & MSG_TRUNC) ||
842 (header->hb3 & HB3_QR))
843 return;
844
845 source_addr.sa.sa_family = listen->family;
846 #ifdef HAVE_IPV6
847 if (listen->family == AF_INET6)
848 source_addr.in6.sin6_flowinfo = 0;
849 #endif
850
851 if (!option_bool(OPT_NOWILD))
852 {
853 struct ifreq ifr;
854
855 if (msg.msg_controllen < sizeof(struct cmsghdr))
856 return;
857
858 #if defined(HAVE_LINUX_NETWORK)
859 if (listen->family == AF_INET)
860 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
861 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
862 {
863 union {
864 unsigned char *c;
865 struct in_pktinfo *p;
866 } p;
867 p.c = CMSG_DATA(cmptr);
868 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
869 if_index = p.p->ipi_ifindex;
870 }
871 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
872 if (listen->family == AF_INET)
873 {
874 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
875 {
876 union {
877 unsigned char *c;
878 unsigned int *i;
879 struct in_addr *a;
880 #ifndef HAVE_SOLARIS_NETWORK
881 struct sockaddr_dl *s;
882 #endif
883 } p;
884 p.c = CMSG_DATA(cmptr);
885 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
886 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
887 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
888 #ifdef HAVE_SOLARIS_NETWORK
889 if_index = *(p.i);
890 #else
891 if_index = p.s->sdl_index;
892 #endif
893 }
894 }
895 #endif
896
897 #ifdef HAVE_IPV6
898 if (listen->family == AF_INET6)
899 {
900 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
901 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
902 {
903 union {
904 unsigned char *c;
905 struct in6_pktinfo *p;
906 } p;
907 p.c = CMSG_DATA(cmptr);
908
909 dst_addr.addr.addr6 = p.p->ipi6_addr;
910 if_index = p.p->ipi6_ifindex;
911 }
912 }
913 #endif
914
915 /* enforce available interface configuration */
916
917 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
918 return;
919
920 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
921 {
922 if (!option_bool(OPT_CLEVERBIND))
923 enumerate_interfaces(0);
924 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
925 !label_exception(if_index, listen->family, &dst_addr))
926 return;
927 }
928
929 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
930 {
931 struct irec *iface;
932
933 /* get the netmask of the interface whch has the address we were sent to.
934 This is no neccessarily the interface we arrived on. */
935
936 for (iface = daemon->interfaces; iface; iface = iface->next)
937 if (iface->addr.sa.sa_family == AF_INET &&
938 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
939 break;
940
941 /* interface may be new */
942 if (!iface && !option_bool(OPT_CLEVERBIND))
943 enumerate_interfaces(0);
944
945 for (iface = daemon->interfaces; iface; iface = iface->next)
946 if (iface->addr.sa.sa_family == AF_INET &&
947 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
948 break;
949
950 /* If we failed, abandon localisation */
951 if (iface)
952 netmask = iface->netmask;
953 else
954 dst_addr_4.s_addr = 0;
955 }
956 }
957
958 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
959 {
960 char types[20];
961 #ifdef HAVE_AUTH
962 struct auth_zone *zone;
963 #endif
964
965 querystr(auth_dns ? "auth" : "query", types, type);
966
967 if (listen->family == AF_INET)
968 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
969 (struct all_addr *)&source_addr.in.sin_addr, types);
970 #ifdef HAVE_IPV6
971 else
972 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
973 (struct all_addr *)&source_addr.in6.sin6_addr, types);
974 #endif
975
976 #ifdef HAVE_AUTH
977 /* find queries for zones we're authoritative for, and answer them directly */
978 if (!auth_dns)
979 for (zone = daemon->auth_zones; zone; zone = zone->next)
980 if (in_zone(zone, daemon->namebuff, NULL))
981 {
982 auth_dns = 1;
983 local_auth = 1;
984 break;
985 }
986 #endif
987 }
988
989 #ifdef HAVE_AUTH
990 if (auth_dns)
991 {
992 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
993 if (m >= 1)
994 {
995 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
996 (char *)header, m, &source_addr, &dst_addr, if_index);
997 daemon->auth_answer++;
998 }
999 }
1000 else
1001 #endif
1002 {
1003 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
1004 dst_addr_4, netmask, now);
1005
1006 if (m >= 1)
1007 {
1008 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1009 (char *)header, m, &source_addr, &dst_addr, if_index);
1010 daemon->local_answer++;
1011 }
1012 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
1013 header, (size_t)n, now, NULL))
1014 daemon->queries_forwarded++;
1015 else
1016 daemon->local_answer++;
1017 }
1018 }
1019
1020 /* The daemon forks before calling this: it should deal with one connection,
1021 blocking as neccessary, and then return. Note, need to be a bit careful
1022 about resources for debug mode, when the fork is suppressed: that's
1023 done by the caller. */
1024 unsigned char *tcp_request(int confd, time_t now,
1025 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
1026 {
1027 size_t size = 0;
1028 int norebind = 0;
1029 int local_auth = 0;
1030 int checking_disabled, check_subnet;
1031 size_t m;
1032 unsigned short qtype;
1033 unsigned int gotname;
1034 unsigned char c1, c2;
1035 /* Max TCP packet + slop + size */
1036 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1037 unsigned char *payload = &packet[2];
1038 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1039 struct dns_header *header = (struct dns_header *)payload;
1040 u16 *length = (u16 *)packet;
1041 struct server *last_server;
1042 struct in_addr dst_addr_4;
1043 union mysockaddr peer_addr;
1044 socklen_t peer_len = sizeof(union mysockaddr);
1045
1046 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1047 return packet;
1048
1049 while (1)
1050 {
1051 if (!packet ||
1052 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1053 !(size = c1 << 8 | c2) ||
1054 !read_write(confd, payload, size, 1))
1055 return packet;
1056
1057 if (size < (int)sizeof(struct dns_header))
1058 continue;
1059
1060 check_subnet = 0;
1061
1062 /* save state of "cd" flag in query */
1063 checking_disabled = header->hb4 & HB4_CD;
1064
1065 /* RFC 4035: sect 4.6 para 2 */
1066 header->hb4 &= ~HB4_AD;
1067
1068 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1069 {
1070 char types[20];
1071 #ifdef HAVE_AUTH
1072 struct auth_zone *zone;
1073 #endif
1074 querystr(auth_dns ? "auth" : "query", types, qtype);
1075
1076 if (peer_addr.sa.sa_family == AF_INET)
1077 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1078 (struct all_addr *)&peer_addr.in.sin_addr, types);
1079 #ifdef HAVE_IPV6
1080 else
1081 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1082 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
1083 #endif
1084
1085 #ifdef HAVE_AUTH
1086 /* find queries for zones we're authoritative for, and answer them directly */
1087 if (!auth_dns)
1088 for (zone = daemon->auth_zones; zone; zone = zone->next)
1089 if (in_zone(zone, daemon->namebuff, NULL))
1090 {
1091 auth_dns = 1;
1092 local_auth = 1;
1093 break;
1094 }
1095 #endif
1096 }
1097
1098 if (local_addr->sa.sa_family == AF_INET)
1099 dst_addr_4 = local_addr->in.sin_addr;
1100 else
1101 dst_addr_4.s_addr = 0;
1102
1103 #ifdef HAVE_AUTH
1104 if (auth_dns)
1105 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
1106 else
1107 #endif
1108 {
1109 /* m > 0 if answered from cache */
1110 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
1111 dst_addr_4, netmask, now);
1112
1113 /* Do this by steam now we're not in the select() loop */
1114 check_log_writer(NULL);
1115
1116 if (m == 0)
1117 {
1118 unsigned int flags = 0;
1119 struct all_addr *addrp = NULL;
1120 int type = 0;
1121 char *domain = NULL;
1122
1123 if (option_bool(OPT_ADD_MAC))
1124 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
1125
1126 if (option_bool(OPT_CLIENT_SUBNET))
1127 {
1128 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1129 if (size != new)
1130 {
1131 size = new;
1132 check_subnet = 1;
1133 }
1134 }
1135
1136 if (gotname)
1137 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1138
1139 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1140 last_server = daemon->servers;
1141 else
1142 last_server = daemon->last_server;
1143
1144 if (!flags && last_server)
1145 {
1146 struct server *firstsendto = NULL;
1147 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
1148
1149 /* Loop round available servers until we succeed in connecting to one.
1150 Note that this code subtley ensures that consecutive queries on this connection
1151 which can go to the same server, do so. */
1152 while (1)
1153 {
1154 if (!firstsendto)
1155 firstsendto = last_server;
1156 else
1157 {
1158 if (!(last_server = last_server->next))
1159 last_server = daemon->servers;
1160
1161 if (last_server == firstsendto)
1162 break;
1163 }
1164
1165 /* server for wrong domain */
1166 if (type != (last_server->flags & SERV_TYPE) ||
1167 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
1168 continue;
1169
1170 if (last_server->tcpfd == -1)
1171 {
1172 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1173 continue;
1174
1175 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1176 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1177 {
1178 close(last_server->tcpfd);
1179 last_server->tcpfd = -1;
1180 continue;
1181 }
1182
1183 #ifdef HAVE_CONNTRACK
1184 /* Copy connection mark of incoming query to outgoing connection. */
1185 if (option_bool(OPT_CONNTRACK))
1186 {
1187 unsigned int mark;
1188 struct all_addr local;
1189 #ifdef HAVE_IPV6
1190 if (local_addr->sa.sa_family == AF_INET6)
1191 local.addr.addr6 = local_addr->in6.sin6_addr;
1192 else
1193 #endif
1194 local.addr.addr4 = local_addr->in.sin_addr;
1195
1196 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1197 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1198 }
1199 #endif
1200 }
1201
1202 *length = htons(size);
1203
1204 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
1205 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1206 !read_write(last_server->tcpfd, &c2, 1, 1))
1207 {
1208 close(last_server->tcpfd);
1209 last_server->tcpfd = -1;
1210 continue;
1211 }
1212
1213 m = (c1 << 8) | c2;
1214 if (!read_write(last_server->tcpfd, payload, m, 1))
1215 return packet;
1216
1217 if (!gotname)
1218 strcpy(daemon->namebuff, "query");
1219 if (last_server->addr.sa.sa_family == AF_INET)
1220 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1221 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1222 #ifdef HAVE_IPV6
1223 else
1224 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1225 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1226 #endif
1227
1228 /* There's no point in updating the cache, since this process will exit and
1229 lose the information after a few queries. We make this call for the alias and
1230 bogus-nxdomain side-effects. */
1231 /* If the crc of the question section doesn't match the crc we sent, then
1232 someone might be attempting to insert bogus values into the cache by
1233 sending replies containing questions and bogus answers. */
1234 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1235 m = process_reply(header, now, last_server, (unsigned int)m,
1236 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
1237 0, check_subnet, &peer_addr); /* TODO - cache secure */
1238
1239 break;
1240 }
1241 }
1242
1243 /* In case of local answer or no connections made. */
1244 if (m == 0)
1245 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1246 }
1247 }
1248
1249 check_log_writer(NULL);
1250
1251 *length = htons(m);
1252
1253 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
1254 return packet;
1255 }
1256 }
1257
1258 static struct frec *allocate_frec(time_t now)
1259 {
1260 struct frec *f;
1261
1262 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1263 {
1264 f->next = daemon->frec_list;
1265 f->time = now;
1266 f->sentto = NULL;
1267 f->rfd4 = NULL;
1268 f->flags = 0;
1269 #ifdef HAVE_IPV6
1270 f->rfd6 = NULL;
1271 #endif
1272 #ifdef HAVE_DNSSEC
1273 f->blocking_query = NULL;
1274 #endif
1275 daemon->frec_list = f;
1276 }
1277
1278 return f;
1279 }
1280
1281 static struct randfd *allocate_rfd(int family)
1282 {
1283 static int finger = 0;
1284 int i;
1285
1286 /* limit the number of sockets we have open to avoid starvation of
1287 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1288
1289 for (i = 0; i < RANDOM_SOCKS; i++)
1290 if (daemon->randomsocks[i].refcount == 0)
1291 {
1292 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1293 break;
1294
1295 daemon->randomsocks[i].refcount = 1;
1296 daemon->randomsocks[i].family = family;
1297 return &daemon->randomsocks[i];
1298 }
1299
1300 /* No free ones or cannot get new socket, grab an existing one */
1301 for (i = 0; i < RANDOM_SOCKS; i++)
1302 {
1303 int j = (i+finger) % RANDOM_SOCKS;
1304 if (daemon->randomsocks[j].refcount != 0 &&
1305 daemon->randomsocks[j].family == family &&
1306 daemon->randomsocks[j].refcount != 0xffff)
1307 {
1308 finger = j;
1309 daemon->randomsocks[j].refcount++;
1310 return &daemon->randomsocks[j];
1311 }
1312 }
1313
1314 return NULL; /* doom */
1315 }
1316
1317 static void free_frec(struct frec *f)
1318 {
1319 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1320 close(f->rfd4->fd);
1321
1322 f->rfd4 = NULL;
1323 f->sentto = NULL;
1324 f->flags = 0;
1325
1326 #ifdef HAVE_IPV6
1327 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1328 close(f->rfd6->fd);
1329
1330 f->rfd6 = NULL;
1331 #endif
1332
1333 #ifdef HAVE_DNSSEC
1334 if (f->stash)
1335 blockdata_free(f->stash);
1336
1337 /* Anything we're waiting on is pointless now, too */
1338 if (f->blocking_query)
1339 free_frec(f->blocking_query);
1340 f->blocking_query = NULL;
1341
1342 #endif
1343 }
1344
1345 /* if wait==NULL return a free or older than TIMEOUT record.
1346 else return *wait zero if one available, or *wait is delay to
1347 when the oldest in-use record will expire. Impose an absolute
1348 limit of 4*TIMEOUT before we wipe things (for random sockets).
1349 If force is set, always return a result, even if we have
1350 to allocate above the limit. */
1351 struct frec *get_new_frec(time_t now, int *wait, int force)
1352 {
1353 struct frec *f, *oldest, *target;
1354 int count;
1355
1356 if (wait)
1357 *wait = 0;
1358
1359 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1360 if (!f->sentto)
1361 target = f;
1362 else
1363 {
1364 if (difftime(now, f->time) >= 4*TIMEOUT)
1365 {
1366 free_frec(f);
1367 target = f;
1368 }
1369
1370 if (!oldest || difftime(f->time, oldest->time) <= 0)
1371 oldest = f;
1372 }
1373
1374 if (target)
1375 {
1376 target->time = now;
1377 return target;
1378 }
1379
1380 /* can't find empty one, use oldest if there is one
1381 and it's older than timeout */
1382 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1383 {
1384 /* keep stuff for twice timeout if we can by allocating a new
1385 record instead */
1386 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1387 count <= daemon->ftabsize &&
1388 (f = allocate_frec(now)))
1389 return f;
1390
1391 if (!wait)
1392 {
1393 free_frec(oldest);
1394 oldest->time = now;
1395 }
1396 return oldest;
1397 }
1398
1399 /* none available, calculate time 'till oldest record expires */
1400 if (!force && count > daemon->ftabsize)
1401 {
1402 static time_t last_log = 0;
1403
1404 if (oldest && wait)
1405 *wait = oldest->time + (time_t)TIMEOUT - now;
1406
1407 if ((int)difftime(now, last_log) > 5)
1408 {
1409 last_log = now;
1410 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
1411 }
1412
1413 return NULL;
1414 }
1415
1416 if (!(f = allocate_frec(now)) && wait)
1417 /* wait one second on malloc failure */
1418 *wait = 1;
1419
1420 return f; /* OK if malloc fails and this is NULL */
1421 }
1422
1423 /* crc is all-ones if not known. */
1424 static struct frec *lookup_frec(unsigned short id, unsigned int crc)
1425 {
1426 struct frec *f;
1427
1428 for(f = daemon->frec_list; f; f = f->next)
1429 if (f->sentto && f->new_id == id &&
1430 (f->crc == crc || crc == 0xffffffff))
1431 return f;
1432
1433 return NULL;
1434 }
1435
1436 static struct frec *lookup_frec_by_sender(unsigned short id,
1437 union mysockaddr *addr,
1438 unsigned int crc)
1439 {
1440 struct frec *f;
1441
1442 for(f = daemon->frec_list; f; f = f->next)
1443 if (f->sentto &&
1444 f->orig_id == id &&
1445 f->crc == crc &&
1446 sockaddr_isequal(&f->source, addr))
1447 return f;
1448
1449 return NULL;
1450 }
1451
1452 /* A server record is going away, remove references to it */
1453 void server_gone(struct server *server)
1454 {
1455 struct frec *f;
1456
1457 for (f = daemon->frec_list; f; f = f->next)
1458 if (f->sentto && f->sentto == server)
1459 free_frec(f);
1460
1461 if (daemon->last_server == server)
1462 daemon->last_server = NULL;
1463
1464 if (daemon->srv_save == server)
1465 daemon->srv_save = NULL;
1466 }
1467
1468 /* return unique random ids. */
1469 static unsigned short get_id(unsigned int crc)
1470 {
1471 unsigned short ret = 0;
1472
1473 do
1474 ret = rand16();
1475 while (lookup_frec(ret, crc));
1476
1477 return ret;
1478 }
1479
1480
1481
1482
1483
Michael's tree of dnsmasq.