]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2012 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
255 /* retry on existing query, send to all available servers */
256 domain
= forward
->sentto
->domain
;
257 forward
->sentto
->failed_queries
++;
258 if (!option_bool(OPT_ORDER
))
260 forward
->forwardall
= 1;
261 daemon
->last_server
= NULL
;
263 type
= forward
->sentto
->flags
& SERV_TYPE
;
264 if (!(start
= forward
->sentto
->next
))
265 start
= daemon
->servers
; /* at end of list, recycle */
266 header
->id
= htons(forward
->new_id
);
271 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
273 if (!flags
&& !(forward
= get_new_frec(now
, NULL
)))
274 /* table full - server failure. */
279 forward
->source
= *udpaddr
;
280 forward
->dest
= *dst_addr
;
281 forward
->iface
= dst_iface
;
282 forward
->orig_id
= ntohs(header
->id
);
283 forward
->new_id
= get_id(crc
);
286 forward
->forwardall
= 0;
288 forward
->flags
|= FREC_NOREBIND
;
289 if (header
->hb4
& HB4_CD
)
290 forward
->flags
|= FREC_CHECKING_DISABLED
;
292 header
->id
= htons(forward
->new_id
);
294 /* In strict_order mode, always try servers in the order
295 specified in resolv.conf, if a domain is given
296 always try all the available servers,
297 otherwise, use the one last known to work. */
301 if (option_bool(OPT_ORDER
))
302 start
= daemon
->servers
;
303 else if (!(start
= daemon
->last_server
) ||
304 daemon
->forwardcount
++ > FORWARD_TEST
||
305 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
307 start
= daemon
->servers
;
308 forward
->forwardall
= 1;
309 daemon
->forwardcount
= 0;
310 daemon
->forwardtime
= now
;
315 start
= daemon
->servers
;
316 if (!option_bool(OPT_ORDER
))
317 forward
->forwardall
= 1;
322 /* check for send errors here (no route to host)
323 if we fail to send to all nameservers, send back an error
324 packet straight away (helps modem users when offline) */
326 if (!flags
&& forward
)
328 struct server
*firstsentto
= start
;
331 if (udpaddr
&& option_bool(OPT_ADD_MAC
))
332 plen
= add_mac(header
, plen
, ((char *) header
) + PACKETSZ
, udpaddr
);
336 /* only send to servers dealing with our domain.
337 domain may be NULL, in which case server->domain
338 must be NULL also. */
340 if (type
== (start
->flags
& SERV_TYPE
) &&
341 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
342 !(start
->flags
& SERV_LITERAL_ADDRESS
))
346 /* find server socket to use, may need to get random one. */
352 if (start
->addr
.sa
.sa_family
== AF_INET6
)
354 if (!forward
->rfd6
&&
355 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
357 daemon
->rfd_save
= forward
->rfd6
;
358 fd
= forward
->rfd6
->fd
;
363 if (!forward
->rfd4
&&
364 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
366 daemon
->rfd_save
= forward
->rfd4
;
367 fd
= forward
->rfd4
->fd
;
370 #ifdef HAVE_CONNTRACK
371 /* Copy connection mark of incoming query to outgoing connection. */
372 if (option_bool(OPT_CONNTRACK
))
375 if (get_incoming_mark(udpaddr
, dst_addr
, 0, &mark
))
376 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
381 if (sendto(fd
, (char *)header
, plen
, 0,
383 sa_len(&start
->addr
)) == -1)
390 /* Keep info in case we want to re-send this packet */
391 daemon
->srv_save
= start
;
392 daemon
->packet_len
= plen
;
395 strcpy(daemon
->namebuff
, "query");
396 if (start
->addr
.sa
.sa_family
== AF_INET
)
397 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
398 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
401 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
402 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
406 forward
->sentto
= start
;
407 if (!forward
->forwardall
)
409 forward
->forwardall
++;
413 if (!(start
= start
->next
))
414 start
= daemon
->servers
;
416 if (start
== firstsentto
)
423 /* could not send on, prepare to return */
424 header
->id
= htons(forward
->orig_id
);
425 free_frec(forward
); /* cancel */
428 /* could not send on, return empty answer or address if known for whole domain */
431 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
432 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
438 static size_t process_reply(struct dns_header
*header
, time_t now
,
439 struct server
*server
, size_t n
, int check_rebind
, int checking_disabled
)
441 unsigned char *pheader
, *sizep
;
442 int munged
= 0, is_sign
;
445 /* If upstream is advertising a larger UDP packet size
446 than we allow, trim it so that we don't get overlarge
447 requests for the client. We can't do this for signed packets. */
449 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)) && !is_sign
)
451 unsigned short udpsz
;
452 unsigned char *psave
= sizep
;
454 GETSHORT(udpsz
, sizep
);
455 if (udpsz
> daemon
->edns_pktsz
)
456 PUTSHORT(daemon
->edns_pktsz
, psave
);
459 /* RFC 4035 sect 4.6 para 3 */
460 if (!is_sign
&& !option_bool(OPT_DNSSEC
))
461 header
->hb4
&= ~HB4_AD
;
463 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
466 /* Complain loudly if the upstream server is non-recursive. */
467 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
468 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
470 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
471 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
472 if (!option_bool(OPT_LOG
))
473 server
->flags
|= SERV_WARNED_RECURSIVE
;
476 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
477 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
480 SET_RCODE(header
, NXDOMAIN
);
481 header
->hb3
&= ~HB3_AA
;
485 if (RCODE(header
) == NXDOMAIN
&&
486 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
487 check_for_local_domain(daemon
->namebuff
, now
))
489 /* if we forwarded a query for a locally known name (because it was for
490 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
491 since we know that the domain exists, even if upstream doesn't */
493 header
->hb3
|= HB3_AA
;
494 SET_RCODE(header
, NOERROR
);
497 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, is_sign
, check_rebind
, checking_disabled
))
499 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
504 /* do this after extract_addresses. Ensure NODATA reply and remove
509 header
->ancount
= htons(0);
510 header
->nscount
= htons(0);
511 header
->arcount
= htons(0);
514 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
515 sections of the packet. Find the new length here and put back pseudoheader
516 if it was removed. */
517 return resize_packet(header
, n
, pheader
, plen
);
520 /* sets new last_server */
521 void reply_query(int fd
, int family
, time_t now
)
523 /* packet from peer server, extract data for cache, and send to
524 original requester */
525 struct dns_header
*header
;
526 union mysockaddr serveraddr
;
527 struct frec
*forward
;
528 socklen_t addrlen
= sizeof(serveraddr
);
529 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->edns_pktsz
, 0, &serveraddr
.sa
, &addrlen
);
531 struct server
*server
;
533 /* packet buffer overwritten */
534 daemon
->srv_save
= NULL
;
536 /* Determine the address of the server replying so that we can mark that as good */
537 serveraddr
.sa
.sa_family
= family
;
539 if (serveraddr
.sa
.sa_family
== AF_INET6
)
540 serveraddr
.in6
.sin6_flowinfo
= 0;
543 /* spoof check: answer must come from known server, */
544 for (server
= daemon
->servers
; server
; server
= server
->next
)
545 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
546 sockaddr_isequal(&server
->addr
, &serveraddr
))
549 header
= (struct dns_header
*)daemon
->packet
;
552 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
553 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
556 server
= forward
->sentto
;
558 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
559 !option_bool(OPT_ORDER
) &&
560 forward
->forwardall
== 0)
561 /* for broken servers, attempt to send to another one. */
563 unsigned char *pheader
;
567 /* recreate query from reply */
568 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
571 header
->ancount
= htons(0);
572 header
->nscount
= htons(0);
573 header
->arcount
= htons(0);
574 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
576 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
577 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
583 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
585 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
589 struct server
*last_server
;
591 /* find good server by address if possible, otherwise assume the last one we sent to */
592 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
593 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
594 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
596 server
= last_server
;
600 if (!option_bool(OPT_ALL_SERVERS
))
601 daemon
->last_server
= server
;
604 /* If the answer is an error, keep the forward record in place in case
605 we get a good reply from another server. Kill it when we've
606 had replies from all to avoid filling the forwarding table when
607 everything is broken */
608 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
609 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
611 int check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
613 if (!option_bool(OPT_NO_REBIND
))
616 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, forward
->flags
& FREC_CHECKING_DISABLED
)))
618 header
->id
= htons(forward
->orig_id
);
619 header
->hb4
|= HB4_RA
; /* recursion if available */
620 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
621 &forward
->source
, &forward
->dest
, forward
->iface
);
623 free_frec(forward
); /* cancel */
628 void receive_query(struct listener
*listen
, time_t now
)
630 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
631 union mysockaddr source_addr
;
633 struct all_addr dst_addr
;
634 struct in_addr netmask
, dst_addr_4
;
641 struct cmsghdr
*cmptr
;
643 struct cmsghdr align
; /* this ensures alignment */
645 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
647 #if defined(HAVE_LINUX_NETWORK)
648 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
649 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
650 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
651 CMSG_SPACE(sizeof(unsigned int))];
652 #elif defined(IP_RECVDSTADDR)
653 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
654 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
658 /* packet buffer overwritten */
659 daemon
->srv_save
= NULL
;
661 dst_addr_4
.s_addr
= 0;
664 if (listen
->iface
&& option_bool(OPT_NOWILD
))
666 auth_dns
= listen
->iface
->dns_auth
;
668 if (listen
->family
== AF_INET
)
670 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
671 netmask
= listen
->iface
->netmask
;
675 iov
[0].iov_base
= daemon
->packet
;
676 iov
[0].iov_len
= daemon
->edns_pktsz
;
678 msg
.msg_control
= control_u
.control
;
679 msg
.msg_controllen
= sizeof(control_u
);
681 msg
.msg_name
= &source_addr
;
682 msg
.msg_namelen
= sizeof(source_addr
);
686 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
689 if (n
< (int)sizeof(struct dns_header
) ||
690 (msg
.msg_flags
& MSG_TRUNC
) ||
691 (header
->hb3
& HB3_QR
))
694 source_addr
.sa
.sa_family
= listen
->family
;
696 if (listen
->family
== AF_INET6
)
697 source_addr
.in6
.sin6_flowinfo
= 0;
700 if (!option_bool(OPT_NOWILD
))
704 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
707 #if defined(HAVE_LINUX_NETWORK)
708 if (listen
->family
== AF_INET
)
709 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
710 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
714 struct in_pktinfo
*p
;
716 p
.c
= CMSG_DATA(cmptr
);
717 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
718 if_index
= p
.p
->ipi_ifindex
;
720 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
721 if (listen
->family
== AF_INET
)
723 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
729 #ifndef HAVE_SOLARIS_NETWORK
730 struct sockaddr_dl
*s
;
733 p
.c
= CMSG_DATA(cmptr
);
734 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
735 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
736 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
737 #ifdef HAVE_SOLARIS_NETWORK
740 if_index
= p
.s
->sdl_index
;
747 if (listen
->family
== AF_INET6
)
749 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
750 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
754 struct in6_pktinfo
*p
;
756 p
.c
= CMSG_DATA(cmptr
);
758 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
759 if_index
= p
.p
->ipi6_ifindex
;
764 /* enforce available interface configuration */
766 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
) ||
767 !iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
770 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
774 /* get the netmask of the interface whch has the address we were sent to.
775 This is no neccessarily the interface we arrived on. */
777 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
778 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
779 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
782 /* interface may be new */
784 enumerate_interfaces();
786 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
787 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
788 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
791 /* If we failed, abandon localisation */
793 netmask
= iface
->netmask
;
795 dst_addr_4
.s_addr
= 0;
799 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
803 querystr(auth_dns
? "auth" : "query", types
, type
);
805 if (listen
->family
== AF_INET
)
806 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
807 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
810 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
811 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
817 m
= answer_auth(header
, ((char *) header
) + PACKETSZ
, (size_t)n
, now
, &source_addr
);
819 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
820 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
824 m
= answer_request(header
, ((char *) header
) + PACKETSZ
, (size_t)n
,
825 dst_addr_4
, netmask
, now
);
829 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
830 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
831 daemon
->local_answer
++;
833 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
834 header
, (size_t)n
, now
, NULL
))
835 daemon
->queries_forwarded
++;
837 daemon
->local_answer
++;
841 /* The daemon forks before calling this: it should deal with one connection,
842 blocking as neccessary, and then return. Note, need to be a bit careful
843 about resources for debug mode, when the fork is suppressed: that's
844 done by the caller. */
845 unsigned char *tcp_request(int confd
, time_t now
,
846 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
850 int checking_disabled
;
852 unsigned short qtype
;
853 unsigned int gotname
;
854 unsigned char c1
, c2
;
855 /* Max TCP packet + slop */
856 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
);
857 struct dns_header
*header
;
858 struct server
*last_server
;
859 struct in_addr dst_addr_4
;
860 union mysockaddr peer_addr
;
861 socklen_t peer_len
= sizeof(union mysockaddr
);
863 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
869 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
870 !(size
= c1
<< 8 | c2
) ||
871 !read_write(confd
, packet
, size
, 1))
874 if (size
< (int)sizeof(struct dns_header
))
877 header
= (struct dns_header
*)packet
;
879 /* save state of "cd" flag in query */
880 checking_disabled
= header
->hb4
& HB4_CD
;
882 /* RFC 4035: sect 4.6 para 2 */
883 header
->hb4
&= ~HB4_AD
;
885 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
889 querystr(auth_dns
? "auth" : "query", types
, qtype
);
891 if (peer_addr
.sa
.sa_family
== AF_INET
)
892 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
893 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
896 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
897 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
901 if (local_addr
->sa
.sa_family
== AF_INET
)
902 dst_addr_4
= local_addr
->in
.sin_addr
;
904 dst_addr_4
.s_addr
= 0;
907 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
);
910 /* m > 0 if answered from cache */
911 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
912 dst_addr_4
, netmask
, now
);
914 /* Do this by steam now we're not in the select() loop */
915 check_log_writer(NULL
);
919 unsigned int flags
= 0;
920 struct all_addr
*addrp
= NULL
;
924 if (option_bool(OPT_ADD_MAC
))
925 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
928 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
930 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
931 last_server
= daemon
->servers
;
933 last_server
= daemon
->last_server
;
935 if (!flags
&& last_server
)
937 struct server
*firstsendto
= NULL
;
938 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
940 /* Loop round available servers until we succeed in connecting to one.
941 Note that this code subtley ensures that consecutive queries on this connection
942 which can go to the same server, do so. */
946 firstsendto
= last_server
;
949 if (!(last_server
= last_server
->next
))
950 last_server
= daemon
->servers
;
952 if (last_server
== firstsendto
)
956 /* server for wrong domain */
957 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
958 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
961 if (last_server
->tcpfd
== -1)
963 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
966 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
967 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
969 close(last_server
->tcpfd
);
970 last_server
->tcpfd
= -1;
974 #ifdef HAVE_CONNTRACK
975 /* Copy connection mark of incoming query to outgoing connection. */
976 if (option_bool(OPT_CONNTRACK
))
979 struct all_addr local
;
981 if (local_addr
->sa
.sa_family
== AF_INET6
)
982 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
985 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
987 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
988 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
996 if (!read_write(last_server
->tcpfd
, &c1
, 1, 0) ||
997 !read_write(last_server
->tcpfd
, &c2
, 1, 0) ||
998 !read_write(last_server
->tcpfd
, packet
, size
, 0) ||
999 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1000 !read_write(last_server
->tcpfd
, &c2
, 1, 1))
1002 close(last_server
->tcpfd
);
1003 last_server
->tcpfd
= -1;
1008 if (!read_write(last_server
->tcpfd
, packet
, m
, 1))
1012 strcpy(daemon
->namebuff
, "query");
1013 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1014 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1015 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1018 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1019 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1022 /* There's no point in updating the cache, since this process will exit and
1023 lose the information after a few queries. We make this call for the alias and
1024 bogus-nxdomain side-effects. */
1025 /* If the crc of the question section doesn't match the crc we sent, then
1026 someone might be attempting to insert bogus values into the cache by
1027 sending replies containing questions and bogus answers. */
1028 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1029 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1030 option_bool(OPT_NO_REBIND
) && !norebind
, checking_disabled
);
1036 /* In case of local answer or no connections made. */
1038 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1042 check_log_writer(NULL
);
1047 !read_write(confd
, &c1
, 1, 0) ||
1048 !read_write(confd
, &c2
, 1, 0) ||
1049 !read_write(confd
, packet
, m
, 0))
1054 static struct frec
*allocate_frec(time_t now
)
1058 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1060 f
->next
= daemon
->frec_list
;
1068 daemon
->frec_list
= f
;
1074 static struct randfd
*allocate_rfd(int family
)
1076 static int finger
= 0;
1079 /* limit the number of sockets we have open to avoid starvation of
1080 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1082 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1083 if (daemon
->randomsocks
[i
].refcount
== 0)
1085 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1088 daemon
->randomsocks
[i
].refcount
= 1;
1089 daemon
->randomsocks
[i
].family
= family
;
1090 return &daemon
->randomsocks
[i
];
1093 /* No free ones or cannot get new socket, grab an existing one */
1094 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1096 int j
= (i
+finger
) % RANDOM_SOCKS
;
1097 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1098 daemon
->randomsocks
[j
].family
== family
&&
1099 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1102 daemon
->randomsocks
[j
].refcount
++;
1103 return &daemon
->randomsocks
[j
];
1107 return NULL
; /* doom */
1110 static void free_frec(struct frec
*f
)
1112 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1120 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1127 /* if wait==NULL return a free or older than TIMEOUT record.
1128 else return *wait zero if one available, or *wait is delay to
1129 when the oldest in-use record will expire. Impose an absolute
1130 limit of 4*TIMEOUT before we wipe things (for random sockets) */
1131 struct frec
*get_new_frec(time_t now
, int *wait
)
1133 struct frec
*f
, *oldest
, *target
;
1139 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1144 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1150 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1160 /* can't find empty one, use oldest if there is one
1161 and it's older than timeout */
1162 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1164 /* keep stuff for twice timeout if we can by allocating a new
1166 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1167 count
<= daemon
->ftabsize
&&
1168 (f
= allocate_frec(now
)))
1179 /* none available, calculate time 'till oldest record expires */
1180 if (count
> daemon
->ftabsize
)
1183 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1187 if (!(f
= allocate_frec(now
)) && wait
)
1188 /* wait one second on malloc failure */
1191 return f
; /* OK if malloc fails and this is NULL */
1194 /* crc is all-ones if not known. */
1195 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1199 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1200 if (f
->sentto
&& f
->new_id
== id
&&
1201 (f
->crc
== crc
|| crc
== 0xffffffff))
1207 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1208 union mysockaddr
*addr
,
1213 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1217 sockaddr_isequal(&f
->source
, addr
))
1223 /* A server record is going away, remove references to it */
1224 void server_gone(struct server
*server
)
1228 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1229 if (f
->sentto
&& f
->sentto
== server
)
1232 if (daemon
->last_server
== server
)
1233 daemon
->last_server
= NULL
;
1235 if (daemon
->srv_save
== server
)
1236 daemon
->srv_save
= NULL
;
1239 /* return unique random ids. */
1240 static unsigned short get_id(unsigned int crc
)
1242 unsigned short ret
= 0;
1246 while (lookup_frec(ret
, crc
));