]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Zone-transfer peer restriction option.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2012 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, unsigned int crc);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 unsigned int crc);
23 static unsigned short get_id(unsigned int crc);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245 struct server *start = NULL;
246
247 /* RFC 4035: sect 4.6 para 2 */
248 header->hb4 &= ~HB4_AD;
249
250 /* may be no servers available. */
251 if (!daemon->servers)
252 forward = NULL;
253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
254 {
255 /* retry on existing query, send to all available servers */
256 domain = forward->sentto->domain;
257 forward->sentto->failed_queries++;
258 if (!option_bool(OPT_ORDER))
259 {
260 forward->forwardall = 1;
261 daemon->last_server = NULL;
262 }
263 type = forward->sentto->flags & SERV_TYPE;
264 if (!(start = forward->sentto->next))
265 start = daemon->servers; /* at end of list, recycle */
266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272
273 if (!flags && !(forward = get_new_frec(now, NULL)))
274 /* table full - server failure. */
275 flags = F_NEG;
276
277 if (forward)
278 {
279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
282 forward->orig_id = ntohs(header->id);
283 forward->new_id = get_id(crc);
284 forward->fd = udpfd;
285 forward->crc = crc;
286 forward->forwardall = 0;
287 if (norebind)
288 forward->flags |= FREC_NOREBIND;
289 if (header->hb4 & HB4_CD)
290 forward->flags |= FREC_CHECKING_DISABLED;
291
292 header->id = htons(forward->new_id);
293
294 /* In strict_order mode, always try servers in the order
295 specified in resolv.conf, if a domain is given
296 always try all the available servers,
297 otherwise, use the one last known to work. */
298
299 if (type == 0)
300 {
301 if (option_bool(OPT_ORDER))
302 start = daemon->servers;
303 else if (!(start = daemon->last_server) ||
304 daemon->forwardcount++ > FORWARD_TEST ||
305 difftime(now, daemon->forwardtime) > FORWARD_TIME)
306 {
307 start = daemon->servers;
308 forward->forwardall = 1;
309 daemon->forwardcount = 0;
310 daemon->forwardtime = now;
311 }
312 }
313 else
314 {
315 start = daemon->servers;
316 if (!option_bool(OPT_ORDER))
317 forward->forwardall = 1;
318 }
319 }
320 }
321
322 /* check for send errors here (no route to host)
323 if we fail to send to all nameservers, send back an error
324 packet straight away (helps modem users when offline) */
325
326 if (!flags && forward)
327 {
328 struct server *firstsentto = start;
329 int forwarded = 0;
330
331 if (udpaddr && option_bool(OPT_ADD_MAC))
332 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, udpaddr);
333
334 while (1)
335 {
336 /* only send to servers dealing with our domain.
337 domain may be NULL, in which case server->domain
338 must be NULL also. */
339
340 if (type == (start->flags & SERV_TYPE) &&
341 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
342 !(start->flags & SERV_LITERAL_ADDRESS))
343 {
344 int fd;
345
346 /* find server socket to use, may need to get random one. */
347 if (start->sfd)
348 fd = start->sfd->fd;
349 else
350 {
351 #ifdef HAVE_IPV6
352 if (start->addr.sa.sa_family == AF_INET6)
353 {
354 if (!forward->rfd6 &&
355 !(forward->rfd6 = allocate_rfd(AF_INET6)))
356 break;
357 daemon->rfd_save = forward->rfd6;
358 fd = forward->rfd6->fd;
359 }
360 else
361 #endif
362 {
363 if (!forward->rfd4 &&
364 !(forward->rfd4 = allocate_rfd(AF_INET)))
365 break;
366 daemon->rfd_save = forward->rfd4;
367 fd = forward->rfd4->fd;
368 }
369
370 #ifdef HAVE_CONNTRACK
371 /* Copy connection mark of incoming query to outgoing connection. */
372 if (option_bool(OPT_CONNTRACK))
373 {
374 unsigned int mark;
375 if (get_incoming_mark(udpaddr, dst_addr, 0, &mark))
376 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
377 }
378 #endif
379 }
380
381 if (sendto(fd, (char *)header, plen, 0,
382 &start->addr.sa,
383 sa_len(&start->addr)) == -1)
384 {
385 if (retry_send())
386 continue;
387 }
388 else
389 {
390 /* Keep info in case we want to re-send this packet */
391 daemon->srv_save = start;
392 daemon->packet_len = plen;
393
394 if (!gotname)
395 strcpy(daemon->namebuff, "query");
396 if (start->addr.sa.sa_family == AF_INET)
397 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
398 (struct all_addr *)&start->addr.in.sin_addr, NULL);
399 #ifdef HAVE_IPV6
400 else
401 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
402 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
403 #endif
404 start->queries++;
405 forwarded = 1;
406 forward->sentto = start;
407 if (!forward->forwardall)
408 break;
409 forward->forwardall++;
410 }
411 }
412
413 if (!(start = start->next))
414 start = daemon->servers;
415
416 if (start == firstsentto)
417 break;
418 }
419
420 if (forwarded)
421 return 1;
422
423 /* could not send on, prepare to return */
424 header->id = htons(forward->orig_id);
425 free_frec(forward); /* cancel */
426 }
427
428 /* could not send on, return empty answer or address if known for whole domain */
429 if (udpfd != -1)
430 {
431 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
432 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
433 }
434
435 return 0;
436 }
437
438 static size_t process_reply(struct dns_header *header, time_t now,
439 struct server *server, size_t n, int check_rebind, int checking_disabled)
440 {
441 unsigned char *pheader, *sizep;
442 int munged = 0, is_sign;
443 size_t plen;
444
445 /* If upstream is advertising a larger UDP packet size
446 than we allow, trim it so that we don't get overlarge
447 requests for the client. We can't do this for signed packets. */
448
449 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
450 {
451 unsigned short udpsz;
452 unsigned char *psave = sizep;
453
454 GETSHORT(udpsz, sizep);
455 if (udpsz > daemon->edns_pktsz)
456 PUTSHORT(daemon->edns_pktsz, psave);
457 }
458
459 /* RFC 4035 sect 4.6 para 3 */
460 if (!is_sign && !option_bool(OPT_DNSSEC))
461 header->hb4 &= ~HB4_AD;
462
463 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
464 return n;
465
466 /* Complain loudly if the upstream server is non-recursive. */
467 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
468 server && !(server->flags & SERV_WARNED_RECURSIVE))
469 {
470 prettyprint_addr(&server->addr, daemon->namebuff);
471 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
472 if (!option_bool(OPT_LOG))
473 server->flags |= SERV_WARNED_RECURSIVE;
474 }
475
476 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
477 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
478 {
479 munged = 1;
480 SET_RCODE(header, NXDOMAIN);
481 header->hb3 &= ~HB3_AA;
482 }
483 else
484 {
485 if (RCODE(header) == NXDOMAIN &&
486 extract_request(header, n, daemon->namebuff, NULL) &&
487 check_for_local_domain(daemon->namebuff, now))
488 {
489 /* if we forwarded a query for a locally known name (because it was for
490 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
491 since we know that the domain exists, even if upstream doesn't */
492 munged = 1;
493 header->hb3 |= HB3_AA;
494 SET_RCODE(header, NOERROR);
495 }
496
497 if (extract_addresses(header, n, daemon->namebuff, now, is_sign, check_rebind, checking_disabled))
498 {
499 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
500 munged = 1;
501 }
502 }
503
504 /* do this after extract_addresses. Ensure NODATA reply and remove
505 nameserver info. */
506
507 if (munged)
508 {
509 header->ancount = htons(0);
510 header->nscount = htons(0);
511 header->arcount = htons(0);
512 }
513
514 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
515 sections of the packet. Find the new length here and put back pseudoheader
516 if it was removed. */
517 return resize_packet(header, n, pheader, plen);
518 }
519
520 /* sets new last_server */
521 void reply_query(int fd, int family, time_t now)
522 {
523 /* packet from peer server, extract data for cache, and send to
524 original requester */
525 struct dns_header *header;
526 union mysockaddr serveraddr;
527 struct frec *forward;
528 socklen_t addrlen = sizeof(serveraddr);
529 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
530 size_t nn;
531 struct server *server;
532
533 /* packet buffer overwritten */
534 daemon->srv_save = NULL;
535
536 /* Determine the address of the server replying so that we can mark that as good */
537 serveraddr.sa.sa_family = family;
538 #ifdef HAVE_IPV6
539 if (serveraddr.sa.sa_family == AF_INET6)
540 serveraddr.in6.sin6_flowinfo = 0;
541 #endif
542
543 /* spoof check: answer must come from known server, */
544 for (server = daemon->servers; server; server = server->next)
545 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
546 sockaddr_isequal(&server->addr, &serveraddr))
547 break;
548
549 header = (struct dns_header *)daemon->packet;
550
551 if (!server ||
552 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
553 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
554 return;
555
556 server = forward->sentto;
557
558 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
559 !option_bool(OPT_ORDER) &&
560 forward->forwardall == 0)
561 /* for broken servers, attempt to send to another one. */
562 {
563 unsigned char *pheader;
564 size_t plen;
565 int is_sign;
566
567 /* recreate query from reply */
568 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
569 if (!is_sign)
570 {
571 header->ancount = htons(0);
572 header->nscount = htons(0);
573 header->arcount = htons(0);
574 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
575 {
576 header->hb3 &= ~(HB3_QR | HB3_TC);
577 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
578 return;
579 }
580 }
581 }
582
583 if ((forward->sentto->flags & SERV_TYPE) == 0)
584 {
585 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
586 server = NULL;
587 else
588 {
589 struct server *last_server;
590
591 /* find good server by address if possible, otherwise assume the last one we sent to */
592 for (last_server = daemon->servers; last_server; last_server = last_server->next)
593 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
594 sockaddr_isequal(&last_server->addr, &serveraddr))
595 {
596 server = last_server;
597 break;
598 }
599 }
600 if (!option_bool(OPT_ALL_SERVERS))
601 daemon->last_server = server;
602 }
603
604 /* If the answer is an error, keep the forward record in place in case
605 we get a good reply from another server. Kill it when we've
606 had replies from all to avoid filling the forwarding table when
607 everything is broken */
608 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
609 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
610 {
611 int check_rebind = !(forward->flags & FREC_NOREBIND);
612
613 if (!option_bool(OPT_NO_REBIND))
614 check_rebind = 0;
615
616 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED)))
617 {
618 header->id = htons(forward->orig_id);
619 header->hb4 |= HB4_RA; /* recursion if available */
620 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
621 &forward->source, &forward->dest, forward->iface);
622 }
623 free_frec(forward); /* cancel */
624 }
625 }
626
627
628 void receive_query(struct listener *listen, time_t now)
629 {
630 struct dns_header *header = (struct dns_header *)daemon->packet;
631 union mysockaddr source_addr;
632 unsigned short type;
633 struct all_addr dst_addr;
634 struct in_addr netmask, dst_addr_4;
635 size_t m;
636 ssize_t n;
637 int if_index = 0;
638 int auth_dns = 0;
639 struct iovec iov[1];
640 struct msghdr msg;
641 struct cmsghdr *cmptr;
642 union {
643 struct cmsghdr align; /* this ensures alignment */
644 #ifdef HAVE_IPV6
645 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
646 #endif
647 #if defined(HAVE_LINUX_NETWORK)
648 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
649 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
650 char control[CMSG_SPACE(sizeof(struct in_addr)) +
651 CMSG_SPACE(sizeof(unsigned int))];
652 #elif defined(IP_RECVDSTADDR)
653 char control[CMSG_SPACE(sizeof(struct in_addr)) +
654 CMSG_SPACE(sizeof(struct sockaddr_dl))];
655 #endif
656 } control_u;
657
658 /* packet buffer overwritten */
659 daemon->srv_save = NULL;
660
661 dst_addr_4.s_addr = 0;
662 netmask.s_addr = 0;
663
664 if (listen->iface && option_bool(OPT_NOWILD))
665 {
666 auth_dns = listen->iface->dns_auth;
667
668 if (listen->family == AF_INET)
669 {
670 dst_addr_4 = listen->iface->addr.in.sin_addr;
671 netmask = listen->iface->netmask;
672 }
673 }
674
675 iov[0].iov_base = daemon->packet;
676 iov[0].iov_len = daemon->edns_pktsz;
677
678 msg.msg_control = control_u.control;
679 msg.msg_controllen = sizeof(control_u);
680 msg.msg_flags = 0;
681 msg.msg_name = &source_addr;
682 msg.msg_namelen = sizeof(source_addr);
683 msg.msg_iov = iov;
684 msg.msg_iovlen = 1;
685
686 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
687 return;
688
689 if (n < (int)sizeof(struct dns_header) ||
690 (msg.msg_flags & MSG_TRUNC) ||
691 (header->hb3 & HB3_QR))
692 return;
693
694 source_addr.sa.sa_family = listen->family;
695 #ifdef HAVE_IPV6
696 if (listen->family == AF_INET6)
697 source_addr.in6.sin6_flowinfo = 0;
698 #endif
699
700 if (!option_bool(OPT_NOWILD))
701 {
702 struct ifreq ifr;
703
704 if (msg.msg_controllen < sizeof(struct cmsghdr))
705 return;
706
707 #if defined(HAVE_LINUX_NETWORK)
708 if (listen->family == AF_INET)
709 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
710 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
711 {
712 union {
713 unsigned char *c;
714 struct in_pktinfo *p;
715 } p;
716 p.c = CMSG_DATA(cmptr);
717 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
718 if_index = p.p->ipi_ifindex;
719 }
720 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
721 if (listen->family == AF_INET)
722 {
723 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
724 {
725 union {
726 unsigned char *c;
727 unsigned int *i;
728 struct in_addr *a;
729 #ifndef HAVE_SOLARIS_NETWORK
730 struct sockaddr_dl *s;
731 #endif
732 } p;
733 p.c = CMSG_DATA(cmptr);
734 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
735 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
736 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
737 #ifdef HAVE_SOLARIS_NETWORK
738 if_index = *(p.i);
739 #else
740 if_index = p.s->sdl_index;
741 #endif
742 }
743 }
744 #endif
745
746 #ifdef HAVE_IPV6
747 if (listen->family == AF_INET6)
748 {
749 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
750 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
751 {
752 union {
753 unsigned char *c;
754 struct in6_pktinfo *p;
755 } p;
756 p.c = CMSG_DATA(cmptr);
757
758 dst_addr.addr.addr6 = p.p->ipi6_addr;
759 if_index = p.p->ipi6_ifindex;
760 }
761 }
762 #endif
763
764 /* enforce available interface configuration */
765
766 if (!indextoname(listen->fd, if_index, ifr.ifr_name) ||
767 !iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
768 return;
769
770 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
771 {
772 struct irec *iface;
773
774 /* get the netmask of the interface whch has the address we were sent to.
775 This is no neccessarily the interface we arrived on. */
776
777 for (iface = daemon->interfaces; iface; iface = iface->next)
778 if (iface->addr.sa.sa_family == AF_INET &&
779 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
780 break;
781
782 /* interface may be new */
783 if (!iface)
784 enumerate_interfaces();
785
786 for (iface = daemon->interfaces; iface; iface = iface->next)
787 if (iface->addr.sa.sa_family == AF_INET &&
788 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
789 break;
790
791 /* If we failed, abandon localisation */
792 if (iface)
793 netmask = iface->netmask;
794 else
795 dst_addr_4.s_addr = 0;
796 }
797 }
798
799 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
800 {
801 char types[20];
802
803 querystr(auth_dns ? "auth" : "query", types, type);
804
805 if (listen->family == AF_INET)
806 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
807 (struct all_addr *)&source_addr.in.sin_addr, types);
808 #ifdef HAVE_IPV6
809 else
810 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
811 (struct all_addr *)&source_addr.in6.sin6_addr, types);
812 #endif
813 }
814
815 if (auth_dns)
816 {
817 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
818 if (m >= 1)
819 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
820 (char *)header, m, &source_addr, &dst_addr, if_index);
821 }
822 else
823 {
824 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
825 dst_addr_4, netmask, now);
826
827 if (m >= 1)
828 {
829 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
830 (char *)header, m, &source_addr, &dst_addr, if_index);
831 daemon->local_answer++;
832 }
833 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
834 header, (size_t)n, now, NULL))
835 daemon->queries_forwarded++;
836 else
837 daemon->local_answer++;
838 }
839 }
840
841 /* The daemon forks before calling this: it should deal with one connection,
842 blocking as neccessary, and then return. Note, need to be a bit careful
843 about resources for debug mode, when the fork is suppressed: that's
844 done by the caller. */
845 unsigned char *tcp_request(int confd, time_t now,
846 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
847 {
848 size_t size = 0;
849 int norebind = 0;
850 int checking_disabled;
851 size_t m;
852 unsigned short qtype;
853 unsigned int gotname;
854 unsigned char c1, c2;
855 /* Max TCP packet + slop */
856 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
857 struct dns_header *header;
858 struct server *last_server;
859 struct in_addr dst_addr_4;
860 union mysockaddr peer_addr;
861 socklen_t peer_len = sizeof(union mysockaddr);
862
863 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
864 return packet;
865
866 while (1)
867 {
868 if (!packet ||
869 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
870 !(size = c1 << 8 | c2) ||
871 !read_write(confd, packet, size, 1))
872 return packet;
873
874 if (size < (int)sizeof(struct dns_header))
875 continue;
876
877 header = (struct dns_header *)packet;
878
879 /* save state of "cd" flag in query */
880 checking_disabled = header->hb4 & HB4_CD;
881
882 /* RFC 4035: sect 4.6 para 2 */
883 header->hb4 &= ~HB4_AD;
884
885 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
886 {
887 char types[20];
888
889 querystr(auth_dns ? "auth" : "query", types, qtype);
890
891 if (peer_addr.sa.sa_family == AF_INET)
892 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
893 (struct all_addr *)&peer_addr.in.sin_addr, types);
894 #ifdef HAVE_IPV6
895 else
896 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
897 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
898 #endif
899 }
900
901 if (local_addr->sa.sa_family == AF_INET)
902 dst_addr_4 = local_addr->in.sin_addr;
903 else
904 dst_addr_4.s_addr = 0;
905
906 if (auth_dns)
907 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
908 else
909 {
910 /* m > 0 if answered from cache */
911 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
912 dst_addr_4, netmask, now);
913
914 /* Do this by steam now we're not in the select() loop */
915 check_log_writer(NULL);
916
917 if (m == 0)
918 {
919 unsigned int flags = 0;
920 struct all_addr *addrp = NULL;
921 int type = 0;
922 char *domain = NULL;
923
924 if (option_bool(OPT_ADD_MAC))
925 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
926
927 if (gotname)
928 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
929
930 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
931 last_server = daemon->servers;
932 else
933 last_server = daemon->last_server;
934
935 if (!flags && last_server)
936 {
937 struct server *firstsendto = NULL;
938 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
939
940 /* Loop round available servers until we succeed in connecting to one.
941 Note that this code subtley ensures that consecutive queries on this connection
942 which can go to the same server, do so. */
943 while (1)
944 {
945 if (!firstsendto)
946 firstsendto = last_server;
947 else
948 {
949 if (!(last_server = last_server->next))
950 last_server = daemon->servers;
951
952 if (last_server == firstsendto)
953 break;
954 }
955
956 /* server for wrong domain */
957 if (type != (last_server->flags & SERV_TYPE) ||
958 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
959 continue;
960
961 if (last_server->tcpfd == -1)
962 {
963 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
964 continue;
965
966 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
967 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
968 {
969 close(last_server->tcpfd);
970 last_server->tcpfd = -1;
971 continue;
972 }
973
974 #ifdef HAVE_CONNTRACK
975 /* Copy connection mark of incoming query to outgoing connection. */
976 if (option_bool(OPT_CONNTRACK))
977 {
978 unsigned int mark;
979 struct all_addr local;
980 #ifdef HAVE_IPV6
981 if (local_addr->sa.sa_family == AF_INET6)
982 local.addr.addr6 = local_addr->in6.sin6_addr;
983 else
984 #endif
985 local.addr.addr4 = local_addr->in.sin_addr;
986
987 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
988 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
989 }
990 #endif
991 }
992
993 c1 = size >> 8;
994 c2 = size;
995
996 if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
997 !read_write(last_server->tcpfd, &c2, 1, 0) ||
998 !read_write(last_server->tcpfd, packet, size, 0) ||
999 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1000 !read_write(last_server->tcpfd, &c2, 1, 1))
1001 {
1002 close(last_server->tcpfd);
1003 last_server->tcpfd = -1;
1004 continue;
1005 }
1006
1007 m = (c1 << 8) | c2;
1008 if (!read_write(last_server->tcpfd, packet, m, 1))
1009 return packet;
1010
1011 if (!gotname)
1012 strcpy(daemon->namebuff, "query");
1013 if (last_server->addr.sa.sa_family == AF_INET)
1014 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1015 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1016 #ifdef HAVE_IPV6
1017 else
1018 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1019 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1020 #endif
1021
1022 /* There's no point in updating the cache, since this process will exit and
1023 lose the information after a few queries. We make this call for the alias and
1024 bogus-nxdomain side-effects. */
1025 /* If the crc of the question section doesn't match the crc we sent, then
1026 someone might be attempting to insert bogus values into the cache by
1027 sending replies containing questions and bogus answers. */
1028 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1029 m = process_reply(header, now, last_server, (unsigned int)m,
1030 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled);
1031
1032 break;
1033 }
1034 }
1035
1036 /* In case of local answer or no connections made. */
1037 if (m == 0)
1038 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1039 }
1040 }
1041
1042 check_log_writer(NULL);
1043
1044 c1 = m>>8;
1045 c2 = m;
1046 if (m == 0 ||
1047 !read_write(confd, &c1, 1, 0) ||
1048 !read_write(confd, &c2, 1, 0) ||
1049 !read_write(confd, packet, m, 0))
1050 return packet;
1051 }
1052 }
1053
1054 static struct frec *allocate_frec(time_t now)
1055 {
1056 struct frec *f;
1057
1058 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1059 {
1060 f->next = daemon->frec_list;
1061 f->time = now;
1062 f->sentto = NULL;
1063 f->rfd4 = NULL;
1064 f->flags = 0;
1065 #ifdef HAVE_IPV6
1066 f->rfd6 = NULL;
1067 #endif
1068 daemon->frec_list = f;
1069 }
1070
1071 return f;
1072 }
1073
1074 static struct randfd *allocate_rfd(int family)
1075 {
1076 static int finger = 0;
1077 int i;
1078
1079 /* limit the number of sockets we have open to avoid starvation of
1080 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1081
1082 for (i = 0; i < RANDOM_SOCKS; i++)
1083 if (daemon->randomsocks[i].refcount == 0)
1084 {
1085 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1086 break;
1087
1088 daemon->randomsocks[i].refcount = 1;
1089 daemon->randomsocks[i].family = family;
1090 return &daemon->randomsocks[i];
1091 }
1092
1093 /* No free ones or cannot get new socket, grab an existing one */
1094 for (i = 0; i < RANDOM_SOCKS; i++)
1095 {
1096 int j = (i+finger) % RANDOM_SOCKS;
1097 if (daemon->randomsocks[j].refcount != 0 &&
1098 daemon->randomsocks[j].family == family &&
1099 daemon->randomsocks[j].refcount != 0xffff)
1100 {
1101 finger = j;
1102 daemon->randomsocks[j].refcount++;
1103 return &daemon->randomsocks[j];
1104 }
1105 }
1106
1107 return NULL; /* doom */
1108 }
1109
1110 static void free_frec(struct frec *f)
1111 {
1112 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1113 close(f->rfd4->fd);
1114
1115 f->rfd4 = NULL;
1116 f->sentto = NULL;
1117 f->flags = 0;
1118
1119 #ifdef HAVE_IPV6
1120 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1121 close(f->rfd6->fd);
1122
1123 f->rfd6 = NULL;
1124 #endif
1125 }
1126
1127 /* if wait==NULL return a free or older than TIMEOUT record.
1128 else return *wait zero if one available, or *wait is delay to
1129 when the oldest in-use record will expire. Impose an absolute
1130 limit of 4*TIMEOUT before we wipe things (for random sockets) */
1131 struct frec *get_new_frec(time_t now, int *wait)
1132 {
1133 struct frec *f, *oldest, *target;
1134 int count;
1135
1136 if (wait)
1137 *wait = 0;
1138
1139 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1140 if (!f->sentto)
1141 target = f;
1142 else
1143 {
1144 if (difftime(now, f->time) >= 4*TIMEOUT)
1145 {
1146 free_frec(f);
1147 target = f;
1148 }
1149
1150 if (!oldest || difftime(f->time, oldest->time) <= 0)
1151 oldest = f;
1152 }
1153
1154 if (target)
1155 {
1156 target->time = now;
1157 return target;
1158 }
1159
1160 /* can't find empty one, use oldest if there is one
1161 and it's older than timeout */
1162 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1163 {
1164 /* keep stuff for twice timeout if we can by allocating a new
1165 record instead */
1166 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1167 count <= daemon->ftabsize &&
1168 (f = allocate_frec(now)))
1169 return f;
1170
1171 if (!wait)
1172 {
1173 free_frec(oldest);
1174 oldest->time = now;
1175 }
1176 return oldest;
1177 }
1178
1179 /* none available, calculate time 'till oldest record expires */
1180 if (count > daemon->ftabsize)
1181 {
1182 if (oldest && wait)
1183 *wait = oldest->time + (time_t)TIMEOUT - now;
1184 return NULL;
1185 }
1186
1187 if (!(f = allocate_frec(now)) && wait)
1188 /* wait one second on malloc failure */
1189 *wait = 1;
1190
1191 return f; /* OK if malloc fails and this is NULL */
1192 }
1193
1194 /* crc is all-ones if not known. */
1195 static struct frec *lookup_frec(unsigned short id, unsigned int crc)
1196 {
1197 struct frec *f;
1198
1199 for(f = daemon->frec_list; f; f = f->next)
1200 if (f->sentto && f->new_id == id &&
1201 (f->crc == crc || crc == 0xffffffff))
1202 return f;
1203
1204 return NULL;
1205 }
1206
1207 static struct frec *lookup_frec_by_sender(unsigned short id,
1208 union mysockaddr *addr,
1209 unsigned int crc)
1210 {
1211 struct frec *f;
1212
1213 for(f = daemon->frec_list; f; f = f->next)
1214 if (f->sentto &&
1215 f->orig_id == id &&
1216 f->crc == crc &&
1217 sockaddr_isequal(&f->source, addr))
1218 return f;
1219
1220 return NULL;
1221 }
1222
1223 /* A server record is going away, remove references to it */
1224 void server_gone(struct server *server)
1225 {
1226 struct frec *f;
1227
1228 for (f = daemon->frec_list; f; f = f->next)
1229 if (f->sentto && f->sentto == server)
1230 free_frec(f);
1231
1232 if (daemon->last_server == server)
1233 daemon->last_server = NULL;
1234
1235 if (daemon->srv_save == server)
1236 daemon->srv_save = NULL;
1237 }
1238
1239 /* return unique random ids. */
1240 static unsigned short get_id(unsigned int crc)
1241 {
1242 unsigned short ret = 0;
1243
1244 do
1245 ret = rand16();
1246 while (lookup_frec(ret, crc));
1247
1248 return ret;
1249 }
1250
1251
1252
1253
1254
Michael's tree of dnsmasq.