]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2014 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(unsigned int crc
);
24 static void free_frec(struct frec
*f
);
25 static struct randfd
*allocate_rfd(int family
);
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
30 union mysockaddr
*to
, struct all_addr
*source
,
36 struct cmsghdr align
; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
39 #elif defined(IP_SENDSRCADDR)
40 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
43 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
47 iov
[0].iov_base
= packet
;
50 msg
.msg_control
= NULL
;
51 msg
.msg_controllen
= 0;
54 msg
.msg_namelen
= sa_len(to
);
60 struct cmsghdr
*cmptr
;
61 msg
.msg_control
= &control_u
;
62 msg
.msg_controllen
= sizeof(control_u
);
63 cmptr
= CMSG_FIRSTHDR(&msg
);
65 if (to
->sa
.sa_family
== AF_INET
)
67 #if defined(HAVE_LINUX_NETWORK)
70 p
.ipi_spec_dst
= source
->addr
.addr4
;
71 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
72 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
73 cmptr
->cmsg_level
= IPPROTO_IP
;
74 cmptr
->cmsg_type
= IP_PKTINFO
;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
77 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
78 cmptr
->cmsg_level
= IPPROTO_IP
;
79 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
86 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
87 p
.ipi6_addr
= source
->addr
.addr6
;
88 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
89 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
90 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
91 cmptr
->cmsg_level
= IPPROTO_IPV6
;
94 (void)iface
; /* eliminate warning */
98 while (sendmsg(fd
, &msg
, 0) == -1)
103 /* If interface is still in DAD, EINVAL results - ignore that. */
107 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
114 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
115 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
122 unsigned int namelen
= strlen(qdomain
);
123 unsigned int matchlen
= 0;
125 unsigned int flags
= 0;
127 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
131 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
132 *type
= SERV_FOR_NODOTS
;
133 if (serv
->flags
& SERV_NO_ADDR
)
135 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
140 if (serv
->addr
.sa
.sa_family
== AF_INET
)
141 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
144 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
147 else if (!flags
|| (flags
& F_NXDOMAIN
))
151 else if (serv
->flags
& SERV_HAS_DOMAIN
)
153 unsigned int domainlen
= strlen(serv
->domain
);
154 char *matchstart
= qdomain
+ namelen
- domainlen
;
155 if (namelen
>= domainlen
&&
156 hostname_isequal(matchstart
, serv
->domain
) &&
157 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
159 if (serv
->flags
& SERV_NO_REBIND
)
163 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen
!= 0 && domainlen
== matchlen
)
169 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
171 if (!(sflag
& qtype
) && flags
== 0)
176 if (flags
& (F_IPV4
| F_IPV6
))
181 if (domainlen
>= matchlen
)
183 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
184 *domain
= serv
->domain
;
185 matchlen
= domainlen
;
186 if (serv
->flags
& SERV_NO_ADDR
)
188 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
193 if (serv
->addr
.sa
.sa_family
== AF_INET
)
194 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
197 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
200 else if (!flags
|| (flags
& F_NXDOMAIN
))
210 if (flags
== 0 && !(qtype
& F_QUERY
) &&
211 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
215 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
222 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
223 logflags
= F_NEG
| qtype
;
225 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
227 else if ((*type
) & SERV_USE_RESOLV
)
229 *type
= 0; /* use normal servers for this domain */
235 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
236 struct all_addr
*dst_addr
, unsigned int dst_iface
,
237 struct dns_header
*header
, size_t plen
, time_t now
, struct frec
*forward
)
240 int type
= 0, norebind
= 0;
241 struct all_addr
*addrp
= NULL
;
242 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
243 unsigned int flags
= 0;
244 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
245 struct server
*start
= NULL
;
247 /* RFC 4035: sect 4.6 para 2 */
248 header
->hb4
&= ~HB4_AD
;
250 /* may be no servers available. */
251 if (!daemon
->servers
)
253 else if (forward
|| (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, crc
)))
255 /* retry on existing query, send to all available servers */
256 domain
= forward
->sentto
->domain
;
257 forward
->sentto
->failed_queries
++;
258 if (!option_bool(OPT_ORDER
))
260 forward
->forwardall
= 1;
261 daemon
->last_server
= NULL
;
263 type
= forward
->sentto
->flags
& SERV_TYPE
;
264 if (!(start
= forward
->sentto
->next
))
265 start
= daemon
->servers
; /* at end of list, recycle */
266 header
->id
= htons(forward
->new_id
);
271 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
273 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
274 /* table full - server failure. */
279 forward
->source
= *udpaddr
;
280 forward
->dest
= *dst_addr
;
281 forward
->iface
= dst_iface
;
282 forward
->orig_id
= ntohs(header
->id
);
283 forward
->new_id
= get_id(crc
);
286 forward
->forwardall
= 0;
289 forward
->flags
|= FREC_NOREBIND
;
290 if (header
->hb4
& HB4_CD
)
291 forward
->flags
|= FREC_CHECKING_DISABLED
;
293 header
->id
= htons(forward
->new_id
);
295 /* In strict_order mode, always try servers in the order
296 specified in resolv.conf, if a domain is given
297 always try all the available servers,
298 otherwise, use the one last known to work. */
302 if (option_bool(OPT_ORDER
))
303 start
= daemon
->servers
;
304 else if (!(start
= daemon
->last_server
) ||
305 daemon
->forwardcount
++ > FORWARD_TEST
||
306 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
308 start
= daemon
->servers
;
309 forward
->forwardall
= 1;
310 daemon
->forwardcount
= 0;
311 daemon
->forwardtime
= now
;
316 start
= daemon
->servers
;
317 if (!option_bool(OPT_ORDER
))
318 forward
->forwardall
= 1;
323 /* check for send errors here (no route to host)
324 if we fail to send to all nameservers, send back an error
325 packet straight away (helps modem users when offline) */
327 if (!flags
&& forward
)
329 struct server
*firstsentto
= start
;
332 if (option_bool(OPT_ADD_MAC
))
333 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
335 if (option_bool(OPT_CLIENT_SUBNET
))
337 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
341 forward
->flags
|= FREC_HAS_SUBNET
;
346 if (option_bool(OPT_DNSSEC_VALID
))
348 plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
349 header
->hb4
|= HB4_CD
;
355 /* only send to servers dealing with our domain.
356 domain may be NULL, in which case server->domain
357 must be NULL also. */
359 if (type
== (start
->flags
& SERV_TYPE
) &&
360 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
361 !(start
->flags
& SERV_LITERAL_ADDRESS
))
365 /* find server socket to use, may need to get random one. */
371 if (start
->addr
.sa
.sa_family
== AF_INET6
)
373 if (!forward
->rfd6
&&
374 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
376 daemon
->rfd_save
= forward
->rfd6
;
377 fd
= forward
->rfd6
->fd
;
382 if (!forward
->rfd4
&&
383 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
385 daemon
->rfd_save
= forward
->rfd4
;
386 fd
= forward
->rfd4
->fd
;
389 #ifdef HAVE_CONNTRACK
390 /* Copy connection mark of incoming query to outgoing connection. */
391 if (option_bool(OPT_CONNTRACK
))
394 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
395 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
400 if (sendto(fd
, (char *)header
, plen
, 0,
402 sa_len(&start
->addr
)) == -1)
409 /* Keep info in case we want to re-send this packet */
410 daemon
->srv_save
= start
;
411 daemon
->packet_len
= plen
;
414 strcpy(daemon
->namebuff
, "query");
415 if (start
->addr
.sa
.sa_family
== AF_INET
)
416 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
417 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
420 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
421 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
425 forward
->sentto
= start
;
426 if (!forward
->forwardall
)
428 forward
->forwardall
++;
432 if (!(start
= start
->next
))
433 start
= daemon
->servers
;
435 if (start
== firstsentto
)
442 /* could not send on, prepare to return */
443 header
->id
= htons(forward
->orig_id
);
444 free_frec(forward
); /* cancel */
447 /* could not send on, return empty answer or address if known for whole domain */
450 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
451 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
457 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
458 int no_cache
, int cache_secure
, int check_subnet
, union mysockaddr
*query_source
)
460 unsigned char *pheader
, *sizep
;
462 int munged
= 0, is_sign
;
466 /* Similar algorithm to search_servers. */
467 struct ipsets
*ipset_pos
;
468 unsigned int namelen
= strlen(daemon
->namebuff
);
469 unsigned int matchlen
= 0;
470 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
472 unsigned int domainlen
= strlen(ipset_pos
->domain
);
473 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
474 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
475 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
476 domainlen
>= matchlen
) {
477 matchlen
= domainlen
;
478 sets
= ipset_pos
->sets
;
483 /* If upstream is advertising a larger UDP packet size
484 than we allow, trim it so that we don't get overlarge
485 requests for the client. We can't do this for signed packets. */
487 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
491 unsigned short udpsz
;
492 unsigned char *psave
= sizep
;
494 GETSHORT(udpsz
, sizep
);
495 if (udpsz
> daemon
->edns_pktsz
)
496 PUTSHORT(daemon
->edns_pktsz
, psave
);
499 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
501 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
506 /* RFC 4035 sect 4.6 para 3 */
507 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
508 header
->hb4
&= ~HB4_AD
;
511 if (option_bool(OPT_DNSSEC_VALID
))
512 header
->hb4
&= ~HB4_AD
;
514 if (!(header
->hb4
& HB4_CD
) && cache_secure
)
515 header
->hb4
|= HB4_AD
;
518 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
521 /* Complain loudly if the upstream server is non-recursive. */
522 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
523 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
525 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
526 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
527 if (!option_bool(OPT_LOG
))
528 server
->flags
|= SERV_WARNED_RECURSIVE
;
531 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
532 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
535 SET_RCODE(header
, NXDOMAIN
);
536 header
->hb3
&= ~HB3_AA
;
540 if (RCODE(header
) == NXDOMAIN
&&
541 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
542 check_for_local_domain(daemon
->namebuff
, now
))
544 /* if we forwarded a query for a locally known name (because it was for
545 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
546 since we know that the domain exists, even if upstream doesn't */
548 header
->hb3
|= HB3_AA
;
549 SET_RCODE(header
, NOERROR
);
552 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
))
554 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
560 if (no_cache
&& !(header
->hb4
& HB4_CD
))
562 if (option_bool(OPT_DNSSEC_PERMISS
))
567 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
569 querystr("", types
, type
);
570 my_syslog(LOG_WARNING
, _("DNSSEC validation failed: query %s%s"), daemon
->namebuff
, types
);
573 my_syslog(LOG_WARNING
, _("DNSSEC validation failed for unknown query"));
577 /* Bogus reply, turn into SERVFAIL */
578 SET_RCODE(header
, SERVFAIL
);
584 /* do this after extract_addresses. Ensure NODATA reply and remove
589 header
->ancount
= htons(0);
590 header
->nscount
= htons(0);
591 header
->arcount
= htons(0);
594 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
595 sections of the packet. Find the new length here and put back pseudoheader
596 if it was removed. */
597 return resize_packet(header
, n
, pheader
, plen
);
600 /* sets new last_server */
601 void reply_query(int fd
, int family
, time_t now
)
603 /* packet from peer server, extract data for cache, and send to
604 original requester */
605 struct dns_header
*header
;
606 union mysockaddr serveraddr
;
607 struct frec
*forward
;
608 socklen_t addrlen
= sizeof(serveraddr
);
609 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
611 struct server
*server
;
613 /* packet buffer overwritten */
614 daemon
->srv_save
= NULL
;
616 /* Determine the address of the server replying so that we can mark that as good */
617 serveraddr
.sa
.sa_family
= family
;
619 if (serveraddr
.sa
.sa_family
== AF_INET6
)
620 serveraddr
.in6
.sin6_flowinfo
= 0;
623 /* spoof check: answer must come from known server, */
624 for (server
= daemon
->servers
; server
; server
= server
->next
)
625 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
626 sockaddr_isequal(&server
->addr
, &serveraddr
))
629 header
= (struct dns_header
*)daemon
->packet
;
632 n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
) ||
633 !(forward
= lookup_frec(ntohs(header
->id
), questions_crc(header
, n
, daemon
->namebuff
))))
636 if ((RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
) &&
637 !option_bool(OPT_ORDER
) &&
638 forward
->forwardall
== 0)
639 /* for broken servers, attempt to send to another one. */
641 unsigned char *pheader
;
645 /* recreate query from reply */
646 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
649 header
->ancount
= htons(0);
650 header
->nscount
= htons(0);
651 header
->arcount
= htons(0);
652 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
654 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
655 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
);
661 server
= forward
->sentto
;
663 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
665 if (RCODE(header
) == SERVFAIL
|| RCODE(header
) == REFUSED
)
669 struct server
*last_server
;
671 /* find good server by address if possible, otherwise assume the last one we sent to */
672 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
673 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
674 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
676 server
= last_server
;
680 if (!option_bool(OPT_ALL_SERVERS
))
681 daemon
->last_server
= server
;
684 /* If the answer is an error, keep the forward record in place in case
685 we get a good reply from another server. Kill it when we've
686 had replies from all to avoid filling the forwarding table when
687 everything is broken */
688 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 ||
689 (RCODE(header
) != REFUSED
&& RCODE(header
) != SERVFAIL
))
691 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0;
693 if (option_bool(OPT_NO_REBIND
))
694 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
696 /* Don't cache replies where DNSSEC validation was turned off, either
697 the upstream server told us so, or the original query specified it. */
698 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
702 if (option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
706 /* We've had a reply already, which we're validating. Ignore this duplicate */
710 if (header
->hb3
& HB3_TC
)
712 /* Truncated answer can't be validated.
713 The client will retry over TCP, but if this is an answer to a
714 DNSSEC-generated query, we have a problem. Should really re-send
715 over TCP. No-one with any sense will make a DNSKEY or DS RRset
716 exceed 4096, so this may not be a real problem. Just log
718 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
719 my_syslog(LOG_ERR
, _("Reply to DNSSEC query truncated - validation fails."));
720 status
= STAT_INSECURE
;
722 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
723 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
724 else if (forward
->flags
& FREC_DS_QUERY
)
725 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
727 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
729 /* Can't validate, as we're missing key data. Put this
730 answer aside, whilst we get that. */
731 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
735 if ((new = get_new_frec(now
, NULL
, 1)))
737 struct frec
*next
= new->next
;
738 *new = *forward
; /* copy everything, then overwrite */
741 new->blocking_query
= NULL
;
746 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
);
748 if ((forward
->stash
= blockdata_alloc((char *)header
, n
)))
752 forward
->stash_len
= n
;
754 new->dependent
= forward
; /* to find query awaiting new one. */
755 forward
->blocking_query
= new; /* for garbage cleaning */
756 /* validate routines leave name of required record in daemon->keyname */
757 if (status
== STAT_NEED_KEY
)
759 new->flags
|= FREC_DNSKEY_QUERY
;
760 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
761 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
763 else if (status
== STAT_NEED_DS
)
765 new->flags
|= FREC_DS_QUERY
;
766 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
767 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
769 new->crc
= questions_crc(header
, nn
, daemon
->namebuff
);
770 new->new_id
= get_id(new->crc
);
771 header
->id
= htons(new->new_id
);
773 /* Don't resend this. */
774 daemon
->srv_save
= NULL
;
777 fd
= server
->sfd
->fd
;
782 if (server
->addr
.sa
.sa_family
== AF_INET6
)
784 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
790 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
797 while (sendto(fd
, (char *)header
, nn
, 0, &server
->addr
.sa
, sa_len(&server
->addr
)) == -1 && retry_send());
806 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
807 Now wind back down, pulling back answers which wouldn't previously validate
808 and validate them with the new data. Failure to find needed data here is an internal error.
809 Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
810 return it to the original requestor. */
811 if (forward
->flags
& (FREC_DNSKEY_QUERY
| FREC_DS_QUERY
))
813 while (forward
->dependent
)
817 if (status
== STAT_SECURE
)
819 if (forward
->flags
& FREC_DNSKEY_QUERY
)
820 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
821 else if (forward
->flags
& FREC_DS_QUERY
)
822 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
825 prev
= forward
->dependent
;
828 forward
->blocking_query
= NULL
; /* already gone */
829 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
830 n
= forward
->stash_len
;
833 /* All DNSKEY and DS records done and in cache, now finally validate original
834 answer, provided last DNSKEY is OK. */
835 if (status
== STAT_SECURE
)
836 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class);
838 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
840 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
841 status
= STAT_INSECURE
;
845 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
846 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
850 if (status
== STAT_SECURE
)
852 else if (status
== STAT_BOGUS
)
855 /* restore CD bit to the value in the query */
856 if (forward
->flags
& FREC_CHECKING_DISABLED
)
857 header
->hb4
|= HB4_CD
;
859 header
->hb4
&= ~HB4_CD
;
863 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
,
864 forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
866 header
->id
= htons(forward
->orig_id
);
867 header
->hb4
|= HB4_RA
; /* recursion if available */
868 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
869 &forward
->source
, &forward
->dest
, forward
->iface
);
871 free_frec(forward
); /* cancel */
876 void receive_query(struct listener
*listen
, time_t now
)
878 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
879 union mysockaddr source_addr
;
881 struct all_addr dst_addr
;
882 struct in_addr netmask
, dst_addr_4
;
885 int if_index
= 0, auth_dns
= 0;
891 struct cmsghdr
*cmptr
;
893 struct cmsghdr align
; /* this ensures alignment */
895 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
897 #if defined(HAVE_LINUX_NETWORK)
898 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
899 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
900 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
901 CMSG_SPACE(sizeof(unsigned int))];
902 #elif defined(IP_RECVDSTADDR)
903 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
904 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
908 /* Can always get recvd interface for IPv6 */
909 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
911 int check_dst
= !option_bool(OPT_NOWILD
);
914 /* packet buffer overwritten */
915 daemon
->srv_save
= NULL
;
917 dst_addr_4
.s_addr
= 0;
920 if (option_bool(OPT_NOWILD
) && listen
->iface
)
922 auth_dns
= listen
->iface
->dns_auth
;
924 if (listen
->family
== AF_INET
)
926 dst_addr_4
= listen
->iface
->addr
.in
.sin_addr
;
927 netmask
= listen
->iface
->netmask
;
931 iov
[0].iov_base
= daemon
->packet
;
932 iov
[0].iov_len
= daemon
->edns_pktsz
;
934 msg
.msg_control
= control_u
.control
;
935 msg
.msg_controllen
= sizeof(control_u
);
937 msg
.msg_name
= &source_addr
;
938 msg
.msg_namelen
= sizeof(source_addr
);
942 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
945 if (n
< (int)sizeof(struct dns_header
) ||
946 (msg
.msg_flags
& MSG_TRUNC
) ||
947 (header
->hb3
& HB3_QR
))
950 source_addr
.sa
.sa_family
= listen
->family
;
952 if (listen
->family
== AF_INET6
)
953 source_addr
.in6
.sin6_flowinfo
= 0;
960 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
963 #if defined(HAVE_LINUX_NETWORK)
964 if (listen
->family
== AF_INET
)
965 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
966 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
970 struct in_pktinfo
*p
;
972 p
.c
= CMSG_DATA(cmptr
);
973 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
974 if_index
= p
.p
->ipi_ifindex
;
976 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
977 if (listen
->family
== AF_INET
)
979 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
985 #ifndef HAVE_SOLARIS_NETWORK
986 struct sockaddr_dl
*s
;
989 p
.c
= CMSG_DATA(cmptr
);
990 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
991 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
992 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
993 #ifdef HAVE_SOLARIS_NETWORK
996 if_index
= p
.s
->sdl_index
;
1003 if (listen
->family
== AF_INET6
)
1005 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1006 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1010 struct in6_pktinfo
*p
;
1012 p
.c
= CMSG_DATA(cmptr
);
1014 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1015 if_index
= p
.p
->ipi6_ifindex
;
1020 /* enforce available interface configuration */
1022 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1025 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1027 if (!option_bool(OPT_CLEVERBIND
))
1028 enumerate_interfaces(0);
1029 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1030 !label_exception(if_index
, listen
->family
, &dst_addr
))
1034 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1038 /* get the netmask of the interface whch has the address we were sent to.
1039 This is no neccessarily the interface we arrived on. */
1041 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1042 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1043 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1046 /* interface may be new */
1047 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1048 enumerate_interfaces(0);
1050 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1051 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1052 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1055 /* If we failed, abandon localisation */
1057 netmask
= iface
->netmask
;
1059 dst_addr_4
.s_addr
= 0;
1063 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1067 struct auth_zone
*zone
;
1070 querystr(auth_dns
? "auth" : "query", types
, type
);
1072 if (listen
->family
== AF_INET
)
1073 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1074 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1077 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1078 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1082 /* find queries for zones we're authoritative for, and answer them directly */
1084 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1085 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1097 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1100 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1101 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1102 daemon
->auth_answer
++;
1108 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1109 dst_addr_4
, netmask
, now
);
1113 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1114 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1115 daemon
->local_answer
++;
1117 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1118 header
, (size_t)n
, now
, NULL
))
1119 daemon
->queries_forwarded
++;
1121 daemon
->local_answer
++;
1126 static int tcp_key_recurse(time_t now
, int status
, int class, char *keyname
, struct server
*server
)
1128 /* Recurse up the key heirarchy */
1130 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1131 unsigned char *payload
= &packet
[2];
1132 struct dns_header
*header
= (struct dns_header
*)payload
;
1133 u16
*length
= (u16
*)packet
;
1135 unsigned char c1
, c2
;
1137 n
= dnssec_generate_query(header
, ((char *) header
) + 65536, keyname
, class,
1138 status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1142 if (!read_write(server
->tcpfd
, packet
, n
+ sizeof(u16
), 0) ||
1143 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1144 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1145 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1147 close(server
->tcpfd
);
1149 new_status
= STAT_INSECURE
;
1155 if (status
== STAT_NEED_KEY
)
1156 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1158 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1160 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1162 if ((new_status
= tcp_key_recurse(now
, new_status
, class, daemon
->keyname
, server
) == STAT_SECURE
))
1164 if (status
== STAT_NEED_KEY
)
1165 new_status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1167 new_status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, class);
1169 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1171 my_syslog(LOG_ERR
, _("Unexpected missing data for DNSSEC validation"));
1172 status
= STAT_INSECURE
;
1185 /* The daemon forks before calling this: it should deal with one connection,
1186 blocking as neccessary, and then return. Note, need to be a bit careful
1187 about resources for debug mode, when the fork is suppressed: that's
1188 done by the caller. */
1189 unsigned char *tcp_request(int confd
, time_t now
,
1190 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1197 int checking_disabled
, check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0;
1199 unsigned short qtype
;
1200 unsigned int gotname
;
1201 unsigned char c1
, c2
;
1202 /* Max TCP packet + slop + size */
1203 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1204 unsigned char *payload
= &packet
[2];
1205 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1206 struct dns_header
*header
= (struct dns_header
*)payload
;
1207 u16
*length
= (u16
*)packet
;
1208 struct server
*last_server
;
1209 struct in_addr dst_addr_4
;
1210 union mysockaddr peer_addr
;
1211 socklen_t peer_len
= sizeof(union mysockaddr
);
1213 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1219 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1220 !(size
= c1
<< 8 | c2
) ||
1221 !read_write(confd
, payload
, size
, 1))
1224 if (size
< (int)sizeof(struct dns_header
))
1229 /* save state of "cd" flag in query */
1230 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1231 no_cache_dnssec
= 1;
1233 /* RFC 4035: sect 4.6 para 2 */
1234 header
->hb4
&= ~HB4_AD
;
1236 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1240 struct auth_zone
*zone
;
1242 querystr(auth_dns
? "auth" : "query", types
, qtype
);
1244 if (peer_addr
.sa
.sa_family
== AF_INET
)
1245 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1246 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1249 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1250 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1254 /* find queries for zones we're authoritative for, and answer them directly */
1256 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1257 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1266 if (local_addr
->sa
.sa_family
== AF_INET
)
1267 dst_addr_4
= local_addr
->in
.sin_addr
;
1269 dst_addr_4
.s_addr
= 0;
1273 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1277 /* m > 0 if answered from cache */
1278 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1279 dst_addr_4
, netmask
, now
);
1281 /* Do this by steam now we're not in the select() loop */
1282 check_log_writer(NULL
);
1286 unsigned int flags
= 0;
1287 struct all_addr
*addrp
= NULL
;
1289 char *domain
= NULL
;
1291 if (option_bool(OPT_ADD_MAC
))
1292 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1294 if (option_bool(OPT_CLIENT_SUBNET
))
1296 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1305 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1307 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1308 last_server
= daemon
->servers
;
1310 last_server
= daemon
->last_server
;
1312 if (!flags
&& last_server
)
1314 struct server
*firstsendto
= NULL
;
1315 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1317 /* Loop round available servers until we succeed in connecting to one.
1318 Note that this code subtley ensures that consecutive queries on this connection
1319 which can go to the same server, do so. */
1323 firstsendto
= last_server
;
1326 if (!(last_server
= last_server
->next
))
1327 last_server
= daemon
->servers
;
1329 if (last_server
== firstsendto
)
1333 /* server for wrong domain */
1334 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1335 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)))
1338 if (last_server
->tcpfd
== -1)
1340 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1343 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1344 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1346 close(last_server
->tcpfd
);
1347 last_server
->tcpfd
= -1;
1352 if (option_bool(OPT_DNSSEC_VALID
))
1354 size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1355 header
->hb4
|= HB4_CD
;
1359 #ifdef HAVE_CONNTRACK
1360 /* Copy connection mark of incoming query to outgoing connection. */
1361 if (option_bool(OPT_CONNTRACK
))
1364 struct all_addr local
;
1366 if (local_addr
->sa
.sa_family
== AF_INET6
)
1367 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1370 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1372 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1373 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1378 *length
= htons(size
);
1380 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1381 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1382 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1383 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1385 close(last_server
->tcpfd
);
1386 last_server
->tcpfd
= -1;
1393 strcpy(daemon
->namebuff
, "query");
1394 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1395 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1396 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1399 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1400 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1404 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1408 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1410 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_KEY
)
1412 if ((status
= tcp_key_recurse(now
, status
, class, daemon
->keyname
, last_server
)) == STAT_SECURE
)
1413 status
= dnssec_validate_reply(now
, header
, m
, daemon
->namebuff
, daemon
->keyname
, &class);
1416 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
,
1417 status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1419 if (status
== STAT_BOGUS
)
1420 no_cache_dnssec
= 1;
1422 if (status
== STAT_SECURE
)
1427 /* restore CD bit to the value in the query */
1428 if (checking_disabled
)
1429 header
->hb4
|= HB4_CD
;
1431 header
->hb4
&= ~HB4_CD
;
1433 /* There's no point in updating the cache, since this process will exit and
1434 lose the information after a few queries. We make this call for the alias and
1435 bogus-nxdomain side-effects. */
1436 /* If the crc of the question section doesn't match the crc we sent, then
1437 someone might be attempting to insert bogus values into the cache by
1438 sending replies containing questions and bogus answers. */
1439 if (crc
== questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
1440 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
1441 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
,
1442 cache_secure
, check_subnet
, &peer_addr
);
1448 /* In case of local answer or no connections made. */
1450 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
1454 check_log_writer(NULL
);
1458 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
1463 static struct frec
*allocate_frec(time_t now
)
1467 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
1469 f
->next
= daemon
->frec_list
;
1478 f
->blocking_query
= NULL
;
1480 daemon
->frec_list
= f
;
1486 static struct randfd
*allocate_rfd(int family
)
1488 static int finger
= 0;
1491 /* limit the number of sockets we have open to avoid starvation of
1492 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1494 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1495 if (daemon
->randomsocks
[i
].refcount
== 0)
1497 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
1500 daemon
->randomsocks
[i
].refcount
= 1;
1501 daemon
->randomsocks
[i
].family
= family
;
1502 return &daemon
->randomsocks
[i
];
1505 /* No free ones or cannot get new socket, grab an existing one */
1506 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
1508 int j
= (i
+finger
) % RANDOM_SOCKS
;
1509 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
1510 daemon
->randomsocks
[j
].family
== family
&&
1511 daemon
->randomsocks
[j
].refcount
!= 0xffff)
1514 daemon
->randomsocks
[j
].refcount
++;
1515 return &daemon
->randomsocks
[j
];
1519 return NULL
; /* doom */
1521 static void free_frec(struct frec
*f
)
1523 if (f
->rfd4
&& --(f
->rfd4
->refcount
) == 0)
1531 if (f
->rfd6
&& --(f
->rfd6
->refcount
) == 0)
1540 blockdata_free(f
->stash
);
1544 /* Anything we're waiting on is pointless now, too */
1545 if (f
->blocking_query
)
1546 free_frec(f
->blocking_query
);
1547 f
->blocking_query
= NULL
;
1552 /* if wait==NULL return a free or older than TIMEOUT record.
1553 else return *wait zero if one available, or *wait is delay to
1554 when the oldest in-use record will expire. Impose an absolute
1555 limit of 4*TIMEOUT before we wipe things (for random sockets).
1556 If force is set, always return a result, even if we have
1557 to allocate above the limit. */
1558 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
1560 struct frec
*f
, *oldest
, *target
;
1566 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
1571 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
1577 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
1587 /* can't find empty one, use oldest if there is one
1588 and it's older than timeout */
1589 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
1591 /* keep stuff for twice timeout if we can by allocating a new
1593 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
1594 count
<= daemon
->ftabsize
&&
1595 (f
= allocate_frec(now
)))
1606 /* none available, calculate time 'till oldest record expires */
1607 if (!force
&& count
> daemon
->ftabsize
)
1609 static time_t last_log
= 0;
1612 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
1614 if ((int)difftime(now
, last_log
) > 5)
1617 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
1623 if (!(f
= allocate_frec(now
)) && wait
)
1624 /* wait one second on malloc failure */
1627 return f
; /* OK if malloc fails and this is NULL */
1630 /* crc is all-ones if not known. */
1631 static struct frec
*lookup_frec(unsigned short id
, unsigned int crc
)
1635 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1636 if (f
->sentto
&& f
->new_id
== id
&&
1637 (f
->crc
== crc
|| crc
== 0xffffffff))
1643 static struct frec
*lookup_frec_by_sender(unsigned short id
,
1644 union mysockaddr
*addr
,
1649 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
1653 sockaddr_isequal(&f
->source
, addr
))
1659 /* A server record is going away, remove references to it */
1660 void server_gone(struct server
*server
)
1664 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
1665 if (f
->sentto
&& f
->sentto
== server
)
1668 if (daemon
->last_server
== server
)
1669 daemon
->last_server
= NULL
;
1671 if (daemon
->srv_save
== server
)
1672 daemon
->srv_save
= NULL
;
1675 /* return unique random ids. */
1676 static unsigned short get_id(unsigned int crc
)
1678 unsigned short ret
= 0;
1682 while (lookup_frec(ret
, crc
));