]> git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
projects / people / ms / dnsmasq.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Handle wrong interface for locally-routed packets.
[people/ms/dnsmasq.git] / src / forward.c
1 /* dnsmasq is Copyright (c) 2000-2012 Simon Kelley
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
15 */
16
17 #include "dnsmasq.h"
18
19 static struct frec *lookup_frec(unsigned short id, unsigned int crc);
20 static struct frec *lookup_frec_by_sender(unsigned short id,
21 union mysockaddr *addr,
22 unsigned int crc);
23 static unsigned short get_id(unsigned int crc);
24 static void free_frec(struct frec *f);
25 static struct randfd *allocate_rfd(int family);
26
27 /* Send a UDP packet with its source address set as "source"
28 unless nowild is true, when we just send it with the kernel default */
29 int send_from(int fd, int nowild, char *packet, size_t len,
30 union mysockaddr *to, struct all_addr *source,
31 unsigned int iface)
32 {
33 struct msghdr msg;
34 struct iovec iov[1];
35 union {
36 struct cmsghdr align; /* this ensures alignment */
37 #if defined(HAVE_LINUX_NETWORK)
38 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39 #elif defined(IP_SENDSRCADDR)
40 char control[CMSG_SPACE(sizeof(struct in_addr))];
41 #endif
42 #ifdef HAVE_IPV6
43 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44 #endif
45 } control_u;
46
47 iov[0].iov_base = packet;
48 iov[0].iov_len = len;
49
50 msg.msg_control = NULL;
51 msg.msg_controllen = 0;
52 msg.msg_flags = 0;
53 msg.msg_name = to;
54 msg.msg_namelen = sa_len(to);
55 msg.msg_iov = iov;
56 msg.msg_iovlen = 1;
57
58 if (!nowild)
59 {
60 struct cmsghdr *cmptr;
61 msg.msg_control = &control_u;
62 msg.msg_controllen = sizeof(control_u);
63 cmptr = CMSG_FIRSTHDR(&msg);
64
65 if (to->sa.sa_family == AF_INET)
66 {
67 #if defined(HAVE_LINUX_NETWORK)
68 struct in_pktinfo p;
69 p.ipi_ifindex = 0;
70 p.ipi_spec_dst = source->addr.addr4;
71 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73 cmptr->cmsg_level = IPPROTO_IP;
74 cmptr->cmsg_type = IP_PKTINFO;
75 #elif defined(IP_SENDSRCADDR)
76 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78 cmptr->cmsg_level = IPPROTO_IP;
79 cmptr->cmsg_type = IP_SENDSRCADDR;
80 #endif
81 }
82 else
83 #ifdef HAVE_IPV6
84 {
85 struct in6_pktinfo p;
86 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87 p.ipi6_addr = source->addr.addr6;
88 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90 cmptr->cmsg_type = daemon->v6pktinfo;
91 cmptr->cmsg_level = IPPROTO_IPV6;
92 }
93 #else
94 (void)iface; /* eliminate warning */
95 #endif
96 }
97
98 while (sendmsg(fd, &msg, 0) == -1)
99 {
100 if (retry_send())
101 continue;
102
103 /* If interface is still in DAD, EINVAL results - ignore that. */
104 if (errno == EINVAL)
105 break;
106
107 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108 return 0;
109 }
110
111 return 1;
112 }
113
114 static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116
117 {
118 /* If the query ends in the domain in one of our servers, set
119 domain to point to that name. We find the largest match to allow both
120 domain.org and sub.domain.org to exist. */
121
122 unsigned int namelen = strlen(qdomain);
123 unsigned int matchlen = 0;
124 struct server *serv;
125 unsigned int flags = 0;
126
127 for (serv = daemon->servers; serv; serv=serv->next)
128 /* domain matches take priority over NODOTS matches */
129 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130 {
131 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132 *type = SERV_FOR_NODOTS;
133 if (serv->flags & SERV_NO_ADDR)
134 flags = F_NXDOMAIN;
135 else if (serv->flags & SERV_LITERAL_ADDRESS)
136 {
137 if (sflag & qtype)
138 {
139 flags = sflag;
140 if (serv->addr.sa.sa_family == AF_INET)
141 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142 #ifdef HAVE_IPV6
143 else
144 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145 #endif
146 }
147 else if (!flags || (flags & F_NXDOMAIN))
148 flags = F_NOERR;
149 }
150 }
151 else if (serv->flags & SERV_HAS_DOMAIN)
152 {
153 unsigned int domainlen = strlen(serv->domain);
154 char *matchstart = qdomain + namelen - domainlen;
155 if (namelen >= domainlen &&
156 hostname_isequal(matchstart, serv->domain) &&
157 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158 {
159 if (serv->flags & SERV_NO_REBIND)
160 *norebind = 1;
161 else
162 {
163 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164 /* implement priority rules for --address and --server for same domain.
165 --address wins if the address is for the correct AF
166 --server wins otherwise. */
167 if (domainlen != 0 && domainlen == matchlen)
168 {
169 if ((serv->flags & SERV_LITERAL_ADDRESS))
170 {
171 if (!(sflag & qtype) && flags == 0)
172 continue;
173 }
174 else
175 {
176 if (flags & (F_IPV4 | F_IPV6))
177 continue;
178 }
179 }
180
181 if (domainlen >= matchlen)
182 {
183 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184 *domain = serv->domain;
185 matchlen = domainlen;
186 if (serv->flags & SERV_NO_ADDR)
187 flags = F_NXDOMAIN;
188 else if (serv->flags & SERV_LITERAL_ADDRESS)
189 {
190 if (sflag & qtype)
191 {
192 flags = sflag;
193 if (serv->addr.sa.sa_family == AF_INET)
194 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195 #ifdef HAVE_IPV6
196 else
197 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198 #endif
199 }
200 else if (!flags || (flags & F_NXDOMAIN))
201 flags = F_NOERR;
202 }
203 else
204 flags = 0;
205 }
206 }
207 }
208 }
209
210 if (flags == 0 && !(qtype & F_QUERY) &&
211 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212 /* don't forward A or AAAA queries for simple names, except the empty name */
213 flags = F_NOERR;
214
215 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216 flags = F_NOERR;
217
218 if (flags)
219 {
220 int logflags = 0;
221
222 if (flags == F_NXDOMAIN || flags == F_NOERR)
223 logflags = F_NEG | qtype;
224
225 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226 }
227 else if ((*type) & SERV_USE_RESOLV)
228 {
229 *type = 0; /* use normal servers for this domain */
230 *domain = NULL;
231 }
232 return flags;
233 }
234
235 static int forward_query(int udpfd, union mysockaddr *udpaddr,
236 struct all_addr *dst_addr, unsigned int dst_iface,
237 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238 {
239 char *domain = NULL;
240 int type = 0, norebind = 0;
241 struct all_addr *addrp = NULL;
242 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243 unsigned int flags = 0;
244 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245 struct server *start = NULL;
246
247 /* RFC 4035: sect 4.6 para 2 */
248 header->hb4 &= ~HB4_AD;
249
250 /* may be no servers available. */
251 if (!daemon->servers)
252 forward = NULL;
253 else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
254 {
255 /* retry on existing query, send to all available servers */
256 domain = forward->sentto->domain;
257 forward->sentto->failed_queries++;
258 if (!option_bool(OPT_ORDER))
259 {
260 forward->forwardall = 1;
261 daemon->last_server = NULL;
262 }
263 type = forward->sentto->flags & SERV_TYPE;
264 if (!(start = forward->sentto->next))
265 start = daemon->servers; /* at end of list, recycle */
266 header->id = htons(forward->new_id);
267 }
268 else
269 {
270 if (gotname)
271 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272
273 if (!flags && !(forward = get_new_frec(now, NULL)))
274 /* table full - server failure. */
275 flags = F_NEG;
276
277 if (forward)
278 {
279 forward->source = *udpaddr;
280 forward->dest = *dst_addr;
281 forward->iface = dst_iface;
282 forward->orig_id = ntohs(header->id);
283 forward->new_id = get_id(crc);
284 forward->fd = udpfd;
285 forward->crc = crc;
286 forward->forwardall = 0;
287 if (norebind)
288 forward->flags |= FREC_NOREBIND;
289 if (header->hb4 & HB4_CD)
290 forward->flags |= FREC_CHECKING_DISABLED;
291
292 header->id = htons(forward->new_id);
293
294 /* In strict_order mode, always try servers in the order
295 specified in resolv.conf, if a domain is given
296 always try all the available servers,
297 otherwise, use the one last known to work. */
298
299 if (type == 0)
300 {
301 if (option_bool(OPT_ORDER))
302 start = daemon->servers;
303 else if (!(start = daemon->last_server) ||
304 daemon->forwardcount++ > FORWARD_TEST ||
305 difftime(now, daemon->forwardtime) > FORWARD_TIME)
306 {
307 start = daemon->servers;
308 forward->forwardall = 1;
309 daemon->forwardcount = 0;
310 daemon->forwardtime = now;
311 }
312 }
313 else
314 {
315 start = daemon->servers;
316 if (!option_bool(OPT_ORDER))
317 forward->forwardall = 1;
318 }
319 }
320 }
321
322 /* check for send errors here (no route to host)
323 if we fail to send to all nameservers, send back an error
324 packet straight away (helps modem users when offline) */
325
326 if (!flags && forward)
327 {
328 struct server *firstsentto = start;
329 int forwarded = 0;
330
331 if (udpaddr && option_bool(OPT_ADD_MAC))
332 plen = add_mac(header, plen, ((char *) header) + PACKETSZ, udpaddr);
333
334 while (1)
335 {
336 /* only send to servers dealing with our domain.
337 domain may be NULL, in which case server->domain
338 must be NULL also. */
339
340 if (type == (start->flags & SERV_TYPE) &&
341 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
342 !(start->flags & SERV_LITERAL_ADDRESS))
343 {
344 int fd;
345
346 /* find server socket to use, may need to get random one. */
347 if (start->sfd)
348 fd = start->sfd->fd;
349 else
350 {
351 #ifdef HAVE_IPV6
352 if (start->addr.sa.sa_family == AF_INET6)
353 {
354 if (!forward->rfd6 &&
355 !(forward->rfd6 = allocate_rfd(AF_INET6)))
356 break;
357 daemon->rfd_save = forward->rfd6;
358 fd = forward->rfd6->fd;
359 }
360 else
361 #endif
362 {
363 if (!forward->rfd4 &&
364 !(forward->rfd4 = allocate_rfd(AF_INET)))
365 break;
366 daemon->rfd_save = forward->rfd4;
367 fd = forward->rfd4->fd;
368 }
369
370 #ifdef HAVE_CONNTRACK
371 /* Copy connection mark of incoming query to outgoing connection. */
372 if (option_bool(OPT_CONNTRACK))
373 {
374 unsigned int mark;
375 if (get_incoming_mark(udpaddr, dst_addr, 0, &mark))
376 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
377 }
378 #endif
379 }
380
381 if (sendto(fd, (char *)header, plen, 0,
382 &start->addr.sa,
383 sa_len(&start->addr)) == -1)
384 {
385 if (retry_send())
386 continue;
387 }
388 else
389 {
390 /* Keep info in case we want to re-send this packet */
391 daemon->srv_save = start;
392 daemon->packet_len = plen;
393
394 if (!gotname)
395 strcpy(daemon->namebuff, "query");
396 if (start->addr.sa.sa_family == AF_INET)
397 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
398 (struct all_addr *)&start->addr.in.sin_addr, NULL);
399 #ifdef HAVE_IPV6
400 else
401 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
402 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
403 #endif
404 start->queries++;
405 forwarded = 1;
406 forward->sentto = start;
407 if (!forward->forwardall)
408 break;
409 forward->forwardall++;
410 }
411 }
412
413 if (!(start = start->next))
414 start = daemon->servers;
415
416 if (start == firstsentto)
417 break;
418 }
419
420 if (forwarded)
421 return 1;
422
423 /* could not send on, prepare to return */
424 header->id = htons(forward->orig_id);
425 free_frec(forward); /* cancel */
426 }
427
428 /* could not send on, return empty answer or address if known for whole domain */
429 if (udpfd != -1)
430 {
431 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
432 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
433 }
434
435 return 0;
436 }
437
438 static size_t process_reply(struct dns_header *header, time_t now,
439 struct server *server, size_t n, int check_rebind, int checking_disabled)
440 {
441 unsigned char *pheader, *sizep;
442 int munged = 0, is_sign;
443 size_t plen;
444
445 /* If upstream is advertising a larger UDP packet size
446 than we allow, trim it so that we don't get overlarge
447 requests for the client. We can't do this for signed packets. */
448
449 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
450 {
451 unsigned short udpsz;
452 unsigned char *psave = sizep;
453
454 GETSHORT(udpsz, sizep);
455 if (udpsz > daemon->edns_pktsz)
456 PUTSHORT(daemon->edns_pktsz, psave);
457 }
458
459 /* RFC 4035 sect 4.6 para 3 */
460 if (!is_sign && !option_bool(OPT_DNSSEC))
461 header->hb4 &= ~HB4_AD;
462
463 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
464 return n;
465
466 /* Complain loudly if the upstream server is non-recursive. */
467 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
468 server && !(server->flags & SERV_WARNED_RECURSIVE))
469 {
470 prettyprint_addr(&server->addr, daemon->namebuff);
471 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
472 if (!option_bool(OPT_LOG))
473 server->flags |= SERV_WARNED_RECURSIVE;
474 }
475
476 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
477 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
478 {
479 munged = 1;
480 SET_RCODE(header, NXDOMAIN);
481 header->hb3 &= ~HB3_AA;
482 }
483 else
484 {
485 if (RCODE(header) == NXDOMAIN &&
486 extract_request(header, n, daemon->namebuff, NULL) &&
487 check_for_local_domain(daemon->namebuff, now))
488 {
489 /* if we forwarded a query for a locally known name (because it was for
490 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
491 since we know that the domain exists, even if upstream doesn't */
492 munged = 1;
493 header->hb3 |= HB3_AA;
494 SET_RCODE(header, NOERROR);
495 }
496
497 if (extract_addresses(header, n, daemon->namebuff, now, is_sign, check_rebind, checking_disabled))
498 {
499 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
500 munged = 1;
501 }
502 }
503
504 /* do this after extract_addresses. Ensure NODATA reply and remove
505 nameserver info. */
506
507 if (munged)
508 {
509 header->ancount = htons(0);
510 header->nscount = htons(0);
511 header->arcount = htons(0);
512 }
513
514 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
515 sections of the packet. Find the new length here and put back pseudoheader
516 if it was removed. */
517 return resize_packet(header, n, pheader, plen);
518 }
519
520 /* sets new last_server */
521 void reply_query(int fd, int family, time_t now)
522 {
523 /* packet from peer server, extract data for cache, and send to
524 original requester */
525 struct dns_header *header;
526 union mysockaddr serveraddr;
527 struct frec *forward;
528 socklen_t addrlen = sizeof(serveraddr);
529 ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
530 size_t nn;
531 struct server *server;
532
533 /* packet buffer overwritten */
534 daemon->srv_save = NULL;
535
536 /* Determine the address of the server replying so that we can mark that as good */
537 serveraddr.sa.sa_family = family;
538 #ifdef HAVE_IPV6
539 if (serveraddr.sa.sa_family == AF_INET6)
540 serveraddr.in6.sin6_flowinfo = 0;
541 #endif
542
543 /* spoof check: answer must come from known server, */
544 for (server = daemon->servers; server; server = server->next)
545 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
546 sockaddr_isequal(&server->addr, &serveraddr))
547 break;
548
549 header = (struct dns_header *)daemon->packet;
550
551 if (!server ||
552 n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
553 !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
554 return;
555
556 server = forward->sentto;
557
558 if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
559 !option_bool(OPT_ORDER) &&
560 forward->forwardall == 0)
561 /* for broken servers, attempt to send to another one. */
562 {
563 unsigned char *pheader;
564 size_t plen;
565 int is_sign;
566
567 /* recreate query from reply */
568 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
569 if (!is_sign)
570 {
571 header->ancount = htons(0);
572 header->nscount = htons(0);
573 header->arcount = htons(0);
574 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
575 {
576 header->hb3 &= ~(HB3_QR | HB3_TC);
577 forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
578 return;
579 }
580 }
581 }
582
583 if ((forward->sentto->flags & SERV_TYPE) == 0)
584 {
585 if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
586 server = NULL;
587 else
588 {
589 struct server *last_server;
590
591 /* find good server by address if possible, otherwise assume the last one we sent to */
592 for (last_server = daemon->servers; last_server; last_server = last_server->next)
593 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
594 sockaddr_isequal(&last_server->addr, &serveraddr))
595 {
596 server = last_server;
597 break;
598 }
599 }
600 if (!option_bool(OPT_ALL_SERVERS))
601 daemon->last_server = server;
602 }
603
604 /* If the answer is an error, keep the forward record in place in case
605 we get a good reply from another server. Kill it when we've
606 had replies from all to avoid filling the forwarding table when
607 everything is broken */
608 if (forward->forwardall == 0 || --forward->forwardall == 1 ||
609 (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
610 {
611 int check_rebind = !(forward->flags & FREC_NOREBIND);
612
613 if (!option_bool(OPT_NO_REBIND))
614 check_rebind = 0;
615
616 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED)))
617 {
618 header->id = htons(forward->orig_id);
619 header->hb4 |= HB4_RA; /* recursion if available */
620 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
621 &forward->source, &forward->dest, forward->iface);
622 }
623 free_frec(forward); /* cancel */
624 }
625 }
626
627
628 void receive_query(struct listener *listen, time_t now)
629 {
630 struct dns_header *header = (struct dns_header *)daemon->packet;
631 union mysockaddr source_addr;
632 unsigned short type;
633 struct all_addr dst_addr;
634 struct in_addr netmask, dst_addr_4;
635 size_t m;
636 ssize_t n;
637 int if_index = 0;
638 int auth_dns = 0;
639 struct iovec iov[1];
640 struct msghdr msg;
641 struct cmsghdr *cmptr;
642 union {
643 struct cmsghdr align; /* this ensures alignment */
644 #ifdef HAVE_IPV6
645 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
646 #endif
647 #if defined(HAVE_LINUX_NETWORK)
648 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
649 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
650 char control[CMSG_SPACE(sizeof(struct in_addr)) +
651 CMSG_SPACE(sizeof(unsigned int))];
652 #elif defined(IP_RECVDSTADDR)
653 char control[CMSG_SPACE(sizeof(struct in_addr)) +
654 CMSG_SPACE(sizeof(struct sockaddr_dl))];
655 #endif
656 } control_u;
657
658 /* packet buffer overwritten */
659 daemon->srv_save = NULL;
660
661 dst_addr_4.s_addr = 0;
662 netmask.s_addr = 0;
663
664 if (listen->iface && option_bool(OPT_NOWILD))
665 {
666 auth_dns = listen->iface->dns_auth;
667
668 if (listen->family == AF_INET)
669 {
670 dst_addr_4 = listen->iface->addr.in.sin_addr;
671 netmask = listen->iface->netmask;
672 }
673 }
674
675 iov[0].iov_base = daemon->packet;
676 iov[0].iov_len = daemon->edns_pktsz;
677
678 msg.msg_control = control_u.control;
679 msg.msg_controllen = sizeof(control_u);
680 msg.msg_flags = 0;
681 msg.msg_name = &source_addr;
682 msg.msg_namelen = sizeof(source_addr);
683 msg.msg_iov = iov;
684 msg.msg_iovlen = 1;
685
686 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
687 return;
688
689 if (n < (int)sizeof(struct dns_header) ||
690 (msg.msg_flags & MSG_TRUNC) ||
691 (header->hb3 & HB3_QR))
692 return;
693
694 source_addr.sa.sa_family = listen->family;
695 #ifdef HAVE_IPV6
696 if (listen->family == AF_INET6)
697 source_addr.in6.sin6_flowinfo = 0;
698 #endif
699
700 if (!option_bool(OPT_NOWILD))
701 {
702 struct ifreq ifr;
703
704 if (msg.msg_controllen < sizeof(struct cmsghdr))
705 return;
706
707 #if defined(HAVE_LINUX_NETWORK)
708 if (listen->family == AF_INET)
709 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
710 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
711 {
712 union {
713 unsigned char *c;
714 struct in_pktinfo *p;
715 } p;
716 p.c = CMSG_DATA(cmptr);
717 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
718 if_index = p.p->ipi_ifindex;
719 }
720 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
721 if (listen->family == AF_INET)
722 {
723 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
724 {
725 union {
726 unsigned char *c;
727 unsigned int *i;
728 struct in_addr *a;
729 #ifndef HAVE_SOLARIS_NETWORK
730 struct sockaddr_dl *s;
731 #endif
732 } p;
733 p.c = CMSG_DATA(cmptr);
734 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
735 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
736 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
737 #ifdef HAVE_SOLARIS_NETWORK
738 if_index = *(p.i);
739 #else
740 if_index = p.s->sdl_index;
741 #endif
742 }
743 }
744 #endif
745
746 #ifdef HAVE_IPV6
747 if (listen->family == AF_INET6)
748 {
749 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
750 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
751 {
752 union {
753 unsigned char *c;
754 struct in6_pktinfo *p;
755 } p;
756 p.c = CMSG_DATA(cmptr);
757
758 dst_addr.addr.addr6 = p.p->ipi6_addr;
759 if_index = p.p->ipi6_ifindex;
760 }
761 }
762 #endif
763
764 /* enforce available interface configuration */
765
766 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
767 return;
768
769 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
770 {
771 if (!option_bool(OPT_CLEVERBIND))
772 enumerate_interfaces();
773 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
774 return;
775 }
776
777 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
778 {
779 struct irec *iface;
780
781 /* get the netmask of the interface whch has the address we were sent to.
782 This is no neccessarily the interface we arrived on. */
783
784 for (iface = daemon->interfaces; iface; iface = iface->next)
785 if (iface->addr.sa.sa_family == AF_INET &&
786 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
787 break;
788
789 /* interface may be new */
790 if (!iface && !option_bool(OPT_CLEVERBIND))
791 enumerate_interfaces();
792
793 for (iface = daemon->interfaces; iface; iface = iface->next)
794 if (iface->addr.sa.sa_family == AF_INET &&
795 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
796 break;
797
798 /* If we failed, abandon localisation */
799 if (iface)
800 netmask = iface->netmask;
801 else
802 dst_addr_4.s_addr = 0;
803 }
804 }
805
806 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
807 {
808 char types[20];
809
810 querystr(auth_dns ? "auth" : "query", types, type);
811
812 if (listen->family == AF_INET)
813 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
814 (struct all_addr *)&source_addr.in.sin_addr, types);
815 #ifdef HAVE_IPV6
816 else
817 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
818 (struct all_addr *)&source_addr.in6.sin6_addr, types);
819 #endif
820 }
821
822 #ifdef HAVE_AUTH
823 if (auth_dns)
824 {
825 m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
826 if (m >= 1)
827 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
828 (char *)header, m, &source_addr, &dst_addr, if_index);
829 }
830 else
831 #endif
832 {
833 m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
834 dst_addr_4, netmask, now);
835
836 if (m >= 1)
837 {
838 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
839 (char *)header, m, &source_addr, &dst_addr, if_index);
840 daemon->local_answer++;
841 }
842 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
843 header, (size_t)n, now, NULL))
844 daemon->queries_forwarded++;
845 else
846 daemon->local_answer++;
847 }
848 }
849
850 /* The daemon forks before calling this: it should deal with one connection,
851 blocking as neccessary, and then return. Note, need to be a bit careful
852 about resources for debug mode, when the fork is suppressed: that's
853 done by the caller. */
854 unsigned char *tcp_request(int confd, time_t now,
855 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
856 {
857 size_t size = 0;
858 int norebind = 0;
859 int checking_disabled;
860 size_t m;
861 unsigned short qtype;
862 unsigned int gotname;
863 unsigned char c1, c2;
864 /* Max TCP packet + slop */
865 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
866 struct dns_header *header;
867 struct server *last_server;
868 struct in_addr dst_addr_4;
869 union mysockaddr peer_addr;
870 socklen_t peer_len = sizeof(union mysockaddr);
871
872 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
873 return packet;
874
875 while (1)
876 {
877 if (!packet ||
878 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
879 !(size = c1 << 8 | c2) ||
880 !read_write(confd, packet, size, 1))
881 return packet;
882
883 if (size < (int)sizeof(struct dns_header))
884 continue;
885
886 header = (struct dns_header *)packet;
887
888 /* save state of "cd" flag in query */
889 checking_disabled = header->hb4 & HB4_CD;
890
891 /* RFC 4035: sect 4.6 para 2 */
892 header->hb4 &= ~HB4_AD;
893
894 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
895 {
896 char types[20];
897
898 querystr(auth_dns ? "auth" : "query", types, qtype);
899
900 if (peer_addr.sa.sa_family == AF_INET)
901 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
902 (struct all_addr *)&peer_addr.in.sin_addr, types);
903 #ifdef HAVE_IPV6
904 else
905 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
906 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
907 #endif
908 }
909
910 if (local_addr->sa.sa_family == AF_INET)
911 dst_addr_4 = local_addr->in.sin_addr;
912 else
913 dst_addr_4.s_addr = 0;
914
915 #ifdef HAVE_AUTH
916 if (auth_dns)
917 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
918 else
919 #endif
920 {
921 /* m > 0 if answered from cache */
922 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
923 dst_addr_4, netmask, now);
924
925 /* Do this by steam now we're not in the select() loop */
926 check_log_writer(NULL);
927
928 if (m == 0)
929 {
930 unsigned int flags = 0;
931 struct all_addr *addrp = NULL;
932 int type = 0;
933 char *domain = NULL;
934
935 if (option_bool(OPT_ADD_MAC))
936 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
937
938 if (gotname)
939 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
940
941 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
942 last_server = daemon->servers;
943 else
944 last_server = daemon->last_server;
945
946 if (!flags && last_server)
947 {
948 struct server *firstsendto = NULL;
949 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
950
951 /* Loop round available servers until we succeed in connecting to one.
952 Note that this code subtley ensures that consecutive queries on this connection
953 which can go to the same server, do so. */
954 while (1)
955 {
956 if (!firstsendto)
957 firstsendto = last_server;
958 else
959 {
960 if (!(last_server = last_server->next))
961 last_server = daemon->servers;
962
963 if (last_server == firstsendto)
964 break;
965 }
966
967 /* server for wrong domain */
968 if (type != (last_server->flags & SERV_TYPE) ||
969 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
970 continue;
971
972 if (last_server->tcpfd == -1)
973 {
974 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
975 continue;
976
977 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
978 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
979 {
980 close(last_server->tcpfd);
981 last_server->tcpfd = -1;
982 continue;
983 }
984
985 #ifdef HAVE_CONNTRACK
986 /* Copy connection mark of incoming query to outgoing connection. */
987 if (option_bool(OPT_CONNTRACK))
988 {
989 unsigned int mark;
990 struct all_addr local;
991 #ifdef HAVE_IPV6
992 if (local_addr->sa.sa_family == AF_INET6)
993 local.addr.addr6 = local_addr->in6.sin6_addr;
994 else
995 #endif
996 local.addr.addr4 = local_addr->in.sin_addr;
997
998 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
999 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1000 }
1001 #endif
1002 }
1003
1004 c1 = size >> 8;
1005 c2 = size;
1006
1007 if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
1008 !read_write(last_server->tcpfd, &c2, 1, 0) ||
1009 !read_write(last_server->tcpfd, packet, size, 0) ||
1010 !read_write(last_server->tcpfd, &c1, 1, 1) ||
1011 !read_write(last_server->tcpfd, &c2, 1, 1))
1012 {
1013 close(last_server->tcpfd);
1014 last_server->tcpfd = -1;
1015 continue;
1016 }
1017
1018 m = (c1 << 8) | c2;
1019 if (!read_write(last_server->tcpfd, packet, m, 1))
1020 return packet;
1021
1022 if (!gotname)
1023 strcpy(daemon->namebuff, "query");
1024 if (last_server->addr.sa.sa_family == AF_INET)
1025 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1026 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1027 #ifdef HAVE_IPV6
1028 else
1029 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1030 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1031 #endif
1032
1033 /* There's no point in updating the cache, since this process will exit and
1034 lose the information after a few queries. We make this call for the alias and
1035 bogus-nxdomain side-effects. */
1036 /* If the crc of the question section doesn't match the crc we sent, then
1037 someone might be attempting to insert bogus values into the cache by
1038 sending replies containing questions and bogus answers. */
1039 if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1040 m = process_reply(header, now, last_server, (unsigned int)m,
1041 option_bool(OPT_NO_REBIND) && !norebind, checking_disabled);
1042
1043 break;
1044 }
1045 }
1046
1047 /* In case of local answer or no connections made. */
1048 if (m == 0)
1049 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1050 }
1051 }
1052
1053 check_log_writer(NULL);
1054
1055 c1 = m>>8;
1056 c2 = m;
1057 if (m == 0 ||
1058 !read_write(confd, &c1, 1, 0) ||
1059 !read_write(confd, &c2, 1, 0) ||
1060 !read_write(confd, packet, m, 0))
1061 return packet;
1062 }
1063 }
1064
1065 static struct frec *allocate_frec(time_t now)
1066 {
1067 struct frec *f;
1068
1069 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1070 {
1071 f->next = daemon->frec_list;
1072 f->time = now;
1073 f->sentto = NULL;
1074 f->rfd4 = NULL;
1075 f->flags = 0;
1076 #ifdef HAVE_IPV6
1077 f->rfd6 = NULL;
1078 #endif
1079 daemon->frec_list = f;
1080 }
1081
1082 return f;
1083 }
1084
1085 static struct randfd *allocate_rfd(int family)
1086 {
1087 static int finger = 0;
1088 int i;
1089
1090 /* limit the number of sockets we have open to avoid starvation of
1091 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1092
1093 for (i = 0; i < RANDOM_SOCKS; i++)
1094 if (daemon->randomsocks[i].refcount == 0)
1095 {
1096 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1097 break;
1098
1099 daemon->randomsocks[i].refcount = 1;
1100 daemon->randomsocks[i].family = family;
1101 return &daemon->randomsocks[i];
1102 }
1103
1104 /* No free ones or cannot get new socket, grab an existing one */
1105 for (i = 0; i < RANDOM_SOCKS; i++)
1106 {
1107 int j = (i+finger) % RANDOM_SOCKS;
1108 if (daemon->randomsocks[j].refcount != 0 &&
1109 daemon->randomsocks[j].family == family &&
1110 daemon->randomsocks[j].refcount != 0xffff)
1111 {
1112 finger = j;
1113 daemon->randomsocks[j].refcount++;
1114 return &daemon->randomsocks[j];
1115 }
1116 }
1117
1118 return NULL; /* doom */
1119 }
1120
1121 static void free_frec(struct frec *f)
1122 {
1123 if (f->rfd4 && --(f->rfd4->refcount) == 0)
1124 close(f->rfd4->fd);
1125
1126 f->rfd4 = NULL;
1127 f->sentto = NULL;
1128 f->flags = 0;
1129
1130 #ifdef HAVE_IPV6
1131 if (f->rfd6 && --(f->rfd6->refcount) == 0)
1132 close(f->rfd6->fd);
1133
1134 f->rfd6 = NULL;
1135 #endif
1136 }
1137
1138 /* if wait==NULL return a free or older than TIMEOUT record.
1139 else return *wait zero if one available, or *wait is delay to
1140 when the oldest in-use record will expire. Impose an absolute
1141 limit of 4*TIMEOUT before we wipe things (for random sockets) */
1142 struct frec *get_new_frec(time_t now, int *wait)
1143 {
1144 struct frec *f, *oldest, *target;
1145 int count;
1146
1147 if (wait)
1148 *wait = 0;
1149
1150 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1151 if (!f->sentto)
1152 target = f;
1153 else
1154 {
1155 if (difftime(now, f->time) >= 4*TIMEOUT)
1156 {
1157 free_frec(f);
1158 target = f;
1159 }
1160
1161 if (!oldest || difftime(f->time, oldest->time) <= 0)
1162 oldest = f;
1163 }
1164
1165 if (target)
1166 {
1167 target->time = now;
1168 return target;
1169 }
1170
1171 /* can't find empty one, use oldest if there is one
1172 and it's older than timeout */
1173 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1174 {
1175 /* keep stuff for twice timeout if we can by allocating a new
1176 record instead */
1177 if (difftime(now, oldest->time) < 2*TIMEOUT &&
1178 count <= daemon->ftabsize &&
1179 (f = allocate_frec(now)))
1180 return f;
1181
1182 if (!wait)
1183 {
1184 free_frec(oldest);
1185 oldest->time = now;
1186 }
1187 return oldest;
1188 }
1189
1190 /* none available, calculate time 'till oldest record expires */
1191 if (count > daemon->ftabsize)
1192 {
1193 if (oldest && wait)
1194 *wait = oldest->time + (time_t)TIMEOUT - now;
1195 return NULL;
1196 }
1197
1198 if (!(f = allocate_frec(now)) && wait)
1199 /* wait one second on malloc failure */
1200 *wait = 1;
1201
1202 return f; /* OK if malloc fails and this is NULL */
1203 }
1204
1205 /* crc is all-ones if not known. */
1206 static struct frec *lookup_frec(unsigned short id, unsigned int crc)
1207 {
1208 struct frec *f;
1209
1210 for(f = daemon->frec_list; f; f = f->next)
1211 if (f->sentto && f->new_id == id &&
1212 (f->crc == crc || crc == 0xffffffff))
1213 return f;
1214
1215 return NULL;
1216 }
1217
1218 static struct frec *lookup_frec_by_sender(unsigned short id,
1219 union mysockaddr *addr,
1220 unsigned int crc)
1221 {
1222 struct frec *f;
1223
1224 for(f = daemon->frec_list; f; f = f->next)
1225 if (f->sentto &&
1226 f->orig_id == id &&
1227 f->crc == crc &&
1228 sockaddr_isequal(&f->source, addr))
1229 return f;
1230
1231 return NULL;
1232 }
1233
1234 /* A server record is going away, remove references to it */
1235 void server_gone(struct server *server)
1236 {
1237 struct frec *f;
1238
1239 for (f = daemon->frec_list; f; f = f->next)
1240 if (f->sentto && f->sentto == server)
1241 free_frec(f);
1242
1243 if (daemon->last_server == server)
1244 daemon->last_server = NULL;
1245
1246 if (daemon->srv_save == server)
1247 daemon->srv_save = NULL;
1248 }
1249
1250 /* return unique random ids. */
1251 static unsigned short get_id(unsigned int crc)
1252 {
1253 unsigned short ret = 0;
1254
1255 do
1256 ret = rand16();
1257 while (lookup_frec(ret, crc));
1258
1259 return ret;
1260 }
1261
1262
1263
1264
1265
Michael's tree of dnsmasq.