[thirdparty/systemd.git] / src / resolve / resolved-conf.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "alloc-util.h"
#include "conf-parser.h"
#include "constants.h"
#include "creds-util.h"
#include "dns-domain.h"
#include "extract-word.h"
#include "hexdecoct.h"
#include "parse-util.h"
#include "proc-cmdline.h"
#include "resolved-conf.h"
#include "resolved-dns-search-domain.h"
#include "resolved-dns-stub.h"
#include "resolved-dnssd.h"
#include "resolved-manager.h"
#include "socket-netlink.h"
#include "specifier.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "utf8.h"

DEFINE_CONFIG_PARSE_ENUM(config_parse_dns_stub_listener_mode, dns_stub_listener_mode, DnsStubListenerMode, "Failed to parse DNS stub listener mode setting");

static int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char *word) {
        _cleanup_free_ char *server_name = NULL;
        union in_addr_union address;
        int family, r, ifindex = 0;
        uint16_t port;
        DnsServer *s;

        assert(m);
        assert(word);

        r = in_addr_port_ifindex_name_from_string_auto(word, &family, &address, &port, &ifindex, &server_name);
        if (r < 0)
                return r;

        /* Silently filter out 0.0.0.0, 127.0.0.53, 127.0.0.54 (our own stub DNS listener) */
        if (!dns_server_address_valid(family, &address))
                return 0;

        /* By default, the port number is determined with the transaction feature level.
         * See dns_transaction_port() and dns_server_port(). */
        if (IN_SET(port, 53, 853))
                port = 0;

        /* Filter out duplicates */
        s = dns_server_find(manager_get_first_dns_server(m, type), family, &address, port, ifindex, server_name);
        if (s) {
                /* Drop the marker. This is used to find the servers that ceased to exist, see
                 * manager_mark_dns_servers() and manager_flush_marked_dns_servers(). */
                dns_server_move_back_and_unmark(s);
                return 0;
        }

        return dns_server_new(m, NULL, type, NULL, family, &address, port, ifindex, server_name, RESOLVE_CONFIG_SOURCE_FILE);
}

int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, const char *string) {
        int r;

        assert(m);
        assert(string);

        for (;;) {
                _cleanup_free_ char *word = NULL;

                r = extract_first_word(&string, &word, NULL, 0);
                if (r <= 0)
                        return r;

                r = manager_add_dns_server_by_string(m, type, word);
                if (r < 0)
                        log_warning_errno(r, "Failed to add DNS server address '%s', ignoring: %m", word);
        }
}

static int manager_add_search_domain_by_string(Manager *m, const char *domain) {
        DnsSearchDomain *d;
        bool route_only;
        int r;

        assert(m);
        assert(domain);

        route_only = *domain == '~';
        if (route_only)
                domain++;

        if (dns_name_is_root(domain) || streq(domain, "*")) {
                route_only = true;
                domain = ".";
        }

        r = dns_search_domain_find(m->search_domains, domain, &d);
        if (r < 0)
                return r;
        if (r > 0)
                dns_search_domain_move_back_and_unmark(d);
        else {
                r = dns_search_domain_new(m, &d, DNS_SEARCH_DOMAIN_SYSTEM, NULL, domain);
                if (r < 0)
                        return r;
        }

        d->route_only = route_only;
        return 0;
}

int manager_parse_search_domains_and_warn(Manager *m, const char *string) {
        int r;

        assert(m);
        assert(string);

        for (;;) {
                _cleanup_free_ char *word = NULL;

                r = extract_first_word(&string, &word, NULL, EXTRACT_UNQUOTE);
                if (r <= 0)
                        return r;

                r = manager_add_search_domain_by_string(m, word);
                if (r < 0)
                        log_warning_errno(r, "Failed to add search domain '%s', ignoring: %m", word);
        }
}

int config_parse_dns_servers(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        Manager *m = ASSERT_PTR(userdata);
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue))
                /* Empty assignment means clear the list */
                dns_server_unlink_all(manager_get_first_dns_server(m, ltype));
        else {
                /* Otherwise, add to the list */
                r = manager_parse_dns_server_string_and_warn(m, ltype, rvalue);
                if (r < 0) {
                        log_syntax(unit, LOG_WARNING, filename, line, r,
                                   "Failed to parse DNS server string '%s', ignoring.", rvalue);
                        return 0;
                }
        }

        /* If we have a manual setting, then we stop reading
         * /etc/resolv.conf */
        if (ltype == DNS_SERVER_SYSTEM)
                m->read_resolv_conf = false;
        if (ltype == DNS_SERVER_FALLBACK)
                m->need_builtin_fallbacks = false;

        return 0;
}

int config_parse_search_domains(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        Manager *m = ASSERT_PTR(userdata);
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue))
                /* Empty assignment means clear the list */
                dns_search_domain_unlink_all(m->search_domains);
        else {
                /* Otherwise, add to the list */
                r = manager_parse_search_domains_and_warn(m, rvalue);
                if (r < 0) {
                        log_syntax(unit, LOG_WARNING, filename, line, r,
                                   "Failed to parse search domains string '%s', ignoring.", rvalue);
                        return 0;
                }
        }

        /* If we have a manual setting, then we stop reading
         * /etc/resolv.conf */
        m->read_resolv_conf = false;

        return 0;
}

int config_parse_dnssd_service_name(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        static const Specifier specifier_table[] = {
                { 'a', specifier_architecture,    NULL },
                { 'b', specifier_boot_id,         NULL },
                { 'B', specifier_os_build_id,     NULL },
                { 'H', specifier_hostname,        NULL }, /* We will use specifier_dnssd_hostname(). */
                { 'm', specifier_machine_id,      NULL },
                { 'o', specifier_os_id,           NULL },
                { 'v', specifier_kernel_release,  NULL },
                { 'w', specifier_os_version_id,   NULL },
                { 'W', specifier_os_variant_id,   NULL },
                {}
        };
        DnssdService *s = ASSERT_PTR(userdata);
        _cleanup_free_ char *name = NULL;
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue)) {
                s->name_template = mfree(s->name_template);
                return 0;
        }

        r = specifier_printf(rvalue, DNS_LABEL_MAX, specifier_table, NULL, NULL, &name);
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
                           "Invalid service instance name template '%s', ignoring assignment: %m", rvalue);
                return 0;
        }

        if (!dns_service_name_is_valid(name)) {
                log_syntax(unit, LOG_WARNING, filename, line, 0,
                           "Service instance name template '%s' renders to invalid name '%s'. Ignoring assignment.",
                           rvalue, name);
                return 0;
        }

        return free_and_strdup_warn(&s->name_template, rvalue);
}

int config_parse_dnssd_service_type(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        DnssdService *s = ASSERT_PTR(userdata);
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue)) {
                s->type = mfree(s->type);
                return 0;
        }

        if (!dnssd_srv_type_is_valid(rvalue)) {
                log_syntax(unit, LOG_WARNING, filename, line, 0, "Service type is invalid. Ignoring.");
                return 0;
        }

        r = free_and_strdup(&s->type, rvalue);
        if (r < 0)
                return log_oom();

        return 0;
}

int config_parse_dnssd_service_subtype(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        DnssdService *s = ASSERT_PTR(userdata);

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue)) {
                s->subtype = mfree(s->subtype);
                return 0;
        }

        if (!dns_subtype_name_is_valid(rvalue)) {
                log_syntax(unit, LOG_WARNING, filename, line, 0, "Service subtype is invalid. Ignoring.");
                return 0;
        }

        return free_and_strdup_warn(&s->subtype, rvalue);
}

int config_parse_dnssd_txt(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        _cleanup_(dnssd_txtdata_freep) DnssdTxtData *txt_data = NULL;
        DnssdService *s = ASSERT_PTR(userdata);
        DnsTxtItem *last = NULL;

        assert(filename);
        assert(lvalue);
        assert(rvalue);

        if (isempty(rvalue)) {
                /* Flush out collected items */
                s->txt_data_items = dnssd_txtdata_free_all(s->txt_data_items);
                return 0;
        }

        txt_data = new0(DnssdTxtData, 1);
        if (!txt_data)
                return log_oom();

        for (;;) {
                _cleanup_free_ char *word = NULL, *key = NULL, *value = NULL;
                _cleanup_free_ void *decoded = NULL;
                size_t length = 0;
                DnsTxtItem *i;
                int r;

                r = extract_first_word(&rvalue, &word, NULL,
                                       EXTRACT_UNQUOTE|EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_RELAX);
                if (r == 0)
                        break;
                if (r == -ENOMEM)
                        return log_oom();
                if (r < 0) {
                        log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
                        return 0;
                }

                r = split_pair(word, "=", &key, &value);
                if (r == -ENOMEM)
                        return log_oom();
                if (r == -EINVAL)
                        key = TAKE_PTR(word);

                if (!ascii_is_valid(key)) {
                        log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid key, ignoring: %s", key);
                        continue;
                }

                switch (ltype) {

                case DNS_TXT_ITEM_DATA:
                        if (value) {
                                r = unbase64mem(value, &decoded, &length);
                                if (r == -ENOMEM)
                                        return log_oom();
                                if (r < 0) {
                                        log_syntax(unit, LOG_WARNING, filename, line, r,
                                                   "Invalid base64 encoding, ignoring: %s", value);
                                        continue;
                                }
                        }

                        r = dnssd_txt_item_new_from_data(key, decoded, length, &i);
                        if (r < 0)
                                return log_oom();
                        break;

                case DNS_TXT_ITEM_TEXT:
                        r = dnssd_txt_item_new_from_string(key, value, &i);
                        if (r < 0)
                                return log_oom();
                        break;

                default:
                        assert_not_reached();
                }

                LIST_INSERT_AFTER(items, txt_data->txts, last, i);
                last = i;
        }

        if (txt_data->txts) {
                LIST_PREPEND(items, s->txt_data_items, txt_data);
                TAKE_PTR(txt_data);
        }

        return 0;
}

int config_parse_dns_stub_listener_extra(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        _cleanup_free_ DnsStubListenerExtra *stub = NULL;
        Manager *m = userdata;
        const char *p;
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);
        assert(data);

        if (isempty(rvalue)) {
                m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners);
                return 0;
        }

        r = dns_stub_listener_extra_new(m, &stub);
        if (r < 0)
                return log_oom();

        p = startswith(rvalue, "udp:");
        if (p)
                stub->mode = DNS_STUB_LISTENER_UDP;
        else {
                p = startswith(rvalue, "tcp:");
                if (p)
                        stub->mode = DNS_STUB_LISTENER_TCP;
                else {
                        stub->mode = DNS_STUB_LISTENER_YES;
                        p = rvalue;
                }
        }

        r = in_addr_port_ifindex_name_from_string_auto(p, &stub->family, &stub->address, &stub->port, NULL, NULL);
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
                           "Failed to parse address in %s=%s, ignoring assignment: %m",
                           lvalue, rvalue);
                return 0;
        }

        r = ordered_set_ensure_put(&m->dns_extra_stub_listeners, &dns_stub_listener_extra_hash_ops, stub);
        if (r == -ENOMEM)
                return log_oom();
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
                           "Failed to store %s=%s, ignoring assignment: %m", lvalue, rvalue);
                return 0;
        }

        TAKE_PTR(stub);

        return 0;
}

static void read_credentials(Manager *m) {
        _cleanup_free_ char *dns = NULL, *domains = NULL;
        int r;

        assert(m);

        /* Hmm, if we aren't supposed to read /etc/resolv.conf because the DNS settings were already
         * configured explicitly in our config file, we don't want to honour credentials either */
        if (!m->read_resolv_conf)
                return;

        r = read_credential_strings_many("network.dns", &dns,
                                         "network.search_domains", &domains);
        if (r < 0)
                log_warning_errno(r, "Failed to read credentials, ignoring: %m");

        if (dns) {
                r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_SYSTEM, dns);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse credential network.dns '%s', ignoring.", dns);

                m->read_resolv_conf = false;
        }

        if (domains) {
                r = manager_parse_search_domains_and_warn(m, domains);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse credential network.search_domains '%s', ignoring.", domains);

                m->read_resolv_conf = false;
        }
}

struct ProcCmdlineInfo {
        Manager *manager;

        /* If there's a setting configured via /proc/cmdline we want to reset the configured lists, but only
         * once, so that multiple nameserver= or domain= settings can be specified on the kernel command line
         * and will be combined. These booleans will be set once we erase the list once. */
        bool dns_server_unlinked;
        bool search_domain_unlinked;
};

static int proc_cmdline_callback(const char *key, const char *value, void *data) {
        struct ProcCmdlineInfo *info = ASSERT_PTR(data);
        int r;

        assert(key);
        assert(info->manager);

        /* The kernel command line option names are chosen to be compatible with what various tools already
         * interpret, for example dracut and SUSE Linux. */

        if (streq(key, "nameserver")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                if (!info->dns_server_unlinked) {
                        /* The kernel command line overrides any prior configuration */
                        dns_server_unlink_all(manager_get_first_dns_server(info->manager, DNS_SERVER_SYSTEM));
                        info->dns_server_unlinked = true;
                }

                r = manager_parse_dns_server_string_and_warn(info->manager, DNS_SERVER_SYSTEM, value);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse DNS server string '%s', ignoring.", value);

                info->manager->read_resolv_conf = false;

        } else if (streq(key, "domain")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                if (!info->search_domain_unlinked) {
                        dns_search_domain_unlink_all(info->manager->search_domains);
                        info->search_domain_unlinked = true;
                }

                r = manager_parse_search_domains_and_warn(info->manager, value);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse credential provided search domain string '%s', ignoring.", value);

                info->manager->read_resolv_conf = false;
        }

        return 0;
}

static void read_proc_cmdline(Manager *m) {
        int r;

        assert(m);

        r = proc_cmdline_parse(proc_cmdline_callback, &(struct ProcCmdlineInfo) { .manager = m }, 0);
        if (r < 0)
                log_warning_errno(r, "Failed to read kernel command line, ignoring: %m");
}

int manager_parse_config_file(Manager *m) {
        int r;

        assert(m);

        r = config_parse_standard_file_with_dropins(
                        "systemd/resolved.conf",
                        "Resolve\0",
                        config_item_perf_lookup, resolved_gperf_lookup,
                        CONFIG_PARSE_WARN,
                        /* userdata= */ m);
        if (r < 0)
                return r;

        read_credentials(m);   /* credentials are only used when nothing is explicitly configured … */
        read_proc_cmdline(m);  /* … but kernel command line overrides local configuration. */

        if (m->need_builtin_fallbacks) {
                r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_FALLBACK, DNS_SERVERS);
                if (r < 0)
                        return r;
        }

#if !HAVE_OPENSSL_OR_GCRYPT
        if (m->dnssec_mode != DNSSEC_NO) {
                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
                m->dnssec_mode = DNSSEC_NO;
        }
#endif

#if !ENABLE_DNS_OVER_TLS
        if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
                log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
                m->dns_over_tls_mode = DNS_OVER_TLS_NO;
        }
#endif
        return 0;

}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
4e945a6f	2
b5efdb8a	3	#include "alloc-util.h"
4e945a6f	4	#include "conf-parser.h"
28db6fbf	5	#include "constants.h"
116687f2 LP	6	#include "creds-util.h"
116687f2 LP	7	#include "dns-domain.h"
b5efdb8a	8	#include "extract-word.h"
6501dd31	9	#include "hexdecoct.h"
6bedfcbb	10	#include "parse-util.h"
116687f2	11	#include "proc-cmdline.h"
4e945a6f	12	#include "resolved-conf.h"
be28f72d	13	#include "resolved-dns-search-domain.h"
1f05101f	14	#include "resolved-dns-stub.h"
116687f2 LP	15	#include "resolved-dnssd.h"
116687f2 LP	16	#include "resolved-manager.h"
2d95d81f	17	#include "socket-netlink.h"
6501dd31	18	#include "specifier.h"
1ae43295	19	#include "string-table.h"
6bedfcbb	20	#include "string-util.h"
1f05101f	21	#include "strv.h"
6501dd31	22	#include "utf8.h"
4e945a6f	23
1ae43295 DM	24	DEFINE_CONFIG_PARSE_ENUM(config_parse_dns_stub_listener_mode, dns_stub_listener_mode, DnsStubListenerMode, "Failed to parse DNS stub listener mode setting");
1ae43295 DM	25
8e97dc67	26	static int manager_add_dns_server_by_string(Manager m, DnsServerType type, const char word) {
da9de738	27	_cleanup_free_ char *server_name = NULL;
636e813d	28	union in_addr_union address;
2817157b	29	int family, r, ifindex = 0;
da9de738	30	uint16_t port;
0eac4623	31	DnsServer *s;
4e945a6f LP	32
4e945a6f LP	33	assert(m);
636e813d LP	34	assert(word);
636e813d LP	35
da9de738	36	r = in_addr_port_ifindex_name_from_string_auto(word, &family, &address, &port, &ifindex, &server_name);
636e813d LP	37	if (r < 0)
636e813d LP	38	return r;
4e945a6f	39
281df579 LP	40	/* Silently filter out 0.0.0.0, 127.0.0.53, 127.0.0.54 (our own stub DNS listener) */
	41	if (!dns_server_address_valid(family, &address))
	42	return 0;
	43
	44	/* By default, the port number is determined with the transaction feature level.
da9de738 YW	45	* See dns_transaction_port() and dns_server_port(). */
	46	if (IN_SET(port, 53, 853))
	47	port = 0;
	48
636e813d	49	/* Filter out duplicates */
1b860092	50	s = dns_server_find(manager_get_first_dns_server(m, type), family, &address, port, ifindex, server_name);
636e813d	51	if (s) {
c4c6ee3a ZJS	52	/* Drop the marker. This is used to find the servers that ceased to exist, see
c4c6ee3a ZJS	53	* manager_mark_dns_servers() and manager_flush_marked_dns_servers(). */
0b58db65	54	dns_server_move_back_and_unmark(s);
636e813d LP	55	return 0;
	56	}
	57
14a52176	58	return dns_server_new(m, NULL, type, NULL, family, &address, port, ifindex, server_name, RESOLVE_CONFIG_SOURCE_FILE);
636e813d LP	59	}
636e813d LP	60
281df579	61	int manager_parse_dns_server_string_and_warn(Manager m, DnsServerType type, const char string) {
636e813d LP	62	int r;
	63
	64	assert(m);
	65	assert(string);
	66
9ed794a3	67	for (;;) {
b5efdb8a	68	_cleanup_free_ char *word = NULL;
880603a1 SS	69
880603a1 SS	70	r = extract_first_word(&string, &word, NULL, 0);
9d84fdec	71	if (r <= 0)
636e813d	72	return r;
4e945a6f	73
636e813d	74	r = manager_add_dns_server_by_string(m, type, word);
281df579	75	if (r < 0)
2817157b	76	log_warning_errno(r, "Failed to add DNS server address '%s', ignoring: %m", word);
a51c1048	77	}
a51c1048 LP	78	}
a51c1048 LP	79
8e97dc67	80	static int manager_add_search_domain_by_string(Manager m, const char domain) {
a51c1048	81	DnsSearchDomain *d;
adc800a6	82	bool route_only;
a51c1048 LP	83	int r;
	84
	85	assert(m);
	86	assert(domain);
	87
adc800a6 LP	88	route_only = *domain == '~';
	89	if (route_only)
	90	domain++;
	91
	92	if (dns_name_is_root(domain) \|\| streq(domain, "*")) {
	93	route_only = true;
	94	domain = ".";
	95	}
	96
a51c1048 LP	97	r = dns_search_domain_find(m->search_domains, domain, &d);
	98	if (r < 0)
	99	return r;
adc800a6	100	if (r > 0)
a51c1048	101	dns_search_domain_move_back_and_unmark(d);
adc800a6 LP	102	else {
	103	r = dns_search_domain_new(m, &d, DNS_SEARCH_DOMAIN_SYSTEM, NULL, domain);
	104	if (r < 0)
	105	return r;
a51c1048 LP	106	}
a51c1048 LP	107
adc800a6 LP	108	d->route_only = route_only;
adc800a6 LP	109	return 0;
a51c1048 LP	110	}
	111
	112	int manager_parse_search_domains_and_warn(Manager m, const char string) {
	113	int r;
	114
	115	assert(m);
	116	assert(string);
	117
9ed794a3	118	for (;;) {
a51c1048 LP	119	_cleanup_free_ char *word = NULL;
a51c1048 LP	120
4ec85141	121	r = extract_first_word(&string, &word, NULL, EXTRACT_UNQUOTE);
9d84fdec	122	if (r <= 0)
a51c1048	123	return r;
a51c1048 LP	124
	125	r = manager_add_search_domain_by_string(m, word);
	126	if (r < 0)
2817157b	127	log_warning_errno(r, "Failed to add search domain '%s', ignoring: %m", word);
4e945a6f	128	}
4e945a6f LP	129	}
4e945a6f LP	130
636e813d	131	int config_parse_dns_servers(
4e945a6f LP	132	const char *unit,
	133	const char *filename,
	134	unsigned line,
	135	const char *section,
	136	unsigned section_line,
	137	const char *lvalue,
	138	int ltype,
	139	const char *rvalue,
	140	void *data,
	141	void *userdata) {
	142
99534007	143	Manager *m = ASSERT_PTR(userdata);
4e945a6f LP	144	int r;
	145
	146	assert(filename);
	147	assert(lvalue);
	148	assert(rvalue);
4e945a6f	149
3e684349	150	if (isempty(rvalue))
5cb36f41	151	/* Empty assignment means clear the list */
4b95f179	152	dns_server_unlink_all(manager_get_first_dns_server(m, ltype));
3e684349	153	else {
b938cb90	154	/* Otherwise, add to the list */
281df579	155	r = manager_parse_dns_server_string_and_warn(m, ltype, rvalue);
5cb36f41	156	if (r < 0) {
94069bef YW	157	log_syntax(unit, LOG_WARNING, filename, line, r,
94069bef YW	158	"Failed to parse DNS server string '%s', ignoring.", rvalue);
5cb36f41 LP	159	return 0;
5cb36f41 LP	160	}
4e945a6f LP	161	}
4e945a6f LP	162
281df579 LP	163	/* If we have a manual setting, then we stop reading
281df579 LP	164	* /etc/resolv.conf */
5cb36f41 LP	165	if (ltype == DNS_SERVER_SYSTEM)
5cb36f41 LP	166	m->read_resolv_conf = false;
00fa60ae LP	167	if (ltype == DNS_SERVER_FALLBACK)
00fa60ae LP	168	m->need_builtin_fallbacks = false;
5cb36f41	169
4e945a6f LP	170	return 0;
	171	}
	172
a51c1048 LP	173	int config_parse_search_domains(
	174	const char *unit,
	175	const char *filename,
	176	unsigned line,
	177	const char *section,
	178	unsigned section_line,
	179	const char *lvalue,
	180	int ltype,
	181	const char *rvalue,
	182	void *data,
	183	void *userdata) {
	184
99534007	185	Manager *m = ASSERT_PTR(userdata);
a51c1048 LP	186	int r;
	187
	188	assert(filename);
	189	assert(lvalue);
	190	assert(rvalue);
a51c1048 LP	191
	192	if (isempty(rvalue))
	193	/* Empty assignment means clear the list */
	194	dns_search_domain_unlink_all(m->search_domains);
	195	else {
	196	/* Otherwise, add to the list */
	197	r = manager_parse_search_domains_and_warn(m, rvalue);
	198	if (r < 0) {
94069bef YW	199	log_syntax(unit, LOG_WARNING, filename, line, r,
94069bef YW	200	"Failed to parse search domains string '%s', ignoring.", rvalue);
a51c1048 LP	201	return 0;
	202	}
	203	}
	204
281df579 LP	205	/* If we have a manual setting, then we stop reading
281df579 LP	206	* /etc/resolv.conf */
a51c1048	207	m->read_resolv_conf = false;
6501dd31 DR	208
	209	return 0;
	210	}
	211
d63542bc YW	212	int config_parse_dnssd_service_name(
	213	const char *unit,
	214	const char *filename,
	215	unsigned line,
	216	const char *section,
	217	unsigned section_line,
	218	const char *lvalue,
	219	int ltype,
	220	const char *rvalue,
	221	void *data,
	222	void *userdata) {
	223
07e4a8dc	224	static const Specifier specifier_table[] = {
e93387f3	225	{ 'a', specifier_architecture, NULL },
07e4a8dc	226	{ 'b', specifier_boot_id, NULL },
e93387f3	227	{ 'B', specifier_os_build_id, NULL },
9a5893e9	228	{ 'H', specifier_hostname, NULL }, /* We will use specifier_dnssd_hostname(). */
e93387f3	229	{ 'm', specifier_machine_id, NULL },
07e4a8dc	230	{ 'o', specifier_os_id, NULL },
e93387f3	231	{ 'v', specifier_kernel_release, NULL },
07e4a8dc	232	{ 'w', specifier_os_version_id, NULL },
07e4a8dc RB	233	{ 'W', specifier_os_variant_id, NULL },
	234	{}
	235	};
99534007	236	DnssdService *s = ASSERT_PTR(userdata);
07e4a8dc	237	_cleanup_free_ char *name = NULL;
6501dd31 DR	238	int r;
	239
	240	assert(filename);
	241	assert(lvalue);
	242	assert(rvalue);
6501dd31 DR	243
6501dd31 DR	244	if (isempty(rvalue)) {
0c949643 YW	245	s->name_template = mfree(s->name_template);
0c949643 YW	246	return 0;
34136e15	247	}
6501dd31	248
de61a04b	249	r = specifier_printf(rvalue, DNS_LABEL_MAX, specifier_table, NULL, NULL, &name);
dd2e9e1d YW	250	if (r < 0) {
	251	log_syntax(unit, LOG_WARNING, filename, line, r,
	252	"Invalid service instance name template '%s', ignoring assignment: %m", rvalue);
	253	return 0;
	254	}
07e4a8dc RB	255
07e4a8dc RB	256	if (!dns_service_name_is_valid(name)) {
dd2e9e1d YW	257	log_syntax(unit, LOG_WARNING, filename, line, 0,
	258	"Service instance name template '%s' renders to invalid name '%s'. Ignoring assignment.",
	259	rvalue, name);
	260	return 0;
07e4a8dc RB	261	}
07e4a8dc RB	262
dd2e9e1d	263	return free_and_strdup_warn(&s->name_template, rvalue);
6501dd31 DR	264	}
6501dd31 DR	265
94069bef YW	266	int config_parse_dnssd_service_type(
	267	const char *unit,
	268	const char *filename,
	269	unsigned line,
	270	const char *section,
	271	unsigned section_line,
	272	const char *lvalue,
	273	int ltype,
	274	const char *rvalue,
	275	void *data,
	276	void *userdata) {
	277
99534007	278	DnssdService *s = ASSERT_PTR(userdata);
6501dd31 DR	279	int r;
	280
	281	assert(filename);
	282	assert(lvalue);
	283	assert(rvalue);
6501dd31 DR	284
6501dd31 DR	285	if (isempty(rvalue)) {
94069bef YW	286	s->type = mfree(s->type);
94069bef YW	287	return 0;
6501dd31 DR	288	}
	289
	290	if (!dnssd_srv_type_is_valid(rvalue)) {
94069bef YW	291	log_syntax(unit, LOG_WARNING, filename, line, 0, "Service type is invalid. Ignoring.");
94069bef YW	292	return 0;
6501dd31 DR	293	}
	294
	295	r = free_and_strdup(&s->type, rvalue);
	296	if (r < 0)
	297	return log_oom();
	298
	299	return 0;
	300	}
	301
88123aa2 RP	302	int config_parse_dnssd_service_subtype(
	303	const char *unit,
	304	const char *filename,
	305	unsigned line,
	306	const char *section,
	307	unsigned section_line,
	308	const char *lvalue,
	309	int ltype,
	310	const char *rvalue,
	311	void *data,
	312	void *userdata) {
	313
	314	DnssdService *s = ASSERT_PTR(userdata);
	315
	316	assert(filename);
	317	assert(lvalue);
	318	assert(rvalue);
	319
	320	if (isempty(rvalue)) {
	321	s->subtype = mfree(s->subtype);
	322	return 0;
	323	}
	324
	325	if (!dns_subtype_name_is_valid(rvalue)) {
	326	log_syntax(unit, LOG_WARNING, filename, line, 0, "Service subtype is invalid. Ignoring.");
	327	return 0;
	328	}
	329
	330	return free_and_strdup_warn(&s->subtype, rvalue);
	331	}
	332
94069bef YW	333	int config_parse_dnssd_txt(
	334	const char *unit,
	335	const char *filename,
	336	unsigned line,
	337	const char *section,
	338	unsigned section_line,
	339	const char *lvalue,
	340	int ltype,
	341	const char *rvalue,
	342	void *data,
	343	void *userdata) {
	344
400f54fb	345	_cleanup_(dnssd_txtdata_freep) DnssdTxtData *txt_data = NULL;
99534007	346	DnssdService *s = ASSERT_PTR(userdata);
6501dd31 DR	347	DnsTxtItem *last = NULL;
	348
	349	assert(filename);
	350	assert(lvalue);
	351	assert(rvalue);
6501dd31	352
400f54fb DR	353	if (isempty(rvalue)) {
	354	/* Flush out collected items */
	355	s->txt_data_items = dnssd_txtdata_free_all(s->txt_data_items);
6501dd31	356	return 0;
400f54fb DR	357	}
	358
	359	txt_data = new0(DnssdTxtData, 1);
	360	if (!txt_data)
	361	return log_oom();
6501dd31 DR	362
6501dd31 DR	363	for (;;) {
94069bef	364	_cleanup_free_ char word = NULL, key = NULL, *value = NULL;
6501dd31 DR	365	_cleanup_free_ void *decoded = NULL;
	366	size_t length = 0;
	367	DnsTxtItem *i;
	368	int r;
	369
	370	r = extract_first_word(&rvalue, &word, NULL,
3141089f	371	EXTRACT_UNQUOTE\|EXTRACT_CUNESCAPE\|EXTRACT_UNESCAPE_RELAX);
6501dd31 DR	372	if (r == 0)
	373	break;
	374	if (r == -ENOMEM)
	375	return log_oom();
94069bef YW	376	if (r < 0) {
	377	log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
	378	return 0;
	379	}
6501dd31 DR	380
	381	r = split_pair(word, "=", &key, &value);
	382	if (r == -ENOMEM)
	383	return log_oom();
1cc6c93a YW	384	if (r == -EINVAL)
1cc6c93a YW	385	key = TAKE_PTR(word);
6501dd31 DR	386
6501dd31 DR	387	if (!ascii_is_valid(key)) {
94069bef YW	388	log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid key, ignoring: %s", key);
94069bef YW	389	continue;
6501dd31 DR	390	}
	391
	392	switch (ltype) {
	393
	394	case DNS_TXT_ITEM_DATA:
	395	if (value) {
bdd2036e	396	r = unbase64mem(value, &decoded, &length);
6501dd31 DR	397	if (r == -ENOMEM)
6501dd31 DR	398	return log_oom();
94069bef YW	399	if (r < 0) {
	400	log_syntax(unit, LOG_WARNING, filename, line, r,
	401	"Invalid base64 encoding, ignoring: %s", value);
	402	continue;
	403	}
6501dd31 DR	404	}
	405
	406	r = dnssd_txt_item_new_from_data(key, decoded, length, &i);
	407	if (r < 0)
	408	return log_oom();
	409	break;
	410
	411	case DNS_TXT_ITEM_TEXT:
	412	r = dnssd_txt_item_new_from_string(key, value, &i);
	413	if (r < 0)
	414	return log_oom();
	415	break;
	416
	417	default:
04499a70	418	assert_not_reached();
6501dd31 DR	419	}
6501dd31 DR	420
d70f15f5	421	LIST_INSERT_AFTER(items, txt_data->txts, last, i);
6501dd31 DR	422	last = i;
6501dd31 DR	423	}
400f54fb	424
d70f15f5	425	if (txt_data->txts) {
400f54fb	426	LIST_PREPEND(items, s->txt_data_items, txt_data);
94069bef	427	TAKE_PTR(txt_data);
400f54fb	428	}
a51c1048 LP	429
	430	return 0;
	431	}
	432
1f05101f SS	433	int config_parse_dns_stub_listener_extra(
	434	const char *unit,
	435	const char *filename,
	436	unsigned line,
	437	const char *section,
	438	unsigned section_line,
	439	const char *lvalue,
	440	int ltype,
	441	const char *rvalue,
	442	void *data,
	443	void *userdata) {
	444
36aaabc3	445	_cleanup_free_ DnsStubListenerExtra *stub = NULL;
1f05101f	446	Manager *m = userdata;
1f05101f SS	447	const char *p;
	448	int r;
	449
	450	assert(filename);
	451	assert(lvalue);
	452	assert(rvalue);
	453	assert(data);
	454
	455	if (isempty(rvalue)) {
	456	m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners);
	457	return 0;
	458	}
	459
0354029b	460	r = dns_stub_listener_extra_new(m, &stub);
7314b397	461	if (r < 0)
1f05101f	462	return log_oom();
1f05101f	463
7314b397 YW	464	p = startswith(rvalue, "udp:");
	465	if (p)
	466	stub->mode = DNS_STUB_LISTENER_UDP;
	467	else {
	468	p = startswith(rvalue, "tcp:");
	469	if (p)
	470	stub->mode = DNS_STUB_LISTENER_TCP;
	471	else {
	472	stub->mode = DNS_STUB_LISTENER_YES;
	473	p = rvalue;
1f05101f SS	474	}
	475	}
	476
222eaaf9	477	r = in_addr_port_ifindex_name_from_string_auto(p, &stub->family, &stub->address, &stub->port, NULL, NULL);
7314b397 YW	478	if (r < 0) {
	479	log_syntax(unit, LOG_WARNING, filename, line, r,
	480	"Failed to parse address in %s=%s, ignoring assignment: %m",
	481	lvalue, rvalue);
	482	return 0;
1f05101f SS	483	}
1f05101f SS	484
7314b397 YW	485	r = ordered_set_ensure_put(&m->dns_extra_stub_listeners, &dns_stub_listener_extra_hash_ops, stub);
	486	if (r == -ENOMEM)
	487	return log_oom();
	488	if (r < 0) {
	489	log_syntax(unit, LOG_WARNING, filename, line, r,
	490	"Failed to store %s=%s, ignoring assignment: %m", lvalue, rvalue);
	491	return 0;
1f05101f SS	492	}
1f05101f SS	493
7314b397	494	TAKE_PTR(stub);
1f05101f SS	495
	496	return 0;
	497	}
	498
116687f2 LP	499	static void read_credentials(Manager *m) {
	500	_cleanup_free_ char dns = NULL, domains = NULL;
	501	int r;
	502
	503	assert(m);
	504
	505	/* Hmm, if we aren't supposed to read /etc/resolv.conf because the DNS settings were already
	506	* configured explicitly in our config file, we don't want to honour credentials either */
	507	if (!m->read_resolv_conf)
	508	return;
	509
55ace8e5 ZJS	510	r = read_credential_strings_many("network.dns", &dns,
	511	"network.search_domains", &domains);
	512	if (r < 0)
116687f2 LP	513	log_warning_errno(r, "Failed to read credentials, ignoring: %m");
	514
	515	if (dns) {
	516	r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_SYSTEM, dns);
	517	if (r < 0)
1c7ed990	518	log_warning_errno(r, "Failed to parse credential network.dns '%s', ignoring.", dns);
116687f2 LP	519
	520	m->read_resolv_conf = false;
	521	}
	522
	523	if (domains) {
	524	r = manager_parse_search_domains_and_warn(m, domains);
	525	if (r < 0)
1c7ed990	526	log_warning_errno(r, "Failed to parse credential network.search_domains '%s', ignoring.", domains);
116687f2 LP	527
	528	m->read_resolv_conf = false;
	529	}
	530	}
	531
	532	struct ProcCmdlineInfo {
	533	Manager *manager;
	534
	535	/* If there's a setting configured via /proc/cmdline we want to reset the configured lists, but only
	536	* once, so that multiple nameserver= or domain= settings can be specified on the kernel command line
	537	* and will be combined. These booleans will be set once we erase the list once. */
	538	bool dns_server_unlinked;
	539	bool search_domain_unlinked;
	540	};
	541
	542	static int proc_cmdline_callback(const char key, const char value, void *data) {
	543	struct ProcCmdlineInfo *info = ASSERT_PTR(data);
	544	int r;
	545
a8d3315b	546	assert(key);
116687f2 LP	547	assert(info->manager);
	548
	549	/* The kernel command line option names are chosen to be compatible with what various tools already
	550	* interpret, for example dracut and SUSE Linux. */
	551
a8d3315b	552	if (streq(key, "nameserver")) {
91acee99 YW	553
	554	if (proc_cmdline_value_missing(key, value))
	555	return 0;
	556
116687f2 LP	557	if (!info->dns_server_unlinked) {
	558	/* The kernel command line overrides any prior configuration */
	559	dns_server_unlink_all(manager_get_first_dns_server(info->manager, DNS_SERVER_SYSTEM));
	560	info->dns_server_unlinked = true;
	561	}
	562
	563	r = manager_parse_dns_server_string_and_warn(info->manager, DNS_SERVER_SYSTEM, value);
	564	if (r < 0)
	565	log_warning_errno(r, "Failed to parse DNS server string '%s', ignoring.", value);
	566
	567	info->manager->read_resolv_conf = false;
	568
a8d3315b	569	} else if (streq(key, "domain")) {
116687f2	570
91acee99 YW	571	if (proc_cmdline_value_missing(key, value))
	572	return 0;
	573
116687f2 LP	574	if (!info->search_domain_unlinked) {
	575	dns_search_domain_unlink_all(info->manager->search_domains);
	576	info->search_domain_unlinked = true;
	577	}
	578
	579	r = manager_parse_search_domains_and_warn(info->manager, value);
	580	if (r < 0)
	581	log_warning_errno(r, "Failed to parse credential provided search domain string '%s', ignoring.", value);
	582
	583	info->manager->read_resolv_conf = false;
	584	}
	585
	586	return 0;
	587	}
	588
	589	static void read_proc_cmdline(Manager *m) {
	590	int r;
	591
	592	assert(m);
	593
	594	r = proc_cmdline_parse(proc_cmdline_callback, &(struct ProcCmdlineInfo) { .manager = m }, 0);
	595	if (r < 0)
	596	log_warning_errno(r, "Failed to read kernel command line, ignoring: %m");
	597	}
	598
4e945a6f	599	int manager_parse_config_file(Manager *m) {
00fa60ae LP	600	int r;
00fa60ae LP	601
4e945a6f LP	602	assert(m);
4e945a6f LP	603
6378f257 ZJS	604	r = config_parse_standard_file_with_dropins(
	605	"systemd/resolved.conf",
	606	"Resolve\0",
	607	config_item_perf_lookup, resolved_gperf_lookup,
	608	CONFIG_PARSE_WARN,
	609	/* userdata= */ m);
00fa60ae LP	610	if (r < 0)
	611	return r;
	612
116687f2 LP	613	read_credentials(m); /* credentials are only used when nothing is explicitly configured … */
	614	read_proc_cmdline(m); /* … but kernel command line overrides local configuration. */
	615
00fa60ae	616	if (m->need_builtin_fallbacks) {
281df579	617	r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_FALLBACK, DNS_SERVERS);
00fa60ae LP	618	if (r < 0)
	619	return r;
	620	}
	621
7e8facb3	622	#if !HAVE_OPENSSL_OR_GCRYPT
42303dcb	623	if (m->dnssec_mode != DNSSEC_NO) {
7e8facb3	624	log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
42303dcb YW	625	m->dnssec_mode = DNSSEC_NO;
	626	}
	627	#endif
5d67a7ae	628
7e8facb3	629	#if !ENABLE_DNS_OVER_TLS
c9299be2	630	if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
4310bfc2	631	log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
c9299be2	632	m->dns_over_tls_mode = DNS_OVER_TLS_NO;
5d67a7ae IT	633	}
5d67a7ae IT	634	#endif
00fa60ae LP	635	return 0;
00fa60ae LP	636
4e945a6f	637	}