[thirdparty/systemd.git] / src / resolve / resolved-resolv-conf.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <resolv.h>
#include <sys/stat.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
#include "label-util.h"
#include "log.h"
#include "ordered-set.h"
#include "path-util.h"
#include "resolved-dns-cache.h"
#include "resolved-dns-scope.h"
#include "resolved-dns-search-domain.h"
#include "resolved-dns-server.h"
#include "resolved-dns-stub.h"
#include "resolved-manager.h"
#include "resolved-resolv-conf.h"
#include "stat-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "tmpfile-util-label.h"

int manager_check_resolv_conf(const Manager *m) {
        struct stat st, own;

        assert(m);

        /* This warns only when our stub listener is disabled and /etc/resolv.conf is a symlink to
         * PRIVATE_STATIC_RESOLV_CONF. */

        if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO)
                return 0;

        if (stat("/etc/resolv.conf", &st) < 0) {
                if (errno == ENOENT)
                        return 0;

                return log_warning_errno(errno, "Failed to stat /etc/resolv.conf: %m");
        }

        /* Is it symlinked to our own uplink file? */
        if (stat(PRIVATE_STATIC_RESOLV_CONF, &own) >= 0 &&
            stat_inode_same(&st, &own))
                return log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                         "DNSStubListener= is disabled, but /etc/resolv.conf is a symlink to "
                                         PRIVATE_STATIC_RESOLV_CONF " which expects DNSStubListener= to be enabled.");

        return 0;
}

static bool file_is_our_own(const struct stat *st) {
        assert(st);

        FOREACH_STRING(path,
                       PRIVATE_UPLINK_RESOLV_CONF,
                       PRIVATE_STUB_RESOLV_CONF,
                       PRIVATE_STATIC_RESOLV_CONF) {

                struct stat own;

                /* Is it symlinked to our own uplink file? */
                if (stat(path, &own) >= 0 &&
                    stat_inode_same(st, &own))
                        return true;
        }

        return false;
}

int manager_read_resolv_conf(Manager *m) {
        _cleanup_fclose_ FILE *f = NULL;
        struct stat st;
        unsigned n = 0;
        int r;

        assert(m);

        /* Reads the system /etc/resolv.conf, if it exists and is not
         * symlinked to our own resolv.conf instance */

        if (!m->read_resolv_conf)
                return 0;

        r = stat("/etc/resolv.conf", &st);
        if (r < 0) {
                if (errno == ENOENT)
                        return 0;

                r = log_warning_errno(errno, "Failed to stat /etc/resolv.conf: %m");
                goto clear;
        }

        /* Have we already seen the file? */
        if (stat_inode_unmodified(&st, &m->resolv_conf_stat))
                return 0;

        if (file_is_our_own(&st))
                return 0;

        f = fopen("/etc/resolv.conf", "re");
        if (!f) {
                if (errno == ENOENT)
                        return 0;

                r = log_warning_errno(errno, "Failed to open %s: %m", "/etc/resolv.conf");
                goto clear;
        }

        if (fstat(fileno(f), &st) < 0) {
                r = log_error_errno(errno, "Failed to stat open file: %m");
                goto clear;
        }

        if (file_is_our_own(&st))
                return 0;

        dns_server_mark_all(m->dns_servers);
        dns_search_domain_mark_all(m->search_domains);

        for (;;) {
                _cleanup_free_ char *line = NULL;
                const char *a;

                r = read_stripped_line(f, LONG_LINE_MAX, &line);
                if (r < 0) {
                        log_error_errno(r, "Failed to read /etc/resolv.conf: %m");
                        goto clear;
                }
                if (r == 0)
                        break;

                n++;

                if (IN_SET(*line, '#', ';', 0))
                        continue;

                a = first_word(line, "nameserver");
                if (a) {
                        r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_SYSTEM, a);
                        if (r < 0)
                                log_warning_errno(r, "Failed to parse DNS server address '%s', ignoring.", a);

                        continue;
                }

                a = first_word(line, "domain");
                if (!a) /* We treat "domain" lines, and "search" lines as equivalent, and add both to our list. */
                        a = first_word(line, "search");
                if (a) {
                        r = manager_parse_search_domains_and_warn(m, a);
                        if (r < 0)
                                log_warning_errno(r, "Failed to parse search domain string '%s', ignoring.", a);

                        continue;
                }

                log_syntax(NULL, LOG_DEBUG, "/etc/resolv.conf", n, 0, "Ignoring resolv.conf line: %s", line);
        }

        m->resolv_conf_stat = st;

        /* Flush out all servers and search domains that are still
         * marked. Those are then ones that didn't appear in the new
         * /etc/resolv.conf */
        dns_server_unlink_marked(m->dns_servers);
        dns_search_domain_unlink_marked(m->search_domains);

        /* Whenever /etc/resolv.conf changes, start using the first
         * DNS server of it. This is useful to deal with broken
         * network managing implementations (like NetworkManager),
         * that when connecting to a VPN place both the VPN DNS
         * servers and the local ones in /etc/resolv.conf. Without
         * resetting the DNS server to use back to the first entry we
         * will continue to use the local one thus being unable to
         * resolve VPN domains. */
        manager_set_dns_server(m, m->dns_servers);

        /* Unconditionally flush the cache when /etc/resolv.conf is
         * modified, even if the data it contained was completely
         * identical to the previous version we used. We do this
         * because altering /etc/resolv.conf is typically done when
         * the network configuration changes, and that should be
         * enough to flush the global unicast DNS cache. */
        if (m->unicast_scope)
                dns_cache_flush(&m->unicast_scope->cache);

        /* If /etc/resolv.conf changed, make sure to forget everything we learned about the DNS servers. After all we
         * might now talk to a very different DNS server that just happens to have the same IP address as an old one
         * (think 192.168.1.1). */
        dns_server_reset_features_all(m->dns_servers);

        return 0;

clear:
        dns_server_unlink_all(m->dns_servers);
        dns_search_domain_unlink_all(m->search_domains);
        return r;
}

static void write_resolv_conf_server(DnsServer *s, FILE *f, unsigned *count) {
        DnsScope *scope;

        assert(s);
        assert(f);
        assert(count);

        if (!dns_server_string(s)) {
                log_warning("Out of memory, or invalid DNS address. Ignoring server.");
                return;
        }

        /* resolv.conf simply doesn't support any other ports than 53, hence there's nothing much we can
         * do — we have to suppress these entries */
        if (dns_server_port(s) != 53) {
                log_debug("DNS server %s with non-standard UDP port number, suppressing from generated resolv.conf.", dns_server_string(s));
                return;
        }

        /* Check if the scope this DNS server belongs to is suitable as 'default' route for lookups; resolv.conf does
         * not have a syntax to express that, so it must not appear as a global name server to avoid routing unrelated
         * domains to it (which is a privacy violation, will most probably fail anyway, and adds unnecessary load) */
        scope = dns_server_scope(s);
        if (scope && !dns_scope_is_default_route(scope)) {
                log_debug("Scope of DNS server %s has only route-only domains, not using as global name server", dns_server_string(s));
                return;
        }

        if (*count == MAXNS)
                fputs("# Too many DNS servers configured, the following entries may be ignored.\n", f);
        (*count)++;

        fprintf(f, "nameserver %s\n", dns_server_string(s));
}

static void write_resolv_conf_search(
                OrderedSet *domains,
                FILE *f) {
        char *domain;

        assert(domains);
        assert(f);

        fputs("search", f);

        ORDERED_SET_FOREACH(domain, domains) {
                fputc(' ', f);
                fputs(domain, f);
        }

        fputs("\n", f);
}

static int write_uplink_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) {

        fputs("# This is "PRIVATE_UPLINK_RESOLV_CONF" managed by man:systemd-resolved(8).\n"
              "# Do not edit.\n"
              "#\n"
              "# This file might be symlinked as /etc/resolv.conf. If you're looking at\n"
              "# /etc/resolv.conf and seeing this text, you have followed the symlink.\n"
              "#\n"
              "# This is a dynamic resolv.conf file for connecting local clients directly to\n"
              "# all known uplink DNS servers. This file lists all configured search domains.\n"
              "#\n"
              "# Third party programs should typically not access this file directly, but only\n"
              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
              "# different way, replace this symlink by a static file or a different symlink.\n"
              "#\n"
              "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
              "# operation for /etc/resolv.conf.\n"
              "\n", f);

        if (ordered_set_isempty(dns))
                fputs("# No DNS servers known.\n", f);
        else {
                unsigned count = 0;
                DnsServer *s;

                ORDERED_SET_FOREACH(s, dns)
                        write_resolv_conf_server(s, f, &count);
        }

        if (ordered_set_isempty(domains))
                fputs("search .\n", f); /* Make sure that if the local hostname is chosen as fqdn this does not
                                         * imply a search domain */
        else
                write_resolv_conf_search(domains, f);

        return fflush_and_check(f);
}

static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet *domains) {
        fputs("# This is "PRIVATE_STUB_RESOLV_CONF" managed by man:systemd-resolved(8).\n"
              "# Do not edit.\n"
              "#\n"
              "# This file might be symlinked as /etc/resolv.conf. If you're looking at\n"
              "# /etc/resolv.conf and seeing this text, you have followed the symlink.\n"
              "#\n"
              "# This is a dynamic resolv.conf file for connecting local clients to the\n"
              "# internal DNS stub resolver of systemd-resolved. This file lists all\n"
              "# configured search domains.\n"
              "#\n"
              "# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
              "# currently in use.\n"
              "#\n"
              "# Third party programs should typically not access this file directly, but only\n"
              "# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
              "# different way, replace this symlink by a static file or a different symlink.\n"
              "#\n"
              "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
              "# operation for /etc/resolv.conf.\n"
              "\n"
              "nameserver 127.0.0.53\n"
              "options edns0 trust-ad\n", f);

        if (ordered_set_isempty(domains))
                fputs("search .\n", f); /* Make sure that if the local hostname is chosen as fqdn this does not
                                         * imply a search domain */
        else
                write_resolv_conf_search(domains, f);

        return fflush_and_check(f);
}

int manager_write_resolv_conf(Manager *m) {
        _cleanup_ordered_set_free_ OrderedSet *dns = NULL, *domains = NULL;
        _cleanup_(unlink_and_freep) char *temp_path_uplink = NULL, *temp_path_stub = NULL;
        _cleanup_fclose_ FILE *f_uplink = NULL, *f_stub = NULL;
        int r;

        assert(m);

        /* Read the system /etc/resolv.conf first */
        (void) manager_read_resolv_conf(m);

        /* Add the full list to a set, to filter out duplicates */
        r = manager_compile_dns_servers(m, &dns);
        if (r < 0)
                return log_warning_errno(r, "Failed to compile list of DNS servers, ignoring: %m");

        r = manager_compile_search_domains(m, &domains, false);
        if (r < 0)
                return log_warning_errno(r, "Failed to compile list of search domains, ignoring: %m");

        r = fopen_temporary_label(PRIVATE_UPLINK_RESOLV_CONF, PRIVATE_UPLINK_RESOLV_CONF, &f_uplink, &temp_path_uplink);
        if (r < 0)
                return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF);

        (void) fchmod(fileno(f_uplink), 0644);

        r = write_uplink_resolv_conf_contents(f_uplink, dns, domains);
        if (r < 0)
                return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF);

        if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO) {
                r = fopen_temporary_label(PRIVATE_STUB_RESOLV_CONF, PRIVATE_STUB_RESOLV_CONF, &f_stub, &temp_path_stub);
                if (r < 0)
                        return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);

                (void) fchmod(fileno(f_stub), 0644);

                r = write_stub_resolv_conf_contents(f_stub, dns, domains);
                if (r < 0)
                        return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);

                r = conservative_rename(temp_path_stub, PRIVATE_STUB_RESOLV_CONF);
                if (r < 0)
                        log_warning_errno(r, "Failed to move new %s into place, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);

                temp_path_stub = mfree(temp_path_stub); /* free the string explicitly, so that we don't unlink anymore */
        } else {
                _cleanup_free_ char *fname = NULL;
                r = path_extract_filename(PRIVATE_UPLINK_RESOLV_CONF, &fname);
                if (r < 0)
                        return log_warning_errno(r, "Failed to extract filename from path '" PRIVATE_UPLINK_RESOLV_CONF "', ignoring: %m");

                r = symlinkat_atomic_full(fname, AT_FDCWD, PRIVATE_STUB_RESOLV_CONF, SYMLINK_LABEL);
                if (r < 0)
                        log_warning_errno(r, "Failed to symlink %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);
        }

        r = conservative_rename(temp_path_uplink, PRIVATE_UPLINK_RESOLV_CONF);
        if (r < 0)
                log_warning_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF);

        temp_path_uplink = mfree(temp_path_uplink); /* free the string explicitly, so that we don't unlink anymore */
        return r;
}

int resolv_conf_mode(void) {
        static const char * const table[_RESOLV_CONF_MODE_MAX] = {
                [RESOLV_CONF_UPLINK] = PRIVATE_UPLINK_RESOLV_CONF,
                [RESOLV_CONF_STUB] = PRIVATE_STUB_RESOLV_CONF,
                [RESOLV_CONF_STATIC] = PRIVATE_STATIC_RESOLV_CONF,
        };

        struct stat system_st;

        if (stat("/etc/resolv.conf", &system_st) < 0) {
                if (errno == ENOENT)
                        return RESOLV_CONF_MISSING;

                return -errno;
        }

        for (ResolvConfMode m = 0; m < _RESOLV_CONF_MODE_MAX; m++) {
                struct stat our_st;

                if (!table[m])
                        continue;

                if (stat(table[m], &our_st) < 0) {
                        if (errno != ENOENT)
                                log_debug_errno(errno, "Failed to stat() %s, ignoring: %m", table[m]);

                        continue;
                }

                if (stat_inode_same(&system_st, &our_st))
                        return m;
        }

        return RESOLV_CONF_FOREIGN;
}

static const char* const resolv_conf_mode_table[_RESOLV_CONF_MODE_MAX] = {
        [RESOLV_CONF_UPLINK] = "uplink",
        [RESOLV_CONF_STUB] = "stub",
        [RESOLV_CONF_STATIC] = "static",
        [RESOLV_CONF_MISSING] = "missing",
        [RESOLV_CONF_FOREIGN] = "foreign",
};
DEFINE_STRING_TABLE_LOOKUP(resolv_conf_mode, ResolvConfMode);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
f8dc7e34 LP	2
f8dc7e34 LP	3	#include <resolv.h>
ca78ad1d	4	#include <sys/stat.h>
f8dc7e34 LP	5
f8dc7e34 LP	6	#include "alloc-util.h"
f8dc7e34	7	#include "fd-util.h"
f8dc7e34	8	#include "fileio.h"
ca8b81d9	9	#include "fs-util.h"
0690160e	10	#include "label-util.h"
284d7641	11	#include "log.h"
f8dc7e34	12	#include "ordered-set.h"
b8953115	13	#include "path-util.h"
68527d30 DDM	14	#include "resolved-dns-cache.h"
	15	#include "resolved-dns-scope.h"
	16	#include "resolved-dns-search-domain.h"
59c0fd0e	17	#include "resolved-dns-server.h"
68527d30 DDM	18	#include "resolved-dns-stub.h"
68527d30 DDM	19	#include "resolved-manager.h"
f8dc7e34	20	#include "resolved-resolv-conf.h"
61c12865	21	#include "stat-util.h"
4261ab65	22	#include "string-table.h"
f8dc7e34 LP	23	#include "string-util.h"
f8dc7e34 LP	24	#include "strv.h"
e4de7287	25	#include "tmpfile-util-label.h"
f8dc7e34	26
f43580f1	27	int manager_check_resolv_conf(const Manager *m) {
ca8b81d9	28	struct stat st, own;
f43580f1 YW	29
	30	assert(m);
	31
	32	/* This warns only when our stub listener is disabled and /etc/resolv.conf is a symlink to
ca8b81d9	33	* PRIVATE_STATIC_RESOLV_CONF. */
f43580f1 YW	34
	35	if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO)
	36	return 0;
	37
ca8b81d9	38	if (stat("/etc/resolv.conf", &st) < 0) {
f43580f1 YW	39	if (errno == ENOENT)
	40	return 0;
	41
	42	return log_warning_errno(errno, "Failed to stat /etc/resolv.conf: %m");
	43	}
	44
ca8b81d9 ZJS	45	/* Is it symlinked to our own uplink file? */
ca8b81d9 ZJS	46	if (stat(PRIVATE_STATIC_RESOLV_CONF, &own) >= 0 &&
a9dac7a6	47	stat_inode_same(&st, &own))
ca8b81d9 ZJS	48	return log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
	49	"DNSStubListener= is disabled, but /etc/resolv.conf is a symlink to "
	50	PRIVATE_STATIC_RESOLV_CONF " which expects DNSStubListener= to be enabled.");
f43580f1 YW	51
	52	return 0;
	53	}
	54
043d3928	55	static bool file_is_our_own(const struct stat *st) {
043d3928 LP	56	assert(st);
043d3928 LP	57
b6de578d LP	58	FOREACH_STRING(path,
	59	PRIVATE_UPLINK_RESOLV_CONF,
	60	PRIVATE_STUB_RESOLV_CONF,
	61	PRIVATE_STATIC_RESOLV_CONF) {
	62
	63	struct stat own;
	64
	65	/* Is it symlinked to our own uplink file? */
	66	if (stat(path, &own) >= 0 &&
a9dac7a6	67	stat_inode_same(st, &own))
b6de578d LP	68	return true;
b6de578d LP	69	}
043d3928 LP	70
	71	return false;
	72	}
	73
f8dc7e34 LP	74	int manager_read_resolv_conf(Manager *m) {
f8dc7e34 LP	75	_cleanup_fclose_ FILE *f = NULL;
043d3928	76	struct stat st;
b351c300	77	unsigned n = 0;
f8dc7e34 LP	78	int r;
	79
	80	assert(m);
	81
	82	/* Reads the system /etc/resolv.conf, if it exists and is not
	83	* symlinked to our own resolv.conf instance */
	84
	85	if (!m->read_resolv_conf)
	86	return 0;
	87
	88	r = stat("/etc/resolv.conf", &st);
	89	if (r < 0) {
	90	if (errno == ENOENT)
bf7fabd6 LP	91	return 0;
	92
	93	r = log_warning_errno(errno, "Failed to stat /etc/resolv.conf: %m");
f8dc7e34 LP	94	goto clear;
	95	}
	96
	97	/* Have we already seen the file? */
61c12865	98	if (stat_inode_unmodified(&st, &m->resolv_conf_stat))
f8dc7e34 LP	99	return 0;
f8dc7e34 LP	100
043d3928	101	if (file_is_our_own(&st))
bf7fabd6	102	return 0;
f8dc7e34 LP	103
	104	f = fopen("/etc/resolv.conf", "re");
	105	if (!f) {
	106	if (errno == ENOENT)
bf7fabd6 LP	107	return 0;
bf7fabd6 LP	108
42ba9974	109	r = log_warning_errno(errno, "Failed to open %s: %m", "/etc/resolv.conf");
f8dc7e34 LP	110	goto clear;
	111	}
	112
	113	if (fstat(fileno(f), &st) < 0) {
	114	r = log_error_errno(errno, "Failed to stat open file: %m");
	115	goto clear;
	116	}
	117
043d3928 LP	118	if (file_is_our_own(&st))
	119	return 0;
	120
4b95f179	121	dns_server_mark_all(m->dns_servers);
a51c1048	122	dns_search_domain_mark_all(m->search_domains);
f8dc7e34	123
e1b9fc23 LP	124	for (;;) {
e1b9fc23 LP	125	_cleanup_free_ char *line = NULL;
f8dc7e34	126	const char *a;
f8dc7e34	127
0ff6ff2b	128	r = read_stripped_line(f, LONG_LINE_MAX, &line);
e1b9fc23 LP	129	if (r < 0) {
	130	log_error_errno(r, "Failed to read /etc/resolv.conf: %m");
	131	goto clear;
	132	}
	133	if (r == 0)
	134	break;
	135
b351c300 LP	136	n++;
b351c300 LP	137
0ff6ff2b	138	if (IN_SET(*line, '#', ';', 0))
f8dc7e34 LP	139	continue;
f8dc7e34 LP	140
0ff6ff2b	141	a = first_word(line, "nameserver");
f8dc7e34	142	if (a) {
281df579	143	r = manager_parse_dns_server_string_and_warn(m, DNS_SERVER_SYSTEM, a);
f8dc7e34 LP	144	if (r < 0)
	145	log_warning_errno(r, "Failed to parse DNS server address '%s', ignoring.", a);
	146
	147	continue;
	148	}
a51c1048	149
0ff6ff2b	150	a = first_word(line, "domain");
a51c1048	151	if (!a) /* We treat "domain" lines, and "search" lines as equivalent, and add both to our list. */
0ff6ff2b	152	a = first_word(line, "search");
a51c1048 LP	153	if (a) {
	154	r = manager_parse_search_domains_and_warn(m, a);
	155	if (r < 0)
	156	log_warning_errno(r, "Failed to parse search domain string '%s', ignoring.", a);
02c20535 LP	157
02c20535 LP	158	continue;
a51c1048	159	}
b351c300	160
0ff6ff2b	161	log_syntax(NULL, LOG_DEBUG, "/etc/resolv.conf", n, 0, "Ignoring resolv.conf line: %s", line);
f8dc7e34 LP	162	}
f8dc7e34 LP	163
61c12865	164	m->resolv_conf_stat = st;
bf7fabd6	165
a51c1048 LP	166	/* Flush out all servers and search domains that are still
	167	* marked. Those are then ones that didn't appear in the new
	168	* /etc/resolv.conf */
4b95f179	169	dns_server_unlink_marked(m->dns_servers);
a51c1048	170	dns_search_domain_unlink_marked(m->search_domains);
f8dc7e34 LP	171
	172	/* Whenever /etc/resolv.conf changes, start using the first
	173	* DNS server of it. This is useful to deal with broken
	174	* network managing implementations (like NetworkManager),
	175	* that when connecting to a VPN place both the VPN DNS
	176	* servers and the local ones in /etc/resolv.conf. Without
	177	* resetting the DNS server to use back to the first entry we
	178	* will continue to use the local one thus being unable to
	179	* resolve VPN domains. */
	180	manager_set_dns_server(m, m->dns_servers);
	181
452b4e32 LP	182	/* Unconditionally flush the cache when /etc/resolv.conf is
	183	* modified, even if the data it contained was completely
	184	* identical to the previous version we used. We do this
	185	* because altering /etc/resolv.conf is typically done when
	186	* the network configuration changes, and that should be
	187	* enough to flush the global unicast DNS cache. */
	188	if (m->unicast_scope)
	189	dns_cache_flush(&m->unicast_scope->cache);
	190
59c0fd0e LP	191	/* If /etc/resolv.conf changed, make sure to forget everything we learned about the DNS servers. After all we
	192	* might now talk to a very different DNS server that just happens to have the same IP address as an old one
	193	* (think 192.168.1.1). */
	194	dns_server_reset_features_all(m->dns_servers);
	195
f8dc7e34 LP	196	return 0;
	197
	198	clear:
4b95f179	199	dns_server_unlink_all(m->dns_servers);
a51c1048	200	dns_search_domain_unlink_all(m->search_domains);
f8dc7e34 LP	201	return r;
	202	}
	203
	204	static void write_resolv_conf_server(DnsServer s, FILE f, unsigned *count) {
f76fa088 LP	205	DnsScope *scope;
f76fa088 LP	206
f8dc7e34 LP	207	assert(s);
	208	assert(f);
	209	assert(count);
	210
2817157b	211	if (!dns_server_string(s)) {
be4bf266	212	log_warning("Out of memory, or invalid DNS address. Ignoring server.");
f8dc7e34 LP	213	return;
	214	}
	215
a50dadf2 LP	216	/* resolv.conf simply doesn't support any other ports than 53, hence there's nothing much we can
	217	* do — we have to suppress these entries */
	218	if (dns_server_port(s) != 53) {
	219	log_debug("DNS server %s with non-standard UDP port number, suppressing from generated resolv.conf.", dns_server_string(s));
	220	return;
	221	}
	222
ca5394d2 LP	223	/* Check if the scope this DNS server belongs to is suitable as 'default' route for lookups; resolv.conf does
	224	* not have a syntax to express that, so it must not appear as a global name server to avoid routing unrelated
	225	* domains to it (which is a privacy violation, will most probably fail anyway, and adds unnecessary load) */
f76fa088	226	scope = dns_server_scope(s);
ca5394d2	227	if (scope && !dns_scope_is_default_route(scope)) {
f76fa088	228	log_debug("Scope of DNS server %s has only route-only domains, not using as global name server", dns_server_string(s));
b9fe94ca MP	229	return;
	230	}
	231
f8dc7e34	232	if (*count == MAXNS)
0d536673	233	fputs("# Too many DNS servers configured, the following entries may be ignored.\n", f);
313cefa1	234	(*count)++;
f8dc7e34	235
2817157b	236	fprintf(f, "nameserver %s\n", dns_server_string(s));
f8dc7e34 LP	237	}
	238
	239	static void write_resolv_conf_search(
d2bc1251 MP	240	OrderedSet *domains,
d2bc1251 MP	241	FILE *f) {
d2bc1251	242	char *domain;
f8dc7e34	243
d2bc1251	244	assert(domains);
f8dc7e34	245	assert(f);
f8dc7e34	246
0d536673	247	fputs("search", f);
f8dc7e34	248
90e74a66	249	ORDERED_SET_FOREACH(domain, domains) {
0d536673 LP	250	fputc(' ', f);
0d536673 LP	251	fputs(domain, f);
f8dc7e34 LP	252	}
f8dc7e34 LP	253
0d536673	254	fputs("\n", f);
f8dc7e34 LP	255	}
f8dc7e34 LP	256
e6b2d948	257	static int write_uplink_resolv_conf_contents(FILE f, OrderedSet dns, OrderedSet *domains) {
f8dc7e34	258
2b767e92 ZJS	259	fputs("# This is "PRIVATE_UPLINK_RESOLV_CONF" managed by man:systemd-resolved(8).\n"
	260	"# Do not edit.\n"
	261	"#\n"
	262	"# This file might be symlinked as /etc/resolv.conf. If you're looking at\n"
	263	"# /etc/resolv.conf and seeing this text, you have followed the symlink.\n"
0d536673 LP	264	"#\n"
	265	"# This is a dynamic resolv.conf file for connecting local clients directly to\n"
	266	"# all known uplink DNS servers. This file lists all configured search domains.\n"
	267	"#\n"
ce416f42 LP	268	"# Third party programs should typically not access this file directly, but only\n"
	269	"# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
	270	"# different way, replace this symlink by a static file or a different symlink.\n"
0d536673 LP	271	"#\n"
	272	"# See man:systemd-resolved.service(8) for details about the supported modes of\n"
	273	"# operation for /etc/resolv.conf.\n"
	274	"\n", f);
f8dc7e34 LP	275
f8dc7e34 LP	276	if (ordered_set_isempty(dns))
0d536673	277	fputs("# No DNS servers known.\n", f);
f8dc7e34 LP	278	else {
	279	unsigned count = 0;
	280	DnsServer *s;
	281
90e74a66	282	ORDERED_SET_FOREACH(s, dns)
f8dc7e34 LP	283	write_resolv_conf_server(s, f, &count);
	284	}
	285
b3ffa2b5	286	if (ordered_set_isempty(domains))
31619e2f ZJS	287	fputs("search .\n", f); /* Make sure that if the local hostname is chosen as fqdn this does not
31619e2f ZJS	288	* imply a search domain */
b3ffa2b5	289	else
d2bc1251	290	write_resolv_conf_search(domains, f);
f8dc7e34 LP	291
	292	return fflush_and_check(f);
	293	}
	294
e6b2d948	295	static int write_stub_resolv_conf_contents(FILE f, OrderedSet dns, OrderedSet *domains) {
2b767e92 ZJS	296	fputs("# This is "PRIVATE_STUB_RESOLV_CONF" managed by man:systemd-resolved(8).\n"
	297	"# Do not edit.\n"
	298	"#\n"
	299	"# This file might be symlinked as /etc/resolv.conf. If you're looking at\n"
	300	"# /etc/resolv.conf and seeing this text, you have followed the symlink.\n"
ce416f42 LP	301	"#\n"
	302	"# This is a dynamic resolv.conf file for connecting local clients to the\n"
	303	"# internal DNS stub resolver of systemd-resolved. This file lists all\n"
	304	"# configured search domains.\n"
	305	"#\n"
	306	"# Run \"resolvectl status\" to see details about the uplink DNS servers\n"
	307	"# currently in use.\n"
	308	"#\n"
	309	"# Third party programs should typically not access this file directly, but only\n"
	310	"# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a\n"
	311	"# different way, replace this symlink by a static file or a different symlink.\n"
	312	"#\n"
	313	"# See man:systemd-resolved.service(8) for details about the supported modes of\n"
	314	"# operation for /etc/resolv.conf.\n"
	315	"\n"
	316	"nameserver 127.0.0.53\n"
a742f982	317	"options edns0 trust-ad\n", f);
e6b2d948	318
b3ffa2b5	319	if (ordered_set_isempty(domains))
31619e2f ZJS	320	fputs("search .\n", f); /* Make sure that if the local hostname is chosen as fqdn this does not
31619e2f ZJS	321	* imply a search domain */
b3ffa2b5	322	else
e6b2d948 DJL	323	write_resolv_conf_search(domains, f);
	324
	325	return fflush_and_check(f);
	326	}
	327
f8dc7e34	328	int manager_write_resolv_conf(Manager *m) {
9176a57c	329	_cleanup_ordered_set_free_ OrderedSet dns = NULL, domains = NULL;
e2ef1e9a	330	_cleanup_(unlink_and_freep) char temp_path_uplink = NULL, temp_path_stub = NULL;
0d536673	331	_cleanup_fclose_ FILE f_uplink = NULL, f_stub = NULL;
f8dc7e34 LP	332	int r;
	333
	334	assert(m);
	335
	336	/* Read the system /etc/resolv.conf first */
7207052d	337	(void) manager_read_resolv_conf(m);
f8dc7e34 LP	338
f8dc7e34 LP	339	/* Add the full list to a set, to filter out duplicates */
9176a57c LP	340	r = manager_compile_dns_servers(m, &dns);
9176a57c LP	341	if (r < 0)
e2ef1e9a	342	return log_warning_errno(r, "Failed to compile list of DNS servers, ignoring: %m");
f8dc7e34	343
6f7da49d	344	r = manager_compile_search_domains(m, &domains, false);
9176a57c	345	if (r < 0)
e2ef1e9a	346	return log_warning_errno(r, "Failed to compile list of search domains, ignoring: %m");
f8dc7e34	347
e6b2d948	348	r = fopen_temporary_label(PRIVATE_UPLINK_RESOLV_CONF, PRIVATE_UPLINK_RESOLV_CONF, &f_uplink, &temp_path_uplink);
f8dc7e34	349	if (r < 0)
e2ef1e9a	350	return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF);
0d536673	351
0d536673 LP	352	(void) fchmod(fileno(f_uplink), 0644);
0d536673 LP	353
e6b2d948	354	r = write_uplink_resolv_conf_contents(f_uplink, dns, domains);
e2ef1e9a LP	355	if (r < 0)
e2ef1e9a LP	356	return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF);
f8dc7e34	357
ca8b81d9 ZJS	358	if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO) {
ca8b81d9 ZJS	359	r = fopen_temporary_label(PRIVATE_STUB_RESOLV_CONF, PRIVATE_STUB_RESOLV_CONF, &f_stub, &temp_path_stub);
e2ef1e9a LP	360	if (r < 0)
e2ef1e9a LP	361	return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);
f8dc7e34	362
ca8b81d9	363	(void) fchmod(fileno(f_stub), 0644);
965228a8	364
ca8b81d9	365	r = write_stub_resolv_conf_contents(f_stub, dns, domains);
e2ef1e9a LP	366	if (r < 0)
e2ef1e9a LP	367	return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);
ca8b81d9	368
10195179	369	r = conservative_rename(temp_path_stub, PRIVATE_STUB_RESOLV_CONF);
f3e1f00d	370	if (r < 0)
e2ef1e9a	371	log_warning_errno(r, "Failed to move new %s into place, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);
ca8b81d9	372
e2ef1e9a	373	temp_path_stub = mfree(temp_path_stub); /* free the string explicitly, so that we don't unlink anymore */
ca8b81d9	374	} else {
b8953115 SL	375	_cleanup_free_ char *fname = NULL;
	376	r = path_extract_filename(PRIVATE_UPLINK_RESOLV_CONF, &fname);
	377	if (r < 0)
	378	return log_warning_errno(r, "Failed to extract filename from path '" PRIVATE_UPLINK_RESOLV_CONF "', ignoring: %m");
	379
9ea5a6e7	380	r = symlinkat_atomic_full(fname, AT_FDCWD, PRIVATE_STUB_RESOLV_CONF, SYMLINK_LABEL);
ca8b81d9	381	if (r < 0)
e2ef1e9a	382	log_warning_errno(r, "Failed to symlink %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF);
e6b2d948 DJL	383	}
e6b2d948 DJL	384
10195179	385	r = conservative_rename(temp_path_uplink, PRIVATE_UPLINK_RESOLV_CONF);
f3e1f00d	386	if (r < 0)
e2ef1e9a	387	log_warning_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF);
7207052d	388
e2ef1e9a	389	temp_path_uplink = mfree(temp_path_uplink); /* free the string explicitly, so that we don't unlink anymore */
f8dc7e34 LP	390	return r;
f8dc7e34 LP	391	}
4261ab65 LP	392
	393	int resolv_conf_mode(void) {
	394	static const char * const table[_RESOLV_CONF_MODE_MAX] = {
	395	[RESOLV_CONF_UPLINK] = PRIVATE_UPLINK_RESOLV_CONF,
	396	[RESOLV_CONF_STUB] = PRIVATE_STUB_RESOLV_CONF,
	397	[RESOLV_CONF_STATIC] = PRIVATE_STATIC_RESOLV_CONF,
	398	};
	399
	400	struct stat system_st;
	401
	402	if (stat("/etc/resolv.conf", &system_st) < 0) {
	403	if (errno == ENOENT)
	404	return RESOLV_CONF_MISSING;
	405
	406	return -errno;
	407	}
	408
	409	for (ResolvConfMode m = 0; m < _RESOLV_CONF_MODE_MAX; m++) {
	410	struct stat our_st;
	411
	412	if (!table[m])
	413	continue;
	414
	415	if (stat(table[m], &our_st) < 0) {
	416	if (errno != ENOENT)
	417	log_debug_errno(errno, "Failed to stat() %s, ignoring: %m", table[m]);
	418
	419	continue;
	420	}
	421
a9dac7a6	422	if (stat_inode_same(&system_st, &our_st))
4261ab65 LP	423	return m;
	424	}
	425
	426	return RESOLV_CONF_FOREIGN;
	427	}
	428
	429	static const char* const resolv_conf_mode_table[_RESOLV_CONF_MODE_MAX] = {
	430	[RESOLV_CONF_UPLINK] = "uplink",
	431	[RESOLV_CONF_STUB] = "stub",
	432	[RESOLV_CONF_STATIC] = "static",
	433	[RESOLV_CONF_MISSING] = "missing",
	434	[RESOLV_CONF_FOREIGN] = "foreign",
	435	};
	436	DEFINE_STRING_TABLE_LOOKUP(resolv_conf_mode, ResolvConfMode);