]>
Commit | Line | Data |
---|---|---|
1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ | |
2 | ||
3 | #include <fcntl.h> | |
4 | #include <netinet/in.h> | |
5 | #include <poll.h> | |
6 | #include <sys/ioctl.h> | |
7 | #include <sys/stat.h> | |
8 | #include <sys/types.h> | |
9 | #include <unistd.h> | |
10 | ||
11 | #include "af-list.h" | |
12 | #include "alloc-util.h" | |
13 | #include "bus-polkit.h" | |
14 | #include "daemon-util.h" | |
15 | #include "dirent-util.h" | |
16 | #include "dns-domain.h" | |
17 | #include "event-util.h" | |
18 | #include "fd-util.h" | |
19 | #include "fileio.h" | |
20 | #include "hostname-util.h" | |
21 | #include "idn-util.h" | |
22 | #include "io-util.h" | |
23 | #include "iovec-util.h" | |
24 | #include "memstream-util.h" | |
25 | #include "missing_network.h" | |
26 | #include "missing_socket.h" | |
27 | #include "netlink-util.h" | |
28 | #include "ordered-set.h" | |
29 | #include "parse-util.h" | |
30 | #include "random-util.h" | |
31 | #include "resolved-bus.h" | |
32 | #include "resolved-conf.h" | |
33 | #include "resolved-dns-stub.h" | |
34 | #include "resolved-dnssd.h" | |
35 | #include "resolved-etc-hosts.h" | |
36 | #include "resolved-llmnr.h" | |
37 | #include "resolved-manager.h" | |
38 | #include "resolved-mdns.h" | |
39 | #include "resolved-resolv-conf.h" | |
40 | #include "resolved-util.h" | |
41 | #include "resolved-varlink.h" | |
42 | #include "socket-util.h" | |
43 | #include "string-table.h" | |
44 | #include "string-util.h" | |
45 | #include "utf8.h" | |
46 | ||
47 | #define SEND_TIMEOUT_USEC (200 * USEC_PER_MSEC) | |
48 | ||
49 | static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *userdata) { | |
50 | Manager *m = ASSERT_PTR(userdata); | |
51 | uint16_t type; | |
52 | Link *l; | |
53 | int ifindex, r; | |
54 | ||
55 | assert(rtnl); | |
56 | assert(mm); | |
57 | ||
58 | r = sd_netlink_message_get_type(mm, &type); | |
59 | if (r < 0) | |
60 | goto fail; | |
61 | ||
62 | r = sd_rtnl_message_link_get_ifindex(mm, &ifindex); | |
63 | if (r < 0) | |
64 | goto fail; | |
65 | ||
66 | l = hashmap_get(m->links, INT_TO_PTR(ifindex)); | |
67 | ||
68 | switch (type) { | |
69 | ||
70 | case RTM_NEWLINK:{ | |
71 | bool is_new = !l; | |
72 | ||
73 | if (!l) { | |
74 | r = link_new(m, &l, ifindex); | |
75 | if (r < 0) | |
76 | goto fail; | |
77 | } | |
78 | ||
79 | r = link_process_rtnl(l, mm); | |
80 | if (r < 0) | |
81 | goto fail; | |
82 | ||
83 | r = link_update(l); | |
84 | if (r < 0) | |
85 | goto fail; | |
86 | ||
87 | if (is_new) | |
88 | log_debug("Found new link %i/%s", ifindex, l->ifname); | |
89 | ||
90 | break; | |
91 | } | |
92 | ||
93 | case RTM_DELLINK: | |
94 | if (l) { | |
95 | log_debug("Removing link %i/%s", l->ifindex, l->ifname); | |
96 | link_remove_user(l); | |
97 | link_free(l); | |
98 | } | |
99 | ||
100 | break; | |
101 | } | |
102 | ||
103 | return 0; | |
104 | ||
105 | fail: | |
106 | log_warning_errno(r, "Failed to process RTNL link message: %m"); | |
107 | return 0; | |
108 | } | |
109 | ||
110 | static int manager_process_address(sd_netlink *rtnl, sd_netlink_message *mm, void *userdata) { | |
111 | Manager *m = ASSERT_PTR(userdata); | |
112 | union in_addr_union address, broadcast = {}; | |
113 | uint16_t type; | |
114 | int r, ifindex, family; | |
115 | LinkAddress *a; | |
116 | Link *l; | |
117 | ||
118 | assert(rtnl); | |
119 | assert(mm); | |
120 | ||
121 | r = sd_netlink_message_get_type(mm, &type); | |
122 | if (r < 0) | |
123 | goto fail; | |
124 | ||
125 | r = sd_rtnl_message_addr_get_ifindex(mm, &ifindex); | |
126 | if (r < 0) | |
127 | goto fail; | |
128 | ||
129 | l = hashmap_get(m->links, INT_TO_PTR(ifindex)); | |
130 | if (!l) | |
131 | return 0; | |
132 | ||
133 | r = sd_rtnl_message_addr_get_family(mm, &family); | |
134 | if (r < 0) | |
135 | goto fail; | |
136 | ||
137 | switch (family) { | |
138 | ||
139 | case AF_INET: | |
140 | sd_netlink_message_read_in_addr(mm, IFA_BROADCAST, &broadcast.in); | |
141 | r = sd_netlink_message_read_in_addr(mm, IFA_LOCAL, &address.in); | |
142 | if (r < 0) { | |
143 | r = sd_netlink_message_read_in_addr(mm, IFA_ADDRESS, &address.in); | |
144 | if (r < 0) | |
145 | goto fail; | |
146 | } | |
147 | ||
148 | break; | |
149 | ||
150 | case AF_INET6: | |
151 | r = sd_netlink_message_read_in6_addr(mm, IFA_LOCAL, &address.in6); | |
152 | if (r < 0) { | |
153 | r = sd_netlink_message_read_in6_addr(mm, IFA_ADDRESS, &address.in6); | |
154 | if (r < 0) | |
155 | goto fail; | |
156 | } | |
157 | ||
158 | break; | |
159 | ||
160 | default: | |
161 | return 0; | |
162 | } | |
163 | ||
164 | a = link_find_address(l, family, &address); | |
165 | ||
166 | switch (type) { | |
167 | ||
168 | case RTM_NEWADDR: | |
169 | ||
170 | if (!a) { | |
171 | r = link_address_new(l, &a, family, &address, &broadcast); | |
172 | if (r < 0) | |
173 | return r; | |
174 | } | |
175 | ||
176 | r = link_address_update_rtnl(a, mm); | |
177 | if (r < 0) | |
178 | return r; | |
179 | ||
180 | break; | |
181 | ||
182 | case RTM_DELADDR: | |
183 | link_address_free(a); | |
184 | break; | |
185 | } | |
186 | ||
187 | return 0; | |
188 | ||
189 | fail: | |
190 | log_warning_errno(r, "Failed to process RTNL address message: %m"); | |
191 | return 0; | |
192 | } | |
193 | ||
194 | static int manager_rtnl_listen(Manager *m) { | |
195 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL; | |
196 | int r; | |
197 | ||
198 | assert(m); | |
199 | ||
200 | /* First, subscribe to interfaces coming and going */ | |
201 | r = sd_netlink_open(&m->rtnl); | |
202 | if (r < 0) | |
203 | return r; | |
204 | ||
205 | r = sd_netlink_attach_event(m->rtnl, m->event, SD_EVENT_PRIORITY_IMPORTANT); | |
206 | if (r < 0) | |
207 | return r; | |
208 | ||
209 | r = sd_netlink_add_match(m->rtnl, NULL, RTM_NEWLINK, manager_process_link, NULL, m, "resolve-NEWLINK"); | |
210 | if (r < 0) | |
211 | return r; | |
212 | ||
213 | r = sd_netlink_add_match(m->rtnl, NULL, RTM_DELLINK, manager_process_link, NULL, m, "resolve-DELLINK"); | |
214 | if (r < 0) | |
215 | return r; | |
216 | ||
217 | r = sd_netlink_add_match(m->rtnl, NULL, RTM_NEWADDR, manager_process_address, NULL, m, "resolve-NEWADDR"); | |
218 | if (r < 0) | |
219 | return r; | |
220 | ||
221 | r = sd_netlink_add_match(m->rtnl, NULL, RTM_DELADDR, manager_process_address, NULL, m, "resolve-DELADDR"); | |
222 | if (r < 0) | |
223 | return r; | |
224 | ||
225 | /* Then, enumerate all links */ | |
226 | r = sd_rtnl_message_new_link(m->rtnl, &req, RTM_GETLINK, 0); | |
227 | if (r < 0) | |
228 | return r; | |
229 | ||
230 | r = sd_netlink_message_set_request_dump(req, true); | |
231 | if (r < 0) | |
232 | return r; | |
233 | ||
234 | r = sd_netlink_call(m->rtnl, req, 0, &reply); | |
235 | if (r < 0) | |
236 | return r; | |
237 | ||
238 | for (sd_netlink_message *i = reply; i; i = sd_netlink_message_next(i)) { | |
239 | r = manager_process_link(m->rtnl, i, m); | |
240 | if (r < 0) | |
241 | return r; | |
242 | } | |
243 | ||
244 | req = sd_netlink_message_unref(req); | |
245 | reply = sd_netlink_message_unref(reply); | |
246 | ||
247 | /* Finally, enumerate all addresses, too */ | |
248 | r = sd_rtnl_message_new_addr(m->rtnl, &req, RTM_GETADDR, 0, AF_UNSPEC); | |
249 | if (r < 0) | |
250 | return r; | |
251 | ||
252 | r = sd_netlink_message_set_request_dump(req, true); | |
253 | if (r < 0) | |
254 | return r; | |
255 | ||
256 | r = sd_netlink_call(m->rtnl, req, 0, &reply); | |
257 | if (r < 0) | |
258 | return r; | |
259 | ||
260 | for (sd_netlink_message *i = reply; i; i = sd_netlink_message_next(i)) { | |
261 | r = manager_process_address(m->rtnl, i, m); | |
262 | if (r < 0) | |
263 | return r; | |
264 | } | |
265 | ||
266 | return r; | |
267 | } | |
268 | ||
269 | static int on_network_event(sd_event_source *s, int fd, uint32_t revents, void *userdata) { | |
270 | Manager *m = ASSERT_PTR(userdata); | |
271 | Link *l; | |
272 | int r; | |
273 | ||
274 | sd_network_monitor_flush(m->network_monitor); | |
275 | ||
276 | HASHMAP_FOREACH(l, m->links) { | |
277 | r = link_update(l); | |
278 | if (r < 0) | |
279 | log_warning_errno(r, "Failed to update monitor information for %i: %m", l->ifindex); | |
280 | } | |
281 | ||
282 | (void) manager_write_resolv_conf(m); | |
283 | (void) manager_send_changed(m, "DNS"); | |
284 | ||
285 | return 0; | |
286 | } | |
287 | ||
288 | static int manager_network_monitor_listen(Manager *m) { | |
289 | int r, fd, events; | |
290 | ||
291 | assert(m); | |
292 | ||
293 | r = sd_network_monitor_new(&m->network_monitor, NULL); | |
294 | if (r < 0) | |
295 | return r; | |
296 | ||
297 | fd = sd_network_monitor_get_fd(m->network_monitor); | |
298 | if (fd < 0) | |
299 | return fd; | |
300 | ||
301 | events = sd_network_monitor_get_events(m->network_monitor); | |
302 | if (events < 0) | |
303 | return events; | |
304 | ||
305 | r = sd_event_add_io(m->event, &m->network_event_source, fd, events, &on_network_event, m); | |
306 | if (r < 0) | |
307 | return r; | |
308 | ||
309 | r = sd_event_source_set_priority(m->network_event_source, SD_EVENT_PRIORITY_IMPORTANT+5); | |
310 | if (r < 0) | |
311 | return r; | |
312 | ||
313 | (void) sd_event_source_set_description(m->network_event_source, "network-monitor"); | |
314 | ||
315 | return 0; | |
316 | } | |
317 | ||
318 | static int manager_clock_change_listen(Manager *m); | |
319 | ||
320 | static int on_clock_change(sd_event_source *source, int fd, uint32_t revents, void *userdata) { | |
321 | Manager *m = ASSERT_PTR(userdata); | |
322 | ||
323 | /* The clock has changed, let's flush all caches. Why that? That's because DNSSEC validation takes | |
324 | * the system clock into consideration, and if the clock changes the old validations might have been | |
325 | * wrong. Let's redo all validation with the new, correct time. | |
326 | * | |
327 | * (Also, this is triggered after system suspend, which is also a good reason to drop caches, since | |
328 | * we might be connected to a different network now without this being visible in a dropped link | |
329 | * carrier or so.) */ | |
330 | ||
331 | log_info("Clock change detected. Flushing caches."); | |
332 | manager_flush_caches(m, LOG_DEBUG /* downgrade the functions own log message, since we already logged here at LOG_INFO level */); | |
333 | ||
334 | /* The clock change timerfd is unusable after it triggered once, create a new one. */ | |
335 | return manager_clock_change_listen(m); | |
336 | } | |
337 | ||
338 | static int manager_clock_change_listen(Manager *m) { | |
339 | int r; | |
340 | ||
341 | assert(m); | |
342 | ||
343 | m->clock_change_event_source = sd_event_source_disable_unref(m->clock_change_event_source); | |
344 | ||
345 | r = event_add_time_change(m->event, &m->clock_change_event_source, on_clock_change, m); | |
346 | if (r < 0) | |
347 | return log_error_errno(r, "Failed to create clock change event source: %m"); | |
348 | ||
349 | return 0; | |
350 | } | |
351 | ||
352 | static int determine_hostnames(char **full_hostname, char **llmnr_hostname, char **mdns_hostname) { | |
353 | _cleanup_free_ char *h = NULL, *n = NULL; | |
354 | int r; | |
355 | ||
356 | assert(full_hostname); | |
357 | assert(llmnr_hostname); | |
358 | assert(mdns_hostname); | |
359 | ||
360 | r = resolve_system_hostname(&h, &n); | |
361 | if (r < 0) | |
362 | return r; | |
363 | ||
364 | r = dns_name_concat(n, "local", 0, mdns_hostname); | |
365 | if (r < 0) | |
366 | return log_error_errno(r, "Failed to determine mDNS hostname: %m"); | |
367 | ||
368 | *llmnr_hostname = TAKE_PTR(n); | |
369 | *full_hostname = TAKE_PTR(h); | |
370 | ||
371 | return 0; | |
372 | } | |
373 | ||
374 | static char* fallback_hostname(void) { | |
375 | ||
376 | /* Determine the fall back hostname. For exposing this system to the outside world, we cannot have it | |
377 | * to be "localhost" even if that's the default hostname. In this case, let's revert to "linux" | |
378 | * instead. */ | |
379 | ||
380 | _cleanup_free_ char *n = get_default_hostname(); | |
381 | if (!n) | |
382 | return NULL; | |
383 | ||
384 | if (is_localhost(n)) | |
385 | return strdup("linux"); | |
386 | ||
387 | return TAKE_PTR(n); | |
388 | } | |
389 | ||
390 | static int make_fallback_hostnames(char **full_hostname, char **llmnr_hostname, char **mdns_hostname) { | |
391 | _cleanup_free_ char *h = NULL, *n = NULL, *m = NULL; | |
392 | char label[DNS_LABEL_MAX+1]; | |
393 | const char *p; | |
394 | int r; | |
395 | ||
396 | assert(full_hostname); | |
397 | assert(llmnr_hostname); | |
398 | assert(mdns_hostname); | |
399 | ||
400 | p = h = fallback_hostname(); | |
401 | if (!h) | |
402 | return log_oom(); | |
403 | ||
404 | r = dns_label_unescape(&p, label, sizeof label, 0); | |
405 | if (r < 0) | |
406 | return log_error_errno(r, "Failed to unescape fallback hostname: %m"); | |
407 | ||
408 | assert(r > 0); /* The fallback hostname must have at least one label */ | |
409 | ||
410 | r = dns_label_escape_new(label, r, &n); | |
411 | if (r < 0) | |
412 | return log_error_errno(r, "Failed to escape fallback hostname: %m"); | |
413 | ||
414 | r = dns_name_concat(n, "local", 0, &m); | |
415 | if (r < 0) | |
416 | return log_error_errno(r, "Failed to concatenate mDNS hostname: %m"); | |
417 | ||
418 | *llmnr_hostname = TAKE_PTR(n); | |
419 | *mdns_hostname = TAKE_PTR(m); | |
420 | *full_hostname = TAKE_PTR(h); | |
421 | ||
422 | return 0; | |
423 | } | |
424 | ||
425 | static int on_hostname_change(sd_event_source *es, int fd, uint32_t revents, void *userdata) { | |
426 | _cleanup_free_ char *full_hostname = NULL, *llmnr_hostname = NULL, *mdns_hostname = NULL; | |
427 | Manager *m = ASSERT_PTR(userdata); | |
428 | bool llmnr_hostname_changed; | |
429 | int r; | |
430 | ||
431 | r = determine_hostnames(&full_hostname, &llmnr_hostname, &mdns_hostname); | |
432 | if (r < 0) { | |
433 | log_warning_errno(r, "Failed to determine the local hostname and LLMNR/mDNS names, ignoring: %m"); | |
434 | return 0; /* ignore invalid hostnames */ | |
435 | } | |
436 | ||
437 | llmnr_hostname_changed = !streq(llmnr_hostname, m->llmnr_hostname); | |
438 | if (streq(full_hostname, m->full_hostname) && | |
439 | !llmnr_hostname_changed && | |
440 | streq(mdns_hostname, m->mdns_hostname)) | |
441 | return 0; | |
442 | ||
443 | log_info("System hostname changed to '%s'.", full_hostname); | |
444 | ||
445 | free_and_replace(m->full_hostname, full_hostname); | |
446 | free_and_replace(m->llmnr_hostname, llmnr_hostname); | |
447 | free_and_replace(m->mdns_hostname, mdns_hostname); | |
448 | ||
449 | manager_refresh_rrs(m); | |
450 | (void) manager_send_changed(m, "LLMNRHostname"); | |
451 | ||
452 | return 0; | |
453 | } | |
454 | ||
455 | static int manager_watch_hostname(Manager *m) { | |
456 | int r; | |
457 | ||
458 | assert(m); | |
459 | ||
460 | m->hostname_fd = open("/proc/sys/kernel/hostname", | |
461 | O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); | |
462 | if (m->hostname_fd < 0) { | |
463 | log_warning_errno(errno, "Failed to watch hostname: %m"); | |
464 | return 0; | |
465 | } | |
466 | ||
467 | r = sd_event_add_io(m->event, &m->hostname_event_source, m->hostname_fd, 0, on_hostname_change, m); | |
468 | if (r < 0) { | |
469 | if (r == -EPERM) | |
470 | /* kernels prior to 3.2 don't support polling this file. Ignore the failure. */ | |
471 | m->hostname_fd = safe_close(m->hostname_fd); | |
472 | else | |
473 | return log_error_errno(r, "Failed to add hostname event source: %m"); | |
474 | } | |
475 | ||
476 | (void) sd_event_source_set_description(m->hostname_event_source, "hostname"); | |
477 | ||
478 | r = determine_hostnames(&m->full_hostname, &m->llmnr_hostname, &m->mdns_hostname); | |
479 | if (r < 0) { | |
480 | _cleanup_free_ char *d = NULL; | |
481 | ||
482 | d = fallback_hostname(); | |
483 | if (!d) | |
484 | return log_oom(); | |
485 | ||
486 | log_info("Defaulting to hostname '%s'.", d); | |
487 | ||
488 | r = make_fallback_hostnames(&m->full_hostname, &m->llmnr_hostname, &m->mdns_hostname); | |
489 | if (r < 0) | |
490 | return r; | |
491 | } else | |
492 | log_info("Using system hostname '%s'.", m->full_hostname); | |
493 | ||
494 | return 0; | |
495 | } | |
496 | ||
497 | static int manager_sigusr1(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { | |
498 | _cleanup_(memstream_done) MemStream ms = {}; | |
499 | Manager *m = ASSERT_PTR(userdata); | |
500 | Link *l; | |
501 | FILE *f; | |
502 | ||
503 | assert(s); | |
504 | assert(si); | |
505 | ||
506 | f = memstream_init(&ms); | |
507 | if (!f) | |
508 | return log_oom(); | |
509 | ||
510 | LIST_FOREACH(scopes, scope, m->dns_scopes) | |
511 | dns_scope_dump(scope, f); | |
512 | ||
513 | LIST_FOREACH(servers, server, m->dns_servers) | |
514 | dns_server_dump(server, f); | |
515 | LIST_FOREACH(servers, server, m->fallback_dns_servers) | |
516 | dns_server_dump(server, f); | |
517 | HASHMAP_FOREACH(l, m->links) | |
518 | LIST_FOREACH(servers, server, l->dns_servers) | |
519 | dns_server_dump(server, f); | |
520 | ||
521 | return memstream_dump(LOG_INFO, &ms); | |
522 | } | |
523 | ||
524 | static int manager_sigusr2(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { | |
525 | Manager *m = ASSERT_PTR(userdata); | |
526 | ||
527 | assert(s); | |
528 | assert(si); | |
529 | ||
530 | manager_flush_caches(m, LOG_INFO); | |
531 | ||
532 | return 0; | |
533 | } | |
534 | ||
535 | static int manager_sigrtmin1(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { | |
536 | Manager *m = ASSERT_PTR(userdata); | |
537 | ||
538 | assert(s); | |
539 | assert(si); | |
540 | ||
541 | manager_reset_server_features(m); | |
542 | return 0; | |
543 | } | |
544 | ||
545 | static int manager_memory_pressure(sd_event_source *s, void *userdata) { | |
546 | Manager *m = ASSERT_PTR(userdata); | |
547 | ||
548 | log_info("Under memory pressure, flushing caches."); | |
549 | ||
550 | manager_flush_caches(m, LOG_INFO); | |
551 | sd_event_trim_memory(); | |
552 | ||
553 | return 0; | |
554 | } | |
555 | ||
556 | static int manager_memory_pressure_listen(Manager *m) { | |
557 | int r; | |
558 | ||
559 | assert(m); | |
560 | ||
561 | r = sd_event_add_memory_pressure(m->event, NULL, manager_memory_pressure, m); | |
562 | if (r < 0) | |
563 | log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || ERRNO_IS_PRIVILEGE(r) || (r == -EHOSTDOWN )? LOG_DEBUG : LOG_NOTICE, r, | |
564 | "Failed to install memory pressure event source, ignoring: %m"); | |
565 | ||
566 | return 0; | |
567 | } | |
568 | ||
569 | static void manager_set_defaults(Manager *m) { | |
570 | assert(m); | |
571 | ||
572 | m->llmnr_support = DEFAULT_LLMNR_MODE; | |
573 | m->mdns_support = DEFAULT_MDNS_MODE; | |
574 | m->dnssec_mode = DEFAULT_DNSSEC_MODE; | |
575 | m->dns_over_tls_mode = DEFAULT_DNS_OVER_TLS_MODE; | |
576 | m->enable_cache = DNS_CACHE_MODE_YES; | |
577 | m->dns_stub_listener_mode = DNS_STUB_LISTENER_YES; | |
578 | m->read_etc_hosts = true; | |
579 | m->resolve_unicast_single_label = false; | |
580 | m->cache_from_localhost = false; | |
581 | m->stale_retention_usec = 0; | |
582 | } | |
583 | ||
584 | static int manager_dispatch_reload_signal(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) { | |
585 | Manager *m = ASSERT_PTR(userdata); | |
586 | int r; | |
587 | ||
588 | (void) notify_reloading(); | |
589 | ||
590 | manager_set_defaults(m); | |
591 | ||
592 | dns_server_unlink_on_reload(m->dns_servers); | |
593 | dns_server_unlink_on_reload(m->fallback_dns_servers); | |
594 | m->dns_extra_stub_listeners = ordered_set_free(m->dns_extra_stub_listeners); | |
595 | dnssd_service_clear_on_reload(m->dnssd_services); | |
596 | m->unicast_scope = dns_scope_free(m->unicast_scope); | |
597 | ||
598 | dns_trust_anchor_flush(&m->trust_anchor); | |
599 | ||
600 | r = dns_trust_anchor_load(&m->trust_anchor); | |
601 | if (r < 0) | |
602 | return r; | |
603 | ||
604 | r = manager_parse_config_file(m); | |
605 | if (r < 0) | |
606 | log_warning_errno(r, "Failed to parse config file on reload: %m"); | |
607 | else | |
608 | log_info("Config file reloaded."); | |
609 | ||
610 | r = dnssd_load(m); | |
611 | if (r < 0) | |
612 | log_warning_errno(r, "Failed to load DNS-SD configuration files: %m"); | |
613 | ||
614 | /* The default scope configuration is influenced by the manager's configuration (modes, etc.), so | |
615 | * recreate it on reload. */ | |
616 | r = dns_scope_new(m, &m->unicast_scope, NULL, DNS_PROTOCOL_DNS, AF_UNSPEC); | |
617 | if (r < 0) | |
618 | return r; | |
619 | ||
620 | /* The configuration has changed, so reload the per-interface configuration too in order to take | |
621 | * into account any changes (e.g.: enable/disable DNSSEC). */ | |
622 | r = on_network_event(/* sd_event_source= */ NULL, -EBADF, /* revents= */ 0, m); | |
623 | if (r < 0) | |
624 | log_warning_errno(r, "Failed to update network information: %m"); | |
625 | ||
626 | /* We have new configuration, which means potentially new servers, so close all connections and drop | |
627 | * all caches, so that we can start fresh. */ | |
628 | (void) dns_stream_disconnect_all(m); | |
629 | manager_flush_caches(m, LOG_INFO); | |
630 | manager_verify_all(m); | |
631 | ||
632 | (void) sd_notify(/* unset= */ false, NOTIFY_READY); | |
633 | return 0; | |
634 | } | |
635 | ||
636 | int manager_new(Manager **ret) { | |
637 | _cleanup_(manager_freep) Manager *m = NULL; | |
638 | int r; | |
639 | ||
640 | assert(ret); | |
641 | ||
642 | m = new(Manager, 1); | |
643 | if (!m) | |
644 | return -ENOMEM; | |
645 | ||
646 | *m = (Manager) { | |
647 | .llmnr_ipv4_udp_fd = -EBADF, | |
648 | .llmnr_ipv6_udp_fd = -EBADF, | |
649 | .llmnr_ipv4_tcp_fd = -EBADF, | |
650 | .llmnr_ipv6_tcp_fd = -EBADF, | |
651 | .mdns_ipv4_fd = -EBADF, | |
652 | .mdns_ipv6_fd = -EBADF, | |
653 | .hostname_fd = -EBADF, | |
654 | ||
655 | .read_resolv_conf = true, | |
656 | .need_builtin_fallbacks = true, | |
657 | .etc_hosts_last = USEC_INFINITY, | |
658 | ||
659 | .sigrtmin18_info.memory_pressure_handler = manager_memory_pressure, | |
660 | .sigrtmin18_info.memory_pressure_userdata = m, | |
661 | }; | |
662 | ||
663 | manager_set_defaults(m); | |
664 | ||
665 | r = dns_trust_anchor_load(&m->trust_anchor); | |
666 | if (r < 0) | |
667 | return r; | |
668 | ||
669 | r = manager_parse_config_file(m); | |
670 | if (r < 0) | |
671 | log_warning_errno(r, "Failed to parse configuration file: %m"); | |
672 | ||
673 | #if ENABLE_DNS_OVER_TLS | |
674 | r = dnstls_manager_init(m); | |
675 | if (r < 0) | |
676 | return r; | |
677 | #endif | |
678 | ||
679 | r = sd_event_default(&m->event); | |
680 | if (r < 0) | |
681 | return r; | |
682 | ||
683 | (void) sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL); | |
684 | (void) sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL); | |
685 | (void) sd_event_add_signal(m->event, NULL, SIGHUP | SD_EVENT_SIGNAL_PROCMASK, manager_dispatch_reload_signal, m); | |
686 | ||
687 | (void) sd_event_set_watchdog(m->event, true); | |
688 | ||
689 | r = manager_watch_hostname(m); | |
690 | if (r < 0) | |
691 | return r; | |
692 | ||
693 | r = dnssd_load(m); | |
694 | if (r < 0) | |
695 | log_warning_errno(r, "Failed to load DNS-SD configuration files: %m"); | |
696 | ||
697 | r = dns_scope_new(m, &m->unicast_scope, NULL, DNS_PROTOCOL_DNS, AF_UNSPEC); | |
698 | if (r < 0) | |
699 | return r; | |
700 | ||
701 | r = manager_network_monitor_listen(m); | |
702 | if (r < 0) | |
703 | return r; | |
704 | ||
705 | r = manager_rtnl_listen(m); | |
706 | if (r < 0) | |
707 | return r; | |
708 | ||
709 | r = manager_clock_change_listen(m); | |
710 | if (r < 0) | |
711 | return r; | |
712 | ||
713 | r = manager_memory_pressure_listen(m); | |
714 | if (r < 0) | |
715 | return r; | |
716 | ||
717 | r = manager_connect_bus(m); | |
718 | if (r < 0) | |
719 | return r; | |
720 | ||
721 | (void) sd_event_add_signal(m->event, &m->sigusr1_event_source, SIGUSR1, manager_sigusr1, m); | |
722 | (void) sd_event_add_signal(m->event, &m->sigusr2_event_source, SIGUSR2, manager_sigusr2, m); | |
723 | (void) sd_event_add_signal(m->event, &m->sigrtmin1_event_source, SIGRTMIN+1, manager_sigrtmin1, m); | |
724 | (void) sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, &m->sigrtmin18_info); | |
725 | ||
726 | manager_cleanup_saved_user(m); | |
727 | ||
728 | *ret = TAKE_PTR(m); | |
729 | ||
730 | return 0; | |
731 | } | |
732 | ||
733 | int manager_start(Manager *m) { | |
734 | int r; | |
735 | ||
736 | assert(m); | |
737 | ||
738 | r = manager_dns_stub_start(m); | |
739 | if (r < 0) | |
740 | return r; | |
741 | ||
742 | r = manager_varlink_init(m); | |
743 | if (r < 0) | |
744 | return r; | |
745 | ||
746 | return 0; | |
747 | } | |
748 | ||
749 | Manager *manager_free(Manager *m) { | |
750 | Link *l; | |
751 | DnssdService *s; | |
752 | ||
753 | if (!m) | |
754 | return NULL; | |
755 | ||
756 | dns_server_unlink_all(m->dns_servers); | |
757 | dns_server_unlink_all(m->fallback_dns_servers); | |
758 | dns_search_domain_unlink_all(m->search_domains); | |
759 | ||
760 | while ((l = hashmap_first(m->links))) | |
761 | link_free(l); | |
762 | ||
763 | while (m->dns_queries) | |
764 | dns_query_free(m->dns_queries); | |
765 | ||
766 | m->stub_queries_by_packet = hashmap_free(m->stub_queries_by_packet); | |
767 | ||
768 | dns_scope_free(m->unicast_scope); | |
769 | ||
770 | /* At this point only orphaned streams should remain. All others should have been freed already by their | |
771 | * owners */ | |
772 | while (m->dns_streams) | |
773 | dns_stream_unref(m->dns_streams); | |
774 | ||
775 | #if ENABLE_DNS_OVER_TLS | |
776 | dnstls_manager_free(m); | |
777 | #endif | |
778 | ||
779 | hashmap_free(m->links); | |
780 | hashmap_free(m->dns_transactions); | |
781 | ||
782 | sd_event_source_unref(m->network_event_source); | |
783 | sd_network_monitor_unref(m->network_monitor); | |
784 | ||
785 | sd_netlink_unref(m->rtnl); | |
786 | sd_event_source_unref(m->rtnl_event_source); | |
787 | sd_event_source_unref(m->clock_change_event_source); | |
788 | ||
789 | manager_llmnr_stop(m); | |
790 | manager_mdns_stop(m); | |
791 | manager_dns_stub_stop(m); | |
792 | manager_varlink_done(m); | |
793 | ||
794 | manager_socket_graveyard_clear(m); | |
795 | ||
796 | ordered_set_free(m->dns_extra_stub_listeners); | |
797 | ||
798 | hashmap_free(m->polkit_registry); | |
799 | ||
800 | sd_bus_flush_close_unref(m->bus); | |
801 | ||
802 | sd_event_source_unref(m->sigusr1_event_source); | |
803 | sd_event_source_unref(m->sigusr2_event_source); | |
804 | sd_event_source_unref(m->sigrtmin1_event_source); | |
805 | ||
806 | dns_resource_key_unref(m->llmnr_host_ipv4_key); | |
807 | dns_resource_key_unref(m->llmnr_host_ipv6_key); | |
808 | dns_resource_key_unref(m->mdns_host_ipv4_key); | |
809 | dns_resource_key_unref(m->mdns_host_ipv6_key); | |
810 | ||
811 | sd_event_source_unref(m->hostname_event_source); | |
812 | safe_close(m->hostname_fd); | |
813 | ||
814 | sd_event_unref(m->event); | |
815 | ||
816 | free(m->full_hostname); | |
817 | free(m->llmnr_hostname); | |
818 | free(m->mdns_hostname); | |
819 | ||
820 | while ((s = hashmap_first(m->dnssd_services))) | |
821 | dnssd_service_free(s); | |
822 | hashmap_free(m->dnssd_services); | |
823 | ||
824 | dns_trust_anchor_flush(&m->trust_anchor); | |
825 | manager_etc_hosts_flush(m); | |
826 | ||
827 | return mfree(m); | |
828 | } | |
829 | ||
830 | int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) { | |
831 | _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; | |
832 | CMSG_BUFFER_TYPE(CMSG_SPACE(MAXSIZE(struct in_pktinfo, struct in6_pktinfo)) | |
833 | + CMSG_SPACE(int) /* ttl/hoplimit */ | |
834 | + EXTRA_CMSG_SPACE /* kernel appears to require extra buffer space */) control; | |
835 | union sockaddr_union sa; | |
836 | struct iovec iov; | |
837 | struct msghdr mh = { | |
838 | .msg_name = &sa.sa, | |
839 | .msg_namelen = sizeof(sa), | |
840 | .msg_iov = &iov, | |
841 | .msg_iovlen = 1, | |
842 | .msg_control = &control, | |
843 | .msg_controllen = sizeof(control), | |
844 | }; | |
845 | struct cmsghdr *cmsg; | |
846 | ssize_t ms, l; | |
847 | int r; | |
848 | ||
849 | assert(m); | |
850 | assert(fd >= 0); | |
851 | assert(ret); | |
852 | ||
853 | ms = next_datagram_size_fd(fd); | |
854 | if (ms < 0) | |
855 | return ms; | |
856 | ||
857 | r = dns_packet_new(&p, protocol, ms, DNS_PACKET_SIZE_MAX); | |
858 | if (r < 0) | |
859 | return r; | |
860 | ||
861 | iov = IOVEC_MAKE(DNS_PACKET_DATA(p), p->allocated); | |
862 | ||
863 | l = recvmsg_safe(fd, &mh, 0); | |
864 | if (ERRNO_IS_NEG_TRANSIENT(l)) | |
865 | return 0; | |
866 | if (l <= 0) | |
867 | return l; | |
868 | ||
869 | assert(!(mh.msg_flags & MSG_TRUNC)); | |
870 | ||
871 | p->size = (size_t) l; | |
872 | ||
873 | p->family = sa.sa.sa_family; | |
874 | p->ipproto = IPPROTO_UDP; | |
875 | if (p->family == AF_INET) { | |
876 | p->sender.in = sa.in.sin_addr; | |
877 | p->sender_port = be16toh(sa.in.sin_port); | |
878 | } else if (p->family == AF_INET6) { | |
879 | p->sender.in6 = sa.in6.sin6_addr; | |
880 | p->sender_port = be16toh(sa.in6.sin6_port); | |
881 | p->ifindex = sa.in6.sin6_scope_id; | |
882 | } else | |
883 | return -EAFNOSUPPORT; | |
884 | ||
885 | p->timestamp = now(CLOCK_BOOTTIME); | |
886 | ||
887 | CMSG_FOREACH(cmsg, &mh) { | |
888 | ||
889 | if (cmsg->cmsg_level == IPPROTO_IPV6) { | |
890 | assert(p->family == AF_INET6); | |
891 | ||
892 | switch (cmsg->cmsg_type) { | |
893 | ||
894 | case IPV6_PKTINFO: { | |
895 | struct in6_pktinfo *i = CMSG_TYPED_DATA(cmsg, struct in6_pktinfo); | |
896 | ||
897 | if (p->ifindex <= 0) | |
898 | p->ifindex = i->ipi6_ifindex; | |
899 | ||
900 | p->destination.in6 = i->ipi6_addr; | |
901 | break; | |
902 | } | |
903 | ||
904 | case IPV6_HOPLIMIT: | |
905 | p->ttl = *CMSG_TYPED_DATA(cmsg, int); | |
906 | break; | |
907 | ||
908 | case IPV6_RECVFRAGSIZE: | |
909 | p->fragsize = *CMSG_TYPED_DATA(cmsg, int); | |
910 | break; | |
911 | } | |
912 | } else if (cmsg->cmsg_level == IPPROTO_IP) { | |
913 | assert(p->family == AF_INET); | |
914 | ||
915 | switch (cmsg->cmsg_type) { | |
916 | ||
917 | case IP_PKTINFO: { | |
918 | struct in_pktinfo *i = CMSG_TYPED_DATA(cmsg, struct in_pktinfo); | |
919 | ||
920 | if (p->ifindex <= 0) | |
921 | p->ifindex = i->ipi_ifindex; | |
922 | ||
923 | p->destination.in = i->ipi_addr; | |
924 | break; | |
925 | } | |
926 | ||
927 | case IP_TTL: | |
928 | p->ttl = *CMSG_TYPED_DATA(cmsg, int); | |
929 | break; | |
930 | ||
931 | case IP_RECVFRAGSIZE: | |
932 | p->fragsize = *CMSG_TYPED_DATA(cmsg, int); | |
933 | break; | |
934 | } | |
935 | } | |
936 | } | |
937 | ||
938 | /* The Linux kernel sets the interface index to the loopback | |
939 | * device if the packet came from the local host since it | |
940 | * avoids the routing table in such a case. Let's unset the | |
941 | * interface index in such a case. */ | |
942 | if (p->ifindex == LOOPBACK_IFINDEX) | |
943 | p->ifindex = 0; | |
944 | ||
945 | if (protocol != DNS_PROTOCOL_DNS) { | |
946 | /* If we don't know the interface index still, we look for the | |
947 | * first local interface with a matching address. Yuck! */ | |
948 | if (p->ifindex <= 0) | |
949 | p->ifindex = manager_find_ifindex(m, p->family, &p->destination); | |
950 | } | |
951 | ||
952 | log_debug("Received %s UDP packet of size %zu, ifindex=%i, ttl=%u, fragsize=%zu, sender=%s, destination=%s", | |
953 | dns_protocol_to_string(protocol), p->size, p->ifindex, p->ttl, p->fragsize, | |
954 | IN_ADDR_TO_STRING(p->family, &p->sender), | |
955 | IN_ADDR_TO_STRING(p->family, &p->destination)); | |
956 | ||
957 | *ret = TAKE_PTR(p); | |
958 | return 1; | |
959 | } | |
960 | ||
961 | int sendmsg_loop(int fd, struct msghdr *mh, int flags) { | |
962 | usec_t end; | |
963 | int r; | |
964 | ||
965 | assert(fd >= 0); | |
966 | assert(mh); | |
967 | ||
968 | end = usec_add(now(CLOCK_MONOTONIC), SEND_TIMEOUT_USEC); | |
969 | ||
970 | for (;;) { | |
971 | if (sendmsg(fd, mh, flags) >= 0) | |
972 | return 0; | |
973 | if (errno == EINTR) | |
974 | continue; | |
975 | if (errno != EAGAIN) | |
976 | return -errno; | |
977 | ||
978 | r = fd_wait_for_event(fd, POLLOUT, LESS_BY(end, now(CLOCK_MONOTONIC))); | |
979 | if (ERRNO_IS_NEG_TRANSIENT(r)) | |
980 | continue; | |
981 | if (r < 0) | |
982 | return r; | |
983 | if (r == 0) | |
984 | return -ETIMEDOUT; | |
985 | } | |
986 | } | |
987 | ||
988 | static int write_loop(int fd, void *message, size_t length) { | |
989 | usec_t end; | |
990 | int r; | |
991 | ||
992 | assert(fd >= 0); | |
993 | assert(message); | |
994 | ||
995 | end = usec_add(now(CLOCK_MONOTONIC), SEND_TIMEOUT_USEC); | |
996 | ||
997 | for (;;) { | |
998 | if (write(fd, message, length) >= 0) | |
999 | return 0; | |
1000 | if (errno == EINTR) | |
1001 | continue; | |
1002 | if (errno != EAGAIN) | |
1003 | return -errno; | |
1004 | ||
1005 | r = fd_wait_for_event(fd, POLLOUT, LESS_BY(end, now(CLOCK_MONOTONIC))); | |
1006 | if (ERRNO_IS_NEG_TRANSIENT(r)) | |
1007 | continue; | |
1008 | if (r < 0) | |
1009 | return r; | |
1010 | if (r == 0) | |
1011 | return -ETIMEDOUT; | |
1012 | } | |
1013 | } | |
1014 | ||
1015 | int manager_write(Manager *m, int fd, DnsPacket *p) { | |
1016 | int r; | |
1017 | ||
1018 | log_debug("Sending %s%s packet with id %" PRIu16 " of size %zu.", | |
1019 | DNS_PACKET_TC(p) ? "truncated (!) " : "", | |
1020 | DNS_PACKET_QR(p) ? "response" : "query", | |
1021 | DNS_PACKET_ID(p), | |
1022 | p->size); | |
1023 | ||
1024 | r = write_loop(fd, DNS_PACKET_DATA(p), p->size); | |
1025 | if (r < 0) | |
1026 | return r; | |
1027 | ||
1028 | return 0; | |
1029 | } | |
1030 | ||
1031 | static int manager_ipv4_send( | |
1032 | Manager *m, | |
1033 | int fd, | |
1034 | int ifindex, | |
1035 | const struct in_addr *destination, | |
1036 | uint16_t port, | |
1037 | const struct in_addr *source, | |
1038 | DnsPacket *p) { | |
1039 | ||
1040 | CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct in_pktinfo))) control = {}; | |
1041 | union sockaddr_union sa; | |
1042 | struct iovec iov; | |
1043 | struct msghdr mh = { | |
1044 | .msg_iov = &iov, | |
1045 | .msg_iovlen = 1, | |
1046 | .msg_name = &sa.sa, | |
1047 | .msg_namelen = sizeof(sa.in), | |
1048 | }; | |
1049 | ||
1050 | assert(m); | |
1051 | assert(fd >= 0); | |
1052 | assert(destination); | |
1053 | assert(port > 0); | |
1054 | assert(p); | |
1055 | ||
1056 | iov = IOVEC_MAKE(DNS_PACKET_DATA(p), p->size); | |
1057 | ||
1058 | sa = (union sockaddr_union) { | |
1059 | .in.sin_family = AF_INET, | |
1060 | .in.sin_addr = *destination, | |
1061 | .in.sin_port = htobe16(port), | |
1062 | }; | |
1063 | ||
1064 | if (ifindex > 0) { | |
1065 | struct cmsghdr *cmsg; | |
1066 | struct in_pktinfo *pi; | |
1067 | ||
1068 | mh.msg_control = &control; | |
1069 | mh.msg_controllen = sizeof(control); | |
1070 | ||
1071 | cmsg = CMSG_FIRSTHDR(&mh); | |
1072 | cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); | |
1073 | cmsg->cmsg_level = IPPROTO_IP; | |
1074 | cmsg->cmsg_type = IP_PKTINFO; | |
1075 | ||
1076 | pi = CMSG_TYPED_DATA(cmsg, struct in_pktinfo); | |
1077 | pi->ipi_ifindex = ifindex; | |
1078 | ||
1079 | if (source) | |
1080 | pi->ipi_spec_dst = *source; | |
1081 | } | |
1082 | ||
1083 | return sendmsg_loop(fd, &mh, 0); | |
1084 | } | |
1085 | ||
1086 | static int manager_ipv6_send( | |
1087 | Manager *m, | |
1088 | int fd, | |
1089 | int ifindex, | |
1090 | const struct in6_addr *destination, | |
1091 | uint16_t port, | |
1092 | const struct in6_addr *source, | |
1093 | DnsPacket *p) { | |
1094 | ||
1095 | CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct in6_pktinfo))) control = {}; | |
1096 | union sockaddr_union sa; | |
1097 | struct iovec iov; | |
1098 | struct msghdr mh = { | |
1099 | .msg_iov = &iov, | |
1100 | .msg_iovlen = 1, | |
1101 | .msg_name = &sa.sa, | |
1102 | .msg_namelen = sizeof(sa.in6), | |
1103 | }; | |
1104 | ||
1105 | assert(m); | |
1106 | assert(fd >= 0); | |
1107 | assert(destination); | |
1108 | assert(port > 0); | |
1109 | assert(p); | |
1110 | ||
1111 | iov = IOVEC_MAKE(DNS_PACKET_DATA(p), p->size); | |
1112 | ||
1113 | sa = (union sockaddr_union) { | |
1114 | .in6.sin6_family = AF_INET6, | |
1115 | .in6.sin6_addr = *destination, | |
1116 | .in6.sin6_port = htobe16(port), | |
1117 | .in6.sin6_scope_id = ifindex, | |
1118 | }; | |
1119 | ||
1120 | if (ifindex > 0) { | |
1121 | struct cmsghdr *cmsg; | |
1122 | struct in6_pktinfo *pi; | |
1123 | ||
1124 | mh.msg_control = &control; | |
1125 | mh.msg_controllen = sizeof(control); | |
1126 | ||
1127 | cmsg = CMSG_FIRSTHDR(&mh); | |
1128 | cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); | |
1129 | cmsg->cmsg_level = IPPROTO_IPV6; | |
1130 | cmsg->cmsg_type = IPV6_PKTINFO; | |
1131 | ||
1132 | pi = CMSG_TYPED_DATA(cmsg, struct in6_pktinfo); | |
1133 | pi->ipi6_ifindex = ifindex; | |
1134 | ||
1135 | if (source) | |
1136 | pi->ipi6_addr = *source; | |
1137 | } | |
1138 | ||
1139 | return sendmsg_loop(fd, &mh, 0); | |
1140 | } | |
1141 | ||
1142 | static int dns_question_to_json(DnsQuestion *q, JsonVariant **ret) { | |
1143 | _cleanup_(json_variant_unrefp) JsonVariant *l = NULL; | |
1144 | DnsResourceKey *key; | |
1145 | int r; | |
1146 | ||
1147 | assert(ret); | |
1148 | ||
1149 | DNS_QUESTION_FOREACH(key, q) { | |
1150 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
1151 | ||
1152 | r = dns_resource_key_to_json(key, &v); | |
1153 | if (r < 0) | |
1154 | return r; | |
1155 | ||
1156 | r = json_variant_append_array(&l, v); | |
1157 | if (r < 0) | |
1158 | return r; | |
1159 | } | |
1160 | ||
1161 | *ret = TAKE_PTR(l); | |
1162 | return 0; | |
1163 | } | |
1164 | ||
1165 | int manager_monitor_send(Manager *m, DnsQuery *q) { | |
1166 | _cleanup_(json_variant_unrefp) JsonVariant *jquestion = NULL, *jcollected_questions = NULL, *janswer = NULL; | |
1167 | _cleanup_(dns_question_unrefp) DnsQuestion *merged = NULL; | |
1168 | Varlink *connection; | |
1169 | DnsAnswerItem *rri; | |
1170 | int r; | |
1171 | ||
1172 | assert(m); | |
1173 | ||
1174 | if (set_isempty(m->varlink_subscription)) | |
1175 | return 0; | |
1176 | ||
1177 | /* Merge all questions into one */ | |
1178 | r = dns_question_merge(q->question_idna, q->question_utf8, &merged); | |
1179 | if (r < 0) | |
1180 | return log_error_errno(r, "Failed to merge UTF8/IDNA questions: %m"); | |
1181 | ||
1182 | if (q->question_bypass) { | |
1183 | _cleanup_(dns_question_unrefp) DnsQuestion *merged2 = NULL; | |
1184 | ||
1185 | r = dns_question_merge(merged, q->question_bypass->question, &merged2); | |
1186 | if (r < 0) | |
1187 | return log_error_errno(r, "Failed to merge UTF8/IDNA questions and DNS packet question: %m"); | |
1188 | ||
1189 | dns_question_unref(merged); | |
1190 | merged = TAKE_PTR(merged2); | |
1191 | } | |
1192 | ||
1193 | /* Convert the current primary question to JSON */ | |
1194 | r = dns_question_to_json(merged, &jquestion); | |
1195 | if (r < 0) | |
1196 | return log_error_errno(r, "Failed to convert question to JSON: %m"); | |
1197 | ||
1198 | /* Generate a JSON array of the questions preceding the current one in the CNAME chain */ | |
1199 | r = dns_question_to_json(q->collected_questions, &jcollected_questions); | |
1200 | if (r < 0) | |
1201 | return log_error_errno(r, "Failed to convert question to JSON: %m"); | |
1202 | ||
1203 | DNS_ANSWER_FOREACH_ITEM(rri, q->answer) { | |
1204 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
1205 | ||
1206 | r = dns_resource_record_to_json(rri->rr, &v); | |
1207 | if (r < 0) | |
1208 | return log_error_errno(r, "Failed to convert answer resource record to JSON: %m"); | |
1209 | ||
1210 | r = dns_resource_record_to_wire_format(rri->rr, /* canonical= */ false); /* don't use DNSSEC canonical format, since it removes casing, but we want that for DNS_SD compat */ | |
1211 | if (r < 0) | |
1212 | return log_error_errno(r, "Failed to generate RR wire format: %m"); | |
1213 | ||
1214 | r = json_variant_append_arrayb( | |
1215 | &janswer, | |
1216 | JSON_BUILD_OBJECT( | |
1217 | JSON_BUILD_PAIR_CONDITION(v, "rr", JSON_BUILD_VARIANT(v)), | |
1218 | JSON_BUILD_PAIR("raw", JSON_BUILD_BASE64(rri->rr->wire_format, rri->rr->wire_format_size)), | |
1219 | JSON_BUILD_PAIR_CONDITION(rri->ifindex > 0, "ifindex", JSON_BUILD_INTEGER(rri->ifindex)))); | |
1220 | if (r < 0) | |
1221 | return log_debug_errno(r, "Failed to append notification entry to array: %m"); | |
1222 | } | |
1223 | ||
1224 | SET_FOREACH(connection, m->varlink_subscription) { | |
1225 | r = varlink_notifyb(connection, | |
1226 | JSON_BUILD_OBJECT(JSON_BUILD_PAIR("state", JSON_BUILD_STRING(dns_transaction_state_to_string(q->state))), | |
1227 | JSON_BUILD_PAIR_CONDITION(q->state == DNS_TRANSACTION_DNSSEC_FAILED, | |
1228 | "result", JSON_BUILD_STRING(dnssec_result_to_string(q->answer_dnssec_result))), | |
1229 | JSON_BUILD_PAIR_CONDITION(q->state == DNS_TRANSACTION_RCODE_FAILURE, | |
1230 | "rcode", JSON_BUILD_INTEGER(q->answer_rcode)), | |
1231 | JSON_BUILD_PAIR_CONDITION(q->state == DNS_TRANSACTION_ERRNO, | |
1232 | "errno", JSON_BUILD_INTEGER(q->answer_errno)), | |
1233 | JSON_BUILD_PAIR_CONDITION(IN_SET(q->state, | |
1234 | DNS_TRANSACTION_DNSSEC_FAILED, | |
1235 | DNS_TRANSACTION_RCODE_FAILURE) && | |
1236 | q->answer_ede_rcode >= 0, | |
1237 | "extendedDNSErrorCode", JSON_BUILD_INTEGER(q->answer_ede_rcode)), | |
1238 | JSON_BUILD_PAIR_CONDITION(IN_SET(q->state, | |
1239 | DNS_TRANSACTION_DNSSEC_FAILED, | |
1240 | DNS_TRANSACTION_RCODE_FAILURE) && | |
1241 | q->answer_ede_rcode >= 0 && !isempty(q->answer_ede_msg), | |
1242 | "extendedDNSErrorMessage", JSON_BUILD_STRING(q->answer_ede_msg)), | |
1243 | JSON_BUILD_PAIR("question", JSON_BUILD_VARIANT(jquestion)), | |
1244 | JSON_BUILD_PAIR_CONDITION(jcollected_questions, | |
1245 | "collectedQuestions", JSON_BUILD_VARIANT(jcollected_questions)), | |
1246 | JSON_BUILD_PAIR_CONDITION(janswer, | |
1247 | "answer", JSON_BUILD_VARIANT(janswer)))); | |
1248 | if (r < 0) | |
1249 | log_debug_errno(r, "Failed to send monitor event, ignoring: %m"); | |
1250 | } | |
1251 | ||
1252 | return 0; | |
1253 | } | |
1254 | ||
1255 | int manager_send( | |
1256 | Manager *m, | |
1257 | int fd, | |
1258 | int ifindex, | |
1259 | int family, | |
1260 | const union in_addr_union *destination, | |
1261 | uint16_t port, | |
1262 | const union in_addr_union *source, | |
1263 | DnsPacket *p) { | |
1264 | ||
1265 | assert(m); | |
1266 | assert(fd >= 0); | |
1267 | assert(destination); | |
1268 | assert(port > 0); | |
1269 | assert(p); | |
1270 | ||
1271 | /* For mDNS, it is natural that the packet have truncated flag when we have many known answers. */ | |
1272 | bool truncated = DNS_PACKET_TC(p) && (p->protocol != DNS_PROTOCOL_MDNS || !p->more); | |
1273 | ||
1274 | log_debug("Sending %s%s packet with id %" PRIu16 " on interface %i/%s of size %zu.", | |
1275 | truncated ? "truncated (!) " : "", | |
1276 | DNS_PACKET_QR(p) ? "response" : "query", | |
1277 | DNS_PACKET_ID(p), | |
1278 | ifindex, af_to_name(family), | |
1279 | p->size); | |
1280 | ||
1281 | if (family == AF_INET) | |
1282 | return manager_ipv4_send(m, fd, ifindex, &destination->in, port, source ? &source->in : NULL, p); | |
1283 | if (family == AF_INET6) | |
1284 | return manager_ipv6_send(m, fd, ifindex, &destination->in6, port, source ? &source->in6 : NULL, p); | |
1285 | ||
1286 | return -EAFNOSUPPORT; | |
1287 | } | |
1288 | ||
1289 | uint32_t manager_find_mtu(Manager *m) { | |
1290 | uint32_t mtu = 0; | |
1291 | Link *l; | |
1292 | ||
1293 | /* If we don't know on which link a DNS packet would be delivered, let's find the largest MTU that | |
1294 | * works on all interfaces we know of that have an IP address associated */ | |
1295 | ||
1296 | HASHMAP_FOREACH(l, m->links) { | |
1297 | /* Let's filter out links without IP addresses (e.g. AF_CAN links and suchlike) */ | |
1298 | if (!l->addresses) | |
1299 | continue; | |
1300 | ||
1301 | /* Safety check: MTU shorter than what we need for the absolutely shortest DNS request? Then | |
1302 | * let's ignore this link. */ | |
1303 | if (l->mtu < MIN(UDP4_PACKET_HEADER_SIZE + DNS_PACKET_HEADER_SIZE, | |
1304 | UDP6_PACKET_HEADER_SIZE + DNS_PACKET_HEADER_SIZE)) | |
1305 | continue; | |
1306 | ||
1307 | if (mtu <= 0 || l->mtu < mtu) | |
1308 | mtu = l->mtu; | |
1309 | } | |
1310 | ||
1311 | if (mtu == 0) /* found nothing? then let's assume the typical Ethernet MTU for lack of anything more precise */ | |
1312 | return 1500; | |
1313 | ||
1314 | return mtu; | |
1315 | } | |
1316 | ||
1317 | int manager_find_ifindex(Manager *m, int family, const union in_addr_union *in_addr) { | |
1318 | LinkAddress *a; | |
1319 | ||
1320 | assert(m); | |
1321 | ||
1322 | if (!IN_SET(family, AF_INET, AF_INET6)) | |
1323 | return 0; | |
1324 | ||
1325 | if (!in_addr) | |
1326 | return 0; | |
1327 | ||
1328 | a = manager_find_link_address(m, family, in_addr); | |
1329 | if (a) | |
1330 | return a->link->ifindex; | |
1331 | ||
1332 | return 0; | |
1333 | } | |
1334 | ||
1335 | void manager_refresh_rrs(Manager *m) { | |
1336 | Link *l; | |
1337 | DnssdService *s; | |
1338 | ||
1339 | assert(m); | |
1340 | ||
1341 | m->llmnr_host_ipv4_key = dns_resource_key_unref(m->llmnr_host_ipv4_key); | |
1342 | m->llmnr_host_ipv6_key = dns_resource_key_unref(m->llmnr_host_ipv6_key); | |
1343 | m->mdns_host_ipv4_key = dns_resource_key_unref(m->mdns_host_ipv4_key); | |
1344 | m->mdns_host_ipv6_key = dns_resource_key_unref(m->mdns_host_ipv6_key); | |
1345 | ||
1346 | HASHMAP_FOREACH(l, m->links) | |
1347 | link_add_rrs(l, true); | |
1348 | ||
1349 | if (m->mdns_support == RESOLVE_SUPPORT_YES) | |
1350 | HASHMAP_FOREACH(s, m->dnssd_services) | |
1351 | if (dnssd_update_rrs(s) < 0) | |
1352 | log_warning("Failed to refresh DNS-SD service '%s'", s->id); | |
1353 | ||
1354 | HASHMAP_FOREACH(l, m->links) | |
1355 | link_add_rrs(l, false); | |
1356 | } | |
1357 | ||
1358 | static int manager_next_random_name(const char *old, char **ret_new) { | |
1359 | const char *p; | |
1360 | uint64_t u, a; | |
1361 | char *n; | |
1362 | ||
1363 | p = strchr(old, 0); | |
1364 | assert(p); | |
1365 | ||
1366 | while (p > old) { | |
1367 | if (!ascii_isdigit(p[-1])) | |
1368 | break; | |
1369 | ||
1370 | p--; | |
1371 | } | |
1372 | ||
1373 | if (*p == 0 || safe_atou64(p, &u) < 0 || u <= 0) | |
1374 | u = 1; | |
1375 | ||
1376 | /* Add a random number to the old value. This way we can avoid | |
1377 | * that two hosts pick the same hostname, win on IPv4 and lose | |
1378 | * on IPv6 (or vice versa), and pick the same hostname | |
1379 | * replacement hostname, ad infinitum. We still want the | |
1380 | * numbers to go up monotonically, hence we just add a random | |
1381 | * value 1..10 */ | |
1382 | ||
1383 | random_bytes(&a, sizeof(a)); | |
1384 | u += 1 + a % 10; | |
1385 | ||
1386 | if (asprintf(&n, "%.*s%" PRIu64, (int) (p - old), old, u) < 0) | |
1387 | return -ENOMEM; | |
1388 | ||
1389 | *ret_new = n; | |
1390 | ||
1391 | return 0; | |
1392 | } | |
1393 | ||
1394 | int manager_next_hostname(Manager *m) { | |
1395 | _cleanup_free_ char *h = NULL, *k = NULL; | |
1396 | int r; | |
1397 | ||
1398 | assert(m); | |
1399 | ||
1400 | r = manager_next_random_name(m->llmnr_hostname, &h); | |
1401 | if (r < 0) | |
1402 | return r; | |
1403 | ||
1404 | r = dns_name_concat(h, "local", 0, &k); | |
1405 | if (r < 0) | |
1406 | return r; | |
1407 | ||
1408 | log_info("Hostname conflict, changing published hostname from '%s' to '%s'.", m->llmnr_hostname, h); | |
1409 | ||
1410 | free_and_replace(m->llmnr_hostname, h); | |
1411 | free_and_replace(m->mdns_hostname, k); | |
1412 | ||
1413 | manager_refresh_rrs(m); | |
1414 | (void) manager_send_changed(m, "LLMNRHostname"); | |
1415 | ||
1416 | return 0; | |
1417 | } | |
1418 | ||
1419 | LinkAddress* manager_find_link_address(Manager *m, int family, const union in_addr_union *in_addr) { | |
1420 | Link *l; | |
1421 | ||
1422 | assert(m); | |
1423 | ||
1424 | if (!IN_SET(family, AF_INET, AF_INET6)) | |
1425 | return NULL; | |
1426 | ||
1427 | if (!in_addr) | |
1428 | return NULL; | |
1429 | ||
1430 | HASHMAP_FOREACH(l, m->links) { | |
1431 | LinkAddress *a; | |
1432 | ||
1433 | a = link_find_address(l, family, in_addr); | |
1434 | if (a) | |
1435 | return a; | |
1436 | } | |
1437 | ||
1438 | return NULL; | |
1439 | } | |
1440 | ||
1441 | bool manager_packet_from_local_address(Manager *m, DnsPacket *p) { | |
1442 | assert(m); | |
1443 | assert(p); | |
1444 | ||
1445 | /* Let's see if this packet comes from an IP address we have on any local interface */ | |
1446 | ||
1447 | return !!manager_find_link_address(m, p->family, &p->sender); | |
1448 | } | |
1449 | ||
1450 | bool manager_packet_from_our_transaction(Manager *m, DnsPacket *p) { | |
1451 | DnsTransaction *t; | |
1452 | ||
1453 | assert(m); | |
1454 | assert(p); | |
1455 | ||
1456 | /* Let's see if we have a transaction with a query message with the exact same binary contents as the | |
1457 | * one we just got. If so, it's almost definitely a packet loop of some kind. */ | |
1458 | ||
1459 | t = hashmap_get(m->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p))); | |
1460 | if (!t) | |
1461 | return false; | |
1462 | ||
1463 | return t->sent && dns_packet_equal(t->sent, p); | |
1464 | } | |
1465 | ||
1466 | DnsScope* manager_find_scope(Manager *m, DnsPacket *p) { | |
1467 | Link *l; | |
1468 | ||
1469 | assert(m); | |
1470 | assert(p); | |
1471 | ||
1472 | l = hashmap_get(m->links, INT_TO_PTR(p->ifindex)); | |
1473 | if (!l) | |
1474 | return NULL; | |
1475 | ||
1476 | switch (p->protocol) { | |
1477 | case DNS_PROTOCOL_LLMNR: | |
1478 | if (p->family == AF_INET) | |
1479 | return l->llmnr_ipv4_scope; | |
1480 | else if (p->family == AF_INET6) | |
1481 | return l->llmnr_ipv6_scope; | |
1482 | ||
1483 | break; | |
1484 | ||
1485 | case DNS_PROTOCOL_MDNS: | |
1486 | if (p->family == AF_INET) | |
1487 | return l->mdns_ipv4_scope; | |
1488 | else if (p->family == AF_INET6) | |
1489 | return l->mdns_ipv6_scope; | |
1490 | ||
1491 | break; | |
1492 | ||
1493 | default: | |
1494 | break; | |
1495 | } | |
1496 | ||
1497 | return NULL; | |
1498 | } | |
1499 | ||
1500 | void manager_verify_all(Manager *m) { | |
1501 | assert(m); | |
1502 | ||
1503 | LIST_FOREACH(scopes, s, m->dns_scopes) | |
1504 | dns_zone_verify_all(&s->zone); | |
1505 | } | |
1506 | ||
1507 | int manager_is_own_hostname(Manager *m, const char *name) { | |
1508 | int r; | |
1509 | ||
1510 | assert(m); | |
1511 | assert(name); | |
1512 | ||
1513 | if (m->llmnr_hostname) { | |
1514 | r = dns_name_equal(name, m->llmnr_hostname); | |
1515 | if (r != 0) | |
1516 | return r; | |
1517 | } | |
1518 | ||
1519 | if (m->mdns_hostname) { | |
1520 | r = dns_name_equal(name, m->mdns_hostname); | |
1521 | if (r != 0) | |
1522 | return r; | |
1523 | } | |
1524 | ||
1525 | if (m->full_hostname) | |
1526 | return dns_name_equal(name, m->full_hostname); | |
1527 | ||
1528 | return 0; | |
1529 | } | |
1530 | ||
1531 | int manager_compile_dns_servers(Manager *m, OrderedSet **dns) { | |
1532 | Link *l; | |
1533 | int r; | |
1534 | ||
1535 | assert(m); | |
1536 | assert(dns); | |
1537 | ||
1538 | r = ordered_set_ensure_allocated(dns, &dns_server_hash_ops); | |
1539 | if (r < 0) | |
1540 | return r; | |
1541 | ||
1542 | /* First add the system-wide servers and domains */ | |
1543 | LIST_FOREACH(servers, s, m->dns_servers) { | |
1544 | r = ordered_set_put(*dns, s); | |
1545 | if (r == -EEXIST) | |
1546 | continue; | |
1547 | if (r < 0) | |
1548 | return r; | |
1549 | } | |
1550 | ||
1551 | /* Then, add the per-link servers */ | |
1552 | HASHMAP_FOREACH(l, m->links) { | |
1553 | LIST_FOREACH(servers, s, l->dns_servers) { | |
1554 | r = ordered_set_put(*dns, s); | |
1555 | if (r == -EEXIST) | |
1556 | continue; | |
1557 | if (r < 0) | |
1558 | return r; | |
1559 | } | |
1560 | } | |
1561 | ||
1562 | /* If we found nothing, add the fallback servers */ | |
1563 | if (ordered_set_isempty(*dns)) { | |
1564 | LIST_FOREACH(servers, s, m->fallback_dns_servers) { | |
1565 | r = ordered_set_put(*dns, s); | |
1566 | if (r == -EEXIST) | |
1567 | continue; | |
1568 | if (r < 0) | |
1569 | return r; | |
1570 | } | |
1571 | } | |
1572 | ||
1573 | return 0; | |
1574 | } | |
1575 | ||
1576 | /* filter_route is a tri-state: | |
1577 | * < 0: no filtering | |
1578 | * = 0 or false: return only domains which should be used for searching | |
1579 | * > 0 or true: return only domains which are for routing only | |
1580 | */ | |
1581 | int manager_compile_search_domains(Manager *m, OrderedSet **domains, int filter_route) { | |
1582 | Link *l; | |
1583 | int r; | |
1584 | ||
1585 | assert(m); | |
1586 | assert(domains); | |
1587 | ||
1588 | r = ordered_set_ensure_allocated(domains, &dns_name_hash_ops); | |
1589 | if (r < 0) | |
1590 | return r; | |
1591 | ||
1592 | LIST_FOREACH(domains, d, m->search_domains) { | |
1593 | ||
1594 | if (filter_route >= 0 && | |
1595 | d->route_only != !!filter_route) | |
1596 | continue; | |
1597 | ||
1598 | r = ordered_set_put(*domains, d->name); | |
1599 | if (r == -EEXIST) | |
1600 | continue; | |
1601 | if (r < 0) | |
1602 | return r; | |
1603 | } | |
1604 | ||
1605 | HASHMAP_FOREACH(l, m->links) { | |
1606 | ||
1607 | LIST_FOREACH(domains, d, l->search_domains) { | |
1608 | ||
1609 | if (filter_route >= 0 && | |
1610 | d->route_only != !!filter_route) | |
1611 | continue; | |
1612 | ||
1613 | r = ordered_set_put(*domains, d->name); | |
1614 | if (r == -EEXIST) | |
1615 | continue; | |
1616 | if (r < 0) | |
1617 | return r; | |
1618 | } | |
1619 | } | |
1620 | ||
1621 | return 0; | |
1622 | } | |
1623 | ||
1624 | DnssecMode manager_get_dnssec_mode(Manager *m) { | |
1625 | assert(m); | |
1626 | ||
1627 | if (m->dnssec_mode != _DNSSEC_MODE_INVALID) | |
1628 | return m->dnssec_mode; | |
1629 | ||
1630 | return DNSSEC_NO; | |
1631 | } | |
1632 | ||
1633 | bool manager_dnssec_supported(Manager *m) { | |
1634 | DnsServer *server; | |
1635 | Link *l; | |
1636 | ||
1637 | assert(m); | |
1638 | ||
1639 | if (manager_get_dnssec_mode(m) == DNSSEC_NO) | |
1640 | return false; | |
1641 | ||
1642 | server = manager_get_dns_server(m); | |
1643 | if (server && !dns_server_dnssec_supported(server)) | |
1644 | return false; | |
1645 | ||
1646 | HASHMAP_FOREACH(l, m->links) | |
1647 | if (!link_dnssec_supported(l)) | |
1648 | return false; | |
1649 | ||
1650 | return true; | |
1651 | } | |
1652 | ||
1653 | DnsOverTlsMode manager_get_dns_over_tls_mode(Manager *m) { | |
1654 | assert(m); | |
1655 | ||
1656 | if (m->dns_over_tls_mode != _DNS_OVER_TLS_MODE_INVALID) | |
1657 | return m->dns_over_tls_mode; | |
1658 | ||
1659 | return DNS_OVER_TLS_NO; | |
1660 | } | |
1661 | ||
1662 | void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) { | |
1663 | ||
1664 | assert(verdict >= 0); | |
1665 | assert(verdict < _DNSSEC_VERDICT_MAX); | |
1666 | ||
1667 | if (DEBUG_LOGGING) { | |
1668 | char s[DNS_RESOURCE_KEY_STRING_MAX]; | |
1669 | ||
1670 | log_debug("Found verdict for lookup %s: %s", | |
1671 | dns_resource_key_to_string(key, s, sizeof s), | |
1672 | dnssec_verdict_to_string(verdict)); | |
1673 | } | |
1674 | ||
1675 | m->n_dnssec_verdict[verdict]++; | |
1676 | } | |
1677 | ||
1678 | bool manager_routable(Manager *m) { | |
1679 | Link *l; | |
1680 | ||
1681 | assert(m); | |
1682 | ||
1683 | /* Returns true if the host has at least one interface with a routable address (regardless if IPv4 or IPv6) */ | |
1684 | ||
1685 | HASHMAP_FOREACH(l, m->links) | |
1686 | if (link_relevant(l, AF_UNSPEC, false)) | |
1687 | return true; | |
1688 | ||
1689 | return false; | |
1690 | } | |
1691 | ||
1692 | void manager_flush_caches(Manager *m, int log_level) { | |
1693 | assert(m); | |
1694 | ||
1695 | LIST_FOREACH(scopes, scope, m->dns_scopes) | |
1696 | dns_cache_flush(&scope->cache); | |
1697 | ||
1698 | log_full(log_level, "Flushed all caches."); | |
1699 | } | |
1700 | ||
1701 | void manager_reset_server_features(Manager *m) { | |
1702 | Link *l; | |
1703 | ||
1704 | dns_server_reset_features_all(m->dns_servers); | |
1705 | dns_server_reset_features_all(m->fallback_dns_servers); | |
1706 | ||
1707 | HASHMAP_FOREACH(l, m->links) | |
1708 | dns_server_reset_features_all(l->dns_servers); | |
1709 | ||
1710 | log_info("Resetting learnt feature levels on all servers."); | |
1711 | } | |
1712 | ||
1713 | void manager_cleanup_saved_user(Manager *m) { | |
1714 | _cleanup_closedir_ DIR *d = NULL; | |
1715 | ||
1716 | assert(m); | |
1717 | ||
1718 | /* Clean up all saved per-link files in /run/systemd/resolve/netif/ that don't have a matching interface | |
1719 | * anymore. These files are created to persist settings pushed in by the user via the bus, so that resolved can | |
1720 | * be restarted without losing this data. */ | |
1721 | ||
1722 | d = opendir("/run/systemd/resolve/netif/"); | |
1723 | if (!d) { | |
1724 | if (errno == ENOENT) | |
1725 | return; | |
1726 | ||
1727 | log_warning_errno(errno, "Failed to open interface directory: %m"); | |
1728 | return; | |
1729 | } | |
1730 | ||
1731 | FOREACH_DIRENT_ALL(de, d, log_error_errno(errno, "Failed to read interface directory: %m")) { | |
1732 | _cleanup_free_ char *p = NULL; | |
1733 | int ifindex; | |
1734 | Link *l; | |
1735 | ||
1736 | if (!IN_SET(de->d_type, DT_UNKNOWN, DT_REG)) | |
1737 | continue; | |
1738 | ||
1739 | if (dot_or_dot_dot(de->d_name)) | |
1740 | continue; | |
1741 | ||
1742 | ifindex = parse_ifindex(de->d_name); | |
1743 | if (ifindex < 0) /* Probably some temporary file from a previous run. Delete it */ | |
1744 | goto rm; | |
1745 | ||
1746 | l = hashmap_get(m->links, INT_TO_PTR(ifindex)); | |
1747 | if (!l) /* link vanished */ | |
1748 | goto rm; | |
1749 | ||
1750 | if (l->is_managed) /* now managed by networkd, hence the bus settings are useless */ | |
1751 | goto rm; | |
1752 | ||
1753 | continue; | |
1754 | ||
1755 | rm: | |
1756 | p = path_join("/run/systemd/resolve/netif", de->d_name); | |
1757 | if (!p) { | |
1758 | log_oom(); | |
1759 | return; | |
1760 | } | |
1761 | ||
1762 | (void) unlink(p); | |
1763 | } | |
1764 | } | |
1765 | ||
1766 | bool manager_next_dnssd_names(Manager *m) { | |
1767 | DnssdService *s; | |
1768 | bool tried = false; | |
1769 | int r; | |
1770 | ||
1771 | assert(m); | |
1772 | ||
1773 | HASHMAP_FOREACH(s, m->dnssd_services) { | |
1774 | _cleanup_free_ char * new_name = NULL; | |
1775 | ||
1776 | if (!s->withdrawn) | |
1777 | continue; | |
1778 | ||
1779 | r = manager_next_random_name(s->name_template, &new_name); | |
1780 | if (r < 0) { | |
1781 | log_warning_errno(r, "Failed to get new name for service '%s': %m", s->id); | |
1782 | continue; | |
1783 | } | |
1784 | ||
1785 | free_and_replace(s->name_template, new_name); | |
1786 | ||
1787 | s->withdrawn = false; | |
1788 | ||
1789 | tried = true; | |
1790 | } | |
1791 | ||
1792 | if (tried) | |
1793 | manager_refresh_rrs(m); | |
1794 | ||
1795 | return tried; | |
1796 | } | |
1797 | ||
1798 | bool manager_server_is_stub(Manager *m, DnsServer *s) { | |
1799 | DnsStubListenerExtra *l; | |
1800 | ||
1801 | assert(m); | |
1802 | assert(s); | |
1803 | ||
1804 | /* Safety check: we generally already skip the main stub when parsing configuration. But let's be | |
1805 | * extra careful, and check here again */ | |
1806 | if (s->family == AF_INET && | |
1807 | s->address.in.s_addr == htobe32(INADDR_DNS_STUB) && | |
1808 | dns_server_port(s) == 53) | |
1809 | return true; | |
1810 | ||
1811 | /* Main reason to call this is to check server data against the extra listeners, and filter things | |
1812 | * out. */ | |
1813 | ORDERED_SET_FOREACH(l, m->dns_extra_stub_listeners) | |
1814 | if (s->family == l->family && | |
1815 | in_addr_equal(s->family, &s->address, &l->address) && | |
1816 | dns_server_port(s) == dns_stub_listener_extra_port(l)) | |
1817 | return true; | |
1818 | ||
1819 | return false; | |
1820 | } | |
1821 | ||
1822 | int socket_disable_pmtud(int fd, int af) { | |
1823 | int r; | |
1824 | ||
1825 | assert(fd >= 0); | |
1826 | ||
1827 | if (af == AF_UNSPEC) { | |
1828 | af = socket_get_family(fd); | |
1829 | if (af < 0) | |
1830 | return af; | |
1831 | } | |
1832 | ||
1833 | switch (af) { | |
1834 | ||
1835 | case AF_INET: { | |
1836 | /* Turn off path MTU discovery, let's rather fragment on the way than to open us up against | |
1837 | * PMTU forgery vulnerabilities. | |
1838 | * | |
1839 | * There appears to be no documentation about IP_PMTUDISC_OMIT, but it has the effect that | |
1840 | * the "Don't Fragment" bit in the IPv4 header is turned off, thus enforcing fragmentation if | |
1841 | * our datagram size exceeds the MTU of a router in the path, and turning off path MTU | |
1842 | * discovery. | |
1843 | * | |
1844 | * This helps mitigating the PMTUD vulnerability described here: | |
1845 | * | |
1846 | * https://blog.apnic.net/2019/07/12/its-time-to-consider-avoiding-ip-fragmentation-in-the-dns/ | |
1847 | * | |
1848 | * Similar logic is in place in most DNS servers. | |
1849 | * | |
1850 | * There are multiple conflicting goals: we want to allow the largest datagrams possible (for | |
1851 | * efficiency reasons), but not have fragmentation (for security reasons), nor use PMTUD (for | |
1852 | * security reasons, too). Our strategy to deal with this is: use large packets, turn off | |
1853 | * PMTUD, but watch fragmentation taking place, and then size our packets to the max of the | |
1854 | * fragments seen — and if we need larger packets always go to TCP. | |
1855 | */ | |
1856 | ||
1857 | r = setsockopt_int(fd, IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_OMIT); | |
1858 | if (r < 0) | |
1859 | return r; | |
1860 | ||
1861 | return 0; | |
1862 | } | |
1863 | ||
1864 | case AF_INET6: { | |
1865 | /* On IPv6 fragmentation only is done by the sender — never by routers on the path. PMTUD is | |
1866 | * mandatory. If we want to turn off PMTUD, the only way is by sending with minimal MTU only, | |
1867 | * so that we apply maximum fragmentation locally already, and thus PMTUD doesn't happen | |
1868 | * because there's nothing that could be fragmented further anymore. */ | |
1869 | ||
1870 | r = setsockopt_int(fd, IPPROTO_IPV6, IPV6_MTU, IPV6_MIN_MTU); | |
1871 | if (r < 0) | |
1872 | return r; | |
1873 | ||
1874 | return 0; | |
1875 | } | |
1876 | ||
1877 | default: | |
1878 | return -EAFNOSUPPORT; | |
1879 | } | |
1880 | } | |
1881 | ||
1882 | int dns_manager_dump_statistics_json(Manager *m, JsonVariant **ret) { | |
1883 | uint64_t size = 0, hit = 0, miss = 0; | |
1884 | ||
1885 | assert(m); | |
1886 | assert(ret); | |
1887 | ||
1888 | LIST_FOREACH(scopes, s, m->dns_scopes) { | |
1889 | size += dns_cache_size(&s->cache); | |
1890 | hit += s->cache.n_hit; | |
1891 | miss += s->cache.n_miss; | |
1892 | } | |
1893 | ||
1894 | return json_build(ret, | |
1895 | JSON_BUILD_OBJECT( | |
1896 | JSON_BUILD_PAIR("transactions", JSON_BUILD_OBJECT( | |
1897 | JSON_BUILD_PAIR_UNSIGNED("currentTransactions", hashmap_size(m->dns_transactions)), | |
1898 | JSON_BUILD_PAIR_UNSIGNED("totalTransactions", m->n_transactions_total), | |
1899 | JSON_BUILD_PAIR_UNSIGNED("totalTimeouts", m->n_timeouts_total), | |
1900 | JSON_BUILD_PAIR_UNSIGNED("totalTimeoutsServedStale", m->n_timeouts_served_stale_total), | |
1901 | JSON_BUILD_PAIR_UNSIGNED("totalFailedResponses", m->n_failure_responses_total), | |
1902 | JSON_BUILD_PAIR_UNSIGNED("totalFailedResponsesServedStale", m->n_failure_responses_served_stale_total) | |
1903 | )), | |
1904 | JSON_BUILD_PAIR("cache", JSON_BUILD_OBJECT( | |
1905 | JSON_BUILD_PAIR_UNSIGNED("size", size), | |
1906 | JSON_BUILD_PAIR_UNSIGNED("hits", hit), | |
1907 | JSON_BUILD_PAIR_UNSIGNED("misses", miss) | |
1908 | )), | |
1909 | JSON_BUILD_PAIR("dnssec", JSON_BUILD_OBJECT( | |
1910 | JSON_BUILD_PAIR_UNSIGNED("secure", m->n_dnssec_verdict[DNSSEC_SECURE]), | |
1911 | JSON_BUILD_PAIR_UNSIGNED("insecure", m->n_dnssec_verdict[DNSSEC_INSECURE]), | |
1912 | JSON_BUILD_PAIR_UNSIGNED("bogus", m->n_dnssec_verdict[DNSSEC_BOGUS]), | |
1913 | JSON_BUILD_PAIR_UNSIGNED("indeterminate", m->n_dnssec_verdict[DNSSEC_INDETERMINATE]) | |
1914 | )))); | |
1915 | } | |
1916 | ||
1917 | void dns_manager_reset_statistics(Manager *m) { | |
1918 | ||
1919 | assert(m); | |
1920 | ||
1921 | LIST_FOREACH(scopes, s, m->dns_scopes) | |
1922 | s->cache.n_hit = s->cache.n_miss = 0; | |
1923 | ||
1924 | m->n_transactions_total = 0; | |
1925 | m->n_timeouts_total = 0; | |
1926 | m->n_timeouts_served_stale_total = 0; | |
1927 | m->n_failure_responses_total = 0; | |
1928 | m->n_failure_responses_served_stale_total = 0; | |
1929 | zero(m->n_dnssec_verdict); | |
1930 | } |