]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:


91353a63c6bc97001251c20ff31454d7a8ef703a
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <netinet/tcp.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "fd-util.h"
28 #include "hostname-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "socket-util.h"
34 #include "strv.h"
35
36 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
37 #define MULTICAST_RATELIMIT_BURST 1000
38
39 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
40 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
41 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
42
43 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
44 DnsScope *s;
45
46 assert(m);
47 assert(ret);
48
49 s = new0(DnsScope, 1);
50 if (!s)
51 return -ENOMEM;
52
53 s->manager = m;
54 s->link = l;
55 s->protocol = protocol;
56 s->family = family;
57 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
58
59 LIST_PREPEND(scopes, m->dns_scopes, s);
60
61 dns_scope_llmnr_membership(s, true);
62
63 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
64
65 /* Enforce ratelimiting for the multicast protocols */
66 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
67
68 *ret = s;
69 return 0;
70 }
71
72 static void dns_scope_abort_transactions(DnsScope *s) {
73 assert(s);
74
75 while (s->transactions) {
76 DnsTransaction *t = s->transactions;
77
78 /* Abort the transaction, but make sure it is not
79 * freed while we still look at it */
80
81 t->block_gc++;
82 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
83 t->block_gc--;
84
85 dns_transaction_free(t);
86 }
87 }
88
89 DnsScope* dns_scope_free(DnsScope *s) {
90 DnsResourceRecord *rr;
91
92 if (!s)
93 return NULL;
94
95 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
96
97 dns_scope_llmnr_membership(s, false);
98 dns_scope_abort_transactions(s);
99
100 while (s->query_candidates)
101 dns_query_candidate_free(s->query_candidates);
102
103 hashmap_free(s->transactions_by_key);
104
105 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
106 dns_resource_record_unref(rr);
107
108 ordered_hashmap_free(s->conflict_queue);
109 sd_event_source_unref(s->conflict_event_source);
110
111 dns_cache_flush(&s->cache);
112 dns_zone_flush(&s->zone);
113
114 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
115 free(s);
116
117 return NULL;
118 }
119
120 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
121 assert(s);
122
123 if (s->protocol != DNS_PROTOCOL_DNS)
124 return NULL;
125
126 if (s->link)
127 return link_get_dns_server(s->link);
128 else
129 return manager_get_dns_server(s->manager);
130 }
131
132 void dns_scope_next_dns_server(DnsScope *s) {
133 assert(s);
134
135 if (s->protocol != DNS_PROTOCOL_DNS)
136 return;
137
138 if (s->link)
139 link_next_dns_server(s->link);
140 else
141 manager_next_dns_server(s->manager);
142 }
143
144 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
145 assert(s);
146
147 if (rtt <= s->max_rtt)
148 return;
149
150 s->max_rtt = rtt;
151 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
152 }
153
154 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
155 assert(s);
156
157 if (s->resend_timeout <= usec)
158 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
159 }
160
161 int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
162 union in_addr_union addr;
163 int ifindex = 0, r;
164 int family;
165 uint16_t port;
166 uint32_t mtu;
167 size_t saved_size = 0;
168
169 assert(s);
170 assert(p);
171 assert(p->protocol == s->protocol);
172 assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
173
174 if (s->link) {
175 mtu = s->link->mtu;
176 ifindex = s->link->ifindex;
177 } else
178 mtu = manager_find_mtu(s->manager);
179
180 switch (s->protocol) {
181 case DNS_PROTOCOL_DNS:
182 assert(server);
183
184 if (DNS_PACKET_QDCOUNT(p) > 1)
185 return -EOPNOTSUPP;
186
187 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
188 bool edns_do;
189 size_t packet_size;
190
191 edns_do = server->possible_features >= DNS_SERVER_FEATURE_LEVEL_DO;
192
193 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_LARGE)
194 packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
195 else
196 packet_size = server->received_udp_packet_max;
197
198 r = dns_packet_append_opt_rr(p, packet_size, edns_do, &saved_size);
199 if (r < 0)
200 return r;
201
202 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) + 1);
203 }
204
205 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
206 return -EMSGSIZE;
207
208 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
209 return -EMSGSIZE;
210
211 r = manager_write(s->manager, fd, p);
212 if (r < 0)
213 return r;
214
215 if (saved_size > 0) {
216 dns_packet_truncate(p, saved_size);
217
218 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) - 1);
219 }
220
221 break;
222
223 case DNS_PROTOCOL_LLMNR:
224 if (DNS_PACKET_QDCOUNT(p) > 1)
225 return -EOPNOTSUPP;
226
227 if (!ratelimit_test(&s->ratelimit))
228 return -EBUSY;
229
230 family = s->family;
231 port = LLMNR_PORT;
232
233 if (family == AF_INET) {
234 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
235 fd = manager_llmnr_ipv4_udp_fd(s->manager);
236 } else if (family == AF_INET6) {
237 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
238 fd = manager_llmnr_ipv6_udp_fd(s->manager);
239 } else
240 return -EAFNOSUPPORT;
241 if (fd < 0)
242 return fd;
243
244 r = manager_send(s->manager, fd, ifindex, family, &addr, port, p);
245 if (r < 0)
246 return r;
247
248 break;
249
250 default:
251 return -EAFNOSUPPORT;
252 }
253
254 return 1;
255 }
256
257 static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
258 DnsServer *srv = NULL;
259 _cleanup_close_ int fd = -1;
260 union sockaddr_union sa = {};
261 socklen_t salen;
262 static const int one = 1;
263 int ret, r;
264
265 assert(s);
266 assert((family == AF_UNSPEC) == !address);
267
268 if (family == AF_UNSPEC) {
269 srv = dns_scope_get_dns_server(s);
270 if (!srv)
271 return -ESRCH;
272
273 srv->possible_features = dns_server_possible_features(srv);
274
275 if (type == SOCK_DGRAM && srv->possible_features < DNS_SERVER_FEATURE_LEVEL_UDP)
276 return -EAGAIN;
277
278 sa.sa.sa_family = srv->family;
279 if (srv->family == AF_INET) {
280 sa.in.sin_port = htobe16(port);
281 sa.in.sin_addr = srv->address.in;
282 salen = sizeof(sa.in);
283 } else if (srv->family == AF_INET6) {
284 sa.in6.sin6_port = htobe16(port);
285 sa.in6.sin6_addr = srv->address.in6;
286 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
287 salen = sizeof(sa.in6);
288 } else
289 return -EAFNOSUPPORT;
290 } else {
291 sa.sa.sa_family = family;
292
293 if (family == AF_INET) {
294 sa.in.sin_port = htobe16(port);
295 sa.in.sin_addr = address->in;
296 salen = sizeof(sa.in);
297 } else if (family == AF_INET6) {
298 sa.in6.sin6_port = htobe16(port);
299 sa.in6.sin6_addr = address->in6;
300 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
301 salen = sizeof(sa.in6);
302 } else
303 return -EAFNOSUPPORT;
304 }
305
306 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
307 if (fd < 0)
308 return -errno;
309
310 if (type == SOCK_STREAM) {
311 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
312 if (r < 0)
313 return -errno;
314 }
315
316 if (s->link) {
317 uint32_t ifindex = htobe32(s->link->ifindex);
318
319 if (sa.sa.sa_family == AF_INET) {
320 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
321 if (r < 0)
322 return -errno;
323 } else if (sa.sa.sa_family == AF_INET6) {
324 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
325 if (r < 0)
326 return -errno;
327 }
328 }
329
330 if (s->protocol == DNS_PROTOCOL_LLMNR) {
331 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
332
333 if (sa.sa.sa_family == AF_INET) {
334 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
335 if (r < 0)
336 return -errno;
337 } else if (sa.sa.sa_family == AF_INET6) {
338 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
339 if (r < 0)
340 return -errno;
341 }
342 }
343
344 r = connect(fd, &sa.sa, salen);
345 if (r < 0 && errno != EINPROGRESS)
346 return -errno;
347
348 if (server)
349 *server = srv;
350
351 ret = fd;
352 fd = -1;
353
354 return ret;
355 }
356
357 int dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
358 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, 53, server);
359 }
360
361 int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
362 return dns_scope_socket(s, SOCK_STREAM, family, address, port, server);
363 }
364
365 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
366 DnsSearchDomain *d;
367
368 assert(s);
369 assert(domain);
370
371 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
372 return DNS_SCOPE_NO;
373
374 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
375 return DNS_SCOPE_NO;
376
377 if (dns_name_is_root(domain))
378 return DNS_SCOPE_NO;
379
380 /* Never resolve any loopback hostname or IP address via DNS,
381 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
382 * these. */
383 if (is_localhost(domain) ||
384 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
385 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
386 return DNS_SCOPE_NO;
387
388 /* Never respond to some of the domains listed in RFC6303 */
389 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
390 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
391 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
392 return DNS_SCOPE_NO;
393
394 /* Always honour search domains for routing queries. Note that
395 * we return DNS_SCOPE_YES here, rather than just
396 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
397 * considered anymore. */
398 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
399 if (dns_name_endswith(domain, d->name) > 0)
400 return DNS_SCOPE_YES;
401
402 switch (s->protocol) {
403
404 case DNS_PROTOCOL_DNS:
405
406 if ((!dns_name_is_single_label(domain) ||
407 (!(flags & SD_RESOLVED_NO_SEARCH) && dns_scope_has_search_domains(s))) &&
408 dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
409 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
410 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
411 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
412 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0)
413 return DNS_SCOPE_MAYBE;
414
415 return DNS_SCOPE_NO;
416
417 case DNS_PROTOCOL_MDNS:
418 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
419 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
420 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
421 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
422 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
423 return DNS_SCOPE_MAYBE;
424
425 return DNS_SCOPE_NO;
426
427 case DNS_PROTOCOL_LLMNR:
428 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
429 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
430 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
431 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
432 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
433 return DNS_SCOPE_MAYBE;
434
435 return DNS_SCOPE_NO;
436
437 default:
438 assert_not_reached("Unknown scope protocol");
439 }
440 }
441
442 int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
443 assert(s);
444 assert(key);
445
446 if (s->protocol == DNS_PROTOCOL_DNS)
447 return true;
448
449 /* On mDNS and LLMNR, send A and AAAA queries only on the
450 * respective scopes */
451
452 if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
453 return false;
454
455 if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
456 return false;
457
458 return true;
459 }
460
461 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
462 int fd;
463
464 assert(s);
465
466 if (s->protocol != DNS_PROTOCOL_LLMNR)
467 return 0;
468
469 assert(s->link);
470
471 if (s->family == AF_INET) {
472 struct ip_mreqn mreqn = {
473 .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS,
474 .imr_ifindex = s->link->ifindex,
475 };
476
477 fd = manager_llmnr_ipv4_udp_fd(s->manager);
478 if (fd < 0)
479 return fd;
480
481 /* Always first try to drop membership before we add
482 * one. This is necessary on some devices, such as
483 * veth. */
484 if (b)
485 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
486
487 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
488 return -errno;
489
490 } else if (s->family == AF_INET6) {
491 struct ipv6_mreq mreq = {
492 .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS,
493 .ipv6mr_interface = s->link->ifindex,
494 };
495
496 fd = manager_llmnr_ipv6_udp_fd(s->manager);
497 if (fd < 0)
498 return fd;
499
500 if (b)
501 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
502
503 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
504 return -errno;
505 } else
506 return -EAFNOSUPPORT;
507
508 return 0;
509 }
510
511 static int dns_scope_make_reply_packet(
512 DnsScope *s,
513 uint16_t id,
514 int rcode,
515 DnsQuestion *q,
516 DnsAnswer *answer,
517 DnsAnswer *soa,
518 bool tentative,
519 DnsPacket **ret) {
520
521 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
522 unsigned i;
523 int r;
524
525 assert(s);
526 assert(ret);
527
528 if ((!q || q->n_keys <= 0)
529 && (!answer || answer->n_rrs <= 0)
530 && (!soa || soa->n_rrs <= 0))
531 return -EINVAL;
532
533 r = dns_packet_new(&p, s->protocol, 0);
534 if (r < 0)
535 return r;
536
537 DNS_PACKET_HEADER(p)->id = id;
538 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
539 1 /* qr */,
540 0 /* opcode */,
541 0 /* c */,
542 0 /* tc */,
543 tentative,
544 0 /* (ra) */,
545 0 /* (ad) */,
546 0 /* (cd) */,
547 rcode));
548
549 if (q) {
550 for (i = 0; i < q->n_keys; i++) {
551 r = dns_packet_append_key(p, q->keys[i], NULL);
552 if (r < 0)
553 return r;
554 }
555
556 DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
557 }
558
559 if (answer) {
560 for (i = 0; i < answer->n_rrs; i++) {
561 r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
562 if (r < 0)
563 return r;
564 }
565
566 DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
567 }
568
569 if (soa) {
570 for (i = 0; i < soa->n_rrs; i++) {
571 r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
572 if (r < 0)
573 return r;
574 }
575
576 DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
577 }
578
579 *ret = p;
580 p = NULL;
581
582 return 0;
583 }
584
585 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
586 unsigned n;
587
588 assert(s);
589 assert(p);
590
591 if (p->question)
592 for (n = 0; n < p->question->n_keys; n++)
593 dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
594 if (p->answer)
595 for (n = 0; n < p->answer->n_rrs; n++)
596 dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
597 }
598
599 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
600 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
601 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
602 DnsResourceKey *key = NULL;
603 bool tentative = false;
604 int r, fd;
605
606 assert(s);
607 assert(p);
608
609 if (p->protocol != DNS_PROTOCOL_LLMNR)
610 return;
611
612 if (p->ipproto == IPPROTO_UDP) {
613 /* Don't accept UDP queries directed to anything but
614 * the LLMNR multicast addresses. See RFC 4795,
615 * section 2.5. */
616
617 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
618 return;
619
620 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
621 return;
622 }
623
624 r = dns_packet_extract(p);
625 if (r < 0) {
626 log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
627 return;
628 }
629
630 if (DNS_PACKET_LLMNR_C(p)) {
631 /* Somebody notified us about a possible conflict */
632 dns_scope_verify_conflicts(s, p);
633 return;
634 }
635
636 assert(p->question->n_keys == 1);
637 key = p->question->keys[0];
638
639 r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative);
640 if (r < 0) {
641 log_debug_errno(r, "Failed to lookup key: %m");
642 return;
643 }
644 if (r == 0)
645 return;
646
647 if (answer)
648 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
649
650 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
651 if (r < 0) {
652 log_debug_errno(r, "Failed to build reply packet: %m");
653 return;
654 }
655
656 if (stream)
657 r = dns_stream_write_packet(stream, reply);
658 else {
659 if (!ratelimit_test(&s->ratelimit))
660 return;
661
662 if (p->family == AF_INET)
663 fd = manager_llmnr_ipv4_udp_fd(s->manager);
664 else if (p->family == AF_INET6)
665 fd = manager_llmnr_ipv6_udp_fd(s->manager);
666 else {
667 log_debug("Unknown protocol");
668 return;
669 }
670 if (fd < 0) {
671 log_debug_errno(fd, "Failed to get reply socket: %m");
672 return;
673 }
674
675 /* Note that we always immediately reply to all LLMNR
676 * requests, and do not wait any time, since we
677 * verified uniqueness for all records. Also see RFC
678 * 4795, Section 2.7 */
679
680 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
681 }
682
683 if (r < 0) {
684 log_debug_errno(r, "Failed to send reply packet: %m");
685 return;
686 }
687 }
688
689 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
690 DnsTransaction *t;
691
692 assert(scope);
693 assert(key);
694
695 /* Try to find an ongoing transaction that is a equal to the
696 * specified question */
697 t = hashmap_get(scope->transactions_by_key, key);
698 if (!t)
699 return NULL;
700
701 /* Refuse reusing transactions that completed based on cached
702 * data instead of a real packet, if that's requested. */
703 if (!cache_ok &&
704 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) &&
705 t->answer_source != DNS_TRANSACTION_NETWORK)
706 return NULL;
707
708 return t;
709 }
710
711 static int dns_scope_make_conflict_packet(
712 DnsScope *s,
713 DnsResourceRecord *rr,
714 DnsPacket **ret) {
715
716 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
717 int r;
718
719 assert(s);
720 assert(rr);
721 assert(ret);
722
723 r = dns_packet_new(&p, s->protocol, 0);
724 if (r < 0)
725 return r;
726
727 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
728 0 /* qr */,
729 0 /* opcode */,
730 1 /* conflict */,
731 0 /* tc */,
732 0 /* t */,
733 0 /* (ra) */,
734 0 /* (ad) */,
735 0 /* (cd) */,
736 0));
737 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
738 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
739 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
740
741 r = dns_packet_append_key(p, rr->key, NULL);
742 if (r < 0)
743 return r;
744
745 r = dns_packet_append_rr(p, rr, NULL, NULL);
746 if (r < 0)
747 return r;
748
749 *ret = p;
750 p = NULL;
751
752 return 0;
753 }
754
755 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
756 DnsScope *scope = userdata;
757 int r;
758
759 assert(es);
760 assert(scope);
761
762 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
763
764 for (;;) {
765 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
766 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
767
768 rr = ordered_hashmap_steal_first(scope->conflict_queue);
769 if (!rr)
770 break;
771
772 r = dns_scope_make_conflict_packet(scope, rr, &p);
773 if (r < 0) {
774 log_error_errno(r, "Failed to make conflict packet: %m");
775 return 0;
776 }
777
778 r = dns_scope_emit(scope, -1, NULL, p);
779 if (r < 0)
780 log_debug_errno(r, "Failed to send conflict packet: %m");
781 }
782
783 return 0;
784 }
785
786 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
787 usec_t jitter;
788 int r;
789
790 assert(scope);
791 assert(rr);
792
793 /* We don't send these queries immediately. Instead, we queue
794 * them, and send them after some jitter delay. */
795 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
796 if (r < 0) {
797 log_oom();
798 return r;
799 }
800
801 /* We only place one RR per key in the conflict
802 * messages, not all of them. That should be enough to
803 * indicate where there might be a conflict */
804 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
805 if (r == -EEXIST || r == 0)
806 return 0;
807 if (r < 0)
808 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
809
810 dns_resource_record_ref(rr);
811
812 if (scope->conflict_event_source)
813 return 0;
814
815 random_bytes(&jitter, sizeof(jitter));
816 jitter %= LLMNR_JITTER_INTERVAL_USEC;
817
818 r = sd_event_add_time(scope->manager->event,
819 &scope->conflict_event_source,
820 clock_boottime_or_monotonic(),
821 now(clock_boottime_or_monotonic()) + jitter,
822 LLMNR_JITTER_INTERVAL_USEC,
823 on_conflict_dispatch, scope);
824 if (r < 0)
825 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
826
827 return 0;
828 }
829
830 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
831 unsigned i;
832 int r;
833
834 assert(scope);
835 assert(p);
836
837 if (p->protocol != DNS_PROTOCOL_LLMNR)
838 return;
839
840 if (DNS_PACKET_RRCOUNT(p) <= 0)
841 return;
842
843 if (DNS_PACKET_LLMNR_C(p) != 0)
844 return;
845
846 if (DNS_PACKET_LLMNR_T(p) != 0)
847 return;
848
849 if (manager_our_packet(scope->manager, p))
850 return;
851
852 r = dns_packet_extract(p);
853 if (r < 0) {
854 log_debug_errno(r, "Failed to extract packet: %m");
855 return;
856 }
857
858 log_debug("Checking for conflicts...");
859
860 for (i = 0; i < p->answer->n_rrs; i++) {
861
862 /* Check for conflicts against the local zone. If we
863 * found one, we won't check any further */
864 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
865 if (r != 0)
866 continue;
867
868 /* Check for conflicts against the local cache. If so,
869 * send out an advisory query, to inform everybody */
870 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
871 if (r <= 0)
872 continue;
873
874 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
875 }
876 }
877
878 void dns_scope_dump(DnsScope *s, FILE *f) {
879 assert(s);
880
881 if (!f)
882 f = stdout;
883
884 fputs("[Scope protocol=", f);
885 fputs(dns_protocol_to_string(s->protocol), f);
886
887 if (s->link) {
888 fputs(" interface=", f);
889 fputs(s->link->name, f);
890 }
891
892 if (s->family != AF_UNSPEC) {
893 fputs(" family=", f);
894 fputs(af_to_name(s->family), f);
895 }
896
897 fputs("]\n", f);
898
899 if (!dns_zone_is_empty(&s->zone)) {
900 fputs("ZONE:\n", f);
901 dns_zone_dump(&s->zone, f);
902 }
903
904 if (!dns_cache_is_empty(&s->cache)) {
905 fputs("CACHE:\n", f);
906 dns_cache_dump(&s->cache, f);
907 }
908 }
909
910 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
911 assert(s);
912
913 /* Returns the list of *local* search domains -- not the
914 * global ones. */
915
916 if (s->protocol != DNS_PROTOCOL_DNS)
917 return NULL;
918
919 if (s->link)
920 return s->link->search_domains;
921
922 return NULL;
923 }
924
925 bool dns_scope_has_search_domains(DnsScope *s) {
926 assert(s);
927
928 /* Tests if there are *any* search domains suitable for this
929 * scope. This means either local or global ones */
930
931 if (s->protocol != DNS_PROTOCOL_DNS)
932 return false;
933
934 if (s->manager->search_domains)
935 return true;
936
937 if (s->link && s->link->search_domains)
938 return true;
939
940 return false;
941 }
942
943 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
944 assert(s);
945
946 if (s->protocol != DNS_PROTOCOL_DNS)
947 return false;
948
949 return dns_name_is_single_label(name);
950 }
Unnamed repository; edit this file 'description' to name the repository.