]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2267 from gdamjan/dont-drop-critical
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <netinet/tcp.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "fd-util.h"
28 #include "hostname-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "resolved-mdns.h"
34 #include "socket-util.h"
35 #include "strv.h"
36
37 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
38 #define MULTICAST_RATELIMIT_BURST 1000
39
40 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
41 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
42 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
43
44 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
45 DnsScope *s;
46
47 assert(m);
48 assert(ret);
49
50 s = new0(DnsScope, 1);
51 if (!s)
52 return -ENOMEM;
53
54 s->manager = m;
55 s->link = l;
56 s->protocol = protocol;
57 s->family = family;
58 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
59
60 s->dnssec_mode = _DNSSEC_MODE_INVALID;
61
62 if (protocol == DNS_PROTOCOL_DNS) {
63 /* Copy DNSSEC mode from the link if it is set there,
64 * otherwise take the manager's DNSSEC mode. Note that
65 * we copy this only at scope creation time, and do
66 * not update it from the on, even if the setting
67 * changes. */
68
69 if (l)
70 s->dnssec_mode = link_get_dnssec_mode(l);
71 else
72 s->dnssec_mode = manager_get_dnssec_mode(m);
73 }
74
75 LIST_PREPEND(scopes, m->dns_scopes, s);
76
77 dns_scope_llmnr_membership(s, true);
78 dns_scope_mdns_membership(s, true);
79
80 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
81
82 /* Enforce ratelimiting for the multicast protocols */
83 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
84
85 *ret = s;
86 return 0;
87 }
88
89 static void dns_scope_abort_transactions(DnsScope *s) {
90 assert(s);
91
92 while (s->transactions) {
93 DnsTransaction *t = s->transactions;
94
95 /* Abort the transaction, but make sure it is not
96 * freed while we still look at it */
97
98 t->block_gc++;
99 if (DNS_TRANSACTION_IS_LIVE(t->state))
100 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
101 t->block_gc--;
102
103 dns_transaction_free(t);
104 }
105 }
106
107 DnsScope* dns_scope_free(DnsScope *s) {
108 DnsResourceRecord *rr;
109
110 if (!s)
111 return NULL;
112
113 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
114
115 dns_scope_llmnr_membership(s, false);
116 dns_scope_mdns_membership(s, false);
117 dns_scope_abort_transactions(s);
118
119 while (s->query_candidates)
120 dns_query_candidate_free(s->query_candidates);
121
122 hashmap_free(s->transactions_by_key);
123
124 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
125 dns_resource_record_unref(rr);
126
127 ordered_hashmap_free(s->conflict_queue);
128 sd_event_source_unref(s->conflict_event_source);
129
130 dns_cache_flush(&s->cache);
131 dns_zone_flush(&s->zone);
132
133 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
134 free(s);
135
136 return NULL;
137 }
138
139 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
140 assert(s);
141
142 if (s->protocol != DNS_PROTOCOL_DNS)
143 return NULL;
144
145 if (s->link)
146 return link_get_dns_server(s->link);
147 else
148 return manager_get_dns_server(s->manager);
149 }
150
151 void dns_scope_next_dns_server(DnsScope *s) {
152 assert(s);
153
154 if (s->protocol != DNS_PROTOCOL_DNS)
155 return;
156
157 if (s->link)
158 link_next_dns_server(s->link);
159 else
160 manager_next_dns_server(s->manager);
161 }
162
163 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
164 assert(s);
165
166 if (rtt <= s->max_rtt)
167 return;
168
169 s->max_rtt = rtt;
170 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
171 }
172
173 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
174 assert(s);
175
176 if (s->resend_timeout <= usec)
177 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
178 }
179
180 static int dns_scope_emit_one(DnsScope *s, int fd, DnsPacket *p) {
181 union in_addr_union addr;
182 int ifindex = 0, r;
183 int family;
184 uint32_t mtu;
185
186 assert(s);
187 assert(p);
188 assert(p->protocol == s->protocol);
189
190 if (s->link) {
191 mtu = s->link->mtu;
192 ifindex = s->link->ifindex;
193 } else
194 mtu = manager_find_mtu(s->manager);
195
196 switch (s->protocol) {
197
198 case DNS_PROTOCOL_DNS:
199 assert(fd >= 0);
200
201 if (DNS_PACKET_QDCOUNT(p) > 1)
202 return -EOPNOTSUPP;
203
204 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
205 return -EMSGSIZE;
206
207 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
208 return -EMSGSIZE;
209
210 r = manager_write(s->manager, fd, p);
211 if (r < 0)
212 return r;
213
214 break;
215
216 case DNS_PROTOCOL_LLMNR:
217 assert(fd < 0);
218
219 if (DNS_PACKET_QDCOUNT(p) > 1)
220 return -EOPNOTSUPP;
221
222 if (!ratelimit_test(&s->ratelimit))
223 return -EBUSY;
224
225 family = s->family;
226
227 if (family == AF_INET) {
228 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
229 fd = manager_llmnr_ipv4_udp_fd(s->manager);
230 } else if (family == AF_INET6) {
231 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
232 fd = manager_llmnr_ipv6_udp_fd(s->manager);
233 } else
234 return -EAFNOSUPPORT;
235 if (fd < 0)
236 return fd;
237
238 r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
239 if (r < 0)
240 return r;
241
242 break;
243
244 case DNS_PROTOCOL_MDNS:
245 assert(fd < 0);
246
247 if (!ratelimit_test(&s->ratelimit))
248 return -EBUSY;
249
250 family = s->family;
251
252 if (family == AF_INET) {
253 addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
254 fd = manager_mdns_ipv4_fd(s->manager);
255 } else if (family == AF_INET6) {
256 addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
257 fd = manager_mdns_ipv6_fd(s->manager);
258 } else
259 return -EAFNOSUPPORT;
260 if (fd < 0)
261 return fd;
262
263 r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
264 if (r < 0)
265 return r;
266
267 break;
268
269 default:
270 return -EAFNOSUPPORT;
271 }
272
273 return 1;
274 }
275
276 int dns_scope_emit_udp(DnsScope *s, int fd, DnsPacket *p) {
277 int r;
278
279 assert(s);
280 assert(p);
281 assert(p->protocol == s->protocol);
282 assert((s->protocol == DNS_PROTOCOL_DNS) == (fd >= 0));
283
284 do {
285 /* If there are multiple linked packets, set the TC bit in all but the last of them */
286 if (p->more) {
287 assert(p->protocol == DNS_PROTOCOL_MDNS);
288 dns_packet_set_flags(p, true, true);
289 }
290
291 r = dns_scope_emit_one(s, fd, p);
292 if (r < 0)
293 return r;
294
295 p = p->more;
296 } while (p);
297
298 return 0;
299 }
300
301 static int dns_scope_socket(
302 DnsScope *s,
303 int type,
304 int family,
305 const union in_addr_union *address,
306 DnsServer *server,
307 uint16_t port) {
308
309 _cleanup_close_ int fd = -1;
310 union sockaddr_union sa = {};
311 socklen_t salen;
312 static const int one = 1;
313 int ret, r;
314
315 assert(s);
316
317 if (server) {
318 assert(family == AF_UNSPEC);
319 assert(!address);
320
321 sa.sa.sa_family = server->family;
322 if (server->family == AF_INET) {
323 sa.in.sin_port = htobe16(port);
324 sa.in.sin_addr = server->address.in;
325 salen = sizeof(sa.in);
326 } else if (server->family == AF_INET6) {
327 sa.in6.sin6_port = htobe16(port);
328 sa.in6.sin6_addr = server->address.in6;
329 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
330 salen = sizeof(sa.in6);
331 } else
332 return -EAFNOSUPPORT;
333 } else {
334 assert(family != AF_UNSPEC);
335 assert(address);
336
337 sa.sa.sa_family = family;
338
339 if (family == AF_INET) {
340 sa.in.sin_port = htobe16(port);
341 sa.in.sin_addr = address->in;
342 salen = sizeof(sa.in);
343 } else if (family == AF_INET6) {
344 sa.in6.sin6_port = htobe16(port);
345 sa.in6.sin6_addr = address->in6;
346 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
347 salen = sizeof(sa.in6);
348 } else
349 return -EAFNOSUPPORT;
350 }
351
352 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
353 if (fd < 0)
354 return -errno;
355
356 if (type == SOCK_STREAM) {
357 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
358 if (r < 0)
359 return -errno;
360 }
361
362 if (s->link) {
363 uint32_t ifindex = htobe32(s->link->ifindex);
364
365 if (sa.sa.sa_family == AF_INET) {
366 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
367 if (r < 0)
368 return -errno;
369 } else if (sa.sa.sa_family == AF_INET6) {
370 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
371 if (r < 0)
372 return -errno;
373 }
374 }
375
376 if (s->protocol == DNS_PROTOCOL_LLMNR) {
377 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
378
379 if (sa.sa.sa_family == AF_INET) {
380 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
381 if (r < 0)
382 return -errno;
383 } else if (sa.sa.sa_family == AF_INET6) {
384 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
385 if (r < 0)
386 return -errno;
387 }
388 }
389
390 r = connect(fd, &sa.sa, salen);
391 if (r < 0 && errno != EINPROGRESS)
392 return -errno;
393
394 ret = fd;
395 fd = -1;
396
397 return ret;
398 }
399
400 int dns_scope_socket_udp(DnsScope *s, DnsServer *server, uint16_t port) {
401 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, server, port);
402 }
403
404 int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port) {
405 return dns_scope_socket(s, SOCK_STREAM, family, address, server, port);
406 }
407
408 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
409 DnsSearchDomain *d;
410
411 assert(s);
412 assert(domain);
413
414 /* Checks if the specified domain is something to look up on
415 * this scope. Note that this accepts non-qualified hostnames,
416 * i.e. those without any search path prefixed yet. */
417
418 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
419 return DNS_SCOPE_NO;
420
421 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
422 return DNS_SCOPE_NO;
423
424 /* Never resolve any loopback hostname or IP address via DNS,
425 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
426 * these. */
427 if (is_localhost(domain) ||
428 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
429 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
430 return DNS_SCOPE_NO;
431
432 /* Never respond to some of the domains listed in RFC6303 */
433 if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
434 dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
435 dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
436 return DNS_SCOPE_NO;
437
438 /* Never respond to some of the domains listed in RFC6761 */
439 if (dns_name_endswith(domain, "invalid") > 0)
440 return DNS_SCOPE_NO;
441
442 /* Always honour search domains for routing queries. Note that
443 * we return DNS_SCOPE_YES here, rather than just
444 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
445 * considered anymore. */
446 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
447 if (dns_name_endswith(domain, d->name) > 0)
448 return DNS_SCOPE_YES;
449
450 switch (s->protocol) {
451
452 case DNS_PROTOCOL_DNS:
453
454 /* Exclude link-local IP ranges */
455 if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
456 dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
457 dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
458 dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
459 dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
460 /* If networks use .local in their private setups, they are supposed to also add .local to their search
461 * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
462 * send such queries ordinary DNS servers. */
463 dns_name_endswith(domain, "local") == 0)
464 return DNS_SCOPE_MAYBE;
465
466 return DNS_SCOPE_NO;
467
468 case DNS_PROTOCOL_MDNS:
469 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
470 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
471 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
472 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
473 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
474 return DNS_SCOPE_MAYBE;
475
476 return DNS_SCOPE_NO;
477
478 case DNS_PROTOCOL_LLMNR:
479 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
480 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
481 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
482 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
483 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
484 return DNS_SCOPE_MAYBE;
485
486 return DNS_SCOPE_NO;
487
488 default:
489 assert_not_reached("Unknown scope protocol");
490 }
491 }
492
493 int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
494 assert(s);
495 assert(key);
496
497 /* Check if it makes sense to resolve the specified key on
498 * this scope. Note that this call assumes as fully qualified
499 * name, i.e. the search suffixes already appended. */
500
501 if (s->protocol == DNS_PROTOCOL_DNS) {
502
503 /* On classic DNS, looking up non-address RRs is always
504 * fine. (Specifically, we want to permit looking up
505 * DNSKEY and DS records on the root and top-level
506 * domains.) */
507 if (!dns_resource_key_is_address(key))
508 return true;
509
510 /* However, we refuse to look up A and AAAA RRs on the
511 * root and single-label domains, under the assumption
512 * that those should be resolved via LLMNR or search
513 * path only, and should not be leaked onto the
514 * internet. */
515 return !(dns_name_is_single_label(DNS_RESOURCE_KEY_NAME(key)) ||
516 dns_name_is_root(DNS_RESOURCE_KEY_NAME(key)));
517 }
518
519 /* On mDNS and LLMNR, send A and AAAA queries only on the
520 * respective scopes */
521
522 if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
523 return false;
524
525 if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
526 return false;
527
528 return true;
529 }
530
531 static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
532 int fd;
533
534 assert(s);
535 assert(s->link);
536
537 if (s->family == AF_INET) {
538 struct ip_mreqn mreqn = {
539 .imr_multiaddr = in,
540 .imr_ifindex = s->link->ifindex,
541 };
542
543 fd = manager_llmnr_ipv4_udp_fd(s->manager);
544 if (fd < 0)
545 return fd;
546
547 /* Always first try to drop membership before we add
548 * one. This is necessary on some devices, such as
549 * veth. */
550 if (b)
551 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
552
553 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
554 return -errno;
555
556 } else if (s->family == AF_INET6) {
557 struct ipv6_mreq mreq = {
558 .ipv6mr_multiaddr = in6,
559 .ipv6mr_interface = s->link->ifindex,
560 };
561
562 fd = manager_llmnr_ipv6_udp_fd(s->manager);
563 if (fd < 0)
564 return fd;
565
566 if (b)
567 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
568
569 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
570 return -errno;
571 } else
572 return -EAFNOSUPPORT;
573
574 return 0;
575 }
576
577 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
578
579 if (s->protocol != DNS_PROTOCOL_LLMNR)
580 return 0;
581
582 return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
583 }
584
585 int dns_scope_mdns_membership(DnsScope *s, bool b) {
586
587 if (s->protocol != DNS_PROTOCOL_MDNS)
588 return 0;
589
590 return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
591 }
592
593 static int dns_scope_make_reply_packet(
594 DnsScope *s,
595 uint16_t id,
596 int rcode,
597 DnsQuestion *q,
598 DnsAnswer *answer,
599 DnsAnswer *soa,
600 bool tentative,
601 DnsPacket **ret) {
602
603 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
604 unsigned i;
605 int r;
606
607 assert(s);
608 assert(ret);
609
610 if ((!q || q->n_keys <= 0)
611 && (!answer || answer->n_rrs <= 0)
612 && (!soa || soa->n_rrs <= 0))
613 return -EINVAL;
614
615 r = dns_packet_new(&p, s->protocol, 0);
616 if (r < 0)
617 return r;
618
619 DNS_PACKET_HEADER(p)->id = id;
620 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
621 1 /* qr */,
622 0 /* opcode */,
623 0 /* c */,
624 0 /* tc */,
625 tentative,
626 0 /* (ra) */,
627 0 /* (ad) */,
628 0 /* (cd) */,
629 rcode));
630
631 if (q) {
632 for (i = 0; i < q->n_keys; i++) {
633 r = dns_packet_append_key(p, q->keys[i], NULL);
634 if (r < 0)
635 return r;
636 }
637
638 DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
639 }
640
641 if (answer) {
642 for (i = 0; i < answer->n_rrs; i++) {
643 r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
644 if (r < 0)
645 return r;
646 }
647
648 DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
649 }
650
651 if (soa) {
652 for (i = 0; i < soa->n_rrs; i++) {
653 r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
654 if (r < 0)
655 return r;
656 }
657
658 DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
659 }
660
661 *ret = p;
662 p = NULL;
663
664 return 0;
665 }
666
667 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
668 unsigned n;
669
670 assert(s);
671 assert(p);
672
673 if (p->question)
674 for (n = 0; n < p->question->n_keys; n++)
675 dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
676 if (p->answer)
677 for (n = 0; n < p->answer->n_rrs; n++)
678 dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
679 }
680
681 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
682 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
683 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
684 DnsResourceKey *key = NULL;
685 bool tentative = false;
686 int r, fd;
687
688 assert(s);
689 assert(p);
690
691 if (p->protocol != DNS_PROTOCOL_LLMNR)
692 return;
693
694 if (p->ipproto == IPPROTO_UDP) {
695 /* Don't accept UDP queries directed to anything but
696 * the LLMNR multicast addresses. See RFC 4795,
697 * section 2.5. */
698
699 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
700 return;
701
702 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
703 return;
704 }
705
706 r = dns_packet_extract(p);
707 if (r < 0) {
708 log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
709 return;
710 }
711
712 if (DNS_PACKET_LLMNR_C(p)) {
713 /* Somebody notified us about a possible conflict */
714 dns_scope_verify_conflicts(s, p);
715 return;
716 }
717
718 assert(p->question->n_keys == 1);
719 key = p->question->keys[0];
720
721 r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative);
722 if (r < 0) {
723 log_debug_errno(r, "Failed to lookup key: %m");
724 return;
725 }
726 if (r == 0)
727 return;
728
729 if (answer)
730 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
731
732 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
733 if (r < 0) {
734 log_debug_errno(r, "Failed to build reply packet: %m");
735 return;
736 }
737
738 if (stream)
739 r = dns_stream_write_packet(stream, reply);
740 else {
741 if (!ratelimit_test(&s->ratelimit))
742 return;
743
744 if (p->family == AF_INET)
745 fd = manager_llmnr_ipv4_udp_fd(s->manager);
746 else if (p->family == AF_INET6)
747 fd = manager_llmnr_ipv6_udp_fd(s->manager);
748 else {
749 log_debug("Unknown protocol");
750 return;
751 }
752 if (fd < 0) {
753 log_debug_errno(fd, "Failed to get reply socket: %m");
754 return;
755 }
756
757 /* Note that we always immediately reply to all LLMNR
758 * requests, and do not wait any time, since we
759 * verified uniqueness for all records. Also see RFC
760 * 4795, Section 2.7 */
761
762 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
763 }
764
765 if (r < 0) {
766 log_debug_errno(r, "Failed to send reply packet: %m");
767 return;
768 }
769 }
770
771 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
772 DnsTransaction *t;
773
774 assert(scope);
775 assert(key);
776
777 /* Try to find an ongoing transaction that is a equal to the
778 * specified question */
779 t = hashmap_get(scope->transactions_by_key, key);
780 if (!t)
781 return NULL;
782
783 /* Refuse reusing transactions that completed based on cached
784 * data instead of a real packet, if that's requested. */
785 if (!cache_ok &&
786 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_RCODE_FAILURE) &&
787 t->answer_source != DNS_TRANSACTION_NETWORK)
788 return NULL;
789
790 return t;
791 }
792
793 static int dns_scope_make_conflict_packet(
794 DnsScope *s,
795 DnsResourceRecord *rr,
796 DnsPacket **ret) {
797
798 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
799 int r;
800
801 assert(s);
802 assert(rr);
803 assert(ret);
804
805 r = dns_packet_new(&p, s->protocol, 0);
806 if (r < 0)
807 return r;
808
809 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
810 0 /* qr */,
811 0 /* opcode */,
812 1 /* conflict */,
813 0 /* tc */,
814 0 /* t */,
815 0 /* (ra) */,
816 0 /* (ad) */,
817 0 /* (cd) */,
818 0));
819
820 /* For mDNS, the transaction ID should always be 0 */
821 if (s->protocol != DNS_PROTOCOL_MDNS)
822 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
823
824 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
825 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
826
827 r = dns_packet_append_key(p, rr->key, NULL);
828 if (r < 0)
829 return r;
830
831 r = dns_packet_append_rr(p, rr, NULL, NULL);
832 if (r < 0)
833 return r;
834
835 *ret = p;
836 p = NULL;
837
838 return 0;
839 }
840
841 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
842 DnsScope *scope = userdata;
843 int r;
844
845 assert(es);
846 assert(scope);
847
848 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
849
850 for (;;) {
851 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
852 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
853
854 rr = ordered_hashmap_steal_first(scope->conflict_queue);
855 if (!rr)
856 break;
857
858 r = dns_scope_make_conflict_packet(scope, rr, &p);
859 if (r < 0) {
860 log_error_errno(r, "Failed to make conflict packet: %m");
861 return 0;
862 }
863
864 r = dns_scope_emit_udp(scope, -1, p);
865 if (r < 0)
866 log_debug_errno(r, "Failed to send conflict packet: %m");
867 }
868
869 return 0;
870 }
871
872 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
873 usec_t jitter;
874 int r;
875
876 assert(scope);
877 assert(rr);
878
879 /* We don't send these queries immediately. Instead, we queue
880 * them, and send them after some jitter delay. */
881 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
882 if (r < 0) {
883 log_oom();
884 return r;
885 }
886
887 /* We only place one RR per key in the conflict
888 * messages, not all of them. That should be enough to
889 * indicate where there might be a conflict */
890 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
891 if (r == -EEXIST || r == 0)
892 return 0;
893 if (r < 0)
894 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
895
896 dns_resource_record_ref(rr);
897
898 if (scope->conflict_event_source)
899 return 0;
900
901 random_bytes(&jitter, sizeof(jitter));
902 jitter %= LLMNR_JITTER_INTERVAL_USEC;
903
904 r = sd_event_add_time(scope->manager->event,
905 &scope->conflict_event_source,
906 clock_boottime_or_monotonic(),
907 now(clock_boottime_or_monotonic()) + jitter,
908 LLMNR_JITTER_INTERVAL_USEC,
909 on_conflict_dispatch, scope);
910 if (r < 0)
911 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
912
913 (void) sd_event_source_set_description(scope->conflict_event_source, "scope-conflict");
914
915 return 0;
916 }
917
918 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
919 unsigned i;
920 int r;
921
922 assert(scope);
923 assert(p);
924
925 if (p->protocol != DNS_PROTOCOL_LLMNR)
926 return;
927
928 if (DNS_PACKET_RRCOUNT(p) <= 0)
929 return;
930
931 if (DNS_PACKET_LLMNR_C(p) != 0)
932 return;
933
934 if (DNS_PACKET_LLMNR_T(p) != 0)
935 return;
936
937 if (manager_our_packet(scope->manager, p))
938 return;
939
940 r = dns_packet_extract(p);
941 if (r < 0) {
942 log_debug_errno(r, "Failed to extract packet: %m");
943 return;
944 }
945
946 log_debug("Checking for conflicts...");
947
948 for (i = 0; i < p->answer->n_rrs; i++) {
949
950 /* Check for conflicts against the local zone. If we
951 * found one, we won't check any further */
952 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
953 if (r != 0)
954 continue;
955
956 /* Check for conflicts against the local cache. If so,
957 * send out an advisory query, to inform everybody */
958 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
959 if (r <= 0)
960 continue;
961
962 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
963 }
964 }
965
966 void dns_scope_dump(DnsScope *s, FILE *f) {
967 assert(s);
968
969 if (!f)
970 f = stdout;
971
972 fputs("[Scope protocol=", f);
973 fputs(dns_protocol_to_string(s->protocol), f);
974
975 if (s->link) {
976 fputs(" interface=", f);
977 fputs(s->link->name, f);
978 }
979
980 if (s->family != AF_UNSPEC) {
981 fputs(" family=", f);
982 fputs(af_to_name(s->family), f);
983 }
984
985 fputs("]\n", f);
986
987 if (!dns_zone_is_empty(&s->zone)) {
988 fputs("ZONE:\n", f);
989 dns_zone_dump(&s->zone, f);
990 }
991
992 if (!dns_cache_is_empty(&s->cache)) {
993 fputs("CACHE:\n", f);
994 dns_cache_dump(&s->cache, f);
995 }
996 }
997
998 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
999 assert(s);
1000
1001 if (s->protocol != DNS_PROTOCOL_DNS)
1002 return NULL;
1003
1004 if (s->link)
1005 return s->link->search_domains;
1006
1007 return s->manager->search_domains;
1008 }
1009
1010 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
1011 assert(s);
1012
1013 if (s->protocol != DNS_PROTOCOL_DNS)
1014 return false;
1015
1016 return dns_name_is_single_label(name);
1017 }
Unnamed repository; edit this file 'description' to name the repository.