]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-scope.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2043 from teg/resolved-edns0-5
[thirdparty/systemd.git] / src / resolve / resolved-dns-scope.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <netinet/tcp.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "fd-util.h"
28 #include "hostname-util.h"
29 #include "missing.h"
30 #include "random-util.h"
31 #include "resolved-dns-scope.h"
32 #include "resolved-llmnr.h"
33 #include "socket-util.h"
34 #include "strv.h"
35
36 #define MULTICAST_RATELIMIT_INTERVAL_USEC (1*USEC_PER_SEC)
37 #define MULTICAST_RATELIMIT_BURST 1000
38
39 /* After how much time to repeat LLMNR requests, see RFC 4795 Section 7 */
40 #define MULTICAST_RESEND_TIMEOUT_MIN_USEC (100 * USEC_PER_MSEC)
41 #define MULTICAST_RESEND_TIMEOUT_MAX_USEC (1 * USEC_PER_SEC)
42
43 int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int family) {
44 DnsScope *s;
45
46 assert(m);
47 assert(ret);
48
49 s = new0(DnsScope, 1);
50 if (!s)
51 return -ENOMEM;
52
53 s->manager = m;
54 s->link = l;
55 s->protocol = protocol;
56 s->family = family;
57 s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC;
58
59 LIST_PREPEND(scopes, m->dns_scopes, s);
60
61 dns_scope_llmnr_membership(s, true);
62
63 log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
64
65 /* Enforce ratelimiting for the multicast protocols */
66 RATELIMIT_INIT(s->ratelimit, MULTICAST_RATELIMIT_INTERVAL_USEC, MULTICAST_RATELIMIT_BURST);
67
68 *ret = s;
69 return 0;
70 }
71
72 static void dns_scope_abort_transactions(DnsScope *s) {
73 assert(s);
74
75 while (s->transactions) {
76 DnsTransaction *t = s->transactions;
77
78 /* Abort the transaction, but make sure it is not
79 * freed while we still look at it */
80
81 t->block_gc++;
82 dns_transaction_complete(t, DNS_TRANSACTION_ABORTED);
83 t->block_gc--;
84
85 dns_transaction_free(t);
86 }
87 }
88
89 DnsScope* dns_scope_free(DnsScope *s) {
90 DnsResourceRecord *rr;
91
92 if (!s)
93 return NULL;
94
95 log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
96
97 dns_scope_llmnr_membership(s, false);
98 dns_scope_abort_transactions(s);
99
100 while (s->query_candidates)
101 dns_query_candidate_free(s->query_candidates);
102
103 hashmap_free(s->transactions_by_key);
104
105 while ((rr = ordered_hashmap_steal_first(s->conflict_queue)))
106 dns_resource_record_unref(rr);
107
108 ordered_hashmap_free(s->conflict_queue);
109 sd_event_source_unref(s->conflict_event_source);
110
111 dns_cache_flush(&s->cache);
112 dns_zone_flush(&s->zone);
113
114 LIST_REMOVE(scopes, s->manager->dns_scopes, s);
115 free(s);
116
117 return NULL;
118 }
119
120 DnsServer *dns_scope_get_dns_server(DnsScope *s) {
121 assert(s);
122
123 if (s->protocol != DNS_PROTOCOL_DNS)
124 return NULL;
125
126 if (s->link)
127 return link_get_dns_server(s->link);
128 else
129 return manager_get_dns_server(s->manager);
130 }
131
132 void dns_scope_next_dns_server(DnsScope *s) {
133 assert(s);
134
135 if (s->protocol != DNS_PROTOCOL_DNS)
136 return;
137
138 if (s->link)
139 link_next_dns_server(s->link);
140 else
141 manager_next_dns_server(s->manager);
142 }
143
144 void dns_scope_packet_received(DnsScope *s, usec_t rtt) {
145 assert(s);
146
147 if (rtt <= s->max_rtt)
148 return;
149
150 s->max_rtt = rtt;
151 s->resend_timeout = MIN(MAX(MULTICAST_RESEND_TIMEOUT_MIN_USEC, s->max_rtt * 2), MULTICAST_RESEND_TIMEOUT_MAX_USEC);
152 }
153
154 void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
155 assert(s);
156
157 if (s->resend_timeout <= usec)
158 s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
159 }
160
161 int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
162 union in_addr_union addr;
163 int ifindex = 0, r;
164 int family;
165 uint16_t port;
166 uint32_t mtu;
167 size_t saved_size = 0;
168
169 assert(s);
170 assert(p);
171 assert(p->protocol == s->protocol);
172 assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
173
174 if (s->link) {
175 mtu = s->link->mtu;
176 ifindex = s->link->ifindex;
177 } else
178 mtu = manager_find_mtu(s->manager);
179
180 switch (s->protocol) {
181 case DNS_PROTOCOL_DNS:
182 assert(server);
183
184 if (DNS_PACKET_QDCOUNT(p) > 1)
185 return -EOPNOTSUPP;
186
187 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_EDNS0) {
188 bool edns_do;
189 size_t packet_size;
190
191 edns_do = server->possible_features >= DNS_SERVER_FEATURE_LEVEL_DO;
192
193 if (server->possible_features >= DNS_SERVER_FEATURE_LEVEL_LARGE)
194 packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
195 else
196 packet_size = server->received_udp_packet_max;
197
198 r = dns_packet_append_opt_rr(p, packet_size, edns_do, &saved_size);
199 if (r < 0)
200 return r;
201
202 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) + 1);
203 }
204
205 if (p->size > DNS_PACKET_UNICAST_SIZE_MAX)
206 return -EMSGSIZE;
207
208 if (p->size + UDP_PACKET_HEADER_SIZE > mtu)
209 return -EMSGSIZE;
210
211 r = manager_write(s->manager, fd, p);
212 if (r < 0)
213 return r;
214
215 if (saved_size > 0) {
216 dns_packet_truncate(p, saved_size);
217
218 DNS_PACKET_HEADER(p)->arcount = htobe16(be16toh(DNS_PACKET_HEADER(p)->arcount) - 1);
219 }
220
221 break;
222
223 case DNS_PROTOCOL_LLMNR:
224 if (DNS_PACKET_QDCOUNT(p) > 1)
225 return -EOPNOTSUPP;
226
227 if (!ratelimit_test(&s->ratelimit))
228 return -EBUSY;
229
230 family = s->family;
231 port = LLMNR_PORT;
232
233 if (family == AF_INET) {
234 addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
235 fd = manager_llmnr_ipv4_udp_fd(s->manager);
236 } else if (family == AF_INET6) {
237 addr.in6 = LLMNR_MULTICAST_IPV6_ADDRESS;
238 fd = manager_llmnr_ipv6_udp_fd(s->manager);
239 } else
240 return -EAFNOSUPPORT;
241 if (fd < 0)
242 return fd;
243
244 r = manager_send(s->manager, fd, ifindex, family, &addr, port, p);
245 if (r < 0)
246 return r;
247
248 break;
249
250 default:
251 return -EAFNOSUPPORT;
252 }
253
254 return 1;
255 }
256
257 static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
258 DnsServer *srv = NULL;
259 _cleanup_close_ int fd = -1;
260 union sockaddr_union sa = {};
261 socklen_t salen;
262 static const int one = 1;
263 int ret, r;
264
265 assert(s);
266 assert((family == AF_UNSPEC) == !address);
267
268 if (family == AF_UNSPEC) {
269 srv = dns_scope_get_dns_server(s);
270 if (!srv)
271 return -ESRCH;
272
273 srv->possible_features = dns_server_possible_features(srv);
274
275 if (type == SOCK_DGRAM && srv->possible_features < DNS_SERVER_FEATURE_LEVEL_UDP)
276 return -EAGAIN;
277
278 sa.sa.sa_family = srv->family;
279 if (srv->family == AF_INET) {
280 sa.in.sin_port = htobe16(port);
281 sa.in.sin_addr = srv->address.in;
282 salen = sizeof(sa.in);
283 } else if (srv->family == AF_INET6) {
284 sa.in6.sin6_port = htobe16(port);
285 sa.in6.sin6_addr = srv->address.in6;
286 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
287 salen = sizeof(sa.in6);
288 } else
289 return -EAFNOSUPPORT;
290 } else {
291 sa.sa.sa_family = family;
292
293 if (family == AF_INET) {
294 sa.in.sin_port = htobe16(port);
295 sa.in.sin_addr = address->in;
296 salen = sizeof(sa.in);
297 } else if (family == AF_INET6) {
298 sa.in6.sin6_port = htobe16(port);
299 sa.in6.sin6_addr = address->in6;
300 sa.in6.sin6_scope_id = s->link ? s->link->ifindex : 0;
301 salen = sizeof(sa.in6);
302 } else
303 return -EAFNOSUPPORT;
304 }
305
306 fd = socket(sa.sa.sa_family, type|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
307 if (fd < 0)
308 return -errno;
309
310 if (type == SOCK_STREAM) {
311 r = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one));
312 if (r < 0)
313 return -errno;
314 }
315
316 if (s->link) {
317 uint32_t ifindex = htobe32(s->link->ifindex);
318
319 if (sa.sa.sa_family == AF_INET) {
320 r = setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex, sizeof(ifindex));
321 if (r < 0)
322 return -errno;
323 } else if (sa.sa.sa_family == AF_INET6) {
324 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex, sizeof(ifindex));
325 if (r < 0)
326 return -errno;
327 }
328 }
329
330 if (s->protocol == DNS_PROTOCOL_LLMNR) {
331 /* RFC 4795, section 2.5 requires the TTL to be set to 1 */
332
333 if (sa.sa.sa_family == AF_INET) {
334 r = setsockopt(fd, IPPROTO_IP, IP_TTL, &one, sizeof(one));
335 if (r < 0)
336 return -errno;
337 } else if (sa.sa.sa_family == AF_INET6) {
338 r = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
339 if (r < 0)
340 return -errno;
341 }
342 }
343
344 r = connect(fd, &sa.sa, salen);
345 if (r < 0 && errno != EINPROGRESS)
346 return -errno;
347
348 if (server)
349 *server = srv;
350
351 ret = fd;
352 fd = -1;
353
354 return ret;
355 }
356
357 int dns_scope_udp_dns_socket(DnsScope *s, DnsServer **server) {
358 return dns_scope_socket(s, SOCK_DGRAM, AF_UNSPEC, NULL, 53, server);
359 }
360
361 int dns_scope_tcp_socket(DnsScope *s, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
362 return dns_scope_socket(s, SOCK_STREAM, family, address, port, server);
363 }
364
365 DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain) {
366 DnsSearchDomain *d;
367
368 assert(s);
369 assert(domain);
370
371 if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
372 return DNS_SCOPE_NO;
373
374 if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
375 return DNS_SCOPE_NO;
376
377 if (dns_name_is_root(domain))
378 return DNS_SCOPE_NO;
379
380 /* Never resolve any loopback hostname or IP address via DNS,
381 * LLMNR or mDNS. Instead, always rely on synthesized RRs for
382 * these. */
383 if (is_localhost(domain) ||
384 dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
385 dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
386 return DNS_SCOPE_NO;
387
388 /* Always honour search domains for routing queries. Note that
389 * we return DNS_SCOPE_YES here, rather than just
390 * DNS_SCOPE_MAYBE, which means wildcard scopes won't be
391 * considered anymore. */
392 LIST_FOREACH(domains, d, dns_scope_get_search_domains(s))
393 if (dns_name_endswith(domain, d->name) > 0)
394 return DNS_SCOPE_YES;
395
396 switch (s->protocol) {
397
398 case DNS_PROTOCOL_DNS:
399
400 if ((!dns_name_is_single_label(domain) ||
401 (!(flags & SD_RESOLVED_NO_SEARCH) && dns_scope_has_search_domains(s))) &&
402 dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
403 dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0)
404 return DNS_SCOPE_MAYBE;
405
406 return DNS_SCOPE_NO;
407
408 case DNS_PROTOCOL_MDNS:
409 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
410 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
411 (dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */
412 dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */
413 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via mDNS */
414 return DNS_SCOPE_MAYBE;
415
416 return DNS_SCOPE_NO;
417
418 case DNS_PROTOCOL_LLMNR:
419 if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) ||
420 (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0) ||
421 (dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
422 !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
423 manager_is_own_hostname(s->manager, domain) <= 0)) /* never resolve the local hostname via LLMNR */
424 return DNS_SCOPE_MAYBE;
425
426 return DNS_SCOPE_NO;
427
428 default:
429 assert_not_reached("Unknown scope protocol");
430 }
431 }
432
433 int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
434 assert(s);
435 assert(key);
436
437 if (s->protocol == DNS_PROTOCOL_DNS)
438 return true;
439
440 /* On mDNS and LLMNR, send A and AAAA queries only on the
441 * respective scopes */
442
443 if (s->family == AF_INET && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_AAAA)
444 return false;
445
446 if (s->family == AF_INET6 && key->class == DNS_CLASS_IN && key->type == DNS_TYPE_A)
447 return false;
448
449 return true;
450 }
451
452 int dns_scope_llmnr_membership(DnsScope *s, bool b) {
453 int fd;
454
455 assert(s);
456
457 if (s->protocol != DNS_PROTOCOL_LLMNR)
458 return 0;
459
460 assert(s->link);
461
462 if (s->family == AF_INET) {
463 struct ip_mreqn mreqn = {
464 .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS,
465 .imr_ifindex = s->link->ifindex,
466 };
467
468 fd = manager_llmnr_ipv4_udp_fd(s->manager);
469 if (fd < 0)
470 return fd;
471
472 /* Always first try to drop membership before we add
473 * one. This is necessary on some devices, such as
474 * veth. */
475 if (b)
476 (void) setsockopt(fd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn));
477
478 if (setsockopt(fd, IPPROTO_IP, b ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP, &mreqn, sizeof(mreqn)) < 0)
479 return -errno;
480
481 } else if (s->family == AF_INET6) {
482 struct ipv6_mreq mreq = {
483 .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS,
484 .ipv6mr_interface = s->link->ifindex,
485 };
486
487 fd = manager_llmnr_ipv6_udp_fd(s->manager);
488 if (fd < 0)
489 return fd;
490
491 if (b)
492 (void) setsockopt(fd, IPPROTO_IPV6, IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
493
494 if (setsockopt(fd, IPPROTO_IPV6, b ? IPV6_ADD_MEMBERSHIP : IPV6_DROP_MEMBERSHIP, &mreq, sizeof(mreq)) < 0)
495 return -errno;
496 } else
497 return -EAFNOSUPPORT;
498
499 return 0;
500 }
501
502 static int dns_scope_make_reply_packet(
503 DnsScope *s,
504 uint16_t id,
505 int rcode,
506 DnsQuestion *q,
507 DnsAnswer *answer,
508 DnsAnswer *soa,
509 bool tentative,
510 DnsPacket **ret) {
511
512 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
513 unsigned i;
514 int r;
515
516 assert(s);
517 assert(ret);
518
519 if ((!q || q->n_keys <= 0)
520 && (!answer || answer->n_rrs <= 0)
521 && (!soa || soa->n_rrs <= 0))
522 return -EINVAL;
523
524 r = dns_packet_new(&p, s->protocol, 0);
525 if (r < 0)
526 return r;
527
528 DNS_PACKET_HEADER(p)->id = id;
529 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
530 1 /* qr */,
531 0 /* opcode */,
532 0 /* c */,
533 0 /* tc */,
534 tentative,
535 0 /* (ra) */,
536 0 /* (ad) */,
537 0 /* (cd) */,
538 rcode));
539
540 if (q) {
541 for (i = 0; i < q->n_keys; i++) {
542 r = dns_packet_append_key(p, q->keys[i], NULL);
543 if (r < 0)
544 return r;
545 }
546
547 DNS_PACKET_HEADER(p)->qdcount = htobe16(q->n_keys);
548 }
549
550 if (answer) {
551 for (i = 0; i < answer->n_rrs; i++) {
552 r = dns_packet_append_rr(p, answer->items[i].rr, NULL);
553 if (r < 0)
554 return r;
555 }
556
557 DNS_PACKET_HEADER(p)->ancount = htobe16(answer->n_rrs);
558 }
559
560 if (soa) {
561 for (i = 0; i < soa->n_rrs; i++) {
562 r = dns_packet_append_rr(p, soa->items[i].rr, NULL);
563 if (r < 0)
564 return r;
565 }
566
567 DNS_PACKET_HEADER(p)->arcount = htobe16(soa->n_rrs);
568 }
569
570 *ret = p;
571 p = NULL;
572
573 return 0;
574 }
575
576 static void dns_scope_verify_conflicts(DnsScope *s, DnsPacket *p) {
577 unsigned n;
578
579 assert(s);
580 assert(p);
581
582 if (p->question)
583 for (n = 0; n < p->question->n_keys; n++)
584 dns_zone_verify_conflicts(&s->zone, p->question->keys[n]);
585 if (p->answer)
586 for (n = 0; n < p->answer->n_rrs; n++)
587 dns_zone_verify_conflicts(&s->zone, p->answer->items[n].rr->key);
588 }
589
590 void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p) {
591 _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
592 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL, *soa = NULL;
593 DnsResourceKey *key = NULL;
594 bool tentative = false;
595 int r, fd;
596
597 assert(s);
598 assert(p);
599
600 if (p->protocol != DNS_PROTOCOL_LLMNR)
601 return;
602
603 if (p->ipproto == IPPROTO_UDP) {
604 /* Don't accept UDP queries directed to anything but
605 * the LLMNR multicast addresses. See RFC 4795,
606 * section 2.5. */
607
608 if (p->family == AF_INET && !in_addr_equal(AF_INET, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV4_ADDRESS))
609 return;
610
611 if (p->family == AF_INET6 && !in_addr_equal(AF_INET6, &p->destination, (union in_addr_union*) &LLMNR_MULTICAST_IPV6_ADDRESS))
612 return;
613 }
614
615 r = dns_packet_extract(p);
616 if (r < 0) {
617 log_debug_errno(r, "Failed to extract resources from incoming packet: %m");
618 return;
619 }
620
621 if (DNS_PACKET_LLMNR_C(p)) {
622 /* Somebody notified us about a possible conflict */
623 dns_scope_verify_conflicts(s, p);
624 return;
625 }
626
627 assert(p->question->n_keys == 1);
628 key = p->question->keys[0];
629
630 r = dns_zone_lookup(&s->zone, key, &answer, &soa, &tentative);
631 if (r < 0) {
632 log_debug_errno(r, "Failed to lookup key: %m");
633 return;
634 }
635 if (r == 0)
636 return;
637
638 if (answer)
639 dns_answer_order_by_scope(answer, in_addr_is_link_local(p->family, &p->sender) > 0);
640
641 r = dns_scope_make_reply_packet(s, DNS_PACKET_ID(p), DNS_RCODE_SUCCESS, p->question, answer, soa, tentative, &reply);
642 if (r < 0) {
643 log_debug_errno(r, "Failed to build reply packet: %m");
644 return;
645 }
646
647 if (stream)
648 r = dns_stream_write_packet(stream, reply);
649 else {
650 if (!ratelimit_test(&s->ratelimit))
651 return;
652
653 if (p->family == AF_INET)
654 fd = manager_llmnr_ipv4_udp_fd(s->manager);
655 else if (p->family == AF_INET6)
656 fd = manager_llmnr_ipv6_udp_fd(s->manager);
657 else {
658 log_debug("Unknown protocol");
659 return;
660 }
661 if (fd < 0) {
662 log_debug_errno(fd, "Failed to get reply socket: %m");
663 return;
664 }
665
666 /* Note that we always immediately reply to all LLMNR
667 * requests, and do not wait any time, since we
668 * verified uniqueness for all records. Also see RFC
669 * 4795, Section 2.7 */
670
671 r = manager_send(s->manager, fd, p->ifindex, p->family, &p->sender, p->sender_port, reply);
672 }
673
674 if (r < 0) {
675 log_debug_errno(r, "Failed to send reply packet: %m");
676 return;
677 }
678 }
679
680 DnsTransaction *dns_scope_find_transaction(DnsScope *scope, DnsResourceKey *key, bool cache_ok) {
681 DnsTransaction *t;
682
683 assert(scope);
684 assert(key);
685
686 /* Try to find an ongoing transaction that is a equal to the
687 * specified question */
688 t = hashmap_get(scope->transactions_by_key, key);
689 if (!t)
690 return NULL;
691
692 /* Refuse reusing transactions that completed based on cached
693 * data instead of a real packet, if that's requested. */
694 if (!cache_ok &&
695 IN_SET(t->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_FAILURE) &&
696 t->answer_source != DNS_TRANSACTION_NETWORK)
697 return NULL;
698
699 return t;
700 }
701
702 static int dns_scope_make_conflict_packet(
703 DnsScope *s,
704 DnsResourceRecord *rr,
705 DnsPacket **ret) {
706
707 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
708 int r;
709
710 assert(s);
711 assert(rr);
712 assert(ret);
713
714 r = dns_packet_new(&p, s->protocol, 0);
715 if (r < 0)
716 return r;
717
718 DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
719 0 /* qr */,
720 0 /* opcode */,
721 1 /* conflict */,
722 0 /* tc */,
723 0 /* t */,
724 0 /* (ra) */,
725 0 /* (ad) */,
726 0 /* (cd) */,
727 0));
728 random_bytes(&DNS_PACKET_HEADER(p)->id, sizeof(uint16_t));
729 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
730 DNS_PACKET_HEADER(p)->arcount = htobe16(1);
731
732 r = dns_packet_append_key(p, rr->key, NULL);
733 if (r < 0)
734 return r;
735
736 r = dns_packet_append_rr(p, rr, NULL);
737 if (r < 0)
738 return r;
739
740 *ret = p;
741 p = NULL;
742
743 return 0;
744 }
745
746 static int on_conflict_dispatch(sd_event_source *es, usec_t usec, void *userdata) {
747 DnsScope *scope = userdata;
748 int r;
749
750 assert(es);
751 assert(scope);
752
753 scope->conflict_event_source = sd_event_source_unref(scope->conflict_event_source);
754
755 for (;;) {
756 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
757 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
758
759 rr = ordered_hashmap_steal_first(scope->conflict_queue);
760 if (!rr)
761 break;
762
763 r = dns_scope_make_conflict_packet(scope, rr, &p);
764 if (r < 0) {
765 log_error_errno(r, "Failed to make conflict packet: %m");
766 return 0;
767 }
768
769 r = dns_scope_emit(scope, -1, NULL, p);
770 if (r < 0)
771 log_debug_errno(r, "Failed to send conflict packet: %m");
772 }
773
774 return 0;
775 }
776
777 int dns_scope_notify_conflict(DnsScope *scope, DnsResourceRecord *rr) {
778 usec_t jitter;
779 int r;
780
781 assert(scope);
782 assert(rr);
783
784 /* We don't send these queries immediately. Instead, we queue
785 * them, and send them after some jitter delay. */
786 r = ordered_hashmap_ensure_allocated(&scope->conflict_queue, &dns_resource_key_hash_ops);
787 if (r < 0) {
788 log_oom();
789 return r;
790 }
791
792 /* We only place one RR per key in the conflict
793 * messages, not all of them. That should be enough to
794 * indicate where there might be a conflict */
795 r = ordered_hashmap_put(scope->conflict_queue, rr->key, rr);
796 if (r == -EEXIST || r == 0)
797 return 0;
798 if (r < 0)
799 return log_debug_errno(r, "Failed to queue conflicting RR: %m");
800
801 dns_resource_record_ref(rr);
802
803 if (scope->conflict_event_source)
804 return 0;
805
806 random_bytes(&jitter, sizeof(jitter));
807 jitter %= LLMNR_JITTER_INTERVAL_USEC;
808
809 r = sd_event_add_time(scope->manager->event,
810 &scope->conflict_event_source,
811 clock_boottime_or_monotonic(),
812 now(clock_boottime_or_monotonic()) + jitter,
813 LLMNR_JITTER_INTERVAL_USEC,
814 on_conflict_dispatch, scope);
815 if (r < 0)
816 return log_debug_errno(r, "Failed to add conflict dispatch event: %m");
817
818 return 0;
819 }
820
821 void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p) {
822 unsigned i;
823 int r;
824
825 assert(scope);
826 assert(p);
827
828 if (p->protocol != DNS_PROTOCOL_LLMNR)
829 return;
830
831 if (DNS_PACKET_RRCOUNT(p) <= 0)
832 return;
833
834 if (DNS_PACKET_LLMNR_C(p) != 0)
835 return;
836
837 if (DNS_PACKET_LLMNR_T(p) != 0)
838 return;
839
840 if (manager_our_packet(scope->manager, p))
841 return;
842
843 r = dns_packet_extract(p);
844 if (r < 0) {
845 log_debug_errno(r, "Failed to extract packet: %m");
846 return;
847 }
848
849 log_debug("Checking for conflicts...");
850
851 for (i = 0; i < p->answer->n_rrs; i++) {
852
853 /* Check for conflicts against the local zone. If we
854 * found one, we won't check any further */
855 r = dns_zone_check_conflicts(&scope->zone, p->answer->items[i].rr);
856 if (r != 0)
857 continue;
858
859 /* Check for conflicts against the local cache. If so,
860 * send out an advisory query, to inform everybody */
861 r = dns_cache_check_conflicts(&scope->cache, p->answer->items[i].rr, p->family, &p->sender);
862 if (r <= 0)
863 continue;
864
865 dns_scope_notify_conflict(scope, p->answer->items[i].rr);
866 }
867 }
868
869 void dns_scope_dump(DnsScope *s, FILE *f) {
870 assert(s);
871
872 if (!f)
873 f = stdout;
874
875 fputs("[Scope protocol=", f);
876 fputs(dns_protocol_to_string(s->protocol), f);
877
878 if (s->link) {
879 fputs(" interface=", f);
880 fputs(s->link->name, f);
881 }
882
883 if (s->family != AF_UNSPEC) {
884 fputs(" family=", f);
885 fputs(af_to_name(s->family), f);
886 }
887
888 fputs("]\n", f);
889
890 if (!dns_zone_is_empty(&s->zone)) {
891 fputs("ZONE:\n", f);
892 dns_zone_dump(&s->zone, f);
893 }
894
895 if (!dns_cache_is_empty(&s->cache)) {
896 fputs("CACHE:\n", f);
897 dns_cache_dump(&s->cache, f);
898 }
899 }
900
901 DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
902 assert(s);
903
904 /* Returns the list of *local* search domains -- not the
905 * global ones. */
906
907 if (s->protocol != DNS_PROTOCOL_DNS)
908 return NULL;
909
910 if (s->link)
911 return s->link->search_domains;
912
913 return NULL;
914 }
915
916 bool dns_scope_has_search_domains(DnsScope *s) {
917 assert(s);
918
919 /* Tests if there are *any* search domains suitable for this
920 * scope. This means either local or global ones */
921
922 if (s->protocol != DNS_PROTOCOL_DNS)
923 return false;
924
925 if (s->manager->search_domains)
926 return true;
927
928 if (s->link && s->link->search_domains)
929 return true;
930
931 return false;
932 }
933
934 bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
935 assert(s);
936
937 if (s->protocol != DNS_PROTOCOL_DNS)
938 return false;
939
940 return dns_name_is_single_label(name);
941 }
Unnamed repository; edit this file 'description' to name the repository.