resolve: refuse traffic from the local host only for queries
authorCarlos Peón Costa <carlospeon@gmail.com>
Wed, 11 Feb 2026 08:19:26 +0000 (09:19 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 13 Feb 2026 10:40:27 +0000 (11:40 +0100)
src/resolve/resolved-mdns.c

index fb20ba9cd02868a3d5d5bf111434a8b4eaacde5a..5026b10ff4c8bf37f3e1784465cf41864c75f3ef 100644 (file)
@@ -413,14 +413,6 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
         if (r <= 0)
                 return r;
 
-        /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS
-         * unicast queries through anyway (we never send those ourselves, hence no risk).
-         * i.e. check for the source port nr. */
-        if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p)) {
-                log_debug("Got mDNS UDP packet from local host, ignoring.");
-                return 0;
-        }
-
         scope = manager_find_scope(m, p);
         if (!scope) {
                 log_debug("Got mDNS UDP packet on unknown scope. Ignoring.");
@@ -537,6 +529,14 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
                 if (unsolicited_packet)
                         mdns_notify_browsers_unsolicited_updates(m, p->answer, p->family);
         } else if (dns_packet_validate_query(p) > 0)  {
+                /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS
+                 * unicast queries through anyway (we never send those ourselves, hence no risk).
+                 * i.e. check for the source port nr. */
+                if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p)) {
+                        log_debug("Got mDNS UDP packet from local host, ignoring.");
+                        return 0;
+                }
+
                 log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p));
 
                 r = mdns_scope_process_query(scope, p);
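Review bot: The comment moved into the query branch still opens with "Refuse traffic from the local host", but the guard now drops only queries, and nothing records why packets from local addresses are allowed into the preceding branch (presumably the reply path, which ends in `mdns_notify_browsers_unsolicited_updates(m, p->answer, p->family)`). I would reword the first sentence to `/* Refuse queries from the local host, to avoid query loops; replies from local addresses are processed on purpose.`, keep the existing sentence about legacy unicast queries, and change the log line to `log_debug("Got mDNS query packet from local host, ignoring.");`. Because `manager_packet_from_local_address()` acts here as a loop guard rather than as authentication of the sender, it is worth confirming that the reply handling, which is not visible in this hunk, tolerates our own looped-back answers, for example in cache updates and conflict handling. on_mdns_packet() starts and ends outside the hunk.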