1: /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
2:
3: This program is free software; you can redistribute it and/or modify
4: it under the terms of the GNU General Public License as published by
5: the Free Software Foundation; version 2 dated June, 1991, or
6: (at your option) version 3 dated 29 June, 2007.
7:
8: This program is distributed in the hope that it will be useful,
9: but WITHOUT ANY WARRANTY; without even the implied warranty of
10: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11: GNU General Public License for more details.
12:
13: You should have received a copy of the GNU General Public License
14: along with this program. If not, see <http://www.gnu.org/licenses/>.
15: */
16:
17: #include "dnsmasq.h"
18:
19: static struct frec *lookup_frec(unsigned short id, unsigned int crc);
20: static struct frec *lookup_frec_by_sender(unsigned short id,
21: union mysockaddr *addr,
22: unsigned int crc);
23: static unsigned short get_id(unsigned int crc);
24: static void free_frec(struct frec *f);
25: static struct randfd *allocate_rfd(int family);
26:
27: /* Send a UDP packet with its source address set as "source"
28: unless nowild is true, when we just send it with the kernel default */
29: int send_from(int fd, int nowild, char *packet, size_t len,
30: union mysockaddr *to, struct all_addr *source,
31: unsigned int iface)
32: {
33: struct msghdr msg;
34: struct iovec iov[1];
35: union {
36: struct cmsghdr align; /* this ensures alignment */
37: #if defined(HAVE_LINUX_NETWORK)
38: char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
39: #elif defined(IP_SENDSRCADDR)
40: char control[CMSG_SPACE(sizeof(struct in_addr))];
41: #endif
42: #ifdef HAVE_IPV6
43: char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
44: #endif
45: } control_u;
46:
47: iov[0].iov_base = packet;
48: iov[0].iov_len = len;
49:
50: msg.msg_control = NULL;
51: msg.msg_controllen = 0;
52: msg.msg_flags = 0;
53: msg.msg_name = to;
54: msg.msg_namelen = sa_len(to);
55: msg.msg_iov = iov;
56: msg.msg_iovlen = 1;
57:
58: if (!nowild)
59: {
60: struct cmsghdr *cmptr;
61: msg.msg_control = &control_u;
62: msg.msg_controllen = sizeof(control_u);
63: cmptr = CMSG_FIRSTHDR(&msg);
64:
65: if (to->sa.sa_family == AF_INET)
66: {
67: #if defined(HAVE_LINUX_NETWORK)
68: struct in_pktinfo p;
69: p.ipi_ifindex = 0;
70: p.ipi_spec_dst = source->addr.addr4;
71: memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
72: msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
73: cmptr->cmsg_level = IPPROTO_IP;
74: cmptr->cmsg_type = IP_PKTINFO;
75: #elif defined(IP_SENDSRCADDR)
76: memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
77: msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
78: cmptr->cmsg_level = IPPROTO_IP;
79: cmptr->cmsg_type = IP_SENDSRCADDR;
80: #endif
81: }
82: else
83: #ifdef HAVE_IPV6
84: {
85: struct in6_pktinfo p;
86: p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
87: p.ipi6_addr = source->addr.addr6;
88: memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
89: msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
90: cmptr->cmsg_type = daemon->v6pktinfo;
91: cmptr->cmsg_level = IPPROTO_IPV6;
92: }
93: #else
94: (void)iface; /* eliminate warning */
95: #endif
96: }
97:
98: while (sendmsg(fd, &msg, 0) == -1)
99: {
100: if (retry_send())
101: continue;
102:
103: /* If interface is still in DAD, EINVAL results - ignore that. */
104: if (errno == EINVAL)
105: break;
106:
107: my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
108: return 0;
109: }
110:
111: return 1;
112: }
113:
114: static unsigned int search_servers(time_t now, struct all_addr **addrpp,
115: unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
116:
117: {
118: /* If the query ends in the domain in one of our servers, set
119: domain to point to that name. We find the largest match to allow both
120: domain.org and sub.domain.org to exist. */
121:
122: unsigned int namelen = strlen(qdomain);
123: unsigned int matchlen = 0;
124: struct server *serv;
125: unsigned int flags = 0;
126:
127: for (serv = daemon->servers; serv; serv=serv->next)
128: /* domain matches take priority over NODOTS matches */
129: if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
130: {
131: unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
132: *type = SERV_FOR_NODOTS;
133: if (serv->flags & SERV_NO_ADDR)
134: flags = F_NXDOMAIN;
135: else if (serv->flags & SERV_LITERAL_ADDRESS)
136: {
137: if (sflag & qtype)
138: {
139: flags = sflag;
140: if (serv->addr.sa.sa_family == AF_INET)
141: *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
142: #ifdef HAVE_IPV6
143: else
144: *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
145: #endif
146: }
147: else if (!flags || (flags & F_NXDOMAIN))
148: flags = F_NOERR;
149: }
150: }
151: else if (serv->flags & SERV_HAS_DOMAIN)
152: {
153: unsigned int domainlen = strlen(serv->domain);
154: char *matchstart = qdomain + namelen - domainlen;
155: if (namelen >= domainlen &&
156: hostname_isequal(matchstart, serv->domain) &&
157: (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
158: {
159: if (serv->flags & SERV_NO_REBIND)
160: *norebind = 1;
161: else
162: {
163: unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
164: /* implement priority rules for --address and --server for same domain.
165: --address wins if the address is for the correct AF
166: --server wins otherwise. */
167: if (domainlen != 0 && domainlen == matchlen)
168: {
169: if ((serv->flags & SERV_LITERAL_ADDRESS))
170: {
171: if (!(sflag & qtype) && flags == 0)
172: continue;
173: }
174: else
175: {
176: if (flags & (F_IPV4 | F_IPV6))
177: continue;
178: }
179: }
180:
181: if (domainlen >= matchlen)
182: {
183: *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
184: *domain = serv->domain;
185: matchlen = domainlen;
186: if (serv->flags & SERV_NO_ADDR)
187: flags = F_NXDOMAIN;
188: else if (serv->flags & SERV_LITERAL_ADDRESS)
189: {
190: if (sflag & qtype)
191: {
192: flags = sflag;
193: if (serv->addr.sa.sa_family == AF_INET)
194: *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
195: #ifdef HAVE_IPV6
196: else
197: *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
198: #endif
199: }
200: else if (!flags || (flags & F_NXDOMAIN))
201: flags = F_NOERR;
202: }
203: else
204: flags = 0;
205: }
206: }
207: }
208: }
209:
210: if (flags == 0 && !(qtype & F_QUERY) &&
211: option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
212: /* don't forward A or AAAA queries for simple names, except the empty name */
213: flags = F_NOERR;
214:
215: if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
216: flags = F_NOERR;
217:
218: if (flags)
219: {
220: int logflags = 0;
221:
222: if (flags == F_NXDOMAIN || flags == F_NOERR)
223: logflags = F_NEG | qtype;
224:
225: log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
226: }
227: else if ((*type) & SERV_USE_RESOLV)
228: {
229: *type = 0; /* use normal servers for this domain */
230: *domain = NULL;
231: }
232: return flags;
233: }
234:
235: static int forward_query(int udpfd, union mysockaddr *udpaddr,
236: struct all_addr *dst_addr, unsigned int dst_iface,
237: struct dns_header *header, size_t plen, time_t now, struct frec *forward)
238: {
239: char *domain = NULL;
240: int type = 0, norebind = 0;
241: struct all_addr *addrp = NULL;
242: unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243: unsigned int flags = 0;
244: unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245: struct server *start = NULL;
246:
247: /* RFC 4035: sect 4.6 para 2 */
248: header->hb4 &= ~HB4_AD;
249:
250: /* may be no servers available. */
251: if (!daemon->servers)
252: forward = NULL;
253: else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
254: {
255: /* retry on existing query, send to all available servers */
256: domain = forward->sentto->domain;
257: forward->sentto->failed_queries++;
258: if (!option_bool(OPT_ORDER))
259: {
260: forward->forwardall = 1;
261: daemon->last_server = NULL;
262: }
263: type = forward->sentto->flags & SERV_TYPE;
264: if (!(start = forward->sentto->next))
265: start = daemon->servers; /* at end of list, recycle */
266: header->id = htons(forward->new_id);
267: }
268: else
269: {
270: if (gotname)
271: flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
272:
273: if (!flags && !(forward = get_new_frec(now, NULL)))
274: /* table full - server failure. */
275: flags = F_NEG;
276:
277: if (forward)
278: {
279: forward->source = *udpaddr;
280: forward->dest = *dst_addr;
281: forward->iface = dst_iface;
282: forward->orig_id = ntohs(header->id);
283: forward->new_id = get_id(crc);
284: forward->fd = udpfd;
285: forward->crc = crc;
286: forward->forwardall = 0;
287: if (norebind)
288: forward->flags |= FREC_NOREBIND;
289: if (header->hb4 & HB4_CD)
290: forward->flags |= FREC_CHECKING_DISABLED;
291:
292: header->id = htons(forward->new_id);
293:
294: /* In strict_order mode, always try servers in the order
295: specified in resolv.conf, if a domain is given
296: always try all the available servers,
297: otherwise, use the one last known to work. */
298:
299: if (type == 0)
300: {
301: if (option_bool(OPT_ORDER))
302: start = daemon->servers;
303: else if (!(start = daemon->last_server) ||
304: daemon->forwardcount++ > FORWARD_TEST ||
305: difftime(now, daemon->forwardtime) > FORWARD_TIME)
306: {
307: start = daemon->servers;
308: forward->forwardall = 1;
309: daemon->forwardcount = 0;
310: daemon->forwardtime = now;
311: }
312: }
313: else
314: {
315: start = daemon->servers;
316: if (!option_bool(OPT_ORDER))
317: forward->forwardall = 1;
318: }
319: }
320: }
321:
322: /* check for send errors here (no route to host)
323: if we fail to send to all nameservers, send back an error
324: packet straight away (helps modem users when offline) */
325:
326: if (!flags && forward)
327: {
328: struct server *firstsentto = start;
329: int forwarded = 0;
330:
331: if (udpaddr && option_bool(OPT_ADD_MAC))
332: plen = add_mac(header, plen, ((char *) header) + PACKETSZ, udpaddr);
333:
334: while (1)
335: {
336: /* only send to servers dealing with our domain.
337: domain may be NULL, in which case server->domain
338: must be NULL also. */
339:
340: if (type == (start->flags & SERV_TYPE) &&
341: (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
342: !(start->flags & SERV_LITERAL_ADDRESS))
343: {
344: int fd;
345:
346: /* find server socket to use, may need to get random one. */
347: if (start->sfd)
348: fd = start->sfd->fd;
349: else
350: {
351: #ifdef HAVE_IPV6
352: if (start->addr.sa.sa_family == AF_INET6)
353: {
354: if (!forward->rfd6 &&
355: !(forward->rfd6 = allocate_rfd(AF_INET6)))
356: break;
357: daemon->rfd_save = forward->rfd6;
358: fd = forward->rfd6->fd;
359: }
360: else
361: #endif
362: {
363: if (!forward->rfd4 &&
364: !(forward->rfd4 = allocate_rfd(AF_INET)))
365: break;
366: daemon->rfd_save = forward->rfd4;
367: fd = forward->rfd4->fd;
368: }
369:
370: #ifdef HAVE_CONNTRACK
371: /* Copy connection mark of incoming query to outgoing connection. */
372: if (option_bool(OPT_CONNTRACK))
373: {
374: unsigned int mark;
375: if (get_incoming_mark(udpaddr, dst_addr, 0, &mark))
376: setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
377: }
378: #endif
379: }
380:
381: if (sendto(fd, (char *)header, plen, 0,
382: &start->addr.sa,
383: sa_len(&start->addr)) == -1)
384: {
385: if (retry_send())
386: continue;
387: }
388: else
389: {
390: /* Keep info in case we want to re-send this packet */
391: daemon->srv_save = start;
392: daemon->packet_len = plen;
393:
394: if (!gotname)
395: strcpy(daemon->namebuff, "query");
396: if (start->addr.sa.sa_family == AF_INET)
397: log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
398: (struct all_addr *)&start->addr.in.sin_addr, NULL);
399: #ifdef HAVE_IPV6
400: else
401: log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
402: (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
403: #endif
404: start->queries++;
405: forwarded = 1;
406: forward->sentto = start;
407: if (!forward->forwardall)
408: break;
409: forward->forwardall++;
410: }
411: }
412:
413: if (!(start = start->next))
414: start = daemon->servers;
415:
416: if (start == firstsentto)
417: break;
418: }
419:
420: if (forwarded)
421: return 1;
422:
423: /* could not send on, prepare to return */
424: header->id = htons(forward->orig_id);
425: free_frec(forward); /* cancel */
426: }
427:
428: /* could not send on, return empty answer or address if known for whole domain */
429: if (udpfd != -1)
430: {
431: plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
432: send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
433: }
434:
435: return 0;
436: }
437:
438: static size_t process_reply(struct dns_header *header, time_t now,
439: struct server *server, size_t n, int check_rebind, int checking_disabled)
440: {
441: unsigned char *pheader, *sizep;
442: char **sets = 0;
443: int munged = 0, is_sign;
444: size_t plen;
445:
446: #ifdef HAVE_IPSET
447: /* Similar algorithm to search_servers. */
448: struct ipsets *ipset_pos;
449: unsigned int namelen = strlen(daemon->namebuff);
450: unsigned int matchlen = 0;
451: for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
452: {
453: unsigned int domainlen = strlen(ipset_pos->domain);
454: char *matchstart = daemon->namebuff + namelen - domainlen;
455: if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
456: (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
457: domainlen >= matchlen) {
458: matchlen = domainlen;
459: sets = ipset_pos->sets;
460: }
461: }
462: #endif
463:
464: /* If upstream is advertising a larger UDP packet size
465: than we allow, trim it so that we don't get overlarge
466: requests for the client. We can't do this for signed packets. */
467:
468: if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
469: {
470: unsigned short udpsz;
471: unsigned char *psave = sizep;
472:
473: GETSHORT(udpsz, sizep);
474: if (udpsz > daemon->edns_pktsz)
475: PUTSHORT(daemon->edns_pktsz, psave);
476: }
477:
478: /* RFC 4035 sect 4.6 para 3 */
479: if (!is_sign && !option_bool(OPT_DNSSEC))
480: header->hb4 &= ~HB4_AD;
481:
482: if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
483: return n;
484:
485: /* Complain loudly if the upstream server is non-recursive. */
486: if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
487: server && !(server->flags & SERV_WARNED_RECURSIVE))
488: {
489: prettyprint_addr(&server->addr, daemon->namebuff);
490: my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
491: if (!option_bool(OPT_LOG))
492: server->flags |= SERV_WARNED_RECURSIVE;
493: }
494:
495: if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
496: check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
497: {
498: munged = 1;
499: SET_RCODE(header, NXDOMAIN);
500: header->hb3 &= ~HB3_AA;
501: }
502: else
503: {
504: if (RCODE(header) == NXDOMAIN &&
505: extract_request(header, n, daemon->namebuff, NULL) &&
506: check_for_local_domain(daemon->namebuff, now))
507: {
508: /* if we forwarded a query for a locally known name (because it was for
509: an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
510: since we know that the domain exists, even if upstream doesn't */
511: munged = 1;
512: header->hb3 |= HB3_AA;
513: SET_RCODE(header, NOERROR);
514: }
515:
516: if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, checking_disabled))
517: {
518: my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
519: munged = 1;
520: }
521: }
522:
523: /* do this after extract_addresses. Ensure NODATA reply and remove
524: nameserver info. */
525:
526: if (munged)
527: {
528: header->ancount = htons(0);
529: header->nscount = htons(0);
530: header->arcount = htons(0);
531: }
532:
533: /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
534: sections of the packet. Find the new length here and put back pseudoheader
535: if it was removed. */
536: return resize_packet(header, n, pheader, plen);
537: }
538:
539: /* sets new last_server */
540: void reply_query(int fd, int family, time_t now)
541: {
542: /* packet from peer server, extract data for cache, and send to
543: original requester */
544: struct dns_header *header;
545: union mysockaddr serveraddr;
546: struct frec *forward;
547: socklen_t addrlen = sizeof(serveraddr);
548: ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
549: size_t nn;
550: struct server *server;
551:
552: /* packet buffer overwritten */
553: daemon->srv_save = NULL;
554:
555: /* Determine the address of the server replying so that we can mark that as good */
556: serveraddr.sa.sa_family = family;
557: #ifdef HAVE_IPV6
558: if (serveraddr.sa.sa_family == AF_INET6)
559: serveraddr.in6.sin6_flowinfo = 0;
560: #endif
561:
562: /* spoof check: answer must come from known server, */
563: for (server = daemon->servers; server; server = server->next)
564: if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
565: sockaddr_isequal(&server->addr, &serveraddr))
566: break;
567:
568: header = (struct dns_header *)daemon->packet;
569:
570: if (!server ||
571: n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
572: !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
573: return;
574:
575: server = forward->sentto;
576:
577: if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
578: !option_bool(OPT_ORDER) &&
579: forward->forwardall == 0)
580: /* for broken servers, attempt to send to another one. */
581: {
582: unsigned char *pheader;
583: size_t plen;
584: int is_sign;
585:
586: /* recreate query from reply */
587: pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
588: if (!is_sign)
589: {
590: header->ancount = htons(0);
591: header->nscount = htons(0);
592: header->arcount = htons(0);
593: if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
594: {
595: header->hb3 &= ~(HB3_QR | HB3_TC);
596: forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
597: return;
598: }
599: }
600: }
601:
602: if ((forward->sentto->flags & SERV_TYPE) == 0)
603: {
604: if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
605: server = NULL;
606: else
607: {
608: struct server *last_server;
609:
610: /* find good server by address if possible, otherwise assume the last one we sent to */
611: for (last_server = daemon->servers; last_server; last_server = last_server->next)
612: if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
613: sockaddr_isequal(&last_server->addr, &serveraddr))
614: {
615: server = last_server;
616: break;
617: }
618: }
619: if (!option_bool(OPT_ALL_SERVERS))
620: daemon->last_server = server;
621: }
622:
623: /* If the answer is an error, keep the forward record in place in case
624: we get a good reply from another server. Kill it when we've
625: had replies from all to avoid filling the forwarding table when
626: everything is broken */
627: if (forward->forwardall == 0 || --forward->forwardall == 1 ||
628: (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
629: {
630: int check_rebind = !(forward->flags & FREC_NOREBIND);
631:
632: if (!option_bool(OPT_NO_REBIND))
633: check_rebind = 0;
634:
635: if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED)))
636: {
637: header->id = htons(forward->orig_id);
638: header->hb4 |= HB4_RA; /* recursion if available */
639: send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
640: &forward->source, &forward->dest, forward->iface);
641: }
642: free_frec(forward); /* cancel */
643: }
644: }
645:
646:
647: void receive_query(struct listener *listen, time_t now)
648: {
649: struct dns_header *header = (struct dns_header *)daemon->packet;
650: union mysockaddr source_addr;
651: unsigned short type;
652: struct all_addr dst_addr;
653: struct in_addr netmask, dst_addr_4;
654: size_t m;
655: ssize_t n;
656: int if_index = 0;
657: int auth_dns = 0;
658: struct iovec iov[1];
659: struct msghdr msg;
660: struct cmsghdr *cmptr;
661: union {
662: struct cmsghdr align; /* this ensures alignment */
663: #ifdef HAVE_IPV6
664: char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
665: #endif
666: #if defined(HAVE_LINUX_NETWORK)
667: char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
668: #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
669: char control[CMSG_SPACE(sizeof(struct in_addr)) +
670: CMSG_SPACE(sizeof(unsigned int))];
671: #elif defined(IP_RECVDSTADDR)
672: char control[CMSG_SPACE(sizeof(struct in_addr)) +
673: CMSG_SPACE(sizeof(struct sockaddr_dl))];
674: #endif
675: } control_u;
676:
677: /* packet buffer overwritten */
678: daemon->srv_save = NULL;
679:
680: dst_addr_4.s_addr = 0;
681: netmask.s_addr = 0;
682:
683: if (option_bool(OPT_NOWILD) && listen->iface)
684: {
685: auth_dns = listen->iface->dns_auth;
686:
687: if (listen->family == AF_INET)
688: {
689: dst_addr_4 = listen->iface->addr.in.sin_addr;
690: netmask = listen->iface->netmask;
691: }
692: }
693:
694: iov[0].iov_base = daemon->packet;
695: iov[0].iov_len = daemon->edns_pktsz;
696:
697: msg.msg_control = control_u.control;
698: msg.msg_controllen = sizeof(control_u);
699: msg.msg_flags = 0;
700: msg.msg_name = &source_addr;
701: msg.msg_namelen = sizeof(source_addr);
702: msg.msg_iov = iov;
703: msg.msg_iovlen = 1;
704:
705: if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
706: return;
707:
708: if (n < (int)sizeof(struct dns_header) ||
709: (msg.msg_flags & MSG_TRUNC) ||
710: (header->hb3 & HB3_QR))
711: return;
712:
713: source_addr.sa.sa_family = listen->family;
714: #ifdef HAVE_IPV6
715: if (listen->family == AF_INET6)
716: source_addr.in6.sin6_flowinfo = 0;
717: #endif
718:
719: if (!option_bool(OPT_NOWILD))
720: {
721: struct ifreq ifr;
722:
723: if (msg.msg_controllen < sizeof(struct cmsghdr))
724: return;
725:
726: #if defined(HAVE_LINUX_NETWORK)
727: if (listen->family == AF_INET)
728: for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
729: if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
730: {
731: union {
732: unsigned char *c;
733: struct in_pktinfo *p;
734: } p;
735: p.c = CMSG_DATA(cmptr);
736: dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
737: if_index = p.p->ipi_ifindex;
738: }
739: #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
740: if (listen->family == AF_INET)
741: {
742: for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
743: {
744: union {
745: unsigned char *c;
746: unsigned int *i;
747: struct in_addr *a;
748: #ifndef HAVE_SOLARIS_NETWORK
749: struct sockaddr_dl *s;
750: #endif
751: } p;
752: p.c = CMSG_DATA(cmptr);
753: if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
754: dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
755: else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
756: #ifdef HAVE_SOLARIS_NETWORK
757: if_index = *(p.i);
758: #else
759: if_index = p.s->sdl_index;
760: #endif
761: }
762: }
763: #endif
764:
765: #ifdef HAVE_IPV6
766: if (listen->family == AF_INET6)
767: {
768: for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
769: if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
770: {
771: union {
772: unsigned char *c;
773: struct in6_pktinfo *p;
774: } p;
775: p.c = CMSG_DATA(cmptr);
776:
777: dst_addr.addr.addr6 = p.p->ipi6_addr;
778: if_index = p.p->ipi6_ifindex;
779: }
780: }
781: #endif
782:
783: /* enforce available interface configuration */
784:
785: if (!indextoname(listen->fd, if_index, ifr.ifr_name))
786: return;
787:
788: if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
789: {
790: if (!option_bool(OPT_CLEVERBIND))
791: enumerate_interfaces();
792: if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
793: return;
794: }
795:
796: if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
797: {
798: struct irec *iface;
799:
800: /* get the netmask of the interface whch has the address we were sent to.
801: This is no neccessarily the interface we arrived on. */
802:
803: for (iface = daemon->interfaces; iface; iface = iface->next)
804: if (iface->addr.sa.sa_family == AF_INET &&
805: iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
806: break;
807:
808: /* interface may be new */
809: if (!iface && !option_bool(OPT_CLEVERBIND))
810: enumerate_interfaces();
811:
812: for (iface = daemon->interfaces; iface; iface = iface->next)
813: if (iface->addr.sa.sa_family == AF_INET &&
814: iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
815: break;
816:
817: /* If we failed, abandon localisation */
818: if (iface)
819: netmask = iface->netmask;
820: else
821: dst_addr_4.s_addr = 0;
822: }
823: }
824:
825: if (extract_request(header, (size_t)n, daemon->namebuff, &type))
826: {
827: char types[20];
828:
829: querystr(auth_dns ? "auth" : "query", types, type);
830:
831: if (listen->family == AF_INET)
832: log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
833: (struct all_addr *)&source_addr.in.sin_addr, types);
834: #ifdef HAVE_IPV6
835: else
836: log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
837: (struct all_addr *)&source_addr.in6.sin6_addr, types);
838: #endif
839: }
840:
841: #ifdef HAVE_AUTH
842: if (auth_dns)
843: {
844: m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
845: if (m >= 1)
846: send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
847: (char *)header, m, &source_addr, &dst_addr, if_index);
848: }
849: else
850: #endif
851: {
852: m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
853: dst_addr_4, netmask, now);
854:
855: if (m >= 1)
856: {
857: send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
858: (char *)header, m, &source_addr, &dst_addr, if_index);
859: daemon->local_answer++;
860: }
861: else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
862: header, (size_t)n, now, NULL))
863: daemon->queries_forwarded++;
864: else
865: daemon->local_answer++;
866: }
867: }
868:
869: /* The daemon forks before calling this: it should deal with one connection,
870: blocking as neccessary, and then return. Note, need to be a bit careful
871: about resources for debug mode, when the fork is suppressed: that's
872: done by the caller. */
873: unsigned char *tcp_request(int confd, time_t now,
874: union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
875: {
876: size_t size = 0;
877: int norebind = 0;
878: int checking_disabled;
879: size_t m;
880: unsigned short qtype;
881: unsigned int gotname;
882: unsigned char c1, c2;
883: /* Max TCP packet + slop */
884: unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
885: struct dns_header *header;
886: struct server *last_server;
887: struct in_addr dst_addr_4;
888: union mysockaddr peer_addr;
889: socklen_t peer_len = sizeof(union mysockaddr);
890:
891: if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
892: return packet;
893:
894: while (1)
895: {
896: if (!packet ||
897: !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
898: !(size = c1 << 8 | c2) ||
899: !read_write(confd, packet, size, 1))
900: return packet;
901:
902: if (size < (int)sizeof(struct dns_header))
903: continue;
904:
905: header = (struct dns_header *)packet;
906:
907: /* save state of "cd" flag in query */
908: checking_disabled = header->hb4 & HB4_CD;
909:
910: /* RFC 4035: sect 4.6 para 2 */
911: header->hb4 &= ~HB4_AD;
912:
913: if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
914: {
915: char types[20];
916:
917: querystr(auth_dns ? "auth" : "query", types, qtype);
918:
919: if (peer_addr.sa.sa_family == AF_INET)
920: log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
921: (struct all_addr *)&peer_addr.in.sin_addr, types);
922: #ifdef HAVE_IPV6
923: else
924: log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
925: (struct all_addr *)&peer_addr.in6.sin6_addr, types);
926: #endif
927: }
928:
929: if (local_addr->sa.sa_family == AF_INET)
930: dst_addr_4 = local_addr->in.sin_addr;
931: else
932: dst_addr_4.s_addr = 0;
933:
934: #ifdef HAVE_AUTH
935: if (auth_dns)
936: m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
937: else
938: #endif
939: {
940: /* m > 0 if answered from cache */
941: m = answer_request(header, ((char *) header) + 65536, (size_t)size,
942: dst_addr_4, netmask, now);
943:
944: /* Do this by steam now we're not in the select() loop */
945: check_log_writer(NULL);
946:
947: if (m == 0)
948: {
949: unsigned int flags = 0;
950: struct all_addr *addrp = NULL;
951: int type = 0;
952: char *domain = NULL;
953:
954: if (option_bool(OPT_ADD_MAC))
955: size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
956:
957: if (gotname)
958: flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
959:
960: if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
961: last_server = daemon->servers;
962: else
963: last_server = daemon->last_server;
964:
965: if (!flags && last_server)
966: {
967: struct server *firstsendto = NULL;
968: unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
969:
970: /* Loop round available servers until we succeed in connecting to one.
971: Note that this code subtley ensures that consecutive queries on this connection
972: which can go to the same server, do so. */
973: while (1)
974: {
975: if (!firstsendto)
976: firstsendto = last_server;
977: else
978: {
979: if (!(last_server = last_server->next))
980: last_server = daemon->servers;
981:
982: if (last_server == firstsendto)
983: break;
984: }
985:
986: /* server for wrong domain */
987: if (type != (last_server->flags & SERV_TYPE) ||
988: (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
989: continue;
990:
991: if (last_server->tcpfd == -1)
992: {
993: if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
994: continue;
995:
996: if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
997: connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
998: {
999: close(last_server->tcpfd);
1000: last_server->tcpfd = -1;
1001: continue;
1002: }
1003:
1004: #ifdef HAVE_CONNTRACK
1005: /* Copy connection mark of incoming query to outgoing connection. */
1006: if (option_bool(OPT_CONNTRACK))
1007: {
1008: unsigned int mark;
1009: struct all_addr local;
1010: #ifdef HAVE_IPV6
1011: if (local_addr->sa.sa_family == AF_INET6)
1012: local.addr.addr6 = local_addr->in6.sin6_addr;
1013: else
1014: #endif
1015: local.addr.addr4 = local_addr->in.sin_addr;
1016:
1017: if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1018: setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1019: }
1020: #endif
1021: }
1022:
1023: c1 = size >> 8;
1024: c2 = size;
1025:
1026: if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
1027: !read_write(last_server->tcpfd, &c2, 1, 0) ||
1028: !read_write(last_server->tcpfd, packet, size, 0) ||
1029: !read_write(last_server->tcpfd, &c1, 1, 1) ||
1030: !read_write(last_server->tcpfd, &c2, 1, 1))
1031: {
1032: close(last_server->tcpfd);
1033: last_server->tcpfd = -1;
1034: continue;
1035: }
1036:
1037: m = (c1 << 8) | c2;
1038: if (!read_write(last_server->tcpfd, packet, m, 1))
1039: return packet;
1040:
1041: if (!gotname)
1042: strcpy(daemon->namebuff, "query");
1043: if (last_server->addr.sa.sa_family == AF_INET)
1044: log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1045: (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
1046: #ifdef HAVE_IPV6
1047: else
1048: log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1049: (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
1050: #endif
1051:
1052: /* There's no point in updating the cache, since this process will exit and
1053: lose the information after a few queries. We make this call for the alias and
1054: bogus-nxdomain side-effects. */
1055: /* If the crc of the question section doesn't match the crc we sent, then
1056: someone might be attempting to insert bogus values into the cache by
1057: sending replies containing questions and bogus answers. */
1058: if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
1059: m = process_reply(header, now, last_server, (unsigned int)m,
1060: option_bool(OPT_NO_REBIND) && !norebind, checking_disabled);
1061:
1062: break;
1063: }
1064: }
1065:
1066: /* In case of local answer or no connections made. */
1067: if (m == 0)
1068: m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
1069: }
1070: }
1071:
1072: check_log_writer(NULL);
1073:
1074: c1 = m>>8;
1075: c2 = m;
1076: if (m == 0 ||
1077: !read_write(confd, &c1, 1, 0) ||
1078: !read_write(confd, &c2, 1, 0) ||
1079: !read_write(confd, packet, m, 0))
1080: return packet;
1081: }
1082: }
1083:
1084: static struct frec *allocate_frec(time_t now)
1085: {
1086: struct frec *f;
1087:
1088: if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
1089: {
1090: f->next = daemon->frec_list;
1091: f->time = now;
1092: f->sentto = NULL;
1093: f->rfd4 = NULL;
1094: f->flags = 0;
1095: #ifdef HAVE_IPV6
1096: f->rfd6 = NULL;
1097: #endif
1098: daemon->frec_list = f;
1099: }
1100:
1101: return f;
1102: }
1103:
1104: static struct randfd *allocate_rfd(int family)
1105: {
1106: static int finger = 0;
1107: int i;
1108:
1109: /* limit the number of sockets we have open to avoid starvation of
1110: (eg) TFTP. Once we have a reasonable number, randomness should be OK */
1111:
1112: for (i = 0; i < RANDOM_SOCKS; i++)
1113: if (daemon->randomsocks[i].refcount == 0)
1114: {
1115: if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
1116: break;
1117:
1118: daemon->randomsocks[i].refcount = 1;
1119: daemon->randomsocks[i].family = family;
1120: return &daemon->randomsocks[i];
1121: }
1122:
1123: /* No free ones or cannot get new socket, grab an existing one */
1124: for (i = 0; i < RANDOM_SOCKS; i++)
1125: {
1126: int j = (i+finger) % RANDOM_SOCKS;
1127: if (daemon->randomsocks[j].refcount != 0 &&
1128: daemon->randomsocks[j].family == family &&
1129: daemon->randomsocks[j].refcount != 0xffff)
1130: {
1131: finger = j;
1132: daemon->randomsocks[j].refcount++;
1133: return &daemon->randomsocks[j];
1134: }
1135: }
1136:
1137: return NULL; /* doom */
1138: }
1139:
1140: static void free_frec(struct frec *f)
1141: {
1142: if (f->rfd4 && --(f->rfd4->refcount) == 0)
1143: close(f->rfd4->fd);
1144:
1145: f->rfd4 = NULL;
1146: f->sentto = NULL;
1147: f->flags = 0;
1148:
1149: #ifdef HAVE_IPV6
1150: if (f->rfd6 && --(f->rfd6->refcount) == 0)
1151: close(f->rfd6->fd);
1152:
1153: f->rfd6 = NULL;
1154: #endif
1155: }
1156:
1157: /* if wait==NULL return a free or older than TIMEOUT record.
1158: else return *wait zero if one available, or *wait is delay to
1159: when the oldest in-use record will expire. Impose an absolute
1160: limit of 4*TIMEOUT before we wipe things (for random sockets) */
1161: struct frec *get_new_frec(time_t now, int *wait)
1162: {
1163: struct frec *f, *oldest, *target;
1164: int count;
1165:
1166: if (wait)
1167: *wait = 0;
1168:
1169: for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
1170: if (!f->sentto)
1171: target = f;
1172: else
1173: {
1174: if (difftime(now, f->time) >= 4*TIMEOUT)
1175: {
1176: free_frec(f);
1177: target = f;
1178: }
1179:
1180: if (!oldest || difftime(f->time, oldest->time) <= 0)
1181: oldest = f;
1182: }
1183:
1184: if (target)
1185: {
1186: target->time = now;
1187: return target;
1188: }
1189:
1190: /* can't find empty one, use oldest if there is one
1191: and it's older than timeout */
1192: if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
1193: {
1194: /* keep stuff for twice timeout if we can by allocating a new
1195: record instead */
1196: if (difftime(now, oldest->time) < 2*TIMEOUT &&
1197: count <= daemon->ftabsize &&
1198: (f = allocate_frec(now)))
1199: return f;
1200:
1201: if (!wait)
1202: {
1203: free_frec(oldest);
1204: oldest->time = now;
1205: }
1206: return oldest;
1207: }
1208:
1209: /* none available, calculate time 'till oldest record expires */
1210: if (count > daemon->ftabsize)
1211: {
1212: if (oldest && wait)
1213: *wait = oldest->time + (time_t)TIMEOUT - now;
1214: return NULL;
1215: }
1216:
1217: if (!(f = allocate_frec(now)) && wait)
1218: /* wait one second on malloc failure */
1219: *wait = 1;
1220:
1221: return f; /* OK if malloc fails and this is NULL */
1222: }
1223:
1224: /* crc is all-ones if not known. */
1225: static struct frec *lookup_frec(unsigned short id, unsigned int crc)
1226: {
1227: struct frec *f;
1228:
1229: for(f = daemon->frec_list; f; f = f->next)
1230: if (f->sentto && f->new_id == id &&
1231: (f->crc == crc || crc == 0xffffffff))
1232: return f;
1233:
1234: return NULL;
1235: }
1236:
1237: static struct frec *lookup_frec_by_sender(unsigned short id,
1238: union mysockaddr *addr,
1239: unsigned int crc)
1240: {
1241: struct frec *f;
1242:
1243: for(f = daemon->frec_list; f; f = f->next)
1244: if (f->sentto &&
1245: f->orig_id == id &&
1246: f->crc == crc &&
1247: sockaddr_isequal(&f->source, addr))
1248: return f;
1249:
1250: return NULL;
1251: }
1252:
1253: /* A server record is going away, remove references to it */
1254: void server_gone(struct server *server)
1255: {
1256: struct frec *f;
1257:
1258: for (f = daemon->frec_list; f; f = f->next)
1259: if (f->sentto && f->sentto == server)
1260: free_frec(f);
1261:
1262: if (daemon->last_server == server)
1263: daemon->last_server = NULL;
1264:
1265: if (daemon->srv_save == server)
1266: daemon->srv_save = NULL;
1267: }
1268:
1269: /* return unique random ids. */
1270: static unsigned short get_id(unsigned int crc)
1271: {
1272: unsigned short ret = 0;
1273:
1274: do
1275: ret = rand16();
1276: while (lookup_frec(ret, crc));
1277:
1278: return ret;
1279: }
1280:
1281:
1282:
1283:
1284:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to forward.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / src