1: /* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
2:
3: This program is free software; you can redistribute it and/or modify
4: it under the terms of the GNU General Public License as published by
5: the Free Software Foundation; version 2 dated June, 1991, or
6: (at your option) version 3 dated 29 June, 2007.
7:
8: This program is distributed in the hope that it will be useful,
9: but WITHOUT ANY WARRANTY; without even the implied warranty of
10: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11: GNU General Public License for more details.
12:
13: You should have received a copy of the GNU General Public License
14: along with this program. If not, see <http://www.gnu.org/licenses/>.
15: */
16:
17: #include "dnsmasq.h"
18:
19: #ifdef HAVE_LINUX_NETWORK
20:
21: int indextoname(int fd, int index, char *name)
22: {
23: struct ifreq ifr;
24:
25: if (index == 0)
26: return 0;
27:
28: ifr.ifr_ifindex = index;
29: if (ioctl(fd, SIOCGIFNAME, &ifr) == -1)
30: return 0;
31:
32: safe_strncpy(name, ifr.ifr_name, IF_NAMESIZE);
33:
34: return 1;
35: }
36:
37:
38: #elif defined(HAVE_SOLARIS_NETWORK)
39:
40: #include <zone.h>
41: #include <alloca.h>
42: #ifndef LIFC_UNDER_IPMP
43: # define LIFC_UNDER_IPMP 0
44: #endif
45:
46: int indextoname(int fd, int index, char *name)
47: {
48: int64_t lifc_flags;
49: struct lifnum lifn;
50: int numifs, bufsize, i;
51: struct lifconf lifc;
52: struct lifreq *lifrp;
53:
54: if (index == 0)
55: return 0;
56:
57: if (getzoneid() == GLOBAL_ZONEID)
58: {
59: if (!if_indextoname(index, name))
60: return 0;
61: return 1;
62: }
63:
64: lifc_flags = LIFC_NOXMIT | LIFC_TEMPORARY | LIFC_ALLZONES | LIFC_UNDER_IPMP;
65: lifn.lifn_family = AF_UNSPEC;
66: lifn.lifn_flags = lifc_flags;
67: if (ioctl(fd, SIOCGLIFNUM, &lifn) < 0)
68: return 0;
69:
70: numifs = lifn.lifn_count;
71: bufsize = numifs * sizeof(struct lifreq);
72:
73: lifc.lifc_family = AF_UNSPEC;
74: lifc.lifc_flags = lifc_flags;
75: lifc.lifc_len = bufsize;
76: lifc.lifc_buf = alloca(bufsize);
77:
78: if (ioctl(fd, SIOCGLIFCONF, &lifc) < 0)
79: return 0;
80:
81: lifrp = lifc.lifc_req;
82: for (i = lifc.lifc_len / sizeof(struct lifreq); i; i--, lifrp++)
83: {
84: struct lifreq lifr;
85: safe_strncpy(lifr.lifr_name, lifrp->lifr_name, IF_NAMESIZE);
86: if (ioctl(fd, SIOCGLIFINDEX, &lifr) < 0)
87: return 0;
88:
89: if (lifr.lifr_index == index) {
90: safe_strncpy(name, lifr.lifr_name, IF_NAMESIZE);
91: return 1;
92: }
93: }
94: return 0;
95: }
96:
97:
98: #else
99:
100: int indextoname(int fd, int index, char *name)
101: {
102: (void)fd;
103:
104: if (index == 0 || !if_indextoname(index, name))
105: return 0;
106:
107: return 1;
108: }
109:
110: #endif
111:
112: int iface_check(int family, union all_addr *addr, char *name, int *auth)
113: {
114: struct iname *tmp;
115: int ret = 1, match_addr = 0;
116:
117: /* Note: have to check all and not bail out early, so that we set the "used" flags.
118: May be called with family == AF_LOCAL to check interface by name only. */
119:
120: if (daemon->if_names || daemon->if_addrs)
121: {
122: ret = 0;
123:
124: for (tmp = daemon->if_names; tmp; tmp = tmp->next)
125: if (tmp->name && wildcard_match(tmp->name, name))
126: ret = tmp->used = 1;
127:
128: if (addr)
129: for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
130: if (tmp->addr.sa.sa_family == family)
131: {
132: if (family == AF_INET &&
133: tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
134: ret = match_addr = tmp->used = 1;
135: else if (family == AF_INET6 &&
136: IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr,
137: &addr->addr6))
138: ret = match_addr = tmp->used = 1;
139: }
140: }
141:
142: if (!match_addr)
143: for (tmp = daemon->if_except; tmp; tmp = tmp->next)
144: if (tmp->name && wildcard_match(tmp->name, name))
145: ret = 0;
146:
147: if (auth)
148: {
149: *auth = 0;
150:
151: for (tmp = daemon->authinterface; tmp; tmp = tmp->next)
152: if (tmp->name)
153: {
154: if (strcmp(tmp->name, name) == 0 &&
155: (tmp->addr.sa.sa_family == 0 || tmp->addr.sa.sa_family == family))
156: break;
157: }
158: else if (addr && tmp->addr.sa.sa_family == AF_INET && family == AF_INET &&
159: tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
160: break;
161: else if (addr && tmp->addr.sa.sa_family == AF_INET6 && family == AF_INET6 &&
162: IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, &addr->addr6))
163: break;
164:
165: if (tmp)
166: {
167: *auth = 1;
168: ret = 1;
169: }
170: }
171:
172: return ret;
173: }
174:
175:
176: /* Fix for problem that the kernel sometimes reports the loopback interface as the
177: arrival interface when a packet originates locally, even when sent to address of
178: an interface other than the loopback. Accept packet if it arrived via a loopback
179: interface, even when we're not accepting packets that way, as long as the destination
180: address is one we're believing. Interface list must be up-to-date before calling. */
181: int loopback_exception(int fd, int family, union all_addr *addr, char *name)
182: {
183: struct ifreq ifr;
184: struct irec *iface;
185:
186: safe_strncpy(ifr.ifr_name, name, IF_NAMESIZE);
187: if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
188: ifr.ifr_flags & IFF_LOOPBACK)
189: {
190: for (iface = daemon->interfaces; iface; iface = iface->next)
191: if (iface->addr.sa.sa_family == family)
192: {
193: if (family == AF_INET)
194: {
195: if (iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
196: return 1;
197: }
198: else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr6))
199: return 1;
200: }
201: }
202: return 0;
203: }
204:
205: /* If we're configured with something like --interface=eth0:0 then we'll listen correctly
206: on the relevant address, but the name of the arrival interface, derived from the
207: index won't match the config. Check that we found an interface address for the arrival
208: interface: daemon->interfaces must be up-to-date. */
209: int label_exception(int index, int family, union all_addr *addr)
210: {
211: struct irec *iface;
212:
213: /* labels only supported on IPv4 addresses. */
214: if (family != AF_INET)
215: return 0;
216:
217: for (iface = daemon->interfaces; iface; iface = iface->next)
218: if (iface->index == index && iface->addr.sa.sa_family == AF_INET &&
219: iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
220: return 1;
221:
222: return 0;
223: }
224:
225: struct iface_param {
226: struct addrlist *spare;
227: int fd;
228: };
229:
230: static int iface_allowed(struct iface_param *param, int if_index, char *label,
231: union mysockaddr *addr, struct in_addr netmask, int prefixlen, int iface_flags)
232: {
233: struct irec *iface;
234: struct cond_domain *cond;
235: int loopback;
236: struct ifreq ifr;
237: int tftp_ok = !!option_bool(OPT_TFTP);
238: int dhcp_ok = 1;
239: int auth_dns = 0;
240: int is_label = 0;
241: #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
242: struct iname *tmp;
243: #endif
244:
245: (void)prefixlen;
246:
247: if (!indextoname(param->fd, if_index, ifr.ifr_name) ||
248: ioctl(param->fd, SIOCGIFFLAGS, &ifr) == -1)
249: return 0;
250:
251: loopback = ifr.ifr_flags & IFF_LOOPBACK;
252:
253: if (loopback)
254: dhcp_ok = 0;
255:
256: if (!label)
257: label = ifr.ifr_name;
258: else
259: is_label = strcmp(label, ifr.ifr_name);
260:
261: /* maintain a list of all addresses on all interfaces for --local-service option */
262: if (option_bool(OPT_LOCAL_SERVICE))
263: {
264: struct addrlist *al;
265:
266: if (param->spare)
267: {
268: al = param->spare;
269: param->spare = al->next;
270: }
271: else
272: al = whine_malloc(sizeof(struct addrlist));
273:
274: if (al)
275: {
276: al->next = daemon->interface_addrs;
277: daemon->interface_addrs = al;
278: al->prefixlen = prefixlen;
279:
280: if (addr->sa.sa_family == AF_INET)
281: {
282: al->addr.addr4 = addr->in.sin_addr;
283: al->flags = 0;
284: }
285: else
286: {
287: al->addr.addr6 = addr->in6.sin6_addr;
288: al->flags = ADDRLIST_IPV6;
289: }
290: }
291: }
292:
293: if (addr->sa.sa_family != AF_INET6 || !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr))
294: {
295: struct interface_name *int_name;
296: struct addrlist *al;
297: #ifdef HAVE_AUTH
298: struct auth_zone *zone;
299: struct auth_name_list *name;
300:
301: /* Find subnets in auth_zones */
302: for (zone = daemon->auth_zones; zone; zone = zone->next)
303: for (name = zone->interface_names; name; name = name->next)
304: if (wildcard_match(name->name, label))
305: {
306: if (addr->sa.sa_family == AF_INET && (name->flags & AUTH4))
307: {
308: if (param->spare)
309: {
310: al = param->spare;
311: param->spare = al->next;
312: }
313: else
314: al = whine_malloc(sizeof(struct addrlist));
315:
316: if (al)
317: {
318: al->next = zone->subnet;
319: zone->subnet = al;
320: al->prefixlen = prefixlen;
321: al->addr.addr4 = addr->in.sin_addr;
322: al->flags = 0;
323: }
324: }
325:
326: if (addr->sa.sa_family == AF_INET6 && (name->flags & AUTH6))
327: {
328: if (param->spare)
329: {
330: al = param->spare;
331: param->spare = al->next;
332: }
333: else
334: al = whine_malloc(sizeof(struct addrlist));
335:
336: if (al)
337: {
338: al->next = zone->subnet;
339: zone->subnet = al;
340: al->prefixlen = prefixlen;
341: al->addr.addr6 = addr->in6.sin6_addr;
342: al->flags = ADDRLIST_IPV6;
343: }
344: }
345: }
346: #endif
347:
348: /* Update addresses from interface_names. These are a set independent
349: of the set we're listening on. */
350: for (int_name = daemon->int_names; int_name; int_name = int_name->next)
351: if (strncmp(label, int_name->intr, IF_NAMESIZE) == 0)
352: {
353: struct addrlist *lp;
354:
355: al = NULL;
356:
357: if (addr->sa.sa_family == AF_INET && (int_name->flags & (IN4 | INP4)))
358: {
359: struct in_addr newaddr = addr->in.sin_addr;
360:
361: if (int_name->flags & INP4)
362: {
363: if (netmask.s_addr == 0xffffffff)
364: continue;
365:
366: newaddr.s_addr = (addr->in.sin_addr.s_addr & netmask.s_addr) |
367: (int_name->proto4.s_addr & ~netmask.s_addr);
368: }
369:
370: /* check for duplicates. */
371: for (lp = int_name->addr; lp; lp = lp->next)
372: if (lp->flags == 0 && lp->addr.addr4.s_addr == newaddr.s_addr)
373: break;
374:
375: if (!lp)
376: {
377: if (param->spare)
378: {
379: al = param->spare;
380: param->spare = al->next;
381: }
382: else
383: al = whine_malloc(sizeof(struct addrlist));
384:
385: if (al)
386: {
387: al->flags = 0;
388: al->addr.addr4 = newaddr;
389: }
390: }
391: }
392:
393: if (addr->sa.sa_family == AF_INET6 && (int_name->flags & (IN6 | INP6)))
394: {
395: struct in6_addr newaddr = addr->in6.sin6_addr;
396:
397: if (int_name->flags & INP6)
398: {
399: int i;
400:
401: /* No sense in doing /128. */
402: if (prefixlen == 128)
403: continue;
404:
405: for (i = 0; i < 16; i++)
406: {
407: int bits = ((i+1)*8) - prefixlen;
408:
409: if (bits >= 8)
410: newaddr.s6_addr[i] = int_name->proto6.s6_addr[i];
411: else if (bits >= 0)
412: {
413: unsigned char mask = 0xff << bits;
414: newaddr.s6_addr[i] =
415: (addr->in6.sin6_addr.s6_addr[i] & mask) |
416: (int_name->proto6.s6_addr[i] & ~mask);
417: }
418: }
419: }
420:
421: /* check for duplicates. */
422: for (lp = int_name->addr; lp; lp = lp->next)
423: if ((lp->flags & ADDRLIST_IPV6) &&
424: IN6_ARE_ADDR_EQUAL(&lp->addr.addr6, &newaddr))
425: break;
426:
427: if (!lp)
428: {
429: if (param->spare)
430: {
431: al = param->spare;
432: param->spare = al->next;
433: }
434: else
435: al = whine_malloc(sizeof(struct addrlist));
436:
437: if (al)
438: {
439: al->flags = ADDRLIST_IPV6;
440: al->addr.addr6 = newaddr;
441:
442: /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
443: don't appear in forward queries, but will in reverse ones. */
444: if (!(iface_flags & IFACE_PERMANENT) || (iface_flags & (IFACE_DEPRECATED | IFACE_TENTATIVE)))
445: al->flags |= ADDRLIST_REVONLY;
446: }
447: }
448: }
449:
450: if (al)
451: {
452: al->next = int_name->addr;
453: int_name->addr = al;
454: }
455: }
456: }
457:
458: /* Update addresses for domain=<domain>,<interface> */
459: for (cond = daemon->cond_domain; cond; cond = cond->next)
460: if (cond->interface && strncmp(label, cond->interface, IF_NAMESIZE) == 0)
461: {
462: struct addrlist *al;
463:
464: if (param->spare)
465: {
466: al = param->spare;
467: param->spare = al->next;
468: }
469: else
470: al = whine_malloc(sizeof(struct addrlist));
471:
472: if (addr->sa.sa_family == AF_INET)
473: {
474: al->addr.addr4 = addr->in.sin_addr;
475: al->flags = 0;
476: }
477: else
478: {
479: al->addr.addr6 = addr->in6.sin6_addr;
480: al->flags = ADDRLIST_IPV6;
481: }
482:
483: al->prefixlen = prefixlen;
484: al->next = cond->al;
485: cond->al = al;
486: }
487:
488: /* check whether the interface IP has been added already
489: we call this routine multiple times. */
490: for (iface = daemon->interfaces; iface; iface = iface->next)
491: if (sockaddr_isequal(&iface->addr, addr) && iface->index == if_index)
492: {
493: iface->dad = !!(iface_flags & IFACE_TENTATIVE);
494: iface->found = 1; /* for garbage collection */
495: iface->netmask = netmask;
496: return 1;
497: }
498:
499: /* If we are restricting the set of interfaces to use, make
500: sure that loopback interfaces are in that set. */
501: if (daemon->if_names && loopback)
502: {
503: struct iname *lo;
504: for (lo = daemon->if_names; lo; lo = lo->next)
505: if (lo->name && strcmp(lo->name, ifr.ifr_name) == 0)
506: break;
507:
508: if (!lo && (lo = whine_malloc(sizeof(struct iname))))
509: {
510: if ((lo->name = whine_malloc(strlen(ifr.ifr_name)+1)))
511: {
512: strcpy(lo->name, ifr.ifr_name);
513: lo->used = 1;
514: lo->next = daemon->if_names;
515: daemon->if_names = lo;
516: }
517: else
518: free(lo);
519: }
520: }
521:
522: if (addr->sa.sa_family == AF_INET &&
523: !iface_check(AF_INET, (union all_addr *)&addr->in.sin_addr, label, &auth_dns))
524: return 1;
525:
526: if (addr->sa.sa_family == AF_INET6 &&
527: !iface_check(AF_INET6, (union all_addr *)&addr->in6.sin6_addr, label, &auth_dns))
528: return 1;
529:
530: #ifdef HAVE_DHCP
531: /* No DHCP where we're doing auth DNS. */
532: if (auth_dns)
533: {
534: tftp_ok = 0;
535: dhcp_ok = 0;
536: }
537: else
538: for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
539: if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
540: {
541: tftp_ok = 0;
542: dhcp_ok = 0;
543: }
544: #endif
545:
546:
547: #ifdef HAVE_TFTP
548: if (daemon->tftp_interfaces)
549: {
550: /* dedicated tftp interface list */
551: tftp_ok = 0;
552: for (tmp = daemon->tftp_interfaces; tmp; tmp = tmp->next)
553: if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
554: tftp_ok = 1;
555: }
556: #endif
557:
558: /* add to list */
559: if ((iface = whine_malloc(sizeof(struct irec))))
560: {
561: int mtu = 0;
562:
563: if (ioctl(param->fd, SIOCGIFMTU, &ifr) != -1)
564: mtu = ifr.ifr_mtu;
565:
566: iface->addr = *addr;
567: iface->netmask = netmask;
568: iface->tftp_ok = tftp_ok;
569: iface->dhcp_ok = dhcp_ok;
570: iface->dns_auth = auth_dns;
571: iface->mtu = mtu;
572: iface->dad = !!(iface_flags & IFACE_TENTATIVE);
573: iface->found = 1;
574: iface->done = iface->multicast_done = iface->warned = 0;
575: iface->index = if_index;
576: iface->label = is_label;
577: if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
578: {
579: strcpy(iface->name, ifr.ifr_name);
580: iface->next = daemon->interfaces;
581: daemon->interfaces = iface;
582: return 1;
583: }
584: free(iface);
585:
586: }
587:
588: errno = ENOMEM;
589: return 0;
590: }
591:
592: static int iface_allowed_v6(struct in6_addr *local, int prefix,
593: int scope, int if_index, int flags,
594: int preferred, int valid, void *vparam)
595: {
596: union mysockaddr addr;
597: struct in_addr netmask; /* dummy */
598: netmask.s_addr = 0;
599:
600: (void)scope; /* warning */
601: (void)preferred;
602: (void)valid;
603:
604: memset(&addr, 0, sizeof(addr));
605: #ifdef HAVE_SOCKADDR_SA_LEN
606: addr.in6.sin6_len = sizeof(addr.in6);
607: #endif
608: addr.in6.sin6_family = AF_INET6;
609: addr.in6.sin6_addr = *local;
610: addr.in6.sin6_port = htons(daemon->port);
611: /* FreeBSD insists this is zero for non-linklocal addresses */
612: if (IN6_IS_ADDR_LINKLOCAL(local))
613: addr.in6.sin6_scope_id = if_index;
614: else
615: addr.in6.sin6_scope_id = 0;
616:
617: return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, flags);
618: }
619:
620: static int iface_allowed_v4(struct in_addr local, int if_index, char *label,
621: struct in_addr netmask, struct in_addr broadcast, void *vparam)
622: {
623: union mysockaddr addr;
624: int prefix, bit;
625:
626: (void)broadcast; /* warning */
627:
628: memset(&addr, 0, sizeof(addr));
629: #ifdef HAVE_SOCKADDR_SA_LEN
630: addr.in.sin_len = sizeof(addr.in);
631: #endif
632: addr.in.sin_family = AF_INET;
633: addr.in.sin_addr = local;
634: addr.in.sin_port = htons(daemon->port);
635:
636: /* determine prefix length from netmask */
637: for (prefix = 32, bit = 1; (bit & ntohl(netmask.s_addr)) == 0 && prefix != 0; bit = bit << 1, prefix--);
638:
639: return iface_allowed((struct iface_param *)vparam, if_index, label, &addr, netmask, prefix, 0);
640: }
641:
642: /*
643: * Clean old interfaces no longer found.
644: */
645: static void clean_interfaces()
646: {
647: struct irec *iface;
648: struct irec **up = &daemon->interfaces;
649:
650: for (iface = *up; iface; iface = *up)
651: {
652: if (!iface->found && !iface->done)
653: {
654: *up = iface->next;
655: free(iface->name);
656: free(iface);
657: }
658: else
659: {
660: up = &iface->next;
661: }
662: }
663: }
664:
665: /** Release listener if no other interface needs it.
666: *
667: * @return 1 if released, 0 if still required
668: */
669: static int release_listener(struct listener *l)
670: {
671: if (l->used > 1)
672: {
673: struct irec *iface;
674: for (iface = daemon->interfaces; iface; iface = iface->next)
675: if (iface->done && sockaddr_isequal(&l->addr, &iface->addr))
676: {
677: if (iface->found)
678: {
679: /* update listener to point to active interface instead */
680: if (!l->iface->found)
681: l->iface = iface;
682: }
683: else
684: {
685: l->used--;
686: iface->done = 0;
687: }
688: }
689:
690: /* Someone is still using this listener, skip its deletion */
691: if (l->used > 0)
692: return 0;
693: }
694:
695: if (l->iface->done)
696: {
697: int port;
698:
699: port = prettyprint_addr(&l->iface->addr, daemon->addrbuff);
700: my_syslog(LOG_DEBUG|MS_DEBUG, _("stopped listening on %s(#%d): %s port %d"),
701: l->iface->name, l->iface->index, daemon->addrbuff, port);
702: /* In case it ever returns */
703: l->iface->done = 0;
704: }
705:
706: if (l->fd != -1)
707: close(l->fd);
708: if (l->tcpfd != -1)
709: close(l->tcpfd);
710: if (l->tftpfd != -1)
711: close(l->tftpfd);
712:
713: free(l);
714: return 1;
715: }
716:
717: int enumerate_interfaces(int reset)
718: {
719: static struct addrlist *spare = NULL;
720: static int done = 0;
721: struct iface_param param;
722: int errsave, ret = 1;
723: struct addrlist *addr, *tmp;
724: struct interface_name *intname;
725: struct cond_domain *cond;
726: struct irec *iface;
727: #ifdef HAVE_AUTH
728: struct auth_zone *zone;
729: #endif
730: struct server *serv;
731:
732: /* Do this max once per select cycle - also inhibits netlink socket use
733: in TCP child processes. */
734:
735: if (reset)
736: {
737: done = 0;
738: return 1;
739: }
740:
741: if (done)
742: return 1;
743:
744: done = 1;
745:
746: if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
747: return 0;
748:
749: /* iface indexes can change when interfaces are created/destroyed.
750: We use them in the main forwarding control path, when the path
751: to a server is specified by an interface, so cache them.
752: Update the cache here. */
753: for (serv = daemon->servers; serv; serv = serv->next)
754: if (serv->interface[0] != 0)
755: {
756: #ifdef HAVE_LINUX_NETWORK
757: struct ifreq ifr;
758:
759: safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE);
760: if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1)
761: serv->ifindex = ifr.ifr_ifindex;
762: #else
763: serv->ifindex = if_nametoindex(serv->interface);
764: #endif
765: }
766:
767: again:
768: /* Mark interfaces for garbage collection */
769: for (iface = daemon->interfaces; iface; iface = iface->next)
770: iface->found = 0;
771:
772: /* remove addresses stored against interface_names */
773: for (intname = daemon->int_names; intname; intname = intname->next)
774: {
775: for (addr = intname->addr; addr; addr = tmp)
776: {
777: tmp = addr->next;
778: addr->next = spare;
779: spare = addr;
780: }
781:
782: intname->addr = NULL;
783: }
784:
785: /* remove addresses stored against cond-domains. */
786: for (cond = daemon->cond_domain; cond; cond = cond->next)
787: {
788: for (addr = cond->al; addr; addr = tmp)
789: {
790: tmp = addr->next;
791: addr->next = spare;
792: spare = addr;
793: }
794:
795: cond->al = NULL;
796: }
797:
798: /* Remove list of addresses of local interfaces */
799: for (addr = daemon->interface_addrs; addr; addr = tmp)
800: {
801: tmp = addr->next;
802: addr->next = spare;
803: spare = addr;
804: }
805: daemon->interface_addrs = NULL;
806:
807: #ifdef HAVE_AUTH
808: /* remove addresses stored against auth_zone subnets, but not
809: ones configured as address literals */
810: for (zone = daemon->auth_zones; zone; zone = zone->next)
811: if (zone->interface_names)
812: {
813: struct addrlist **up;
814: for (up = &zone->subnet, addr = zone->subnet; addr; addr = tmp)
815: {
816: tmp = addr->next;
817: if (addr->flags & ADDRLIST_LITERAL)
818: up = &addr->next;
819: else
820: {
821: *up = addr->next;
822: addr->next = spare;
823: spare = addr;
824: }
825: }
826: }
827: #endif
828:
829: param.spare = spare;
830:
831: ret = iface_enumerate(AF_INET6, ¶m, iface_allowed_v6);
832: if (ret < 0)
833: goto again;
834: else if (ret)
835: {
836: ret = iface_enumerate(AF_INET, ¶m, iface_allowed_v4);
837: if (ret < 0)
838: goto again;
839: }
840:
841: errsave = errno;
842: close(param.fd);
843:
844: if (option_bool(OPT_CLEVERBIND))
845: {
846: /* Garbage-collect listeners listening on addresses that no longer exist.
847: Does nothing when not binding interfaces or for listeners on localhost,
848: since the ->iface field is NULL. Note that this needs the protections
849: against reentrancy, hence it's here. It also means there's a possibility,
850: in OPT_CLEVERBIND mode, that at listener will just disappear after
851: a call to enumerate_interfaces, this is checked OK on all calls. */
852: struct listener *l, *tmp, **up;
853: int freed = 0;
854:
855: for (up = &daemon->listeners, l = daemon->listeners; l; l = tmp)
856: {
857: tmp = l->next;
858:
859: if (!l->iface || l->iface->found)
860: up = &l->next;
861: else if (release_listener(l))
862: {
863: *up = tmp;
864: freed = 1;
865: }
866: }
867:
868: if (freed)
869: clean_interfaces();
870: }
871:
872: errno = errsave;
873: spare = param.spare;
874:
875: return ret;
876: }
877:
878: /* set NONBLOCK bit on fd: See Stevens 16.6 */
879: int fix_fd(int fd)
880: {
881: int flags;
882:
883: if ((flags = fcntl(fd, F_GETFL)) == -1 ||
884: fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
885: return 0;
886:
887: return 1;
888: }
889:
890: static int make_sock(union mysockaddr *addr, int type, int dienow)
891: {
892: int family = addr->sa.sa_family;
893: int fd, rc, opt = 1;
894:
895: if ((fd = socket(family, type, 0)) == -1)
896: {
897: int port, errsave;
898: char *s;
899:
900: /* No error if the kernel just doesn't support this IP flavour */
901: if (errno == EPROTONOSUPPORT ||
902: errno == EAFNOSUPPORT ||
903: errno == EINVAL)
904: return -1;
905:
906: err:
907: errsave = errno;
908: port = prettyprint_addr(addr, daemon->addrbuff);
909: if (!option_bool(OPT_NOWILD) && !option_bool(OPT_CLEVERBIND))
910: sprintf(daemon->addrbuff, "port %d", port);
911: s = _("failed to create listening socket for %s: %s");
912:
913: if (fd != -1)
914: close (fd);
915:
916: errno = errsave;
917:
918: if (dienow)
919: {
920: /* failure to bind addresses given by --listen-address at this point
921: is OK if we're doing bind-dynamic */
922: if (!option_bool(OPT_CLEVERBIND))
923: die(s, daemon->addrbuff, EC_BADNET);
924: }
925: else
926: my_syslog(LOG_WARNING, s, daemon->addrbuff, strerror(errno));
927:
928: return -1;
929: }
930:
931: if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 || !fix_fd(fd))
932: goto err;
933:
934: if (family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof(opt)) == -1)
935: goto err;
936:
937: if ((rc = bind(fd, (struct sockaddr *)addr, sa_len(addr))) == -1)
938: goto err;
939:
940: if (type == SOCK_STREAM)
941: {
942: #ifdef TCP_FASTOPEN
943: int qlen = 5;
944: setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen));
945: #endif
946:
947: if (listen(fd, TCP_BACKLOG) == -1)
948: goto err;
949: }
950: else if (family == AF_INET)
951: {
952: if (!option_bool(OPT_NOWILD))
953: {
954: #if defined(HAVE_LINUX_NETWORK)
955: if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1)
956: goto err;
957: #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
958: if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
959: setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1)
960: goto err;
961: #endif
962: }
963: }
964: else if (!set_ipv6pktinfo(fd))
965: goto err;
966:
967: return fd;
968: }
969:
970: int set_ipv6pktinfo(int fd)
971: {
972: int opt = 1;
973:
974: /* The API changed around Linux 2.6.14 but the old ABI is still supported:
975: handle all combinations of headers and kernel.
976: OpenWrt note that this fixes the problem addressed by your very broken patch. */
977: daemon->v6pktinfo = IPV6_PKTINFO;
978:
979: #ifdef IPV6_RECVPKTINFO
980: if (setsockopt(fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &opt, sizeof(opt)) != -1)
981: return 1;
982: # ifdef IPV6_2292PKTINFO
983: else if (errno == ENOPROTOOPT && setsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTINFO, &opt, sizeof(opt)) != -1)
984: {
985: daemon->v6pktinfo = IPV6_2292PKTINFO;
986: return 1;
987: }
988: # endif
989: #else
990: if (setsockopt(fd, IPPROTO_IPV6, IPV6_PKTINFO, &opt, sizeof(opt)) != -1)
991: return 1;
992: #endif
993:
994: return 0;
995: }
996:
997:
998: /* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
999: int tcp_interface(int fd, int af)
1000: {
1001: (void)fd; /* suppress potential unused warning */
1002: (void)af; /* suppress potential unused warning */
1003: int if_index = 0;
1004:
1005: #ifdef HAVE_LINUX_NETWORK
1006: int opt = 1;
1007: struct cmsghdr *cmptr;
1008: struct msghdr msg;
1009: socklen_t len;
1010:
1011: /* use mshdr so that the CMSDG_* macros are available */
1012: msg.msg_control = daemon->packet;
1013: msg.msg_controllen = len = daemon->packet_buff_sz;
1014:
1015: /* we overwrote the buffer... */
1016: daemon->srv_save = NULL;
1017:
1018: if (af == AF_INET)
1019: {
1020: if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
1021: getsockopt(fd, IPPROTO_IP, IP_PKTOPTIONS, msg.msg_control, &len) != -1)
1022: {
1023: msg.msg_controllen = len;
1024: for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1025: if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
1026: {
1027: union {
1028: unsigned char *c;
1029: struct in_pktinfo *p;
1030: } p;
1031:
1032: p.c = CMSG_DATA(cmptr);
1033: if_index = p.p->ipi_ifindex;
1034: }
1035: }
1036: }
1037: else
1038: {
1039: /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
1040: it was removed in RFC-3542 !!!!
1041:
1042: Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
1043: uses the old ABI, and should work with pre- and post-3542 kernel headers */
1044:
1045: #ifdef IPV6_2292PKTOPTIONS
1046: # define PKTOPTIONS IPV6_2292PKTOPTIONS
1047: #else
1048: # define PKTOPTIONS IPV6_PKTOPTIONS
1049: #endif
1050:
1051: if (set_ipv6pktinfo(fd) &&
1052: getsockopt(fd, IPPROTO_IPV6, PKTOPTIONS, msg.msg_control, &len) != -1)
1053: {
1054: msg.msg_controllen = len;
1055: for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1056: if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1057: {
1058: union {
1059: unsigned char *c;
1060: struct in6_pktinfo *p;
1061: } p;
1062: p.c = CMSG_DATA(cmptr);
1063:
1064: if_index = p.p->ipi6_ifindex;
1065: }
1066: }
1067: }
1068: #endif /* Linux */
1069:
1070: return if_index;
1071: }
1072:
1073: static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, int dienow)
1074: {
1075: struct listener *l = NULL;
1076: int fd = -1, tcpfd = -1, tftpfd = -1;
1077:
1078: (void)do_tftp;
1079:
1080: if (daemon->port != 0)
1081: {
1082: fd = make_sock(addr, SOCK_DGRAM, dienow);
1083: tcpfd = make_sock(addr, SOCK_STREAM, dienow);
1084: }
1085:
1086: #ifdef HAVE_TFTP
1087: if (do_tftp)
1088: {
1089: if (addr->sa.sa_family == AF_INET)
1090: {
1091: /* port must be restored to DNS port for TCP code */
1092: short save = addr->in.sin_port;
1093: addr->in.sin_port = htons(TFTP_PORT);
1094: tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
1095: addr->in.sin_port = save;
1096: }
1097: else
1098: {
1099: short save = addr->in6.sin6_port;
1100: addr->in6.sin6_port = htons(TFTP_PORT);
1101: tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
1102: addr->in6.sin6_port = save;
1103: }
1104: }
1105: #endif
1106:
1107: if (fd != -1 || tcpfd != -1 || tftpfd != -1)
1108: {
1109: l = safe_malloc(sizeof(struct listener));
1110: l->next = NULL;
1111: l->fd = fd;
1112: l->tcpfd = tcpfd;
1113: l->tftpfd = tftpfd;
1114: l->addr = *addr;
1115: l->used = 1;
1116: l->iface = NULL;
1117: }
1118:
1119: return l;
1120: }
1121:
1122: void create_wildcard_listeners(void)
1123: {
1124: union mysockaddr addr;
1125: struct listener *l, *l6;
1126:
1127: memset(&addr, 0, sizeof(addr));
1128: #ifdef HAVE_SOCKADDR_SA_LEN
1129: addr.in.sin_len = sizeof(addr.in);
1130: #endif
1131: addr.in.sin_family = AF_INET;
1132: addr.in.sin_addr.s_addr = INADDR_ANY;
1133: addr.in.sin_port = htons(daemon->port);
1134:
1135: l = create_listeners(&addr, !!option_bool(OPT_TFTP), 1);
1136:
1137: memset(&addr, 0, sizeof(addr));
1138: #ifdef HAVE_SOCKADDR_SA_LEN
1139: addr.in6.sin6_len = sizeof(addr.in6);
1140: #endif
1141: addr.in6.sin6_family = AF_INET6;
1142: addr.in6.sin6_addr = in6addr_any;
1143: addr.in6.sin6_port = htons(daemon->port);
1144:
1145: l6 = create_listeners(&addr, !!option_bool(OPT_TFTP), 1);
1146: if (l)
1147: l->next = l6;
1148: else
1149: l = l6;
1150:
1151: daemon->listeners = l;
1152: }
1153:
1154: static struct listener *find_listener(union mysockaddr *addr)
1155: {
1156: struct listener *l;
1157: for (l = daemon->listeners; l; l = l->next)
1158: if (sockaddr_isequal(&l->addr, addr))
1159: return l;
1160: return NULL;
1161: }
1162:
1163: void create_bound_listeners(int dienow)
1164: {
1165: struct listener *new;
1166: struct irec *iface;
1167: struct iname *if_tmp;
1168: struct listener *existing;
1169:
1170: for (iface = daemon->interfaces; iface; iface = iface->next)
1171: if (!iface->done && !iface->dad && iface->found)
1172: {
1173: existing = find_listener(&iface->addr);
1174: if (existing)
1175: {
1176: iface->done = 1;
1177: existing->used++; /* increase usage counter */
1178: }
1179: else if ((new = create_listeners(&iface->addr, iface->tftp_ok, dienow)))
1180: {
1181: new->iface = iface;
1182: new->next = daemon->listeners;
1183: daemon->listeners = new;
1184: iface->done = 1;
1185:
1186: /* Don't log the initial set of listen addresses created
1187: at startup, since this is happening before the logging
1188: system is initialised and the sign-on printed. */
1189: if (!dienow)
1190: {
1191: int port = prettyprint_addr(&iface->addr, daemon->addrbuff);
1192: my_syslog(LOG_DEBUG|MS_DEBUG, _("listening on %s(#%d): %s port %d"),
1193: iface->name, iface->index, daemon->addrbuff, port);
1194: }
1195: }
1196: }
1197:
1198: /* Check for --listen-address options that haven't been used because there's
1199: no interface with a matching address. These may be valid: eg it's possible
1200: to listen on 127.0.1.1 even if the loopback interface is 127.0.0.1
1201:
1202: If the address isn't valid the bind() will fail and we'll die()
1203: (except in bind-dynamic mode, when we'll complain but keep trying.)
1204:
1205: The resulting listeners have the ->iface field NULL, and this has to be
1206: handled by the DNS and TFTP code. It disables --localise-queries processing
1207: (no netmask) and some MTU login the tftp code. */
1208:
1209: for (if_tmp = daemon->if_addrs; if_tmp; if_tmp = if_tmp->next)
1210: if (!if_tmp->used &&
1211: (new = create_listeners(&if_tmp->addr, !!option_bool(OPT_TFTP), dienow)))
1212: {
1213: new->next = daemon->listeners;
1214: daemon->listeners = new;
1215:
1216: if (!dienow)
1217: {
1218: int port = prettyprint_addr(&if_tmp->addr, daemon->addrbuff);
1219: my_syslog(LOG_DEBUG|MS_DEBUG, _("listening on %s port %d"), daemon->addrbuff, port);
1220: }
1221: }
1222: }
1223:
1224: /* In --bind-interfaces, the only access control is the addresses we're listening on.
1225: There's nothing to avoid a query to the address of an internal interface arriving via
1226: an external interface where we don't want to accept queries, except that in the usual
1227: case the addresses of internal interfaces are RFC1918. When bind-interfaces in use,
1228: and we listen on an address that looks like it's probably globally routeable, shout.
1229:
1230: The fix is to use --bind-dynamic, which actually checks the arrival interface too.
1231: Tough if your platform doesn't support this.
1232:
1233: Note that checking the arrival interface is supported in the standard IPv6 API and
1234: always done, so we don't warn about any IPv6 addresses here.
1235: */
1236:
1237: void warn_bound_listeners(void)
1238: {
1239: struct irec *iface;
1240: int advice = 0;
1241:
1242: for (iface = daemon->interfaces; iface; iface = iface->next)
1243: if (!iface->dns_auth)
1244: {
1245: if (iface->addr.sa.sa_family == AF_INET)
1246: {
1247: if (!private_net(iface->addr.in.sin_addr, 1))
1248: {
1249: inet_ntop(AF_INET, &iface->addr.in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
1250: iface->warned = advice = 1;
1251: my_syslog(LOG_WARNING,
1252: _("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"),
1253: daemon->addrbuff, iface->name);
1254: }
1255: }
1256: }
1257:
1258: if (advice)
1259: my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));
1260: }
1261:
1262: void warn_wild_labels(void)
1263: {
1264: struct irec *iface;
1265:
1266: for (iface = daemon->interfaces; iface; iface = iface->next)
1267: if (iface->found && iface->name && iface->label)
1268: my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
1269: }
1270:
1271: void warn_int_names(void)
1272: {
1273: struct interface_name *intname;
1274:
1275: for (intname = daemon->int_names; intname; intname = intname->next)
1276: if (!intname->addr)
1277: my_syslog(LOG_WARNING, _("warning: no addresses found for interface %s"), intname->intr);
1278: }
1279:
1280: int is_dad_listeners(void)
1281: {
1282: struct irec *iface;
1283:
1284: if (option_bool(OPT_NOWILD))
1285: for (iface = daemon->interfaces; iface; iface = iface->next)
1286: if (iface->dad && !iface->done)
1287: return 1;
1288:
1289: return 0;
1290: }
1291:
1292: #ifdef HAVE_DHCP6
1293: void join_multicast(int dienow)
1294: {
1295: struct irec *iface, *tmp;
1296:
1297: for (iface = daemon->interfaces; iface; iface = iface->next)
1298: if (iface->addr.sa.sa_family == AF_INET6 && iface->dhcp_ok && !iface->multicast_done)
1299: {
1300: /* There's an irec per address but we only want to join for multicast
1301: once per interface. Weed out duplicates. */
1302: for (tmp = daemon->interfaces; tmp; tmp = tmp->next)
1303: if (tmp->multicast_done && tmp->index == iface->index)
1304: break;
1305:
1306: iface->multicast_done = 1;
1307:
1308: if (!tmp)
1309: {
1310: struct ipv6_mreq mreq;
1311: int err = 0;
1312:
1313: mreq.ipv6mr_interface = iface->index;
1314:
1315: inet_pton(AF_INET6, ALL_RELAY_AGENTS_AND_SERVERS, &mreq.ipv6mr_multiaddr);
1316:
1317: if ((daemon->doing_dhcp6 || daemon->relay6) &&
1318: setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
1319: err = errno;
1320:
1321: inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
1322:
1323: if (daemon->doing_dhcp6 &&
1324: setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
1325: err = errno;
1326:
1327: inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
1328:
1329: if (daemon->doing_ra &&
1330: setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
1331: err = errno;
1332:
1333: if (err)
1334: {
1335: char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
1336: errno = err;
1337:
1338: #ifdef HAVE_LINUX_NETWORK
1339: if (errno == ENOMEM)
1340: my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
1341: #endif
1342:
1343: if (dienow)
1344: die(s, iface->name, EC_BADNET);
1345: else
1346: my_syslog(LOG_ERR, s, iface->name, strerror(errno));
1347: }
1348: }
1349: }
1350: }
1351: #endif
1352:
1353: int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp)
1354: {
1355: union mysockaddr addr_copy = *addr;
1356: unsigned short port;
1357: int tries = 1;
1358: unsigned short ports_avail = 1;
1359:
1360: if (addr_copy.sa.sa_family == AF_INET)
1361: port = addr_copy.in.sin_port;
1362: else
1363: port = addr_copy.in6.sin6_port;
1364:
1365: /* cannot set source _port_ for TCP connections. */
1366: if (is_tcp)
1367: port = 0;
1368: else if (port == 0 && daemon->max_port != 0)
1369: {
1370: /* Bind a random port within the range given by min-port and max-port if either
1371: or both are set. Otherwise use the OS's random ephemeral port allocation by
1372: leaving port == 0 and tries == 1 */
1373: ports_avail = daemon->max_port - daemon->min_port + 1;
1374: tries = (ports_avail < SMALL_PORT_RANGE) ? ports_avail : 100;
1375: port = htons(daemon->min_port + (rand16() % ports_avail));
1376: }
1377:
1378: while (1)
1379: {
1380: /* elide bind() call if it's to port 0, address 0 */
1381: if (addr_copy.sa.sa_family == AF_INET)
1382: {
1383: if (port == 0 && addr_copy.in.sin_addr.s_addr == 0)
1384: break;
1385: addr_copy.in.sin_port = port;
1386: }
1387: else
1388: {
1389: if (port == 0 && IN6_IS_ADDR_UNSPECIFIED(&addr_copy.in6.sin6_addr))
1390: break;
1391: addr_copy.in6.sin6_port = port;
1392: }
1393:
1394: if (bind(fd, (struct sockaddr *)&addr_copy, sa_len(&addr_copy)) != -1)
1395: break;
1396:
1397: if (errno != EADDRINUSE && errno != EACCES)
1398: return 0;
1399:
1400: if (--tries == 0)
1401: return 0;
1402:
1403: /* For small ranges, do a systematic search, not a random one. */
1404: if (ports_avail < SMALL_PORT_RANGE)
1405: {
1406: unsigned short hport = ntohs(port);
1407: if (hport++ == daemon->max_port)
1408: hport = daemon->min_port;
1409: port = htons(hport);
1410: }
1411: else
1412: port = htons(daemon->min_port + (rand16() % ports_avail));
1413: }
1414:
1415: if (!is_tcp && ifindex > 0)
1416: {
1417: #if defined(IP_UNICAST_IF)
1418: if (addr_copy.sa.sa_family == AF_INET)
1419: {
1420: uint32_t ifindex_opt = htonl(ifindex);
1421: return setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_opt, sizeof(ifindex_opt)) == 0;
1422: }
1423: #endif
1424: #if defined (IPV6_UNICAST_IF)
1425: if (addr_copy.sa.sa_family == AF_INET6)
1426: {
1427: uint32_t ifindex_opt = htonl(ifindex);
1428: return setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex_opt, sizeof(ifindex_opt)) == 0;
1429: }
1430: #endif
1431: }
1432:
1433: (void)intname; /* suppress potential unused warning */
1434: #if defined(SO_BINDTODEVICE)
1435: if (intname[0] != 0 &&
1436: setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, IF_NAMESIZE) == -1)
1437: return 0;
1438: #endif
1439:
1440: return 1;
1441: }
1442:
1443: static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex)
1444: {
1445: struct serverfd *sfd;
1446: int errsave;
1447: int opt = 1;
1448:
1449: /* when using random ports, servers which would otherwise use
1450: the INADDR_ANY/port0 socket have sfd set to NULL, this is
1451: anything without an explictly set source port. */
1452: if (!daemon->osport)
1453: {
1454: errno = 0;
1455:
1456: if (addr->sa.sa_family == AF_INET &&
1457: addr->in.sin_port == htons(0))
1458: return NULL;
1459:
1460: if (addr->sa.sa_family == AF_INET6 &&
1461: addr->in6.sin6_port == htons(0))
1462: return NULL;
1463: }
1464:
1465: /* may have a suitable one already */
1466: for (sfd = daemon->sfds; sfd; sfd = sfd->next )
1467: if (ifindex == sfd->ifindex &&
1468: sockaddr_isequal(&sfd->source_addr, addr) &&
1469: strcmp(intname, sfd->interface) == 0)
1470: return sfd;
1471:
1472: /* need to make a new one. */
1473: errno = ENOMEM; /* in case malloc fails. */
1474: if (!(sfd = whine_malloc(sizeof(struct serverfd))))
1475: return NULL;
1476:
1477: if ((sfd->fd = socket(addr->sa.sa_family, SOCK_DGRAM, 0)) == -1)
1478: {
1479: free(sfd);
1480: return NULL;
1481: }
1482:
1483: if ((addr->sa.sa_family == AF_INET6 && setsockopt(sfd->fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof(opt)) == -1) ||
1484: !local_bind(sfd->fd, addr, intname, ifindex, 0) || !fix_fd(sfd->fd))
1485: {
1486: errsave = errno; /* save error from bind/setsockopt. */
1487: close(sfd->fd);
1488: free(sfd);
1489: errno = errsave;
1490: return NULL;
1491: }
1492:
1493: safe_strncpy(sfd->interface, intname, sizeof(sfd->interface));
1494: sfd->source_addr = *addr;
1495: sfd->next = daemon->sfds;
1496: sfd->ifindex = ifindex;
1497: sfd->preallocated = 0;
1498: daemon->sfds = sfd;
1499:
1500: return sfd;
1501: }
1502:
1503: /* create upstream sockets during startup, before root is dropped which may be needed
1504: this allows query_port to be a low port and interface binding */
1505: void pre_allocate_sfds(void)
1506: {
1507: struct server *srv;
1508: struct serverfd *sfd;
1509:
1510: if (daemon->query_port != 0)
1511: {
1512: union mysockaddr addr;
1513: memset(&addr, 0, sizeof(addr));
1514: addr.in.sin_family = AF_INET;
1515: addr.in.sin_addr.s_addr = INADDR_ANY;
1516: addr.in.sin_port = htons(daemon->query_port);
1517: #ifdef HAVE_SOCKADDR_SA_LEN
1518: addr.in.sin_len = sizeof(struct sockaddr_in);
1519: #endif
1520: if ((sfd = allocate_sfd(&addr, "", 0)))
1521: sfd->preallocated = 1;
1522:
1523: memset(&addr, 0, sizeof(addr));
1524: addr.in6.sin6_family = AF_INET6;
1525: addr.in6.sin6_addr = in6addr_any;
1526: addr.in6.sin6_port = htons(daemon->query_port);
1527: #ifdef HAVE_SOCKADDR_SA_LEN
1528: addr.in6.sin6_len = sizeof(struct sockaddr_in6);
1529: #endif
1530: if ((sfd = allocate_sfd(&addr, "", 0)))
1531: sfd->preallocated = 1;
1532: }
1533:
1534: for (srv = daemon->servers; srv; srv = srv->next)
1535: if (!allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) &&
1536: errno != 0 &&
1537: option_bool(OPT_NOWILD))
1538: {
1539: (void)prettyprint_addr(&srv->source_addr, daemon->namebuff);
1540: if (srv->interface[0] != 0)
1541: {
1542: strcat(daemon->namebuff, " ");
1543: strcat(daemon->namebuff, srv->interface);
1544: }
1545: die(_("failed to bind server socket for %s: %s"),
1546: daemon->namebuff, EC_BADNET);
1547: }
1548: }
1549:
1550: void check_servers(int no_loop_check)
1551: {
1552: struct irec *iface;
1553: struct server *serv;
1554: struct serverfd *sfd, *tmp, **up;
1555: int port = 0, count;
1556: int locals = 0;
1557:
1558: #ifdef HAVE_LOOP
1559: if (!no_loop_check)
1560: loop_send_probes();
1561: #endif
1562:
1563: /* clear all marks. */
1564: mark_servers(0);
1565:
1566: /* interface may be new since startup */
1567: if (!option_bool(OPT_NOWILD))
1568: enumerate_interfaces(0);
1569:
1570: /* don't garbage collect pre-allocated sfds. */
1571: for (sfd = daemon->sfds; sfd; sfd = sfd->next)
1572: sfd->used = sfd->preallocated;
1573:
1574: for (count = 0, serv = daemon->servers; serv; serv = serv->next)
1575: {
1576: /* Init edns_pktsz for newly created server records. */
1577: if (serv->edns_pktsz == 0)
1578: serv->edns_pktsz = daemon->edns_pktsz;
1579:
1580: #ifdef HAVE_DNSSEC
1581: if (option_bool(OPT_DNSSEC_VALID))
1582: {
1583: if (!(serv->flags & SERV_FOR_NODOTS))
1584: serv->flags |= SERV_DO_DNSSEC;
1585:
1586: /* Disable DNSSEC validation when using server=/domain/.... servers
1587: unless there's a configured trust anchor. */
1588: if (strlen(serv->domain) != 0)
1589: {
1590: struct ds_config *ds;
1591: char *domain = serv->domain;
1592:
1593: /* .example.com is valid */
1594: while (*domain == '.')
1595: domain++;
1596:
1597: for (ds = daemon->ds; ds; ds = ds->next)
1598: if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
1599: break;
1600:
1601: if (!ds)
1602: serv->flags &= ~SERV_DO_DNSSEC;
1603: }
1604: }
1605: #endif
1606:
1607: port = prettyprint_addr(&serv->addr, daemon->namebuff);
1608:
1609: /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
1610: if (serv->addr.sa.sa_family == AF_INET &&
1611: serv->addr.in.sin_addr.s_addr == 0)
1612: {
1613: serv->flags |= SERV_MARK;
1614: continue;
1615: }
1616:
1617: for (iface = daemon->interfaces; iface; iface = iface->next)
1618: if (sockaddr_isequal(&serv->addr, &iface->addr))
1619: break;
1620: if (iface)
1621: {
1622: my_syslog(LOG_WARNING, _("ignoring nameserver %s - local interface"), daemon->namebuff);
1623: serv->flags |= SERV_MARK;
1624: continue;
1625: }
1626:
1627: /* Do we need a socket set? */
1628: if (!serv->sfd &&
1629: !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) &&
1630: errno != 0)
1631: {
1632: my_syslog(LOG_WARNING,
1633: _("ignoring nameserver %s - cannot make/bind socket: %s"),
1634: daemon->namebuff, strerror(errno));
1635: serv->flags |= SERV_MARK;
1636: continue;
1637: }
1638:
1639: if (serv->sfd)
1640: serv->sfd->used = 1;
1641:
1642: if (count == SERVERS_LOGGED)
1643: my_syslog(LOG_INFO, _("more servers are defined but not logged"));
1644:
1645: if (++count > SERVERS_LOGGED)
1646: continue;
1647:
1648: if (strlen(serv->domain) != 0 || (serv->flags & SERV_FOR_NODOTS))
1649: {
1650: char *s1, *s2, *s3 = "", *s4 = "";
1651:
1652: #ifdef HAVE_DNSSEC
1653: if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
1654: s3 = _("(no DNSSEC)");
1655: #endif
1656: if (serv->flags & SERV_FOR_NODOTS)
1657: s1 = _("unqualified"), s2 = _("names");
1658: else if (strlen(serv->domain) == 0)
1659: s1 = _("default"), s2 = "";
1660: else
1661: s1 = _("domain"), s2 = serv->domain, s4 = (serv->flags & SERV_WILDCARD) ? "*" : "";
1662:
1663: my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s%s %s"), daemon->namebuff, port, s1, s4, s2, s3);
1664: }
1665: #ifdef HAVE_LOOP
1666: else if (serv->flags & SERV_LOOP)
1667: my_syslog(LOG_INFO, _("NOT using nameserver %s#%d - query loop detected"), daemon->namebuff, port);
1668: #endif
1669: else if (serv->interface[0] != 0)
1670: my_syslog(LOG_INFO, _("using nameserver %s#%d(via %s)"), daemon->namebuff, port, serv->interface);
1671: else
1672: my_syslog(LOG_INFO, _("using nameserver %s#%d"), daemon->namebuff, port);
1673:
1674: }
1675:
1676: for (count = 0, serv = daemon->local_domains; serv; serv = serv->next)
1677: {
1678: if (++count > SERVERS_LOGGED)
1679: continue;
1680:
1681: if ((serv->flags & SERV_LITERAL_ADDRESS) &&
1682: !(serv->flags & (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)) &&
1683: strlen(serv->domain))
1684: {
1685: count--;
1686: if (++locals <= LOCALS_LOGGED)
1687: my_syslog(LOG_INFO, _("using only locally-known addresses for %s"), serv->domain);
1688: }
1689: else if (serv->flags & SERV_USE_RESOLV)
1690: my_syslog(LOG_INFO, _("using standard nameservers for %s"), serv->domain);
1691: }
1692:
1693: if (locals > LOCALS_LOGGED)
1694: my_syslog(LOG_INFO, _("using %d more local addresses"), locals - LOCALS_LOGGED);
1695: if (count - 1 > SERVERS_LOGGED)
1696: my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
1697:
1698: /* Remove unused sfds */
1699: for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
1700: {
1701: tmp = sfd->next;
1702: if (!sfd->used)
1703: {
1704: *up = sfd->next;
1705: close(sfd->fd);
1706: free(sfd);
1707: }
1708: else
1709: up = &sfd->next;
1710: }
1711:
1712: cleanup_servers(); /* remove servers we just deleted. */
1713: build_server_array();
1714: }
1715:
1716: /* Return zero if no servers found, in that case we keep polling.
1717: This is a protection against an update-time/write race on resolv.conf */
1718: int reload_servers(char *fname)
1719: {
1720: FILE *f;
1721: char *line;
1722: int gotone = 0;
1723:
1724: /* buff happens to be MAXDNAME long... */
1725: if (!(f = fopen(fname, "r")))
1726: {
1727: my_syslog(LOG_ERR, _("failed to read %s: %s"), fname, strerror(errno));
1728: return 0;
1729: }
1730:
1731: mark_servers(SERV_FROM_RESOLV);
1732:
1733: while ((line = fgets(daemon->namebuff, MAXDNAME, f)))
1734: {
1735: union mysockaddr addr, source_addr;
1736: char *token = strtok(line, " \t\n\r");
1737:
1738: if (!token)
1739: continue;
1740: if (strcmp(token, "nameserver") != 0 && strcmp(token, "server") != 0)
1741: continue;
1742: if (!(token = strtok(NULL, " \t\n\r")))
1743: continue;
1744:
1745: memset(&addr, 0, sizeof(addr));
1746: memset(&source_addr, 0, sizeof(source_addr));
1747:
1748: if (inet_pton(AF_INET, token, &addr.in.sin_addr) > 0)
1749: {
1750: #ifdef HAVE_SOCKADDR_SA_LEN
1751: source_addr.in.sin_len = addr.in.sin_len = sizeof(source_addr.in);
1752: #endif
1753: source_addr.in.sin_family = addr.in.sin_family = AF_INET;
1754: addr.in.sin_port = htons(NAMESERVER_PORT);
1755: source_addr.in.sin_addr.s_addr = INADDR_ANY;
1756: source_addr.in.sin_port = htons(daemon->query_port);
1757: }
1758: else
1759: {
1760: int scope_index = 0;
1761: char *scope_id = strchr(token, '%');
1762:
1763: if (scope_id)
1764: {
1765: *(scope_id++) = 0;
1766: scope_index = if_nametoindex(scope_id);
1767: }
1768:
1769: if (inet_pton(AF_INET6, token, &addr.in6.sin6_addr) > 0)
1770: {
1771: #ifdef HAVE_SOCKADDR_SA_LEN
1772: source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(source_addr.in6);
1773: #endif
1774: source_addr.in6.sin6_family = addr.in6.sin6_family = AF_INET6;
1775: source_addr.in6.sin6_flowinfo = addr.in6.sin6_flowinfo = 0;
1776: addr.in6.sin6_port = htons(NAMESERVER_PORT);
1777: addr.in6.sin6_scope_id = scope_index;
1778: source_addr.in6.sin6_addr = in6addr_any;
1779: source_addr.in6.sin6_port = htons(daemon->query_port);
1780: source_addr.in6.sin6_scope_id = 0;
1781: }
1782: else
1783: continue;
1784: }
1785:
1786: add_update_server(SERV_FROM_RESOLV, &addr, &source_addr, NULL, NULL, NULL);
1787: gotone = 1;
1788: }
1789:
1790: fclose(f);
1791: cleanup_servers();
1792:
1793: return gotone;
1794: }
1795:
1796: /* Called when addresses are added or deleted from an interface */
1797: void newaddress(time_t now)
1798: {
1799: struct dhcp_relay *relay;
1800:
1801: (void)now;
1802:
1803: if (option_bool(OPT_CLEVERBIND) || option_bool(OPT_LOCAL_SERVICE) ||
1804: daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
1805: enumerate_interfaces(0);
1806:
1807: if (option_bool(OPT_CLEVERBIND))
1808: create_bound_listeners(0);
1809:
1810: #ifdef HAVE_DHCP
1811: /* clear cache of subnet->relay index */
1812: for (relay = daemon->relay4; relay; relay = relay->next)
1813: relay->iface_index = 0;
1814: #endif
1815:
1816: #ifdef HAVE_DHCP6
1817: if (daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
1818: join_multicast(0);
1819:
1820: if (daemon->doing_dhcp6 || daemon->doing_ra)
1821: dhcp_construct_contexts(now);
1822:
1823: if (daemon->doing_dhcp6)
1824: lease_find_interfaces(now);
1825:
1826: for (relay = daemon->relay6; relay; relay = relay->next)
1827: relay->iface_index = 0;
1828: #endif
1829: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>