1 /* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 #ifndef IN6_IS_ADDR_ULA
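/* True when the IPv6 address at `a` is a Unique Local Address (fc00::/7).
   Only the top seven bits of the first 32-bit word are significant, so the
   mask must be 0xfe000000. With a digit missing from the mask the masked
   value can never equal 0xfc000000, the test is always false, and callers
   that use !IN6_IS_ADDR_ULA() to spot globally routable addresses would
   treat every ULA as global.
   NOTE(review): `a` is read as 32-bit words, so it is assumed to point at a
   suitably aligned struct in6_addr - confirm at call sites. */
#define IN6_IS_ADDR_ULA(a) ((((const uint32_t *) (a))[0] & htonl (0xfe000000)) == htonl (0xfc000000))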
23 #ifdef HAVE_LINUX_NETWORK
25 int indextoname(int fd
, int index
, char *name
)
32 ifr
.ifr_ifindex
= index
;
33 if (ioctl(fd
, SIOCGIFNAME
, &ifr
) == -1)
36 strncpy(name
, ifr
.ifr_name
, IF_NAMESIZE
);
42 #elif defined(HAVE_SOLARIS_NETWORK)
46 #ifndef LIFC_UNDER_IPMP
47 # define LIFC_UNDER_IPMP 0
50 int indextoname(int fd
, int index
, char *name
)
54 int numifs
, bufsize
, i
;
61 if (getzoneid() == GLOBAL_ZONEID
)
63 if (!if_indextoname(index
, name
))
68 lifc_flags
= LIFC_NOXMIT
| LIFC_TEMPORARY
| LIFC_ALLZONES
| LIFC_UNDER_IPMP
;
69 lifn
.lifn_family
= AF_UNSPEC
;
70 lifn
.lifn_flags
= lifc_flags
;
71 if (ioctl(fd
, SIOCGLIFNUM
, &lifn
) < 0)
74 numifs
= lifn
.lifn_count
;
75 bufsize
= numifs
* sizeof(struct lifreq
);
77 lifc
.lifc_family
= AF_UNSPEC
;
78 lifc
.lifc_flags
= lifc_flags
;
79 lifc
.lifc_len
= bufsize
;
80 lifc
.lifc_buf
= alloca(bufsize
);
82 if (ioctl(fd
, SIOCGLIFCONF
, &lifc
) < 0)
85 lifrp
= lifc
.lifc_req
;
86 for (i
= lifc
.lifc_len
/ sizeof(struct lifreq
); i
; i
--, lifrp
++)
89 strncpy(lifr
.lifr_name
, lifrp
->lifr_name
, IF_NAMESIZE
);
90 if (ioctl(fd
, SIOCGLIFINDEX
, &lifr
) < 0)
93 if (lifr
.lifr_index
== index
) {
94 strncpy(name
, lifr
.lifr_name
, IF_NAMESIZE
);
104 int indextoname(int fd
, int index
, char *name
)
108 if (index
== 0 || !if_indextoname(index
, name
))
116 int iface_check(int family
, struct all_addr
*addr
, char *name
, int *auth
)
119 int ret
= 1, match_addr
= 0;
121 /* Note: have to check all and not bail out early, so that we set the
124 May be called with family == AF_LOCAL to check interface by name only. */
129 if (daemon
->if_names
|| daemon
->if_addrs
)
133 for (tmp
= daemon
->if_names
; tmp
; tmp
= tmp
->next
)
134 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
138 for (tmp
= daemon
->if_addrs
; tmp
; tmp
= tmp
->next
)
139 if (tmp
->addr
.sa
.sa_family
== family
)
141 if (family
== AF_INET
&&
142 tmp
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
143 ret
= match_addr
= tmp
->used
= 1;
145 else if (family
== AF_INET6
&&
146 IN6_ARE_ADDR_EQUAL(&tmp
->addr
.in6
.sin6_addr
,
148 ret
= match_addr
= tmp
->used
= 1;
154 for (tmp
= daemon
->if_except
; tmp
; tmp
= tmp
->next
)
155 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
159 for (tmp
= daemon
->authinterface
; tmp
; tmp
= tmp
->next
)
162 if (strcmp(tmp
->name
, name
) == 0 &&
163 (tmp
->addr
.sa
.sa_family
== 0 || tmp
->addr
.sa
.sa_family
== family
))
166 else if (addr
&& tmp
->addr
.sa
.sa_family
== AF_INET
&& family
== AF_INET
&&
167 tmp
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
170 else if (addr
&& tmp
->addr
.sa
.sa_family
== AF_INET6
&& family
== AF_INET6
&&
171 IN6_ARE_ADDR_EQUAL(&tmp
->addr
.in6
.sin6_addr
, &addr
->addr
.addr6
))
185 /* Fix for problem that the kernel sometimes reports the loopback interface as the
186 arrival interface when a packet originates locally, even when sent to address of
187 an interface other than the loopback. Accept packet if it arrived via a loopback
188 interface, even when we're not accepting packets that way, as long as the destination
189 address is one we're believing. Interface list must be up-to-date before calling. */
190 int loopback_exception(int fd
, int family
, struct all_addr
*addr
, char *name
)
195 strncpy(ifr
.ifr_name
, name
, IF_NAMESIZE
);
196 if (ioctl(fd
, SIOCGIFFLAGS
, &ifr
) != -1 &&
197 ifr
.ifr_flags
& IFF_LOOPBACK
)
199 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
200 if (iface
->addr
.sa
.sa_family
== family
)
202 if (family
== AF_INET
)
204 if (iface
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
208 else if (IN6_ARE_ADDR_EQUAL(&iface
->addr
.in6
.sin6_addr
, &addr
->addr
.addr6
))
217 /* If we're configured with something like --interface=eth0:0 then we'll listen correctly
218 on the relevant address, but the name of the arrival interface, derived from the
219 index won't match the config. Check that we found an interface address for the arrival
220 interface: daemon->interfaces must be up-to-date. */
221 int label_exception(int index
, int family
, struct all_addr
*addr
)
225 /* labels only supported on IPv4 addresses. */
226 if (family
!= AF_INET
)
229 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
230 if (iface
->index
== index
&& iface
->addr
.sa
.sa_family
== AF_INET
&&
231 iface
->addr
.in
.sin_addr
.s_addr
== addr
->addr
.addr4
.s_addr
)
238 struct addrlist
*spare
;
242 static int iface_allowed(struct iface_param
*param
, int if_index
, char *label
,
243 union mysockaddr
*addr
, struct in_addr netmask
, int prefixlen
, int dad
)
246 int mtu
= 0, loopback
;
248 int tftp_ok
= !!option_bool(OPT_TFTP
);
251 #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
257 if (!indextoname(param
->fd
, if_index
, ifr
.ifr_name
) ||
258 ioctl(param
->fd
, SIOCGIFFLAGS
, &ifr
) == -1)
261 loopback
= ifr
.ifr_flags
& IFF_LOOPBACK
;
266 if (ioctl(param
->fd
, SIOCGIFMTU
, &ifr
) != -1)
270 label
= ifr
.ifr_name
;
274 if (addr
->sa
.sa_family
!= AF_INET6
|| !IN6_IS_ADDR_LINKLOCAL(&addr
->in6
.sin6_addr
))
277 struct interface_name
*int_name
;
280 struct auth_zone
*zone
;
281 struct auth_name_list
*name
;
283 /* Find subnets in auth_zones */
284 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
285 for (name
= zone
->interface_names
; name
; name
= name
->next
)
286 if (wildcard_match(name
->name
, label
))
288 if (addr
->sa
.sa_family
== AF_INET
&& (name
->flags
& AUTH4
))
293 param
->spare
= al
->next
;
296 al
= whine_malloc(sizeof(struct addrlist
));
300 al
->next
= zone
->subnet
;
302 al
->prefixlen
= prefixlen
;
303 al
->addr
.addr
.addr4
= addr
->in
.sin_addr
;
309 if (addr
->sa
.sa_family
== AF_INET6
&& (name
->flags
& AUTH6
))
314 param
->spare
= al
->next
;
317 al
= whine_malloc(sizeof(struct addrlist
));
321 al
->next
= zone
->subnet
;
323 al
->prefixlen
= prefixlen
;
324 al
->addr
.addr
.addr6
= addr
->in6
.sin6_addr
;
325 al
->flags
= ADDRLIST_IPV6
;
333 /* Update addresses from interface_names. These are a set independent
334 of the set we're listening on. */
335 for (int_name
= daemon
->int_names
; int_name
; int_name
= int_name
->next
)
336 if (strncmp(label
, int_name
->intr
, IF_NAMESIZE
) == 0 &&
337 (addr
->sa
.sa_family
== int_name
->family
|| int_name
->family
== 0))
342 param
->spare
= al
->next
;
345 al
= whine_malloc(sizeof(struct addrlist
));
349 al
->next
= int_name
->addr
;
352 if (addr
->sa
.sa_family
== AF_INET
)
354 al
->addr
.addr
.addr4
= addr
->in
.sin_addr
;
360 al
->addr
.addr
.addr6
= addr
->in6
.sin6_addr
;
361 al
->flags
= ADDRLIST_IPV6
;
368 /* check whether the interface IP has been added already:
369 we call this routine multiple times. */
370 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
371 if (sockaddr_isequal(&iface
->addr
, addr
))
377 /* If we are restricting the set of interfaces to use, make
378 sure that loopback interfaces are in that set. */
379 if (daemon
->if_names
&& loopback
)
382 for (lo
= daemon
->if_names
; lo
; lo
= lo
->next
)
383 if (lo
->name
&& strcmp(lo
->name
, ifr
.ifr_name
) == 0)
386 if (!lo
&& (lo
= whine_malloc(sizeof(struct iname
))))
388 if ((lo
->name
= whine_malloc(strlen(ifr
.ifr_name
)+1)))
390 strcpy(lo
->name
, ifr
.ifr_name
);
392 lo
->next
= daemon
->if_names
;
393 daemon
->if_names
= lo
;
400 if (addr
->sa
.sa_family
== AF_INET
&&
401 !iface_check(AF_INET
, (struct all_addr
*)&addr
->in
.sin_addr
, label
, &auth_dns
))
405 if (addr
->sa
.sa_family
== AF_INET6
&&
406 !iface_check(AF_INET6
, (struct all_addr
*)&addr
->in6
.sin6_addr
, label
, &auth_dns
))
411 /* No DHCP where we're doing auth DNS. */
418 for (tmp
= daemon
->dhcp_except
; tmp
; tmp
= tmp
->next
)
419 if (tmp
->name
&& wildcard_match(tmp
->name
, ifr
.ifr_name
))
428 if (daemon
->tftp_interfaces
)
430 /* dedicated tftp interface list */
432 for (tmp
= daemon
->tftp_interfaces
; tmp
; tmp
= tmp
->next
)
433 if (tmp
->name
&& wildcard_match(tmp
->name
, ifr
.ifr_name
))
439 if ((iface
= whine_malloc(sizeof(struct irec
))))
442 iface
->netmask
= netmask
;
443 iface
->tftp_ok
= tftp_ok
;
444 iface
->dhcp_ok
= dhcp_ok
;
445 iface
->dns_auth
= auth_dns
;
448 iface
->done
= iface
->multicast_done
= iface
->warned
= 0;
449 iface
->index
= if_index
;
450 if ((iface
->name
= whine_malloc(strlen(ifr
.ifr_name
)+1)))
452 strcpy(iface
->name
, ifr
.ifr_name
);
453 iface
->next
= daemon
->interfaces
;
454 daemon
->interfaces
= iface
;
466 static int iface_allowed_v6(struct in6_addr
*local
, int prefix
,
467 int scope
, int if_index
, int flags
,
468 int preferred
, int valid
, void *vparam
)
470 union mysockaddr addr
;
471 struct in_addr netmask
; /* dummy */
474 (void)scope
; /* warning */
478 memset(&addr
, 0, sizeof(addr
));
479 #ifdef HAVE_SOCKADDR_SA_LEN
480 addr
.in6
.sin6_len
= sizeof(addr
.in6
);
482 addr
.in6
.sin6_family
= AF_INET6
;
483 addr
.in6
.sin6_addr
= *local
;
484 addr
.in6
.sin6_port
= htons(daemon
->port
);
485 addr
.in6
.sin6_scope_id
= if_index
;
487 return iface_allowed((struct iface_param
*)vparam
, if_index
, NULL
, &addr
, netmask
, prefix
, !!(flags
& IFACE_TENTATIVE
));
491 static int iface_allowed_v4(struct in_addr local
, int if_index
, char *label
,
492 struct in_addr netmask
, struct in_addr broadcast
, void *vparam
)
494 union mysockaddr addr
;
497 memset(&addr
, 0, sizeof(addr
));
498 #ifdef HAVE_SOCKADDR_SA_LEN
499 addr
.in
.sin_len
= sizeof(addr
.in
);
501 addr
.in
.sin_family
= AF_INET
;
502 addr
.in
.sin_addr
= broadcast
; /* warning */
503 addr
.in
.sin_addr
= local
;
504 addr
.in
.sin_port
= htons(daemon
->port
);
506 /* determine prefix length from netmask */
507 for (prefix
= 32, bit
= 1; (bit
& ntohl(netmask
.s_addr
)) == 0 && prefix
!= 0; bit
= bit
<< 1, prefix
--);
509 return iface_allowed((struct iface_param
*)vparam
, if_index
, label
, &addr
, netmask
, prefix
, 0);
512 int enumerate_interfaces(int reset
)
514 static struct addrlist
*spare
= NULL
;
515 static int done
= 0, active
= 0;
516 struct iface_param param
;
517 int errsave
, ret
= 1;
518 struct addrlist
*addr
, *tmp
;
519 struct interface_name
*intname
;
521 struct auth_zone
*zone
;
524 /* Do this max once per select cycle - also inhibits netlink socket use
525 in TCP child processes. */
538 /* protect against recursive calls from iface_enumerate(); */
541 if ((param
.fd
= socket(PF_INET
, SOCK_DGRAM
, 0)) == -1)
544 /* remove addresses stored against interface_names */
545 for (intname
= daemon
->int_names
; intname
; intname
= intname
->next
)
547 for (addr
= intname
->addr
; addr
; addr
= tmp
)
554 intname
->addr
= NULL
;
558 /* remove addresses stored against auth_zone subnets, but not
559 ones configured as address literals */
560 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
561 if (zone
->interface_names
)
563 struct addrlist
**up
;
564 for (up
= &zone
->subnet
, addr
= zone
->subnet
; addr
; addr
= tmp
)
567 if (addr
->flags
& ADDRLIST_LITERAL
)
582 ret
= iface_enumerate(AF_INET6
, &param
, iface_allowed_v6
);
586 ret
= iface_enumerate(AF_INET
, &param
, iface_allowed_v4
);
598 /* set NONBLOCK bit on fd: See Stevens 16.6 */
603 if ((flags
= fcntl(fd
, F_GETFL
)) == -1 ||
604 fcntl(fd
, F_SETFL
, flags
| O_NONBLOCK
) == -1)
610 static int make_sock(union mysockaddr
*addr
, int type
, int dienow
)
612 int family
= addr
->sa
.sa_family
;
615 if ((fd
= socket(family
, type
, 0)) == -1)
620 /* No error if the kernel just doesn't support this IP flavour */
621 if (errno
== EPROTONOSUPPORT
||
622 errno
== EAFNOSUPPORT
||
627 port
= prettyprint_addr(addr
, daemon
->addrbuff
);
628 if (!option_bool(OPT_NOWILD
) && !option_bool(OPT_CLEVERBIND
))
629 sprintf(daemon
->addrbuff
, "port %d", port
);
630 s
= _("failed to create listening socket for %s: %s");
637 /* failure to bind addresses given by --listen-address at this point
638 is OK if we're doing bind-dynamic */
639 if (!option_bool(OPT_CLEVERBIND
))
640 die(s
, daemon
->addrbuff
, EC_BADNET
);
643 my_syslog(LOG_WARNING
, s
, daemon
->addrbuff
, strerror(errno
));
648 if (setsockopt(fd
, SOL_SOCKET
, SO_REUSEADDR
, &opt
, sizeof(opt
)) == -1 || !fix_fd(fd
))
652 if (family
== AF_INET6
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_V6ONLY
, &opt
, sizeof(opt
)) == -1)
656 if ((rc
= bind(fd
, (struct sockaddr
*)addr
, sa_len(addr
))) == -1)
659 if (type
== SOCK_STREAM
)
661 if (listen(fd
, 5) == -1)
664 else if (!option_bool(OPT_NOWILD
))
666 if (family
== AF_INET
)
668 #if defined(HAVE_LINUX_NETWORK)
669 if (setsockopt(fd
, IPPROTO_IP
, IP_PKTINFO
, &opt
, sizeof(opt
)) == -1)
671 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
672 if (setsockopt(fd
, IPPROTO_IP
, IP_RECVDSTADDR
, &opt
, sizeof(opt
)) == -1 ||
673 setsockopt(fd
, IPPROTO_IP
, IP_RECVIF
, &opt
, sizeof(opt
)) == -1)
678 else if (!set_ipv6pktinfo(fd
))
687 int set_ipv6pktinfo(int fd
)
691 /* The API changed around Linux 2.6.14 but the old ABI is still supported:
692 handle all combinations of headers and kernel.
693 OpenWrt note that this fixes the problem addressed by your very broken patch. */
694 daemon
->v6pktinfo
= IPV6_PKTINFO
;
696 #ifdef IPV6_RECVPKTINFO
697 if (setsockopt(fd
, IPPROTO_IPV6
, IPV6_RECVPKTINFO
, &opt
, sizeof(opt
)) != -1)
699 # ifdef IPV6_2292PKTINFO
700 else if (errno
== ENOPROTOOPT
&& setsockopt(fd
, IPPROTO_IPV6
, IPV6_2292PKTINFO
, &opt
, sizeof(opt
)) != -1)
702 daemon
->v6pktinfo
= IPV6_2292PKTINFO
;
707 if (setsockopt(fd
, IPPROTO_IPV6
, IPV6_PKTINFO
, &opt
, sizeof(opt
)) != -1)
716 /* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
717 int tcp_interface(int fd
, int af
)
721 #ifdef HAVE_LINUX_NETWORK
723 struct cmsghdr
*cmptr
;
726 /* use msghdr so that the CMSG_* macros are available */
727 msg
.msg_control
= daemon
->packet
;
728 msg
.msg_controllen
= daemon
->packet_buff_sz
;
730 /* we overwrote the buffer... */
731 daemon
->srv_save
= NULL
;
735 if (setsockopt(fd
, IPPROTO_IP
, IP_PKTINFO
, &opt
, sizeof(opt
)) != -1 &&
736 getsockopt(fd
, IPPROTO_IP
, IP_PKTOPTIONS
, msg
.msg_control
, (socklen_t
*)&msg
.msg_controllen
) != -1)
737 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
738 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
742 struct in_pktinfo
*p
;
745 p
.c
= CMSG_DATA(cmptr
);
746 if_index
= p
.p
->ipi_ifindex
;
752 /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
753 it was removed in RFC-3542 !!!!
755 Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
756 uses the old ABI, and should work with pre- and post-3542 kernel headers */
758 #ifdef IPV6_2292PKTOPTIONS
759 # define PKTOPTIONS IPV6_2292PKTOPTIONS
761 # define PKTOPTIONS IPV6_PKTOPTIONS
764 if (set_ipv6pktinfo(fd
) &&
765 getsockopt(fd
, IPPROTO_IPV6
, PKTOPTIONS
, msg
.msg_control
, (socklen_t
*)&msg
.msg_controllen
) != -1)
767 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
768 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
772 struct in6_pktinfo
*p
;
774 p
.c
= CMSG_DATA(cmptr
);
776 if_index
= p
.p
->ipi6_ifindex
;
786 static struct listener
*create_listeners(union mysockaddr
*addr
, int do_tftp
, int dienow
)
788 struct listener
*l
= NULL
;
789 int fd
= -1, tcpfd
= -1, tftpfd
= -1;
793 if (daemon
->port
!= 0)
795 fd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
796 tcpfd
= make_sock(addr
, SOCK_STREAM
, dienow
);
802 if (addr
->sa
.sa_family
== AF_INET
)
804 /* port must be restored to DNS port for TCP code */
805 short save
= addr
->in
.sin_port
;
806 addr
->in
.sin_port
= htons(TFTP_PORT
);
807 tftpfd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
808 addr
->in
.sin_port
= save
;
813 short save
= addr
->in6
.sin6_port
;
814 addr
->in6
.sin6_port
= htons(TFTP_PORT
);
815 tftpfd
= make_sock(addr
, SOCK_DGRAM
, dienow
);
816 addr
->in6
.sin6_port
= save
;
822 if (fd
!= -1 || tcpfd
!= -1 || tftpfd
!= -1)
824 l
= safe_malloc(sizeof(struct listener
));
826 l
->family
= addr
->sa
.sa_family
;
835 void create_wildcard_listeners(void)
837 union mysockaddr addr
;
838 struct listener
*l
, *l6
;
840 memset(&addr
, 0, sizeof(addr
));
841 #ifdef HAVE_SOCKADDR_SA_LEN
842 addr
.in
.sin_len
= sizeof(addr
.in
);
844 addr
.in
.sin_family
= AF_INET
;
845 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
846 addr
.in
.sin_port
= htons(daemon
->port
);
848 l
= create_listeners(&addr
, !!option_bool(OPT_TFTP
), 1);
851 memset(&addr
, 0, sizeof(addr
));
852 # ifdef HAVE_SOCKADDR_SA_LEN
853 addr
.in6
.sin6_len
= sizeof(addr
.in6
);
855 addr
.in6
.sin6_family
= AF_INET6
;
856 addr
.in6
.sin6_addr
= in6addr_any
;
857 addr
.in6
.sin6_port
= htons(daemon
->port
);
859 l6
= create_listeners(&addr
, !!option_bool(OPT_TFTP
), 1);
866 daemon
->listeners
= l
;
869 void create_bound_listeners(int dienow
)
871 struct listener
*new;
873 struct iname
*if_tmp
;
875 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
876 if (!iface
->done
&& !iface
->dad
&&
877 (new = create_listeners(&iface
->addr
, iface
->tftp_ok
, dienow
)))
880 new->next
= daemon
->listeners
;
881 daemon
->listeners
= new;
885 /* Check for --listen-address options that haven't been used because there's
886 no interface with a matching address. These may be valid: eg it's possible
887 to listen on 127.0.1.1 even if the loopback interface is 127.0.0.1
889 If the address isn't valid the bind() will fail and we'll die()
890 (except in bind-dynamic mode, when we'll complain but keep trying.)
892 The resulting listeners have the ->iface field NULL, and this has to be
893 handled by the DNS and TFTP code. It disables --localise-queries processing
894 (no netmask) and some MTU logic in the tftp code. */
896 for (if_tmp
= daemon
->if_addrs
; if_tmp
; if_tmp
= if_tmp
->next
)
898 (new = create_listeners(&if_tmp
->addr
, !!option_bool(OPT_TFTP
), dienow
)))
901 new->next
= daemon
->listeners
;
902 daemon
->listeners
= new;
906 /* In --bind-interfaces, the only access control is the addresses we're listening on.
907 There's nothing to avoid a query to the address of an internal interface arriving via
908 an external interface where we don't want to accept queries, except that in the usual
909 case the addresses of internal interfaces are RFC1918. When bind-interfaces is in use,
910 and we listen on an address that looks like it's probably globally routable, shout.
912 The fix is to use --bind-dynamic, which actually checks the arrival interface too.
913 Tough if your platform doesn't support this.
916 void warn_bound_listeners(void)
921 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
922 if (!iface
->dns_auth
)
925 if (iface
->addr
.sa
.sa_family
== AF_INET
)
927 if (!private_net(iface
->addr
.in
.sin_addr
, 1))
929 inet_ntop(AF_INET
, &iface
->addr
.in
.sin_addr
, daemon
->addrbuff
, ADDRSTRLEN
);
936 if (!IN6_IS_ADDR_LINKLOCAL(&iface
->addr
.in6
.sin6_addr
) &&
937 !IN6_IS_ADDR_SITELOCAL(&iface
->addr
.in6
.sin6_addr
) &&
938 !IN6_IS_ADDR_ULA(&iface
->addr
.in6
.sin6_addr
) &&
939 !IN6_IS_ADDR_LOOPBACK(&iface
->addr
.in6
.sin6_addr
))
941 inet_ntop(AF_INET6
, &iface
->addr
.in6
.sin6_addr
, daemon
->addrbuff
, ADDRSTRLEN
);
948 iface
->warned
= advice
= 1;
949 my_syslog(LOG_WARNING
,
950 _("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"),
951 daemon
->addrbuff
, iface
->name
);
956 my_syslog(LOG_WARNING
, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));
959 void warn_int_names(void)
961 struct interface_name
*intname
;
963 for (intname
= daemon
->int_names
; intname
; intname
= intname
->next
)
965 my_syslog(LOG_WARNING
, _("warning: no addresses found for interface %s"), intname
->intr
);
968 int is_dad_listeners(void)
972 if (option_bool(OPT_NOWILD
))
973 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
974 if (iface
->dad
&& !iface
->done
)
981 void join_multicast(int dienow
)
983 struct irec
*iface
, *tmp
;
985 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
986 if (iface
->addr
.sa
.sa_family
== AF_INET6
&& iface
->dhcp_ok
&& !iface
->multicast_done
)
988 /* There's an irec per address but we only want to join for multicast
989 once per interface. Weed out duplicates. */
990 for (tmp
= daemon
->interfaces
; tmp
; tmp
= tmp
->next
)
991 if (tmp
->multicast_done
&& tmp
->index
== iface
->index
)
994 iface
->multicast_done
= 1;
998 struct ipv6_mreq mreq
;
1001 mreq
.ipv6mr_interface
= iface
->index
;
1003 inet_pton(AF_INET6
, ALL_RELAY_AGENTS_AND_SERVERS
, &mreq
.ipv6mr_multiaddr
);
1005 if ((daemon
->doing_dhcp6
|| daemon
->relay6
) &&
1006 setsockopt(daemon
->dhcp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1009 inet_pton(AF_INET6
, ALL_SERVERS
, &mreq
.ipv6mr_multiaddr
);
1011 if (daemon
->doing_dhcp6
&&
1012 setsockopt(daemon
->dhcp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1015 inet_pton(AF_INET6
, ALL_ROUTERS
, &mreq
.ipv6mr_multiaddr
);
1017 if (daemon
->doing_ra
&&
1018 setsockopt(daemon
->icmp6fd
, IPPROTO_IPV6
, IPV6_JOIN_GROUP
, &mreq
, sizeof(mreq
)) == -1)
1023 char *s
= _("interface %s failed to join DHCPv6 multicast group: %s");
1025 die(s
, iface
->name
, EC_BADNET
);
1027 my_syslog(LOG_ERR
, s
, iface
->name
, strerror(errno
));
1034 /* return a UDP socket bound to a random port, have to cope with straying into
1035 occupied port nos and reserved ones. */
1036 int random_sock(int family
)
1040 if ((fd
= socket(family
, SOCK_DGRAM
, 0)) != -1)
1042 union mysockaddr addr
;
1043 unsigned int ports_avail
= 65536u - (unsigned short)daemon
->min_port
;
1044 int tries
= ports_avail
< 30 ? 3 * ports_avail
: 100;
1046 memset(&addr
, 0, sizeof(addr
));
1047 addr
.sa
.sa_family
= family
;
1049 /* don't loop forever if all ports in use. */
1054 unsigned short port
= rand16();
1056 if (daemon
->min_port
!= 0)
1057 port
= htons(daemon
->min_port
+ (port
% ((unsigned short)ports_avail
)));
1059 if (family
== AF_INET
)
1061 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1062 addr
.in
.sin_port
= port
;
1063 #ifdef HAVE_SOCKADDR_SA_LEN
1064 addr
.in
.sin_len
= sizeof(struct sockaddr_in
);
1070 addr
.in6
.sin6_addr
= in6addr_any
;
1071 addr
.in6
.sin6_port
= port
;
1072 #ifdef HAVE_SOCKADDR_SA_LEN
1073 addr
.in6
.sin6_len
= sizeof(struct sockaddr_in6
);
1078 if (bind(fd
, (struct sockaddr
*)&addr
, sa_len(&addr
)) == 0)
1081 if (errno
!= EADDRINUSE
&& errno
!= EACCES
)
1092 int local_bind(int fd
, union mysockaddr
*addr
, char *intname
, int is_tcp
)
1094 union mysockaddr addr_copy
= *addr
;
1096 /* cannot set source _port_ for TCP connections. */
1099 if (addr_copy
.sa
.sa_family
== AF_INET
)
1100 addr_copy
.in
.sin_port
= 0;
1103 addr_copy
.in6
.sin6_port
= 0;
1107 if (bind(fd
, (struct sockaddr
*)&addr_copy
, sa_len(&addr_copy
)) == -1)
1110 #if defined(SO_BINDTODEVICE)
1111 if (intname
[0] != 0 &&
1112 setsockopt(fd
, SOL_SOCKET
, SO_BINDTODEVICE
, intname
, IF_NAMESIZE
) == -1)
1119 static struct serverfd
*allocate_sfd(union mysockaddr
*addr
, char *intname
)
1121 struct serverfd
*sfd
;
1124 /* when using random ports, servers which would otherwise use
1125 the INADDR_ANY/port0 socket have sfd set to NULL */
1126 if (!daemon
->osport
&& intname
[0] == 0)
1130 if (addr
->sa
.sa_family
== AF_INET
&&
1131 addr
->in
.sin_addr
.s_addr
== INADDR_ANY
&&
1132 addr
->in
.sin_port
== htons(0))
1136 if (addr
->sa
.sa_family
== AF_INET6
&&
1137 memcmp(&addr
->in6
.sin6_addr
, &in6addr_any
, sizeof(in6addr_any
)) == 0 &&
1138 addr
->in6
.sin6_port
== htons(0))
1143 /* may have a suitable one already */
1144 for (sfd
= daemon
->sfds
; sfd
; sfd
= sfd
->next
)
1145 if (sockaddr_isequal(&sfd
->source_addr
, addr
) &&
1146 strcmp(intname
, sfd
->interface
) == 0)
1149 /* need to make a new one. */
1150 errno
= ENOMEM
; /* in case malloc fails. */
1151 if (!(sfd
= whine_malloc(sizeof(struct serverfd
))))
1154 if ((sfd
->fd
= socket(addr
->sa
.sa_family
, SOCK_DGRAM
, 0)) == -1)
1160 if (!local_bind(sfd
->fd
, addr
, intname
, 0) || !fix_fd(sfd
->fd
))
1162 errsave
= errno
; /* save error from bind. */
1169 strcpy(sfd
->interface
, intname
);
1170 sfd
->source_addr
= *addr
;
1171 sfd
->next
= daemon
->sfds
;
1176 /* Create upstream sockets during startup, before root is dropped, as root may be needed:
1177 this allows query_port to be a low port, and allows interface binding. */
1178 void pre_allocate_sfds(void)
1182 if (daemon
->query_port
!= 0)
1184 union mysockaddr addr
;
1185 memset(&addr
, 0, sizeof(addr
));
1186 addr
.in
.sin_family
= AF_INET
;
1187 addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1188 addr
.in
.sin_port
= htons(daemon
->query_port
);
1189 #ifdef HAVE_SOCKADDR_SA_LEN
1190 addr
.in
.sin_len
= sizeof(struct sockaddr_in
);
1192 allocate_sfd(&addr
, "");
1194 memset(&addr
, 0, sizeof(addr
));
1195 addr
.in6
.sin6_family
= AF_INET6
;
1196 addr
.in6
.sin6_addr
= in6addr_any
;
1197 addr
.in6
.sin6_port
= htons(daemon
->query_port
);
1198 #ifdef HAVE_SOCKADDR_SA_LEN
1199 addr
.in6
.sin6_len
= sizeof(struct sockaddr_in6
);
1201 allocate_sfd(&addr
, "");
1205 for (srv
= daemon
->servers
; srv
; srv
= srv
->next
)
1206 if (!(srv
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
| SERV_USE_RESOLV
| SERV_NO_REBIND
)) &&
1207 !allocate_sfd(&srv
->source_addr
, srv
->interface
) &&
1209 option_bool(OPT_NOWILD
))
1211 prettyprint_addr(&srv
->source_addr
, daemon
->namebuff
);
1212 if (srv
->interface
[0] != 0)
1214 strcat(daemon
->namebuff
, " ");
1215 strcat(daemon
->namebuff
, srv
->interface
);
1217 die(_("failed to bind server socket for %s: %s"),
1218 daemon
->namebuff
, EC_BADNET
);
1223 void check_servers(void)
1226 struct server
*new, *tmp
, *ret
= NULL
;
1229 /* interface may be new since startup */
1230 if (!option_bool(OPT_NOWILD
))
1231 enumerate_interfaces(0);
1233 for (new = daemon
->servers
; new; new = tmp
)
1237 if (!(new->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
| SERV_USE_RESOLV
| SERV_NO_REBIND
)))
1239 port
= prettyprint_addr(&new->addr
, daemon
->namebuff
);
1241 /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
1242 if (new->addr
.sa
.sa_family
== AF_INET
&&
1243 new->addr
.in
.sin_addr
.s_addr
== 0)
1249 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1250 if (sockaddr_isequal(&new->addr
, &iface
->addr
))
1254 my_syslog(LOG_WARNING
, _("ignoring nameserver %s - local interface"), daemon
->namebuff
);
1259 /* Do we need a socket set? */
1261 !(new->sfd
= allocate_sfd(&new->source_addr
, new->interface
)) &&
1264 my_syslog(LOG_WARNING
,
1265 _("ignoring nameserver %s - cannot make/bind socket: %s"),
1266 daemon
->namebuff
, strerror(errno
));
1272 /* reverse order - gets it right. */
1276 if (!(new->flags
& SERV_NO_REBIND
))
1278 if (new->flags
& (SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_USE_RESOLV
))
1281 if (!(new->flags
& SERV_HAS_DOMAIN
))
1282 s1
= _("unqualified"), s2
= _("names");
1283 else if (strlen(new->domain
) == 0)
1284 s1
= _("default"), s2
= "";
1286 s1
= _("domain"), s2
= new->domain
;
1288 if (new->flags
& SERV_NO_ADDR
)
1289 my_syslog(LOG_INFO
, _("using local addresses only for %s %s"), s1
, s2
);
1290 else if (new->flags
& SERV_USE_RESOLV
)
1291 my_syslog(LOG_INFO
, _("using standard nameservers for %s %s"), s1
, s2
);
1292 else if (!(new->flags
& SERV_LITERAL_ADDRESS
))
1293 my_syslog(LOG_INFO
, _("using nameserver %s#%d for %s %s"), daemon
->namebuff
, port
, s1
, s2
);
1295 else if (new->interface
[0] != 0)
1296 my_syslog(LOG_INFO
, _("using nameserver %s#%d(via %s)"), daemon
->namebuff
, port
, new->interface
);
1298 my_syslog(LOG_INFO
, _("using nameserver %s#%d"), daemon
->namebuff
, port
);
1302 daemon
->servers
= ret
;
1305 /* Return zero if no servers found, in that case we keep polling.
1306 This is a protection against an update-time/write race on resolv.conf */
1307 int reload_servers(char *fname
)
1311 struct server
*old_servers
= NULL
;
1312 struct server
*new_servers
= NULL
;
1313 struct server
*serv
;
1316 /* buff happens to be MAXDNAME long... */
1317 if (!(f
= fopen(fname
, "r")))
1319 my_syslog(LOG_ERR
, _("failed to read %s: %s"), fname
, strerror(errno
));
1323 /* move old servers to free list - we can reuse the memory
1324 and not risk malloc if there are the same or fewer new servers.
1325 Servers which were specced on the command line go to the new list. */
1326 for (serv
= daemon
->servers
; serv
;)
1328 struct server
*tmp
= serv
->next
;
1329 if (serv
->flags
& SERV_FROM_RESOLV
)
1331 serv
->next
= old_servers
;
1333 /* forward table rules reference servers, so have to blow them away */
1338 serv
->next
= new_servers
;
1344 while ((line
= fgets(daemon
->namebuff
, MAXDNAME
, f
)))
1346 union mysockaddr addr
, source_addr
;
1347 char *token
= strtok(line
, " \t\n\r");
1351 if (strcmp(token
, "nameserver") != 0 && strcmp(token
, "server") != 0)
1353 if (!(token
= strtok(NULL
, " \t\n\r")))
1356 memset(&addr
, 0, sizeof(addr
));
1357 memset(&source_addr
, 0, sizeof(source_addr
));
1359 if ((addr
.in
.sin_addr
.s_addr
= inet_addr(token
)) != (in_addr_t
) -1)
1361 #ifdef HAVE_SOCKADDR_SA_LEN
1362 source_addr
.in
.sin_len
= addr
.in
.sin_len
= sizeof(source_addr
.in
);
1364 source_addr
.in
.sin_family
= addr
.in
.sin_family
= AF_INET
;
1365 addr
.in
.sin_port
= htons(NAMESERVER_PORT
);
1366 source_addr
.in
.sin_addr
.s_addr
= INADDR_ANY
;
1367 source_addr
.in
.sin_port
= htons(daemon
->query_port
);
1372 int scope_index
= 0;
1373 char *scope_id
= strchr(token
, '%');
1378 scope_index
= if_nametoindex(scope_id
);
1381 if (inet_pton(AF_INET6
, token
, &addr
.in6
.sin6_addr
) > 0)
1383 #ifdef HAVE_SOCKADDR_SA_LEN
1384 source_addr
.in6
.sin6_len
= addr
.in6
.sin6_len
= sizeof(source_addr
.in6
);
1386 source_addr
.in6
.sin6_family
= addr
.in6
.sin6_family
= AF_INET6
;
1387 source_addr
.in6
.sin6_flowinfo
= addr
.in6
.sin6_flowinfo
= 0;
1388 addr
.in6
.sin6_port
= htons(NAMESERVER_PORT
);
1389 addr
.in6
.sin6_scope_id
= scope_index
;
1390 source_addr
.in6
.sin6_addr
= in6addr_any
;
1391 source_addr
.in6
.sin6_port
= htons(daemon
->query_port
);
1392 source_addr
.in6
.sin6_scope_id
= 0;
1405 old_servers
= old_servers
->next
;
1407 else if (!(serv
= whine_malloc(sizeof (struct server
))))
1410 /* this list is reverse ordered:
1411 it gets reversed again in check_servers */
1412 serv
->next
= new_servers
;
1415 serv
->source_addr
= source_addr
;
1416 serv
->domain
= NULL
;
1417 serv
->interface
[0] = 0;
1419 serv
->flags
= SERV_FROM_RESOLV
;
1420 serv
->queries
= serv
->failed_queries
= 0;
1424 /* Free any memory not used. */
1427 struct server
*tmp
= old_servers
->next
;
1432 daemon
->servers
= new_servers
;