1 /* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 #ifdef HAVE_LINUX_NETWORK
/* Linux: map an interface index to its name with the SIOCGIFNAME ioctl on fd.
   name must point at a buffer of at least IF_NAMESIZE bytes; the copy below
   is bounded to that size. The ioctl failure path and the return statements
   fall in lines this listing omits - presumably 0 on failure and non-zero on
   success, as the callers (e.g. iface_allowed) test the result as a boolean;
   confirm against the full source. */
21 int indextoname(int fd, int index, char *name)
28 ifr.ifr_ifindex = index;
29 if (ioctl(fd, SIOCGIFNAME, &ifr) == -1)
/* Bounded copy: ifr_name is a fixed IF_NAMESIZE field and is not guaranteed
   to be NUL-terminated by the kernel, so a plain strcpy would be unsafe. */
32 safe_strncpy(name, ifr.ifr_name, IF_NAMESIZE);
38 #elif defined(HAVE_SOLARIS_NETWORK)
42 #ifndef LIFC_UNDER_IPMP
43 # define LIFC_UNDER_IPMP 0
/* Solaris: map an interface index to its name. In the global zone the libc
   if_indextoname() is used directly. Elsewhere every logical interface is
   enumerated (SIOCGLIFNUM then SIOCGLIFCONF, including other zones and
   IPMP-underlying links) and each candidate's SIOCGLIFINDEX is compared with
   the wanted index. Return statements are in lines this listing omits. */
46 int indextoname(int fd, int index, char *name)
50 int numifs, bufsize, i;
57 if (getzoneid() == GLOBAL_ZONEID)
59 if (!if_indextoname(index, name))
/* Flags chosen so that the enumeration also sees non-transmit, temporary,
   other-zone and IPMP-underlying interfaces, not just the "normal" set. */
64 lifc_flags = LIFC_NOXMIT | LIFC_TEMPORARY | LIFC_ALLZONES | LIFC_UNDER_IPMP;
65 lifn.lifn_family = AF_UNSPEC;
66 lifn.lifn_flags = lifc_flags;
67 if (ioctl(fd, SIOCGLIFNUM, &lifn) < 0)
70 numifs = lifn.lifn_count;
/* NOTE(review): bufsize is the kernel-reported interface count multiplied by
   sizeof(struct lifreq) and is placed on the stack via alloca() below, with no
   visible upper bound or overflow check on the product. Interface counts are
   normally small, but a host with a very large number of logical interfaces
   would push this onto the stack unchecked; a bounded heap allocation would
   be the more robust choice. */
71 bufsize = numifs * sizeof(struct lifreq);
73 lifc.lifc_family = AF_UNSPEC;
74 lifc.lifc_flags = lifc_flags;
75 lifc.lifc_len = bufsize;
76 lifc.lifc_buf = alloca(bufsize);
78 if (ioctl(fd, SIOCGLIFCONF, &lifc) < 0)
/* The kernel may fill fewer entries than SIOCGLIFNUM reported, so the loop
   bound is derived from the returned lifc_len, not from numifs. */
81 lifrp = lifc.lifc_req;
82 for (i = lifc.lifc_len / sizeof(struct lifreq); i; i--, lifrp++)
/* Look up each candidate's index by name (bounded copy into the request
   structure) and stop on the first one that matches. */
85 safe_strncpy(lifr.lifr_name, lifrp->lifr_name, IF_NAMESIZE);
86 if (ioctl(fd, SIOCGLIFINDEX, &lifr) < 0)
89 if (lifr.lifr_index == index) {
90 safe_strncpy(name, lifr.lifr_name, IF_NAMESIZE);
/* Portable fallback: libc if_indextoname(). Index 0 (meaning "no interface")
   is rejected up front rather than relying on if_indextoname() to fail on it.
   fd is not used in the lines shown; the return statements are omitted from
   this listing. */
100 int indextoname(int fd, int index, char *name)
104 if (index == 0 || !if_indextoname(index, name))
/* Access-control decision: should dnsmasq serve on the interface called name
   carrying address addr (of the given family)? This is the policy behind
   --interface / --listen-address / --except-interface / --auth-server, so it
   is security-relevant: a wrong answer here means answering (or refusing)
   queries on the wrong network.

   Lists consulted, in order:
     daemon->if_names      (--interface, wildcard match on the name)
     daemon->if_addrs      (--listen-address, exact address match per family)
     daemon->if_except     (--except-interface, wildcard match on the name)
     daemon->authinterface (--auth-server; sets *auth, exact name or address)
   Each match also sets the entry's "used" flag, which is later consulted by
   create_bound_listeners() to find --listen-address options with no matching
   interface - hence every list is walked to the end rather than returning on
   the first hit. The final return and the branches that clear ret are in
   lines this listing omits; the visible code only ever sets ret = 1. */
112 int iface_check(int family, union all_addr *addr, char *name, int *auth)
115 int ret = 1, match_addr = 0;
117 /* Note: have to check all and not bail out early, so that we set the "used" flags.
118 May be called with family == AF_LOCAL to check interface by name only. */
/* Only when the set of interfaces/addresses has been restricted does the
   name/address matching below apply at all. */
120 if (daemon->if_names || daemon->if_addrs)
124 for (tmp = daemon->if_names; tmp; tmp = tmp->next)
125 if (tmp->name && wildcard_match(tmp->name, name))
/* NOTE(review): unlike the authinterface branches further down, addr is
   dereferenced here without a NULL test. The AF_LOCAL (name-only) callers
   therefore rely on no if_addrs entry ever having sa_family == AF_LOCAL;
   an explicit `addr &&` guard would make that independent of the caller. */
129 for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
130 if (tmp->addr.sa.sa_family == family)
132 if (family == AF_INET &&
133 tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
134 ret = match_addr = tmp->used = 1;
135 else if (family == AF_INET6 &&
136 IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr,
138 ret = match_addr = tmp->used = 1;
/* --except-interface: the action taken on a match is not visible in this
   listing (presumably ret is cleared unless the address matched explicitly). */
143 for (tmp = daemon->if_except; tmp; tmp = tmp->next)
144 if (tmp->name && wildcard_match(tmp->name, name))
/* --auth-server: exact (non-wildcard) interface name, or an explicit
   address of the same family. sa_family == 0 means "any family". */
151 for (tmp = daemon->authinterface; tmp; tmp = tmp->next)
154 if (strcmp(tmp->name, name) == 0 &&
155 (tmp->addr.sa.sa_family == 0 || tmp->addr.sa.sa_family == family))
158 else if (addr && tmp->addr.sa.sa_family == AF_INET && family == AF_INET &&
159 tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
161 else if (addr && tmp->addr.sa.sa_family == AF_INET6 && family == AF_INET6 &&
162 IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, &addr->addr6))
176 /* Fix for problem that the kernel sometimes reports the loopback interface as the
177 arrival interface when a packet originates locally, even when sent to address of
178 an interface other than the loopback. Accept packet if it arrived via a loopback
179 interface, even when we're not accepting packets that way, as long as the destination
180 address is one we're believing. Interface list must be up-to-date before calling. */
/* Security note: this deliberately widens the interface check, but only for
   packets whose arrival interface carries IFF_LOOPBACK - i.e. locally
   generated traffic - and only when the destination address is one held on
   some interface in daemon->interfaces. addr is dereferenced without a NULL
   test, so callers must always supply it. Return statements are in lines
   this listing omits. */
181 int loopback_exception(int fd, int family, union all_addr *addr, char *name)
/* Bounded copy of the arrival interface name into the fixed ifr_name field,
   then ask the kernel for its flags. */
186 safe_strncpy(ifr.ifr_name, name, IF_NAMESIZE);
187 if (ioctl(fd, SIOCGIFFLAGS, &ifr) != -1 &&
188 ifr.ifr_flags & IFF_LOOPBACK)
/* Loopback arrival: accept only if the destination is an address we own. */
190 for (iface = daemon->interfaces; iface; iface = iface->next)
191 if (iface->addr.sa.sa_family == family)
193 if (family == AF_INET)
195 if (iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
198 else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr6))
205 /* If we're configured with something like --interface=eth0:0 then we'll listen correctly
206 on the relevant address, but the name of the arrival interface, derived from the
207 index won't match the config. Check that we found an interface address for the arrival
208 interface: daemon->interfaces must be up-to-date. */
/* Returns whether (index, addr) corresponds to an IPv4 irec we created for
   a labelled alias - the visible loop matches both the interface index and
   the exact IPv4 address, so a packet to some other address on the same
   interface does not qualify. Return statements are in lines this listing
   omits. */
209 int label_exception(int index, int family, union all_addr *addr)
213 /* labels only supported on IPv4 addresses. */
214 if (family != AF_INET)
217 for (iface = daemon->interfaces; iface; iface = iface->next)
218 if (iface->index == index && iface->addr.sa.sa_family == AF_INET &&
219 iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
226 struct addrlist *spare;
/* Per-address callback, reached through iface_allowed_v4()/iface_allowed_v6()
   for every address iface_enumerate() reports. For the address it:
     1. records it in daemon->interface_addrs (for --local-service),
     2. adds it to matching --auth-zone subnets, --interface-name address
        lists (with prefix-template rewriting for INP4/INP6) and
        --domain=<domain>,<interface> lists,
     3. decides, via iface_check() and the dhcp/tftp exception lists, whether
        dnsmasq should listen on it, and if so creates or refreshes the
        struct irec on daemon->interfaces.
   It runs on every enumerate_interfaces() call, so existing irecs are
   refreshed (found/dad/netmask) rather than duplicated. Several NULL checks
   after whine_malloc() and all return statements fall in lines this listing
   omits. param->spare is a free-list of addrlist nodes reused before
   allocating fresh ones. */
230 static int iface_allowed(struct iface_param *param, int if_index, char *label,
231 union mysockaddr *addr, struct in_addr netmask, int prefixlen, int iface_flags)
234 struct cond_domain *cond;
237 int tftp_ok = !!option_bool(OPT_TFTP);
241 #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
/* We need the interface name and flags; if either lookup fails the address
   is skipped (the action is in omitted lines). */
247 if (!indextoname(param->fd, if_index, ifr.ifr_name) ||
248 ioctl(param->fd, SIOCGIFFLAGS, &ifr) == -1)
251 loopback = ifr.ifr_flags & IFF_LOOPBACK;
/* label is the alias name (eth0:0) when the enumerator supplied one, else
   the interface name; is_label records whether they differ. */
257 label = ifr.ifr_name;
259 is_label = strcmp(label, ifr.ifr_name);
261 /* maintain a list of all addresses on all interfaces for --local-service option */
262 if (option_bool(OPT_LOCAL_SERVICE))
/* Take a node from the spare list when possible, else allocate. The
   NULL check on the allocation is not visible in this listing. */
269 param->spare = al->next;
272 al = whine_malloc(sizeof(struct addrlist));
276 al->next = daemon->interface_addrs;
277 daemon->interface_addrs = al;
278 al->prefixlen = prefixlen;
280 if (addr->sa.sa_family == AF_INET)
282 al->addr.addr4 = addr->in.sin_addr;
287 al->addr.addr6 = addr->in6.sin6_addr;
288 al->flags = ADDRLIST_IPV6;
/* Link-local IPv6 addresses are never published through auth zones,
   interface names or conditional domains. */
293 if (addr->sa.sa_family != AF_INET6 || !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr))
295 struct interface_name *int_name;
298 struct auth_zone *zone;
299 struct auth_name_list *name;
301 /* Find subnets in auth_zones */
302 for (zone = daemon->auth_zones; zone; zone = zone->next)
303 for (name = zone->interface_names; name; name = name->next)
304 if (wildcard_match(name->name, label))
306 if (addr->sa.sa_family == AF_INET && (name->flags & AUTH4))
311 param->spare = al->next;
314 al = whine_malloc(sizeof(struct addrlist));
318 al->next = zone->subnet;
320 al->prefixlen = prefixlen;
321 al->addr.addr4 = addr->in.sin_addr;
326 if (addr->sa.sa_family == AF_INET6 && (name->flags & AUTH6))
331 param->spare = al->next;
334 al = whine_malloc(sizeof(struct addrlist));
338 al->next = zone->subnet;
340 al->prefixlen = prefixlen;
341 al->addr.addr6 = addr->in6.sin6_addr;
342 al->flags = ADDRLIST_IPV6;
348 /* Update addresses from interface_names. These are a set independent
349 of the set we're listening on. */
/* Interface-name matching here is an exact bounded compare, not a wildcard. */
350 for (int_name = daemon->int_names; int_name; int_name = int_name->next)
351 if (strncmp(label, int_name->intr, IF_NAMESIZE) == 0)
357 if (addr->sa.sa_family == AF_INET && (int_name->flags & (IN4 | INP4)))
359 struct in_addr newaddr = addr->in.sin_addr;
/* INP4: --interface-name with a template address. Network bits come from
   the real address, host bits from the template. A /32 netmask leaves no
   host bits, so there is nothing to substitute. */
361 if (int_name->flags & INP4)
363 if (netmask.s_addr == 0xffffffff)
366 newaddr.s_addr = (addr->in.sin_addr.s_addr & netmask.s_addr) |
367 (int_name->proto4.s_addr & ~netmask.s_addr);
370 /* check for duplicates. */
371 for (lp = int_name->addr; lp; lp = lp->next)
372 if (lp->flags == 0 && lp->addr.addr4.s_addr == newaddr.s_addr)
380 param->spare = al->next;
383 al = whine_malloc(sizeof(struct addrlist));
388 al->addr.addr4 = newaddr;
393 if (addr->sa.sa_family == AF_INET6 && (int_name->flags & (IN6 | INP6)))
395 struct in6_addr newaddr = addr->in6.sin6_addr;
/* INP6: same substitution byte by byte. For byte i, bits is how many
   of its low-order bits lie outside the prefix: bytes wholly outside
   the prefix take the template byte, a straddling byte is merged with a
   mask whose high (8 - bits) bits are set. The branch conditions on bits
   are in omitted lines; the shift is done in int and truncated to
   unsigned char deliberately. */
397 if (int_name->flags & INP6)
401 /* No sense in doing /128. */
402 if (prefixlen == 128)
405 for (i = 0; i < 16; i++)
407 int bits = ((i+1)*8) - prefixlen;
410 newaddr.s6_addr[i] = int_name->proto6.s6_addr[i];
413 unsigned char mask = 0xff << bits;
415 (addr->in6.sin6_addr.s6_addr[i] & mask) |
416 (int_name->proto6.s6_addr[i] & ~mask);
421 /* check for duplicates. */
422 for (lp = int_name->addr; lp; lp = lp->next)
423 if ((lp->flags & ADDRLIST_IPV6) &&
424 IN6_ARE_ADDR_EQUAL(&lp->addr.addr6, &newaddr))
432 param->spare = al->next;
435 al = whine_malloc(sizeof(struct addrlist));
439 al->flags = ADDRLIST_IPV6;
440 al->addr.addr6 = newaddr;
442 /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
443 don't appear in forward queries, but will in reverse ones. */
444 if (!(iface_flags & IFACE_PERMANENT) || (iface_flags & (IFACE_DEPRECATED | IFACE_TENTATIVE)))
445 al->flags |= ADDRLIST_REVONLY;
452 al->next = int_name->addr;
458 /* Update addresses for domain=<domain>,<interface> */
459 for (cond = daemon->cond_domain; cond; cond = cond->next)
460 if (cond->interface && strncmp(label, cond->interface, IF_NAMESIZE) == 0)
467 param->spare = al->next;
470 al = whine_malloc(sizeof(struct addrlist));
472 if (addr->sa.sa_family == AF_INET)
474 al->addr.addr4 = addr->in.sin_addr;
479 al->addr.addr6 = addr->in6.sin6_addr;
480 al->flags = ADDRLIST_IPV6;
483 al->prefixlen = prefixlen;
488 /* check whether the interface IP has been added already
489 we call this routine multiple times. */
/* An existing irec is identified by exact (address, index); it is marked
   found so clean_interfaces() keeps it, and its DAD state and netmask are
   refreshed in case they changed since the last enumeration. */
490 for (iface = daemon->interfaces; iface; iface = iface->next)
491 if (sockaddr_isequal(&iface->addr, addr) && iface->index == if_index)
493 iface->dad = !!(iface_flags & IFACE_TENTATIVE);
494 iface->found = 1; /* for garbage collection */
495 iface->netmask = netmask;
499 /* If we are restricting the set of interfaces to use, make
500 sure that loopback interfaces are in that set. */
/* Security-relevant consequence: with --interface restrictions in force, a
   loopback interface is always added to the allowed set (if not already
   listed), so local queries keep working. The name buffer is allocated to
   the exact length and copied with strcpy; ifr_name was NUL-terminated by
   indextoname()'s bounded copy above. */
501 if (daemon->if_names && loopback)
504 for (lo = daemon->if_names; lo; lo = lo->next)
505 if (lo->name && strcmp(lo->name, ifr.ifr_name) == 0)
508 if (!lo && (lo = whine_malloc(sizeof(struct iname))))
510 if ((lo->name = whine_malloc(strlen(ifr.ifr_name)+1)))
512 strcpy(lo->name, ifr.ifr_name);
514 lo->next = daemon->if_names;
515 daemon->if_names = lo;
/* The listen decision proper: iface_check() against the alias label (not
   the raw interface name) and the address. auth_dns is set by it when the
   interface is an --auth-server one. */
522 if (addr->sa.sa_family == AF_INET &&
523 !iface_check(AF_INET, (union all_addr *)&addr->in.sin_addr, label, &auth_dns))
526 if (addr->sa.sa_family == AF_INET6 &&
527 !iface_check(AF_INET6, (union all_addr *)&addr->in6.sin6_addr, label, &auth_dns))
531 /* No DHCP where we're doing auth DNS. */
/* --no-dhcp-interface and --tftp interface lists are matched on the real
   interface name (wildcards allowed), not the alias label. */
538 for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
539 if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
548 if (daemon->tftp_interfaces)
550 /* dedicated tftp interface list */
552 for (tmp = daemon->tftp_interfaces; tmp; tmp = tmp->next)
553 if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
/* New irec. SIOCGIFMTU is best-effort (its result is stored in omitted
   lines); done/multicast_done/warned start clear so listeners and multicast
   joins happen later in create_bound_listeners()/join_multicast(). */
559 if ((iface = whine_malloc(sizeof(struct irec))))
563 if (ioctl(param->fd, SIOCGIFMTU, &ifr) != -1)
567 iface->netmask = netmask;
568 iface->tftp_ok = tftp_ok;
569 iface->dhcp_ok = dhcp_ok;
570 iface->dns_auth = auth_dns;
572 iface->dad = !!(iface_flags & IFACE_TENTATIVE);
574 iface->done = iface->multicast_done = iface->warned = 0;
575 iface->index = if_index;
576 iface->label = is_label;
577 if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
579 strcpy(iface->name, ifr.ifr_name);
580 iface->next = daemon->interfaces;
581 daemon->interfaces = iface;
/* iface_enumerate() callback for IPv6 addresses: builds a sockaddr_in6 for
   the address on the DNS port and hands it to iface_allowed(). scope,
   preferred and valid are accepted for the callback signature but not used
   in the lines shown. */
592 static int iface_allowed_v6(struct in6_addr *local, int prefix,
593 int scope, int if_index, int flags,
594 int preferred, int valid, void *vparam)
596 union mysockaddr addr;
/* NOTE(review): netmask is a placeholder for the IPv4-only parameter of
   iface_allowed(); its initialisation is not visible in this listing.
   Passing it uninitialised would read an indeterminate value, so it must be
   set (e.g. netmask.s_addr = 0) before the call below - confirm in the full
   source. */
597 struct in_addr netmask; /* dummy */
600 (void)scope; /* warning */
604 memset(&addr, 0, sizeof(addr));
605 #ifdef HAVE_SOCKADDR_SA_LEN
606 addr.in6.sin6_len = sizeof(addr.in6);
608 addr.in6.sin6_family = AF_INET6;
609 addr.in6.sin6_addr = *local;
610 addr.in6.sin6_port = htons(daemon->port);
611 /* FreeBSD insists this is zero for non-linklocal addresses */
/* Link-local addresses are only meaningful together with their interface,
   so the scope id carries the interface index for them. */
612 if (IN6_IS_ADDR_LINKLOCAL(local))
613 addr.in6.sin6_scope_id = if_index;
615 addr.in6.sin6_scope_id = 0;
617 return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, flags);
/* iface_enumerate() callback for IPv4 addresses: builds a sockaddr_in for
   the address on the DNS port, derives the prefix length from the netmask
   and hands both to iface_allowed(). broadcast is unused. */
620 static int iface_allowed_v4(struct in_addr local, int if_index, char *label,
621 struct in_addr netmask, struct in_addr broadcast, void *vparam)
623 union mysockaddr addr;
626 (void)broadcast; /* warning */
628 memset(&addr, 0, sizeof(addr));
629 #ifdef HAVE_SOCKADDR_SA_LEN
630 addr.in.sin_len = sizeof(addr.in);
632 addr.in.sin_family = AF_INET;
633 addr.in.sin_addr = local;
634 addr.in.sin_port = htons(daemon->port);
636 /* determine prefix length from netmask */
/* Counts trailing zero bits of the host-order netmask: prefix starts at 32
   and is decremented once per zero bit from the low end. NOTE(review): the
   declaration of bit is not in this listing; if it is a 32-bit int, an
   all-zero netmask drives the shift to 1<<31 and then past the type width
   before prefix reaches 0, which is undefined behaviour - an unsigned or
   wider type, or testing prefix before shifting, avoids it. */
637 for (prefix = 32, bit = 1; (bit & ntohl(netmask.s_addr)) == 0 && prefix != 0; bit = bit << 1, prefix--);
639 return iface_allowed((struct iface_param *)vparam, if_index, label, &addr, netmask, prefix, 0);
643 * Clean old interfaces no longer found.
/* Garbage-collects daemon->interfaces after an enumeration: an irec that
   was not re-found and has no listener yet (done == 0) is unlinked (the
   unlink and free are in lines this listing omits). Irecs that already own
   a listener are left to release_listener() instead. */
645 static void clean_interfaces()
648 struct irec **up = &daemon->interfaces;
/* Walk via the link pointer so removal does not need a "previous" variable. */
650 for (iface = *up; iface; iface = *up)
652 if (!iface->found && !iface->done)
665 /** Release listener if no other interface needs it.
667 * @return 1 if released, 0 if still required
/* A listener is keyed by its bound address; several irecs (e.g. the same
   address re-found under a new interface index) can share one. If another
   still-active irec has the same address, the listener is kept and, when
   its current iface has disappeared, re-pointed at the active one. The
   actual socket close and return statements are in omitted lines. */
669 static int release_listener(struct listener *l)
674 for (iface = daemon->interfaces; iface; iface = iface->next)
675 if (iface->done && sockaddr_isequal(&l->addr, &iface->addr))
679 /* update listener to point to active interface instead */
680 if (!l->iface->found)
690 /* Someone is still using this listener, skip its deletion */
/* Logged at debug level so interface churn does not flood the log. */
699 port = prettyprint_addr(&l->iface->addr, daemon->addrbuff);
700 my_syslog(LOG_DEBUG|MS_DEBUG, _("stopped listening on %s(#%d): %s port %d"),
701 l->iface->name, l->iface->index, daemon->addrbuff, port);
702 /* In case it ever returns */
/* Re-scan the host's interfaces and addresses, rebuilding every derived
   list: server interface-index cache, --interface-name and conditional
   domain address lists, --local-service address list, auth-zone subnets and
   daemon->interfaces itself (via iface_allowed), then garbage-collect irecs
   and, in --bind-dynamic mode, listeners whose address has gone.
   Interface changes are what move the listen/access-control boundary, so
   the state produced here is what iface_check()/loopback_exception() rely
   on being current. The reentrancy guard, socket close and return are in
   lines this listing omits. */
717 int enumerate_interfaces(int reset)
/* Nodes freed from the address lists are kept on this static free-list and
   handed to iface_allowed() through param.spare for reuse. */
719 static struct addrlist *spare = NULL;
721 struct iface_param param;
722 int errsave, ret = 1;
723 struct addrlist *addr, *tmp;
724 struct interface_name *intname;
725 struct cond_domain *cond;
728 struct auth_zone *zone;
732 /* Do this max once per select cycle - also inhibits netlink socket use
733 in TCP child processes. */
/* A throwaway datagram socket is needed only as an ioctl handle. */
746 if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
749 /* iface indexes can change when interfaces are created/destroyed.
750 We use them in the main forwarding control path, when the path
751 to a server is specified by an interface, so cache them.
752 Update the cache here. */
753 for (serv = daemon->servers; serv; serv = serv->next)
754 if (serv->interface[0] != 0)
756 #ifdef HAVE_LINUX_NETWORK
759 safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE);
760 if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1)
761 serv->ifindex = ifr.ifr_ifindex;
763 serv->ifindex = if_nametoindex(serv->interface);
768 /* Mark interfaces for garbage collection */
769 for (iface = daemon->interfaces; iface; iface = iface->next)
772 /* remove addresses stored against interface_names */
773 for (intname = daemon->int_names; intname; intname = intname->next)
775 for (addr = intname->addr; addr; addr = tmp)
782 intname->addr = NULL;
785 /* remove addresses stored against cond-domains. */
786 for (cond = daemon->cond_domain; cond; cond = cond->next)
788 for (addr = cond->al; addr; addr = tmp)
798 /* Remove list of addresses of local interfaces */
799 for (addr = daemon->interface_addrs; addr; addr = tmp)
805 daemon->interface_addrs = NULL;
808 /* remove addresses stored against auth_zone subnets, but not
809 ones configured as address literals */
810 for (zone = daemon->auth_zones; zone; zone = zone->next)
811 if (zone->interface_names)
813 struct addrlist **up;
814 for (up = &zone->subnet, addr = zone->subnet; addr; addr = tmp)
817 if (addr->flags & ADDRLIST_LITERAL)
/* IPv6 first, then IPv4; ret carries the enumeration result (its use
   between the two calls is in omitted lines). */
831 ret = iface_enumerate(AF_INET6, &param, iface_allowed_v6);
836 ret = iface_enumerate(AF_INET, &param, iface_allowed_v4);
844 if (option_bool(OPT_CLEVERBIND))
846 /* Garbage-collect listeners listening on addresses that no longer exist.
847 Does nothing when not binding interfaces or for listeners on localhost,
848 since the ->iface field is NULL. Note that this needs the protections
849 against reentrancy, hence it's here. It also means there's a possibility,
850 in OPT_CLEVERBIND mode, that at listener will just disappear after
851 a call to enumerate_interfaces, this is checked OK on all calls. */
852 struct listener *l, *tmp, **up;
855 for (up = &daemon->listeners, l = daemon->listeners; l; l = tmp)
/* Listeners without an iface (wildcard / --listen-address) and those whose
   iface was re-found are kept; the rest are released if nothing else
   shares their address. */
859 if (!l->iface || l->iface->found)
861 else if (release_listener(l))
878 /* set NONBLOCK bit on fd: See Stevens 16.6 */
/* The function signature is not in this listing (callers use it as
   fix_fd(fd) and test the result). Uses the read-modify-write form so other
   file status flags are preserved; the return statements are omitted. */
883 if ((flags = fcntl(fd, F_GETFL)) == -1 ||
884 fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
/* Create, configure and bind one listening socket (UDP or TCP) on addr.
   Returns the fd, or -1 when the address family is simply unsupported by
   the kernel or when the bind fails in --bind-dynamic mode; otherwise a
   failure is fatal via die() (exact control flow is partly in omitted
   lines). dienow is accepted but not used in the lines shown.

   Security-relevant socket options set here:
   - IPV6_V6ONLY, so an IPv6 listener never receives v4-mapped traffic that
     would bypass the IPv4 access checks;
   - IP_PKTINFO / IPV6_RECVPKTINFO (or IP_RECVDSTADDR+IP_RECVIF), which let
     the receive path learn the destination address and arrival interface
     of each datagram; this is what makes interface-based access control
     work on a wildcard-bound socket. */
890 static int make_sock(union mysockaddr *addr, int type, int dienow)
892 int family = addr->sa.sa_family;
895 if ((fd = socket(family, type, 0)) == -1)
900 /* No error if the kernel just doesn't support this IP flavour */
901 if (errno == EPROTONOSUPPORT ||
902 errno == EAFNOSUPPORT ||
/* Build the description for the error message: with wildcard listeners the
   address is meaningless, so only the port is reported. The format is a
   fixed string with one int, so it cannot overflow addrbuff. */
908 port = prettyprint_addr(addr, daemon->addrbuff);
909 if (!option_bool(OPT_NOWILD) && !option_bool(OPT_CLEVERBIND))
910 sprintf(daemon->addrbuff, "port %d", port);
911 s = _("failed to create listening socket for %s: %s");
920 /* failure to bind addresses given by --listen-address at this point
921 is OK if we're doing bind-dynamic */
922 if (!option_bool(OPT_CLEVERBIND))
923 die(s, daemon->addrbuff, EC_BADNET);
926 my_syslog(LOG_WARNING, s, daemon->addrbuff, strerror(errno));
/* SO_REUSEADDR lets the listener be re-created promptly after a restart
   or interface flap; the socket is also made non-blocking. */
931 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 || !fix_fd(fd))
934 if (family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof(opt)) == -1)
937 if ((rc = bind(fd, (struct sockaddr *)addr, sa_len(addr))) == -1)
/* TCP: enable fast-open best-effort (result deliberately unchecked) and
   start listening. */
940 if (type == SOCK_STREAM)
944 setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen));
947 if (listen(fd, TCP_BACKLOG) == -1)
/* UDP: request per-datagram destination/interface information unless we
   are binding individual interfaces (--bind-interfaces), where the bound
   address already identifies the interface. */
950 else if (family == AF_INET)
952 if (!option_bool(OPT_NOWILD))
954 #if defined(HAVE_LINUX_NETWORK)
955 if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) == -1)
957 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
958 if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt)) == -1 ||
959 setsockopt(fd, IPPROTO_IP, IP_RECVIF, &opt, sizeof(opt)) == -1)
964 else if (!set_ipv6pktinfo(fd))
/* Ask for per-packet IPv6 destination/interface info on fd, trying the
   RFC 3542 option first and falling back to the RFC 2292 one, and record
   in daemon->v6pktinfo which cmsg type the receive path must look for.
   Return statements are in lines this listing omits (callers treat a
   zero result as failure). */
970 int set_ipv6pktinfo(int fd)
974 /* The API changed around Linux 2.6.14 but the old ABI is still supported:
975 handle all combinations of headers and kernel.
976 OpenWrt note that this fixes the problem addressed by your very broken patch. */
977 daemon->v6pktinfo = IPV6_PKTINFO;
979 #ifdef IPV6_RECVPKTINFO
980 if (setsockopt(fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &opt, sizeof(opt)) != -1)
982 # ifdef IPV6_2292PKTINFO
/* ENOPROTOOPT means the running kernel predates the 3542 option even
   though the headers have it; fall back to the 2292 option and cmsg type. */
983 else if (errno == ENOPROTOOPT && setsockopt(fd, IPPROTO_IPV6, IPV6_2292PKTINFO, &opt, sizeof(opt)) != -1)
985 daemon->v6pktinfo = IPV6_2292PKTINFO;
990 if (setsockopt(fd, IPPROTO_IPV6, IPV6_PKTINFO, &opt, sizeof(opt)) != -1)
998 /* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
/* Linux-only: the IP_PKTOPTIONS / IPV6_(2292)PKTOPTIONS getsockopt returns
   the saved pktinfo cmsg of the accepted connection, from which the arrival
   interface index is read. The interface index is what the access control
   for TCP queries keys on, so a zero result means "unknown" and callers
   must treat it accordingly. daemon->packet is borrowed as the control
   buffer, which invalidates daemon->srv_save. Variable declarations and
   the return are in omitted lines. */
999 int tcp_interface(int fd, int af)
1001 (void)fd; /* suppress potential unused warning */
1002 (void)af; /* suppress potential unused warning */
1005 #ifdef HAVE_LINUX_NETWORK
1007 struct cmsghdr *cmptr;
1011 /* use mshdr so that the CMSDG_* macros are available */
1012 msg.msg_control = daemon->packet;
1013 msg.msg_controllen = len = daemon->packet_buff_sz;
1015 /* we overwrote the buffer... */
1016 daemon->srv_save = NULL;
/* IPv4: enabling IP_PKTINFO on the accepted socket makes the kernel
   expose the stored packet info through IP_PKTOPTIONS. len is updated to
   the number of control bytes actually returned before walking the cmsgs. */
1020 if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
1021 getsockopt(fd, IPPROTO_IP, IP_PKTOPTIONS, msg.msg_control, &len) != -1)
1023 msg.msg_controllen = len;
1024 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1025 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
/* The union of char* and struct pointer avoids an aliasing/alignment
   cast straight from CMSG_DATA(). */
1029 struct in_pktinfo *p;
1032 p.c = CMSG_DATA(cmptr);
1033 if_index = p.p->ipi_ifindex;
1039 /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
1040 it was removed in RFC-3542 !!!!
1042 Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
1043 uses the old ABI, and should work with pre- and post-3542 kernel headers */
1045 #ifdef IPV6_2292PKTOPTIONS
1046 # define PKTOPTIONS IPV6_2292PKTOPTIONS
1048 # define PKTOPTIONS IPV6_PKTOPTIONS
/* IPv6: the cmsg type to match is whichever set_ipv6pktinfo() selected. */
1051 if (set_ipv6pktinfo(fd) &&
1052 getsockopt(fd, IPPROTO_IPV6, PKTOPTIONS, msg.msg_control, &len) != -1)
1054 msg.msg_controllen = len;
1055 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
1056 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
1060 struct in6_pktinfo *p;
1062 p.c = CMSG_DATA(cmptr);
1064 if_index = p.p->ipi6_ifindex;
/* Create the set of sockets for one address: DNS UDP + TCP (unless the DNS
   port is 0, i.e. DNS disabled) and, when do_tftp is set, a UDP socket on
   TFTP_PORT. Returns a new struct listener when at least one socket was
   created, else NULL. addr is temporarily modified to the TFTP port and
   restored, so callers see it unchanged. The population of the listener
   fields and the final return are in lines this listing omits. */
1073 static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, int dienow)
1075 struct listener *l = NULL;
1076 int fd = -1, tcpfd = -1, tftpfd = -1;
1080 if (daemon->port != 0)
1082 fd = make_sock(addr, SOCK_DGRAM, dienow);
1083 tcpfd = make_sock(addr, SOCK_STREAM, dienow);
1089 if (addr->sa.sa_family == AF_INET)
1091 /* port must be restored to DNS port for TCP code */
/* Style note: the port is saved in a short although sin_port is an
   unsigned 16-bit type; the round trip preserves the bits in practice, but
   an in_port_t / unsigned short would avoid the implementation-defined
   conversion. */
1092 short save = addr->in.sin_port;
1093 addr->in.sin_port = htons(TFTP_PORT);
1094 tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
1095 addr->in.sin_port = save;
1099 short save = addr->in6.sin6_port;
1100 addr->in6.sin6_port = htons(TFTP_PORT);
1101 tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
1102 addr->in6.sin6_port = save;
/* safe_malloc (fatal on failure) rather than whine_malloc: a listener we
   cannot record would leak the sockets just created. */
1107 if (fd != -1 || tcpfd != -1 || tftpfd != -1)
1109 l = safe_malloc(sizeof(struct listener));
/* Default (non --bind-interfaces) listening mode: one listener on
   INADDR_ANY and one on in6addr_any, each on the DNS port (plus TFTP when
   enabled). Because these sockets accept datagrams from every interface,
   the --interface / --except-interface policy must be enforced per packet
   from the arrival-interface information requested in make_sock(), not by
   the bind itself. dienow is 1: failure here is fatal. The linking of the
   two listeners is in omitted lines. */
1122 void create_wildcard_listeners(void)
1124 union mysockaddr addr;
1125 struct listener *l, *l6;
1127 memset(&addr, 0, sizeof(addr));
1128 #ifdef HAVE_SOCKADDR_SA_LEN
1129 addr.in.sin_len = sizeof(addr.in);
1131 addr.in.sin_family = AF_INET;
1132 addr.in.sin_addr.s_addr = INADDR_ANY;
1133 addr.in.sin_port = htons(daemon->port);
1135 l = create_listeners(&addr, !!option_bool(OPT_TFTP), 1);
1137 memset(&addr, 0, sizeof(addr));
1138 #ifdef HAVE_SOCKADDR_SA_LEN
1139 addr.in6.sin6_len = sizeof(addr.in6);
1141 addr.in6.sin6_family = AF_INET6;
1142 addr.in6.sin6_addr = in6addr_any;
1143 addr.in6.sin6_port = htons(daemon->port);
1145 l6 = create_listeners(&addr, !!option_bool(OPT_TFTP), 1);
1151 daemon->listeners = l;
/* Look up an existing listener bound to exactly addr (family, address and
   port, per sockaddr_isequal). The return statements are in lines this
   listing omits; callers treat NULL as "not found". */
1154 static struct listener *find_listener(union mysockaddr *addr)
1157 for (l = daemon->listeners; l; l = l->next)
1158 if (sockaddr_isequal(&l->addr, addr))
/* --bind-interfaces / --bind-dynamic mode: create a listener for every irec
   that is allowed (found), has no listener yet (done == 0) and whose IPv6
   address has finished duplicate-address detection; an existing listener
   on the same address is shared with a use count instead. Then create
   listeners for --listen-address entries that matched no interface. Log
   lines are skipped on the initial start-up pass (that condition is in
   omitted lines). */
1163 void create_bound_listeners(int dienow)
1165 struct listener *new;
1167 struct iname *if_tmp;
1168 struct listener *existing;
1170 for (iface = daemon->interfaces; iface; iface = iface->next)
1171 if (!iface->done && !iface->dad && iface->found)
1173 existing = find_listener(&iface->addr);
1177 existing->used++; /* increase usage counter */
1179 else if ((new = create_listeners(&iface->addr, iface->tftp_ok, dienow)))
1182 new->next = daemon->listeners;
1183 daemon->listeners = new;
1186 /* Don't log the initial set of listen addresses created
1187 at startup, since this is happening before the logging
1188 system is initialised and the sign-on printed. */
1191 int port = prettyprint_addr(&iface->addr, daemon->addrbuff);
1192 my_syslog(LOG_DEBUG|MS_DEBUG, _("listening on %s(#%d): %s port %d"),
1193 iface->name, iface->index, daemon->addrbuff, port);
1198 /* Check for --listen-address options that haven't been used because there's
1199 no interface with a matching address. These may be valid: eg it's possible
1200 to listen on 127.0.1.1 even if the loopback interface is 127.0.0.1
1202 If the address isn't valid the bind() will fail and we'll die()
1203 (except in bind-dynamic mode, when we'll complain but keep trying.)
1205 The resulting listeners have the ->iface field NULL, and this has to be
1206 handled by the DNS and TFTP code. It disables --localise-queries processing
1207 (no netmask) and some MTU logic in the tftp code. */
/* The "used" flag was set by iface_check() whenever the address matched a
   real interface; entries still clear here had no such interface. */
1209 for (if_tmp = daemon->if_addrs; if_tmp; if_tmp = if_tmp->next)
1210 if (!if_tmp->used &&
1211 (new = create_listeners(&if_tmp->addr, !!option_bool(OPT_TFTP), dienow)))
1213 new->next = daemon->listeners;
1214 daemon->listeners = new;
1218 int port = prettyprint_addr(&if_tmp->addr, daemon->addrbuff);
1219 my_syslog(LOG_DEBUG|MS_DEBUG, _("listening on %s port %d"), daemon->addrbuff, port);
1224 /* In --bind-interfaces, the only access control is the addresses we're listening on.
1225 There's nothing to avoid a query to the address of an internal interface arriving via
1226 an external interface where we don't want to accept queries, except that in the usual
1227 case the addresses of internal interfaces are RFC1918. When bind-interfaces in use,
1228 and we listen on an address that looks like it's probably globally routeable, shout.
1230 The fix is to use --bind-dynamic, which actually checks the arrival interface too.
1231 Tough if your platform doesn't support this.
1233 Note that checking the arrival interface is supported in the standard IPv6 API and
1234 always done, so we don't warn about any IPv6 addresses here.
/* Security check, IPv4 only: with --bind-interfaces a listener on a
   non-private address is reachable from any interface that can route to
   it, so an external host could use the resolver as an open reflector for
   DNS amplification. Interfaces doing authoritative DNS (dns_auth) are
   meant to be reachable and are skipped. The warning is per interface
   (iface->warned) plus one summary line when any fired; the variable
   declarations and the "advice" test are in omitted lines. */
1237 void warn_bound_listeners(void)
1242 for (iface = daemon->interfaces; iface; iface = iface->next)
1243 if (!iface->dns_auth)
1245 if (iface->addr.sa.sa_family == AF_INET)
1247 if (!private_net(iface->addr.in.sin_addr, 1))
1249 inet_ntop(AF_INET, &iface->addr.in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
1250 iface->warned = advice = 1;
1251 my_syslog(LOG_WARNING,
1252 _("LOUD WARNING: listening on %s may accept requests via interfaces other than %s"),
1253 daemon->addrbuff, iface->name);
1259 my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));
/* Warn once per active irec that was created for a labelled alias
   (eth0:0 style, iface->label set), since the arrival interface seen at
   run time is the base interface, not the label. The surrounding message
   (which alias was requested) is in lines this listing omits. */
1262 void warn_wild_labels(void)
1266 for (iface = daemon->interfaces; iface; iface = iface->next)
1267 if (iface->found && iface->name && iface->label)
1268 my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
/* Warn for every --interface-name whose address list is empty after
   enumeration (the condition on intname->addr is in an omitted line), so a
   misspelt or absent interface name is visible in the log rather than
   silently producing no records. */
1271 void warn_int_names(void)
1273 struct interface_name *intname;
1275 for (intname = daemon->int_names; intname; intname = intname->next)
1277 my_syslog(LOG_WARNING, _("warning: no addresses found for interface %s"), intname->intr);
/* In --bind-interfaces mode, report whether any allowed irec is still
   waiting for IPv6 duplicate-address detection (dad set) and therefore has
   no listener yet, so the caller can retry create_bound_listeners() later.
   Return statements are in lines this listing omits. */
1280 int is_dad_listeners(void)
1284 if (option_bool(OPT_NOWILD))
1285 for (iface = daemon->interfaces; iface; iface = iface->next)
1286 if (iface->dad && !iface->done)
/* Join the DHCPv6 and router-advertisement multicast groups on every
   interface that has DHCP enabled, once per interface index (there is one
   irec per address, so duplicates are weeded out via multicast_done).
   Joins that fail are fatal when dienow is set, otherwise logged. The
   memset/assignment of mreq and the error branch structure are partly in
   omitted lines. */
1293 void join_multicast(int dienow)
1295 struct irec *iface, *tmp;
1297 for (iface = daemon->interfaces; iface; iface = iface->next)
1298 if (iface->addr.sa.sa_family == AF_INET6 && iface->dhcp_ok && !iface->multicast_done)
1300 /* There's an irec per address but we only want to join for multicast
1301 once per interface. Weed out duplicates. */
1302 for (tmp = daemon->interfaces; tmp; tmp = tmp->next)
1303 if (tmp->multicast_done && tmp->index == iface->index)
1306 iface->multicast_done = 1;
1310 struct ipv6_mreq mreq;
1313 mreq.ipv6mr_interface = iface->index;
/* ff02::1:2 (all DHCP relay agents and servers): needed for both server
   and relay operation. */
1315 inet_pton(AF_INET6, ALL_RELAY_AGENTS_AND_SERVERS, &mreq.ipv6mr_multiaddr);
1317 if ((daemon->doing_dhcp6 || daemon->relay6) &&
1318 setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
/* ff05::1:3 (all DHCP servers): server operation only. */
1321 inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
1323 if (daemon->doing_dhcp6 &&
1324 setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
/* ff02::2 (all routers) on the ICMPv6 socket: router advertisements. */
1327 inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
1329 if (daemon->doing_ra &&
1330 setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
1335 char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
1338 #ifdef HAVE_LINUX_NETWORK
/* ENOMEM here is usually the kernel's option-memory limit, hence the hint. */
1339 if (errno == ENOMEM)
1340 my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
1344 die(s, iface->name, EC_BADNET);
1346 my_syslog(LOG_ERR, s, iface->name, strerror(errno));
/* Bind an upstream (query) socket to its source address/port and, when
   requested, pin it to an interface. Returns non-zero on success; the
   bind failure exits and the final return are in omitted lines.

   Security note: when no source port is configured (port == 0) but a
   --min-port/--max-port range is, the port is chosen at random from the
   range with rand16(). Source-port randomisation is part of the defence
   against forged upstream replies (cache poisoning), so a narrow range
   reduces that protection; with port == 0 and no range the kernel's own
   ephemeral-port randomisation is used instead. The declaration and
   default of tries, and the retry loop around the bind, are in omitted
   lines. */
1353 int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp)
/* Work on a copy: the caller's addr must not see the port we pick. */
1355 union mysockaddr addr_copy = *addr;
1356 unsigned short port;
1358 unsigned short ports_avail = 1;
1360 if (addr_copy.sa.sa_family == AF_INET)
1361 port = addr_copy.in.sin_port;
1363 port = addr_copy.in6.sin6_port;
1365 /* cannot set source _port_ for TCP connections. */
1368 else if (port == 0 && daemon->max_port != 0)
1370 /* Bind a random port within the range given by min-port and max-port if either
1371 or both are set. Otherwise use the OS's random ephemeral port allocation by
1372 leaving port == 0 and tries == 1 */
/* rand16() % ports_avail has a slight modulo bias unless ports_avail
   divides 65536; negligible for the ranges involved. */
1373 ports_avail = daemon->max_port - daemon->min_port + 1;
1374 tries = (ports_avail < SMALL_PORT_RANGE) ? ports_avail : 100;
1375 port = htons(daemon->min_port + (rand16() % ports_avail));
1380 /* elide bind() call if it's to port 0, address 0 */
1381 if (addr_copy.sa.sa_family == AF_INET)
1383 if (port == 0 && addr_copy.in.sin_addr.s_addr == 0)
1385 addr_copy.in.sin_port = port;
1389 if (port == 0 && IN6_IS_ADDR_UNSPECIFIED(&addr_copy.in6.sin6_addr))
1391 addr_copy.in6.sin6_port = port;
/* Only "port busy" (EADDRINUSE) or "port not permitted" (EACCES, e.g. a
   privileged port after dropping root) are retried with another port;
   any other error is fatal to the bind. */
1394 if (bind(fd, (struct sockaddr *)&addr_copy, sa_len(&addr_copy)) != -1)
1397 if (errno != EADDRINUSE && errno != EACCES)
1403 /* For small ranges, do a systematic search, not a random one. */
1404 if (ports_avail < SMALL_PORT_RANGE)
1406 unsigned short hport = ntohs(port);
1407 if (hport++ == daemon->max_port)
1408 hport = daemon->min_port;
1409 port = htons(hport);
1412 port = htons(daemon->min_port + (rand16() % ports_avail));
/* Interface pinning for UDP: IP_UNICAST_IF / IPV6_UNICAST_IF take the
   index in network byte order. Note this path returns directly, so the
   SO_BINDTODEVICE code below is reached only for TCP or where UNICAST_IF
   is unavailable. */
1415 if (!is_tcp && ifindex > 0)
1417 #if defined(IP_UNICAST_IF)
1418 if (addr_copy.sa.sa_family == AF_INET)
1420 uint32_t ifindex_opt = htonl(ifindex);
1421 return setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_opt, sizeof(ifindex_opt)) == 0;
1424 #if defined (IPV6_UNICAST_IF)
1425 if (addr_copy.sa.sa_family == AF_INET6)
1427 uint32_t ifindex_opt = htonl(ifindex);
1428 return setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_IF, &ifindex_opt, sizeof(ifindex_opt)) == 0;
1433 (void)intname; /* suppress potential unused warning */
1434 #if defined(SO_BINDTODEVICE)
/* SO_BINDTODEVICE is passed IF_NAMESIZE bytes, so intname must be a
   NUL-terminated string within that size (allocate_sfd() stores it with a
   bounded copy). This option requires CAP_NET_RAW on Linux, which is one
   reason the upstream sockets are created before privileges are dropped. */
1435 if (intname[0] != 0 &&
1436 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, IF_NAMESIZE) == -1)
/* Find or create the upstream socket (struct serverfd) for a given source
   address, interface name and interface index. Sockets are shared between
   servers with identical (ifindex, source address, interface) so that a
   bounded number of upstream fds exists. Returns the serverfd, or NULL on
   failure with errno set (the error path closes the fd and frees sfd in
   omitted lines). */
1443 static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex)
1445 struct serverfd *sfd;
1449 /* when using random ports, servers which would otherwise use
1450 the INADDR_ANY/port0 socket have sfd set to NULL, this is
1451 anything without an explictly set source port. */
/* With random source ports a NULL sfd tells the forwarder to create a
   fresh, randomly-ported socket per query rather than reuse one. */
1452 if (!daemon->osport)
1456 if (addr->sa.sa_family == AF_INET &&
1457 addr->in.sin_port == htons(0))
1460 if (addr->sa.sa_family == AF_INET6 &&
1461 addr->in6.sin6_port == htons(0))
1465 /* may have a suitable one already */
1466 for (sfd = daemon->sfds; sfd; sfd = sfd->next )
1467 if (ifindex == sfd->ifindex &&
1468 sockaddr_isequal(&sfd->source_addr, addr) &&
1469 strcmp(intname, sfd->interface) == 0)
1472 /* need to make a new one. */
1473 errno = ENOMEM; /* in case malloc fails. */
1474 if (!(sfd = whine_malloc(sizeof(struct serverfd))))
1477 if ((sfd->fd = socket(addr->sa.sa_family, SOCK_DGRAM, 0)) == -1)
/* IPV6_V6ONLY before bind so the socket never sees v4-mapped traffic;
   then bind to the requested source and make the fd non-blocking.
   errno from the failing call is preserved across the cleanup. */
1483 if ((addr->sa.sa_family == AF_INET6 && setsockopt(sfd->fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof(opt)) == -1) ||
1484 !local_bind(sfd->fd, addr, intname, ifindex, 0) || !fix_fd(sfd->fd))
1486 errsave = errno; /* save error from bind/setsockopt. */
/* Bounded copy keeps sfd->interface NUL-terminated, which local_bind()
   relies on when passing it to SO_BINDTODEVICE. */
1493 safe_strncpy(sfd->interface, intname, sizeof(sfd->interface));
1494 sfd->source_addr = *addr;
1495 sfd->next = daemon->sfds;
1496 sfd->ifindex = ifindex;
1497 sfd->preallocated = 0;
1503 /* create upstream sockets during startup, before root is dropped which may be needed
1504 this allows query_port to be a low port and interface binding */
/* Runs while still privileged: a fixed --query-port below 1024 and
   SO_BINDTODEVICE both need root/CAP_NET_RAW. The wildcard sockets for a
   fixed query port are marked preallocated so check_servers() never
   garbage-collects them. Per-server sockets are then created; failure is
   fatal only in --bind-interfaces mode (the other half of that condition is
   in an omitted line), otherwise the server can be bound later. */
1505 void pre_allocate_sfds(void)
1508 struct serverfd *sfd;
1510 if (daemon->query_port != 0)
1512 union mysockaddr addr;
1513 memset(&addr, 0, sizeof(addr));
1514 addr.in.sin_family = AF_INET;
1515 addr.in.sin_addr.s_addr = INADDR_ANY;
1516 addr.in.sin_port = htons(daemon->query_port);
1517 #ifdef HAVE_SOCKADDR_SA_LEN
1518 addr.in.sin_len = sizeof(struct sockaddr_in);
1520 if ((sfd = allocate_sfd(&addr, "", 0)))
1521 sfd->preallocated = 1;
1523 memset(&addr, 0, sizeof(addr));
1524 addr.in6.sin6_family = AF_INET6;
1525 addr.in6.sin6_addr = in6addr_any;
1526 addr.in6.sin6_port = htons(daemon->query_port);
1527 #ifdef HAVE_SOCKADDR_SA_LEN
1528 addr.in6.sin6_len = sizeof(struct sockaddr_in6);
1530 if ((sfd = allocate_sfd(&addr, "", 0)))
1531 sfd->preallocated = 1;
1534 for (srv = daemon->servers; srv; srv = srv->next)
1535 if (!allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) &&
1537 option_bool(OPT_NOWILD))
/* Builds "<address> <interface>" for the fatal message with unbounded
   strcat; this is safe only because srv->interface is an interface name
   (bounded by IF_NAMESIZE elsewhere) and namebuff is sized for names far
   longer than an address plus that - confirm the buffer size in the full
   source if either assumption changes. */
1539 (void)prettyprint_addr(&srv->source_addr, daemon->namebuff);
1540 if (srv->interface[0] != 0)
1542 strcat(daemon->namebuff, " ");
1543 strcat(daemon->namebuff, srv->interface);
1545 die(_("failed to bind server socket for %s: %s"),
1546 daemon->namebuff, EC_BADNET);
/* Re-evaluate the upstream server list after a configuration or resolv.conf
   change: set per-server DNSSEC policy, drop servers that cannot be used
   (0.0.0.0, one of our own addresses, an unbindable socket), make sure every
   remaining server has a socket, log the result, and release sockets that no
   server references any more.
   no_loop_check: its use is not in this listing; presumably it gates the
   query-loop detection whose result is read via SERV_LOOP below - confirm.
   NOTE(review): sampled listing - braces and some intervening lines of the
   original are not shown; the numbers are original line numbers. */
1550 void check_servers(int no_loop_check)
1553 struct server *serv;
1554 struct serverfd *sfd, *tmp, **up;
1555 int port = 0, count;
1563 /* clear all marks. */
/* Under OPT_NOWILD (--bind-interfaces) the interface list is fixed at
   start-up; otherwise refresh it so the "local interface" test below also
   sees addresses added since then. */
1566 /* interface may be new since startup */
1567 if (!option_bool(OPT_NOWILD))
1568 enumerate_interfaces(0);
/* Seed the GC flag: only sockets made by pre_allocate_sfds() survive
   unconditionally; every other sfd must be claimed by a server below. */
1570 /* don't garbage collect pre-allocated sfds. */
1571 for (sfd = daemon->sfds; sfd; sfd = sfd->next)
1572 sfd->used = sfd->preallocated;
1574 for (count = 0, serv = daemon->servers; serv; serv = serv->next)
1576 /* Init edns_pktsz for newly created server records. */
1577 if (serv->edns_pktsz == 0)
1578 serv->edns_pktsz = daemon->edns_pktsz;
/* DNSSEC policy - security-relevant.  Validation is requested for a server
   only if it is not an unqualified-names server (SERV_FOR_NODOTS) and, for a
   server=/domain/ entry, only if a trust anchor is configured for exactly
   that domain.  Replies from the other servers are therefore accepted
   without validation even with OPT_DNSSEC_VALID on; the log line below
   flags them "(no DNSSEC)". */
1581 if (option_bool(OPT_DNSSEC_VALID))
1583 if (!(serv->flags & SERV_FOR_NODOTS))
1584 serv->flags |= SERV_DO_DNSSEC;
1586 /* Disable DNSSEC validation when using server=/domain/.... servers
1587 unless there's a configured trust anchor. */
1588 if (strlen(serv->domain) != 0)
1590 struct ds_config *ds;
1591 char *domain = serv->domain;
1593 /* .example.com is valid */
/* Strip leading dots so the anchor comparison is done on the bare name. */
1594 while (*domain == '.')
/* An anchor with an empty name (the root anchor) must not count as a
   per-domain anchor, hence the ds->name[0] test. */
1597 for (ds = daemon->ds; ds; ds = ds->next)
1598 if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
1602 serv->flags &= ~SERV_DO_DNSSEC;
/* namebuff now holds the printable address; the port comes back separately. */
1607 port = prettyprint_addr(&serv->addr, daemon->namebuff);
1609 /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
1610 if (serv->addr.sa.sa_family == AF_INET &&
1611 serv->addr.in.sin_addr.s_addr == 0)
/* SERV_MARK flags the record for removal by cleanup_servers() at the end. */
1613 serv->flags |= SERV_MARK;
/* Never forward to one of our own listening addresses: that would send
   queries straight back into this process. */
1617 for (iface = daemon->interfaces; iface; iface = iface->next)
1618 if (sockaddr_isequal(&serv->addr, &iface->addr))
1622 my_syslog(LOG_WARNING, _("ignoring nameserver %s - local interface"), daemon->namebuff);
1623 serv->flags |= SERV_MARK;
1627 /* Do we need a socket set? */
/* Part of this condition is not shown.  A server whose socket cannot be
   created or bound is logged and dropped rather than left half-configured. */
1629 !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) &&
1632 my_syslog(LOG_WARNING,
1633 _("ignoring nameserver %s - cannot make/bind socket: %s"),
1634 daemon->namebuff, strerror(errno));
1635 serv->flags |= SERV_MARK;
/* Claim the socket so the removal pass below keeps it. */
1640 serv->sfd->used = 1;
/* Cap the per-server log lines at SERVERS_LOGGED; one summary line marks the cut-off. */
1642 if (count == SERVERS_LOGGED)
1643 my_syslog(LOG_INFO, _("more servers are defined but not logged"));
1645 if (++count > SERVERS_LOGGED)
1648 if (strlen(serv->domain) != 0 || (serv->flags & SERV_FOR_NODOTS))
1650 char *s1, *s2, *s3 = "", *s4 = "";
/* s3 makes the unvalidated servers visible in the log. */
1653 if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
1654 s3 = _("(no DNSSEC)");
1656 if (serv->flags & SERV_FOR_NODOTS)
1657 s1 = _("unqualified"), s2 = _("names");
1658 else if (strlen(serv->domain) == 0)
1659 s1 = _("default"), s2 = "";
1661 s1 = _("domain"), s2 = serv->domain, s4 = (serv->flags & SERV_WILDCARD) ? "*" : "";
1663 my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s%s %s"), daemon->namebuff, port, s1, s4, s2, s3);
/* SERV_LOOP is set by the query-loop detector, which is not in this listing. */
1666 else if (serv->flags & SERV_LOOP)
1667 my_syslog(LOG_INFO, _("NOT using nameserver %s#%d - query loop detected"), daemon->namebuff, port);
1669 else if (serv->interface[0] != 0)
1670 my_syslog(LOG_INFO, _("using nameserver %s#%d(via %s)"), daemon->namebuff, port, serv->interface);
1672 my_syslog(LOG_INFO, _("using nameserver %s#%d"), daemon->namebuff, port);
/* Second pass over the local-domain records; note that count is reset here. */
1676 for (count = 0, serv = daemon->local_domains; serv; serv = serv->next)
1678 if (++count > SERVERS_LOGGED)
/* Literal-address entry carrying no address: the domain is answered only
   from locally-known data, never forwarded. */
1681 if ((serv->flags & SERV_LITERAL_ADDRESS) &&
1682 !(serv->flags & (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)) &&
1683 strlen(serv->domain))
1686 if (++locals <= LOCALS_LOGGED)
1687 my_syslog(LOG_INFO, _("using only locally-known addresses for %s"), serv->domain);
1689 else if (serv->flags & SERV_USE_RESOLV)
1690 my_syslog(LOG_INFO, _("using standard nameservers for %s"), serv->domain);
1693 if (locals > LOCALS_LOGGED)
1694 my_syslog(LOG_INFO, _("using %d more local addresses"), locals - LOCALS_LOGGED);
/* NOTE(review): count here is the local_domains tally from the second loop,
   not the upstream-server count from the first, and the -1 offset is
   unexplained; the "more nameservers" wording may not match what is being
   counted - confirm which total was intended.  Logging only. */
1695 if (count - 1 > SERVERS_LOGGED)
1696 my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
/* Close and free every sfd still flagged unused (loop body not shown here). */
1698 /* Remove unused sfds */
1699 for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
1712 cleanup_servers(); /* remove servers we just deleted. */
1713 build_server_array();
1716 /* Return zero if no servers were found; the caller then keeps polling the file.
1717 This protects against reading resolv.conf while it is still being rewritten (an update-time/write race). */
/* Re-read a resolv.conf-style file and (re)register every "nameserver" /
   "server" line as a SERV_FROM_RESOLV upstream.  Returns zero when no server
   was found so the caller keeps polling (see the comment preceding the
   function); the fclose()/return lines are not in this listing.
   Security notes: resolv.conf is commonly rewritten by DHCP clients, so its
   content is effectively network-supplied.  This parser accepts only literal
   IPv4/IPv6 addresses via inet_pton() - never hostnames - and always uses the
   fixed NAMESERVER_PORT as destination.
   NOTE(review): sampled listing - braces and some lines are not shown; the
   numbers are original line numbers. */
1718 int reload_servers(char *fname)
1724 /* buff happens to be MAXDNAME long... */
1725 if (!(f = fopen(fname, "r")))
1727 my_syslog(LOG_ERR, _("failed to read %s: %s"), fname, strerror(errno));
/* Flag the existing resolv-derived servers so that any not seen again in
   this read can be dropped afterwards (presumably by cleanup_servers()). */
1731 mark_servers(SERV_FROM_RESOLV);
/* fgets() bounded to MAXDNAME: a longer line is read in pieces and each
   later piece is parsed as if it were a line of its own. */
1733 while ((line = fgets(daemon->namebuff, MAXDNAME, f)))
1735 union mysockaddr addr, source_addr;
/* strtok() writes NULs into namebuff in place; fine for this single pass. */
1736 char *token = strtok(line, " \t\n\r");
/* Only "nameserver" and "server" (not a resolv.conf(5) keyword) are
   honoured; search/options/comment lines are skipped. */
1740 if (strcmp(token, "nameserver") != 0 && strcmp(token, "server") != 0)
1742 if (!(token = strtok(NULL, " \t\n\r")))
1745 memset(&addr, 0, sizeof(addr));
1746 memset(&source_addr, 0, sizeof(source_addr));
/* IPv4 literal.  Destination port is always NAMESERVER_PORT; the source is
   INADDR_ANY at query_port, where 0 leaves the port choice to the kernel at
   bind() time. */
1748 if (inet_pton(AF_INET, token, &addr.in.sin_addr) > 0)
1750 #ifdef HAVE_SOCKADDR_SA_LEN
1751 source_addr.in.sin_len = addr.in.sin_len = sizeof(source_addr.in);
1753 source_addr.in.sin_family = addr.in.sin_family = AF_INET;
1754 addr.in.sin_port = htons(NAMESERVER_PORT);
1755 source_addr.in.sin_addr.s_addr = INADDR_ANY;
1756 source_addr.in.sin_port = htons(daemon->query_port);
/* IPv6 literal, optionally "addr%ifname".  if_nametoindex() returns 0 for
   an unknown interface name and that is not checked here, so a link-local
   server with a misspelt scope silently ends up with scope_id 0 (the lines
   between strchr() and if_nametoindex() are not shown). */
1760 int scope_index = 0;
1761 char *scope_id = strchr(token, '%');
1766 scope_index = if_nametoindex(scope_id);
1769 if (inet_pton(AF_INET6, token, &addr.in6.sin6_addr) > 0)
1771 #ifdef HAVE_SOCKADDR_SA_LEN
1772 source_addr.in6.sin6_len = addr.in6.sin6_len = sizeof(source_addr.in6);
1774 source_addr.in6.sin6_family = addr.in6.sin6_family = AF_INET6;
1775 source_addr.in6.sin6_flowinfo = addr.in6.sin6_flowinfo = 0;
1776 addr.in6.sin6_port = htons(NAMESERVER_PORT);
1777 addr.in6.sin6_scope_id = scope_index;  /* scope applies to the destination only */
1778 source_addr.in6.sin6_addr = in6addr_any;
1779 source_addr.in6.sin6_port = htons(daemon->query_port);
1780 source_addr.in6.sin6_scope_id = 0;
/* resolv.conf servers carry no interface binding and no domain. */
1786 add_update_server(SERV_FROM_RESOLV, &addr, &source_addr, NULL, NULL, NULL);
1796 /* Called when addresses are added or deleted from an interface */
1797 void newaddress(time_t now)
1799 struct dhcp_relay *relay;
1803 if (option_bool(OPT_CLEVERBIND) || option_bool(OPT_LOCAL_SERVICE) ||
1804 daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
1805 enumerate_interfaces(0);
1807 if (option_bool(OPT_CLEVERBIND))
1808 create_bound_listeners(0);
1811 /* clear cache of subnet->relay index */
1812 for (relay = daemon->relay4; relay; relay = relay->next)
1813 relay->iface_index = 0;
1817 if (daemon->doing_dhcp6 || daemon->relay6 || daemon->doing_ra)
1820 if (daemon->doing_dhcp6 || daemon->doing_ra)
1821 dhcp_construct_contexts(now);
1823 if (daemon->doing_dhcp6)
1824 lease_find_interfaces(now);
1826 for (relay = daemon->relay6; relay; relay = relay->next)
1827 relay->iface_index = 0;