Correct behaviour for TCP queries to allowed address via banned interface.

CHANGELOG

@@ -16,7 +16,16 @@ version 2.66
 	    this idea.
 
 	    Fix crash on startup on Solaris 11. Regression probably
-	    introduced in 2.61.  Thanks to Geoff Johnstone for the patch.
+	    introduced in 2.61.  Thanks to Geoff Johnstone for the
+	    patch.
+
+	    Add code to make behaviour for TCP DNS requests that same
+	    as for UDP requests, when a request arrives for an allowed 
+	    address, but via a banned interface. This change is only
+	    active on Linux, since the relevant API is missing (AFAIK)
+	    on other platforms. Many thanks to Tomas Hozza for
+	    spotting the problem, and doing invaluable discovery of
+	    the obscure and undocumented API required for the solution.
   
 
 version 2.65

src/dnsmasq.c

@@ -1337,7 +1337,7 @@ static void check_dns_listeners(fd_set *set, time_t now)
 
       if (listener->tcpfd != -1 && FD_ISSET(listener->tcpfd, set))
 	{
-	  int confd;
+	  int confd, client_ok = 1;
 	  struct irec *iface = NULL;
 	  pid_t p;
 	  union mysockaddr tcp_addr;
@@ -1349,24 +1349,48 @@ static void check_dns_listeners(fd_set *set, time_t now)
 	      getsockname(confd, (struct sockaddr *)&tcp_addr, &tcp_len) == -1)
 	    continue;
 
-	  if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND))
+	   if (option_bool(OPT_NOWILD))
 	    iface = listener->iface; /* May be NULL */
-	  else
-	    {
-	      /* Check for allowed interfaces when binding the wildcard address:
-		 we do this by looking for an interface with the same address as 
-		 the local address of the TCP connection, then looking to see if that's
-		 an allowed interface. As a side effect, we get the netmask of the
-		 interface too, for localisation. */
+	   else 
+	     {
+	       int if_index;
 
-	      /* interface may be new since startup */
-	      if (enumerate_interfaces())
-		for (iface = daemon->interfaces; iface; iface = iface->next)
-		  if (sockaddr_isequal(&iface->addr, &tcp_addr))
-		    break;
-	    }
+	       /* In full wildcard mode, need to refresh interface list.
+		  This happens automagically in CLEVERBIND */
+	        if (!option_bool(OPT_CLEVERBIND))
+		  enumerate_interfaces();
 
-	  if (!iface && !(option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND)))
+		/* if we can find the arrival interface, check it's one that's allowed */
+		if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0)
+		 {
+		   for (iface = daemon->interfaces; iface; iface = iface->next)
+		     if (iface->index == if_index)
+		       break;
+		   
+		   if (!iface)
+		     client_ok = 0;
+		 }
+	       
+	       if (option_bool(OPT_CLEVERBIND))
+		 iface = listener->iface; /* May be NULL */
+	       else
+		 {
+		   /* Check for allowed interfaces when binding the wildcard address:
+		      we do this by looking for an interface with the same address as 
+		      the local address of the TCP connection, then looking to see if that's
+		      an allowed interface. As a side effect, we get the netmask of the
+		      interface too, for localisation. */
+		   
+		   for (iface = daemon->interfaces; iface; iface = iface->next)
+		     if (sockaddr_isequal(&iface->addr, &tcp_addr))
+		       break;
+		   
+		   if (!iface)
+		     client_ok = 0;
+		 }
+	     }
+	  	  
+	  if (!client_ok)
 	    {
 	      shutdown(confd, SHUT_RDWR);
 	      close(confd);

src/dnsmasq.h

@@ -1003,6 +1003,7 @@ void create_bound_listeners(int die);
 int is_dad_listeners(void);
 int iface_check(int family, struct all_addr *addr, char *name, int *auth_dns);
 int fix_fd(int fd);
+int tcp_interface(int fd, int af);
 struct in_addr get_ifaddr(char *intr);
 #ifdef HAVE_IPV6
 int set_ipv6pktinfo(int fd);

src/network.c

@@ -460,6 +460,77 @@ int set_ipv6pktinfo(int fd)
 }
 #endif
 
+
+/* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
+int tcp_interface(int fd, int af)
+{ 
+  int if_index = 0;
+
+#ifdef HAVE_LINUX_NETWORK
+  int opt = 1;
+  struct cmsghdr *cmptr;
+  struct msghdr msg;
+  
+  /* use mshdr do that the CMSDG_* macros are available */
+  msg.msg_control = daemon->packet;
+  msg.msg_controllen = daemon->packet_buff_sz;
+  
+  /* we overwrote the buffer... */
+  daemon->srv_save = NULL;
+  
+  if (af == AF_INET)
+    {
+      if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 &&
+	  getsockopt(fd, IPPROTO_IP, IP_PKTOPTIONS, msg.msg_control, (socklen_t *)&msg.msg_controllen) != -1)
+	for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+	  if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
+            {
+              union {
+                unsigned char *c;
+                struct in_pktinfo *p;
+              } p;
+	      
+	      p.c = CMSG_DATA(cmptr);
+	      if_index = p.p->ipi_ifindex;
+	    }
+    }
+#ifdef HAVE_IPV6
+  else
+    {
+      /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
+	 it was removed in RFC-3542 !!!! 
+
+	 Fortunately, Linux kept the 2292 ABI when it moved to 3542. The following code always
+	 uses the old ABI, and should work with pre- and post-3542 kernel headers */
+
+#ifdef IPV6_2292PKTOPTIONS   
+#  define PKTOPTIONS IPV6_2292PKTOPTIONS
+#else
+#  define PKTOPTIONS IPV6_PKTOPTIONS
+#endif
+
+      if (set_ipv6pktinfo(fd) &&
+	  getsockopt(fd, IPPROTO_IPV6, PKTOPTIONS, msg.msg_control, (socklen_t *)&msg.msg_controllen) != -1)
+	{
+          for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
+            if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
+              {
+                union {
+                  unsigned char *c;
+                  struct in6_pktinfo *p;
+                } p;
+                p.c = CMSG_DATA(cmptr);
+		
+		if_index = p.p->ipi6_ifindex;
+              }
+	}
+    }
+#endif /* IPV6 */
+#endif /* Linux */
+ 
+  return if_index;
+}
+      
 static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, int dienow)
 {
   struct listener *l = NULL;