Merge branch 'master' into dnssec

Conflicts: src/dnsmasq.h src/forward.c src/option.c
2025-12-19 18:28:25 +00:00 · 2013-10-25 13:13:11 +01:00
parent 687bac22db eec5c1e21c
commit 5a4120dbfb
48 changed files with 7716 additions and 5766 deletions
--- a/src/forward.c
+++ b/src/forward.c
@@ -284,6 +284,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 	  forward->fd = udpfd;
 	  forward->crc = crc;
 	  forward->forwardall = 0;
+	  forward->flags = 0;
 	  if (norebind)
 	    forward->flags |= FREC_NOREBIND;
 	  if (header->hb4 & HB4_CD)
@@ -331,6 +332,16 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
      if (option_bool(OPT_ADD_MAC))
 	plen = add_mac(header, plen, ((char *) header) + PACKETSZ, &forward->source);
      
+      if (option_bool(OPT_CLIENT_SUBNET))
+	{
+	  size_t new = add_source_addr(header, plen, ((char *) header) + PACKETSZ, &forward->source); 
+	  if (new != plen)
+	    {
+	      plen = new;
+	      forward->flags |= FREC_HAS_SUBNET;
+	    }
+	}
+
      while (1)
 	{ 
 	  /* only send to servers dealing with our domain.
@@ -435,8 +446,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
  return 0;
 }

-static size_t process_reply(struct dns_header *header, time_t now, 
-			    struct server *server, size_t n, int check_rebind, int checking_disabled)
+static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, 
+			    int checking_disabled, int check_subnet, union mysockaddr *query_source)
 {
  unsigned char *pheader, *sizep;
  char **sets = 0;
@@ -465,15 +476,25 @@ static size_t process_reply(struct dns_header *header, time_t now,
     than we allow, trim it so that we don't get overlarge
     requests for the client. We can't do this for signed packets. */

-  if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
+  if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
    {
-      unsigned short udpsz;
-      unsigned char *psave = sizep;
+      if (!is_sign)
+	{
+	  unsigned short udpsz;
+	  unsigned char *psave = sizep;
+	  
+	  GETSHORT(udpsz, sizep);
+	  if (udpsz > daemon->edns_pktsz)
+	    PUTSHORT(daemon->edns_pktsz, psave);
+	}
      
-      GETSHORT(udpsz, sizep);
-      if (udpsz > daemon->edns_pktsz)
-	PUTSHORT(daemon->edns_pktsz, psave);
+      if (check_subnet && !check_source(header, plen, pheader, query_source))
+	{
+	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+	  return 0;
+	}
    }
+      

  /* RFC 4035 sect 4.6 para 3 */
  if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
@@ -637,7 +658,8 @@ void reply_query(int fd, int family, time_t now)
      if (!option_bool(OPT_NO_REBIND))
 	check_rebind = 0;
      
-      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED)))
+      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED,
+			      forward->flags & FREC_HAS_SUBNET, &forward->source)))
 	{
 	  header->id = htons(forward->orig_id);
 	  header->hb4 |= HB4_RA; /* recursion if available */
@@ -659,7 +681,7 @@ void receive_query(struct listener *listen, time_t now)
  size_t m;
  ssize_t n;
  int if_index = 0;
-  int auth_dns = 0;
+  int local_auth = 0, auth_dns = 0;
  struct iovec iov[1];
  struct msghdr msg;
  struct cmsghdr *cmptr;
@@ -831,6 +853,9 @@ void receive_query(struct listener *listen, time_t now)
  if (extract_request(header, (size_t)n, daemon->namebuff, &type))
    {
      char types[20];
+#ifdef HAVE_AUTH
+      struct auth_zone *zone;
+#endif

      querystr(auth_dns ? "auth" : "query", types, type);

@@ -842,15 +867,30 @@ void receive_query(struct listener *listen, time_t now)
 	log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, 
 		  (struct all_addr *)&source_addr.in6.sin6_addr, types);
 #endif
-    }

+#ifdef HAVE_AUTH
+      /* find queries for zones we're authoritative for, and answer them directly */
+      if (!auth_dns)
+	for (zone = daemon->auth_zones; zone; zone = zone->next)
+	  if (in_zone(zone, daemon->namebuff, NULL))
+	    {
+	      auth_dns = 1;
+	      local_auth = 1;
+	      break;
+	    }
+#endif
+    }
+  
 #ifdef HAVE_AUTH
  if (auth_dns)
    {
-      m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
+      m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr, local_auth);
      if (m >= 1)
-	send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
-		  (char *)header, m, &source_addr, &dst_addr, if_index);
+	{
+	  send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
+		    (char *)header, m, &source_addr, &dst_addr, if_index);
+	  daemon->auth_answer++;
+	}
    }
  else
 #endif
@@ -881,7 +921,8 @@ unsigned char *tcp_request(int confd, time_t now,
 {
  size_t size = 0;
  int norebind = 0;
-  int checking_disabled;
+  int local_auth = 0;
+  int checking_disabled, check_subnet;
  size_t m;
  unsigned short qtype;
  unsigned int gotname;
@@ -911,6 +952,8 @@ unsigned char *tcp_request(int confd, time_t now,
      if (size < (int)sizeof(struct dns_header))
 	continue;
      
+      check_subnet = 0;
+
      /* save state of "cd" flag in query */
      checking_disabled = header->hb4 & HB4_CD;
       
@@ -920,7 +963,9 @@ unsigned char *tcp_request(int confd, time_t now,
      if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
 	{
 	  char types[20];
-	  
+#ifdef HAVE_AUTH
+	  struct auth_zone *zone;
+#endif
 	  querystr(auth_dns ? "auth" : "query", types, qtype);
 	  
 	  if (peer_addr.sa.sa_family == AF_INET) 
@@ -931,6 +976,18 @@ unsigned char *tcp_request(int confd, time_t now,
 	    log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, 
 		      (struct all_addr *)&peer_addr.in6.sin6_addr, types);
 #endif
+	  
+#ifdef HAVE_AUTH
+	  /* find queries for zones we're authoritative for, and answer them directly */
+	  if (!auth_dns)
+	    for (zone = daemon->auth_zones; zone; zone = zone->next)
+	      if (in_zone(zone, daemon->namebuff, NULL))
+		{
+		  auth_dns = 1;
+		  local_auth = 1;
+		  break;
+		}
+#endif
 	}
      
      if (local_addr->sa.sa_family == AF_INET)
@@ -940,7 +997,7 @@ unsigned char *tcp_request(int confd, time_t now,
      
 #ifdef HAVE_AUTH
      if (auth_dns)
-	m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
+	m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
      else
 #endif
 	{
@@ -960,7 +1017,17 @@ unsigned char *tcp_request(int confd, time_t now,
 	      
 	      if (option_bool(OPT_ADD_MAC))
 		size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
-	      
+	      	
+	      if (option_bool(OPT_CLIENT_SUBNET))
+		{
+		  size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
+		  if (size != new)
+		    {
+		      size = new;
+		      check_subnet = 1;
+		    }
+		}
+
 	      if (gotname)
 		flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
 	      
@@ -1061,7 +1128,8 @@ unsigned char *tcp_request(int confd, time_t now,
 			 sending replies containing questions and bogus answers. */
 		      if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
 			m = process_reply(header, now, last_server, (unsigned int)m, 
-					  option_bool(OPT_NO_REBIND) && !norebind, checking_disabled);
+					  option_bool(OPT_NO_REBIND) && !norebind, checking_disabled,
+					  check_subnet, &peer_addr);
 		      
 		      break;
 		    }