mirror of
https://github.com/pi-hole/dnsmasq.git
synced 2025-12-19 02:08:24 +00:00
Don't accept queries arriving on alias interface if configured not to do this.
Signed-off-by: DL6ER <dl6er@dl6er.de>
@@ -949,8 +949,6 @@ int main (int argc, char **argv)
|
||||
|
||||
if (option_bool(OPT_NOWILD))
|
||||
warn_bound_listeners();
|
||||
else if (!option_bool(OPT_CLEVERBIND))
|
||||
warn_wild_labels();
|
||||
|
||||
warn_int_names();
|
||||
|
||||
|
||||
@@ -1463,12 +1463,11 @@ int enumerate_interfaces(int reset);
|
||||
void create_wildcard_listeners(void);
|
||||
void create_bound_listeners(int dienow);
|
||||
void warn_bound_listeners(void);
|
||||
void warn_wild_labels(void);
|
||||
void warn_int_names(void);
|
||||
int is_dad_listeners(void);
|
||||
int iface_check(int family, union all_addr *addr, char *name, int *auth);
|
||||
int loopback_exception(int fd, int family, union all_addr *addr, char *name);
|
||||
int label_exception(int index, int family, union all_addr *addr);
|
||||
int label_match(int index, int family, union all_addr *addr);
|
||||
int fix_fd(int fd);
|
||||
int tcp_interface(int fd, int af);
|
||||
int set_ipv6pktinfo(int fd);
|
||||
|
||||
@@ -1497,12 +1497,18 @@ void receive_query(struct listener *listen, time_t now)
|
||||
if (!indextoname(listen->fd, if_index, ifr.ifr_name))
|
||||
return;
|
||||
|
||||
if (!iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns))
|
||||
if (!option_bool(OPT_CLEVERBIND))
|
||||
enumerate_interfaces(0);
|
||||
/* interface=eth0 and query over eth0 -> ifchk = 1, label = 1 - ACCEPTED */
|
||||
/* interface=eth0 and query over eth0:0 -> ifchk = 1, label = 0 - REJECTED */
|
||||
/* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 1 - ACCEPTED */
|
||||
/* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 0 - REJECTED */
|
||||
/* If the interace is not IPv4, label_match return 2 and we use iface_check */
|
||||
const int label = label_match(if_index, family, &dst_addr);
|
||||
const int ifchk = iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns);
|
||||
if (label == 0 || (label == 2 && !ifchk))
|
||||
{
|
||||
if (!option_bool(OPT_CLEVERBIND))
|
||||
enumerate_interfaces(0);
|
||||
if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name) &&
|
||||
!label_exception(if_index, family, &dst_addr))
|
||||
if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name))
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
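Review bot: `enumerate_interfaces(0)` now runs before `label_match()` on every received query when OPT_CLEVERBIND is off, whereas the old code reached it only after `iface_check()` had already failed, and its return value is still discarded. If enumeration fails, `label_match()` would presumably decide on a stale `daemon->interfaces` list, and the cost of a full enumeration (not visible in this hunk) is now paid per packet for any sender. Consider checking the result and failing closed, e.g. `if (!option_bool(OPT_CLEVERBIND) && !enumerate_interfaces(0)) return;`, assuming a zero return signals failure. Separately, the third and fourth rows of the comment table state the same premise (`interface=eth0:0 and query over eth0:0`) with opposite outcomes, so one of them needs its premise corrected before the table can serve as the specification of this filter. The body of receive_query starts and ends outside the hunk.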
@@ -207,13 +207,13 @@ int loopback_exception(int fd, int family, union all_addr *addr, char *name)
|
||||
on the relevant address, but the name of the arrival interface, derived from the
|
||||
index won't match the config. Check that we found an interface address for the arrival
|
||||
interface: daemon->interfaces must be up-to-date. */
|
||||
int label_exception(int index, int family, union all_addr *addr)
|
||||
int label_match(int index, int family, union all_addr *addr)
|
||||
{
|
||||
struct irec *iface;
|
||||
|
||||
/* labels only supported on IPv4 addresses. */
|
||||
if (family != AF_INET)
|
||||
return 0;
|
||||
return 2;
|
||||
|
||||
for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
if (iface->index == index && iface->addr.sa.sa_family == AF_INET &&
|
||||
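Review bot: The renamed `label_match()` now returns three values, but the block comment kept above it still describes only the old exception check and nothing names the new `2` returned for `family != AF_INET`. Callers depend on the distinction (`label == 2` falls back to `iface_check()`, while `!label` rejects), so a bare magic number is easy to misuse in a filter decision. I would extend the comment with the return contract, e.g. `/* Returns 2 when family is not AF_INET (labels do not apply; caller must use iface_check()), otherwise non-zero only if an interface address for the arrival interface was found. */`, or introduce named constants for the three results. The loop that produces the other return values continues past the end of this hunk, so the wording for 0 and 1 should be checked against it.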
@@ -1215,15 +1215,6 @@ void warn_bound_listeners(void)
|
||||
my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)"));
|
||||
}
|
||||
|
||||
void warn_wild_labels(void)
|
||||
{
|
||||
struct irec *iface;
|
||||
|
||||
for (iface = daemon->interfaces; iface; iface = iface->next)
|
||||
if (iface->found && iface->name && iface->label)
|
||||
my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
|
||||
}
|
||||
|
||||
void warn_int_names(void)
|
||||
{
|
||||
struct interface_name *intname;
|
||||
|
||||
11
src/tftp.c
11
src/tftp.c
@@ -211,13 +211,14 @@ void tftp_request(struct listener *listen, time_t now)
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!option_bool(OPT_CLEVERBIND))
|
||||
enumerate_interfaces(0);
|
||||
/* Do the same as DHCP */
|
||||
if (!iface_check(family, &addra, name, NULL))
|
||||
const int label = label_match(if_index, family, &addra);
|
||||
const int ifchk = iface_check(family, &addra, name, NULL);
|
||||
if (!label || (label == 2 && ifchk))
|
||||
{
|
||||
if (!option_bool(OPT_CLEVERBIND))
|
||||
enumerate_interfaces(0);
|
||||
if (!loopback_exception(listen->tftpfd, family, &addra, name) &&
|
||||
!label_exception(if_index, family, &addra))
|
||||
if (!loopback_exception(listen->tftpfd, family, &addra, name))
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
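Review bot: The new test `if (!label || (label == 2 && ifchk))` uses `ifchk` without negation, while the equivalent test added to receive_query in this commit is `label == 0 || (label == 2 && !ifchk)`. Since `label_match()` returns 2 for any non-AF_INET family, a non-IPv4 TFTP request on an interface that `iface_check()` accepts now enters the branch that returns unless `loopback_exception()` applies, and one on an interface that `iface_check()` refuses skips that branch entirely. That looks inverted relative to the removed `if (!iface_check(family, &addra, name, NULL))`; I would change the line to `if (label == 0 || (label == 2 && !ifchk))`. tftp_request begins and ends outside this hunk, so later checks on the request path are not visible here.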