2 * services/listen_dnsport.c - listen on port 53 for incoming DNS queries.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file has functions to get queries from clients.
42 #ifdef HAVE_SYS_TYPES_H
43 # include <sys/types.h>
46 #ifdef USE_TCP_FASTOPEN
47 #include <netinet/tcp.h>
49 #include "services/listen_dnsport.h"
50 #include "services/outside_network.h"
51 #include "util/netevent.h"
53 #include "util/config_file.h"
54 #include "util/net_help.h"
55 #include "sldns/sbuffer.h"
67 #include <systemd/sd-daemon.h>
70 /** number of queued TCP connections for listen() */
71 #define TCP_BACKLOG 256
74 * Debug print of the getaddrinfo returned address.
75 * @param addr: the address returned.
78 verbose_print_addr(struct addrinfo *addr)
80 if(verbosity >= VERB_ALGO) {
82 void* sinaddr = &((struct sockaddr_in*)addr->ai_addr)->sin_addr;
84 if(addr->ai_family == AF_INET6)
85 sinaddr = &((struct sockaddr_in6*)addr->ai_addr)->
88 if(inet_ntop(addr->ai_family, sinaddr, buf,
89 (socklen_t)sizeof(buf)) == 0) {
90 (void)strlcpy(buf, "(null)", sizeof(buf));
92 buf[sizeof(buf)-1] = 0;
93 verbose(VERB_ALGO, "creating %s%s socket %s %d",
94 addr->ai_socktype==SOCK_DGRAM?"udp":
95 addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto",
96 addr->ai_family==AF_INET?"4":
97 addr->ai_family==AF_INET6?"6":
99 ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port));
105 systemd_get_activated(int family, int socktype, int listen,
106 struct sockaddr *addr, socklen_t addrlen,
112 const char* listen_pid, *listen_fds;
114 /* We should use "listen" option only for stream protocols. For UDP it should be -1 */
116 if((r = sd_booted()) < 1) {
118 log_warn("systemd is not running");
120 log_err("systemd sd_booted(): %s", strerror(-r));
124 listen_pid = getenv("LISTEN_PID");
125 listen_fds = getenv("LISTEN_FDS");
128 log_warn("Systemd mandatory ENV variable is not defined: LISTEN_PID");
133 log_warn("Systemd mandatory ENV variable is not defined: LISTEN_FDS");
137 if((r = sd_listen_fds(0)) < 1) {
139 log_warn("systemd: did not return socket, check unit configuration");
141 log_err("systemd sd_listen_fds(): %s", strerror(-r));
145 for(i = 0; i < r; i++) {
146 if(sd_is_socket(SD_LISTEN_FDS_START + i, family, socktype, listen)) {
147 s = SD_LISTEN_FDS_START + i;
153 log_err_addr("systemd sd_listen_fds()",
155 (struct sockaddr_storage *)addr, addrlen);
157 log_err("systemd sd_listen_fds(): %s", path);
164 create_udp_sock(int family, int socktype, struct sockaddr* addr,
165 socklen_t addrlen, int v6only, int* inuse, int* noproto,
166 int rcv, int snd, int listen, int* reuseport, int transparent,
167 int freebind, int use_systemd)
170 #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined (SO_BINDANY)
174 int mtu = IPV6_MIN_MTU;
176 #if !defined(SO_RCVBUFFORCE) && !defined(SO_RCVBUF)
179 #if !defined(SO_SNDBUFFORCE) && !defined(SO_SNDBUF)
185 #if !defined(IP_TRANSPARENT) && !defined(IP_BINDANY) && !defined(SO_BINDANY)
188 #if !defined(IP_FREEBIND)
192 int got_fd_from_systemd = 0;
196 && (s = systemd_get_activated(family, socktype, -1, addr,
197 addrlen, NULL)) == -1)) {
201 if((s = socket(family, socktype, 0)) == -1) {
204 if(errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) {
208 log_err("can't create socket: %s", strerror(errno));
210 if(WSAGetLastError() == WSAEAFNOSUPPORT ||
211 WSAGetLastError() == WSAEPROTONOSUPPORT) {
215 log_err("can't create socket: %s",
216 wsa_strerror(WSAGetLastError()));
223 got_fd_from_systemd = 1;
228 if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
229 (socklen_t)sizeof(on)) < 0) {
231 log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
233 if(errno != ENOSYS) {
240 log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
241 wsa_strerror(WSAGetLastError()));
248 #endif /* SO_REUSEADDR */
250 /* try to set SO_REUSEPORT so that incoming
251 * queries are distributed evenly among the receiving threads.
252 * Each thread must have its own socket bound to the same port,
253 * with SO_REUSEPORT set on each socket.
255 if (reuseport && *reuseport &&
256 setsockopt(s, SOL_SOCKET, SO_REUSEPORT, (void*)&on,
257 (socklen_t)sizeof(on)) < 0) {
259 if(errno != ENOPROTOOPT || verbosity >= 3)
260 log_warn("setsockopt(.. SO_REUSEPORT ..) failed: %s",
263 /* this option is not essential, we can continue */
268 #endif /* defined(SO_REUSEPORT) */
269 #ifdef IP_TRANSPARENT
271 setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
272 (socklen_t)sizeof(on)) < 0) {
273 log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
276 #elif defined(IP_BINDANY)
278 setsockopt(s, (family==AF_INET6? IPPROTO_IPV6:IPPROTO_IP),
279 (family == AF_INET6? IPV6_BINDANY:IP_BINDANY),
280 (void*)&on, (socklen_t)sizeof(on)) < 0) {
281 log_warn("setsockopt(.. IP%s_BINDANY ..) failed: %s",
282 (family==AF_INET6?"V6":""), strerror(errno));
284 #elif defined(SO_BINDANY)
286 setsockopt(s, SOL_SOCKET, SO_BINDANY, (void*)&on,
287 (socklen_t)sizeof(on)) < 0) {
288 log_warn("setsockopt(.. SO_BINDANY ..) failed: %s",
291 #endif /* IP_TRANSPARENT || IP_BINDANY || SO_BINDANY */
295 setsockopt(s, IPPROTO_IP, IP_FREEBIND, (void*)&on,
296 (socklen_t)sizeof(on)) < 0) {
297 log_warn("setsockopt(.. IP_FREEBIND ..) failed: %s",
300 #endif /* IP_FREEBIND */
304 socklen_t slen = (socklen_t)sizeof(got);
305 # ifdef SO_RCVBUFFORCE
306 /* Linux specific: try to use root permission to override
307 * system limits on rcvbuf. The limit is stored in
308 * /proc/sys/net/core/rmem_max or sysctl net.core.rmem_max */
309 if(setsockopt(s, SOL_SOCKET, SO_RCVBUFFORCE, (void*)&rcv,
310 (socklen_t)sizeof(rcv)) < 0) {
313 log_err("setsockopt(..., SO_RCVBUFFORCE, "
314 "...) failed: %s", strerror(errno));
317 log_err("setsockopt(..., SO_RCVBUFFORCE, "
319 wsa_strerror(WSAGetLastError()));
326 # endif /* SO_RCVBUFFORCE */
327 if(setsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&rcv,
328 (socklen_t)sizeof(rcv)) < 0) {
330 log_err("setsockopt(..., SO_RCVBUF, "
331 "...) failed: %s", strerror(errno));
334 log_err("setsockopt(..., SO_RCVBUF, "
336 wsa_strerror(WSAGetLastError()));
343 /* check if we got the right thing or if system
344 * reduced to some system max. Warn if so */
345 if(getsockopt(s, SOL_SOCKET, SO_RCVBUF, (void*)&got,
346 &slen) >= 0 && got < rcv/2) {
347 log_warn("so-rcvbuf %u was not granted. "
348 "Got %u. To fix: start with "
349 "root permissions(linux) or sysctl "
350 "bigger net.core.rmem_max(linux) or "
351 "kern.ipc.maxsockbuf(bsd) values.",
352 (unsigned)rcv, (unsigned)got);
354 # ifdef SO_RCVBUFFORCE
357 #endif /* SO_RCVBUF */
359 /* first do RCVBUF as the receive buffer is more important */
363 socklen_t slen = (socklen_t)sizeof(got);
364 # ifdef SO_SNDBUFFORCE
365 /* Linux specific: try to use root permission to override
366 * system limits on sndbuf. The limit is stored in
367 * /proc/sys/net/core/wmem_max or sysctl net.core.wmem_max */
368 if(setsockopt(s, SOL_SOCKET, SO_SNDBUFFORCE, (void*)&snd,
369 (socklen_t)sizeof(snd)) < 0) {
372 log_err("setsockopt(..., SO_SNDBUFFORCE, "
373 "...) failed: %s", strerror(errno));
376 log_err("setsockopt(..., SO_SNDBUFFORCE, "
378 wsa_strerror(WSAGetLastError()));
385 # endif /* SO_SNDBUFFORCE */
386 if(setsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&snd,
387 (socklen_t)sizeof(snd)) < 0) {
389 log_err("setsockopt(..., SO_SNDBUF, "
390 "...) failed: %s", strerror(errno));
393 log_err("setsockopt(..., SO_SNDBUF, "
395 wsa_strerror(WSAGetLastError()));
402 /* check if we got the right thing or if system
403 * reduced to some system max. Warn if so */
404 if(getsockopt(s, SOL_SOCKET, SO_SNDBUF, (void*)&got,
405 &slen) >= 0 && got < snd/2) {
406 log_warn("so-sndbuf %u was not granted. "
407 "Got %u. To fix: start with "
408 "root permissions(linux) or sysctl "
409 "bigger net.core.wmem_max(linux) or "
410 "kern.ipc.maxsockbuf(bsd) values.",
411 (unsigned)snd, (unsigned)got);
413 # ifdef SO_SNDBUFFORCE
416 #endif /* SO_SNDBUF */
418 if(family == AF_INET6) {
419 # if defined(IPV6_V6ONLY)
421 int val=(v6only==2)?0:1;
422 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
423 (void*)&val, (socklen_t)sizeof(val)) < 0) {
425 log_err("setsockopt(..., IPV6_V6ONLY"
426 ", ...) failed: %s", strerror(errno));
429 log_err("setsockopt(..., IPV6_V6ONLY"
431 wsa_strerror(WSAGetLastError()));
440 # if defined(IPV6_USE_MIN_MTU)
442 * There is no fragmentation of IPv6 datagrams
443 * during forwarding in the network. Therefore
444 * we do not send UDP datagrams larger than
445 * the minimum IPv6 MTU of 1280 octets. The
446 * EDNS0 message length can be larger if the
447 * network stack supports IPV6_USE_MIN_MTU.
449 if (setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
450 (void*)&on, (socklen_t)sizeof(on)) < 0) {
452 log_err("setsockopt(..., IPV6_USE_MIN_MTU, "
453 "...) failed: %s", strerror(errno));
456 log_err("setsockopt(..., IPV6_USE_MIN_MTU, "
458 wsa_strerror(WSAGetLastError()));
465 # elif defined(IPV6_MTU)
467 * On Linux, to send no larger than 1280, the PMTUD is
468 * disabled by default for datagrams anyway, so we set
471 if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU,
472 (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) {
474 log_err("setsockopt(..., IPV6_MTU, ...) failed: %s",
478 log_err("setsockopt(..., IPV6_MTU, ...) failed: %s",
479 wsa_strerror(WSAGetLastError()));
486 # endif /* IPv6 MTU */
487 } else if(family == AF_INET) {
488 # if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
489 /* linux 3.15 has IP_PMTUDISC_OMIT, Hannes Frederic Sowa made it so that
490 * PMTU information is not accepted, but fragmentation is allowed
491 * if and only if the packet size exceeds the outgoing interface MTU
492 * (and also uses the interface mtu to determine the size of the packets).
493 * So there won't be any EMSGSIZE error. Against DNS fragmentation attacks.
494 * FreeBSD already has same semantics without setting the option. */
497 # if defined(IP_PMTUDISC_OMIT)
498 action = IP_PMTUDISC_OMIT;
499 if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
500 &action, (socklen_t)sizeof(action)) < 0) {
502 if (errno != EINVAL) {
503 log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_OMIT...) failed: %s",
522 action = IP_PMTUDISC_DONT;
523 if (setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER,
524 &action, (socklen_t)sizeof(action)) < 0) {
525 log_err("setsockopt(..., IP_MTU_DISCOVER, IP_PMTUDISC_DONT...) failed: %s",
537 # elif defined(IP_DONTFRAG)
539 if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
540 &off, (socklen_t)sizeof(off)) < 0) {
541 log_err("setsockopt(..., IP_DONTFRAG, ...) failed: %s",
552 # endif /* IPv4 MTU */
556 !got_fd_from_systemd &&
558 bind(s, (struct sockaddr*)addr, addrlen) != 0) {
563 *inuse = (errno == EADDRINUSE);
564 /* detect freebsd jail with no ipv6 permission */
565 if(family==AF_INET6 && errno==EINVAL)
567 else if(errno != EADDRINUSE &&
568 !(errno == EACCES && verbosity < 4 && !listen)) {
569 log_err_addr("can't bind socket", strerror(errno),
570 (struct sockaddr_storage*)addr, addrlen);
572 #endif /* EADDRINUSE */
574 #else /* USE_WINSOCK */
575 if(WSAGetLastError() != WSAEADDRINUSE &&
576 WSAGetLastError() != WSAEADDRNOTAVAIL &&
577 !(WSAGetLastError() == WSAEACCES && verbosity < 4 && !listen)) {
578 log_err_addr("can't bind socket",
579 wsa_strerror(WSAGetLastError()),
580 (struct sockaddr_storage*)addr, addrlen);
583 #endif /* USE_WINSOCK */
586 if(!fd_set_nonblock(s)) {
600 create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
601 int* reuseport, int transparent, int mss, int freebind, int use_systemd)
604 #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined(SO_BINDANY)
608 int got_fd_from_systemd = 0;
610 #ifdef USE_TCP_FASTOPEN
613 #if !defined(IP_TRANSPARENT) && !defined(IP_BINDANY) && !defined(SO_BINDANY)
616 #if !defined(IP_FREEBIND)
619 verbose_print_addr(addr);
624 && (s = systemd_get_activated(addr->ai_family, addr->ai_socktype, 1,
625 addr->ai_addr, addr->ai_addrlen,
630 if((s = socket(addr->ai_family, addr->ai_socktype, 0)) == -1) {
632 if(errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT) {
636 log_err("can't create socket: %s", strerror(errno));
638 if(WSAGetLastError() == WSAEAFNOSUPPORT ||
639 WSAGetLastError() == WSAEPROTONOSUPPORT) {
643 log_err("can't create socket: %s",
644 wsa_strerror(WSAGetLastError()));
649 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
650 if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG, (void*)&mss,
651 (socklen_t)sizeof(mss)) < 0) {
653 log_err(" setsockopt(.. TCP_MAXSEG ..) failed: %s",
656 log_err(" setsockopt(.. TCP_MAXSEG ..) failed: %s",
657 wsa_strerror(WSAGetLastError()));
661 " tcp socket mss set to %d", mss);
664 log_warn(" setsockopt(TCP_MAXSEG) unsupported");
665 #endif /* defined(IPPROTO_TCP) && defined(TCP_MAXSEG) */
669 got_fd_from_systemd = 1;
673 if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
674 (socklen_t)sizeof(on)) < 0) {
676 log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
680 log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
681 wsa_strerror(WSAGetLastError()));
686 #endif /* SO_REUSEADDR */
688 if (freebind && setsockopt(s, IPPROTO_IP, IP_FREEBIND, (void*)&on,
689 (socklen_t)sizeof(on)) < 0) {
690 log_warn("setsockopt(.. IP_FREEBIND ..) failed: %s",
693 #endif /* IP_FREEBIND */
695 /* try to set SO_REUSEPORT so that incoming
696 * connections are distributed evenly among the receiving threads.
697 * Each thread must have its own socket bound to the same port,
698 * with SO_REUSEPORT set on each socket.
700 if (reuseport && *reuseport &&
701 setsockopt(s, SOL_SOCKET, SO_REUSEPORT, (void*)&on,
702 (socklen_t)sizeof(on)) < 0) {
704 if(errno != ENOPROTOOPT || verbosity >= 3)
705 log_warn("setsockopt(.. SO_REUSEPORT ..) failed: %s",
708 /* this option is not essential, we can continue */
713 #endif /* defined(SO_REUSEPORT) */
714 #if defined(IPV6_V6ONLY)
715 if(addr->ai_family == AF_INET6 && v6only) {
716 if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
717 (void*)&on, (socklen_t)sizeof(on)) < 0) {
719 log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
723 log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
724 wsa_strerror(WSAGetLastError()));
732 #endif /* IPV6_V6ONLY */
733 #ifdef IP_TRANSPARENT
735 setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
736 (socklen_t)sizeof(on)) < 0) {
737 log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
740 #elif defined(IP_BINDANY)
742 setsockopt(s, (addr->ai_family==AF_INET6? IPPROTO_IPV6:IPPROTO_IP),
743 (addr->ai_family == AF_INET6? IPV6_BINDANY:IP_BINDANY),
744 (void*)&on, (socklen_t)sizeof(on)) < 0) {
745 log_warn("setsockopt(.. IP%s_BINDANY ..) failed: %s",
746 (addr->ai_family==AF_INET6?"V6":""), strerror(errno));
748 #elif defined(SO_BINDANY)
750 setsockopt(s, SOL_SOCKET, SO_BINDANY, (void*)&on, (socklen_t)
752 log_warn("setsockopt(.. SO_BINDANY ..) failed: %s",
755 #endif /* IP_TRANSPARENT || IP_BINDANY || SO_BINDANY */
758 !got_fd_from_systemd &&
760 bind(s, addr->ai_addr, addr->ai_addrlen) != 0) {
762 /* detect freebsd jail with no ipv6 permission */
763 if(addr->ai_family==AF_INET6 && errno==EINVAL)
766 log_err_addr("can't bind socket", strerror(errno),
767 (struct sockaddr_storage*)addr->ai_addr,
772 log_err_addr("can't bind socket",
773 wsa_strerror(WSAGetLastError()),
774 (struct sockaddr_storage*)addr->ai_addr,
780 if(!fd_set_nonblock(s)) {
788 if(listen(s, TCP_BACKLOG) == -1) {
790 log_err("can't listen: %s", strerror(errno));
793 log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
798 #ifdef USE_TCP_FASTOPEN
799 /* qlen specifies how many outstanding TFO requests to allow. Limit is a defense
800 against IP spoofing attacks as suggested in RFC7413 */
802 /* OS X implementation only supports qlen of 1 via this call. Actual
803 value is configured by the net.inet.tcp.fastopen_backlog kernel parm. */
806 /* 5 is recommended on linux */
809 if ((setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN, &qlen,
810 sizeof(qlen))) == -1 ) {
812 /* squelch ENOPROTOOPT: freebsd server mode with kernel support
813 disabled, except when verbosity enabled for debugging */
814 if(errno != ENOPROTOOPT || verbosity >= 3)
816 log_err("Setting TCP Fast Open as server failed: %s", strerror(errno));
823 create_local_accept_sock(const char *path, int* noproto, int use_systemd)
828 if (use_systemd && (ret = systemd_get_activated(AF_LOCAL, SOCK_STREAM, 1, NULL, 0, path)) != -1)
834 struct sockaddr_un usock;
839 verbose(VERB_ALGO, "creating unix socket %s", path);
840 #ifdef HAVE_STRUCT_SOCKADDR_UN_SUN_LEN
841 /* this member exists on BSDs, not Linux */
842 usock.sun_len = (unsigned)sizeof(usock);
844 usock.sun_family = AF_LOCAL;
845 /* length is 92-108, 104 on FreeBSD */
846 (void)strlcpy(usock.sun_path, path, sizeof(usock.sun_path));
848 if ((s = socket(AF_LOCAL, SOCK_STREAM, 0)) == -1) {
849 log_err("Cannot create local socket %s (%s)",
850 path, strerror(errno));
854 if (unlink(path) && errno != ENOENT) {
855 /* The socket already exists and cannot be removed */
856 log_err("Cannot remove old local socket %s (%s)",
857 path, strerror(errno));
861 if (bind(s, (struct sockaddr *)&usock,
862 (socklen_t)sizeof(struct sockaddr_un)) == -1) {
863 log_err("Cannot bind local socket %s (%s)",
864 path, strerror(errno));
868 if (!fd_set_nonblock(s)) {
869 log_err("Cannot set non-blocking mode");
873 if (listen(s, TCP_BACKLOG) == -1) {
874 log_err("can't listen: %s", strerror(errno));
878 (void)noproto; /*unused*/
895 log_err("Local sockets are not supported");
903 * Create socket from getaddrinfo results
906 make_sock(int stype, const char* ifname, const char* port,
907 struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
908 int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd)
910 struct addrinfo *res = NULL;
911 int r, s, inuse, noproto;
912 hints->ai_socktype = stype;
914 if((r=getaddrinfo(ifname, port, hints, &res)) != 0 || !res) {
916 if(r == EAI_NONAME && hints->ai_family == AF_INET6){
917 *noip6 = 1; /* 'Host not found' for IP6 on winXP */
921 log_err("node %s:%s getaddrinfo: %s %s",
922 ifname?ifname:"default", port, gai_strerror(r),
924 r==EAI_SYSTEM?(char*)strerror(errno):""
931 if(stype == SOCK_DGRAM) {
932 verbose_print_addr(res);
933 s = create_udp_sock(res->ai_family, res->ai_socktype,
934 (struct sockaddr*)res->ai_addr, res->ai_addrlen,
935 v6only, &inuse, &noproto, (int)rcv, (int)snd, 1,
936 reuseport, transparent, freebind, use_systemd);
937 if(s == -1 && inuse) {
938 log_err("bind: address already in use");
939 } else if(s == -1 && noproto && hints->ai_family == AF_INET6){
943 s = create_tcp_accept_sock(res, v6only, &noproto, reuseport,
944 transparent, tcp_mss, freebind, use_systemd);
945 if(s == -1 && noproto && hints->ai_family == AF_INET6){
953 /** make socket and first see if ifname contains port override info */
955 make_sock_port(int stype, const char* ifname, const char* port,
956 struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
957 int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd)
959 char* s = strchr(ifname, '@');
961 /* override port with ifspec@port */
964 if((size_t)(s-ifname) >= sizeof(newif)) {
965 log_err("ifname too long: %s", ifname);
969 if(strlen(s+1) >= sizeof(p)) {
970 log_err("portnumber too long: %s", ifname);
974 (void)strlcpy(newif, ifname, sizeof(newif));
976 (void)strlcpy(p, s+1, sizeof(p));
978 return make_sock(stype, newif, p, hints, v6only, noip6,
979 rcv, snd, reuseport, transparent, tcp_mss, freebind, use_systemd);
981 return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd,
982 reuseport, transparent, tcp_mss, freebind, use_systemd);
986 * Add port to open ports list.
987 * @param list: list head. changed.
989 * @param ftype: if fd is UDP.
990 * @return false on failure. list in unchanged then.
993 port_insert(struct listen_port** list, int s, enum listen_type ftype)
995 struct listen_port* item = (struct listen_port*)malloc(
996 sizeof(struct listen_port));
1001 item->ftype = ftype;
1006 /** set fd to receive source address packet info */
1008 set_recvpktinfo(int s, int family)
1010 #if defined(IPV6_RECVPKTINFO) || defined(IPV6_PKTINFO) || (defined(IP_RECVDSTADDR) && defined(IP_SENDSRCADDR)) || defined(IP_PKTINFO)
1015 if(family == AF_INET6) {
1016 # ifdef IPV6_RECVPKTINFO
1017 if(setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO,
1018 (void*)&on, (socklen_t)sizeof(on)) < 0) {
1019 log_err("setsockopt(..., IPV6_RECVPKTINFO, ...) failed: %s",
1023 # elif defined(IPV6_PKTINFO)
1024 if(setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO,
1025 (void*)&on, (socklen_t)sizeof(on)) < 0) {
1026 log_err("setsockopt(..., IPV6_PKTINFO, ...) failed: %s",
1031 log_err("no IPV6_RECVPKTINFO and no IPV6_PKTINFO option, please "
1032 "disable interface-automatic or do-ip6 in config");
1034 # endif /* defined IPV6_RECVPKTINFO */
1036 } else if(family == AF_INET) {
1038 if(setsockopt(s, IPPROTO_IP, IP_PKTINFO,
1039 (void*)&on, (socklen_t)sizeof(on)) < 0) {
1040 log_err("setsockopt(..., IP_PKTINFO, ...) failed: %s",
1044 # elif defined(IP_RECVDSTADDR) && defined(IP_SENDSRCADDR)
1045 if(setsockopt(s, IPPROTO_IP, IP_RECVDSTADDR,
1046 (void*)&on, (socklen_t)sizeof(on)) < 0) {
1047 log_err("setsockopt(..., IP_RECVDSTADDR, ...) failed: %s",
1052 log_err("no IP_SENDSRCADDR or IP_PKTINFO option, please disable "
1053 "interface-automatic or do-ip4 in config");
1055 # endif /* IP_PKTINFO */
1061 /** see if interface is ssl, its port number == the ssl port number */
1063 if_is_ssl(const char* ifname, const char* port, int ssl_port,
1064 struct config_strlist* tls_additional_port)
1066 struct config_strlist* s;
1067 char* p = strchr(ifname, '@');
1068 if(!p && atoi(port) == ssl_port)
1070 if(p && atoi(p+1) == ssl_port)
1072 for(s = tls_additional_port; s; s = s->next) {
1073 if(p && atoi(p+1) == atoi(s->str))
1075 if(!p && atoi(port) == atoi(s->str))
1082 * Helper for ports_open. Creates one interface (or NULL for default).
1083 * @param ifname: The interface ip address.
1084 * @param do_auto: use automatic interface detection.
1085 * If enabled, then ifname must be the wildcard name.
1086 * @param do_udp: if udp should be used.
1087 * @param do_tcp: if udp should be used.
1088 * @param hints: for getaddrinfo. family and flags have to be set by caller.
1089 * @param port: Port number to use (as string).
1090 * @param list: list of open ports, appended to, changed to point to list head.
1091 * @param rcv: receive buffer size for UDP
1092 * @param snd: send buffer size for UDP
1093 * @param ssl_port: ssl service port number
1094 * @param tls_additional_port: list of additional ssl service port numbers.
1095 * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
1096 * set to false on exit if reuseport failed due to no kernel support.
1097 * @param transparent: set IP_TRANSPARENT socket option.
1098 * @param tcp_mss: maximum segment size of tcp socket. default if zero.
1099 * @param freebind: set IP_FREEBIND socket option.
1100 * @param use_systemd: if true, fetch sockets from systemd.
1101 * @param dnscrypt_port: dnscrypt service port number
1102 * @return: returns false on error.
1105 ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
1106 struct addrinfo *hints, const char* port, struct listen_port** list,
1107 size_t rcv, size_t snd, int ssl_port,
1108 struct config_strlist* tls_additional_port, int* reuseport,
1109 int transparent, int tcp_mss, int freebind, int use_systemd,
1114 int is_dnscrypt = ((strchr(ifname, '@') &&
1115 atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
1116 (!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
1118 int is_dnscrypt = 0;
1119 (void)dnscrypt_port;
1122 if(!do_udp && !do_tcp)
1125 if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
1126 &noip6, rcv, snd, reuseport, transparent,
1127 tcp_mss, freebind, use_systemd)) == -1) {
1129 log_warn("IPv6 protocol not available");
1134 /* getting source addr packet info is highly non-portable */
1135 if(!set_recvpktinfo(s, hints->ai_family)) {
1143 if(!port_insert(list, s,
1144 is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil)) {
1153 /* regular udp socket */
1154 if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
1155 &noip6, rcv, snd, reuseport, transparent,
1156 tcp_mss, freebind, use_systemd)) == -1) {
1158 log_warn("IPv6 protocol not available");
1163 if(!port_insert(list, s,
1164 is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp)) {
1174 int is_ssl = if_is_ssl(ifname, port, ssl_port,
1175 tls_additional_port);
1176 if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
1177 &noip6, 0, 0, reuseport, transparent, tcp_mss,
1178 freebind, use_systemd)) == -1) {
1180 /*log_warn("IPv6 protocol not available");*/
1186 verbose(VERB_ALGO, "setup TCP for SSL service");
1187 if(!port_insert(list, s, is_ssl?listen_type_ssl:
1188 (is_dnscrypt?listen_type_tcp_dnscrypt:listen_type_tcp))) {
1201 * Add items to commpoint list in front.
1202 * @param c: commpoint to add.
1203 * @param front: listen struct.
1204 * @return: false on failure.
1207 listen_cp_insert(struct comm_point* c, struct listen_dnsport* front)
1209 struct listen_list* item = (struct listen_list*)malloc(
1210 sizeof(struct listen_list));
1214 item->next = front->cps;
1219 struct listen_dnsport*
1220 listen_create(struct comm_base* base, struct listen_port* ports,
1221 size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
1222 struct tcl_list* tcp_conn_limit, void* sslctx,
1223 struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
1225 struct listen_dnsport* front = (struct listen_dnsport*)
1226 malloc(sizeof(struct listen_dnsport));
1230 front->udp_buff = sldns_buffer_new(bufsize);
1232 front->dnscrypt_udp_buff = NULL;
1234 if(!front->udp_buff) {
1239 /* create comm points as needed */
1241 struct comm_point* cp = NULL;
1242 if(ports->ftype == listen_type_udp ||
1243 ports->ftype == listen_type_udp_dnscrypt)
1244 cp = comm_point_create_udp(base, ports->fd,
1245 front->udp_buff, cb, cb_arg);
1246 else if(ports->ftype == listen_type_tcp ||
1247 ports->ftype == listen_type_tcp_dnscrypt)
1248 cp = comm_point_create_tcp(base, ports->fd,
1249 tcp_accept_count, tcp_idle_timeout,
1250 tcp_conn_limit, bufsize, cb, cb_arg);
1251 else if(ports->ftype == listen_type_ssl) {
1252 cp = comm_point_create_tcp(base, ports->fd,
1253 tcp_accept_count, tcp_idle_timeout,
1254 tcp_conn_limit, bufsize, cb, cb_arg);
1256 } else if(ports->ftype == listen_type_udpancil ||
1257 ports->ftype == listen_type_udpancil_dnscrypt)
1258 cp = comm_point_create_udp_ancil(base, ports->fd,
1259 front->udp_buff, cb, cb_arg);
1261 log_err("can't create commpoint");
1262 listen_delete(front);
1266 cp->do_not_close = 1;
1268 if (ports->ftype == listen_type_udp_dnscrypt ||
1269 ports->ftype == listen_type_tcp_dnscrypt ||
1270 ports->ftype == listen_type_udpancil_dnscrypt) {
1272 cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
1273 if(!cp->dnscrypt_buffer) {
1274 log_err("can't alloc dnscrypt_buffer");
1275 comm_point_delete(cp);
1276 listen_delete(front);
1279 front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
1282 if(!listen_cp_insert(cp, front)) {
1283 log_err("malloc failed");
1284 comm_point_delete(cp);
1285 listen_delete(front);
1288 ports = ports->next;
1291 log_err("Could not open sockets to accept queries.");
1292 listen_delete(front);
1300 listen_list_delete(struct listen_list* list)
1302 struct listen_list *p = list, *pn;
1305 comm_point_delete(p->com);
1312 listen_delete(struct listen_dnsport* front)
1316 listen_list_delete(front->cps);
1318 if(front->dnscrypt_udp_buff &&
1319 front->udp_buff != front->dnscrypt_udp_buff) {
1320 sldns_buffer_free(front->dnscrypt_udp_buff);
1323 sldns_buffer_free(front->udp_buff);
1328 listening_ports_open(struct config_file* cfg, int* reuseport)
1330 struct listen_port* list = NULL;
1331 struct addrinfo hints;
1332 int i, do_ip4, do_ip6;
1333 int do_tcp, do_auto;
1335 snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
1336 do_ip4 = cfg->do_ip4;
1337 do_ip6 = cfg->do_ip6;
1338 do_tcp = cfg->do_tcp;
1339 do_auto = cfg->if_automatic && cfg->do_udp;
1340 if(cfg->incoming_num_tcp == 0)
1344 memset(&hints, 0, sizeof(hints));
1345 hints.ai_flags = AI_PASSIVE;
1346 /* no name lookups on our listening ports */
1347 if(cfg->num_ifs > 0)
1348 hints.ai_flags |= AI_NUMERICHOST;
1349 hints.ai_family = AF_UNSPEC;
1353 if(!do_ip4 && !do_ip6) {
1356 /* create ip4 and ip6 ports so that return addresses are nice. */
1357 if(do_auto || cfg->num_ifs == 0) {
1359 hints.ai_family = AF_INET6;
1360 if(!ports_create_if(do_auto?"::0":"::1",
1361 do_auto, cfg->do_udp, do_tcp,
1362 &hints, portbuf, &list,
1363 cfg->so_rcvbuf, cfg->so_sndbuf,
1364 cfg->ssl_port, cfg->tls_additional_port,
1365 reuseport, cfg->ip_transparent,
1366 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
1367 cfg->dnscrypt_port)) {
1368 listening_ports_free(list);
1373 hints.ai_family = AF_INET;
1374 if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
1375 do_auto, cfg->do_udp, do_tcp,
1376 &hints, portbuf, &list,
1377 cfg->so_rcvbuf, cfg->so_sndbuf,
1378 cfg->ssl_port, cfg->tls_additional_port,
1379 reuseport, cfg->ip_transparent,
1380 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
1381 cfg->dnscrypt_port)) {
1382 listening_ports_free(list);
1386 } else for(i = 0; i<cfg->num_ifs; i++) {
1387 if(str_is_ip6(cfg->ifs[i])) {
1390 hints.ai_family = AF_INET6;
1391 if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
1392 do_tcp, &hints, portbuf, &list,
1393 cfg->so_rcvbuf, cfg->so_sndbuf,
1394 cfg->ssl_port, cfg->tls_additional_port,
1395 reuseport, cfg->ip_transparent,
1396 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
1397 cfg->dnscrypt_port)) {
1398 listening_ports_free(list);
1404 hints.ai_family = AF_INET;
1405 if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
1406 do_tcp, &hints, portbuf, &list,
1407 cfg->so_rcvbuf, cfg->so_sndbuf,
1408 cfg->ssl_port, cfg->tls_additional_port,
1409 reuseport, cfg->ip_transparent,
1410 cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
1411 cfg->dnscrypt_port)) {
1412 listening_ports_free(list);
1420 void listening_ports_free(struct listen_port* list)
1422 struct listen_port* nx;
1425 if(list->fd != -1) {
1429 closesocket(list->fd);
1437 size_t listen_get_mem(struct listen_dnsport* listen)
1439 struct listen_list* p;
1440 size_t s = sizeof(*listen) + sizeof(*listen->base) +
1441 sizeof(*listen->udp_buff) +
1442 sldns_buffer_capacity(listen->udp_buff);
1444 s += sizeof(*listen->dnscrypt_udp_buff);
1445 if(listen->udp_buff != listen->dnscrypt_udp_buff){
1446 s += sldns_buffer_capacity(listen->dnscrypt_udp_buff);
1449 for(p = listen->cps; p; p = p->next) {
1451 s += comm_point_get_mem(p->com);
1456 void listen_stop_accept(struct listen_dnsport* listen)
1458 /* do not stop the ones that have no tcp_free list
1459 * (they have already stopped listening) */
1460 struct listen_list* p;
1461 for(p=listen->cps; p; p=p->next) {
1462 if(p->com->type == comm_tcp_accept &&
1463 p->com->tcp_free != NULL) {
1464 comm_point_stop_listening(p->com);
1469 void listen_start_accept(struct listen_dnsport* listen)
1471 /* do not start the ones that have no tcp_free list, it is no
1472 * use to listen to them because they have no free tcp handlers */
1473 struct listen_list* p;
1474 for(p=listen->cps; p; p=p->next) {
1475 if(p->com->type == comm_tcp_accept &&
1476 p->com->tcp_free != NULL) {
1477 comm_point_start_listening(p->com, -1, -1);