Changeset 726

Timestamp:

04/18/06 18:44:10 (7 years ago)

Author:

ahu

Message:

make clientside ipv4/ip6 agnostic, including allow-from
fix address printing
fix tcp client limiting when listening on multiple addresses

Location:

trunk/pdns/pdns

Files:

• dnspacket.cc (modified) (2 diffs)
• dnsproxy.cc (modified) (1 diff)
• iputils.hh (modified) (5 diffs)
• misc.cc (modified) (2 diffs)
• misc.hh (modified) (1 diff)
• pdns_recursor.cc (modified) (25 diffs)

trunk/pdns/pdns/dnspacket.cc

@@ -53 +53 @@
 string DNSPacket::getLocal() const
 {
-  struct sockaddr_in sa;
-  int addrlen=sizeof(struct sockaddr_in);
+  struct sockaddr_in6 sa;
+  int addrlen=sizeof(sa);
 
   getsockname(d_socket, (struct sockaddr *)&sa, (socklen_t *)&addrlen);
-  return sockAddrToString(&sa, (socklen_t)addrlen);
+  return sockAddrToString(&sa);
 }
 
@@ -63 +63 @@
 string DNSPacket::getRemote() const
 {
-  return sockAddrToString((struct sockaddr_in *)remote, d_socklen);
+  return sockAddrToString((struct sockaddr_in *)remote);
 }
 

trunk/pdns/pdns/dnsproxy.cc

@@ -140 +140 @@
       if(i->second.created)
         L<<Logger::Warning<<"Recursive query for remote "<<
-          sockAddrToString((struct sockaddr_in *)&i->second.remote, i->second.addrlen)<<" with internal id "<<n<<
+          sockAddrToString((struct sockaddr_in *)&i->second.remote)<<" with internal id "<<n<<
           " was not answered by backend within timeout, reusing id"<<endl;
       

trunk/pdns/pdns/iputils.hh

@@ -35 +35 @@
 using namespace std;
 
+union ComboAddress {
+  struct sockaddr_in sin4;
+  struct sockaddr_in6 sin6;
+
+  bool operator<(const ComboAddress& rhs) const
+  {
+    if(sin4.sin_family < rhs.sin4.sin_family)
+      return true;
+    if(sin4.sin_family > rhs.sin4.sin_family)
+      return false;
+    
+    if(sin4.sin_family == AF_INET)
+      return sin4.sin_addr.s_addr < rhs.sin4.sin_addr.s_addr;
+    else
+      return memcmp(&sin6.sin6_addr.s6_addr, &rhs.sin6_addr.s6_addr, 16) < 0;
+  }
+
+  string toString() const
+  {
+    char tmp[128];
+    if(sin4.sin_family==AF_INET && !inet_ntop(AF_INET, ( const char * ) &sin4.sin_addr, tmp, sizeof(tmp)))
+      return tmp;
+
+    if(sin4.sin_family==AF_INET6 && !inet_ntop(AF_INET6, ( const char * ) &sin6.sin6_addr, tmp, sizeof(tmp)))
+      return tmp;
+      
+    return tmp;
+  }
+};
+
 /** This exception is thrown by the Netmask class and by extension by the NetmaskGroup class */
 class NetmaskException: public AhuException 
@@ -42 +72 @@
 };
 
+inline ComboAddress makeComboAddress(const string& str)
+{
+  ComboAddress address;
+  address.sin4.sin_family=AF_INET;
+  if(inet_pton(AF_INET, str.c_str(), &address.sin4.sin_addr) <= 0) {
+    address.sin4.sin_family=AF_INET6;
+    if(inet_pton(AF_INET6, str.c_str(), &address.sin6.sin6_addr) <= 0)
+      throw NetmaskException("Unable to convert '"+str+"' to a netmask");       
+  }
+  return address;
+}
+
 /** This class represents a netmask and can be queried to see if a certain
     IP address is matched by this mask */
-
 class Netmask
 {
@@ -51 +92 @@
   Netmask(const string &mask) 
   {
-    char *p;
-    uint8_t bits=32;
-    d_mask=0xFFFFFFFF;
-
-    if((p=strchr(mask.c_str(),'/')))
-      bits = (uint8_t) atoi(p+1);
-
-    if( bits < 32 )
-    d_mask=~(0xFFFFFFFF>>bits);
-
-    struct in_addr a;
-    if(!Utility::inet_aton(mask.substr(0,p-mask.c_str()).c_str(), &a))
-      throw NetmaskException("Unable to convert '"+mask+"' to a netmask");
-    d_network=htonl(a.s_addr);
+    pair<string,string> split=splitField(mask,'/');
+    d_network=makeComboAddress(split.first);
+    
+    if(!split.second.empty()) {
+      d_bits = (uint8_t) atoi(split.second.c_str());
+      if(d_bits<32)
+        d_mask=~(0xFFFFFFFF>>d_bits);
+    }
+    else if(d_network.sin4.sin_family==AF_INET) {
+      d_bits = 32;
+      d_mask = 0xFFFFFFFF;
+    }
+    else 
+      d_bits=128;
   }
 
   //! If this IP address in socket address matches
-  bool match(const struct sockaddr_in *ip) const
+  bool match(const ComboAddress *ip) const
   {
-    return match(htonl((unsigned int)ip->sin_addr.s_addr));
+    if(d_network.sin4.sin_family != ip->sin4.sin_family) {
+      return false;
+    }
+    if(d_network.sin4.sin_family == AF_INET) {
+      return match4(htonl((unsigned int)ip->sin4.sin_addr.s_addr));
+    }
+    if(d_network.sin6.sin6_family == AF_INET6) {
+      uint8_t bytes=d_bits/8, n;
+      const uint8_t *us=(const uint8_t*) &d_network.sin6.sin6_addr.s6_addr;
+      const uint8_t *them=(const uint8_t*) &ip->sin6.sin6_addr.s6_addr;
+      
+      for(n=0; n < bytes; ++n) {
+        if(us[n]!=them[n]) {
+          return false;
+        }
+      }
+      // still here, now match remaining bits
+      uint8_t bits=bytes%8;
+      uint8_t mask= ~(0xFF>>bits);
+      return((us[n] & mask) == (them[n] & mask));
+    }
+    return false;
   }
 
@@ -76 +138 @@
   bool match(const string &ip) const
   {
-    struct in_addr a;
-    Utility::inet_aton(ip.c_str(), &a);
-    return match(htonl(a.s_addr));
+    ComboAddress address=makeComboAddress(ip);
+    return match(&address);
   }
 
   //! If this IP address in native format matches
-  bool match(uint32_t ip) const
+  bool match4(uint32_t ip) const
   {
-    return (ip & d_mask) == (d_network & d_mask);
+    return (ip & d_mask) == (ntohl(d_network.sin4.sin_addr.s_addr) & d_mask);
   }
 
-
 private:
-  uint32_t d_network;
+  ComboAddress d_network;
   uint32_t d_mask;
+  uint8_t d_bits;
 };
 
@@ -100 +161 @@
 public:
   //! If this IP address is matched by any of the classes within
-  bool match(struct sockaddr_in *ip)
+  bool match(ComboAddress *ip)
   {
     for(container_t::const_iterator i=d_masks.begin();i!=d_masks.end();++i)

trunk/pdns/pdns/misc.cc

@@ -367 +367 @@
 }
 
-const string sockAddrToString(struct sockaddr_in *remote, Utility::socklen_t socklen) 
+
+const string sockAddrToString(struct sockaddr_in *remote) 
 {    
-  if(socklen==sizeof(struct sockaddr_in)) {
+  if(remote->sin_family == AF_INET) {
     struct sockaddr_in sip;
     memcpy(&sip,(struct sockaddr_in*)remote,sizeof(sip));
     return inet_ntoa(sip.sin_addr);
   }
-#ifdef HAVE_IPV6
   else {
     char tmp[128];
@@ -383 +383 @@
     return tmp;
   }
-#endif
-
-  return "untranslateable";
 }
 

trunk/pdns/pdns/misc.hh

@@ -182 +182 @@
   struct timeval d_set;
 };
-const string sockAddrToString(struct sockaddr_in *remote, Utility::socklen_t socklen);
+const string sockAddrToString(struct sockaddr_in *remote);
 int sendData(const char *buffer, int replen, int outsock);
 

trunk/pdns/pdns/pdns_recursor.cc

@@ -72 +72 @@
 NetmaskGroup* g_allowFrom;
 string s_programname="pdns_recursor";
-int g_tcpListenSocket;
+vector<int> g_tcpListenSockets;
 int g_tcpTimeout;
 
@@ -79 +79 @@
   {}
   MOADNSParser d_mdp;
-  void setRemote(struct sockaddr* sa, socklen_t len)
+  void setRemote(ComboAddress* sa)
   {
-    memcpy((void *)d_remote, (void *)sa, len);
-    d_socklen=len;
+    d_remote=*sa;
+    d_socklen= d_remote.sin4.sin_family == AF_INET ? sizeof(sockaddr_in) : sizeof(sockaddr_in6);
   }
 
@@ -92 +92 @@
   string getRemote() const
   {
-    return sockAddrToString((struct sockaddr_in *)d_remote, d_socklen);
+    return d_remote.toString();
   }
 
   struct timeval d_now;
-  char d_remote[sizeof(sockaddr_in6)];
+  ComboAddress d_remote;
   socklen_t d_socklen;
   bool d_tcp;
@@ -311 +311 @@
     memcpy(data,packet.c_str(),min(len,*d_len));
     if(*nearMissLimit && pident.nearMisses > *nearMissLimit) {
-      L<<Logger::Error<<"Too many ("<<pident.nearMisses<<" > "<<*nearMissLimit<<") bogus answers for '"<<domain<<"' from "<<sockAddrToString((struct sockaddr_in*)toaddr, sizeof(pident.remote))<<", assuming spoof attempt."<<endl;
+      L<<Logger::Error<<"Too many ("<<pident.nearMisses<<" > "<<*nearMissLimit<<") bogus answers for '"<<domain<<"' from "<<sockAddrToString((struct sockaddr_in*)toaddr)<<", assuming spoof attempt."<<endl;
       g_stats.spoofCount++;
       return -1;
@@ -405 +405 @@
 }
 
-map<uint32_t, uint32_t> g_tcpClientCounts;
+map<ComboAddress, uint32_t> g_tcpClientCounts;
 
 struct TCPConnection
@@ -413 +413 @@
   int qlen;
   int bytesread;
-  struct sockaddr_in remote;
+  ComboAddress remote;
   char data[65535];
   time_t startTime;
@@ -420 +420 @@
   {
     close(fd);
-    if(!g_tcpClientCounts[remote.sin_addr.s_addr]--) 
-      g_tcpClientCounts.erase(remote.sin_addr.s_addr);
+    if(!g_tcpClientCounts[remote]--) 
+      g_tcpClientCounts.erase(remote);
     s_currentConnections--;
   }
@@ -500 +500 @@
   sendit:;
     if(!dc->d_tcp) {
-      sendto(dc->d_socket, &*packet.begin(), packet.size(), 0, (struct sockaddr *)(dc->d_remote), dc->d_socklen);
+      sendto(dc->d_socket, &*packet.begin(), packet.size(), 0, (struct sockaddr *)(&dc->d_remote), dc->d_socklen);
     }
     else {
@@ -617 +617 @@
     if(!bytes || bytes < 0) {
       if(g_logCommonErrors)
-        L<<Logger::Error<<"TCP client "<<sockAddrToString(&conn.remote,sizeof(conn.remote))<<" disconnected after first byte"<<endl;
+        L<<Logger::Error<<"TCP client "<< conn.remote.toString() <<" disconnected after first byte"<<endl;
       TCPConnection tmp(conn); 
       g_fdm->removeReadFD(fd);
@@ -627 +627 @@
     int bytes=read(conn.fd,conn.data + conn.bytesread,conn.qlen - conn.bytesread);
     if(!bytes || bytes < 0) {
-      L<<Logger::Error<<"TCP client "<<sockAddrToString(&conn.remote,sizeof(conn.remote))<<" disconnected while reading question body"<<endl;
+      L<<Logger::Error<<"TCP client "<< conn.remote.toString() <<" disconnected while reading question body"<<endl;
       TCPConnection tmp(conn);
       g_fdm->removeReadFD(fd);
@@ -643 +643 @@
       catch(MOADNSException &mde) {
         g_stats.clientParseError++; 
-        L<<Logger::Error<<"Unable to parse packet from TCP client "<<sockAddrToString(&conn.remote,sizeof(conn.remote))<<endl;
+        L<<Logger::Error<<"Unable to parse packet from TCP client "<< conn.remote.toString() <<endl;
         TCPConnection tmp(conn); 
         g_fdm->removeReadFD(fd);
@@ -652 +652 @@
       dc->setSocket(conn.fd);
       dc->d_tcp=true;
-      dc->setRemote((struct sockaddr *)&conn.remote,sizeof(conn.remote));
+      dc->setRemote(&conn.remote);
       if(dc->d_mdp.d_header.qr)
         L<<Logger::Error<<"Ignoring answer on server socket!"<<endl;
@@ -668 +668 @@
 void handleNewTCPQuestion(int fd, boost::any& )
 {
-  struct sockaddr_in addr;
+  ComboAddress addr;
   socklen_t addrlen=sizeof(addr);
   int newsock=accept(fd, (struct sockaddr*)&addr, &addrlen);
@@ -678 +678 @@
     }
     
-    if(g_maxTCPPerClient && g_tcpClientCounts.count(addr.sin_addr.s_addr) && g_tcpClientCounts[addr.sin_addr.s_addr] >= g_maxTCPPerClient) {
+    if(g_maxTCPPerClient && g_tcpClientCounts.count(addr) && g_tcpClientCounts[addr] >= g_maxTCPPerClient) {
       g_stats.tcpClientOverflow++;
       close(newsock); // don't call TCPConnection::closeAndCleanup here - did not enter it in the counts yet!
       return;
     }
-    g_tcpClientCounts[addr.sin_addr.s_addr]++;
+    g_tcpClientCounts[addr]++;
     Utility::setNonBlocking(newsock);
     TCPConnection tc;
@@ -700 +700 @@
 void makeTCPServerSockets()
 {
+  int fd;
   vector<string>locals;
   stringtok(locals,::arg()["local-address"]," ,");
@@ -706 +707 @@
     throw AhuException("No local address specified");
   
+  ComboAddress sin;
   for(vector<string>::const_iterator i=locals.begin();i!=locals.end();++i) {
-    g_tcpListenSocket=socket(AF_INET, SOCK_STREAM,0);
-    if(g_tcpListenSocket<0) 
-      throw AhuException("Making a server socket for resolver: "+stringerror());
-  
-    struct sockaddr_in sin;
     memset((char *)&sin,0, sizeof(sin));
-    
-    sin.sin_family = AF_INET;
-    if(!IpToU32(*i, &sin.sin_addr.s_addr))
-      throw AhuException("Unable to resolve local address '"+ *i +"'"); 
+    ComboAddress sin;
+    sin.sin4.sin_family = AF_INET;
+    if(!IpToU32(*i, &sin.sin4.sin_addr.s_addr)) {
+      sin.sin6.sin6_family = AF_INET6;
+      if(inet_pton(AF_INET6, i->c_str(), &sin.sin6.sin6_addr) <= 0)
+        throw AhuException("Unable to resolve local address '"+ *i +"'"); 
+    }
+
+    fd=socket(sin.sin6.sin6_family, SOCK_STREAM, 0);
+    if(fd<0) 
+      throw AhuException("Making a TCP server socket for resolver: "+stringerror());
 
     int tmp=1;
-    if(setsockopt(g_tcpListenSocket,SOL_SOCKET,SO_REUSEADDR,(char*)&tmp,sizeof tmp)<0) {
+    if(setsockopt(fd,SOL_SOCKET,SO_REUSEADDR,(char*)&tmp,sizeof tmp)<0) {
       L<<Logger::Error<<"Setsockopt failed for TCP listening socket"<<endl;
       exit(1);
@@ -725 +729 @@
     
 #ifdef TCP_DEFER_ACCEPT
-    if(setsockopt(g_tcpListenSocket, SOL_TCP,TCP_DEFER_ACCEPT,(char*)&tmp,sizeof tmp) >= 0) {
-      L<<Logger::Error<<"Enabled TCP data-ready filter for (slight) DoS protection"<<endl;
+    if(setsockopt(fd, SOL_TCP,TCP_DEFER_ACCEPT,(char*)&tmp,sizeof tmp) >= 0) {
+      if(i==locals.begin())
+        L<<Logger::Error<<"Enabled TCP data-ready filter for (slight) DoS protection"<<endl;
     }
 #endif
 
-    sin.sin_port = htons(::arg().asNum("local-port")); 
-    
-    if (::bind(g_tcpListenSocket, (struct sockaddr *)&sin, sizeof(sin))<0) 
+    sin.sin4.sin_port = htons(::arg().asNum("local-port")); 
+    int socklen=sin.sin4.sin_family==AF_INET ? sizeof(sin.sin4) : sizeof(sin.sin6);
+    if (::bind(fd, (struct sockaddr *)&sin, socklen )<0) 
       throw AhuException("Binding TCP server socket for "+*i+": "+stringerror());
     
-    Utility::setNonBlocking(g_tcpListenSocket);
-    setSendBuffer(g_tcpListenSocket, 65000);
-    listen(g_tcpListenSocket, 128);
-    g_fdm->addReadFD(g_tcpListenSocket, handleNewTCPQuestion);
-    L<<Logger::Error<<"Listening for TCP queries on "<<inet_ntoa(sin.sin_addr)<<":"<<::arg().asNum("local-port")<<endl;
+    Utility::setNonBlocking(fd);
+    setSendBuffer(fd, 65000);
+    listen(fd, 128);
+    g_fdm->addReadFD(fd, handleNewTCPQuestion);
+    L<<Logger::Error<<"Listening for TCP queries on "<< sockAddrToString(&sin.sin4) <<":"<<::arg().asNum("local-port")<<endl;
   }
 }
@@ -747 +752 @@
   int d_len;
   char data[1500];
-  struct sockaddr_in fromaddr;
+  ComboAddress fromaddr;
   socklen_t addrlen=sizeof(fromaddr);
 
@@ -759 +764 @@
       DNSComboWriter* dc = new DNSComboWriter(data, d_len, g_now);
       
-      dc->setRemote((struct sockaddr *)&fromaddr, addrlen);
+      dc->setRemote(&fromaddr);
       
       if(dc->d_mdp.d_header.qr) {
@@ -774 +779 @@
     catch(MOADNSException& mde) {
       g_stats.clientParseError++; 
-      L<<Logger::Error<<"Unable to parse packet from remote UDP client "<< sockAddrToString((struct sockaddr_in*) &fromaddr, addrlen) <<": "<<mde.what()<<endl;
+      L<<Logger::Error<<"Unable to parse packet from remote UDP client "<<fromaddr.toString() <<": "<<mde.what()<<endl;
     }
   }
@@ -793 +798 @@
 
   for(vector<string>::const_iterator i=locals.begin();i!=locals.end();++i) {
-    int fd=socket(AF_INET, SOCK_DGRAM,0);
+    ComboAddress sin;
+    memset(&sin, 0, sizeof(sin));
+    sin.sin4.sin_family = AF_INET;
+    if(!IpToU32(*i, &sin.sin4.sin_addr.s_addr)) {
+      sin.sin6.sin6_family = AF_INET6;
+      if(inet_pton(AF_INET6, i->c_str(), &sin.sin6.sin6_addr) <= 0)
+        throw AhuException("Unable to resolve local address '"+ *i +"'"); 
+    }
+    
+    int fd=socket(sin.sin4.sin_family, SOCK_DGRAM,0);
     if(fd<0) 
-      throw AhuException("Making a server socket for resolver: "+stringerror());
+      throw AhuException("Making a UDP server socket for resolver: "+stringerror());
+
     setReceiveBuffer(fd, 200000);
-    struct sockaddr_in sin;
-    memset((char *)&sin,0, sizeof(sin));
-    
-    sin.sin_family = AF_INET;
-    if(!IpToU32(*i, &sin.sin_addr.s_addr))
-      throw AhuException("Unable to resolve local address '"+ *i +"'"); 
-    
-    sin.sin_port = htons(::arg().asNum("local-port")); 
-    
-    if (::bind(fd, (struct sockaddr *)&sin, sizeof(sin))<0) 
+    sin.sin4.sin_port = htons(::arg().asNum("local-port")); 
+
+    int socklen=sin.sin4.sin_family==AF_INET ? sizeof(sin.sin4) : sizeof(sin.sin6);
+    if (::bind(fd, (struct sockaddr *)&sin, socklen)<0) 
       throw AhuException("Resolver binding to server socket for "+*i+": "+stringerror());
     
     Utility::setNonBlocking(fd);
     g_fdm->addReadFD(fd, handleNewUDPQuestion);
-    L<<Logger::Error<<"Listening for UDP queries on "<<inet_ntoa(sin.sin_addr)<<":"<<::arg().asNum("local-port")<<endl;
+    g_tcpListenSockets.push_back(fd);
+    L<<Logger::Error<<"Listening for UDP queries on "<<sin.toString()<<":"<<::arg().asNum("local-port")<<endl;
   }
 }
@@ -1061 +1071 @@
       g_stats.serverParseError++; 
       if(g_logCommonErrors)
-        L<<Logger::Error<<"Unable to parse packet from remote UDP server "<< sockAddrToString((struct sockaddr_in*) &fromaddr, addrlen) <<
+        L<<Logger::Error<<"Unable to parse packet from remote UDP server "<< sockAddrToString((struct sockaddr_in*) &fromaddr) <<
           ": packet smalller than DNS header"<<endl;
     }
@@ -1100 +1110 @@
   }
   else
-    L<<Logger::Warning<<"Ignoring question on outgoing socket from "<< sockAddrToString((struct sockaddr_in*) &fromaddr, addrlen)  <<endl;
+    L<<Logger::Warning<<"Ignoring question on outgoing socket from "<< sockAddrToString((struct sockaddr_in*) &fromaddr)  <<endl;
 }
 
@@ -1292 +1302 @@
           if(conn.state != TCPConnection::DONE) {
             if(g_logCommonErrors)
-              L<<Logger::Warning<<"Timeout from remote TCP client "<<sockAddrToString(&conn.remote,sizeof(conn.remote))<<endl;
+              L<<Logger::Warning<<"Timeout from remote TCP client "<< conn.remote.toString() <<endl;
             g_fdm->removeReadFD(i->first);
             conn.closeAndCleanup();
@@ -1309 +1319 @@
 
       if(listenOnTCP) {
-        if(TCPConnection::s_currentConnections > maxTcpClients) {
-          g_fdm->removeReadFD(g_tcpListenSocket);
+        if(TCPConnection::s_currentConnections > maxTcpClients) {  // shutdown
+          for_each(g_tcpListenSockets.begin(), g_tcpListenSockets.end(), 
+                   boost::bind(&FDMultiplexer::removeReadFD, g_fdm, _1));
           listenOnTCP=false;
         }
       }
       else {
-        if(TCPConnection::s_currentConnections <= maxTcpClients) {
-          g_fdm->addReadFD(g_tcpListenSocket, handleNewTCPQuestion);
+        if(TCPConnection::s_currentConnections <= maxTcpClients) {  // reenable
+          for_each(g_tcpListenSockets.begin(), g_tcpListenSockets.end(), 
+                   boost::bind(&FDMultiplexer::addReadFD, 
+                               g_fdm, _1, handleNewTCPQuestion, boost::any()));
           listenOnTCP=true;
         }