Allow configuring a socket mark for DNS packets.
This allows dnsmasq to send DNS queries on a non-default network
(e.g., the DUN APN). We add support for a mark instead of using
existing code to bind DNS servers to interfaces because:
1. Marks are more flexible, and we use them elsewhere.
2. The existing code to bind DNS servers to interfaces causes
the DNS socket to be bound to a constant port, which exposes
us to a Kaminsky attack.
Bug: 16357676
Change-Id: I8933b6de198a92c2aaf0291931ace8966ddba275
diff --git a/src/network.c b/src/network.c
index cb2001d..43b1573 100755
--- a/src/network.c
+++ b/src/network.c
@@ -680,7 +680,7 @@
}
-int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
+int local_bind(int fd, union mysockaddr *addr, char *intname, uint32_t mark, int is_tcp)
{
union mysockaddr addr_copy = *addr;
@@ -704,10 +704,13 @@
return 0;
#endif
+ if (mark != 0 && setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) == -1)
+ return 0;
+
return 1;
}
-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
+static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, uint32_t mark)
{
struct serverfd *sfd;
int errsave;
@@ -734,6 +737,7 @@
/* may have a suitable one already */
for (sfd = daemon->sfds; sfd; sfd = sfd->next )
if (sockaddr_isequal(&sfd->source_addr, addr) &&
+ mark == sfd->mark &&
strcmp(intname, sfd->interface) == 0)
return sfd;
@@ -748,7 +752,7 @@
return NULL;
}
- if (!local_bind(sfd->fd, addr, intname, 0) || !fix_fd(sfd->fd))
+ if (!local_bind(sfd->fd, addr, intname, mark, 0) || !fix_fd(sfd->fd))
{
errsave = errno; /* save error from bind. */
close(sfd->fd);
@@ -759,6 +763,7 @@
strcpy(sfd->interface, intname);
sfd->source_addr = *addr;
+ sfd->mark = mark;
sfd->next = daemon->sfds;
daemon->sfds = sfd;
return sfd;
@@ -780,7 +785,7 @@
#ifdef HAVE_SOCKADDR_SA_LEN
addr.in.sin_len = sizeof(struct sockaddr_in);
#endif
- allocate_sfd(&addr, "");
+ allocate_sfd(&addr, "", 0);
#ifdef HAVE_IPV6
memset(&addr, 0, sizeof(addr));
addr.in6.sin6_family = AF_INET6;
@@ -789,13 +794,13 @@
#ifdef HAVE_SOCKADDR_SA_LEN
addr.in6.sin6_len = sizeof(struct sockaddr_in6);
#endif
- allocate_sfd(&addr, "");
+ allocate_sfd(&addr, "", 0);
#endif
}
for (srv = daemon->servers; srv; srv = srv->next)
if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
- !allocate_sfd(&srv->source_addr, srv->interface) &&
+ !allocate_sfd(&srv->source_addr, srv->interface, srv->mark) &&
errno != 0 &&
(daemon->options & OPT_NOWILD))
{
@@ -845,7 +850,7 @@
/* Do we need a socket set? */
if (!new->sfd &&
- !(new->sfd = allocate_sfd(&new->source_addr, new->interface)) &&
+ !(new->sfd = allocate_sfd(&new->source_addr, new->interface, new->mark)) &&
errno != 0)
{
my_syslog(LOG_WARNING,
@@ -999,7 +1004,9 @@
}
/*
- * Takes a string in the format "1.2.3.4:1.2.3.4:..." - up to 1024 bytes in length
+ * Takes a string in the format "0x100b:1.2.3.4:1.2.3.4:..." - up to 1024 bytes in length
+ * - The first element is the socket mark to set on sockets that forward DNS queries.
+ * - The subsequent elements are the DNS servers to forward queries to.
*/
int set_servers(const char *servers)
{
@@ -1007,6 +1014,8 @@
struct server *old_servers = NULL;
struct server *new_servers = NULL;
struct server *serv;
+ char *mark_string;
+ uint32_t mark;
strncpy(s, servers, sizeof(s));
@@ -1031,10 +1040,14 @@
serv = tmp;
}
- char *next = s;
- char *saddr;
+ char *next = s;
+ char *saddr;
- while ((saddr = strsep(&next, ":"))) {
+ /* Parse the mark. */
+ mark_string = strsep(&next, ":");
+ mark = strtoul(mark_string, NULL, 0);
+
+ while ((saddr = strsep(&next, ":"))) {
union mysockaddr addr, source_addr;
memset(&addr, 0, sizeof(addr));
memset(&source_addr, 0, sizeof(source_addr));
@@ -1080,6 +1093,7 @@
serv->source_addr = source_addr;
serv->domain = NULL;
serv->interface[0] = 0;
+ serv->mark = mark;
serv->sfd = NULL;
serv->flags = SERV_FROM_RESOLV;
serv->queries = serv->failed_queries = 0;
@@ -1193,6 +1207,7 @@
serv->source_addr = source_addr;
serv->domain = NULL;
serv->interface[0] = 0;
+ serv->mark = 0;
serv->sfd = NULL;
serv->flags = SERV_FROM_RESOLV;
serv->queries = serv->failed_queries = 0;