Commit e494bd26 authored by Petr Špaček's avatar Petr Špaček

Merge branch 'fwd-respect-ipver' into 'master'

force kresd to follow net.ipv(4,6) settings when forwarding

See merge request !710
parents 41cf07be ee440dec
......@@ -20,6 +20,7 @@ Bugfixes
as the submodule collects metrics from all sub-processes as well.
- TLS fixes for corner cases (!714, !700)
- fix build with -DNOVERBOSELOG (#424)
- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
Improvements
------------
......
......@@ -461,13 +461,13 @@ configured in the config file.
:return: boolean (default: true)
Enable/disable using IPv6 for recursion.
Enable/disable using IPv6 for contacting upstream nameservers.
.. envvar:: net.ipv4 = true|false
:return: boolean (default: true)
Enable/disable using IPv4 for recursion.
Enable/disable using IPv4 for contacting upstream nameservers.
.. function:: net.listen(addresses, [port = 53, flags = {tls = (port == 853)}])
......
......@@ -280,23 +280,24 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock
if (index >= KR_NSREP_MAXADDR) {
return kr_error(ENOSPC);
}
qry->ns.name = (const uint8_t *)"";
/* Reset score on first entry */
if (index == 0) {
qry->ns.score = KR_NS_UNKNOWN;
qry->ns.reputation = 0;
}
if (!sock) {
qry->ns.name = (const uint8_t *)"";
qry->ns.addr[index].ip.sa_family = AF_UNSPEC;
return kr_ok();
}
switch (sock->sa_family) {
case AF_INET:
if (qry->flags.NO_IPV4) {
return kr_error(ENOENT);
}
qry->ns.addr[index].ip4 = *(const struct sockaddr_in *)sock;
break;
case AF_INET6:
if (qry->flags.NO_IPV6) {
return kr_error(ENOENT);
}
qry->ns.addr[index].ip6 = *(const struct sockaddr_in6 *)sock;
break;
default:
......@@ -304,6 +305,13 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock
return kr_error(EINVAL);
}
qry->ns.name = (const uint8_t *)"";
/* Reset score on first entry */
if (index == 0) {
qry->ns.score = KR_NS_UNKNOWN;
qry->ns.reputation = 0;
}
/* Retrieve RTT from cache */
struct kr_context *ctx = qry->ns.ctx;
kr_nsrep_rtt_lru_entry_t *rtt_cache_entry = ctx
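Review bot: The `!sock` branch returns before the "Reset score on first entry" block, which this change appears to move below the switch, so `kr_nsrep_set(qry, 0, NULL)` no longer resets `qry->ns.score` and `qry->ns.reputation`. Judging by the duplicated lines, the old code ran that reset before the NULL check. The new set_nslist() in policy.lua makes exactly this call when every address has been filtered out by net.ipv4/net.ipv6, so a score from an earlier NS selection may survive on the query. Either repeat the reset in the NULL branch, `if (index == 0) { qry->ns.score = KR_NS_UNKNOWN; qry->ns.reputation = 0; }`, or add a comment saying the terminator call deliberately leaves the score alone. The function body continues past the end of the second hunk, so later code may already cover this.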
......
......@@ -109,11 +109,11 @@ struct kr_nsrep
};
/**
* Set given NS address.
* Set given NS address. (Very low-level access to the list.)
* @param qry updated query
* @param index index of the updated target
* @param sock socket address to use (sockaddr_in or sockaddr_in6 or NULL)
* @return 0 or an error code
* @return 0 or an error code, in particular kr_error(ENOENT) for net.ipvX
*/
KR_EXPORT
int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock);
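Review bot: The new `@return` line, "in particular kr_error(ENOENT) for net.ipvX", does not tell a caller that ENOENT is an expected, non-fatal result or what state the slot is left in. In the implementation the ENOENT return happens before `qry->ns.addr[index]` is written, so the caller must not advance its index. I would spell that out: `@return 0 or an error code; kr_error(ENOENT) means the address family is disabled by net.ipv4/net.ipv6 and the slot at index was left unchanged`. Listing kr_error(ENOSPC) and kr_error(EINVAL) as the hard failures would also help callers decide which returns are safe to skip.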
......
; config options
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test that IPv6 is not used by kresd.
RANGE_BEGIN 0 100
ADDRESS ::1:2:3:4
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.test.org A
SECTION ANSWER
www.test.org 3600 A 4.3.2.1
ENTRY_END
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
www.test.org A
ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer
REPLY QR RD RA NOERROR
SECTION QUESTION
www.test.org A
SECTION ANSWER
www.test.org 3600 A 4.3.2.1
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
programs:
- name: kresd
binary: kresd
additional:
- -f
- "1"
templates:
- modules/policy/noipv6.test.integr/kresd_config.j2
- tests/hints_zone.j2
configs:
- config
- hints
{% raw %}
net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
modules.unload('ta_signal_query')
end
-- Disable RFC8109 priming, scenario doesn't provide expected answers
if priming then
modules.unload('priming')
end
-- Disable this module because it make one priming query
if detect_time_skew then
modules.unload('detect_time_skew')
end
_hint_root_file('hints')
cache.size = 2*MB
verbose(true)
{% endraw %}
net = { '{{SELF_ADDR}}' }
{% if QMIN == "false" %}
option('NO_MINIMIZE', true)
{% else %}
option('NO_MINIMIZE', false)
{% endif %}
-- Self-checks on globals
assert(help() ~= nil)
assert(worker.id ~= nil)
-- Self-checks on facilities
assert(cache.count() == 0)
assert(cache.stats() ~= nil)
assert(cache.backends() ~= nil)
assert(worker.stats() ~= nil)
assert(net.interfaces() ~= nil)
-- Self-checks on loaded stuff
assert(net.list()['{{SELF_ADDR}}'])
assert(#modules.list() > 0)
-- Self-check timers
ev = event.recurrent(1 * sec, function (ev) return 1 end)
event.cancel(ev)
ev = event.after(0, function (ev) return 1 end)
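Review bot: Test coverage is missing for the AF_INET branch taken alone: this config sets only `net.ipv6 = false`, and the noipvx config disables both families. Both use `policy.STUB`, while the NEWS entry also names FORWARD and TLS_FORWARD. A third scenario with `net.ipv4 = false`, with the answer served from the `::1:2:3:4` range, would confirm that queries do not go out over a disabled IPv4 path. If FORWARD and TLS_FORWARD go through the same set_nslist() helper (not visible on this page), one STUB-based scenario per family is probably enough, but a comment in the test saying so would help.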
; config options
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test that neither IPv6 nor IPv4 is used by kresd :-)
RANGE_BEGIN 0 100
ADDRESS ::1:2:3:4
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
www.test.org A
ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.test.org A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
programs:
- name: kresd
binary: kresd
additional:
- -f
- "1"
templates:
- modules/policy/noipvx.test.integr/kresd_config.j2
- tests/hints_zone.j2
configs:
- config
- hints
{% raw %}
net.ipv4 = false
net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
modules.unload('ta_signal_query')
end
-- Disable RFC8109 priming, scenario doesn't provide expected answers
if priming then
modules.unload('priming')
end
-- Disable this module because it make one priming query
if detect_time_skew then
modules.unload('detect_time_skew')
end
_hint_root_file('hints')
cache.size = 2*MB
verbose(true)
{% endraw %}
net = { '{{SELF_ADDR}}' }
{% if QMIN == "false" %}
option('NO_MINIMIZE', true)
{% else %}
option('NO_MINIMIZE', false)
{% endif %}
-- Self-checks on globals
assert(help() ~= nil)
assert(worker.id ~= nil)
-- Self-checks on facilities
assert(cache.count() == 0)
assert(cache.stats() ~= nil)
assert(cache.backends() ~= nil)
assert(worker.stats() ~= nil)
assert(net.interfaces() ~= nil)
-- Self-checks on loaded stuff
assert(net.list()['{{SELF_ADDR}}'])
assert(#modules.list() > 0)
-- Self-check timers
ev = event.recurrent(1 * sec, function (ev) return 1 end)
event.cancel(ev)
ev = event.after(0, function (ev) return 1 end)
......@@ -81,12 +81,21 @@ end
-- Override the list of nameservers (forwarders)
local function set_nslist(qry, list)
for i, ns in ipairs(list) do
assert(ffi.C.kr_nsrep_set(qry, i - 1, ns) == 0);
local ns_i = 0
for _, ns in ipairs(list) do
-- kr_nsrep_set() can return kr_error(ENOENT), it's OK
if ffi.C.kr_nsrep_set(qry, ns_i, ns) == 0 then
ns_i = ns_i + 1
end
end
-- If less than maximum NSs, insert guard to terminate the list
if #list < 4 then
assert(ffi.C.kr_nsrep_set(qry, #list, nil) == 0);
if ns_i < 3 then
assert(ffi.C.kr_nsrep_set(qry, ns_i, nil) == 0);
end
if ns_i == 0 then
-- would use assert() but don't want to compose the message if not triggered
error('no usable address in NS set (check net.ipv4 and '
.. 'net.ipv6 config):\n' .. table_print(list, 2))
end
end
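Review bot: The terminator guard changed from `#list < 4` to `ns_i < 3`, so when exactly three addresses are accepted no AF_UNSPEC guard is written at index 3. Whatever that slot held before stays in the NS list and could be contacted, possibly an address of a family that net.ipv4/net.ipv6 was meant to disable. Unless slot 3 is known to be cleared elsewhere (not visible in this hunk), the condition should be `if ns_i < 4 then`, ideally tied to KR_NSREP_MAXADDR rather than a literal. The loop also skips every non-zero return from kr_nsrep_set(), not only kr_error(ENOENT), so an EINVAL or ENOSPC that the old assert() caught is now dropped silently. Treat only the ENOENT return as skippable and keep the assert for any other non-zero value.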
......