Commit e494bd26 authored by Petr Špaček's avatar Petr Špaček

Merge branch 'fwd-respect-ipver' into 'master'

force kresd to follow net.ipv(4,6) settings when forwarding

See merge request !710
parents 41cf07be ee440dec
...@@ -20,6 +20,7 @@ Bugfixes ...@@ -20,6 +20,7 @@ Bugfixes
as the submodule collects metrics from all sub-processes as well. as the submodule collects metrics from all sub-processes as well.
- TLS fixes for corner cases (!714, !700) - TLS fixes for corner cases (!714, !700)
- fix build with -DNOVERBOSELOG (#424) - fix build with -DNOVERBOSELOG (#424)
- policy.{FORWARD,TLS_FORWARD,STUB}: respect net.ipv{4,6} setting (!710)
Improvements Improvements
------------ ------------
......
...@@ -461,13 +461,13 @@ configured in the config file. ...@@ -461,13 +461,13 @@ configured in the config file.
:return: boolean (default: true) :return: boolean (default: true)
Enable/disable using IPv6 for recursion. Enable/disable using IPv6 for contacting upstream nameservers.
.. envvar:: net.ipv4 = true|false .. envvar:: net.ipv4 = true|false
:return: boolean (default: true) :return: boolean (default: true)
Enable/disable using IPv4 for recursion. Enable/disable using IPv4 for contacting upstream nameservers.
.. function:: net.listen(addresses, [port = 53, flags = {tls = (port == 853)}]) .. function:: net.listen(addresses, [port = 53, flags = {tls = (port == 853)}])
......
...@@ -280,23 +280,24 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock ...@@ -280,23 +280,24 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock
if (index >= KR_NSREP_MAXADDR) { if (index >= KR_NSREP_MAXADDR) {
return kr_error(ENOSPC); return kr_error(ENOSPC);
} }
qry->ns.name = (const uint8_t *)"";
/* Reset score on first entry */
if (index == 0) {
qry->ns.score = KR_NS_UNKNOWN;
qry->ns.reputation = 0;
}
if (!sock) { if (!sock) {
qry->ns.name = (const uint8_t *)"";
qry->ns.addr[index].ip.sa_family = AF_UNSPEC; qry->ns.addr[index].ip.sa_family = AF_UNSPEC;
return kr_ok(); return kr_ok();
} }
switch (sock->sa_family) { switch (sock->sa_family) {
case AF_INET: case AF_INET:
if (qry->flags.NO_IPV4) {
return kr_error(ENOENT);
}
qry->ns.addr[index].ip4 = *(const struct sockaddr_in *)sock; qry->ns.addr[index].ip4 = *(const struct sockaddr_in *)sock;
break; break;
case AF_INET6: case AF_INET6:
if (qry->flags.NO_IPV6) {
return kr_error(ENOENT);
}
qry->ns.addr[index].ip6 = *(const struct sockaddr_in6 *)sock; qry->ns.addr[index].ip6 = *(const struct sockaddr_in6 *)sock;
break; break;
default: default:
...@@ -304,6 +305,13 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock ...@@ -304,6 +305,13 @@ int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock
return kr_error(EINVAL); return kr_error(EINVAL);
} }
qry->ns.name = (const uint8_t *)"";
/* Reset score on first entry */
if (index == 0) {
qry->ns.score = KR_NS_UNKNOWN;
qry->ns.reputation = 0;
}
/* Retrieve RTT from cache */ /* Retrieve RTT from cache */
struct kr_context *ctx = qry->ns.ctx; struct kr_context *ctx = qry->ns.ctx;
kr_nsrep_rtt_lru_entry_t *rtt_cache_entry = ctx kr_nsrep_rtt_lru_entry_t *rtt_cache_entry = ctx
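Review bot: With the reset moved below the `switch`, the `!sock` early return no longer resets `qry->ns.score` and `qry->ns.reputation` when `index == 0`, which the old code did before reaching that branch. set_nslist in the policy module calls `kr_nsrep_set(qry, 0, nil)` when every forwarder was filtered out, so an empty list can now carry the score of a previously selected server; whether anything reads it afterwards is not visible in these hunks. If the old behaviour is wanted, repeat `if (index == 0) { qry->ns.score = KR_NS_UNKNOWN; qry->ns.reputation = 0; }` inside the `!sock` branch. Otherwise a short comment saying the reset is deliberately skipped for the terminator and for rejected addresses would make the ordering clear. The function body continues past the end of the second hunk.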
......
...@@ -109,11 +109,11 @@ struct kr_nsrep ...@@ -109,11 +109,11 @@ struct kr_nsrep
}; };
/** /**
* Set given NS address. * Set given NS address. (Very low-level access to the list.)
* @param qry updated query * @param qry updated query
* @param index index of the updated target * @param index index of the updated target
* @param sock socket address to use (sockaddr_in or sockaddr_in6 or NULL) * @param sock socket address to use (sockaddr_in or sockaddr_in6 or NULL)
* @return 0 or an error code * @return 0 or an error code, in particular kr_error(ENOENT) for net.ipvX
*/ */
KR_EXPORT KR_EXPORT
int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock); int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock);
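Review bot: The updated `@return` line does not say what state the list is left in when `kr_error(ENOENT)` is returned. From the implementation, the slot at `index` is left untouched in that case, so a caller has to reuse the same index for the next candidate and still write the NULL terminator itself. I would extend the comment, for example `kr_error(ENOENT) if the address family is disabled via net.ipv4/net.ipv6; the slot is not modified`.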
......
; config options
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test that IPv6 is not used by kresd.
RANGE_BEGIN 0 100
ADDRESS ::1:2:3:4
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.test.org A
SECTION ANSWER
www.test.org 3600 A 4.3.2.1
ENTRY_END
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
www.test.org A
ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer
REPLY QR RD RA NOERROR
SECTION QUESTION
www.test.org A
SECTION ANSWER
www.test.org 3600 A 4.3.2.1
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
programs:
- name: kresd
binary: kresd
additional:
- -f
- "1"
templates:
- modules/policy/noipv6.test.integr/kresd_config.j2
- tests/hints_zone.j2
configs:
- config
- hints
{% raw %}
net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
modules.unload('ta_signal_query')
end
-- Disable RFC8109 priming, scenario doesn't provide expected answers
if priming then
modules.unload('priming')
end
-- Disable this module because it make one priming query
if detect_time_skew then
modules.unload('detect_time_skew')
end
_hint_root_file('hints')
cache.size = 2*MB
verbose(true)
{% endraw %}
net = { '{{SELF_ADDR}}' }
{% if QMIN == "false" %}
option('NO_MINIMIZE', true)
{% else %}
option('NO_MINIMIZE', false)
{% endif %}
-- Self-checks on globals
assert(help() ~= nil)
assert(worker.id ~= nil)
-- Self-checks on facilities
assert(cache.count() == 0)
assert(cache.stats() ~= nil)
assert(cache.backends() ~= nil)
assert(worker.stats() ~= nil)
assert(net.interfaces() ~= nil)
-- Self-checks on loaded stuff
assert(net.list()['{{SELF_ADDR}}'])
assert(#modules.list() > 0)
-- Self-check timers
ev = event.recurrent(1 * sec, function (ev) return 1 end)
event.cancel(ev)
ev = event.after(0, function (ev) return 1 end)
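Review bot: Both new scenarios (noipv6 and noipvx) exercise only `policy.STUB`, while the changelog entry names `policy.FORWARD` and `policy.TLS_FORWARD` as well, and there is no case with `net.ipv4 = false` alone. Since these settings are what keeps the resolver off a disabled address family, I would add a scenario with `net.ipv4 = false` where only the `::1:2:3:4` range answers, and one using `policy.FORWARD` with the same address pair. A list with exactly three usable forwarders would also be worth covering, because it sits at the boundary of the terminator logic in set_nslist.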
; config options
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test that neither IPv6 nor IPv4 is used by kresd :-)
RANGE_BEGIN 0 100
ADDRESS ::1:2:3:4
RANGE_END
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
www.test.org A
ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.test.org A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
programs:
- name: kresd
binary: kresd
additional:
- -f
- "1"
templates:
- modules/policy/noipvx.test.integr/kresd_config.j2
- tests/hints_zone.j2
configs:
- config
- hints
{% raw %}
net.ipv4 = false
net.ipv6 = false
policy.add(policy.all(policy.STUB({ '::1:2:3:4', '1.2.3.4' })))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
modules.unload('ta_signal_query')
end
-- Disable RFC8109 priming, scenario doesn't provide expected answers
if priming then
modules.unload('priming')
end
-- Disable this module because it make one priming query
if detect_time_skew then
modules.unload('detect_time_skew')
end
_hint_root_file('hints')
cache.size = 2*MB
verbose(true)
{% endraw %}
net = { '{{SELF_ADDR}}' }
{% if QMIN == "false" %}
option('NO_MINIMIZE', true)
{% else %}
option('NO_MINIMIZE', false)
{% endif %}
-- Self-checks on globals
assert(help() ~= nil)
assert(worker.id ~= nil)
-- Self-checks on facilities
assert(cache.count() == 0)
assert(cache.stats() ~= nil)
assert(cache.backends() ~= nil)
assert(worker.stats() ~= nil)
assert(net.interfaces() ~= nil)
-- Self-checks on loaded stuff
assert(net.list()['{{SELF_ADDR}}'])
assert(#modules.list() > 0)
-- Self-check timers
ev = event.recurrent(1 * sec, function (ev) return 1 end)
event.cancel(ev)
ev = event.after(0, function (ev) return 1 end)
...@@ -81,12 +81,21 @@ end ...@@ -81,12 +81,21 @@ end
-- Override the list of nameservers (forwarders) -- Override the list of nameservers (forwarders)
local function set_nslist(qry, list) local function set_nslist(qry, list)
for i, ns in ipairs(list) do local ns_i = 0
assert(ffi.C.kr_nsrep_set(qry, i - 1, ns) == 0); for _, ns in ipairs(list) do
-- kr_nsrep_set() can return kr_error(ENOENT), it's OK
if ffi.C.kr_nsrep_set(qry, ns_i, ns) == 0 then
ns_i = ns_i + 1
end
end end
-- If less than maximum NSs, insert guard to terminate the list -- If less than maximum NSs, insert guard to terminate the list
if #list < 4 then if ns_i < 3 then
assert(ffi.C.kr_nsrep_set(qry, #list, nil) == 0); assert(ffi.C.kr_nsrep_set(qry, ns_i, nil) == 0);
end
if ns_i == 0 then
-- would use assert() but don't want to compose the message if not triggered
error('no usable address in NS set (check net.ipv4 and '
.. 'net.ipv6 config):\n' .. table_print(list, 2))
end end
end end
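Review bot: The terminator guard `if ns_i < 3 then` looks off by one. With exactly three usable addresses, slots 0–2 are filled and no terminator is written to slot 3, whereas the old `#list < 4` check did write one in that case. If KR_NSREP_MAXADDR is 4, as the old condition suggests (its value is not shown on this page), slot 3 could keep an address left over from an earlier server selection, and a query could then go to a server outside the configured forwarder list. I would use `if ns_i < 4 then`, or derive the bound from the C constant. Separately, non-zero returns other than ENOENT (ENOSPC for a surplus entry, EINVAL for an unknown family) are now skipped silently where the old code asserted, so the comment above the call should say whether that is intended.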
......