From patchwork Tue Feb 28 04:26:45 2023
X-Patchwork-Submitter: Heiko Hund
X-Patchwork-Id: 3095
From: Heiko Hund
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Feb 2023 05:26:45 +0100
Message-Id: <20230228042645.38863-1-heiko@ist.eigentlich.net>
Subject: [Openvpn-devel] [PATCH] dns option: allow up to two addresses per family

Signed-off-by: Heiko Hund --- doc/man-sections/client-options.rst | 7 +-- src/openvpn/dns.c | 70 ++++++++++++++++------------- src/openvpn/dns.h | 19 +++++--- src/openvpn/options.c | 30 +++++++------ 4 files changed, 72 insertions(+), 54 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 974cc992..0b973adf 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -168,7 +168,7 @@ configuration. :: dns search-domains domain [domain ...] - dns server n address addr[:port] [addr[:port]] + dns server n address addr[:port] [addr[:port]] [addr[:port]] [addr[:port]] dns server n resolve-domains|exclude-domains domain [domain ...] dns server n dnssec yes|optional|no dns server n transport DoH|DoT|plain
@@ -187,8 +187,9 @@ configuration. already configured DNS servers with the same server id. The ``address`` option configures the IPv4 and / or IPv6 address of - the DNS server. Optionally a port can be appended after a colon. IPv6 - addresses need to be enclosed in brackets if a port is appended. + the DNS server. Up to two addresses per address family can be specified. + Optionally a port can be appended after a colon. IPv6 addresses need to + be enclosed in brackets if a port is appended. The ``resolve-domains`` and ``exclude-domains`` options take one or more DNS domains which are explicitly resolved or explicitly not resolved diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 9f2a7d5e..18f6e58b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -117,17 +117,25 @@ dns_server_addr_parse(struct dns_server *server, const char *addr) if (ai->ai_family == AF_INET) { + if (server->addr4_count >= SIZE(server->addr4)) + { + return false; + } struct sockaddr_in *sin = (struct sockaddr_in *)ai->ai_addr; - server->addr4_defined = true; - server->addr4.s_addr = ntohl(sin->sin_addr.s_addr); - server->port4 = port; + server->addr4[server->addr4_count].in.a4.s_addr = ntohl(sin->sin_addr.s_addr); + server->addr4[server->addr4_count].port = port; + server->addr4_count += 1; } else { + if (server->addr6_count >= SIZE(server->addr6)) + { + return false; + } struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ai->ai_addr; - server->addr6_defined = true; - server->addr6 = sin6->sin6_addr; - server->port6 = port; + server->addr6[server->addr6_count].in.a6 = sin6->sin6_addr; + server->addr6[server->addr6_count].port = port; + server->addr6_count += 1; } freeaddrinfo(ai); 
@@ -197,7 +205,7 @@ dns_options_verify(int msglevel, const struct dns_options *o) o->servers ? o->servers : o->servers_prepull; while (server) { - if (!server->addr4_defined && !server->addr6_defined) + if (server->addr4_count == 0 && server->addr6_count == 0) { msg(msglevel, "ERROR: dns server %ld does not have an address assigned", server->priority); return false; @@ -376,26 +384,26 @@ setenv_dns_options(const struct dns_options *o, struct env_set *es) for (i = 1, s = o->servers; s != NULL; i++, s = s->next) { - if (s->addr4_defined) - { - setenv_dns_option(es, "dns_server_%d_address4", i, -1, - print_in_addr_t(s->addr4.s_addr, 0, &gc)); - } - if (s->port4) + for (j = 0; j < s->addr4_count; ++j) { - setenv_dns_option(es, "dns_server_%d_port4", i, -1, - print_in_port_t(s->port4, &gc)); + setenv_dns_option(es, "dns_server_%d_address4_%d", i, j + 1, + print_in_addr_t(s->addr4[j].in.a4.s_addr, 0, &gc)); + if (s->addr4[j].port) + { + setenv_dns_option(es, "dns_server_%d_port4_%d", i, j + 1, + print_in_port_t(s->addr4[j].port, &gc)); + } } - if (s->addr6_defined) + for (j = 0; j < s->addr6_count; ++j) { - setenv_dns_option(es, "dns_server_%d_address6", i, -1, - print_in6_addr(s->addr6, 0, &gc)); - } - if (s->port6) - { - setenv_dns_option(es, "dns_server_%d_port6", i, -1, - print_in_port_t(s->port6, &gc)); + setenv_dns_option(es, "dns_server_%d_address6_%d", i, j + 1, + print_in6_addr(s->addr6[j].in.a6, 0, &gc)); + if (s->addr6[j].port) + { + setenv_dns_option(es, "dns_server_%d_port6", i, -1, + print_in_port_t(s->addr6[j].port, &gc)); + } } if (s->domains) 
@@ -439,12 +447,12 @@ show_dns_options(const struct dns_options *o) { msg(D_SHOW_PARMS, " DNS server #%d:", i++); - if (server->addr4_defined) + for (int j = 0; j < server->addr4_count; ++j) { - const char *addr = print_in_addr_t(server->addr4.s_addr, 0, &gc); - if (server->port4) + const char *addr = print_in_addr_t(server->addr4[j].in.a4.s_addr, 0, &gc); + if (server->addr4[j].port) { - const char *port = print_in_port_t(server->port4, &gc); + const char *port = print_in_port_t(server->addr4[j].port, &gc); msg(D_SHOW_PARMS, " address4 = %s:%s", addr, port); } else @@ -452,12 +460,12 @@ show_dns_options(const struct dns_options *o) msg(D_SHOW_PARMS, " address4 = %s", addr); } } - if (server->addr6_defined) + for (int j = 0; j < server->addr6_count; ++j) { - const char *addr = print_in6_addr(server->addr6, 0, &gc); - if (server->port6) + const char *addr = print_in6_addr(server->addr6[j].in.a6, 0, &gc); + if (server->addr6[j].port) { - const char *port = print_in_port_t(server->port6, &gc); + const char *port = print_in_port_t(server->addr6[j].port, &gc); msg(D_SHOW_PARMS, " address6 = [%s]:%s", addr, port); } else diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 03a894f2..34f864dd 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -52,15 +52,22 @@ struct dns_domain { const char *name; }; +struct dns_server_addr +{ + union { + struct in_addr a4; + struct in6_addr a6; + } in; + in_port_t port; +}; + struct dns_server { struct dns_server *next; long priority; - bool addr4_defined; - bool addr6_defined; - struct in_addr addr4; - struct in6_addr addr6; - in_port_t port4; - in_port_t port6; + size_t addr4_count; + size_t addr6_count; + struct dns_server_addr addr4[2]; + struct dns_server_addr addr6[2]; struct dns_domain *domains; enum dns_domain_type domain_type; enum dns_security dnssec; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9105449c..7ea1994a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1387,21 +1387,23 @@ tuntap_options_copy_dns(struct options *o) const struct dns_server *server = dns->servers; while (server) { - if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR) + for (int i = 0; i < server->addr4_count; ++i) { - tt->dns[tt->dns_len++] = server->addr4.s_addr; - } - else - { - overflow = true; - } - if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR) - { - tt->dns6[tt->dns6_len++] = server->addr6; + if (tt->dns_len >= N_DHCP_ADDR) + { + overflow = true; + break; + } + tt->dns[tt->dns_len++] = server->addr4[i].in.a4.s_addr; } - else + for (int i = 0; i < server->addr6_count; ++i) { - overflow = true; + if (tt->dns6_len >= N_DHCP_ADDR) + { + overflow = true; + break; + } + tt->dns6[tt->dns6_len++] = server->addr6[i].in.a6; } server = server->next; } @@ -8001,13 +8003,13 @@ add_option(struct options *options, struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc); - if (streq(p[3], "address") && !p[6]) + if (streq(p[3], "address") && !p[8]) { for (int i = 4; p[i]; i++) { if (!dns_server_addr_parse(server, p[i])) { - msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]); + msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]); goto err; } }
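Review bot: in the dns_server_addr_parse hunk (dns.c @@ -117,17 +117,25 @@) the only new guard is the per-family slot count; nothing compares the parsed address against the entries already stored in `server->addr4[]` / `server->addr6[]`, so `address 10.0.0.1 10.0.0.1` now fills both IPv4 slots with the same server. The old error text "malformed or duplicate address" shows that duplicates used to be rejected; if dropping that is intended the commit message should say so, otherwise loop over the existing `addr4_count` / `addr6_count` entries and return false on a match before appending.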
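Review bot: in the setenv_dns_options hunk (dns.c @@ -376,26 +384,26 @@) the IPv6 port variable is not indexed like its address: the address is exported as `"dns_server_%d_address6_%d", i, j + 1` but the port still as `"dns_server_%d_port6", i, -1`, so with two IPv6 servers that both carry a port the second overwrites the first and a script cannot tell which address the port belongs to. It should mirror the IPv4 branch: `setenv_dns_option(es, "dns_server_%d_port6_%d", i, j + 1, print_in_port_t(s->addr6[j].port, &gc));`. Note also that this hunk renames the exported variables from `dns_server_N_address4` / `port4` to the `_1` / `_2` suffixed forms, which is a script-visible interface change; the commit message currently consists only of the Signed-off-by line and should mention it.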
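Review bot: in the dns.h hunk (@@ -52,15 +52,22 @@) the slot count is a bare literal, `struct dns_server_addr addr4[2];` / `addr6[2];`, and the same number is implied by the `!p[8]` arity check in options.c (four address arguments after `p[3]`) and by the four `[addr[:port]]` slots in the rst; a named constant (for example a hypothetical `DNS_SERVER_MAX_ADDRS`) used in all three places would keep them in sync. Also, `addr4_count` / `addr6_count` are declared `size_t`, but the loops in show_dns_options and tuntap_options_copy_dns index them with `int i` / `int j`, which trips -Wsign-compare; either make the counters `int` (they can only ever be 0..2) or make the loop variables `size_t`.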
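Review bot: in the add_option hunk (options.c @@ -8001,13 +8003,13 @@) the new error text "malformed address or maximum exceeded '%s'" conflates two different failures because dns_server_addr_parse returns false for both; a user who lists three IPv4 addresses gets the same message as one with a typo. Either have the caller check the family count before parsing so it can say "at most two IPv4 addresses", or let dns_server_addr_parse report which case it hit. Separately, `!p[8]` rejects a fifth address by skipping this branch entirely, so that case never reaches the new message and falls through to whatever follows the if-chain; with the per-family bound in place the arity check could be dropped so the limit is reported by one path.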