summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-12-08resolved: add mDNS packet dispatcherDaniel Mack
Add the packet dispatching routine for mDNS. It differs to what LLMNR and DNS dispatchers do in the way it matches incoming packets. In mDNS, we actually handle all incoming packets, regardless whether we asked for them earlier or not.
2015-12-08resolved: allow name compression in NSEC recordsDaniel Mack
2015-12-08resolved: handle mDNS timeouts per transactionDaniel Mack
mDNS packet timeouts need to be handled per transaction, not per link. Re-use the n_attempts field for this purpose, as packets timeouts should be determined by starting at 1 second, and doubling the value on each try.
2015-12-08resolved: short-cut jitter callbacks for LLMNR and mDNSDaniel Mack
When a jitter callback is issued instead of sending a DNS packet directly, on_transaction_timeout() is invoked to 'retry' the transaction. However, this function has side effects. For once, it increases the packet loss counter on the scope, and it also unrefs/refs the server instances. Fix this by tracking the jitter with two bool variables. One saying that the initial jitter has been scheduled in the first place, and one that tells us the delay packet has been sent.
2015-12-08resolved: flush keys when DNS_RESOURCE_KEY_CACHE_FLUSH is setDaniel Mack
In mDNS, DNS_RESOURCE_KEY_CACHE_FLUSH denotes whether other records with the same key should be flushed from the cache.
2015-12-08resolved: add cache flush flag to DnsResourceKeyDaniel Mack
MDNS has a 'key cache flush' flag for records which must be masked out for the parsers to do our right thing. We will also use that flag later (in a different patch) in order to alter the cache behavior.
2015-12-08resolved: add mDNS initial jitterDaniel Mack
The logic is to kick off mDNS packets in a delayed way is mostly identical to what LLMNR needs, except that the constants are different.
2015-12-08resolved: create dns scopes for mDNSDaniel Mack
Follow what LLMNR does, and create per-link DnsScope objects.
2015-12-08resolved: add code to join/leave mDNS multicast groupsDaniel Mack
Per link, join the mDNS multicast groups when the scope is created, and leave it again when the scope goes away.
2015-12-08resolved: add packet header details for mDNSDaniel Mack
Validate mDNS queries and responses by looking at some header fields, add mDNS flags.
2015-12-08resolved: add infrastructure for mDNS related socketsDaniel Mack
Just hook up mDNS listeners with an empty packet dispather function, introduce a config directive, man page updates etc.
2015-12-07Merge pull request #2104 from evverx/rlimit-util-testZbigniew Jędrzejewski-Szmek
tests: add test-rlimit-util
2015-12-07Merge pull request #2117 from evverx/remove-dist-check-pythonZbigniew Jędrzejewski-Szmek
build-sys: remove dist-check-python
2015-12-08build-sys: remove dist-check-pythonEvgeny Vereshchagin
added: 279419b379 obsoleted: 2c8849add4
2015-12-07Merge pull request #2111 from evverx/remove-unnecessary-checkingFilipe Brandenburger
build-sys: remove unnecessary check
2015-12-07Merge pull request #2109 from keszybz/udev-null-derefMartin Pitt
Udev null deref
2015-12-07tests: disable hard errorsEvgeny Vereshchagin
we don't use it https://www.gnu.org/software/automake/manual/automake.html#Scripts_002dbased-Testsuites
2015-12-07tests: add test-rlimit-utilEvgeny Vereshchagin
2015-12-07build-sys: remove unnecessary checkEvgeny Vereshchagin
added: 65adc982d obsoleted: 2c8849add
2015-12-07udev: fix NULL deref when executing rulesZbigniew Jędrzejewski-Szmek
We quite obviously check whether event->dev_db is nonnull, and right after that call a function which asserts the same. Move the call under the same if. https://bugzilla.redhat.com/show_bug.cgi?id=1283971
2015-12-07libudev: simplify udev_device_ensure_usec_initialized a bitZbigniew Jędrzejewski-Szmek
2015-12-06Merge pull request #2095 from evverx/fix-distcheck-for-disable-timesyncLennart Poettering
build-sys: move "dist" parts out of conditional
2015-12-06Merge pull request #2100 from msekletar/nologin-labelLennart Poettering
user-sessions: make sure /run/nologin has correct SELinux label
2015-12-06Merge pull request #2107 from phomes/miscLennart Poettering
Misc cleanups
2015-12-06Merge pull request #2097 from kinvolk/alban/TasksMaxLennart Poettering
nspawn: set TasksMax in machined instead of nspawn
2015-12-06resolve: remove unused variableThomas Hindoe Paaboel Andersen
2015-12-06shared: include what we useThomas Hindoe Paaboel Andersen
The next step of a general cleanup of our includes. This one mostly adds missing includes but there are a few removals as well.
2015-12-04nspawn: set TasksMax in machined instead of nspawnAlban Crequy
https://github.com/systemd/systemd/issues/2016
2015-12-04login: make sure /run/nologin has correct SELinux labelMichal Sekletar
2015-12-04user-sessions: make sure /run/nologin has correct SELinux labelMichal Sekletar
2015-12-04Merge pull request #2092 from poettering/dnssec2Tom Gundersen
Second DNSSEC patch set
2015-12-04build-sys: move "dist" parts out of conditionalEvgeny Vereshchagin
Fixes: $ ./autogen.sh $ ./configure ... --disable-timesyncd $ make distcheck ... make[1]: *** No rule to make target 'src/timesync/timesyncd-gperf.gperf', needed by 'src/timesync/timesyncd-gperf.c'. Stop.
2015-12-03Merge pull request #2093 from evverx/add-test-dnssec-to-gitignoreZbigniew Jędrzejewski-Szmek
.gitignore: add test-dnssec
2015-12-04.gitignore: add test-dnssecEvgeny Vereshchagin
This is a follow-up for 2b442ac87838be7c326
2015-12-03resolved: update DNSSEC TODO list a bitLennart Poettering
2015-12-03resolved: add a concept of "authenticated" responsesLennart Poettering
This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03resolved: when synthesizing NODATA from cached NSEC bitmaps, honour CNAME/DNAMELennart Poettering
When an RR type is not set in an NSEC, then the CNAME/DNAME types might still be, hence check them too. Otherwise we might end up refusing resolving of CNAME'd RRs if we cached an NSEC before.
2015-12-03resolved: maintain a short TODO list for DNSSEC support in the dnssec C ↵Lennart Poettering
files for now
2015-12-03resolved: introduce a dnssec_mode setting per scopeLennart Poettering
The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested.
2015-12-03resolved: add a limit on the max DNSSEC RRSIG expiry skew we allowLennart Poettering
2015-12-03resolved: add a simple trust anchor database as additional RR sourceLennart Poettering
When doing DNSSEC lookups we need to know one or more DS or DNSKEY RRs as trust anchors to validate lookups. With this change we add a compiled-in trust anchor database, serving the root DS key as of today, retrieved from: https://data.iana.org/root-anchors/root-anchors.xml The interface is kept generic, so that additional DS or DNSKEY RRs may be served via the same interface, for example by provisioning them locally in external files to support "islands" of security. The trust anchor database becomes the fourth source of RRs we maintain, besides, the network, the local cache, and the local zone.
2015-12-03resolved: rework how we allow allow queries to be dispatched to scopesLennart Poettering
Previously, we'd never do any single-label or root domain lookups via DNS, thus leaving single-label lookups to LLMNR and the search path logic in order that single-label names don't leak too easily onto the internet. With this change we open things up a bit, and only prohibit A/AAAA lookups of single-label/root domains, but allow all other lookups. This should provide similar protection, but allow us to resolve DNSKEY+DS RRs for the top-level and root domains. (This also simplifies handling of the search domain detection, and gets rid of dns_scope_has_search_domains() in favour of dns_scope_get_search_domains()).
2015-12-03resolved: don't bother with picking a search domain when searching is disabledLennart Poettering
2015-12-03resolved: optionally, allocate DnsResourceKey objects on the stackLennart Poettering
Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03resolved: make expiration error recognizableLennart Poettering
2015-12-03resolved: refuse resolving of a number of domains listed in RFC6303Lennart Poettering
We already blacklisted a few domains, add more.
2015-12-03Merge pull request #1934 from martinpitt/masterTom Gundersen
tests: add networkd integration test
2015-12-03Merge pull request #2089 from keszybz/journal-fixes-2Tom Gundersen
Journal fixes
2015-12-03journal: silently skip failing large messages if journald is missingZbigniew Jędrzejewski-Szmek
We treated -ENOENT errors with silent failure, for small messages. Do the same for large messages.
2015-12-03journal: unbreak sd_journal_sendvZbigniew Jędrzejewski-Szmek
Borked since commit 3ee897d6c2401effbc82f5eef35fce405781d6c8 Author: Lennart Poettering <lennart@poettering.net> Date: Wed Sep 23 01:00:04 2015 +0200 tree-wide: port more code to use send_one_fd() and receive_one_fd() because here our fd is not connected and we need to specify the address.