diff options
author | Dave Barach <dave@barachs.net> | 2017-11-15 13:28:15 -0500 |
---|---|---|
committer | Dave Barach <dave@barachs.net> | 2017-11-15 13:28:43 -0500 |
commit | b8a0d2cf9ff8796123b3c167c051f78ab03cc4cf (patch) | |
tree | 69226e5206458c9c12e83fae1abd4bd34e0d04ff | |
parent | 5665a22f81dd48c6d211a9a2be83d174c62d73cf (diff) |
Punt DNS request/reply traffic when name resolution disabled
Change-Id: Iaad22f25993783be57247aa1f050740f96d2566a
Signed-off-by: Dave Barach <dave@barachs.net>
-rw-r--r-- | src/vnet/dns/dns.h | 1 | ||||
-rw-r--r-- | src/vnet/dns/reply_node.c | 15 | ||||
-rw-r--r-- | src/vnet/dns/request_node.c | 16 |
3 files changed, 27 insertions, 5 deletions
diff --git a/src/vnet/dns/dns.h b/src/vnet/dns/dns.h index 84d7ee041b5..1272e756d7c 100644 --- a/src/vnet/dns/dns.h +++ b/src/vnet/dns/dns.h @@ -139,6 +139,7 @@ typedef enum } dns46_request_error_t; #define foreach_dns46_reply_error \ +_(DISABLED, "DNS pkts punted (feature disabled)") \ _(PROCESSED, "DNS reply pkts processed") \ _(NO_ELT, "No DNS pool element") \ _(FORMAT_ERROR, "DNS format errors") \ diff --git a/src/vnet/dns/reply_node.c b/src/vnet/dns/reply_node.c index fbb99e8a6f9..5681e11d8e2 100644 --- a/src/vnet/dns/reply_node.c +++ b/src/vnet/dns/reply_node.c @@ -50,6 +50,7 @@ static char *dns46_reply_error_strings[] = { typedef enum { DNS46_REPLY_NEXT_DROP, + DNS46_REPLY_NEXT_PUNT, DNS46_REPLY_N_NEXT, } dns46_reply_next_t; @@ -59,6 +60,7 @@ dns46_reply_node_fn (vlib_main_t * vm, { u32 n_left_from, *from, *to_next; dns46_reply_next_t next_index; + dns_main_t *dm = &dns_main; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -139,8 +141,8 @@ dns46_reply_node_fn (vlib_main_t * vm, vlib_buffer_t *b0; u32 next0 = DNS46_REPLY_NEXT_DROP; dns_header_t *d0; - u32 pool_index0; - u32 error0; + u32 pool_index0 = ~0; + u32 error0 = 0; u8 *resp0 = 0; /* speculatively enqueue b0 to the current next frame */ @@ -149,11 +151,16 @@ dns46_reply_node_fn (vlib_main_t * vm, from += 1; to_next += 1; n_left_from -= 1; - n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); d0 = vlib_buffer_get_current (b0); + if (PREDICT_FALSE (dm->is_enabled == 0)) + { + next0 = DNS46_REPLY_NEXT_PUNT; + error0 = DNS46_REPLY_ERROR_DISABLED; + goto done0; + } pool_index0 = clib_host_to_net_u16 (d0->id); @@ -169,6 +176,7 @@ dns46_reply_node_fn (vlib_main_t * vm, (uword) resp0); error0 = DNS46_REPLY_ERROR_PROCESSED; + done0: b0->error = node->errors[error0]; if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) @@ -205,6 +213,7 @@ VLIB_REGISTER_NODE (dns46_reply_node) = .n_next_nodes = DNS46_REPLY_N_NEXT, .next_nodes = { [DNS46_REPLY_NEXT_DROP] = "error-drop", + [DNS46_REPLY_NEXT_PUNT] = "error-punt", }, }; /* *INDENT-ON* */ diff --git a/src/vnet/dns/request_node.c b/src/vnet/dns/request_node.c index 64468805237..f7446cce825 100644 --- a/src/vnet/dns/request_node.c +++ b/src/vnet/dns/request_node.c @@ -51,6 +51,7 @@ typedef enum { DNS46_REQUEST_NEXT_DROP, DNS46_REQUEST_NEXT_IP_LOOKUP, + DNS46_REQUEST_NEXT_PUNT, DNS46_REQUEST_N_NEXT, } dns46_request_next_t; @@ -160,15 +161,22 @@ dns46_request_inline (vlib_main_t * vm, from += 1; to_next += 1; n_left_from -= 1; - n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); d0 = vlib_buffer_get_current (b0); u0 = (udp_header_t *) ((u8 *) d0 - sizeof (*u0)); + + if (PREDICT_FALSE (dm->is_enabled == 0)) + { + next0 = DNS46_REQUEST_NEXT_PUNT; + goto done0; + } + if (is_ip6) { - ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip4_header_t)); + ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip6_header_t)); + next0 = DNS46_REQUEST_NEXT_DROP; error0 = DNS46_REQUEST_ERROR_UNIMPLEMENTED; goto done0; } @@ -187,11 +195,13 @@ dns46_request_inline (vlib_main_t * vm, /* Requests only */ if (flags0 & DNS_QR) { + next0 = DNS46_REQUEST_NEXT_DROP; error0 = DNS46_REQUEST_ERROR_BAD_REQUEST; goto done0; } if (clib_net_to_host_u16 (d0->qdcount) != 1) { + next0 = DNS46_REQUEST_NEXT_DROP; error0 = DNS46_REQUEST_ERROR_TOO_MANY_REQUESTS; goto done0; } @@ -286,6 +296,7 @@ VLIB_REGISTER_NODE (dns4_request_node) = .n_next_nodes = DNS46_REQUEST_N_NEXT, .next_nodes = { [DNS46_REQUEST_NEXT_DROP] = "error-drop", + [DNS46_REQUEST_NEXT_PUNT] = "error-punt", [DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip4-lookup", }, }; @@ -312,6 +323,7 @@ VLIB_REGISTER_NODE (dns6_request_node) = .n_next_nodes = DNS46_REQUEST_N_NEXT, .next_nodes = { [DNS46_REQUEST_NEXT_DROP] = "error-drop", + [DNS46_REQUEST_NEXT_PUNT] = "error-punt", [DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip6-lookup", }, }; |