authorDave Barach <dave@barachs.net>2017-11-15 13:28:15 -0500
committerDave Barach <dave@barachs.net>2017-11-15 13:28:43 -0500
commitb8a0d2cf9ff8796123b3c167c051f78ab03cc4cf (patch)
tree69226e5206458c9c12e83fae1abd4bd34e0d04ff
parent5665a22f81dd48c6d211a9a2be83d174c62d73cf (diff)
Punt DNS request/reply traffic when name resolution disabled
Change-Id: Iaad22f25993783be57247aa1f050740f96d2566a Signed-off-by: Dave Barach <dave@barachs.net>
-rw-r--r--src/vnet/dns/dns.h1
-rw-r--r--src/vnet/dns/reply_node.c15
-rw-r--r--src/vnet/dns/request_node.c16
3 files changed, 27 insertions, 5 deletions
diff --git a/src/vnet/dns/dns.h b/src/vnet/dns/dns.h
index 84d7ee041b5..1272e756d7c 100644
--- a/src/vnet/dns/dns.h
+++ b/src/vnet/dns/dns.h
@@ -139,6 +139,7 @@ typedef enum
} dns46_request_error_t;
#define foreach_dns46_reply_error \
+_(DISABLED, "DNS pkts punted (feature disabled)") \
_(PROCESSED, "DNS reply pkts processed") \
_(NO_ELT, "No DNS pool element") \
_(FORMAT_ERROR, "DNS format errors") \
diff --git a/src/vnet/dns/reply_node.c b/src/vnet/dns/reply_node.c
index fbb99e8a6f9..5681e11d8e2 100644
--- a/src/vnet/dns/reply_node.c
+++ b/src/vnet/dns/reply_node.c
@@ -50,6 +50,7 @@ static char *dns46_reply_error_strings[] = {
typedef enum
{
DNS46_REPLY_NEXT_DROP,
+ DNS46_REPLY_NEXT_PUNT,
DNS46_REPLY_N_NEXT,
} dns46_reply_next_t;
@@ -59,6 +60,7 @@ dns46_reply_node_fn (vlib_main_t * vm,
{
u32 n_left_from, *from, *to_next;
dns46_reply_next_t next_index;
+ dns_main_t *dm = &dns_main;
from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
@@ -139,8 +141,8 @@ dns46_reply_node_fn (vlib_main_t * vm,
vlib_buffer_t *b0;
u32 next0 = DNS46_REPLY_NEXT_DROP;
dns_header_t *d0;
- u32 pool_index0;
- u32 error0;
+ u32 pool_index0 = ~0;
+ u32 error0 = 0;
u8 *resp0 = 0;
/* speculatively enqueue b0 to the current next frame */
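Review bot: `u32 error0 = 0;` initialises the counter index with a bare literal whose meaning this same commit changes. The dns.h hunk puts `DISABLED` first in `foreach_dns46_reply_error`, so 0 presumably now maps to DNS46_REPLY_ERROR_DISABLED (the enum expansion is not visible on this page). Any path that reaches `done0` without assigning error0 would then be counted as "DNS pkts punted (feature disabled)" while next0 is still DNS46_REPLY_NEXT_DROP, which would mislead anyone reading the counters. Either append `DISABLED` at the end of the list so the existing values do not shift, or keep the literal and document it with `/* 0 == DNS46_REPLY_ERROR_DISABLED; every path to done0 must set error0 */`. The per-packet loop body starts and ends outside this hunk, so the other paths to `done0` could not be checked here.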
@@ -149,11 +151,16 @@ dns46_reply_node_fn (vlib_main_t * vm,
from += 1;
to_next += 1;
n_left_from -= 1;
-
n_left_to_next -= 1;
b0 = vlib_get_buffer (vm, bi0);
d0 = vlib_buffer_get_current (b0);
+ if (PREDICT_FALSE (dm->is_enabled == 0))
+ {
+ next0 = DNS46_REPLY_NEXT_PUNT;
+ error0 = DNS46_REPLY_ERROR_DISABLED;
+ goto done0;
+ }
pool_index0 = clib_host_to_net_u16 (d0->id);
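Review bot: The new `dm->is_enabled == 0` branch has no comment saying why a reply is punted rather than dropped, and that choice matters for exposure. With name resolution off, every packet reaching this node now goes to "error-punt", so network-sourced UDP traffic can reach whatever consumes punted packets. I would add `/* resolver disabled: not ours to consume, hand to the punt path (subject to punt policing) */` above the `if`. It is also worth confirming that the punt path is rate-limited in deployments where this node sees untrusted traffic, since that cannot be seen from this page. The function continues outside the hunk.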
@@ -169,6 +176,7 @@ dns46_reply_node_fn (vlib_main_t * vm,
(uword) resp0);
error0 = DNS46_REPLY_ERROR_PROCESSED;
+ done0:
b0->error = node->errors[error0];
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
@@ -205,6 +213,7 @@ VLIB_REGISTER_NODE (dns46_reply_node) =
.n_next_nodes = DNS46_REPLY_N_NEXT,
.next_nodes = {
[DNS46_REPLY_NEXT_DROP] = "error-drop",
+ [DNS46_REPLY_NEXT_PUNT] = "error-punt",
},
};
/* *INDENT-ON* */
diff --git a/src/vnet/dns/request_node.c b/src/vnet/dns/request_node.c
index 64468805237..f7446cce825 100644
--- a/src/vnet/dns/request_node.c
+++ b/src/vnet/dns/request_node.c
@@ -51,6 +51,7 @@ typedef enum
{
DNS46_REQUEST_NEXT_DROP,
DNS46_REQUEST_NEXT_IP_LOOKUP,
+ DNS46_REQUEST_NEXT_PUNT,
DNS46_REQUEST_N_NEXT,
} dns46_request_next_t;
@@ -160,15 +161,22 @@ dns46_request_inline (vlib_main_t * vm,
from += 1;
to_next += 1;
n_left_from -= 1;
-
n_left_to_next -= 1;
b0 = vlib_get_buffer (vm, bi0);
d0 = vlib_buffer_get_current (b0);
u0 = (udp_header_t *) ((u8 *) d0 - sizeof (*u0));
+
+ if (PREDICT_FALSE (dm->is_enabled == 0))
+ {
+ next0 = DNS46_REQUEST_NEXT_PUNT;
+ goto done0;
+ }
+
if (is_ip6)
{
- ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip4_header_t));
+ ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip6_header_t));
+ next0 = DNS46_REQUEST_NEXT_DROP;
error0 = DNS46_REQUEST_ERROR_UNIMPLEMENTED;
goto done0;
}
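Review bot: The disabled branch sets `next0 = DNS46_REQUEST_NEXT_PUNT;` and jumps to `done0` without assigning error0, unlike the reply node, which records DNS46_REPLY_ERROR_DISABLED. error0's declaration is outside this hunk, so if `done0` stores `node->errors[error0]` as reply_node.c does, punted requests are counted under whatever value error0 holds there, or under an indeterminate one if it is uninitialised. dns.h gained a `DISABLED` entry only for the reply list. I would add a matching `_(DISABLED, "DNS pkts punted (feature disabled)")` to the request error list and set `error0 = DNS46_REQUEST_ERROR_DISABLED;` (a proposed new code) in this branch, so punted requests are visible in the node counters.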
@@ -187,11 +195,13 @@ dns46_request_inline (vlib_main_t * vm,
/* Requests only */
if (flags0 & DNS_QR)
{
+ next0 = DNS46_REQUEST_NEXT_DROP;
error0 = DNS46_REQUEST_ERROR_BAD_REQUEST;
goto done0;
}
if (clib_net_to_host_u16 (d0->qdcount) != 1)
{
+ next0 = DNS46_REQUEST_NEXT_DROP;
error0 = DNS46_REQUEST_ERROR_TOO_MANY_REQUESTS;
goto done0;
}
@@ -286,6 +296,7 @@ VLIB_REGISTER_NODE (dns4_request_node) =
.n_next_nodes = DNS46_REQUEST_N_NEXT,
.next_nodes = {
[DNS46_REQUEST_NEXT_DROP] = "error-drop",
+ [DNS46_REQUEST_NEXT_PUNT] = "error-punt",
[DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip4-lookup",
},
};
@@ -312,6 +323,7 @@ VLIB_REGISTER_NODE (dns6_request_node) =
.n_next_nodes = DNS46_REQUEST_N_NEXT,
.next_nodes = {
[DNS46_REQUEST_NEXT_DROP] = "error-drop",
+ [DNS46_REQUEST_NEXT_PUNT] = "error-punt",
[DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip6-lookup",
},
};