Punt DNS request/reply traffic when name resolution disabled

Change-Id: Iaad22f25993783be57247aa1f050740f96d2566a Signed-off-by: Dave Barach <dave@barachs.net>
author: Dave Barach <dave@barachs.net> 2017-11-15 13:28:15 -0500
committer: Dave Barach <dave@barachs.net> 2017-11-15 13:28:43 -0500
commit: b8a0d2cf9ff8796123b3c167c051f78ab03cc4cf (patch)
tree: 69226e5206458c9c12e83fae1abd4bd34e0d04ff /src/vnet/dns
parent: 5665a22f81dd48c6d211a9a2be83d174c62d73cf (diff)
3 files changed, 27 insertions, 5 deletions
diff --git a/src/vnet/dns/dns.h b/src/vnet/dns/dns.h
index 84d7ee041b5..1272e756d7c 100644
--- a/src/vnet/dns/dns.h
+++ b/src/vnet/dns/dns.h
@@ -139,6 +139,7 @@ typedef enum
 } dns46_request_error_t;
 
 #define foreach_dns46_reply_error                       \
+_(DISABLED, "DNS pkts punted (feature disabled)")       \
 _(PROCESSED, "DNS reply pkts processed")                \
 _(NO_ELT, "No DNS pool element")                        \
 _(FORMAT_ERROR, "DNS format errors")                    \
diff --git a/src/vnet/dns/reply_node.c b/src/vnet/dns/reply_node.c
index fbb99e8a6f9..5681e11d8e2 100644
--- a/src/vnet/dns/reply_node.c
+++ b/src/vnet/dns/reply_node.c
@@ -50,6 +50,7 @@ static char *dns46_reply_error_strings[] = {
 typedef enum
 {
   DNS46_REPLY_NEXT_DROP,
+  DNS46_REPLY_NEXT_PUNT,
   DNS46_REPLY_N_NEXT,
 } dns46_reply_next_t;
 
@@ -59,6 +60,7 @@ dns46_reply_node_fn (vlib_main_t * vm,
 {
   u32 n_left_from, *from, *to_next;
   dns46_reply_next_t next_index;
+  dns_main_t *dm = &dns_main;
 
   from = vlib_frame_vector_args (frame);
   n_left_from = frame->n_vectors;
@@ -139,8 +141,8 @@ dns46_reply_node_fn (vlib_main_t * vm,
 	  vlib_buffer_t *b0;
 	  u32 next0 = DNS46_REPLY_NEXT_DROP;
 	  dns_header_t *d0;
-	  u32 pool_index0;
-	  u32 error0;
+	  u32 pool_index0 = ~0;
+	  u32 error0 = 0;
 	  u8 *resp0 = 0;
 
 	  /* speculatively enqueue b0 to the current next frame */
@@ -149,11 +151,16 @@ dns46_reply_node_fn (vlib_main_t * vm,
 	  from += 1;
 	  to_next += 1;
 	  n_left_from -= 1;
-
 	  n_left_to_next -= 1;
 
 	  b0 = vlib_get_buffer (vm, bi0);
 	  d0 = vlib_buffer_get_current (b0);
+	  if (PREDICT_FALSE (dm->is_enabled == 0))
+	    {
+	      next0 = DNS46_REPLY_NEXT_PUNT;
+	      error0 = DNS46_REPLY_ERROR_DISABLED;
+	      goto done0;
+	    }
 
 	  pool_index0 = clib_host_to_net_u16 (d0->id);
 
@@ -169,6 +176,7 @@ dns46_reply_node_fn (vlib_main_t * vm,
 					(uword) resp0);
 	  error0 = DNS46_REPLY_ERROR_PROCESSED;
 
+	done0:
 	  b0->error = node->errors[error0];
 
 	  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
@@ -205,6 +213,7 @@ VLIB_REGISTER_NODE (dns46_reply_node) =
   .n_next_nodes = DNS46_REPLY_N_NEXT,
   .next_nodes = {
     [DNS46_REPLY_NEXT_DROP] = "error-drop",
+    [DNS46_REPLY_NEXT_PUNT] = "error-punt",
   },
 };
 /* *INDENT-ON* */
diff --git a/src/vnet/dns/request_node.c b/src/vnet/dns/request_node.c
index 64468805237..f7446cce825 100644
--- a/src/vnet/dns/request_node.c
+++ b/src/vnet/dns/request_node.c
@@ -51,6 +51,7 @@ typedef enum
 {
   DNS46_REQUEST_NEXT_DROP,
   DNS46_REQUEST_NEXT_IP_LOOKUP,
+  DNS46_REQUEST_NEXT_PUNT,
   DNS46_REQUEST_N_NEXT,
 } dns46_request_next_t;
 
@@ -160,15 +161,22 @@ dns46_request_inline (vlib_main_t * vm,
 	  from += 1;
 	  to_next += 1;
 	  n_left_from -= 1;
-
 	  n_left_to_next -= 1;
 
 	  b0 = vlib_get_buffer (vm, bi0);
 	  d0 = vlib_buffer_get_current (b0);
 	  u0 = (udp_header_t *) ((u8 *) d0 - sizeof (*u0));
+
+	  if (PREDICT_FALSE (dm->is_enabled == 0))
+	    {
+	      next0 = DNS46_REQUEST_NEXT_PUNT;
+	      goto done0;
+	    }
+
 	  if (is_ip6)
 	    {
-	      ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip4_header_t));
+	      ip60 = (ip6_header_t *) (((u8 *) u0) - sizeof (ip6_header_t));
+	      next0 = DNS46_REQUEST_NEXT_DROP;
 	      error0 = DNS46_REQUEST_ERROR_UNIMPLEMENTED;
 	      goto done0;
 	    }
@@ -187,11 +195,13 @@ dns46_request_inline (vlib_main_t * vm,
 	  /* Requests only */
 	  if (flags0 & DNS_QR)
 	    {
+	      next0 = DNS46_REQUEST_NEXT_DROP;
 	      error0 = DNS46_REQUEST_ERROR_BAD_REQUEST;
 	      goto done0;
 	    }
 	  if (clib_net_to_host_u16 (d0->qdcount) != 1)
 	    {
+	      next0 = DNS46_REQUEST_NEXT_DROP;
 	      error0 = DNS46_REQUEST_ERROR_TOO_MANY_REQUESTS;
 	      goto done0;
 	    }
@@ -286,6 +296,7 @@ VLIB_REGISTER_NODE (dns4_request_node) =
   .n_next_nodes = DNS46_REQUEST_N_NEXT,
   .next_nodes = {
     [DNS46_REQUEST_NEXT_DROP] = "error-drop",
+    [DNS46_REQUEST_NEXT_PUNT] = "error-punt",
     [DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip4-lookup",
   },
 };
@@ -312,6 +323,7 @@ VLIB_REGISTER_NODE (dns6_request_node) =
   .n_next_nodes = DNS46_REQUEST_N_NEXT,
   .next_nodes = {
     [DNS46_REQUEST_NEXT_DROP] = "error-drop",
+    [DNS46_REQUEST_NEXT_PUNT] = "error-punt",
     [DNS46_REQUEST_NEXT_IP_LOOKUP] = "ip6-lookup",
   },
 };
author	Dave Barach <dave@barachs.net>	2017-11-15 13:28:15 -0500
committer	Dave Barach <dave@barachs.net>	2017-11-15 13:28:43 -0500
commit	b8a0d2cf9ff8796123b3c167c051f78ab03cc4cf (patch)
tree	69226e5206458c9c12e83fae1abd4bd34e0d04ff /src/vnet/dns
parent	5665a22f81dd48c6d211a9a2be83d174c62d73cf (diff)