path: root/src/resolve/resolved-conf.c
Commit log (each entry: commit message, then author, date, files changed and lines -removed/+added)
* resolved: adjust message about credentials (Zbigniew Jędrzejewski-Szmek, 2023-04-25; 1 file, -2/+2)
    "credential provided widget" would be better spelled as "credential-provided widget". But let's adjust the message to name the bad credential explicitly: this makes it easier to fix for the user.
* shared/creds-util: return 0 for missing creds in read_credential_strings_many (Zbigniew Jędrzejewski-Szmek, 2023-04-25; 1 file, -4/+3)
    Realistically, the only thing that the caller can do is ignore failures related to missing credentials. If the caller requires some credentials to be present, they should just check which output variables are not NULL. One of the callers was already doing that, and the other wanted to, but missed -ENOENT. By suppressing -ENOENT and -ENXIO, both callers are simplified.

    Fixes a warning at boot:

    systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory
* conf: replace config_parse_many_nulstr() with config_parse_config_file() (Franck Bui, 2023-03-14; 1 file, -8/+3)
    All daemons use a similar scheme to read their main config files and their drop-ins. The main config files are always stored in the /etc/systemd directory and it's easy enough to construct the name of the drop-in directories based on the name of the main config file. Hence the new helper does that internally, which allows reducing and simplifying the args passed previously to config_parse_many_nulstr().

    Besides the overall code simplification it results in:

    16 files changed, 87 insertions(+), 159 deletions(-)

    it makes it possible to clearly identify the locations in the code where configuration files are parsed.
* resolved: read DNS conf also from creds and kernel cmdline (Lennart Poettering, 2023-01-05; 1 file, -3/+101)
    Note that this drops ProtectProc=invisible from systemd-resolved.service. This is done because otherwise access to the booted "kernel" command line is not necessarily available. That's because in containers we want to read /proc/1/cmdline for that.

    Fixes: #24103
* Rename def.h to constants.h (Zbigniew Jędrzejewski-Szmek, 2022-11-08; 1 file, -1/+1)
    The name "def.h" originates from before the rule of "no needless abbreviations" was established. Let's rename the file to clarify that it contains a collection of various semi-related constants.
* tree-wide: use ASSERT_PTR more (David Tardon, 2022-09-13; 1 file, -10/+5)
* resolved: rename field to indicate that it's a list (Zbigniew Jędrzejewski-Szmek, 2022-07-02; 1 file, -2/+2)
* basic/list: drop LIST_IS_EMPTY (Zbigniew Jędrzejewski-Szmek, 2022-07-02; 1 file, -1/+1)
    This was a trivial wrapper that didn't provide any added value. With more complicated structures like strvs, hashmaps, sets, and arrays, it is possible to have an empty container. But in case of a list, the list is empty only when the head is missing. Also, we generally want the positive condition, so we replace many if (!LIST_IS_EMPTY(x)) with just if (x).
* tree-wide: host_name → hostname (Zbigniew Jędrzejewski-Szmek, 2022-04-11; 1 file, -1/+1)
    We use "hostname" exclusively in docs, and also in a big majority of the code. Let's use the same spelling in remaining places.
* Revert "resolved: filter out our own stub resolvers when parsing servers" (Lennart Poettering, 2022-02-16; 1 file, -15/+13)
    This reverts commit 0ad4efb14beea9148838a0d974821e3b98cafc47.

    See https://github.com/systemd/systemd/pull/20559#issuecomment-1028011030 for reasoning. Quoting:

    > I think it should be OK to advertise extra stub listeners to local
    > clients, but you prohibit this now. i.e. there are two different
    > concepts here, and we shouldn't mix them up:
    >
    > 1. tracking configured dns servers and advertise them to local programs
    > 2. actually using them ourselves
    >
    > I am pretty sure that our own stubs are OK for 1 but not OK for 2,
    > hence we should filter at the time of use not at the time of parse.
* resolved: filter out our own stub resolvers when parsing servers (Zbigniew Jędrzejewski-Szmek, 2021-12-15; 1 file, -13/+15)
    We get "upstream" dns server config from ~three places: /etc/resolv.conf, config files, and runtime config via dbus. With this commit, we'll filter out our own stub listeners if they are configured in either of the first two sources. For /etc/resolv.conf this is done quietly, and for our own config files, a LOG_INFO message is emitted, since this is a small inconsistency in the config.

    Setting loops like this over dbus is still allowed. The reason is that in the past we didn't treat this as an error, and if we were to start responding with an error, we could break a scenario that worked previously. E.g. NM sends us a list of servers, and one happens to be our own. We would just not use that stub server before, but it'd still be shown in the dbus properties and such. We would have to return error for the whole message, also rejecting the other valid servers. I think it's easier to just keep that part unchanged.

    Test case:

    $ ls -l /etc/resolv.conf
    -rw-r--r-- 1 root root 57 Dec 15 10:26 /etc/resolv.conf
    $ cat /etc/resolv.conf
    nameserver 192.168.150.1
    options edns0 trust-ad
    search .
    $ cat /etc/systemd/resolved.conf.d/stub.conf
    [Resolve]
    DNSStubListenerExtra=192.168.150.1
    $ resolvectl
    ...
    Global
          resolv.conf mode: foreign
               DNS Servers: 192.168.150.1
      Fallback DNS Servers: ...

    (with the patch):

    Global
          resolv.conf mode: foreign
      Fallback DNS Servers: ...
* resolved: return immediately if we already know what to return (Zbigniew Jędrzejewski-Szmek, 2021-12-15; 1 file, -10/+2)
* port string_hashsum from libgcrypt to openssl^gcrypt (Zbigniew Jędrzejewski-Szmek, 2021-12-01; 1 file, -3/+3)
    This allows resolved and importd to be built without libgcrypt. Note that we now say either 'cryptographic library' or 'cryptolib'.

    Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
* resolved: add "proxy-only" stub on 127.0.0.54 (Lennart Poettering, 2021-11-22; 1 file, -1/+1)
    This beefs up the DNS stub logic to listen on two IP addresses: 127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contacted our stub will operate in "bypass" mode only, i.e. we'll try to pass DNS requests as unmodified upstream as we can (and not do mDNS/LLMNR and such, also no DNSSEC validation – but we'll still do DNS-over-TLS wrapping).

    This is supposed to be useful for container environments or tethering: this stub could be exposed (via NAT redirect) to clients of this system and we'll try to stay out of the way with doing too much DNS magic ourselves, but still expose whatever the current DNS server is from upstream under a stable address/port.

    How to use this:

    # iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
    # echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
* Drop the text argument from assert_not_reached() (Zbigniew Jędrzejewski-Szmek, 2021-08-03; 1 file, -1/+1)
    In general we almost never hit those asserts in production code, so users see them very rarely, if ever. But either way, we just need something that users can pass to the developers.

    We have quite a few of those asserts, and some have fairly nice messages, but many are like "WTF?" or "???" or "unexpected something". The error that is printed includes the file location, and function name. In almost all functions there's at most one assert, so the function name alone is enough to identify the failure for a developer. So we don't get much extra from the message, and we might just as well drop them. Dropping them makes our code a tiny bit smaller, and most importantly, improves development experience by making it easy to insert such an assert in the code without thinking how to phrase the argument.
* tree-wide: make specifier expansion --root= aware (Lennart Poettering, 2021-06-24; 1 file, -1/+1)
    This fixes repart's, systemctl's, sysusers' and tmpfiles' specifier expansion to honour the root dir specified with --root=. This is relevant for specifiers such as %m, %o, … which are directly sourced from files on disk.

    This doesn't try to be overly smart: specifiers referring to runtime concepts (i.e. boot ID, architecture, hostname) rather than files on the medium are left as is. There's certainly a point to be made that they should fail in case --root= is specified, but I am not entirely convinced about that, and it's certainly something we can look into later if there's reason to.

    I wondered for a while how to hook this up best, but given that quite a large number of specifiers resolve to data from files on disks, and most of our tools need this, I ultimately decided to make the root dir a first class parameter to specifier_printf().

    Replaces: #16187
    Fixes: #16183
* tree-wide: refuse too long strings earlier in specifier_printf() (Yu Watanabe, 2021-05-12; 1 file, -1/+1)
    We usually call specifier_printf() and then check the validity of the result. In many cases, validity checkers, e.g. path_is_valid(), refuse too long strings. This makes specifier_printf() refuse such long results earlier.

    Moreover, unit_full_string() and the description field in sysuser now refuse results longer than LONG_LINE_MAX. config_parse() already refuses lines longer than LONG_LINE_MAX. Hence, it should be ok to set the same value as the maximum length of the resolved string.
* basic/extract-word: rename flag (Zbigniew Jędrzejewski-Szmek, 2021-03-11; 1 file, -1/+1)
    The flag enables "relaxed mode" for all kinds of unescaping, not just c-unescaping.
* tree-wide: sort specifiers and move common comments to specifier.h (Yu Watanabe, 2020-11-25; 1 file, -4/+4)
* resolve: ignore invalid service template name (Yu Watanabe, 2020-11-18; 1 file, -10/+11)
    Let's first test the template name, and then assign it.
* resolve: make config_parse_dnssd_service_name() accept an empty string (Yu Watanabe, 2020-11-18; 1 file, -2/+2)
* resolve: add a short comment about difference between dnssd_render_instance_name() and config_parse_dnssd_service_name() (Yu Watanabe, 2020-11-18; 1 file, -1/+1)
* resolve: wrap long line (Yu Watanabe, 2020-11-18; 1 file, -1/+12)
* Revert "resolve: check DNSSD service name template before assigning it" (Roman Beranek, 2020-11-18; 1 file, -23/+25)
    This reverts commit 34136e1503cf60852051adbd8b9a002d6282b750.

    Having the "%H" host name specifier in a DNSSD service name template triggers a failed assertion during name template instantiation as specifier_dnssd_host_name expects DnssdService in its userdata pointer but finds NULL instead.
* license: LGPL-2.1+ -> LGPL-2.1-or-later (Yu Watanabe, 2020-11-09; 1 file, -1/+1)
* Merge pull request #16947 from keszybz/socket-parsing-rework (Lennart Poettering, 2020-09-10; 1 file, -10/+3)
    Socket parsing rework
* resolved: drop duplicated check (Zbigniew Jędrzejewski-Szmek, 2020-09-10; 1 file, -9/+2)
    The same conditional appears a few lines down.
* Get rid of in_addr_port_from_string_auto() again (Zbigniew Jędrzejewski-Szmek, 2020-09-10; 1 file, -1/+1)
    With the commit "shared/socket-netlink: only allow ifindex if explicitly supported" this helper is not necessary anymore.
* resolve: downgrade error level when the error will be ignored (Yu Watanabe, 2020-09-10; 1 file, -19/+45)
* resolve: check DNSSD service name template before assigning it (Yu Watanabe, 2020-09-10; 1 file, -25/+23)
* resolved: don't store udp/tcp fd in DnsPacket object (Lennart Poettering, 2020-09-08; 1 file, -1/+1)
    DnsPacket should better be a "dead" object, i.e. list facts, not track resources. By including an fd in its fields it started tracking resources however, without actually taking a ref to the fd (i.e. no dup() or so was called on it).

    Let's hence rework things so that we don't have to keep track of the fd a packet came in from. Instead, pass around the DnsStubListenerExtra object wherever we need to.

    This should be useful as soon as we start caching whole DnsPacket objects to allow replying to DNSSEC/CO packets, i.e. where we have to keep a copy of the original DnsPacket around for a long time in cache, potentially much longer than the fds the packet was received on.
* resolved: move dns stub definitions to resolved-dns-stub.[ch] (Lennart Poettering, 2020-09-08; 1 file, -45/+0)
    Just some moving around, no logic changes.
* resolve: DNSStubListenerExtra → DnsStubListenerExtra (Lennart Poettering, 2020-09-08; 1 file, -4/+4)
    All our other struct types use the "Dns" spelling, rather than "DNS". Do the same for this struct.
* resolve: introduce dns_stub_listener_extra_free() and set it as a key destructor (Yu Watanabe, 2020-09-04; 1 file, -2/+2)
* resolve: use in_addr_union to store addresses for extra dns stub listeners (Yu Watanabe, 2020-09-04; 1 file, -15/+7)
* resolve: set DNS_STUB_LISTENER_YES if no protocol is specified in DNSStubListenExtra= (Yu Watanabe, 2020-09-04; 1 file, -66/+27)
* resolve: allow configurable bind address (Susant Sahani, 2020-09-03; 1 file, -0/+152)
* resolve: also compare port and SNI in dns_server_find() (Yu Watanabe, 2020-07-21; 1 file, -1/+4)
* resolve: support port specifier in DNS= setting (Yu Watanabe, 2020-07-21; 1 file, -3/+9)
* conf-parser: return mtime in config_parse() and friends (Lennart Poettering, 2020-06-02; 1 file, -5/+8)
    This is a follow-up for 9f83091e3cceb646a66fa9df89de6d9a77c21d86.

    Instead of reading the mtime off the configuration files after reading, let's do so before reading, but with the fd we read the data from. This is not only cleaner (as it allows us to save one stat()), but also has the benefit that we'll detect changes that happen while we read the files.

    This also reworks unit file drop-ins to use the common code for determining drop-in mtime, instead of reading system clock for that.
* shared: move in_addr_ifindex_name_from_string_auto() there (Marc-André Lureau, 2020-05-07; 1 file, -1/+1)
* resolved: Break include cycles (Daan De Meyer, 2020-05-07; 1 file, -0/+3)
* tree-wide: support a bunch of additional specifiers (Lennart Poettering, 2020-04-28; 1 file, -1/+6)
* Implement SNI when using DNS-over-TLS (Guilhem Lettron, 2019-12-04; 1 file, -2/+4)
    Some DNS providers need SNI to identify the client. This can be used by adding #name to a DNS.

    Example:

    [Resolve]
    DNS=192.168.1.1#example.com
* resolved: make two functions static (Zbigniew Jędrzejewski-Szmek, 2019-10-25; 1 file, -2/+2)
* Rename EXTRACT_QUOTES to EXTRACT_UNQUOTE (Zbigniew Jędrzejewski-Szmek, 2019-06-28; 1 file, -2/+2)
    Whenever I see EXTRACT_QUOTES, I'm always confused whether it means to leave the quotes in or to take them out. Let's say "unquote", like we say "cunescape".
* resolved: add strict mode for DNS-over-TLS (Iwan Timmer, 2019-06-19; 1 file, -1/+1)
    Add strict mode for DNS-over-TLS, which will require TLS support from the server.

    Closes #10755
* meson: make DNS-over-TLS support optional (Yu Watanabe, 2018-06-20; 1 file, -2/+2)
    This adds dns-over-tls option to meson. If set to 'false', systemd-resolved is not linked with libgnutls.
* tree-wide: drop copyright headers from frequent contributors (Zbigniew Jędrzejewski-Szmek, 2018-06-20; 1 file, -3/+0)
    Fixes #9320.

    for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
        git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
    done
* tree-wide: beautify remaining copyright statements (Lennart Poettering, 2018-06-14; 1 file, -1/+1)
    Let's unify and beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.