On Sun, Aug 08, 2021 at 12:37:54PM +0200, Florian Obser wrote:
> This implements ignoring of nameservers and / or routes in leases as
> well as completely ignoring servers (you cannot block rogue DHCP servers
> in pf because bpf sees packets before pf).
>
> Various people voiced the need for these features.
> Tests, OKs?
>
> diff --git dhcpleased.c dhcpleased.c
> index 36a4a21c21a..e005d7de9ae 100644
> --- dhcpleased.c
> +++ dhcpleased.c
> @@ -569,6 +569,20 @@ main_dispatch_engine(int fd, short event, void *bula)
> sizeof(imsg_interface.if_index));
> break;
> }
> + case IMSG_WITHDRAW_ROUTES: {
> + struct imsg_configure_interface imsg_interface;
> + if (IMSG_DATA_SIZE(imsg) != sizeof(imsg_interface))
> + fatalx("%s: IMSG_CONFIGURE_INTERFACE wrong "
> + "length: %lu", __func__,
> + IMSG_DATA_SIZE(imsg));
> + memcpy(&imsg_interface, imsg.data,
> + sizeof(imsg_interface));
> + if (imsg_interface.routes_len >= MAX_DHCP_ROUTES)
> + fatalx("%s: too many routes in imsg", __func__);
> + if (imsg_interface.routes_len > 0)
> + configure_routes(RTM_DELETE, &imsg_interface);
> + break;
> + }
> case IMSG_PROPOSE_RDNS: {
> struct imsg_propose_rdns rdns;
> if (IMSG_DATA_SIZE(imsg) != sizeof(rdns))
> diff --git dhcpleased.conf.5 dhcpleased.conf.5
> index 9e6846f899e..b856113bac1 100644
> --- dhcpleased.conf.5
> +++ dhcpleased.conf.5
> @@ -57,6 +57,17 @@ A list of interfaces to overwrite defaults:
> .Ic interface
> options are as follows:
> .Bl -tag -width Ds
> +.It Ic ignore dns
> +Ignore nameservers from leases on this interface.
> +The default is to not ignore nameservers.
> +.It Ic ignore routes
> +Ignore routes from leases on this interface.
> +The default is to not ignore routes.
> +.It Ic ignore Ar server-ip
> +Ignore leases from
> +.Ar server-ip .
> +This option can be listed multiple times.
> +The default is to not ignore servers.
> .It Ic send client id Ar client-id
> Send the dhcp client identifier option with a value of
> .Ar client-id .
> diff --git dhcpleased.h dhcpleased.h
> index 7f6ec87ad19..1d20b77dbd3 100644
> --- dhcpleased.h
> +++ dhcpleased.h
> @@ -151,6 +151,12 @@
> #define DHCPRELEASE 7
> #define DHCPINFORM 8
>
> +/* Ignore parts of DHCP lease */
> +#define IGN_ROUTES 1
> +#define IGN_DNS 2
> +
> +#define MAX_SERVERS 16 /* max servers that can be ignores per
> if */
Typo in comment: ignored (not ignores)
Should there be a mention of a limitation in the man page where
it states the option can be listed multiple times?
--patrick
> +
> #define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE)
> #define DHCP_SNAME_LEN 64
> #define DHCP_FILE_LEN 128
> @@ -216,6 +222,7 @@ enum imsg_type {
> IMSG_DECONFIGURE_INTERFACE,
> IMSG_PROPOSE_RDNS,
> IMSG_WITHDRAW_RDNS,
> + IMSG_WITHDRAW_ROUTES,
> IMSG_REPROPOSE_RDNS,
> IMSG_REQUEST_REBOOT,
> };
> @@ -246,6 +253,9 @@ struct iface_conf {
> int vc_id_len;
> uint8_t *c_id;
> int c_id_len;
> + int ignore;
> + struct in_addr ignore_servers[MAX_SERVERS];
> + int ignore_servers_len;
> };
>
> struct dhcpleased_conf {
> @@ -304,6 +314,8 @@ const char *sin_to_str(struct sockaddr_in *);
>
> /* frontend.c */
> struct iface_conf *find_iface_conf(struct iface_conf_head *, char *);
> +int *changed_ifaces(struct dhcpleased_conf *, struct
> + dhcpleased_conf *);
>
> /* printconf.c */
> void print_config(struct dhcpleased_conf *);
> diff --git engine.c engine.c
> index 076a57e9ba6..67693c358ee 100644
> --- engine.c
> +++ engine.c
> @@ -139,6 +139,7 @@ void
> send_configure_interface(struct dhcpleased_iface *);
> void send_rdns_proposal(struct dhcpleased_iface *);
> void send_deconfigure_interface(struct dhcpleased_iface *);
> void send_rdns_withdraw(struct dhcpleased_iface *);
> +void send_routes_withdraw(struct dhcpleased_iface *);
> void parse_lease(struct dhcpleased_iface *,
> struct imsg_ifinfo *);
> int engine_imsg_compose_main(int, pid_t, void *, uint16_t);
> @@ -506,13 +507,37 @@ engine_dispatch_main(int fd, short event, void *bula)
> IMSG_DATA_SIZE(imsg));
> iface_conf->c_id_len = IMSG_DATA_SIZE(imsg);
> break;
> - case IMSG_RECONF_END:
> + case IMSG_RECONF_END: {
> + struct dhcpleased_iface *iface;
> + int *ifaces;
> + int i, if_index;
> + char *if_name;
> + char ifnamebuf[IF_NAMESIZE];
> +
> if (nconf == NULL)
> fatalx("%s: IMSG_RECONF_END without "
> "IMSG_RECONF_CONF", __func__);
> + ifaces = changed_ifaces(engine_conf, nconf);
> merge_config(engine_conf, nconf);
> nconf = NULL;
> + for (i = 0; ifaces[i] != 0; i++) {
> + if_index = ifaces[i];
> + if_name = if_indextoname(if_index, ifnamebuf);
> + iface = get_dhcpleased_iface_by_id(if_index);
> + if (if_name == NULL || iface == NULL)
> + continue;
> + iface_conf = find_iface_conf(
> + &engine_conf->iface_list, if_name);
> + if (iface_conf == NULL)
> + continue;
> + if (iface_conf->ignore & IGN_DNS)
> + send_rdns_withdraw(iface);
> + if (iface_conf->ignore & IGN_ROUTES)
> + send_routes_withdraw(iface);
> + }
> + free(ifaces);
> break;
> + }
> #endif /* SMALL */
> default:
> log_debug("%s: unexpected imsg %d", __func__,
> @@ -760,6 +785,18 @@ parse_dhcp(struct dhcpleased_iface *iface, struct
> imsg_dhcp *dhcp)
> if (inet_ntop(AF_INET, &ip->ip_dst, hbuf_dst, sizeof(hbuf_dst)) == NULL)
> hbuf_dst[0] = '\0';
>
> +#ifndef SMALL
> + if (iface_conf != NULL) {
> + for (i = 0; (int)i < iface_conf->ignore_servers_len; i++) {
> + if (iface_conf->ignore_servers[i].s_addr ==
> + ip->ip_src.s_addr) {
> + log_debug("ignoring server %s", hbuf_src);
> + return;
> + }
> + }
> + }
> +#endif /* SMALL */
> +
> if (rem < sizeof(*udp))
> goto too_short;
>
> @@ -1203,13 +1240,30 @@ parse_dhcp(struct dhcpleased_iface *iface, struct
> imsg_dhcp *dhcp)
> iface->server_identifier.s_addr = server_identifier.s_addr;
> iface->requested_ip.s_addr = dhcp_hdr->yiaddr.s_addr;
> iface->mask.s_addr = subnet_mask.s_addr;
> - iface->routes_len = routes_len;
> - memcpy(iface->routes, routes, sizeof(iface->routes));
> +#ifndef SMALL
> + if (iface_conf != NULL && iface_conf->ignore & IGN_ROUTES) {
> + iface->routes_len = 0;
> + memset(iface->routes, 0, sizeof(iface->routes));
> + } else
> +#endif /* SMALL */
> + {
> + iface->routes_len = routes_len;
> + memcpy(iface->routes, routes, sizeof(iface->routes));
> + }
> iface->lease_time = lease_time;
> iface->renewal_time = renewal_time;
> iface->rebinding_time = rebinding_time;
> - memcpy(iface->nameservers, nameservers,
> - sizeof(iface->nameservers));
> +
> +#ifndef SMALL
> + if (iface_conf != NULL && iface_conf->ignore & IGN_DNS) {
> + memset(iface->nameservers, 0,
> + sizeof(iface->nameservers));
> + } else
> +#endif /* SMALL */
> + {
> + memcpy(iface->nameservers, nameservers,
> + sizeof(iface->nameservers));
> + }
>
> iface->siaddr.s_addr = dhcp_hdr->siaddr.s_addr;
>
> @@ -1520,6 +1574,28 @@ send_deconfigure_interface(struct dhcpleased_iface
> *iface)
> memset(iface->routes, 0, sizeof(iface->routes));
> }
>
> +void
> +send_routes_withdraw(struct dhcpleased_iface *iface)
> +{
> + struct imsg_configure_interface imsg;
> +
> + if (iface->requested_ip.s_addr == INADDR_ANY || iface->routes_len == 0)
> + return;
> +
> + imsg.if_index = iface->if_index;
> + imsg.rdomain = iface->rdomain;
> + imsg.addr.s_addr = iface->requested_ip.s_addr;
> + imsg.mask.s_addr = iface->mask.s_addr;
> + imsg.siaddr.s_addr = iface->siaddr.s_addr;
> + strlcpy(imsg.file, iface->file, sizeof(imsg.file));
> + strlcpy(imsg.domainname, iface->domainname, sizeof(imsg.domainname));
> + strlcpy(imsg.hostname, iface->hostname, sizeof(imsg.hostname));
> + imsg.routes_len = iface->routes_len;
> + memcpy(imsg.routes, iface->routes, sizeof(imsg.routes));
> + engine_imsg_compose_main(IMSG_WITHDRAW_ROUTES, 0, &imsg,
> + sizeof(imsg));
> +}
> +
> void
> log_rdns(struct dhcpleased_iface *iface, int withdraw)
> {
> diff --git frontend.c frontend.c
> index 6e17b9c6c62..e52cfae0b25 100644
> --- frontend.c
> +++ frontend.c
> @@ -96,8 +96,6 @@ void send_discover(struct iface *);
> void send_request(struct iface *);
> void bpf_send_packet(struct iface *, uint8_t *, ssize_t);
> void udp_send_packet(struct iface *, uint8_t *, ssize_t);
> -int *changed_ifaces(struct dhcpleased_conf *, struct
> - dhcpleased_conf *);
> int iface_conf_cmp(struct iface_conf *, struct iface_conf *);
>
> LIST_HEAD(, iface) interfaces;
> @@ -1215,6 +1213,13 @@ iface_conf_cmp(struct iface_conf *a, struct iface_conf
> *b)
> return 1;
> if (memcmp(a->c_id, b->c_id, a->c_id_len) != 0)
> return 1;
> + if (a->ignore != b->ignore)
> + return 1;
> + if (a->ignore_servers_len != b->ignore_servers_len)
> + return 1;
> + if (memcmp(a->ignore_servers, b->ignore_servers,
> + a->ignore_servers_len * sizeof (struct in_addr)) != 0)
> + return 1;
> return 0;
> }
> #endif /* SMALL */
> diff --git parse.y parse.y
> index 947ed038f95..dc6f16d4400 100644
> --- parse.y
> +++ parse.y
> @@ -108,7 +108,7 @@ typedef struct {
>
> %}
>
> -%token DHCP_IFACE ERROR SEND VENDOR CLASS ID CLIENT
> +%token DHCP_IFACE ERROR SEND VENDOR CLASS ID CLIENT IGNORE DNS ROUTES
>
> %token <v.string> STRING
> %token <v.number> NUMBER
> @@ -275,6 +275,31 @@ ifaceoptsl : SEND VENDOR CLASS ID STRING {
> iface_conf->c_id[0] = DHO_DHCP_CLIENT_IDENTIFIER;
> iface_conf->c_id[1] = iface_conf->c_id_len - 2;
> }
> + | IGNORE ROUTES {
> + iface_conf->ignore |= IGN_ROUTES;
> + }
> + | IGNORE DNS {
> + iface_conf->ignore |= IGN_DNS;
> + }
> + | IGNORE STRING {
> + int res;
> +
> + if (iface_conf->ignore_servers_len >= MAX_SERVERS) {
> + yyerror("too many servers to ignore");
> + free($2);
> + YYERROR;
> + }
> + res = inet_pton(AF_INET, $2,
> + &iface_conf->ignore_servers[
> + iface_conf->ignore_servers_len++]);
> +
> + if (res != 1) {
> + yyerror("Invalid server IP %s", $2);
> + free($2);
> + YYERROR;
> + }
> + free($2);
> + }
> ;
> %%
>
> @@ -312,8 +337,11 @@ lookup(char *s)
> static const struct keywords keywords[] = {
> {"class", CLASS},
> {"client", CLIENT},
> + {"dns", DNS},
> {"id", ID},
> + {"ignore", IGNORE},
> {"interface", DHCP_IFACE},
> + {"routes", ROUTES},
> {"send", SEND},
> {"vendor", VENDOR},
> };
> diff --git printconf.c printconf.c
> index 16b33bbfe40..86eef19baf3 100644
> --- printconf.c
> +++ printconf.c
> @@ -106,11 +106,24 @@ void
> print_config(struct dhcpleased_conf *conf)
> {
> struct iface_conf *iface;
> + int i;
> + char hbuf[INET_ADDRSTRLEN];
>
> SIMPLEQ_FOREACH(iface, &conf->iface_list, entry) {
> printf("interface %s {\n", iface->name);
> print_dhcp_options("\t", iface->c_id, iface->c_id_len);
> print_dhcp_options("\t", iface->vc_id, iface->vc_id_len);
> + if (iface->ignore & IGN_DNS)
> + printf("\tignore dns\n");
> + if (iface->ignore & IGN_ROUTES)
> + printf("\tignore routes\n");
> + for (i = 0; i < iface->ignore_servers_len; i++) {
> + if (inet_ntop(AF_INET, &iface->ignore_servers[i],
> + hbuf, sizeof(hbuf)) == NULL)
> + continue;
> + printf("\tignore %s\n", hbuf);
> +
> + }
> printf("}\n");
> }
> }
>
>
>
> --
> I'm not entirely sure you are real.
>
