From 6b17335209639a56f214d011eaed4ebcde8dd276 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Tue, 8 May 2018 18:32:14 +0100 Subject: [PATCH 04/17] Add packet-dump debugging facility. Signed-off-by: Kevin Darbyshire-Bryant --- CHANGELOG | 6 ++ Makefile | 2 +- bld/Android.mk | 3 +- man/dnsmasq.8 | 7 ++ src/config.h | 16 ++++- src/dnsmasq.c | 16 ++++- src/dnsmasq.h | 29 +++++++- src/dump.c | 210 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/forward.c | 37 ++++++++-- src/option.c | 14 ++++ 10 files changed, 329 insertions(+), 11 deletions(-) create mode 100644 src/dump.c --- a/CHANGELOG +++ b/CHANGELOG @@ -17,6 +17,12 @@ version 2.80 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. Thanks to Daniel Miess for help with this. + Add a facilty to store DNS packets sent/recieved in a + pcap-format file for later debugging. The file location + is given by the --dumpfile option, and a bitmap controlling + which packets should be dumped is given by the --dumpmask + option. + version 2.79 Fix parsing of CNAME arguments, which are confused by extra spaces. --- a/Makefile +++ b/Makefile @@ -76,7 +76,7 @@ objs = cache.o rfc1035.o util.o option.o helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ - poll.o rrfilter.o edns0.o arp.o crypto.o + poll.o rrfilter.o edns0.o arp.o crypto.o dump.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h --- a/bld/Android.mk +++ b/bld/Android.mk @@ -10,7 +10,8 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ radv.c slaac.c auth.c ipset.c domain.c \ dnssec.c dnssec-openssl.c blockdata.c tables.c \ - loop.c inotify.c poll.c rrfilter.c edns0.c arp.c crypto.c + loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ + crypto.c dump.c LOCAL_MODULE := dnsmasq --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -647,6 +647,13 @@ V4 mapped IPv6 addresses, which have a r The address range can be of the form , or / in both forms of the option. .TP +.B --dumpfile= +Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. +.TP +.B --dumpmask= +Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask +representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation. +.TP .B --add-mac[=base64|text] Add the MAC address of the requestor to DNS queries which are forwarded upstream. This may be used to DNS filtering by the upstream --- a/src/config.h +++ b/src/config.h @@ -117,6 +117,9 @@ HAVE_AUTH HAVE_DNSSEC include DNSSEC validator. +HAVE_DUMPFILE + include code to dump packets to a libpcap-format file for debugging. + HAVE_LOOP include functionality to probe for and remove DNS forwarding loops. @@ -132,6 +135,7 @@ NO_DHCP6 NO_SCRIPT NO_LARGEFILE NO_AUTH +NO_DUMPFILE NO_INOTIFY these are available to explicitly disable compile time options which would otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or @@ -164,6 +168,7 @@ RESOLVFILE #define HAVE_AUTH #define HAVE_IPSET #define HAVE_LOOP +#define HAVE_DUMPFILE /* Build options which require external libraries. @@ -363,6 +368,10 @@ HAVE_SOCKADDR_SA_LEN #undef HAVE_LOOP #endif +#ifdef NO_DUMPFILE +#undef HAVE_DUMPFILE +#endif + #if defined (HAVE_LINUX_NETWORK) && !defined(NO_INOTIFY) #define HAVE_INOTIFY #endif @@ -451,8 +460,11 @@ static char *compile_opts = #ifndef HAVE_INOTIFY "no-" #endif -"inotify"; - +"inotify " +#ifndef HAVE_DUMPFILE +"no-" +#endif +"dumpfile"; #endif --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -366,7 +366,16 @@ int main (int argc, char **argv) else daemon->inotifyfd = -1; #endif - + + if (daemon->dump_file) +#ifdef HAVE_DUMPFILE + dump_init(); + else + daemon->dumpfd = -1; +#else + die(_("Packet dumps not available: set HAVE_DUMP in src/config.h"), NULL, EC_BADCONF); +#endif + if (option_bool(OPT_DBUS)) #ifdef HAVE_DBUS { @@ -1424,6 +1433,11 @@ static void async_event(int pipe, time_t if (daemon->runfile) unlink(daemon->runfile); + +#ifdef HAVE_DUMPFILE + if (daemon->dumpfd != -1) + close(daemon->dumpfd); +#endif my_syslog(LOG_INFO, _("exiting on receipt of SIGTERM")); flush_log(); --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -119,6 +119,9 @@ typedef unsigned long long u64; #include #include #include +#ifdef HAVE_IPV6 +#include +#endif #include #include #include @@ -598,6 +601,16 @@ struct hostsfile { unsigned int index; /* matches to cache entries for logging */ }; +/* packet-dump flags */ +#define DUMP_QUERY 0x0001 +#define DUMP_REPLY 0x0002 +#define DUMP_UP_QUERY 0x0004 +#define DUMP_UP_REPLY 0x0008 +#define DUMP_SEC_QUERY 0x0010 +#define DUMP_SEC_REPLY 0x0020 +#define DUMP_BOGUS 0x0040 +#define DUMP_SEC_BOGUS 0x0080 + /* DNSSEC status values. */ #define STAT_SECURE 1 @@ -1020,14 +1033,14 @@ extern struct daemon { unsigned int duid_enterprise, duid_config_len; unsigned char *duid_config; char *dbus_name; + char *dump_file; + int dump_mask; unsigned long soa_sn, soa_refresh, soa_retry, soa_expiry; #ifdef OPTION6_PREFIX_CLASS struct prefix_class *prefix_classes; #endif #ifdef HAVE_DNSSEC struct ds_config *ds; - int dnssec_no_time_check; - int back_to_the_future; char *timestamp_file; #endif @@ -1040,6 +1053,8 @@ extern struct daemon { char *workspacename; /* ditto */ char *rr_status; /* flags for individual RRs */ int rr_status_sz; + int dnssec_no_time_check; + int back_to_the_future; #endif unsigned int local_answer, queries_forwarded, auth_answer; struct frec *frec_list; @@ -1094,6 +1109,10 @@ extern struct daemon { char *addrbuff; char *addrbuff2; /* only allocated when OPT_EXTRALOG */ +#ifdef HAVE_DUMPFILE + /* file for packet dumps. */ + int dumpfd; +#endif } *daemon; /* cache.c */ @@ -1588,3 +1607,9 @@ int check_source(struct dns_header *head /* arp.c */ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now); int do_arp_script_run(void); + +/* dump.c */ +#ifdef HAVE_DUMPFILE +void dump_init(void); +void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst); +#endif --- /dev/null +++ b/src/dump.c @@ -0,0 +1,210 @@ +/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or + (at your option) version 3 dated 29 June, 2007. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "dnsmasq.h" + +#ifdef HAVE_DUMPFILE + +static u32 packet_count; + +/* https://wiki.wireshark.org/Development/LibpcapFileFormat */ +struct pcap_hdr_s { + u32 magic_number; /* magic number */ + u16 version_major; /* major version number */ + u16 version_minor; /* minor version number */ + u32 thiszone; /* GMT to local correction */ + u32 sigfigs; /* accuracy of timestamps */ + u32 snaplen; /* max length of captured packets, in octets */ + u32 network; /* data link type */ +}; + +struct pcaprec_hdr_s { + u32 ts_sec; /* timestamp seconds */ + u32 ts_usec; /* timestamp microseconds */ + u32 incl_len; /* number of octets of packet saved in file */ + u32 orig_len; /* actual length of packet */ +}; + + +void dump_init(void) +{ + struct stat buf; + struct pcap_hdr_s header; + struct pcaprec_hdr_s pcap_header; + + packet_count = 0; + + if (stat(daemon->dump_file, &buf) == -1) + { + /* doesn't exist, create and add header */ + header.magic_number = 0xa1b2c3d4; + header.version_major = 2; + header.version_minor = 4; + header.thiszone = 0; + header.sigfigs = 0; + header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */ + header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */ + + if (errno != ENOENT || + (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 || + !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 0)) + die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE); + } + else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 || + !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1) || + header.magic_number != 0xa1b2c3d4) + die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE); + else + { + /* count existing records */ + while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 1)) + { + lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR); + packet_count++; + } + } +} + +void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst) +{ + struct ip ip; +#ifdef HAVE_IPV6 + struct ip6_hdr ip6; + int family; +#endif + struct udphdr { + u16 uh_sport; /* source port */ + u16 uh_dport; /* destination port */ + u16 uh_ulen; /* udp length */ + u16 uh_sum; /* udp checksum */ + } udp; + struct pcaprec_hdr_s pcap_header; + struct timeval time; + u32 i, sum; + void *iphdr; + size_t ipsz; + int rc; + + if (daemon->dumpfd == -1 || !(mask & daemon->dump_mask)) + return; + + /* So wireshark can Id the packet. */ + udp.uh_sport = udp.uh_dport = htons(NAMESERVER_PORT); + +#ifdef HAVE_IPV6 + if (src) + family = src->sa.sa_family; + else + family = dst->sa.sa_family; + + if (family == AF_INET6) + { + iphdr = &ip6; + ipsz = sizeof(ip6); + memset(&ip6, 0, sizeof(ip6)); + + ip6.ip6_vfc = 6 << 4; + ip6.ip6_plen = htons(sizeof(struct udphdr) + len); + ip6.ip6_nxt = IPPROTO_UDP; + ip6.ip6_hops = 64; + + if (src) + { + memcpy(&ip6.ip6_src, &src->in6.sin6_addr, IN6ADDRSZ); + udp.uh_sport = src->in6.sin6_port; + } + + if (dst) + { + memcpy(&ip6.ip6_dst, &dst->in6.sin6_addr, IN6ADDRSZ); + udp.uh_dport = dst->in6.sin6_port; + } + + /* start UDP checksum */ + for (sum = 0, i = 0; i < IN6ADDRSZ; i++) + sum += ((u16 *)&ip6.ip6_src)[i]; + } + else +#endif + { + iphdr = &ip; + ipsz = sizeof(ip); + memset(&ip, 0, sizeof(ip)); + + ip.ip_v = IPVERSION; + ip.ip_hl = sizeof(struct ip) / 4; + ip.ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len); + ip.ip_ttl = IPDEFTTL; + ip.ip_p = IPPROTO_UDP; + + if (src) + { + ip.ip_src = src->in.sin_addr; + udp.uh_sport = src->in.sin_port; + } + + if (dst) + { + ip.ip_dst = dst->in.sin_addr; + udp.uh_dport = dst->in.sin_port; + } + + ip.ip_sum = 0; + for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++) + sum += ((u16 *)&ip)[i]; + while (sum >> 16) + sum = (sum & 0xffff) + (sum >> 16); + ip.ip_sum = (sum == 0xffff) ? sum : ~sum; + + /* start UDP checksum */ + sum = ip.ip_src.s_addr & 0xffff; + sum += (ip.ip_src.s_addr >> 16) & 0xffff; + sum += ip.ip_dst.s_addr & 0xffff; + sum += (ip.ip_dst.s_addr >> 16) & 0xffff; + } + + if (len & 1) + ((unsigned char *)packet)[len] = 0; /* for checksum, in case length is odd. */ + + udp.uh_sum = 0; + udp.uh_ulen = htons(sizeof(struct udphdr) + len); + sum += htons(IPPROTO_UDP); + sum += htons(sizeof(struct udphdr) + len); + for (i = 0; i < sizeof(struct udphdr)/2; i++) + sum += ((u16 *)&udp)[i]; + for (i = 0; i < (len + 1) / 2; i++) + sum += ((u16 *)packet)[i]; + while (sum >> 16) + sum = (sum & 0xffff) + (sum >> 16); + udp.uh_sum = (sum == 0xffff) ? sum : ~sum; + + rc = gettimeofday(&time, NULL); + pcap_header.ts_sec = time.tv_sec; + pcap_header.ts_usec = time.tv_usec; + pcap_header.incl_len = pcap_header.orig_len = ipsz + sizeof(udp) + len; + + if (rc == -1 || + !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 0) || + !read_write(daemon->dumpfd, iphdr, ipsz, 0) || + !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), 0) || + !read_write(daemon->dumpfd, (void *)packet, len, 0)) + my_syslog(LOG_ERR, _("failed to write packet dump")); + else + my_syslog(LOG_INFO, _("dumping UDP packet %u mask 0x%04x"), ++packet_count, mask); + +} + +#endif --- a/src/forward.c +++ b/src/forward.c @@ -508,6 +508,10 @@ static int forward_query(int udpfd, unio if (errno == 0) { +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr); +#endif + /* Keep info in case we want to re-send this packet */ daemon->srv_save = start; daemon->packet_len = plen; @@ -769,7 +773,7 @@ void reply_query(int fd, int family, tim #endif header = (struct dns_header *)daemon->packet; - + if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) return; @@ -796,6 +800,12 @@ void reply_query(int fd, int family, tim if (!(forward = lookup_frec(ntohs(header->id), hash))) return; +#ifdef HAVE_DUMPFILE + dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY, + (void *)header, n, &serveraddr, NULL); +#endif + + /* log_query gets called indirectly all over the place, so pass these in global variables - sorry. */ daemon->log_display_id = forward->log_id; @@ -934,6 +944,11 @@ void reply_query(int fd, int family, tim status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), NULL, NULL); +#ifdef HAVE_DUMPFILE + if (status == STAT_BOGUS) + dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, + header, (size_t)n, &serveraddr, NULL); +#endif } /* Can't validate, as we're missing key data. Put this @@ -1060,6 +1075,11 @@ void reply_query(int fd, int family, tim setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); } #endif + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)nn, NULL, &server->addr); +#endif + while (retry_send(sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)))); @@ -1114,8 +1134,8 @@ void reply_query(int fd, int family, tim bogusanswer = 1; } } -#endif - +#endif + /* restore CD bit to the value in the query */ if (forward->flags & FREC_CHECKING_DISABLED) header->hb4 |= HB4_CD; @@ -1141,6 +1161,11 @@ void reply_query(int fd, int family, tim nn = resize_packet(header, nn, NULL, 0); } #endif + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source); +#endif + send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, &forward->source, &forward->dest, forward->iface); } @@ -1394,7 +1419,11 @@ void receive_query(struct listener *list pass these in global variables - sorry. */ daemon->log_display_id = ++daemon->log_id; daemon->log_source_addr = &source_addr; - + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL); +#endif + if (extract_request(header, (size_t)n, daemon->namebuff, &type)) { #ifdef HAVE_AUTH --- a/src/option.c +++ b/src/option.c @@ -161,6 +161,8 @@ struct myoption { #define LOPT_TFTP_MTU 349 #define LOPT_REPLY_DELAY 350 #define LOPT_RAPID_COMMIT 351 +#define LOPT_DUMPFILE 352 +#define LOPT_DUMPMASK 353 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = @@ -327,6 +329,8 @@ static const struct myoption opts[] = { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL }, { "dhcp-reply-delay", 1, 0, LOPT_REPLY_DELAY }, { "dhcp-rapid-commit", 0, 0, LOPT_RAPID_COMMIT }, + { "dumpfile", 1, 0, LOPT_DUMPFILE }, + { "dumpmask", 1, 0, LOPT_DUMPMASK }, { NULL, 0, 0, 0 } }; @@ -500,6 +504,8 @@ static struct { { LOPT_DHCPTTL, ARG_ONE, "", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL }, { LOPT_REPLY_DELAY, ARG_ONE, "", gettext_noop("Delay DHCP replies for at least number of seconds."), NULL }, { LOPT_RAPID_COMMIT, OPT_RAPID_COMMIT, NULL, gettext_noop("Enables DHCPv4 Rapid Commit option."), NULL }, + { LOPT_DUMPFILE, ARG_ONE, "", gettext_noop("Path to debug packet dump file"), NULL }, + { LOPT_DUMPMASK, ARG_ONE, "", gettext_noop("Mask which packets to dump"), NULL }, { 0, 0, NULL, NULL, NULL } }; @@ -1811,6 +1817,14 @@ static int one_opt(int option, char *arg ret_err(_("bad MX target")); break; + case LOPT_DUMPFILE: /* --dumpfile */ + daemon->dump_file = opt_string_alloc(arg); + break; + + case LOPT_DUMPMASK: /* --dumpmask */ + daemon->dump_mask = strtol(arg, NULL, 0); + break; + #ifdef HAVE_DHCP case 'l': /* --dhcp-leasefile */ daemon->lease_file = opt_string_alloc(arg);