--- /dev/null
+From a799ca0c6314ad73a97bc6c89382d2712a9c0b0e Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Thu, 18 Oct 2018 19:35:29 +0100
+Subject: [PATCH 01/11] Impove cache behaviour for TCP connections.
+
+For ease of implementaion, dnsmasq has always forked a new process to
+handle each incoming TCP connection. A side-effect of this is that any
+DNS queries answered from TCP connections are not cached: when TCP
+connections were rare, this was not a problem. With the coming of
+DNSSEC, it's now the case that some DNSSEC queries have answers which
+spill to TCP, and if, for instance, this applies to the keys for the
+root then those never get cached, and performance is very bad. This
+fix passes cache entries back from the TCP child process to the main
+server process, and fixes the problem.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 14 ++++
+ src/blockdata.c | 37 ++++++++-
+ src/cache.c | 196 ++++++++++++++++++++++++++++++++++++++++++++++--
+ src/dnsmasq.c | 58 ++++++++++++--
+ src/dnsmasq.h | 5 ++
+ 5 files changed, 291 insertions(+), 19 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,17 @@
++version 2.81
++ Impove cache behaviour for TCP connections. For ease of
++ implementaion, dnsmasq has always forked a new process to handle
++ each incoming TCP connection. A side-effect of this is that
++ any DNS queries answered from TCP connections are not cached:
++ when TCP connections were rare, this was not a problem.
++ With the coming of DNSSEC, it's now the case that some
++ DNSSEC queries have answers which spill to TCP, and if,
++ for instance, this applies to the keys for the root then
++ those never get cached, and performance is very bad.
++ This fix passes cache entries back from the TCP child process to
++ the main server process, and fixes the problem.
++
++
+ version 2.80
+ Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
+ for the initial patch and motivation.
+--- a/src/blockdata.c
++++ b/src/blockdata.c
+@@ -61,7 +61,7 @@ void blockdata_report(void)
+ blockdata_alloced * sizeof(struct blockdata));
+ }
+
+-struct blockdata *blockdata_alloc(char *data, size_t len)
++static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
+ {
+ struct blockdata *block, *ret = NULL;
+ struct blockdata **prev = &ret;
+@@ -89,8 +89,17 @@ struct blockdata *blockdata_alloc(char *
+ blockdata_hwm = blockdata_count;
+
+ blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+- memcpy(block->key, data, blen);
+- data += blen;
++ if (data)
++ {
++ memcpy(block->key, data, blen);
++ data += blen;
++ }
++ else if (!read_write(fd, block->key, blen, 1))
++ {
++ /* failed read free partial chain */
++ blockdata_free(ret);
++ return NULL;
++ }
+ len -= blen;
+ *prev = block;
+ prev = &block->next;
+@@ -100,6 +109,10 @@ struct blockdata *blockdata_alloc(char *
+ return ret;
+ }
+
++struct blockdata *blockdata_alloc(char *data, size_t len)
++{
++ return blockdata_alloc_real(0, data, len);
++}
+
+ void blockdata_free(struct blockdata *blocks)
+ {
+@@ -148,5 +161,21 @@ void *blockdata_retrieve(struct blockdat
+
+ return data;
+ }
+-
++
++
++void blockdata_write(struct blockdata *block, size_t len, int fd)
++{
++ for (; len > 0 && block; block = block->next)
++ {
++ size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
++ read_write(fd, block->key, blen, 0);
++ len -= blen;
++ }
++}
++
++struct blockdata *blockdata_read(int fd, size_t len)
++{
++ return blockdata_alloc_real(fd, NULL, len);
++}
++
+ #endif
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -26,6 +26,8 @@ static union bigname *big_free = NULL;
+ static int bignames_left, hash_size;
+
+ static void make_non_terminals(struct crec *source);
++static struct crec *really_insert(char *name, struct all_addr *addr,
++ time_t now, unsigned long ttl, unsigned short flags);
+
+ /* type->string mapping: this is also used by the name-hash function as a mixing table. */
+ static const struct {
+@@ -464,16 +466,10 @@ void cache_start_insert(void)
+ new_chain = NULL;
+ insert_error = 0;
+ }
+-
++
+ struct crec *cache_insert(char *name, struct all_addr *addr,
+ time_t now, unsigned long ttl, unsigned short flags)
+ {
+- struct crec *new, *target_crec = NULL;
+- union bigname *big_name = NULL;
+- int freed_all = flags & F_REVERSE;
+- int free_avail = 0;
+- unsigned int target_uid;
+-
+ /* Don't log DNSSEC records here, done elsewhere */
+ if (flags & (F_IPV4 | F_IPV6 | F_CNAME))
+ {
+@@ -484,7 +480,20 @@ struct crec *cache_insert(char *name, st
+ if (daemon->min_cache_ttl != 0 && daemon->min_cache_ttl > ttl)
+ ttl = daemon->min_cache_ttl;
+ }
++
++ return really_insert(name, addr, now, ttl, flags);
++}
+
++
++static struct crec *really_insert(char *name, struct all_addr *addr,
++ time_t now, unsigned long ttl, unsigned short flags)
++{
++ struct crec *new, *target_crec = NULL;
++ union bigname *big_name = NULL;
++ int freed_all = flags & F_REVERSE;
++ int free_avail = 0;
++ unsigned int target_uid;
++
+ /* if previous insertion failed give up now. */
+ if (insert_error)
+ return NULL;
+@@ -645,12 +654,185 @@ void cache_end_insert(void)
+ cache_hash(new_chain);
+ cache_link(new_chain);
+ daemon->metrics[METRIC_DNS_CACHE_INSERTED]++;
++
++ /* If we're a child process, send this cache entry up the pipe to the master.
++ The marshalling process is rather nasty. */
++ if (daemon->pipe_to_parent != -1)
++ {
++ char *name = cache_get_name(new_chain);
++ ssize_t m = strlen(name);
++ unsigned short flags = new_chain->flags;
++#ifdef HAVE_DNSSEC
++ u16 class = new_chain->uid;
++#endif
++
++ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)name, m, 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&flags, sizeof(flags), 0);
++
++ if (flags & (F_IPV4 | F_IPV6))
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
++#ifdef HAVE_DNSSEC
++ else if (flags & F_DNSKEY)
++ {
++ read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.algo, sizeof(new_chain->addr.key.algo), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.keytag, sizeof(new_chain->addr.key.keytag), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.flags, sizeof(new_chain->addr.key.flags), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.key.keylen, sizeof(new_chain->addr.key.keylen), 0);
++ blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
++ }
++ else if (flags & F_DS)
++ {
++ read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
++ /* A negative DS entry is possible and has no data, obviously. */
++ if (!(flags & F_NEG))
++ {
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.algo, sizeof(new_chain->addr.ds.algo), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.keytag, sizeof(new_chain->addr.ds.keytag), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.digest, sizeof(new_chain->addr.ds.digest), 0);
++ read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr.ds.keylen, sizeof(new_chain->addr.ds.keylen), 0);
++ blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
++ }
++ }
++#endif
++
++ }
+ }
++
+ new_chain = tmp;
+ }
++
++ /* signal end of cache insert in master process */
++ if (daemon->pipe_to_parent != -1)
++ {
++ ssize_t m = -1;
++ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
++ }
++
+ new_chain = NULL;
+ }
+
++
++/* A marshalled cache entry arrives on fd, read, unmarshall and insert into cache of master process. */
++int cache_recv_insert(time_t now, int fd)
++{
++ ssize_t m;
++ struct all_addr addr;
++ unsigned long ttl;
++ time_t ttd;
++ unsigned short flags;
++ struct crec *crecp = NULL;
++
++ cache_start_insert();
++
++ while(1)
++ {
++
++ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
++ return 0;
++
++ if (m == -1)
++ {
++ cache_end_insert();
++ return 1;
++ }
++
++ if (!read_write(fd, (unsigned char *)daemon->namebuff, m, 1) ||
++ !read_write(fd, (unsigned char *)&ttd, sizeof(ttd), 1) ||
++ !read_write(fd, (unsigned char *)&flags, sizeof(flags), 1))
++ return 0;
++
++ daemon->namebuff[m] = 0;
++
++ ttl = difftime(ttd, now);
++
++ if (flags & (F_IPV4 | F_IPV6))
++ {
++ if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
++ return 0;
++ crecp = really_insert(daemon->namebuff, &addr, now, ttl, flags);
++ }
++ else if (flags & F_CNAME)
++ {
++ struct crec *newc = really_insert(daemon->namebuff, NULL, now, ttl, flags);
++ /* This relies on the fact the the target of a CNAME immediately preceeds
++ it because of the order of extraction in extract_addresses, and
++ the order reversal on the new_chain. */
++ if (newc)
++ {
++ if (!crecp)
++ {
++ newc->addr.cname.target.cache = NULL;
++ /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
++ newc->addr.cname.uid = 1;
++ }
++ else
++ {
++ next_uid(crecp);
++ newc->addr.cname.target.cache = crecp;
++ newc->addr.cname.uid = crecp->uid;
++ }
++ }
++ }
++#ifdef HAVE_DNSSEC
++ else if (flags & (F_DNSKEY | F_DS))
++ {
++ unsigned short class, keylen, keyflags, keytag;
++ unsigned char algo, digest;
++ struct blockdata *keydata;
++
++ if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1))
++ return 0;
++ /* Cache needs to known class for DNSSEC stuff */
++ addr.addr.dnssec.class = class;
++
++ crecp = really_insert(daemon->namebuff, &addr, now, ttl, flags);
++
++ if (flags & F_DNSKEY)
++ {
++ if (!read_write(fd, (unsigned char *)&algo, sizeof(algo), 1) ||
++ !read_write(fd, (unsigned char *)&keytag, sizeof(keytag), 1) ||
++ !read_write(fd, (unsigned char *)&keyflags, sizeof(keyflags), 1) ||
++ !read_write(fd, (unsigned char *)&keylen, sizeof(keylen), 1) ||
++ !(keydata = blockdata_read(fd, keylen)))
++ return 0;
++ }
++ else if (!(flags & F_NEG))
++ {
++ if (!read_write(fd, (unsigned char *)&algo, sizeof(algo), 1) ||
++ !read_write(fd, (unsigned char *)&keytag, sizeof(keytag), 1) ||
++ !read_write(fd, (unsigned char *)&digest, sizeof(digest), 1) ||
++ !read_write(fd, (unsigned char *)&keylen, sizeof(keylen), 1) ||
++ !(keydata = blockdata_read(fd, keylen)))
++ return 0;
++ }
++
++ if (crecp)
++ {
++ if (flags & F_DNSKEY)
++ {
++ crecp->addr.key.algo = algo;
++ crecp->addr.key.keytag = keytag;
++ crecp->addr.key.flags = flags;
++ crecp->addr.key.keylen = keylen;
++ crecp->addr.key.keydata = keydata;
++ }
++ else if (!(flags & F_NEG))
++ {
++ crecp->addr.ds.algo = algo;
++ crecp->addr.ds.keytag = keytag;
++ crecp->addr.ds.digest = digest;
++ crecp->addr.ds.keylen = keylen;
++ crecp->addr.ds.keydata = keydata;
++ }
++ }
++ }
++#endif
++ }
++}
++
+ int cache_find_non_terminal(char *name, time_t now)
+ {
+ struct crec *crecp;
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -930,6 +930,10 @@ int main (int argc, char **argv)
+ check_servers();
+
+ pid = getpid();
++
++ daemon->pipe_to_parent = -1;
++ for (i = 0; i < MAX_PROCS; i++)
++ daemon->tcp_pipes[i] = -1;
+
+ #ifdef HAVE_INOTIFY
+ /* Using inotify, have to select a resolv file at startup */
+@@ -1611,7 +1615,7 @@ static int set_dns_listeners(time_t now)
+ we don't need to explicitly arrange to wake up here */
+ if (listener->tcpfd != -1)
+ for (i = 0; i < MAX_PROCS; i++)
+- if (daemon->tcp_pids[i] == 0)
++ if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
+ {
+ poll_listen(listener->tcpfd, POLLIN);
+ break;
+@@ -1624,6 +1628,13 @@ static int set_dns_listeners(time_t now)
+
+ }
+
++#ifndef NO_FORK
++ if (!option_bool(OPT_DEBUG))
++ for (i = 0; i < MAX_PROCS; i++)
++ if (daemon->tcp_pipes[i] != -1)
++ poll_listen(daemon->tcp_pipes[i], POLLIN);
++#endif
++
+ return wait;
+ }
+
+@@ -1632,7 +1643,10 @@ static void check_dns_listeners(time_t n
+ struct serverfd *serverfdp;
+ struct listener *listener;
+ int i;
+-
++#ifndef NO_FORK
++ int pipefd[2];
++#endif
++
+ for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
+ if (poll_check(serverfdp->fd, POLLIN))
+ reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
+@@ -1642,7 +1656,26 @@ static void check_dns_listeners(time_t n
+ if (daemon->randomsocks[i].refcount != 0 &&
+ poll_check(daemon->randomsocks[i].fd, POLLIN))
+ reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
+-
++
++#ifndef NO_FORK
++ /* Races. The child process can die before we read all of the data from the
++ pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the
++ process, and tcp_pipes to -1 and close the FD when we read the last
++ of the data - indicated by cache_recv_insert returning zero.
++ The order of these events is indeterminate, and both are needed
++ to free the process slot. Once the child process has gone, poll()
++ returns POLLHUP, not POLLIN, so have to check for both here. */
++ if (!option_bool(OPT_DEBUG))
++ for (i = 0; i < MAX_PROCS; i++)
++ if (daemon->tcp_pipes[i] != -1 &&
++ poll_check(daemon->tcp_pipes[i], POLLIN | POLLHUP) &&
++ !cache_recv_insert(now, daemon->tcp_pipes[i]))
++ {
++ close(daemon->tcp_pipes[i]);
++ daemon->tcp_pipes[i] = -1;
++ }
++#endif
++
+ for (listener = daemon->listeners; listener; listener = listener->next)
+ {
+ if (listener->fd != -1 && poll_check(listener->fd, POLLIN))
+@@ -1736,15 +1769,20 @@ static void check_dns_listeners(time_t n
+ while (retry_send(close(confd)));
+ }
+ #ifndef NO_FORK
+- else if (!option_bool(OPT_DEBUG) && (p = fork()) != 0)
++ else if (!option_bool(OPT_DEBUG) && pipe(pipefd) == 0 && (p = fork()) != 0)
+ {
+- if (p != -1)
++ close(pipefd[1]); /* parent needs read pipe end. */
++ if (p == -1)
++ close(pipefd[0]);
++ else
+ {
+ int i;
++
+ for (i = 0; i < MAX_PROCS; i++)
+- if (daemon->tcp_pids[i] == 0)
++ if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
+ {
+ daemon->tcp_pids[i] = p;
++ daemon->tcp_pipes[i] = pipefd[0];
+ break;
+ }
+ }
+@@ -1761,7 +1799,7 @@ static void check_dns_listeners(time_t n
+ int flags;
+ struct in_addr netmask;
+ int auth_dns;
+-
++
+ if (iface)
+ {
+ netmask = iface->netmask;
+@@ -1777,7 +1815,11 @@ static void check_dns_listeners(time_t n
+ /* Arrange for SIGALRM after CHILD_LIFETIME seconds to
+ terminate the process. */
+ if (!option_bool(OPT_DEBUG))
+- alarm(CHILD_LIFETIME);
++ {
++ alarm(CHILD_LIFETIME);
++ close(pipefd[0]); /* close read end in child. */
++ daemon->pipe_to_parent = pipefd[1];
++ }
+ #endif
+
+ /* start with no upstream connections. */
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1091,6 +1091,8 @@ extern struct daemon {
+ size_t packet_len; /* " " */
+ struct randfd *rfd_save; /* " " */
+ pid_t tcp_pids[MAX_PROCS];
++ int tcp_pipes[MAX_PROCS];
++ int pipe_to_parent;
+ struct randfd randomsocks[RANDOM_SOCKS];
+ int v6pktinfo;
+ struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */
+@@ -1152,6 +1154,7 @@ struct crec *cache_find_by_name(struct c
+ char *name, time_t now, unsigned int prot);
+ void cache_end_insert(void);
+ void cache_start_insert(void);
++int cache_recv_insert(time_t now, int fd);
+ struct crec *cache_insert(char *name, struct all_addr *addr,
+ time_t now, unsigned long ttl, unsigned short flags);
+ void cache_reload(void);
+@@ -1174,6 +1177,8 @@ void blockdata_init(void);
+ void blockdata_report(void);
+ struct blockdata *blockdata_alloc(char *data, size_t len);
+ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data);
++struct blockdata *blockdata_read(int fd, size_t len);
++void blockdata_write(struct blockdata *block, size_t len, int fd);
+ void blockdata_free(struct blockdata *blocks);
+ #endif
+
projects / openwrt / staging / hauke.git / blobdiff