authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2021-12-20 14:16:44 +0100
committerYu Watanabe <watanabe.yu+github@gmail.com>2021-12-20 18:28:52 +0100
commit8ef114c692846b0a801807a087ee65a1c7c6c7c3 (patch)
treeddd24eda454e89989161c2a5be62a092570ceec1 /src/nss-resolve
parentNEWS: add note about path unit's TriggerLimitBurst= and TriggerLimitIntervalSec= (diff)
nss-resolve: expose various source-disablement settings as variables
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2006761: > systemd-resolved always (reverse)-resolves the host's IP addresses and FQDN. > This can be harmful when an application (for instance, a DNS zone manager) is > installed on the same server instance. That application would expect > NXDOMAIN to be returned if the current server's IP does not belong in an > already managed reverse zone. This allows clients of nss-resolve to use the same config options that are available through the dbus api and as command-line options to resolvectl. The man page text is mostly copied directly from c6f20515ab600098b5c2871bae2e9ecab3b41555.
Diffstat (limited to 'src/nss-resolve')
-rw-r--r--src/nss-resolve/nss-resolve.c30
1 files changed, 20 insertions, 10 deletions
diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
index 951d141f35..6b0c762d03 100644
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@@ -198,19 +198,29 @@ static const JsonDispatch address_parameters_dispatch_table[] = {
{}
};
-static uint64_t query_flags(void) {
- uint64_t f = 0;
+static uint64_t query_flag(
+ const char *name,
+ const int value,
+ uint64_t flag) {
int r;
- /* Allow callers to turn off validation, when we resolve via nss-resolve */
-
- r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");
- if (r < 0 && r != -ENXIO)
- log_debug_errno(r, "Failed to parse $SYSTEMD_NSS_RESOLVE_VALIDATE value, ignoring.");
- else if (r == 0)
- f |= SD_RESOLVED_NO_VALIDATE;
+ r = getenv_bool_secure(name);
+ if (r >= 0)
+ return r == value ? flag : 0;
+ if (r != -ENXIO)
+ log_debug_errno(r, "Failed to parse $%s, ignoring.", name);
+ return 0;
+}
- return f;
+static uint64_t query_flags(void) {
+ /* Allow callers to turn off validation, synthetization, caching, etc., when we resolve via
+ * nss-resolve. */
+ return query_flag("SYSTEMD_NSS_RESOLVE_VALIDATE", 0, SD_RESOLVED_NO_VALIDATE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_SYNTHESIZE", 0, SD_RESOLVED_NO_SYNTHESIZE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_CACHE", 0, SD_RESOLVED_NO_CACHE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_ZONE", 0, SD_RESOLVED_NO_ZONE) |
+ query_flag("SYSTEMD_NSS_RESOLVE_TRUST_ANCHOR", 0, SD_RESOLVED_NO_TRUST_ANCHOR) |
+ query_flag("SYSTEMD_NSS_RESOLVE_NETWORK", 0, SD_RESOLVED_NO_NETWORK);
}
enum nss_status _nss_resolve_gethostbyname4_r(
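Review bot: `query_flag()` is added without a comment stating its contract, and the failure behaviour is the security-relevant part: when `getenv_bool_secure()` returns an error the helper returns 0, so an unset or unparsable variable leaves the corresponding feature enabled and a malformed `SYSTEMD_NSS_RESOLVE_VALIDATE` cannot switch DNSSEC validation off. I would put `/* Returns 'flag' if $name parses as a boolean equal to 'value'; returns 0 if it is unset or cannot be parsed, i.e. the default behaviour is kept. */` above the function. The comment in `query_flags()` could also say that these variables are read from the calling process's environment, so whoever controls that environment can request no validation or no trust anchor for that process's lookups; the `_secure` variant presumably ignores them in secure-execution (setuid) contexts, which is worth stating if so. As a style point, every call site passes `0` for `value` and `const` on a by-value `int` parameter adds nothing, so `int value` (or dropping the parameter) would read more simply.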