670 Commits

Author SHA1 Message Date
Nicholas J. Kain
7572e2eb8b snprintf() truncation checks were one byte too conservative. 2022-02-25 06:18:08 -05:00
Nicholas J. Kain
ba8f674e15 nk/exec: Simplify and remove double null termination.
The current code pads with an extra character that is then rewritten
into a null character.  This isn't necessary with post-C99
implementations of standardized snprintf, so get rid of it.

Also add a note warning that nk_generate_env() and nk_execute()
are not async signal safe and are thus unsuitable for use in
multithreaded processes.

nk_execute() could be rewritten to be async signal safe without much
trouble, as the only problem point is snprintf() which is not guaranteed
to be async signal safe by POSIX.

However, nk_generate_env() performs chroot() if a chroot_path is
specified, and chroot() is not async signal safe in POSIX.
Additionally, malloc() can be called in rare cases where user
information fields are very long, and malloc() is obviously not async
signal safe.  Finally, snprintf() is used here, too, but it could be
replaced.

Converting to posix_spawn() is a no-go because posix_spawn() has no
facility for changing rlimits or chroot on the spawned process.

In summary, I don't think the gains are worth it.  Multithreaded
processes should just not fork().
2022-02-25 04:53:02 -05:00
Nicholas J. Kain
62aef529f4 Use safe_write() in nk/exec.c 2022-02-25 00:05:57 -05:00
Nicholas J. Kain
286b86d62c Preserve errno across signals. 2022-02-24 06:57:49 -05:00
Nicholas J. Kain
a9874d4959 Support running an executable file when a new lease is acquired.
If no 'script-file = SCRIPTFILE' is specified in the configuration
file and if no '-X SCRIPTFILE' or '--script-file SCRIPTFILE'
command argument is provided, then this functionality is entirely
inactive and no associated subprocess is spawned.

Otherwise, ndhc will spawn a subprocess that runs as root that has the
sole job of forking off a subprocess that exec's the specified script in
a sanitized and fixed-state environment whenever a new DHCPv4 lease is
acquired.

Note that this script is provided no information about ndhc or the
DHCP state in the environment or in any argument fields; it is the
responsibility of this script to gather whatever information it needs
from either the filesystem or syscalls.  This design is intended to
avoid the historical problems that are associated with dhcp clients
invoking scripts.

The path of the scriptfile cannot be changed after ndhc is initially
run; ndhc forks off the privsep script subprocess that executes scripts
after it has read the configuration file and command arguments, but
before it begins processing network data; thus, it is impossible for the
network-handling process to modify or influence the script assuming
proper OS memory protection.

The privsep channel communicates that the script should be run by simply
writing a newline; anything else will result in ndhc terminating itself.

Before the recommended way to update system state after a change in
lease information was to run the fcactus program and watch the
associated leasefile for the interface for modification; now no external
program is needed for this job.
2022-02-24 03:58:37 -05:00
Nicholas J. Kain
2fb16567f1 Support s6 service startup notification
This can be enabled via the s6-notify configure option; see
http://www.skarnet.org/software/s6/notifywhenup.html for details.

ndhc will signal that it is ready when the first valid lease is
obtained.  Programs dependent on a working network interface
can then simply use s6-wait on the associated ndhc service dir.

A typical command line option assuming the s6 service directory
notification-fd contains '3' would be '--s6-notify 3', and
a typical configure file option would be 's6-notify 3'.
2022-02-13 05:25:17 -05:00
Nicholas J. Kain
d67e1599df Update the manpage a bit. 2022-02-12 12:57:10 -05:00
Nicholas J. Kain
416bed7eec Minor README update 2022-02-06 21:02:14 -05:00
Nicholas J. Kain
1732bccccc Relicense as MIT.
It's a lot more common than BSD 2-clause it is both compatible
and nearly identical in effect.
2022-02-06 20:05:29 -05:00
Nicholas J. Kain
9fddfbda61 Simplify Makefile 2022-01-23 19:37:40 -05:00
Nicholas J. Kain
6f85b2aaf2 Update Makefile to generate dependency info 2022-01-23 18:42:40 -05:00
Nicholas J. Kain
8db8c5589d Replace CMake with GNU Make.
There was previously support for both build systems, but ndhc is
undemanding and there is no point in maintaining a complex
CMake build.
2022-01-22 18:39:41 -05:00
Nicholas J. Kain
1055c27bcf Update Makefile build flags 2022-01-22 15:49:16 -05:00
Nicholas J. Kain
a71b95ad34 CMake: Update to latest policies 2022-01-21 19:01:37 -05:00
Nicholas J. Kain
6ec0a5c731 Replace mostly obsolete -[static 1] with reliable old *-.
This notation originally had the sole advantage of implying
that the pointer was non-NULL, but it has seen little use and
now clang presents warnings about it in certain contexts.
2022-01-11 22:35:19 -05:00
Nicholas J. Kain
6047f04a12 Guard against carrier being spuriously set down.
Corrects a possible regression introduced by the previous patch.
2022-01-11 22:16:44 -05:00
Nicholas J. Kain
f3766990f9 Speed up interface carrier checking.
This is done by performing one synchronous query for carrier state at
the start of the program; after that, we just monitor the nlsocket for
carrier state changes and update the cached state accordingly.

The benefit is that ifchd needs to do a lot less work and this should
reduce the CPU cycle consumption; prior to this commit, the CPU time
ends up being a few CPU-minutes per month.
2021-04-25 05:55:01 -04:00
Nicholas J. Kain
ad1546ecb0 ifchd: Minor corrections in informative prints 2021-04-25 05:45:21 -04:00
Nicholas J. Kain
d61902cad4 ifchd: Better handle incomplete command buffers.
Before the handling would constantly acculmulate a prefix of previous
incomplete commands.  Now it still has a latent defect where the entire
buffer will be discarded given a spurious command, but ndhc shouldn't
generate such commands so it shouldn't matter.
2021-04-25 05:45:21 -04:00
Nicholas J. Kain
eb463ab086 poll() revents bits are reset by poll() 2021-04-25 05:45:21 -04:00
Nicholas J. Kain
c8eb238f31 ifchd-parse: Simplify leftover-buffer copying. 2021-04-24 20:50:08 -04:00
Nicholas J. Kain
b8bffa16c5 Build without -fno-strict-overflow.
I only built with this flag to mitigate accidental UB.  Now that
UBSan exists, there's no point as UBSan does better and actually
allows offending code to be located and fixed easily.
2020-11-25 04:44:26 -05:00
Nicholas J. Kain
28e1b34bac Simplify logging and fix some format specifiers. 2020-11-24 21:02:51 -05:00
Nicholas J. Kain
2e3c504cc5 Add and use safe_ftruncate() wrapper. 2020-11-06 18:47:51 -05:00
Nicholas J. Kain
a91b1d34ac Check and clear events from poll() even if interrupted by signal. 2020-11-06 18:32:38 -05:00
Nicholas J. Kain
1e60b4b8e7 Optimize internet checksum to use 32-bit fetches.
It's actually not very hard to do everything with 32-bit fetches
and 32-bit registers, aside from the necessary bit fetches for
tails.
2020-11-01 01:06:58 -04:00
Nicholas J. Kain
ff8b910222 Rename net_checksum161c to net_checksum16.
How many characters are summed at a time is an irrelevant
implementation detail.
2020-10-27 14:45:15 -04:00
Nicholas J. Kain
918555219b Make fingerprinting more robust with rapid carrier state changes.
The existing code tracked the fingerprinting completion state with
a bool, which is insufficient; what is required is a tristate
(none|inprogress|done) where the inprogress state reverts to
none on carrier down, but done state stays done on carrier down.
2020-10-27 14:14:18 -04:00
Nicholas J. Kain
d07469a5fa Optimize internet checksum to use 16-bit fetches.
We could use 32-bit fetches with the same technique on 64-bit
architectures, or SIMD could be used to do very fast 128-bit
fetches, but this isn't a performance bottleneck and this
method is very simple and relatively fast.
2020-10-24 17:14:20 -04:00
Nicholas J. Kain
5fdf3bd83e Remove unused definitions from CMakeLists.txt. 2020-10-24 15:45:57 -04:00
Nicholas J. Kain
b86735c478 Minor signal handling fixes. 2020-10-21 09:49:22 -04:00
Nicholas J. Kain
d58338b70b serverid checks for RENEW and REBIND DHCP(ACK|NAK) were too strict.
Use the same test that is already used for the DHCPACK sent by
the server in the REQUESTING state.
2020-10-21 06:47:11 -04:00
Nicholas J. Kain
b07ebb60a2 Revert bb7841f3ee0ffe17e.
That trivial warning fix causes warnings with -Wcast-qual, which
is a more valid warning than whatever was causing the warnings
under -Wall -pedantic with the normal Makefile.
2020-10-20 07:55:47 -04:00
Nicholas J. Kain
48bbb0b805 Add a missing newline to an error message.
I'm almost certain I remember adding this before, but I guess
it somehow got lost.
2020-10-20 07:53:23 -04:00
Nicholas J. Kain
bb7841f3ee Trivial warning fix. 2020-10-20 07:18:49 -04:00
Nicholas J. Kain
e6b5247d54 Update the plain Makefile. 2020-10-20 07:18:19 -04:00
Nicholas J. Kain
1ba7c9a2ba Documentation update -- signalfd and epoll aren't used anymore. 2020-10-20 07:06:19 -04:00
Nicholas J. Kain
f1e20305ba Don't depend on external ncmlib. 2020-10-20 07:00:20 -04:00
Nicholas J. Kain
4575f74164 Remove legacy support for exiting after obtaining a DHCP lease. 2020-10-20 06:55:04 -04:00
Nicholas J. Kain
ade4e988af Remove legacy support for forking to background. 2020-10-20 06:55:04 -04:00
Nicholas J. Kain
58067200d6 Remove legacy support for writing a pidfile. 2020-10-20 06:55:04 -04:00
Nicholas J. Kain
4d33c00e04 Use poll() instead of epoll() for ndhc-master. 2020-10-20 05:58:29 -04:00
Nicholas J. Kain
af9d45719f Use poll() instead of epoll() for ifchd and sockd.
poll() is simpler, portable, and the scalability advantages of
epoll are inapplicable here.
2020-10-20 05:41:09 -04:00
Nicholas J. Kain
06a541261e Stop using signalfd and audit signal handling code.
There's really no advantage to using signalfd in ndhc, particularly
since the normal POSIX signal API is now used for handling SIGCHLD in
ndhc-master.  So just use the tried and true volatile sig_atomic_t set
and check approach.

The only intended behavior change is in the dhcp RELEASE state --
before there would be a spurious attempt at renewing a nonexistent
lease when the RENEW signal was received.
2020-10-20 04:42:58 -04:00
Nicholas J. Kain
8d89ca9f19 Reliably force restart when a subprocess has a fatal error.
Suppose a system call such as bind() fails in the sockd subprocess in
request_sockd_fd().  sockd will suicide().  This will send a SIGCHLD to
the master process, which the master process should respond to by
calling suicide(), forcing a process supervisor to respawn the entire
ndhc program.

But, this doesn't reliably happen prior to this commit because of the
interaction between request_sock_fd() and signalfd() [or equivalently
self-pipe-trick] signal handling.

request_sock_fd() makes ndhc-master synchronously wait for a response
from sockd via safe_recvmsg().  The normal goto-like signal handling
path is suppressed when using signalfd() , so when SIGCHLD is received,
it will not be handled until io is dispatched for the signalfd or pipe.
But such code will never be reached because ndhc-master is waiting in
safe_recvmsg() and thus never polls signal fd status.

So, revert to using traditional POSIX sigaction() for SIGCHLD, which
provides exactly the required behavior for proper functioning.
2020-10-20 04:41:51 -04:00
Nicholas J. Kain
f0340b1475 Correct ba046c02c729c.
Apparently I had forgotten the counter-intuitive semantics of
signalfd(): it's necessary to BLOCK the signals that will be
handled exclusively by signalfd() so that the default POSIX
signal handling mechanism won't intercept the signals first.

The lack of response to ctrl+c is a legitimate bug that is
now properly fixed; ba046c02c729c fixed that issue, but
regressed the handling of other signals.
2020-10-19 13:03:35 -04:00
Nicholas J. Kain
32bc422d0e Add a heuristic to detect when server ignores dhcp renews.
If we get no response to three renews (unicast), switch to sending
rebinds (broadcast).  Servers are supposed to always reply with
a DHCPACK or DHCPNAK even if the server doesn't update its internal
lease duration database, so this behavior should be RFC compliant.
2020-10-19 07:03:03 -04:00
Nicholas J. Kain
f4365897bc Make renew and rebinding directly track whether DHCPREQUEST was sent.
Before it was inferred by examining timeouts.  Also, simplify
the associated timeout code so that there are no longer effectively
two redundant paths.
2020-10-19 06:36:26 -04:00
Nicholas J. Kain
4df035ced3 Make sure xids in packets sent conform to RFC2131 pg36 table5. 2020-10-19 05:48:52 -04:00
Nicholas J. Kain
5dc35eca6d Merge send_renew() and send_rebind() into send_renew_or_rebind(). 2020-10-19 05:26:47 -04:00