dnsbl: src/dnsbl.cpp comparison

comparison src/dnsbl.cpp @ 59:510a511ad554

Add resolver processes to allow better performance on busy machines

author	carl
date	Mon, 03 Jan 2005 18:35:50 -0800
parents	7bb8bbf79285
children	390ed250c5d2

comparison

equal deleted inserted replaced

-:7bb8bbf79285
+:510a511ad554
 /*
-Copyright (c) 2004 Carl Byington - 510 Software Group, released under
+Copyright (c) 2004, 2005 Carl Byington - 510 Software Group, released
-the GPL version 2 or any later version at your choice available at
+under the GPL version 2 or any later version at your choice available at
 http://www.fsf.org/licenses/gpl.txt
 Based on a sample milter Copyright (c) 2000-2003 Sendmail, Inc. and its
 suppliers.  Inspired by the DCC by Rhyolite Software
+-r port  The port used to talk to our internal dns resolver processes
 -p port  The port through which the MTA will connect to this milter.
 -t sec   The timeout value.
 -c       Check the config, and print a copy to stdout. Don't start the
 milter or do anything with the socket.
 -d       Add debug syslog entries
 data is rejected if sent.
 3) Add option to only allow one recipient if the return path is empty.
 4) Check if the envelope from domain name primary MX points 127.0.0.0/8
+5) Add option for using smtp connections to verify addresses from backup
+mx machines. This allows the backup mx to learn the valid addresses
+on the primary machine.
 */
 // from sendmail sample
 static int  generation = 0;         // protected by the config_mutex
 static pthread_mutex_t  config_mutex;
 static pthread_mutex_t  syslog_mutex;
 static pthread_mutex_t  resolve_mutex;
+static pthread_mutex_t  fd_pool_mutex;
+static std::set<int>    fd_pool;
+static int    NULL_SOCKET       = -1;
+static int    resolver_port     = 0;            // global port number to talk to the dns resolver process
+static int    resolver_socket   = NULL_SOCKET;  // socket used to listen for resolver requests
+static time_t ERROR_SOCKET_TIME = 60;           // number of seconds between attempts to open the spam filter socket
+static time_t last_error_time;
+#ifdef NS_PACKETSZ
+// packed structure to allow a single socket write to dump the
+// length and the following answer. The packing attribute is gcc specific.
+struct glommer {
+int    length;
+u_char answer[NS_PACKETSZ];
+} __attribute__ ((packed));
+#endif
 struct mlfiPriv;
 ////////////////////////////////////////////////
 // include the content scanner
 #include "scanner.cpp"
 ////////////////////////////////////////////////
+// disconnect the fd from the dns resolver process
+//
+void my_disconnect(int sock);
+void my_disconnect(int sock)
+{
+if (sock != NULL_SOCKET) {
+shutdown(sock, SHUT_RDWR);
+close(sock);
+}
+}
+////////////////////////////////////////////////
+// return fd connected to the dns resolver process
+//
+int my_connect();
+int my_connect()
+{
+// if we have had recent errors, don't even try to open the socket
+time_t now = time(NULL);
+if ((now - last_error_time) < ERROR_SOCKET_TIME) return NULL_SOCKET;
+// nothing recent, maybe this time it will work
+int sock = NULL_SOCKET;
+hostent *host = gethostbyname("localhost");
+if (host) {
+sockaddr_in server;
+server.sin_family = host->h_addrtype;
+server.sin_port   = htons(resolver_port);
+memcpy(&server.sin_addr, host->h_addr_list[0], host->h_length);
+sock = socket(PF_INET, SOCK_STREAM, 0);
+if (sock != NULL_SOCKET) {
+bool rc = (connect(sock, (sockaddr *)&server, sizeof(server)) == 0);
+if (!rc) {
+int er = errno;
+my_disconnect(sock);
+sock = NULL_SOCKET;
+last_error_time = now;
+}
+}
+else last_error_time = now;
+}
+return sock;
+}
+////////////////////////////////////////////////
 // mail filter private data, held for us by sendmail
 //
 struct mlfiPriv
 {
 // connection specific data
 CONFIG  *pc;                    // global context with our maps
+int     fd;                     // to talk to dns resolvers process
+bool    err;                    // did we get any errors on the resolver socket?
 int     ip;                     // ip4 address of the smtp client
 map<DNSBLP, status> checked;    // status from those lists
 // message specific data
 char    *mailaddr;      // envelope from value
 char    *queueid;       // sendmail queue id
 recorder    *memory;    // memory for the content scanner
 url_scanner *scanner;   // object to handle body scanning
 mlfiPriv();
 ~mlfiPriv();
 void reset(bool final = false); // for a new message
+void get_fd();
+void return_fd();
+int  my_read(char *buf, int len);
+int  my_write(char *buf, int len);
 };
 mlfiPriv::mlfiPriv() {
 pthread_mutex_lock(&config_mutex);
 pc = config;
 pc->reference_count++;
 pthread_mutex_unlock(&config_mutex);
+get_fd();
 ip            = 0;
 mailaddr      = NULL;
 queueid       = NULL;
 authenticated = false;
 have_whites   = false;
 only_whites   = true;
 memory        = new recorder(this, &pc->html_tags, &pc->tlds);
 scanner       = new url_scanner(memory);
 }
 mlfiPriv::~mlfiPriv() {
+return_fd();
 pthread_mutex_lock(&config_mutex);
 pc->reference_count--;
 pthread_mutex_unlock(&config_mutex);
 reset(true);
 }
 void mlfiPriv::reset(bool final) {
 if (mailaddr) free(mailaddr);
 if (queueid)  free(queueid);
 discard(non_whites);
 delete memory;
 memory        = new recorder(this, &pc->html_tags, &pc->tlds);
 scanner       = new url_scanner(memory);
 }
 }
+void mlfiPriv::get_fd()
+{
+err = true;
+fd  = NULL_SOCKET;
+int result = pthread_mutex_lock(&fd_pool_mutex);
+if (!result) {
+std::set<int>::iterator i;
+i = fd_pool.begin();
+if (i != fd_pool.end()) {
+// have at least one fd in the pool
+err = false;
+fd  = *i;
+fd_pool.erase(fd);
+}
+else {
+// pool is empty, get a new fd
+fd  = my_connect();
+err = (fd == NULL_SOCKET);
+}
+pthread_mutex_unlock(&fd_pool_mutex);
+}
+else {
+// cannot lock the pool, just get a new fd
+fd  = my_connect();
+err = (fd == NULL_SOCKET);
+}
+}
+void mlfiPriv::return_fd()
+{
+if (err) {
+// this fd got a socket error, so close it, rather than returning it to the pool
+my_disconnect(fd);
+}
+else {
+int result = pthread_mutex_lock(&fd_pool_mutex);
+if (!result) {
+// return the fd to the pool
+fd_pool.insert(fd);
+pthread_mutex_unlock(&fd_pool_mutex);
+}
+else {
+// could not lock the pool, so just close the fd
+my_disconnect(fd);
+}
+}
+}
+int mlfiPriv::my_write(char *buf, int len)
+{
+if (err) return 0;
+int rs = 0;
+while (len) {
+int ws = write(fd, buf, len);
+if (ws > 0) {
+rs  += ws;
+len -= ws;
+buf += ws;
+}
+else {
+// peer closed the socket!
+rs = 0;
+err = true;
+break;
+}
+}
+return rs;
+}
+int mlfiPriv::my_read(char *buf, int len)
+{
+if (err) return 0;
+int rs = 0;
+while (len > 1) {
+int ws = read(fd, buf, len);
+if (ws > 0) {
+rs  += ws;
+len -= ws;
+buf += ws;
+}
+else {
+// peer closed the socket!
+rs = 0;
+err = true;
+break;
+}
+}
+return rs;
+}
 #define MLFIPRIV    ((struct mlfiPriv *) smfi_getpriv(ctx))
 ////////////////////////////////////////////////
 // syslog a message
 }
 return *sm;
 }
-////////////////////////////////////////////////
-//
+////////////////////////////////////////////////
+//  read a resolver request from the socket, process it, and
+//  write the result back to the socket.
+#ifdef NS_PACKETSZ
+static void process_resolver_requests(int socket);
+static void process_resolver_requests(int socket) {
+#ifdef NS_MAXDNAME
+char question[NS_MAXDNAME];
+#else
+char question[1000];
+#endif
+glommer glom;
+int maxq = sizeof(question);
+while (true) {
+// read a question
+int rs = 0;
+while (true) {
+int ns = read(socket, question+rs, maxq-rs);
+if (ns > 0) {
+rs += ns;
+if (question[rs-1] == '\0') {
+// last byte read was the null terminator, we are done
+break;
+}
+}
+else {
+// peer closed the socket
+//my_syslog("child worker process, peer closed socket while reading question");
+shutdown(socket, SHUT_RDWR);
+close(socket);
+return;
+}
+}
+// find the answer
+//char text[1000];
+//snprintf(text, sizeof(text), "child worker process has a question %s", question);
+//my_syslog(text);
+glom.length = res_search(question, ns_c_in, ns_t_a, glom.answer, sizeof(glom.answer));
+if (glom.length < 0) glom.length = 0;   // represent all errors as zero length answers
+// write the answer
+char *buf = (char *)&glom;
+int   len = glom.length + sizeof(glom.length);
+//snprintf(text, sizeof(text), "child worker process writing answer length %d for total %d", glom.length, len);
+//my_syslog(text);
+int    ws = 0;
+while (len > ws) {
+int ns = write(socket, buf+ws, len-ws);
+if (ns > 0) {
+ws += ns;
+}
+else {
+// peer closed the socket!
+//my_syslog("child worker process, peer closed socket while writing answer");
+shutdown(socket, SHUT_RDWR);
+close(socket);
+return;
+}
+}
+}
+}
+#endif
+////////////////////////////////////////////////
 //  ask a dns question and get an A record answer - we don't try
 //  very hard, just using the default resolver retry settings.
-//  If we cannot get an answer, we just accept the mail.  The
+//  If we cannot get an answer, we just accept the mail.
-//  caller must ensure thread safety.
+//
 //
-//
+static int dns_interface(mlfiPriv &priv, char *question, bool maybe_ip, ns_map *nameservers);
-static int dns_interface(char *question, bool maybe_ip, ns_map *nameservers);
+static int dns_interface(mlfiPriv &priv, char *question, bool maybe_ip, ns_map *nameservers) {
-static int dns_interface(char *question, bool maybe_ip, ns_map *nameservers) {
+int ret_address = 0;
 #ifdef NS_PACKETSZ
-u_char answer[NS_PACKETSZ];
-int length = res_search(question, ns_c_in, ns_t_a, answer, sizeof(answer));
+// this part can be done without locking the resolver mutex. Each
-if (length >= 0) {  // no error yet
+// milter thread is talking over its own socket to a separate resolver
-// parse the answer
+// process, which does the actual dns resolution.
-ns_msg handle;
+if (priv.err) return 0; // cannot ask more questions on this socket.
-ns_rr  rr;
+priv.my_write(question, strlen(question)+1);   // write the question including the null terminator
-if (ns_initparse(answer, length, &handle) == 0) {
+glommer glom;
-// look for ns names
+char *buf = (char *)&glom;
-if (nameservers) {
+priv.my_read(buf, sizeof(glom.length));
-ns_map &ns = *nameservers;
+buf += sizeof(glom.length);
-int rrnum = 0;
+//char text[1000];
-while (ns_parserr(&handle, ns_s_ns, rrnum++, &rr) == 0) {
+//snprintf(text, sizeof(text), "milter thread wrote question %s and has answer length %d", question, glom.length);
-if (ns_rr_type(rr) == ns_t_ns) {
+//my_syslog(text);
-char nam[NS_MAXDNAME+1];
+if ((glom.length < 0) || (glom.length > sizeof(glom.answer))) {
-char         *n = nam;
+priv.err = true;
-const u_char *p = ns_rr_rdata(rr);
+return 0;  // cannot process overlarge answers
-while (((n-nam) < NS_MAXDNAME) && ((p-answer) < length) && *p) {
+}
-size_t s = *(p++);
+priv.my_read(buf, glom.length);
-if (s > 191) {
-// compression pointer
+// now we need to lock the resolver mutex to keep the milter threads from
-s = (s-192)*256 + *(p++);
+// stepping on each other while parsing the dns answer.
-if (s >= length) break; // pointer outside bounds of answer
+pthread_mutex_lock(&resolve_mutex);
-p = answer + s;
+if (glom.length > 0) {
-s = *(p++);
+// parse the answer
+ns_msg handle;
+ns_rr  rr;
+if (ns_initparse(glom.answer, glom.length, &handle) == 0) {
+// look for ns names
+if (nameservers) {
+ns_map &ns = *nameservers;
+int rrnum = 0;
+while (ns_parserr(&handle, ns_s_ns, rrnum++, &rr) == 0) {
+if (ns_rr_type(rr) == ns_t_ns) {
+char nam[NS_MAXDNAME+1];
+char         *n = nam;
+const u_char *p = ns_rr_rdata(rr);
+while (((n-nam) < NS_MAXDNAME) && ((p-glom.answer) < glom.length) && *p) {
+size_t s = *(p++);
+if (s > 191) {
+// compression pointer
+s = (s-192)*256 + *(p++);
+if (s >= glom.length) break; // pointer outside bounds of answer
+p = glom.answer + s;
+s = *(p++);
+}
+if (s > 0) {
+if ((n-nam)         >= (NS_MAXDNAME-s)) break;  // destination would overflow name buffer
+if ((p-glom.answer) >= (glom.length-s)) break;  // source outside bounds of answer
+memcpy(n, p, s);
+n += s;
+p += s;
+*(n++) = '.';
+}
 }
-if (s > 0) {
+if (n-nam) n--;             // remove trailing .
-if ((n-nam)    >= (NS_MAXDNAME-s)) break;  // destination would overflow name buffer
+*n = '\0';                  // null terminate it
-if ((p-answer) >= (length-s))      break;  // source outside bounds of answer
+register_string(ns, nam, question);     // ns host to lookup later
-memcpy(n, p, s);
+}
-n += s;
+}
-p += s;
+rrnum = 0;
-*(n++) = '.';
+while (ns_parserr(&handle, ns_s_ar, rrnum++, &rr) == 0) {
+if (ns_rr_type(rr) == ns_t_a) {
+char* nam = (char*)ns_rr_name(rr);
+ns_mapper::iterator i = ns.ns_ip.find(nam);
+if (i != ns.ns_ip.end()) {
+// we want this ip address
+int address;
+memcpy(&address, ns_rr_rdata(rr), sizeof(address));
+ns.ns_ip[nam] = address;
 }
-}
-if (n-nam) n--;             // remove trailing .
-*n = '\0';                  // null terminate it
-register_string(ns, nam, question);     // ns host to lookup later
-}
-}
-rrnum = 0;
-while (ns_parserr(&handle, ns_s_ar, rrnum++, &rr) == 0) {
-if (ns_rr_type(rr) == ns_t_a) {
-char* nam = (char*)ns_rr_name(rr);
-ns_mapper::iterator i = ns.ns_ip.find(nam);
-if (i != ns.ns_ip.end()) {
-// we want this ip address
-int address;
-memcpy(&address, ns_rr_rdata(rr), sizeof(address));
-ns.ns_ip[nam] = address;
 }
 }
 }
-}
+int rrnum = 0;
-int rrnum = 0;
+while (ns_parserr(&handle, ns_s_an, rrnum++, &rr) == 0) {
-while (ns_parserr(&handle, ns_s_an, rrnum++, &rr) == 0) {
+if (ns_rr_type(rr) == ns_t_a) {
-if (ns_rr_type(rr) == ns_t_a) {
+int address;
-int address;
+memcpy(&address, ns_rr_rdata(rr), sizeof(address));
-memcpy(&address, ns_rr_rdata(rr), sizeof(address));
+ret_address = address;
-return address;
+}
 }
 }
 }
-}
+if (maybe_ip && !ret_address) {
-if (maybe_ip) {
+// might be a bare ip address
-// might be a bare ip address
+in_addr ip;
-in_addr ip;
+if (inet_aton(question, &ip)) {
-if (inet_aton(question, &ip)) {
+ret_address = ip.s_addr;
-return ip.s_addr;
+}
 }
-}
+pthread_mutex_unlock(&resolve_mutex);
-return 0;
+return ret_address;
 #else
-struct hostent *host = gethostbyname(question);
+// systems without the resolver interface
-if (!host) return 0;
+pthread_mutex_lock(&resolve_mutex);
-if (host->h_addrtype != AF_INET) return 0;
+struct hostent *host = gethostbyname(question);
-int address;
+if (host && (host->h_addrtype == AF_INET)) {
-memcpy(&address, host->h_addr, sizeof(address));
+memcpy(&ret_address, host->h_addr, sizeof(ret_address));
-return address;
+}
+pthread_mutex_unlock(&resolve_mutex);
+return ret_address;
 #endif
 }
-static int protected_dns_interface(char *question, bool maybe_ip, ns_map *nameservers);
-static int protected_dns_interface(char *question, bool maybe_ip, ns_map *nameservers) {
-int ans;
-pthread_mutex_lock(&resolve_mutex);
-ans = dns_interface(question, maybe_ip, nameservers);
-pthread_mutex_unlock(&resolve_mutex);
-return ans;
-}
 ////////////////////////////////////////////////
 //  check a single dnsbl
 //
-static status check_single(int ip, char *suffix);
+static status check_single(mlfiPriv &priv, int ip, char *suffix);
-static status check_single(int ip, char *suffix) {
+static status check_single(mlfiPriv &priv, int ip, char *suffix) {
 // make a dns question
 const u_char *src = (const u_char *)&ip;
 if (src[0] == 127) return oksofar;  // don't do dns lookups on localhost
 #ifdef NS_MAXDNAME
 char question[NS_MAXDNAME];
 #else
 char question[1000];
 #endif
 snprintf(question, sizeof(question), "%u.%u.%u.%u.%s.", src[3], src[2], src[1], src[0], suffix);
 // ask the question, if we get an A record it implies a blacklisted ip address
-return (protected_dns_interface(question, false, NULL)) ? reject : oksofar;
+return (dns_interface(priv, question, false, NULL)) ? reject : oksofar;
 }
 ////////////////////////////////////////////////
 //  check a single dnsbl
 //
-static status check_single(int ip, DNSBL &bl);
+static status check_single(mlfiPriv &priv, int ip, DNSBL &bl);
-static status check_single(int ip, DNSBL &bl) {
+static status check_single(mlfiPriv &priv, int ip, DNSBL &bl) {
-return check_single(ip, bl.suffix);
+return check_single(priv, ip, bl.suffix);
 }
 ////////////////////////////////////////////////
 //  check the dnsbls specified for this recipient
 DNSBLP dp = *i;     // non null by construction
 status st;
 map<DNSBLP, status>::iterator f = priv.checked.find(dp);
 if (f == priv.checked.end()) {
 // have not checked this list yet
-st = check_single(priv.ip, *dp);
+st = check_single(priv, priv.ip, *dp);
 rejectlist = dp;
 priv.checked[dp] = st;
 }
 else {
 st = (*f).second;
 count++;
 if ((count > lim) && (lim > 0) && (!ran)) {
 discard(nameservers);
 return reject_host;
 }
-ip = protected_dns_interface(host, true, &nameservers);
+ip = dns_interface(priv, host, true, &nameservers);
 if (debug_syslog) {
 char buf[1000];
 if (ip) {
 char adr[sizeof "255.255.255.255"];
 adr[0] = '\0';
 }
 if (ip) {
 int_set::iterator i = ips.find(ip);
 if (i == ips.end()) {
 ips.insert(ip);
-status st = check_single(ip, dc.content_suffix);
+status st = check_single(priv, ip, dc.content_suffix);
 if (st == reject) {
 discard(nameservers);
 return st;
 }
 }
 discard(nameservers);
 return reject_host;
 }
 host = (*i).first;  // a transient reference that needs to be replaced before we return it
 ip   = (*i).second;
-if (!ip) ip = protected_dns_interface(host, false, NULL);
+if (!ip) ip = dns_interface(priv, host, false, NULL);
 if (debug_syslog) {
 char buf[200];
 if (ip) {
 char adr[sizeof "255.255.255.255"];
 adr[0] = '\0';
 }
 if (ip) {
 int_set::iterator i = ips.find(ip);
 if (i == ips.end()) {
 ips.insert(ip);
-status st = check_single(ip, dc.content_suffix);
+status st = check_single(priv, ip, dc.content_suffix);
 if (st == reject) {
 string_map::iterator j = nameservers.ns_host.find(host);
 if (j != nameservers.ns_host.end()) {
 char *refer = (*j).second;
 char buf[1000];
 static void usage(char *prog);
 static void usage(char *prog)
 {
-fprintf(stderr, "Usage: %s  [-d] [-c] -p socket-addr [-t timeout]\n", prog);
+fprintf(stderr, "Usage: %s  [-d] [-c] -r port -p sm-sock-addr [-t timeout]\n", prog);
-fprintf(stderr, "where socket-addr is for the connection to sendmail and should be one of\n");
+fprintf(stderr, "where port is for the connection to our own dns resolver processes\n");
-fprintf(stderr, "   inet:port@local-ip-address\n");
+fprintf(stderr, "where sm-sock-addr is for the connection to sendmail\n");
-fprintf(stderr, "   local:local-domain-socket-file-name\n");
+fprintf(stderr, "    and should be one of\n");
+fprintf(stderr, "        inet:port@ip-address\n");
+fprintf(stderr, "        local:local-domain-socket-file-name\n");
 fprintf(stderr, "-c will load and dump the config to stdout\n");
 fprintf(stderr, "-d will add some syslog debug messages\n");
 }
 int main(int argc, char**argv)
 {
 bool check   = false;
 bool setconn = false;
+bool setreso = false;
 int c;
-const char *args = "p:t:hcd";
+const char *args = "r:p:t:hcd";
 extern char *optarg;
 // Process command line options
 while ((c = getopt(argc, argv, args)) != -1) {
 switch (c) {
+case 'r':
+if (optarg == NULL || *optarg == '\0') {
+fprintf(stderr, "Illegal resolver socket: %s\n", optarg);
+exit(EX_USAGE);
+}
+resolver_port = atoi(optarg);
+setreso = true;
+break;
 case 'p':
 if (optarg == NULL || *optarg == '\0') {
-fprintf(stderr, "Illegal conn: %s\n", optarg);
+fprintf(stderr, "Illegal sendmail socket: %s\n", optarg);
 exit(EX_USAGE);
 }
 if (smfi_setconn(optarg) == MI_FAILURE) {
 fprintf(stderr, "smfi_setconn failed\n");
 exit(EX_SOFTWARE);
 }
 if (strncasecmp(optarg, "unix:", 5) == 0)  setup_socket(optarg + 5);
 else if (strncasecmp(optarg, "local:", 6) == 0) setup_socket(optarg + 6);
 setconn = true;
 break;
 return 0;
 }
 if (!setconn) {
 fprintf(stderr, "%s: Missing required -p argument\n", argv[0]);
+usage(argv[0]);
+exit(EX_USAGE);
+}
+if (!setreso) {
+fprintf(stderr, "%s: Missing required -r argument\n", argv[0]);
 usage(argv[0]);
 exit(EX_USAGE);
 }
 if (smfi_register(smfilter) == MI_FAILURE) {
 fprintf(f, "%d\n", (u_int)getpid());
 #endif
 fclose(f);
 }
+// initialize the thread sync objects
+pthread_mutex_init(&config_mutex, 0);
+pthread_mutex_init(&syslog_mutex, 0);
+pthread_mutex_init(&resolve_mutex, 0);
+pthread_mutex_init(&fd_pool_mutex, 0);
+#ifdef NS_PACKETSZ
+// fork off the resolver listener process
+pid_t child = fork();
+if (child < 0) {
+my_syslog("failed to create resolver listener process");
+exit(0);
+}
+if (child == 0) {
+// we are the child - dns resolver listener process
+resolver_socket = socket(PF_INET, SOCK_STREAM, 0);
+if (resolver_socket < 0) {
+my_syslog("child failed to create resolver socket");
+exit(0);   // failed
+}
+sockaddr_in server;
+server.sin_family   = AF_INET;
+server.sin_port     = htons(resolver_port);
+server.sin_addr.s_addr = 0;
+// set the socket options
+int      reuse_addr = 1;
+linger linger_opt;
+linger_opt.l_onoff  = 0;    // off
+linger_opt.l_linger = 0;
+setsockopt(resolver_socket, SOL_SOCKET, SO_REUSEADDR, reinterpret_cast<char*>(&reuse_addr), sizeof(reuse_addr));
+setsockopt(resolver_socket, SOL_SOCKET, SO_LINGER,    reinterpret_cast<char*>(&linger_opt), sizeof(linger_opt));
+///// set nonblocking mode
+///int     dummy = 0;
+///int     flags = fcntl(resolver_socket, F_GETFL, dummy);
+///if (flags >= 0) fcntl(resolver_socket, F_SETFL, flags | O_NONBLOCK);
+//try to bind the address to the socket.
+if (bind(resolver_socket, (sockaddr *)&server, sizeof(server)) < 0) {
+// bind failed
+shutdown(resolver_socket, SHUT_RDWR);
+close(resolver_socket);
+my_syslog("child failed to bind resolver socket");
+exit(0);   // failed
+}
+//listen on the socket.
+if (listen(resolver_socket, 10) < 0) {
+// listen failed
+shutdown(resolver_socket, SHUT_RDWR);
+close(resolver_socket);
+my_syslog("child failed to listen to the resolver socket");
+return -1;
+}
+}
+else {
+sleep(2);   // allow child to get started
+}
+#endif
 // drop root privs
 struct passwd *pw = getpwnam("dnsbl");
 if (pw) {
 if (setgid(pw->pw_gid) == -1) {
 my_syslog("failed to switch to group dnsbl");
 if (setuid(pw->pw_uid) == -1) {
 my_syslog("failed to switch to user dnsbl");
 }
 }
-// initialize the thread sync objects
+#ifdef NS_PACKETSZ
-pthread_mutex_init(&config_mutex, 0);
+if (child == 0) {
-pthread_mutex_init(&syslog_mutex, 0);
+while (true) {
-pthread_mutex_init(&resolve_mutex, 0);
+sockaddr_in client;
+socklen_t   clientlen = sizeof(client);
+int s = accept(resolver_socket, (sockaddr *)&client, &clientlen);
+if (s > 0) {
+// accept worked, it did not get cancelled before we could accept it
+// fork off a process to handle this connection
+int newchild = fork();
+if (newchild == 0) {
+// this is the worker process
+my_syslog("child forked a worker process");
+process_resolver_requests(s);
+my_syslog("child terminated a worker process");
+exit(0);
+}
+}
+}
+exit(0);    // make sure we don't fall thru.
+}
+#endif
 // load the initial config
 config = new_conf();
 // only create threads after the fork() in daemon

Mercurial > dnsbl

comparison src/dnsbl.cpp @ 59:510a511ad554