Hi,

I have prepared two patches with a suggestion on how to fix it.

Patch 1 warns when a label is used for --interface in default mode.
Patch 2 corrects the manual page about the real behavior of --interface
with labels. Feel free to change it, I am not very good at complicated
sentences in English.

I think changing it back again to use all addresses including labels
would be wrong. Let's just warn the user about unexpected results.

Hope that helps,
Petr

On 21.2.2017 at 19:50, Simon Kelley wrote:
>> The first problem is, manual page is not updated. It tells you
>> cannot use labels, but you can. Also it does not tell you you can
>> use -i eth0,eth0:0,eth0:1,lo, but that is minor change.
> 
> Documentation point taken.
> 
> 
>> Labels are now supported and dnsmasq is able to bind only to
>> secondary IPv4 interface with different address. (Since 2.67!) It
>> works well with --bind-interfaces. However it has inconsistent
>> behavior with and without that option.
> 
>> Let's say my configuration is:
>> 4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>>     link/ether 52:54:00:2b:ee:d3 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
>>        valid_lft forever preferred_lft forever
>>     inet 192.168.122.254/24 scope global secondary virbr0:1
>>        valid_lft forever preferred_lft forever
> 
> 
>> $ dnsmasq -i virbr0
>> will respond to queries to both addresses. It might be a useful
>> backward compatibility feature. However
>> $ dnsmasq -i virbr0:1
>> will respond only on address 192.168.122.254. Ok, call it a feature.
> 
>> Problem is,
>> $ dnsmasq -i virbr0 -z
>> will respond only on address 192.168.122.1, as I would expect.
> 
>> $ dnsmasq -i virbr0:1 -z
>> behaves the same way as without -z.
> 
>> I think different behavior is an error. It might be a feature, but
>> even then, it has to be documented. Opinions?
> 
> The different behavior is certainly undesirable, and can be fixed.
> Unfortunately, I can only see how to easily fix it so that the
> --bind-interfaces case works the same way as the default.
No, please don't do that. I think the current state is the best version
we can prepare now. Just correct the documentation and warn the user if
he or she tries to use an unsupported combination.
> 
> The problem is that the sockets API tells you the interface that the
> packet arrived on, and that's what's checked with -i. In your example,
> queries sent to 192.168.122.1 and 192.168.122.254 both arrive at
> interface virbr0, so there's no easy way to tell them apart, except by
> looking at the address they were sent to and correlating that with the
> list of interfaces and their addresses.
> 
> That requires an up-to-date list of all interfaces, which means, if
> you're going to behave well in the face of interfaces and addresses
> coming and going, enumerating the list for every packet received,
> which will likely kill performance.
> 
> My feeling is that consistency is good, so I'll certainly make a
> change, the question is, is the current behaviour of -i <interface
> name> as encompassing _all_ addresses associated with the interface OK?
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> 
> 
>> [1]
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3f2873d42c4d7e7dba32b6e64a3687d43928bc8e
> 
>>  Cheers, Petr -- Petr Menšík Software Engineer Red Hat,
>> http://www.redhat.com/ email: pemen...@redhat.com  PGP: 65C6C973
> 
> 
>> _______________________________________________ Dnsmasq-discuss
>> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk 
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 
From c3d10a1132ada7baa80914f61abb720f94400465 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com>
Date: Tue, 14 Mar 2017 15:23:22 +0100
Subject: [PATCH 1/2] Warn when using label in default mode

---
 src/dnsmasq.c |  2 ++
 src/dnsmasq.h |  3 ++-
 src/network.c | 13 +++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 456b0e8..d2cc7cc 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -771,6 +771,8 @@ int main (int argc, char **argv)
 
   if (option_bool(OPT_NOWILD))
     warn_bound_listeners();
+  else if (!option_bool(OPT_CLEVERBIND))
+    warn_wild_labels();
 
   warn_int_names();
   
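Review bot: The new else-if branch in main() needs a short comment saying which mode it covers. It is reached only when neither OPT_NOWILD nor OPT_CLEVERBIND is set, which is the "default mode" of the subject line, and a reader has to derive that from the two option tests. The commit message has no body, so it should also say why a warning, rather than a hard error, was chosen for a label given in that mode.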
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index a27fbc1..6b44e53 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -522,7 +522,7 @@ struct ipsets {
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
-  int tftp_ok, dhcp_ok, mtu, done, warned, dad, dns_auth, index, multicast_done, found;
+  int tftp_ok, dhcp_ok, mtu, done, warned, dad, dns_auth, index, multicast_done, found, label;
   char *name; 
   struct irec *next;
 };
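Review bot: The new label member of struct irec is undocumented, and its name reads like a string while it is an int flag appended to an already long declarator list. Rename it to is_label, matching the local variable in iface_allowed(), or add a comment in the style of the netmask one above it, for example /* non-zero if the address carries an alias label */.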
@@ -1252,6 +1252,7 @@ int enumerate_interfaces(int reset);
 void create_wildcard_listeners(void);
 void create_bound_listeners(int die);
 void warn_bound_listeners(void);
+void warn_wild_labels(void);
 void warn_int_names(void);
 int is_dad_listeners(void);
 int iface_check(int family, struct all_addr *addr, char *name, int *auth_dns);
diff --git a/src/network.c b/src/network.c
index eb41624..e5ceb76 100644
--- a/src/network.c
+++ b/src/network.c
@@ -244,6 +244,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   int tftp_ok = !!option_bool(OPT_TFTP);
   int dhcp_ok = 1;
   int auth_dns = 0;
+  int is_label = 0;
 #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
   struct iname *tmp;
 #endif
@@ -264,6 +265,8 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   
   if (!label)
     label = ifr.ifr_name;
+  else
+    is_label = strcmp(label, ifr.ifr_name);
  
   /* maintain a list of all addresses on all interfaces for --local-service option */
   if (option_bool(OPT_LOCAL_SERVICE))
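Review bot: is_label = strcmp(label, ifr.ifr_name) stores the raw strcmp() result, which may be negative or any non-zero value, in a variable that is later used as a boolean flag. Write strcmp(label, ifr.ifr_name) != 0 so that the flag is always 0 or 1, in the same spirit as the !! in the tftp_ok initialiser in the previous hunk.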
@@ -482,6 +485,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
       iface->found = 1;
       iface->done = iface->multicast_done = iface->warned = 0;
       iface->index = if_index;
+      iface->label = is_label;
       if ((iface->name = whine_malloc(strlen(ifr.ifr_name)+1)))
 	{
 	  strcpy(iface->name, ifr.ifr_name);
@@ -1034,6 +1038,15 @@ void warn_bound_listeners(void)
     my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)")); 
 }
 
+void warn_wild_labels(void)
+{
+  struct irec *iface;
+
+  for (iface = daemon->interfaces; iface; iface = iface->next)
+    if (iface->found && iface->name && iface->label)
+      my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
+}
+
 void warn_int_names(void)
 {
   struct interface_name *intname;
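Review bot: The message in warn_wild_labels(), "warning: using interface %s instead", does not say instead of what. It prints only iface->name, which iface_allowed() copies from ifr.ifr_name, so the label the operator configured never appears in the log and the line cannot be matched back to the option that caused it. Keep the label string (or pass it to the message) and state the consequence and the remedy, for example that the label is not honoured in the default mode and that --bind-interfaces, --bind-dynamic or --listen-address should be used. The "warning:" prefix is also redundant with LOG_WARNING. Finally, the flag is derived only from comparing label with ifr.ifr_name, and nothing in the visible hunks ties it to a label actually given to --interface, so please confirm the warning does not fire for every aliased address on an allowed interface.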
-- 
2.9.3

From 6eaafb18e56928881bae371ba8bb05ee93f55d54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com>
Date: Tue, 14 Mar 2017 15:24:58 +0100
Subject: [PATCH 2/2] Document real behaviour of labels with --interface

---
 man/dnsmasq.8 | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 523c823..6e93cf1 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -203,12 +203,14 @@ or
 options are given dnsmasq listens on all available interfaces except any
 given in
 .B \--except-interface
-options. IP alias interfaces (eg "eth1:0") cannot be used with
-.B --interface
+options. IP alias interface names (eg "eth1:0") can be used only in
+.B \--bind-interfaces
 or
-.B --except-interface
-options, use --listen-address instead. A simple wildcard, consisting
-of a trailing '*', can be used in 
+.B \--bind-dynamic
+mode. Use
+.B \--listen-address
+in the default mode instead. A simple wildcard, consisting of a trailing '*',
+can be used in
 .B \--interface 
 and
 .B \--except-interface
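Review bot: The rewritten sentence no longer names --interface or --except-interface, so the reader cannot tell which options accept an alias name, or whether --except-interface is covered at all; the removed text named both. It also says alias names "can be used only in" --bind-interfaces or --bind-dynamic mode, while patch 1 only logs a warning in the default mode and carries on. Add a sentence saying that a label given in the default mode is accepted with a logged warning, and which addresses dnsmasq then answers on.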
-- 
2.9.3
