On Wed, Oct 26, 2016 at 04:22:55PM +0800, Delan Azabani wrote:
> > ip-transparent: <yes or no>
> >     Allows NSD to bind to non local addresses. This is useful to
> >     have NSD listen to IP addresses that are not (yet) added to the
> >     network interface, so that it can answer immediately when the
> >     address is added. Default is no.

This matches what SO_BINDANY does.

> > IP_TRANSPARENT (since Linux 2.6.24)
> >     Setting this boolean option enables transparent proxying on this
> >     socket.  This socket option allows the  calling  application  to
> >     bind to a nonlocal IP address and operate both as a client and a
> >     server with the foreign address as the  local  endpoint.   NOTE:
> >     this requires that routing be set up in a way that packets going
> >     to the foreign address are routed through the TProxy box  (i.e.,
> >     the system hosting the application that employs the IP_TRANSPARENT
> >     socket option).  Enabling this socket option requires superuser
> >     privileges (the CAP_NET_ADMIN capability).
> >
> >     TProxy redirection with the iptables TPROXY target also requires
> >     that this option be set on the redirected socket.

This also sounds very much like our SO_BINDANY feature.

> I don't think I know enough about sockets on OpenBSD and Linux to say
> whether or not they ought to be exposed as one option in nsd.conf(5).

Having the same option name on all operating systems is good.  The
system call to implement this is a detail that is not relevant for
the user.

> Here's a patch under the assumption that one option will suffice:

OK bluhm@

And please ask upstream to accept the patch when it is committed here.

> Index: usr.sbin/nsd/server.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/nsd/server.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 server.c
> --- usr.sbin/nsd/server.c     31 Aug 2016 07:31:20 -0000      1.25
> +++ usr.sbin/nsd/server.c     26 Oct 2016 07:40:56 -0000
> @@ -565,7 +565,7 @@ server_init_ifs(struct nsd *nsd, size_t 
>  {
>       struct addrinfo* addr;
>       size_t i;
> -#if defined(SO_REUSEPORT) || defined(SO_REUSEADDR) || (defined(INET6) && 
> (defined(IPV6_V6ONLY) || defined(IPV6_USE_MIN_MTU) || defined(IPV6_MTU) || 
> defined(IP_TRANSPARENT)) || defined(IP_FREEBIND))
> +#if defined(SO_REUSEPORT) || defined(SO_REUSEADDR) || (defined(INET6) && 
> (defined(IPV6_V6ONLY) || defined(IPV6_USE_MIN_MTU) || defined(IPV6_MTU) || 
> defined(IP_TRANSPARENT) || defined(SO_BINDANY)) || defined(IP_FREEBIND))
>       int on = 1;
>  #endif
>  
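Review bot: in the #if guard, `defined(SO_BINDANY)` is added inside the `(defined(INET6) && (...))` group, so on a build without INET6 the `int on = 1;` declaration would be skipped while the `#ifdef SO_BINDANY` blocks further down still use `on`. That mirrors where `IP_TRANSPARENT` already sits, but both belong outside the INET6 group, next to `defined(IP_FREEBIND)`, since neither depends on IPv6. Whenever SO_REUSEADDR or SO_REUSEPORT is defined the declaration survives anyway, so this is a tidiness issue rather than a build break; worth fixing in the upstream submission, though.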
> @@ -755,6 +755,12 @@ server_init_ifs(struct nsd *nsd, size_t 
>                                       strerror(errno));
>                       }
>  #endif /* IP_TRANSPARENT */
> +#ifdef SO_BINDANY
> +                     if (setsockopt(nsd->udp[i].s, SOL_SOCKET, SO_BINDANY, 
> &on, sizeof(on)) < 0) {
> +                             log_msg(LOG_ERR, "setsockopt(...,SO_BINDANY, 
> ...) failed for udp: %s",
> +                                     strerror(errno));
> +                     }
> +#endif /* SO_BINDANY */
>               }
>  
>               if (bind(nsd->udp[i].s, (struct sockaddr *) addr->ai_addr, 
> addr->ai_addrlen) != 0) {
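Review bot: a failed SO_BINDANY setsockopt is only logged with LOG_ERR and the code falls through to the bind() right below, so when the option cannot be set the operator sees the bind failure for the nonlocal address and has to correlate it with the earlier message. That matches how the IP_TRANSPARENT block above it behaves, so it is acceptable, but the message could say that ip-transparent will not take effect. Also, the diff touches only server.c: the nsd.conf(5) text for ip-transparent quoted at the top of this mail should gain a sentence saying that on OpenBSD the option is implemented with SO_BINDANY, so the documentation matches the new behaviour.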
> @@ -885,6 +891,12 @@ server_init_ifs(struct nsd *nsd, size_t 
>                                       strerror(errno));
>                       }
>  #endif /* IP_TRANSPARENT */
> +#ifdef SO_BINDANY
> +                     if (setsockopt(nsd->tcp[i].s, SOL_SOCKET, SO_BINDANY, 
> &on, sizeof(on)) < 0) {
> +                             log_msg(LOG_ERR, "setsockopt(...,SO_BINDANY, 
> ...) failed for tcp: %s",
> +                                     strerror(errno));
> +                     }
> +#endif /* SO_BINDANY */
>               }
>  
>               if (bind(nsd->tcp[i].s, (struct sockaddr *) addr->ai_addr, 
> addr->ai_addrlen) != 0) {
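Review bot: this block is a copy of the UDP block above with only the socket (`nsd->tcp[i].s`) and the word in the log message changed, as are the two IP_TRANSPARENT blocks it follows. A small helper taking the socket and a "udp"/"tcp" label would keep the two paths from drifting apart. Minor; keeping the copy is consistent with the surrounding upstream style and does not block the OK.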

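As an added example, not part of this thread or of NSD's source, here is a small C helper for the point bluhm@ makes above: one configuration switch maps at compile time onto SO_BINDANY on OpenBSD or IP_TRANSPARENT on Linux, whichever the build has. It also shows the check a server operator wants when the option cannot be set (no privilege, or neither option in the build): the setsockopt failure is remembered so that the EADDRNOTAVAIL that bind() then returns for a nonlocal address can be attributed to it instead of looking like an ordinary misconfiguration. The function names, the result enum and the use of the TEST-NET-1 address 192.0.2.1 as a "not on any interface" address are this example's own choices; it handles only IPv4 UDP sockets (the IPv6 counterpart on Linux is IPV6_TRANSPARENT, which is left out here).

```c
/*
 * Example (not NSD code): map one "bind to a nonlocal address" switch onto
 * the socket option this build has, then bind and classify the outcome.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Name of the kernel option this build uses, NULL if it has neither. */
const char *nonlocal_bind_option(void)
{
#if defined(SO_BINDANY)
	return "SO_BINDANY";          /* OpenBSD */
#elif defined(IP_TRANSPARENT)
	return "IP_TRANSPARENT";      /* Linux, IPv4 sockets */
#else
	return NULL;
#endif
}

/*
 * Request nonlocal binding on fd. Returns 0 on success, -1 with errno set:
 * EPERM/EACCES when the process lacks the privilege the option requires,
 * ENOTSUP when this build has no such option at all.
 */
int enable_nonlocal_bind(int fd)
{
	int on = 1;
#if defined(SO_BINDANY)
	return setsockopt(fd, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
#elif defined(IP_TRANSPARENT)
	return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
#else
	(void)fd;
	(void)on;
	errno = ENOTSUP;
	return -1;
#endif
}

enum nlb_result {
	NLB_BOUND = 0,       /* bind() succeeded */
	NLB_OPT_DENIED,      /* option could not be set and bind() then failed */
	NLB_ADDR_NOT_AVAIL,  /* option not requested (or set fine), address still
	                        not bindable */
	NLB_ERROR            /* socket(), inet_pton() or an unexpected bind() error */
};

/*
 * Open a UDP socket, optionally request nonlocal binding, bind to ip:port
 * and close it again. The point is the classification: a bare
 * EADDRNOTAVAIL is reported as NLB_OPT_DENIED when we know the option was
 * refused, which is what an operator needs to see in the log.
 */
enum nlb_result try_bind_udp(const char *ip, unsigned short port, int want_nonlocal)
{
	struct sockaddr_in sin;
	enum nlb_result r;
	int opt_denied = 0;
	int fd = socket(AF_INET, SOCK_DGRAM, 0);

	if (fd < 0)
		return NLB_ERROR;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
		close(fd);
		return NLB_ERROR;
	}

	/* Like the NSD patch: record the failure and still try the bind. */
	if (want_nonlocal && enable_nonlocal_bind(fd) < 0)
		opt_denied = 1;

	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0)
		r = NLB_BOUND;
	else if (errno == EADDRNOTAVAIL)
		r = opt_denied ? NLB_OPT_DENIED : NLB_ADDR_NOT_AVAIL;
	else
		r = NLB_ERROR;

	close(fd);
	return r;
}

int main(void)
{
	static const char *names[] = { "bound", "option denied",
	                               "address not available", "error" };
	const char *opt = nonlocal_bind_option();

	printf("build uses %s\n", opt ? opt : "no nonlocal-bind option");
	/* 192.0.2.1 is TEST-NET-1 (RFC 5737), assumed not configured on any interface */
	printf("127.0.0.1 without option: %s\n", names[try_bind_udp("127.0.0.1", 0, 0)]);
	printf("192.0.2.1 without option: %s\n", names[try_bind_udp("192.0.2.1", 0, 0)]);
	printf("192.0.2.1 with option:    %s\n", names[try_bind_udp("192.0.2.1", 0, 1)]);
	return 0;
}
```

Run as an unprivileged user the last line reports "option denied" (the setsockopt fails with EPERM on Linux, and the nonlocal bind then fails); run as root with the address still absent it reports "bound", which is the behaviour the ip-transparent option in nsd.conf(5) describes.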