1
0
forked from rpms/bind
bind/bind-9.16-tcp-listening.patch
Petr Menšík 31b69a221c Remove the code to adjust listening interfaces for *-source-v6
Previously, named would run with a configuration where *-source-v6 (notify-source-v6,
transfer-source-v6 and query-source-v6) address and port could be simultaneously used
for listening. This is no longer true for BIND 9.16+ and the code that would do
interface adjustments would unexpectedly disable listening on TCP for such interfaces.

Resolves: rhbz#1999691
2021-10-12 13:32:02 +02:00

481 lines
14 KiB
Diff

From 0807d8b0588c89ee9eb18c17544174e51c2aaa97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 7 Sep 2021 14:40:19 +0200
Subject: [PATCH] Remove the code to adjust listening interfaces for
*-source-v6
Previously, named would run with a configuration
where *-source-v6 (notify-source-v6, transfer-source-v6 and
query-source-v6) address and port could be simultaneously used for
listening. This is no longer true for BIND 9.16+ and the code that
would do interface adjustments would unexpectedly disable listening on
TCP for such interfaces.
This commit removes the code that would adjust listening interfaces
for addresses/ports configured in *-source-v6 option.
(cherry picked from commit 8ac1d4e0daee6fc785377761da42023127ec2284)
---
bin/named/server.c | 162 -------------------------------
lib/ns/include/ns/interfacemgr.h | 14 ---
lib/ns/interfacemgr.c | 117 +++++++---------------
3 files changed, 33 insertions(+), 260 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 0237817c29..60da9c9b1e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6767,160 +6767,6 @@ directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
return (ISC_R_SUCCESS);
}
-static isc_result_t
-add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
- isc_dscp_t dscp, bool wcardport_ok) {
- ns_listenelt_t *lelt = NULL;
- dns_acl_t *src_acl = NULL;
- isc_result_t result;
- isc_sockaddr_t any_sa6;
- isc_netaddr_t netaddr;
-
- REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
-
- isc_sockaddr_any6(&any_sa6);
- if (!isc_sockaddr_equal(&any_sa6, addr) &&
- (wcardport_ok || isc_sockaddr_getport(addr) != 0))
- {
- isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
-
- result = dns_acl_create(mctx, 0, &src_acl);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
- result = dns_iptable_addprefix(src_acl->iptable, &netaddr, 128,
- true);
- if (result != ISC_R_SUCCESS) {
- goto clean;
- }
-
- result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
- dscp, src_acl, &lelt);
- if (result != ISC_R_SUCCESS) {
- goto clean;
- }
- ISC_LIST_APPEND(list->elts, lelt, link);
- }
-
- return (ISC_R_SUCCESS);
-
-clean:
- INSIST(lelt == NULL);
- dns_acl_detach(&src_acl);
-
- return (result);
-}
-
-/*
- * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
- * to update the listening interfaces accordingly.
- * We currently only consider IPv6, because this only affects IPv6 wildcard
- * sockets.
- */
-static void
-adjust_interfaces(named_server_t *server, isc_mem_t *mctx) {
- isc_result_t result;
- ns_listenlist_t *list = NULL;
- dns_view_t *view;
- dns_zone_t *zone, *next;
- isc_sockaddr_t addr, *addrp;
- isc_dscp_t dscp = -1;
-
- result = ns_listenlist_create(mctx, &list);
- if (result != ISC_R_SUCCESS) {
- return;
- }
-
- for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- dns_dispatch_t *dispatch6;
-
- dispatch6 = dns_resolver_dispatchv6(view->resolver);
- if (dispatch6 == NULL) {
- continue;
- }
- result = dns_dispatch_getlocaladdress(dispatch6, &addr);
- if (result != ISC_R_SUCCESS) {
- goto fail;
- }
-
- /*
- * We always add non-wildcard address regardless of whether
- * the port is 'any' (the fourth arg is TRUE): if the port is
- * specific, we need to add it since it may conflict with a
- * listening interface; if it's zero, we'll dynamically open
- * query ports, and some of them may override an existing
- * wildcard IPv6 port.
- */
- /* XXXMPA fix dscp */
- result = add_listenelt(mctx, list, &addr, dscp, true);
- if (result != ISC_R_SUCCESS) {
- goto fail;
- }
- }
-
- zone = NULL;
- for (result = dns_zone_first(server->zonemgr, &zone);
- result == ISC_R_SUCCESS;
- next = NULL, result = dns_zone_next(zone, &next), zone = next)
- {
- dns_view_t *zoneview;
-
- /*
- * At this point the zone list may contain a stale zone
- * just removed from the configuration. To see the validity,
- * check if the corresponding view is in our current view list.
- * There may also be old zones that are still in the process
- * of shutting down and have detached from their old view
- * (zoneview == NULL).
- */
- zoneview = dns_zone_getview(zone);
- if (zoneview == NULL) {
- continue;
- }
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL && view != zoneview;
- view = ISC_LIST_NEXT(view, link))
- {}
- if (view == NULL) {
- continue;
- }
-
- addrp = dns_zone_getnotifysrc6(zone);
- dscp = dns_zone_getnotifysrc6dscp(zone);
- result = add_listenelt(mctx, list, addrp, dscp, false);
- if (result != ISC_R_SUCCESS) {
- goto fail;
- }
-
- addrp = dns_zone_getxfrsource6(zone);
- dscp = dns_zone_getxfrsource6dscp(zone);
- result = add_listenelt(mctx, list, addrp, dscp, false);
- if (result != ISC_R_SUCCESS) {
- goto fail;
- }
- }
-
- ns_interfacemgr_adjust(server->interfacemgr, list, true);
-
-clean:
- ns_listenlist_detach(&list);
- return;
-
-fail:
- /*
- * Even when we failed the procedure, most of other interfaces
- * should work correctly. We therefore just warn it.
- */
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "could not adjust the listen-on list; "
- "some interfaces may not work");
- goto clean;
-}
-
/*
* This event callback is invoked to do periodic network interface
* scanning.
@@ -9633,14 +9479,6 @@ cleanup:
isc_mem_put(server->sctx->mctx, altsecret, sizeof(*altsecret));
}
- /*
- * Adjust the listening interfaces in accordance with the source
- * addresses specified in views and zones.
- */
- if (isc_net_probeipv6() == ISC_R_SUCCESS) {
- adjust_interfaces(server, named_g_mctx);
- }
-
/*
* Record the time of most recent configuration
*/
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
index e210ee3bc0..0a2092a249 100644
--- a/lib/ns/include/ns/interfacemgr.h
+++ b/lib/ns/include/ns/interfacemgr.h
@@ -147,20 +147,6 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose);
* in named.conf.
*/
-isc_result_t
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
- bool verbose);
-/*%<
- * Similar to ns_interfacemgr_scan(), but this function also tries to see the
- * need for an explicit listen-on when a list element in 'list' is going to
- * override an already-listening a wildcard interface.
- *
- * This function does not update localhost and localnets ACLs.
- *
- * This should be called once on server startup, after configuring views and
- * zones.
- */
-
void
ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
/*%<
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index b8302b75e6..acc83016dc 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -503,8 +503,8 @@ ns_interface_listentcp(ns_interface_t *ifp) {
static isc_result_t
ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- const char *name, ns_interface_t **ifpret, bool accept_tcp,
- isc_dscp_t dscp, bool *addr_in_use) {
+ const char *name, ns_interface_t **ifpret, isc_dscp_t dscp,
+ bool *addr_in_use) {
isc_result_t result;
ns_interface_t *ifp = NULL;
REQUIRE(ifpret != NULL && *ifpret == NULL);
@@ -525,7 +525,7 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
goto cleanup_interface;
}
- if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0) && accept_tcp) {
+ if (((mgr->sctx->options & NS_SERVER_NOTCP) == 0)) {
result = ns_interface_listentcp(ifp);
if (result != ISC_R_SUCCESS) {
if ((result == ISC_R_ADDRINUSE) &&
@@ -774,11 +774,10 @@ clearlistenon(ns_interfacemgr_t *mgr) {
}
static isc_result_t
-do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
+do_scan(ns_interfacemgr_t *mgr, bool verbose) {
isc_interfaceiter_t *iter = NULL;
bool scan_ipv4 = false;
bool scan_ipv6 = false;
- bool adjusting = false;
bool ipv6only = true;
bool ipv6pktinfo = true;
isc_result_t result;
@@ -792,10 +791,6 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
bool tried_listening;
bool all_addresses_in_use;
- if (ext_listen != NULL) {
- adjusting = true;
- }
-
if (isc_net_probeipv6() == ISC_R_SUCCESS) {
scan_ipv6 = true;
} else if ((mgr->sctx->options & NS_SERVER_DISABLE6) == 0) {
@@ -864,7 +859,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
"interfaces, port %u",
le->port);
result = ns_interface_setup(mgr, &listen_addr,
- "<any>", &ifp, true,
+ "<any>", &ifp,
le->dscp, NULL);
if (result == ISC_R_SUCCESS) {
ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
@@ -887,17 +882,15 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
return (result);
}
- if (!adjusting) {
- result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_iter;
- }
- result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_iter;
- }
- clearlistenon(mgr);
+ result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup_iter;
}
+ result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup_iter;
+ }
+ clearlistenon(mgr);
tried_listening = false;
all_addresses_in_use = true;
@@ -940,22 +933,19 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
continue;
}
- if (!adjusting) {
- /*
- * If running with -T fixedlocal, then we only
- * want 127.0.0.1 and ::1 in the localhost ACL.
- */
- if (((mgr->sctx->options & NS_SERVER_FIXEDLOCAL) !=
- 0) &&
- !isc_netaddr_isloopback(&interface.address))
- {
- goto listenon;
- }
+ /*
+ * If running with -T fixedlocal, then we only
+ * want 127.0.0.1 and ::1 in the localhost ACL.
+ */
+ if (((mgr->sctx->options & NS_SERVER_FIXEDLOCAL) != 0) &&
+ !isc_netaddr_isloopback(&interface.address))
+ {
+ goto listenon;
+ }
- result = setup_locals(mgr, &interface);
- if (result != ISC_R_SUCCESS) {
- goto ignore_interface;
- }
+ result = setup_locals(mgr, &interface);
+ if (result != ISC_R_SUCCESS) {
+ goto ignore_interface;
}
listenon:
@@ -995,7 +985,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
continue;
}
- if (!adjusting && dolistenon) {
+ if (dolistenon) {
setup_listenon(mgr, &interface, le->port);
dolistenon = false;
}
@@ -1009,37 +999,6 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
ipv6_wildcard = true;
}
- /*
- * When adjusting interfaces with extra a listening
- * list, see if the address matches the extra list.
- * If it does, and is also covered by a wildcard
- * interface, we need to listen on the address
- * explicitly.
- */
- if (adjusting) {
- ns_listenelt_t *ele;
-
- match = 0;
- for (ele = ISC_LIST_HEAD(ext_listen->elts);
- ele != NULL;
- ele = ISC_LIST_NEXT(ele, link))
- {
- (void)dns_acl_match(&listen_netaddr,
- NULL, ele->acl,
- NULL, &match, NULL);
- if (match > 0 &&
- (ele->port == le->port ||
- ele->port == 0)) {
- break;
- } else {
- match = 0;
- }
- }
- if (ipv6_wildcard && match == 0) {
- continue;
- }
- }
-
ifp = find_matching_interface(mgr, &listen_sockaddr);
if (ifp != NULL) {
ifp->generation = mgr->generation;
@@ -1058,12 +1017,12 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
} else {
bool addr_in_use = false;
- if (!adjusting && ipv6_wildcard) {
+ if (ipv6_wildcard) {
continue;
}
if (log_explicit && family == AF_INET6 &&
- !adjusting && listenon_is_ip6_any(le)) {
+ listenon_is_ip6_any(le)) {
isc_log_write(
IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO
@@ -1078,17 +1037,14 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, bool verbose) {
sizeof(sabuf));
isc_log_write(
IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
- "%s"
"listening on %s interface "
"%s, %s",
- (adjusting) ? "additionally " : "",
(family == AF_INET) ? "IPv4" : "IPv6",
interface.name, sabuf);
result = ns_interface_setup(
mgr, &listen_sockaddr, interface.name,
- &ifp, (adjusting) ? false : true,
- le->dscp, &addr_in_use);
+ &ifp, le->dscp, &addr_in_use);
tried_listening = true;
if (!addr_in_use) {
@@ -1135,8 +1091,7 @@ cleanup_iter:
}
static isc_result_t
-ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
- bool verbose) {
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
isc_result_t result;
bool purge = true;
@@ -1144,7 +1099,7 @@ ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
mgr->generation++; /* Increment the generation count. */
- result = do_scan(mgr, ext_listen, verbose);
+ result = do_scan(mgr, verbose);
if ((result != ISC_R_SUCCESS) && (result != ISC_R_ADDRINUSE)) {
purge = false;
}
@@ -1162,7 +1117,7 @@ ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
/*
* Warn if we are not listening on any interface.
*/
- if (ext_listen == NULL && ISC_LIST_EMPTY(mgr->interfaces)) {
+ if (ISC_LIST_EMPTY(mgr->interfaces)) {
isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
"not listening on any interfaces");
}
@@ -1192,7 +1147,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
unlock = true;
}
- result = ns_interfacemgr_scan0(mgr, NULL, verbose);
+ result = ns_interfacemgr_scan0(mgr, verbose);
if (unlock) {
isc_task_endexclusive(mgr->excl);
@@ -1201,12 +1156,6 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
return (result);
}
-isc_result_t
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
- bool verbose) {
- return (ns_interfacemgr_scan0(mgr, list, verbose));
-}
-
void
ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
REQUIRE(NS_INTERFACEMGR_VALID(mgr));
--
2.31.1