[Dnsmasq-discuss] FreeBSD complement to Linux's netlink: route(4) socket

Simon Kelley simon at thekelleys.org.uk
Mon Dec 9 16:58:48 GMT 2013

On 05/12/13 00:13, Matthias Andree wrote:
> Am 03.12.2013 12:11, schrieb Simon Kelley:
>> The standard fix is to use --bind-dynamic, which can rely on the
>> existence of the extended API. Unfortunately that doesn't work on
>> FreeBSD because it also relies on a method of getting asynchronous
>> events when interfaces/addresses come and go. Does FreeBSD have an
>> equivalent of the Linux netlink socket?
> Following up on this question, I asked the FreeBSD-hackers@ list and got
> a useful pointer from Ian Lepore to the PF_ROUTE SOCK_RAW socket.
> The family can be used as an address filter, I used AF_UNSPEC.
> If a user-space application has such a route socket open, it can change
> the route table, or receive information from the kernel - not only about
> route changes, but also address changes, interface flag changes,
> interfaces appearing or dematerializing.  You could use
> The relevant information is in man 4 route, and in the headers
> (sys/socket.h, net/if.h, for instance).
> I dug around and have come up with a demo program that opens a route
> socket, selects() for messages, receives them, and decodes those I would
> find interesting for dnsmasq.  It took quite a bit of debugging to get
> the addresses in the messages decoded properly.

OK, using this, I've implemented dynamic interface-address discovery for 
*BSD. Available now in git and as 2.69test1. This is very useful as it 
stands, since it makes the dynamic DHCPv6 address-range facility using 
the constructor: keyword work on *BSD.

Unfortunately, it doesn't make --bind-dynamic work, at least not in a 
useful way. The problem is that when new interface addresses come along, 
dnsmasq has to bind sockets to them at low ports. This is not allowed 
when running as non-root, and of course dnsmasq drops root once it's 

On Linux, this problem is solved by using process capabilities: the 
dnsmasq process retains the ability to bind low ports when it gives away 
the rest of the root privileges. I don't think there's a direct 
equivalent to capabilities in *BSD. Is there another way to allow a 
non-root process to bind low ports?
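
The Linux approach described above, giving up root while retaining only the ability to bind low ports, as an added example that is not part of the original post and is not dnsmasq's own code. The helper names and the uid/gid 65534 are assumptions, and it calls the raw capset syscall rather than libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill both 32-bit capability words so that only `cap` is permitted and
 * effective, and nothing is inheritable by exec'd children. */
void only_cap(struct __user_cap_data_struct d[2], int cap)
{
    memset(d, 0, 2 * sizeof d[0]);
    d[cap >> 5].permitted = 1u << (cap & 31);
    d[cap >> 5].effective = 1u << (cap & 31);
}

/* Must start as root. Returns 0 on success, -1 with errno set on failure. */
int drop_root_keep_bind(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    if (geteuid() != 0) { errno = EPERM; return -1; }
    /* Without KEEPCAPS the setuid() below would clear the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    /* Groups first: after setuid() they can no longer be changed. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* setuid() emptied the effective set. Shrink permitted to the single
     * capability and raise it again; all other root powers are now gone. */
    only_cap(d, CAP_NET_BIND_SERVICE);
    if (syscall(SYS_capset, &h, d) < 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void)
{
    /* 65534 is a constructed stand-in for an unprivileged service account. */
    if (drop_root_keep_bind(65534, 65534) < 0) {
        perror("drop_root_keep_bind");
        return 1;
    }
    printf("uid=%d, can still bind ports below 1024\n", (int)getuid());
    return 0;
}
```

Checking the `CapPrm` and `CapEff` lines in `/proc/<pid>/status` of the running process confirms that only bit 10 (CAP_NET_BIND_SERVICE) remains set.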


