<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>Yes, there were some fixes related to the bind to device option. I
would suggest looking at the CentOS 8/RHEL 8 patches of 2.79 [1],
which hopefully also fixed regressions caused by the CVE fixes.
The description of the problem matches something I had to fix later;
it should be among the recent patches.</p>
<p>I think it might be referenced by this:</p>
<pre class="syntaxhighlightblock"><code class="lang-rpm-specfile hljs"><span class="hljs-comment"># <a class="moz-txt-link-freetext" href="http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3f535da79e7a42104543ef5c7b5fa2bed819a78b">http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3f535da79e7a42104543ef5c7b5fa2bed819a78b</a></span>
<span class="hljs-comment"># <a class="moz-txt-link-freetext" href="http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee">http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee</a></span>
<span class="hljs-type">Patch27:</span> dnsmasq-2.79-mixed-family-failed.patch</code></pre>
<p>Not all fixes are always backported. I think the issue you
describe was about not matching the sfd->fd socket properly. One
was ignored because of SO_BINDTODEVICE, the other because of a
mismatching socket number. The result was ignored responses. I cannot
remember the exact commit, I am sorry. I think Simon fixed it together
with random sockets of source device, so it has no separate
commit.</p>
<p>Cheers,<br>
Petr<br>
</p>
<p>1. <a class="moz-txt-link-freetext" href="https://git.centos.org/rpms/dnsmasq/blob/c8s/f/SOURCES">https://git.centos.org/rpms/dnsmasq/blob/c8s/f/SOURCES</a><br>
</p>
<div class="moz-cite-prefix">On 12/3/21 12:32, sunil rathod wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAEF7KN2jcJ5d9KP5V_8+Uah=xdg-swABLdDaiuvzEd331bR8Xg@mail.gmail.com">
<div dir="ltr">
<div>Hi Petr,</div>
<div>I have used the following patches for the 2.80 release along
with the dnspooq patch to resolve the bugs.</div>
<div><br>
</div>
<div>Does this patch have any implications with the
"SO_BINDTODEVICE" option in sockets? In my system, when DNS
replies arrive on the interface, the kernel seems to drop
these because of a mismatched socket. After the kernel
upgrade, I see this problem. Is there a way we can bind to an
IP address rather than interface for forwarding interf</div>
<div><br>
<br>
1.<br>
<a
href="https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014789.html"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014789.html</a><br>
2.<br>
<a
href="http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2</a><br>
3.<br>
<a
href="http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=8f9bd615053cd13aba82a111ec20bb79d25a2d1e"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=8f9bd615053cd13aba82a111ec20bb79d25a2d1e</a><span
class="gmail-im"><br>
</span><br>
</div>
<div>Regards,</div>
<div>Sunil</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 2 Apr 2021 at 05:21,
Simon Kelley &lt;<a href="mailto:simon@thekelleys.org.uk"
moz-do-not-send="true" class="moz-txt-link-freetext">simon@thekelleys.org.uk</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"><br>
<br>
On 31/03/2021 08:50, Petr Menšík wrote:<br>
> Hi Sunil,<br>
> <br>
> This is exactly the same issue I reported on thread
[1]. Unfortunately<br>
> it hasn't got merged separately, but it should be
patched by<br>
> CVE-2021-3448 fix [2]. It happens only when you have
rp_filter set to 1.<br>
> The root cause of this is the lookup_frec part change
in commit<br>
> 8f9bd615053cd [3], including the part added previously
by commit [2].<br>
> <br>
> Yes, these are uncovered bugs not found when testing
dnspooq patches.<br>
> The root of the issue was there also before, but it
stopped working only<br>
> after dnspooq patches. They are related.<br>
> <br>
<br>
Thanks Petr, Given the above.<br>
<br>
1) This is not fixed in the 2.80 dnspooq v3 patches.<br>
2) It is fixed in the forthcoming 2.85 release.<br>
<br>
Simon.<br>
<br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a
href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a><br>
</blockquote>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
</body>
</html>