[Dnsmasq-discuss] Router advertisement sent to wrong interface

Sjors Gielen sjors at sjorsgielen.nl
Thu May 2 00:56:47 BST 2013

Hi all,

A while ago I replaced radvd with dnsmasq for SLAAC. It's been working smoothly ever since I set it up. Today, I had to reboot my router and something unintended happened: it sent out a router advertisement on the external interface. Now, people in my building suddenly have IPv6 addresses in my range, and while this represents a nice test for my firewall setup it's annoying for them.

I'm failing to figure out why dnsmasq sent this advertisement -- I have "except-interface=eth0" in my dnsmasq configuration and my dnsmasq logs in Syslog never say it sent a packet to this interface, and there are no bridges with this interface in it. Still, a friend of mine (CC'd) suddenly reported an autoconfigured address in my range, which can only mean a prank or a router advertisement. (And if it's a prank, it's a bad one.) It could be because the interfaces dnsmasq is supposed to use don't exist yet when it starts, so it just decides to use all of them?

The relevant configuration follows. I'm running dnsmasq 2.62, and no radvd or other software that sends router advertisements. Hopefully one of you can spot a mistake in here; if not, I guess more debugging is necessary...

Thank you,

== External interface ==

> eth0      Link encap:Ethernet  HWaddr 00:1d:60:ea:95:85  
>           inet addr:<snip>.216.43  Bcast:<snip>.216.127  Mask:
>           inet6 addr: fe80::21d:60ff:feea:9585/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

I never want to do any DHCP or SLAAC on this interface, so I have:

> except-interface=eth0

== Internal interfaces ==

I have several interfaces that I want to do both DHCP and stateful & stateless DHCPv6 on; they all look like this:

> brlxc     Link encap:Ethernet  HWaddr fe:35:46:19:16:eb  
>           inet addr:  Bcast:  Mask:
>           inet6 addr: fe80::10e6:22ff:fe27:a873/64 Scope:Link
>           inet6 addr: <snip>:75::1/64 Scope:Global
>           UP BROADCAST RUNNING MULTICAST  MTU:1280  Metric:1

The given range, <snip>:75::1/64, is also one of the two ranges in which my friend suddenly got autoconfigured IPv6 addresses. If I understand it correctly, this should be impossible with this dnsmasq configuration:

> dhcp-authorative
> dhcp-range=,,2m
> dhcp-host=6E:21:5F:A1:0B:E1,,24h
> # [..some other dhcp-hosts like this one..]
> enable-ra
> dhcp-range=set:netlxc,<snip>:75::, ra-stateless, ra-names
> dhcp-option=tag:netlxc,option6:dns-server,[<snip>:75::1]

During boot, including during dnsmasq start, these interfaces do not exist yet and neither do the IPv6 addresses/ranges dnsmasq is configured to use. At some point after boot I ssh into the machine to enter the data disk decryption key, and after that the bridges are created and some virtual machines are started that also use dnsmasq. As said, it's possible that dnsmasq semantics differ based on whether the configured IPv6 address range exists on one of the interfaces; in that case, maybe we should start a discussion on whether this is desirable. Either way, the logs don't show router advertisements going out eth0, which is maybe even more weird; they simply show the bridge name they are supposed to use:

May  1 23:36:05 router dnsmasq[3552]: started, version 2.62 cachesize 150
May  1 23:36:05 router dnsmasq[3552]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
May  1 23:36:05 router dnsmasq-dhcp[3552]: IPv6 router advertisement enabled
May  1 23:36:05 router dnsmasq-dhcp[3552]: stateless DHCPv6 on <snip>:75::
May  1 23:36:05 router dnsmasq-dhcp[3552]: DHCPv4-derived IPv6 names on <snip>:75::
May  1 23:36:05 router dnsmasq-dhcp[3552]: SLAAC on <snip>:75:: prefix valid 2h
# note the 5 minutes passed until I created the interfaces, there are
# NO RTR-ADVERTs for <snip>:75:: and NO RTR-ADVERTs on eth0 in this
# time, only expected RTR-ADVERTs on eth1 with the right address
May  1 23:41:45 router dnsmasq-dhcp[3552]: RTR-ADVERT(brlxc) <snip>:75::

This is how the interfaces are created:

> # Normal container bridge
> iface brlxc inet static
> 	pre-up brctl addbr brlxc
> 	address
> 	netmask
> 	bridge_fd 0
> 	post-down brctl delbr brlxc
> iface brlxc inet6 static
> 	address 2001:610:6d0:75::1
> 	netmask 64

Then they are started using e.g.:

> # ifup brlxc

At this point, dnsmasq seems to function nicely.
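
One way to check the situation described in this post, as an added example that is not part of the original message or of dnsmasq: parse a Router Advertisement captured on the external interface and report whether it carries an internal prefix with one of the router's own MAC addresses as source. The `2001:db8:0:75::/64` prefix, the function names and the sample packet are constructed for illustration; the MAC is eth0's HWaddr as shown above, and the ICMPv6 checksum is not validated.

```python
import ipaddress
import struct

RA_TYPE, OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 134, 1, 3  # RFC 4861 values

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a router advertisement")
    ra = {"router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
          "source_mac": None, "prefixes": []}
    offset = 16  # options follow the fixed 16-byte RA header
    while offset + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[offset], icmp6[offset + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[offset + 2:offset + opt_len]
        if opt_type == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid = struct.unpack("!BBI", body[:6])
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(flags & 0x40),  # A flag: SLAAC allowed
                                   "valid_lifetime": valid})
        offset += opt_len
    return ra

def leaked_prefixes(ra: dict, own_macs: set, internal_prefixes: list) -> list:
    """Internal prefixes this RA advertises with one of our own MACs as source."""
    if ra["source_mac"] not in own_macs:
        return []
    internal = [ipaddress.IPv6Network(p) for p in internal_prefixes]
    return [p["prefix"] for p in ra["prefixes"]
            if any(ipaddress.IPv6Network(p["prefix"]).subnet_of(n) for n in internal)]

# Constructed sample: RA as it would look if captured on eth0 (checksum left at 0, not validated).
SAMPLE_RA = (bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
             + bytes([1, 1]) + bytes.fromhex("001d60ea9585")          # source link-layer address
             + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 7200, 3600, 0)
             + ipaddress.IPv6Address("2001:db8:0:75::").packed)       # prefix information

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra)
    print(leaked_prefixes(ra, {"00:1d:60:ea:95:85"}, ["2001:db8:0:75::/64"]))
```

A non-empty result for a packet seen on the external interface means the advertisement left this router, whatever the dnsmasq log says; an empty result with the same prefix points at another sender on the segment.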
