[Dnsmasq-discuss] Router advertisement sent to wrong interface

Simon Kelley simon at thekelleys.org.uk
Thu May 2 09:49:51 BST 2013


On 02/05/13 00:56, Sjors Gielen wrote:
> Hi all,
>
> A while ago I replaced radvd with dnsmasq for SLAAC. It's been working
> smoothly ever since I set it up. Today, I had to reboot my router and
> something unintended happened: it sent out a router advertisement on the
> external interface. Now, people in my building suddenly have IPv6
> addresses in my range, and while this represents a nice test for my
> firewall setup it's annoying for them.
>
> I'm failing to figure out why dnsmasq sent this advertisement -- I
> have "except-interface=eth0" in my dnsmasq configuration and my dnsmasq
> logs in Syslog never say it sent a packet to this interface, and there
> are no bridges with this interface in it. Still, a friend of mine (CC'd)
> suddenly reported an autoconfigured address in my range, which can only
> mean a prank or a router advertisement. (And if it's a prank, it's a bad
> one.) It could be because the interfaces dnsmasq is supposed to use
> don't exist yet when it starts, so it just decides to use all of them?
>
> The relevant configuration follows. I'm running dnsmasq 2.62, and no
> radvd or other software that sends router advertisements. Hopefully one
> of you can spot a mistake in here; if not, I guess more debugging is
> necessary...
>
> Thank you, Sjors
> == External interface ==
>
>> eth0      Link encap:Ethernet  HWaddr 00:1d:60:ea:95:85
>>            inet addr:<snip>.216.43  Bcast:<snip>.216.127  Mask:255.255.255.128
>>            inet6 addr: fe80::21d:60ff:feea:9585/64 Scope:Link
>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> I never want to do any DHCP or SLAAC on this interface, so I have:
>
>> except-interface=eth0
>
> == Internal interfaces ==
>
> I have several interfaces that I want to do both DHCP and stateful & stateless DHCPv6 on, they all look like this:
>
>> brlxc     Link encap:Ethernet  HWaddr fe:35:46:19:16:eb
>>            inet addr:10.73.75.1  Bcast:10.73.75.255  Mask:255.255.255.0
>>            inet6 addr: fe80::10e6:22ff:fe27:a873/64 Scope:Link
>>            inet6 addr: <snip>:75::1/64 Scope:Global
>>            UP BROADCAST RUNNING MULTICAST  MTU:1280  Metric:1
>
> The given range, <snip>:75::1/64, is also one of the two ranges in which my friend suddenly got autoconfigured IPv6 addresses. If I understand it correctly, this should be impossible with this dnsmasq configuration:
>
>> dhcp-authoritative
>> dhcp-range=10.73.75.100,10.73.75.199,2m
>> dhcp-host=6E:21:5F:A1:0B:E1,10.73.75.10,24h
>> # [..some other dhcp-hosts like this one..]
>> enable-ra
>> dhcp-range=set:netlxc,<snip>:75::, ra-stateless, ra-names
>> dhcp-option=tag:netlxc,option6:dns-server,[<snip>:75::1]
>
> During boot, including during dnsmasq start, these interfaces do not exist yet and neither do the IPv6 addresses/ranges dnsmasq is configured to use. At some point after boot I ssh into the machine to enter the data disk decryption key, and after that the bridges are created and some virtual machines are started that also use dnsmasq. As said, it's possible that dnsmasq semantics differ based on whether the configured IPv6 address range exists on one of the interfaces; in that case, maybe we should start a discussion on whether this is desirable. Either way, the logs don't show router advertisements going out eth0, which is maybe even more weird; they simply show the bridge name they are supposed to use:
>
> May  1 23:36:05 router dnsmasq[3552]: started, version 2.62 cachesize 150
> May  1 23:36:05 router dnsmasq[3552]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
> May  1 23:36:05 router dnsmasq-dhcp[3552]: IPv6 router advertisement enabled
> [...]
> May  1 23:36:05 router dnsmasq-dhcp[3552]: stateless DHCPv6 on <snip>:75::
> May  1 23:36:05 router dnsmasq-dhcp[3552]: DHCPv4-derived IPv6 names on <snip>:75::
> May  1 23:36:05 router dnsmasq-dhcp[3552]: SLAAC on <snip>:75:: prefix valid 2h
> # note the 5 minutes passed until I created the interfaces, there are
> # NO RTR-ADVERTs for <snip>:75:: and NO RTR-ADVERTs on eth0 in this
> # time, only expected RTR-ADVERTs on eth1 with the right address
> May  1 23:41:45 router dnsmasq-dhcp[3552]: RTR-ADVERT(brlxc) <snip>:75::
>
> This is how the interfaces are created:
>
> /etc/network/interfaces:
>> # Normal container bridge
>> iface brlxc inet static
>> 	pre-up brctl addbr brlxc
>> 	address 10.73.75.1
>> 	netmask 255.255.255.0
>> 	bridge_fd 0
>> 	post-down brctl delbr brlxc
>>
>> iface brlxc inet6 static
>> 	address 2001:610:6d0:75::1
>> 	netmask 64
>
> Then they are started using e.g.:
>> # ifup brlxc
>
> At this point, dnsmasq seems to function nicely.
>

The logging in dnsmasq is fairly straightforward: if it says it sent a
router advert to brlxc, it likely did.

My suspicion is about the setup of the bridge. I wonder if a router
advertisement sent by dnsmasq to brlxc is being bridged to eth0, due to
a small time window during the setup of the bridge where it's created
but not configured? An "interface up" event will trigger dnsmasq to send
a round of router advertisements, so that would be enough to synchronise
the sending of a RA with any time window in the setup process. Classic
race-condition.

Cheers,

Simon.
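
An added example, not part of the original thread: one way to tell the two explanations apart from a capture taken on the external segment. A router advertisement is sourced from the link-local address of the interface it was sent on, so an RA bridged from brlxc carries brlxc's address, while one dnsmasq sent on eth0 itself would carry eth0's. The function names, the prefix 2001:db8:0:75::/64 and the sample packet are constructed for illustration; the link-local addresses are the ones in the ifconfig output quoted above.

```python
import ipaddress
import struct

# Link-local addresses taken from the ifconfig output quoted in the post.
LINK_LOCALS = {
    "eth0": ipaddress.IPv6Address("fe80::21d:60ff:feea:9585"),
    "brlxc": ipaddress.IPv6Address("fe80::10e6:22ff:fe27:a873"),
}

def parse_ra(packet):
    """Return (source, [prefixes]) for a raw IPv6 packet holding an RA, else None."""
    if len(packet) < 56 or packet[0] >> 4 != 6 or packet[6] != 58:
        return None                      # too short, not IPv6, or not ICMPv6
    icmp = packet[40:]
    if icmp[0] != 134:                   # ICMPv6 type 134 = Router Advertisement
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    prefixes, off = [], 16               # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            break                        # malformed option: stop instead of looping
        if opt_type == 3 and opt_len == 32 and icmp[off + 2] <= 128:
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2]), strict=False))
        off += opt_len
    return src, prefixes

def classify(packet, internal_prefix):
    """Return (sending interface by source address, internal prefix advertised?)."""
    parsed = parse_ra(packet)
    if parsed is None:
        return None
    src, prefixes = parsed
    origin = next((name for name, a in LINK_LOCALS.items() if a == src), "unknown")
    return origin, ipaddress.IPv6Network(internal_prefix) in prefixes

def build_sample_ra(src, prefix):
    """Constructed packet, not a capture: IPv6 header + RA + one prefix option."""
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBII4x", 3, 4, net.prefixlen, 0xC0, 7200, 3600)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # checksum left 0
    icmp += pio + net.network_address.packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + icmp)

if __name__ == "__main__":
    pkt = build_sample_ra("fe80::10e6:22ff:fe27:a873", "2001:db8:0:75::/64")
    print(classify(pkt, "2001:db8:0:75::/64"))
```

A result of `("brlxc", True)` for a packet seen on the external wire is consistent with the bridging explanation; `("eth0", True)` would instead mean the advertisement was sent on eth0 directly.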