[Dnsmasq-discuss] FreeBSD complement to Linux's netlink: route(4) socket
Simon Kelley
simon at thekelleys.org.uk
Mon Dec 9 16:58:48 GMT 2013
On 05/12/13 00:13, Matthias Andree wrote:
> Am 03.12.2013 12:11, schrieb Simon Kelley:
>
>> The standard fix is to use --bind-dynamic, which can rely on the
>> existence of the extended API. Unfortunately that doesn't work on
>> FreeBSD because it also relies on a method of getting asynchronous
>> events when interfaces/address come and go. Does FreeBSD have an
>> equivalent of the Linux netlink socket?
>
> Following up on this question, I asked the FreeBSD-hackers@ list and got
> a useful pointer from Ian Lepore to the PF_ROUTE SOCK_RAW socket.
> The family can be used as an address filter, I used AF_UNSPEC.
>
> If a user-space application has such a route socket open, it can change
> the route table, or receive information from the kernel - not only about
> route changes, but also address changes, interface flag changes,
> interfaces appearing or dematerializing. You could use
>
> The relevant information is in man 4 route, and in the headers
> (sys/socket.h, net/if.h, for instance).
>
> I dug around and have come up with a demo program that opens a route
> socket, selects() for messages, receives them, and decodes those I would
> find interesting for dnsmasq. It took quite a bit of debugging to get
> the addresses in the messages decoded properly.
>
OK, using this, I've implemented dynamic interface-address discovery for
*BSD. Available now in git and as 2.69test1. This is very useful as it
stands, since it makes the dynamic DHCPv6 address-range facility using
the constructor: keyword work on *BSD.
Unfortunately, it doesn't make --bind-dynamic work, at least not in a
useful way. The problem is that when new interface addresses come along,
dnsmasq has to bind sockets to them at low ports. This is not allowed
when running as non-root, and of course dnsmasq drops root once it's
started.
On Linux, this problem is solved by using process capabilities: the
dnsmasq process retains the ability to bind low ports when it gives away
the rest of the root privileges. I don't think there's a direct
equivalent to capabilities in *BSD. Is there another way to allow a
non-root process to bind low ports?
Cheers,
Simon.
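The address decoding Matthias mentions having to debug, as an added example that is not code from this thread or from dnsmasq: a decoder for the sockaddr block that follows an RTM_NEWADDR/RTM_DELADDR message on a PF_ROUTE socket, with a constructed sample message to run it on. It assumes FreeBSD's ifa_msghdr layout and its RTM_/RTA_/AF_ values (copied into the block so it builds on any host); on FreeBSD you would include <net/route.h> and feed it the bytes read from socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC).

```c
#include <stdint.h>
#include <string.h>
/* Constants and the ifa_msghdr layout mirror FreeBSD's <net/route.h>/<net/if.h> (assumed:
 * 20-byte header, sockaddrs padded to sizeof(long)); spelled out so this compiles anywhere. */
#define RTM_NEWADDR  0x0c
#define RTM_DELADDR  0x0d
#define RTA_IFA      0x20   /* ifam_addrs bit: interface-address sockaddr present */
#define BSD_AF_INET  2
#define BSD_AF_INET6 28     /* FreeBSD value, not the Linux one */
struct bsd_ifa_msghdr { uint16_t ifam_msglen; uint8_t ifam_version, ifam_type;
    int32_t ifam_addrs, ifam_flags; uint16_t ifam_index, spare; int32_t ifam_metric; };
struct addr_event { int added; unsigned ifindex; int family; uint8_t addr[16]; };
/* SA_SIZE(): sa_len rounded up to a multiple of sizeof(long), one long when sa_len == 0.
 * Stepping by sizeof(struct sockaddr_in) instead is the classic bug: netmasks are shorter. */
static size_t sa_size(uint8_t sa_len)
{ return sa_len == 0 ? sizeof(long) : 1 + ((sa_len - 1) | (sizeof(long) - 1)); }
/* 1 = RTM_NEWADDR/RTM_DELADDR decoded into *ev, 0 = other type, -1 = truncated/unknown AF */
int decode_addr_msg(const uint8_t *msg, size_t len, struct addr_event *ev)
{
    struct bsd_ifa_msghdr h;
    if (len < sizeof h) return -1; memcpy(&h, msg, sizeof h);
    if (h.ifam_msglen > len) return -1;            /* short read: never walk past the buffer */
    if (h.ifam_type != RTM_NEWADDR && h.ifam_type != RTM_DELADDR) return 0;
    ev->added = (h.ifam_type == RTM_NEWADDR); ev->ifindex = h.ifam_index; ev->family = 0;
    size_t off = sizeof h;           /* sockaddrs follow in ascending RTA_ bit order (RTA_DST..RTA_BRD) */
    for (int bit = 1; bit <= 0x80; bit <<= 1) {
        if (!(h.ifam_addrs & bit)) continue;
        if (off + 2 > h.ifam_msglen || off + sa_size(msg[off]) > h.ifam_msglen) return -1;
        const uint8_t *sa = msg + off;   /* sa[0] = sa_len, sa[1] = sa_family */
        if (bit == RTA_IFA && sa[1] == BSD_AF_INET && sa[0] >= 8)
            { ev->family = BSD_AF_INET;  memcpy(ev->addr, sa + 4, 4); }  /* sin_addr at +4 */
        if (bit == RTA_IFA && sa[1] == BSD_AF_INET6 && sa[0] >= 24)
            { ev->family = BSD_AF_INET6; memcpy(ev->addr, sa + 8, 16); } /* sin6_addr at +8 */
        off += sa_size(sa[0]);
    }
    return ev->family ? 1 : -1;
}
/* Constructed sample, not a captured kernel message: RTM_NEWADDR for 192.0.2.10/24 on ifindex 3,
 * with a short netmask (sa_len 7), an AF_LINK sockaddr_dl for "em0" and the sockaddr_in itself. */
size_t build_sample_newaddr(uint8_t *buf, size_t cap)
{
    static const uint8_t mask[7] = {7, 0, 0, 0, 255, 255, 255};
    static const uint8_t ifp[20] = {20, 18, 3, 0, 6, 3, 0, 0, 'e', 'm', '0'};  /* sdl_index 3 LE */
    static const uint8_t ifa[16] = {16, BSD_AF_INET, 0, 0, 192, 0, 2, 10};
    struct bsd_ifa_msghdr h = {0, 5, RTM_NEWADDR, 0x04 | 0x10 | RTA_IFA, 0, 3, 0, 0};
    const uint8_t *sas[3] = {mask, ifp, ifa}; size_t off = sizeof h;
    if (cap < 128) return 0; memset(buf, 0, cap);
    for (int i = 0; i < 3; off += sa_size(sas[i++][0]))
        memcpy(buf + off, sas[i], sas[i][0]);   /* padding bytes stay zero */
    h.ifam_msglen = (uint16_t)off; memcpy(buf, &h, sizeof h);
    return off;
}
```

A daemon would read(2) whole messages from the route socket inside its select() loop, call decode_addr_msg on each, and rescan its interface list only when it returns 1.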