[Dnsmasq-discuss] [PATCH] Another regression from v2.83 on bound interfaces

Petr Menšík pemensik at redhat.com
Wed Mar 10 10:22:05 UTC 2021 

It was found this behaviour does not depend on specific kernel version,
but on sysctl net.ipv4.conf.all.rp_filter configured by default on the
system.

It works with values 0 and 2 (2 is used on Fedora), but does not work on
RHEL 7 or RHEL 8 with value=1.

Of course it is important to take both all and interface specific value
into account. Evaluated value is take from rp_filter =
max(net.ipv4.conf.$IFACE.rp_filter,net.ipv4.conf.all.rp_filter)

If only bound interfaces are configured and rp_filter==1, then current
resolution would work only on the last interface. If active route is on
the first interface, it just would not work at all.

On my test machine, resolution were saved by IPv6 resolution received
via router advertisement. It does not use bound socket and therefore
worked with rp filter.

On 3/9/21 1:25 AM, Petr Menšík wrote:
> Hi Simon,
> 
> Another issue was reported on RHEL7 dnsmasq 2.76[1] after CVE fixes were
> backported. I think this issue is still present on current version as
> well, it is just not as severe as on RHEL7 kernel
> 3.10.0-1160.21.1.el7.x86_64.
> 
> It happens when dnsmasq is used in dns=dnsmasq under Network Manager. It
> configures then separate servers for each interface and prepares socket
> for outgoing requests. Because of changes to harden accepted replies
> only from correct socket, it would accept only response from the last
> server with bound socket. When a laptop is connected with both
> interfaces, it stops resolution altogether. On RHEL7, for yet unknown
> reason it blocks reply over wifi device, it never reaches the socket of
> dnsmasq (tested with strace). Reply over ethernet arrives, but because
> frec->sentto->sfd->fd does not match attempt last sent over wifi, it is
> ignored.
> 
> Specific issue prevents complete resolution, once both devices are
> connected. When only one of them is connected, resolution work both over
> wifi and ethernet separately.
> 
> On RHEL8 kernel 4.18.0-295.el8.x86_64 receiving over wifi still works,
> so it does not break resolution. When I used iptables to block incoming
> responses over wifi, it failed to switch to ethernet even on v2.84. It
> is just saved by the last working interface this time. If that breaks,
> it breaks completely. The same on Fedora 5.10.19-100.fc32.x86_64 kernels.
> 
> I attached patch with change proposal, I am not too sure about that. I
> think frec->sentto is not enough, because it can forward query to
> multiple servers in daemon->servers list. It seems like luck coincidence
> that bound sockets (those with sentto->sfd != NULL) are at the end of
> servers list. Meaning test in frec_lookup it can test frec->sentto->sfd.
> If the last server were not the one with bound socket, this test would
> never lead to sfd. Any reply to it would be ignored in that case. Now
> all but the last one are ignored.
> 
> I changed it to accept reply on any bound sockets if bound socket were
> used to forward requests. It relaxes the test and might accept also from
> unrelated sockets. But I have not found good and simple way to check
> only servers used when sending. It fixes the problem on RHEL7. It might
> lower security in some cases, but works fine on my case with Lenovo
> laptop, Network Manager and dnsmasq forwarders configured over d-bus.
> 
> Review, opinions or alternative ways to fix it welcome.
> 
> Cheers,
> Petr
> 
> 1. https://bugzilla.redhat.com/show_bug.cgi?id=1923913

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20210310/7137aa48/attachment.sig>

More information about the Dnsmasq-discuss mailing list