[Dnsmasq-discuss] Announce 2.85rc1 and security warning.

Petr Menšík pemensik at redhat.com
Tue Mar 23 16:52:30 UTC 2021


Hi,
More below...

On 3/20/21 10:26 AM, Simon Kelley wrote:
> 
> 
>>>
>>> 2) On *BSD this is moot anyway, since the index we're deriving is used
>>> for binding a UDP socket to an interface, and *BSD doesn't, as far as I
>>> know, have an equivalent of the SO_BINDTODEVICE linux ioctl, so it's not
>>> supported. Matthias, you can't test any code, since to do so you'd need
>>> to bind a server to an interface
>>>
>>> server=8.8.8.8@eth0
>>>
>>> and that will just exit with a "not supported" message on *BSD.
>>>
>>> I think the best bet here might be to use if_nametoindex(), on non-linux
>>> builds, so that the expected data is there, even if it's not used
>>> (principle of least surprise). I'll commit that patch.
>>>
>>>
>>> Matthias, do you know if FreeBSD has gained an equivalent of
>>> SO_BINDTODEVICE? Last time I looked it didn't, and a quick Google wasn't
>>> promising, but if it does that would be a useful thing to support.
>>
>> Simon, thank you.
>>
>> Apparently FreeBSD still has neither SO_BINDTODEVICE nor IP_SENDIF.
>> https://github.com/freebsd/freebsd-src is a mirror of FreeBSD's source
>> and has a search function. Nadazero except users in included/imported
>> third-party application code.
>>
>> For specifying datagram source addresses, it would appear you can either
>> bind(2) the socket you send from, or you can use IP_SENDSRCADDR as
>> ancillary data for sendmsg() if you want to ship out from unbound udp(4)
>> sockets. Anything else that we need here functionally?
I think the current code always binds to the ANY source address and a randomized port.

> The dnsmasq code already binds the sending socket, and binding servers
> to source addresses works under FreeBSD (hence, this is still a security
> issue for you, though probably a very minor one, since you don't have
> the ubiquity of networkmanager usage driving things.)
I am not sure: is Network Manager only Linux-specific? I am not sure:
could it be used on any *BSD?
> 
> Adding binding to interfaces will be pretty trivial if/when FreeBSD adds
> the kernel smarts with any API. (The Linux calls are not necessarily the
> ones to emulate - SO_BINDTODEVICE takes interface _name_ but IP_SENDIF
> takes interface _index_. Hmmm.)

It seems to me Linux solves just a corner case, when a single IP address
might be used on multiple interfaces. If all addresses are unique
(common on most systems), just a bind() call with the first IP address on that
interface would work also on Linux. If it were modified to use the
first address on the interface to bind(), it would work also on BSD or
the BSD socket implementation.

It seems bind()-ing to INADDR_ANY as source, then using extra features
to bind only to a single interface, is unnecessarily linked to special
features like SO_BINDTODEVICE. We should have useful data already
fetched by enumerate_addresses().

It seems there is not a hard enough push for this functionality on *BSD. I
think it wouldn't be hard to implement it there also. It would use the
interface name just to obtain some address on it, and otherwise work the
same way as an explicit @1.2.3.4 address specified for a server. Similar to
the logic done for --interface and --bind-interfaces, it is more or less
equivalent to --listen-address with an address from the interface.

> 
> Cheers,
> 
> Simon.
> 
>>
>> https://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=4&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html
>>
>> https://www.freebsd.org/cgi/man.cgi?query=sendmsg&apropos=0&sektion=2&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html
>>
>> and the structures are on the recv(2) manpage:
>>
>> https://www.freebsd.org/cgi/man.cgi?query=recvmsg&apropos=0&sektion=2&manpath=FreeBSD+11.4-RELEASE&arch=default&format=html

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
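The approach Petr sketches above, as an added example that is not dnsmasq's code: resolve the interface name to its first IPv4 address with getifaddrs() and bind() the sending socket to it, which works on Linux and *BSD alike, keeping the Linux-only SO_BINDTODEVICE under #ifdef for the corner case where one address sits on several interfaces. sample_list() is a constructed ifaddrs list for offline testing, and names such as bind_udp_to_iface are my own.

```c
#include <errno.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* First IPv4 address of interface `name` in an ifaddrs list, or NULL if it has none. */
const struct sockaddr_in *first_ipv4(const struct ifaddrs *list, const char *name)
{
    for (const struct ifaddrs *i = list; i; i = i->ifa_next)
        if (i->ifa_addr && i->ifa_addr->sa_family == AF_INET && strcmp(i->ifa_name, name) == 0)
            return (const struct sockaddr_in *)i->ifa_addr;
    return NULL;
}

/* Constructed sample list (not a live system): eth0 has an IPv6 entry, then 192.0.2.10; lo has 127.0.0.1. */
struct ifaddrs *sample_list(void)
{
    static struct sockaddr_in6 eth0_v6 = { .sin6_family = AF_INET6 };
    static struct sockaddr_in eth0_v4 = { .sin_family = AF_INET }, lo_v4 = { .sin_family = AF_INET };
    static char eth0[] = "eth0", lo[] = "lo";
    static struct ifaddrs e[3];
    eth0_v4.sin_addr.s_addr = htonl(0xC000020A);
    lo_v4.sin_addr.s_addr = htonl(0x7F000001);
    e[0] = (struct ifaddrs){ .ifa_next = &e[1], .ifa_name = eth0, .ifa_addr = (struct sockaddr *)&eth0_v6 };
    e[1] = (struct ifaddrs){ .ifa_next = &e[2], .ifa_name = eth0, .ifa_addr = (struct sockaddr *)&eth0_v4 };
    e[2] = (struct ifaddrs){ .ifa_next = NULL, .ifa_name = lo, .ifa_addr = (struct sockaddr *)&lo_v4 };
    return e;
}

/* UDP socket sourced from the first IPv4 address on `ifname`, kernel-chosen port. bind() is the
   portable part; on Linux SO_BINDTODEVICE also pins the device. Returns the fd, or -1 with errno set. */
int bind_udp_to_iface(const char *ifname)
{
    struct ifaddrs *list; struct sockaddr_in addr;
    if (getifaddrs(&list) != 0) return -1;
    const struct sockaddr_in *src = first_ipv4(list, ifname);
    if (src) { addr = *src; addr.sin_port = 0; }   /* port 0: kernel picks a random source port */
    freeifaddrs(list);
    if (!src) { errno = ENODEV; return -1; }        /* interface missing or has no IPv4 address */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
#ifdef SO_BINDTODEVICE
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) != 0) goto fail;
#endif
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) goto fail;
    return fd;
fail: { int e = errno; close(fd); errno = e; return -1; }
}
```

Without the #ifdef block the same function is what a *BSD build can do today: the interface name is used only to pick an address, exactly as an explicit @address would be.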
