[Pkg-dns-devel] Bug#720864: Bug#720864: Fails to bind IPv6 socket during DAD
Robert Edmonds
edmonds at debian.org
Tue Mar 1 19:14:42 UTC 2016
martin f krafft wrote:
> thus spoke Robert Edmonds <edmonds at debian.org> [2013-09-23 19:16 +0200]:
> > i think the best thing to do, however, is to just make sure in the
> > distro that when static IPv6 addressing is used, that we fully bring up
> > the network before starting any network daemons.
>
> You'll be at odds with the systemd mafia. On
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ at
> the bottom, they specifically write:
Well, the systemd mafia does make some persuasive arguments...
> If you write a server: if you want to listen on other, explicitly
> configured addresses, consider using the IP_FREEBIND sockopt
> functionality of the Linux kernel. This allows your code to bind
> to an address even if it is not actually (yet or ever) configured
> locally. This also makes your code robust towards network
> configuration changes.
>
> And in fact, I do agree with them.
I like the first suggestion even more:
Watch rtnetlink and react properly to network configuration changes
as they happen. This is usually the nicest solution, but not always
the easiest.
But that is significantly more development work.
> Do you think adding IP_FREEBIND is an option?
There are already a number of socket options that are configurable in
unbound.conf, e.g. so-rcvbuf, so-sndbuf, so-reuseport, ip-transparent,
so I don't think one more would hurt all that much, especially if it
fixes this problem.
By the way, have you tried "ip-transparent: yes"? According to
unbound.conf:
ip-transparent: <yes or no>
If yes, then use IP_TRANSPARENT socket option on sockets where
unbound is listening for incoming traffic. Default no. Allows
you to bind to non-local interfaces. For example for non-existent
IP addresses that are going to exist later on, with host
failover configuration. This is a lot like interface-automatic,
but that one services all interfaces and with this option you
can select which (future) interfaces unbound provides service
on. This option needs unbound to be started with root permissions
on some systems.
That makes it sound pretty much identical to IP_FREEBIND, but according
to ip(7):
IP_FREEBIND (since Linux 2.4)
If enabled, this boolean option allows binding to an IP address
that is nonlocal or does not (yet) exist. This permits listening
on a socket, without requiring the underlying network interface
or the specified dynamic IP address to be up at the time
that the application is trying to bind to it. This option is
the per-socket equivalent of the ip_nonlocal_bind /proc interface
described below.
IP_TRANSPARENT (since Linux 2.6.24)
Setting this boolean option enables transparent proxying on this
socket. This socket option allows the calling application to
bind to a nonlocal IP address and operate both as a client and a
server with the foreign address as the local endpoint. NOTE:
this requires that routing be set up in a way that packets going
to the foreign address are routed through the TProxy box (i.e.,
the system hosting the application that employs the IP_TRANSPARENT
socket option). Enabling this socket option requires superuser
privileges (the CAP_NET_ADMIN capability).
TProxy redirection with the iptables TPROXY target also requires
that this option be set on the redirected socket.
I wonder if IP_FREEBIND would actually be a better fit for the
functionality described in unbound.conf than IP_TRANSPARENT, since
unbound.conf doesn't mention any of the proxying properties of
IP_TRANSPARENT.
--
Robert Edmonds
edmonds at debian.org
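An added example, not code from this thread or from unbound, showing the difference the ip(7) excerpt above describes: it tries to bind a UDP socket to an address that is not configured on any local interface, once without and once with IP_FREEBIND. The probe addresses are documentation-prefix values chosen for the example, and port 0 is used so no privilege is needed; the code is Linux-only.

```c
/* Added example, not code from the thread or from unbound: bind a UDP
 * socket to an address that is not configured on any local interface,
 * with and without IP_FREEBIND (Linux only). Returns 0 on success or
 * -errno; EADDRNOTAVAIL is what a daemon sees when it starts before
 * DAD has finished and the static IPv6 address is not yet usable. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int bind_probe(const char *addr, int freebind)
{
    union { struct sockaddr sa; struct sockaddr_in v4; struct sockaddr_in6 v6; } u;
    int v6 = strchr(addr, ':') != NULL, fd, err = 0;
    socklen_t len = v6 ? sizeof(u.v6) : sizeof(u.v4);

    memset(&u, 0, sizeof(u));
    u.sa.sa_family = v6 ? AF_INET6 : AF_INET;
    /* port stays 0 (ephemeral), so the probe needs no privilege */
    if (inet_pton(u.sa.sa_family, addr, v6 ? (void *)&u.v6.sin6_addr : (void *)&u.v4.sin_addr) != 1)
        return -EINVAL;
    fd = socket(u.sa.sa_family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    /* Level IPPROTO_IP is honoured on AF_INET6 sockets too; IPV6_FREEBIND
     * (Linux >= 4.15) is the IPv6-specific spelling of the same flag. */
    if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &freebind, sizeof(freebind)) < 0)
        err = -errno;
    else if (bind(fd, &u.sa, len) < 0)
        err = -errno;
    close(fd);
    return err;
}

int main(void)
{
    /* constructed probe addresses from the documentation prefixes */
    const char *addrs[] = { "192.0.2.53", "2001:db8::53" };
    for (int i = 0; i < 2; i++)
        for (int fb = 0; fb <= 1; fb++) {
            int r = bind_probe(addrs[i], fb);
            printf("%-13s freebind=%d -> %s\n", addrs[i], fb, r ? strerror(-r) : "bound");
        }
    return 0;
}
```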