[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
Paul Wouters
paul at nohats.ca
Thu Dec 14 05:56:36 UTC 2017
On Wed, 13 Dec 2017, Anand Buddhdev wrote:
>> We have a different opinion on what is "normal behaviour". I believe the
>> normal behaviour is to reply using the IP address you received the
>> packet from, eg using:
>>
>> err = setsockopt(s, SOL_IP, IP_PKTINFO, &opt, sizeof(opt));
>>
>> or
>>
>> err = setsockopt(s, IPPROTO_IP, IP_RECVDSTADDR, &opt, sizeof(opt));
>
> I don't know if these options are available in non-Linux socket
> implementations, and is probably the reason that NSD doesn't use them.
Yes they are, but apparently for freebsd you use IP_RECVDSTADDR.
https://www.freebsd.org/cgi/man.cgi?query=ip&sektion=4&manpath=FreeBSD+9.0-RELEASE
If the IP_RECVDSTADDR option is enabled on a SOCK_DGRAM socket, the
recvmsg(2) call will return the destination IP address for a UDP data-
gram. The msg_control field in the msghdr structure points to a buffer
that contains a cmsghdr structure followed by the IP address. The
cmsghdr fields have the following values:
cmsg_len = sizeof(struct in_addr)
cmsg_level = IPPROTO_IP
cmsg_type = IP_RECVDSTADDR
The source address to be used for outgoing UDP datagrams on a socket that
is not bound to a specific IP address can be specified as ancillary data
with a type code of IP_SENDSRCADDR. The msg_control field in the msghdr
structure should point to a buffer that contains a cmsghdr structure fol-
lowed by the IP address. The cmsghdr fields should have the following
values:
[...]
There is really no excuse to answer using the wrong IP :P
> I know the questions will come, so let me try to anticipate them and
> answer them. Someone might ask why this isn't necessary with BIND. This
> is because BIND attempts to detect the capability of the OS it's running
> on, and compensate for the cases where these advanced options are not
> present. This may make it easier for an operator, but at the expense of
> more code complexity. I really do prefer NSD's simpler approach.
bind, powerdns, unbound and knot use these mechanisms. Someone should
really just fix is for nsd as well.
Paul
More information about the nsd-users
mailing list