can't bind socket: Permission denied for IPv6 (port below 1024)

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Jul 3 14:03:43 UTC 2018


Hi,

On 03/07/18 13:39, nusenu via Unbound-users wrote:
>> I can see the similar issue with similar config (which is there btw
>> because of selinux preventing use of non-dynamic ports.
>>
>> Jul  3 12:56:28 resolver unbound: [18382:0] error: can't bind socket:
>> Permission denied for ::
>> Jul  3 13:56:27 resolver unbound: [18382:0] error: can't bind socket:
>> Permission denied for 0.0.0.0
>>
>> But in my log lines there is no port.
> 
> to get the used ports you would have to apply the patch from this thread.
> 
>  
>> Could it be auth-zone not using those outgoing-port-permit and
>> outgoing-port-avoid settings - timing from log looks like it could be
>> caused by rfc7706 config.
> 
> I'm using auth-zone (for RFC7706) indeed.

Yes, that is the problem: the auth zone probes did not consult the
config.  They used 16-bit random port numbers, good for security, but
not what the config asked for.  So I made a patch.  This patch is also
more capable in case of a lot of traffic with interfaces fully in use:
it fails over to an unused port on another interface.

Fix in code repository, (bigger patch), but also reproduced below.

Best regards, Wouter


Index: services/outside_network.c
===================================================================
--- services/outside_network.c	(revision 4768)
+++ services/outside_network.c	(working copy)
@@ -2192,40 +2192,49 @@
 {
 	struct sockaddr_storage* addr;
 	socklen_t addrlen;
-	int i;
-	int try;
+	int i, try, pnum;
+	struct port_if* pif;

-	/* select interface */
-	if(addr_is_ip6(to_addr, to_addrlen)) {
-		if(outnet->num_ip6 == 0) {
-			char to[64];
-			addr_to_str(to_addr, to_addrlen, to, sizeof(to));
-			verbose(VERB_QUERY, "need ipv6 to send, but no ipv6 outgoing
interfaces, for %s", to);
-			return -1;
-		}
-		i = ub_random_max(outnet->rnd, outnet->num_ip6);
-		addr = &outnet->ip6_ifs[i].addr;
-		addrlen = outnet->ip6_ifs[i].addrlen;
-	} else {
-		if(outnet->num_ip4 == 0) {
-			char to[64];
-			addr_to_str(to_addr, to_addrlen, to, sizeof(to));
-			verbose(VERB_QUERY, "need ipv4 to send, but no ipv4 outgoing
interfaces, for %s", to);
-			return -1;
-		}
-		i = ub_random_max(outnet->rnd, outnet->num_ip4);
-		addr = &outnet->ip4_ifs[i].addr;
-		addrlen = outnet->ip4_ifs[i].addrlen;
-	}
-
 	/* create fd */
 	for(try = 0; try<1000; try++) {
+		int port = 0;
 		int freebind = 0;
 		int noproto = 0;
 		int inuse = 0;
-		int port = ub_random(outnet->rnd)&0xffff;
 		int fd = -1;
+
+		/* select interface */
 		if(addr_is_ip6(to_addr, to_addrlen)) {
+			if(outnet->num_ip6 == 0) {
+				char to[64];
+				addr_to_str(to_addr, to_addrlen, to, sizeof(to));
+				verbose(VERB_QUERY, "need ipv6 to send, but no ipv6 outgoing
interfaces, for %s", to);
+				return -1;
+			}
+			i = ub_random_max(outnet->rnd, outnet->num_ip6);
+			pif = &outnet->ip6_ifs[i];
+		} else {
+			if(outnet->num_ip4 == 0) {
+				char to[64];
+				addr_to_str(to_addr, to_addrlen, to, sizeof(to));
+				verbose(VERB_QUERY, "need ipv4 to send, but no ipv4 outgoing
interfaces, for %s", to);
+				return -1;
+			}
+			i = ub_random_max(outnet->rnd, outnet->num_ip4);
+			pif = &outnet->ip4_ifs[i];
+		}
+		addr = &pif->addr;
+		addrlen = pif->addrlen;
+		pnum = ub_random_max(outnet->rnd, pif->avail_total);
+		if(pnum < pif->inuse) {
+			/* port already open */
+			port = pif->out[pnum]->number;
+		} else {
+			/* unused ports in start part of array */
+			port = pif->avail_ports[pnum - pif->inuse];
+		}
+
+		if(addr_is_ip6(to_addr, to_addrlen)) {
 			struct sockaddr_in6 sa = *(struct sockaddr_in6*)addr;
 			sa.sin6_port = (in_port_t)htons((uint16_t)port);
 			fd = create_udp_sock(AF_INET6, SOCK_DGRAM,
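Review bot: The port draw at `pnum = ub_random_max(outnet->rnd, pif->avail_total);` indexes `pif->out[]` or `pif->avail_ports[]` without first checking that the chosen interface has any ports configured; if `avail_total` can be 0 for an interface (every port excluded by outgoing-port-avoid, or none permitted), `pif->avail_ports[pnum - pif->inuse]` reads past an empty array. Whether the config loader guarantees a non-zero `avail_total` is not visible in this hunk, so a guard before the draw would make the failure explicit rather than undefined: `if(pif->avail_total == 0) { verbose(VERB_QUERY, "no outgoing ports available on interface"); return -1; }`. As a point of style, `addr_is_ip6(to_addr, to_addrlen)` is evaluated twice per iteration, once to choose `pif` and once for the socket family; storing the result in a local `int is6` would tie the two branches to the same decision. The enclosing function's signature and the remainder of the loop body lie outside the hunk.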



> 
> 

