On 16/02/2022 20:19, Martin-Éric Racine wrote:
The startup message DOES suggest that DHCP is bound to an exclusive
interface, not to wildcard. This is misleading.
No, it's not. It calls setsockopt(SO_BINDTODEVICE), which binds the socket
to the physical interface instead of to an IP address.
Meanwhile TFTP is not meant to appear on loopback.
Why? I guess we could argue the 15-year old design decision to do that,
but it would be pointless since I'm not going to change it now and risk
breaking installations which rely on it.
As I said, that option is available using --listen-address.
Simon.
Martin-Éric
On Wed, Feb 16, 2022 at 10:11 PM Simon Kelley <[email protected]> wrote:
67 is DHCP and always binds the wildcard: that's necessary to make DHCP
work. It checks the arrival address of packets and discards those which
are not valid.
interface= is documented to listen on the addresses of the given
interface AND LOOPBACK. If you want to exclude loopback, you can do
listen-address=172.16.1.2
instead.
Simon.
On 16/02/2022 19:58, Martin-Éric Racine wrote:
bind-interfaces is supposed to restrict the services to exactly those
defined in interfaces. It currently doesn't.
My reduced config:
bogus-priv
conntrack
dns-loop-detect
dnssec
domain-needed
domain=lan
local=/lan/
expand-hosts
dhcp-hostsfile=/etc/dhcp-hostsfile
dhcp-fqdn
dhcp-option=option:dns-server,0.0.0.0,9.9.9.9,1.1.1.1
dhcp-option=option6:dns-server,[::]
dhcp-range=tag:br0,172.16.0.0,static,infinite
dhcp-range=tag:br0,::,constructor:br0,ra-names,ra-stateless,infinite
quiet-ra
interface=br0
bind-interfaces
enable-tftp
tftp-root=/srv/tftp
dhcp-boot=net:eth,/debian-installer/i386/undionly.kpxe
dhcp-boot=net:pxe,/debian-installer/i386/pxelinux.0
dhcp-vendorclass=eth,Etherboot
dhcp-vendorclass=pxe,PXEClient
dhcp-option=vendor:pxe,6,2b
#EOF
What the startup log shows:
Feb 16 21:51:07 voima systemd[1]: Starting dnsmasq - A lightweight
DHCP and caching DNS server...
Feb 16 21:51:07 voima dnsmasq[8813]: started, version 2.85 cachesize 150
Feb 16 21:51:07 voima dnsmasq[8813]: compile time options: IPv6
GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack
ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
Feb 16 21:51:07 voima dnsmasq[8813]: DNSSEC validation enabled
Feb 16 21:51:07 voima dnsmasq[8813]: configured with trust anchor for
<root> keytag 20326
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, static leases only on
172.16.0.0, lease time infinite
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on
(redacted), constructed for br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on
(redacted), constructed for br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on
(redacted), constructed for br0
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, sockets bound
exclusively to interface br0
Feb 16 21:51:07 voima dnsmasq-tftp[8813]: TFTP root is /srv/tftp
Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known
addresses for domain lan
Feb 16 21:51:07 voima dnsmasq[8813]: reading /etc/resolv.conf
Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known
addresses for domain lan
Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
Feb 16 21:51:07 voima dnsmasq[8813]: read /etc/hosts - 20 addresses
Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: read /etc/dhcp-hostsfile
Feb 16 21:51:07 voima systemd[1]: Started dnsmasq - A lightweight DHCP
and caching DNS server.
Yet netstat shows me:
$ netstat | grep dnsmasq | grep -v p6
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7036/dnsmasq
tcp 0 0 172.16.1.2:53 0.0.0.0:* LISTEN 7036/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 7036/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 7036/dnsmasq
udp 0 0 127.0.0.1:69 0.0.0.0:* 7036/dnsmasq
udp 0 0 172.16.1.2:53 0.0.0.0:* 7036/dnsmasq
udp 0 0 172.16.1.2:69 0.0.0.0:* 7036/dnsmasq
67 is on wild card and 69 appears on loopback. Neither of these should
happen. They should only be on 172.16.1.2 yet they aren't. Basically,
unless I misunderstood something, nothing except 53 should appear on
loopback as per the above config.
Cheers!
Martin-Éric
On Wed, Feb 16, 2022 at 9:36 PM Simon Kelley <[email protected]> wrote:
I'm not clear what you think is happening, and what you want to happen.
bind-interfaces works for tftp; there will be a socket for each address
on each valid interface bound to that address and port 69
no-dhcp-interface does indeed suppress tftp on that interface too, and
is documented so to do.
Cheers,
Simon.
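The two socket models Simon describes in this thread, side by side: the DHCP model (bind the wildcard address, pin the socket to one device with SO_BINDTODEVICE, then check each datagram's arrival address and discard what is not served) and the bind-interfaces model he describes for TFTP (one socket per address, bound to that address and port). This is an added example written for this thread, not dnsmasq's own code; the interface name br0 and the address 172.16.1.2 come from the thread, while open_udp_socket, arrival_address_ok, arrival_ok_str and recv_with_arrival are names chosen for the example.

```c
/* Added example, not dnsmasq's code: wildcard+SO_BINDTODEVICE (DHCP model)
 * versus per-address binding (bind-interfaces/TFTP model), plus the
 * IP_PKTINFO arrival-address check a wildcard socket must do itself. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* bind_addr == NULL binds 0.0.0.0 (wildcard); otherwise one address.
 * ifname != NULL pins the socket to that device. Returns fd or -1. */
int open_udp_socket(const char *bind_addr, const char *ifname, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (bind_addr == NULL)
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
    else if (inet_pton(AF_INET, bind_addr, &sa.sin_addr) != 1)
        return -1;                      /* not a valid dotted-quad address */

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    /* Ask the kernel to report the destination address of each datagram. */
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0)
        goto fail;
    if (ifname != NULL) {
        /* Bind to the device itself: datagrams arriving on any other
         * interface are dropped by the kernel, whatever address they carry. */
        struct ifreq ifr;
        memset(&ifr, 0, sizeof ifr);
        strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
        if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof ifr) < 0)
            goto fail;                  /* ENODEV for an unknown interface */
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Accept only datagrams addressed to one of the addresses we serve. */
int arrival_address_ok(struct in_addr dst, const struct in_addr *served, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (served[i].s_addr == dst.s_addr)
            return 1;
    return 0;
}

/* Same check on dotted-quad strings, for a single served address. */
int arrival_ok_str(const char *dst, const char *served)
{
    struct in_addr d, s;
    if (inet_pton(AF_INET, dst, &d) != 1 || inet_pton(AF_INET, served, &s) != 1)
        return 0;
    return arrival_address_ok(d, &s, 1);
}

/* Receive one datagram and extract its destination address and arrival
 * interface index from the IP_PKTINFO control message. */
ssize_t recv_with_arrival(int fd, void *buf, size_t len, struct in_addr *dst, int *ifindex)
{
    char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = control, .msg_controllen = sizeof control };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    dst->s_addr = 0;
    *ifindex = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;         /* destination address from the IP header */
            *ifindex = pi.ipi_ifindex;
        }
    return n;
}

int main(void)
{
    /* DHCP model: wildcard socket pinned to br0 (port 67 needs privileges). */
    int fd = open_udp_socket(NULL, "br0", 67);
    if (fd < 0) { perror("open_udp_socket"); return 1; }
    char buf[1500], s[INET_ADDRSTRLEN];
    struct in_addr dst;
    int ifindex;
    ssize_t n = recv_with_arrival(fd, buf, sizeof buf, &dst, &ifindex);
    if (n >= 0 && inet_ntop(AF_INET, &dst, s, sizeof s))
        printf("%s %zd bytes addressed to %s on ifindex %d\n",
               arrival_ok_str(s, "172.16.1.2") ? "accepted" : "discarded", n, s, ifindex);
    close(fd);
    return n < 0;
}
```

open_udp_socket("172.16.1.2", NULL, 69) is the per-address TFTP model: the kernel only delivers datagrams sent to that address, so no arrival check is needed. open_udp_socket(NULL, "br0", 67) is the DHCP model: the wildcard bind is what lets the server see broadcast and 0.0.0.0-sourced client traffic, SO_BINDTODEVICE restricts it to one device, and the IP_PKTINFO check filters the remainder; netstat reports such a socket as 0.0.0.0:67 even though it never answers on another interface.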
On 16/02/2022 13:42, Martin-Éric Racine wrote:
Package: dnsmasq
Version: 2.85-1
Severity: important
If 'enable-tftp' is set, the TFTP server appears on all interfaces. It
completely disregards bind-interfaces and friends. One would think that TFTP
would only be offered on interfaces where dnsmasq happens to offer DHCP
services (since DHCP essentially is a superset of BOOTP, to which TFTP is
related), but apparently not.
The relevant part of my config:
bind-interfaces
interface=br0
except-interface=enp4s0
no-dhcp-interface=enp4s0
IMHO, the only service that dnsmasq should offer on both loopback and
'interface' is DNS. It ought to be possible to bind every other service that
dnsmasq can offer to specific interfaces.
If the above already is possible, but my particular combination of
bind-interfaces/interface/except-interface/no-dhcp-interface prevents that, I
welcome tips on how to fix it.
Martin-Éric
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dnsmasq depends on:
ii dnsmasq-base [dnsmasq-base] 2.85-1
ii init-system-helpers 1.60
ii lsb-base 11.1.0
ii netbase 6.3
ii runit-helper 2.10.3
dnsmasq recommends no packages.
Versions of packages dnsmasq suggests:
pn resolvconf <none>
-- no debconf information