
Bug#1005874: dnsmasq: TFTP server disregards bind-interfaces & co.


Martin-Éric Racine

Feb 16, 2022, 8:50:03 AM
Package: dnsmasq
Version: 2.85-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

If 'enable-tftp' is set, the TFTP server appears on all interfaces. It completely disregards bind-interfaces and friends. One would think that TFTP would only be offered on interfaces where dnsmasq happens to offer DHCP services (since DHCP essentially is a superset of BOOTP, to which TFTP is related), but apparently not.

The relevant part of my config:

bind-interfaces
interface=br0
except-interface=enp4s0
no-dhcp-interface=enp4s0

IMHO, the only service that dnsmasq should offer on both loopback and 'interface' is DNS. It ought to be possible to bind every other service that dnsmasq can offer to specific interfaces.

If the above already is possible, but my particular combination of bind-interfaces/interface/except-interface/no-dhcp-interface prevents that, I welcome tips on how to fix it.

Martin-Éric

- -- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dnsmasq depends on:
ii dnsmasq-base [dnsmasq-base] 2.85-1
ii init-system-helpers 1.60
ii lsb-base 11.1.0
ii netbase 6.3
ii runit-helper 2.10.3

dnsmasq recommends no packages.

Versions of packages dnsmasq suggests:
pn resolvconf <none>

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmIM/0IACgkQrh+Cd8S0
17YxjQ//fWx8Gq8SlkyP9MGBtnvvYoWX3Vov2i2QPNXgAoBIhbsyA6ELxYQVT/9B
oYViMGJxXxkU7+JmjZ5FJTKd6rv1hroOfL7N1esdEjh69GUUXxVTjkZ4I95AnE9i
6L3qQmIiq2jbzOK7D8S5bSACfxBUSKFd20eG5CHPJxK7hGaH+JqltiuqbsFCxhxC
OAnZzFeR/tmcLB6npRB0H0fnJmiA+J0S6i6+iI4fGwcnQV7rssK0GKMtqGpxKVVU
8knR/ZD5JkSEQJgKnLRWYkw4Vttjf0UDa5Fiw0WWgcYZHVneciYDAsDAK3G6cPJ6
Vy+A6A2XTgZD0TKzmJWxcWMCcetOMYxHfftdw8Ky+6BcKJ5tqd1jH9C6CLFgsQSU
vnk6LCwxBXz3toN6m7cuhxP8jws7YkVouMfUzwX0jW6MQS1Fw3rr73pKb4ssibDJ
nqqaG4DKdxZ+jOLwYKd0NllaDHauKezf85hMx4wnyVSp+gmPhFFLLjKujIXCiw3u
EvFSRuRas/86HirsCp8WHU7I5YraNv1ksU4IjEn4zwRPPhLiu0fxz4NIKgzhET6R
J+SpXty5rNw68w+m/Nro6OFnMUL1AMoY/JZNPJGvwYMRXl7/gRehgTH+H6KSXT3R
WYMQ0Xy05Slie3GeONeSE5uSw4I3bIJGTaNKUnEPbwCMywjNBKQ=
=7Yhl
-----END PGP SIGNATURE-----

Simon Kelley

Feb 16, 2022, 3:10:03 PM
I'm not clear what you think is happening, and what you want to happen.

bind-interfaces works for tftp; there will be a socket for each address
on each valid interface bound to that address and port 69

no-dhcp-interface does indeed suppress tftp on that interface too, and
is documented so to do.


Cheers,

Simon.



Simon Kelley

Feb 16, 2022, 3:20:03 PM
67 is DHCP and always binds the wildcard: that's necessary to make DHCP
work. It checks the arrival address of packets and discards those which
are not valid.

interface= is documented to listen on the addresses of the given
interface AND LOOPBACK. If you want to exclude loopback, you can do


listen-address=172.16.1.2

instead.

Simon.

On 16/02/2022 19:58, Martin-Éric Racine wrote:
> bind-interfaces is supposed to restrict the services to exactly those
> defined in interfaces. It currently doesn't.
>
> My reduced config:
>
> bogus-priv
> conntrack
> dns-loop-detect
> dnssec
> domain-needed
> domain=lan
> local=/lan/
> expand-hosts
> dhcp-hostsfile=/etc/dhcp-hostsfile
> dhcp-fqdn
> dhcp-option=option:dns-server,0.0.0.0,9.9.9.9,1.1.1.1
> dhcp-option=option6:dns-server,[::]
> dhcp-range=tag:br0,172.16.0.0,static,infinite
> dhcp-range=tag:br0,::,constructor:br0,ra-names,ra-stateless,infinite
> quiet-ra
> interface=br0
> bind-interfaces
> enable-tftp
> tftp-root=/srv/tftp
> dhcp-boot=net:eth,/debian-installer/i386/undionly.kpxe
> dhcp-boot=net:pxe,/debian-installer/i386/pxelinux.0
> dhcp-vendorclass=eth,Etherboot
> dhcp-vendorclass=pxe,PXEClient
> dhcp-option=vendor:pxe,6,2b
> #EOF
>
> What the startup log shows:
>
> Feb 16 21:51:07 voima systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
> Feb 16 21:51:07 voima dnsmasq[8813]: started, version 2.85 cachesize 150
> Feb 16 21:51:07 voima dnsmasq[8813]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
> Feb 16 21:51:07 voima dnsmasq[8813]: DNSSEC validation enabled
> Feb 16 21:51:07 voima dnsmasq[8813]: configured with trust anchor for <root> keytag 20326
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, static leases only on 172.16.0.0, lease time infinite
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on (redacted), constructed for br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on (redacted), constructed for br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on (redacted), constructed for br0
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, sockets bound exclusively to interface br0
> Feb 16 21:51:07 voima dnsmasq-tftp[8813]: TFTP root is /srv/tftp
> Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known addresses for domain lan
> Feb 16 21:51:07 voima dnsmasq[8813]: reading /etc/resolv.conf
> Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known addresses for domain lan
> Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
> Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
> Feb 16 21:51:07 voima dnsmasq[8813]: read /etc/hosts - 20 addresses
> Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: read /etc/dhcp-hostsfile
> Feb 16 21:51:07 voima systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
>
> Yet netstat shows me:
>
> $ netstat | grep dnsmasq | grep -v p6
> tcp   0  0 127.0.0.1:53    0.0.0.0:*   LISTEN  7036/dnsmasq
> tcp   0  0 172.16.1.2:53   0.0.0.0:*   LISTEN  7036/dnsmasq
> udp   0  0 0.0.0.0:67      0.0.0.0:*           7036/dnsmasq
> udp   0  0 127.0.0.1:53    0.0.0.0:*           7036/dnsmasq
> udp   0  0 127.0.0.1:69    0.0.0.0:*           7036/dnsmasq
> udp   0  0 172.16.1.2:53   0.0.0.0:*           7036/dnsmasq
> udp   0  0 172.16.1.2:69   0.0.0.0:*           7036/dnsmasq
>
> 67 is on wild card and 69 appears on loopback. Neither of these should
> happen. They should only be on 172.16.1.2 yet they aren't. Basically,
> unless I misunderstood something, nothing except 53 should appear on
> loopback as per the above config.
>
> Cheers!
> Martin-Éric
>

Martin-Éric Racine

Feb 16, 2022, 3:30:03 PM
The startup message DOES suggest that DHCP is bound to an exclusive
interface, not to wildcard. This is misleading.
Meanwhile TFTP is not meant to appear on loopback.

Martin-Éric

Simon Kelley

Feb 16, 2022, 4:10:03 PM


On 16/02/2022 20:19, Martin-Éric Racine wrote:
> The startup message DOES suggest that DHCP is bound to an exclusive
> interface, not to wildcard. This is misleading.

No it's not. It calls setsockopt(SO_BINDTODEVICE) which binds the socket
to the physical interface, instead of to an IP address.

> Meanwhile TFTP is not meant to appear on loopback.

Why? I guess we could argue the 15-year old design decision to do that,
but it would be pointless since I'm not going to change it now and risk
breaking installations which rely on it.

As I said, that option is available using --listen-address.

Simon.


Martin-Éric Racine

Feb 16, 2022, 4:30:02 PM
On Wed, Feb 16, 2022 at 11:05 PM Simon Kelley <si...@thekelleys.org.uk> wrote:
> On 16/02/2022 20:19, Martin-Éric Racine wrote:
> > The startup message DOES suggest that DHCP is bound to an exclusive
> > interface, not to wildcard. This is misleading.
>
> No it's not. It calls setsockopt(SO_BINDTODEVICE) which binds the socket
> to the physical interface, instead of to an IP address.

Ah.

> > Meanwhile TFTP is not meant to appear on loopback.
>
> Why? I guess we could argue the 15-year old design decision to do that,
> but it would be pointless since I'm not going to change it now and risk
> breaking installations which rely on it.

Fair enough.

Mind you, if I add the interface specification as follows, it does what I need:

enable-tftp=br0

Then TFTP indeed only is available on the IP for br0. Nonetheless, I
still think that since interface=br0 is already specified, it should
have sufficed to ensure that all services are only available on that
interface (plus DNS also being available on loopback, since this is an
explicit exception stated in the documentation).

Anyhow, feel free to close this bug if you don't think that any code
or documentation change is required.

Martin-Éric
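The thread settles on two points worth checking on your own host. First, a bare enable-tftp follows interface= and so also serves TFTP on loopback, while enable-tftp=br0 (or listen-address=172.16.1.2, as Simon suggested above) restricts it to br0. Second, the 0.0.0.0:67 socket is expected: dnsmasq restricts the DHCP socket to the device with SO_BINDTODEVICE rather than binding an address, and neither netstat nor ss displays that restriction. The POSIX shell script below is an added example, not code from the bug report or from the dnsmasq project. It places the two config fragments side by side, reads a dnsmasq config to report which interfaces TFTP will be offered on, and audits an ss/netstat-style socket listing for TFTP sockets that are not on the intended address. The socket listing is a constructed sample shaped like the netstat output quoted in the thread; that the local address sits in the fourth column is an assumption about your ss/netstat version, and the config parser handles only the enable-tftp line, not the full dnsmasq grammar.

```sh
#!/bin/sh
# Added example; not from the bug thread or the dnsmasq project.
# 1. tftp_scope: which interfaces a dnsmasq config offers TFTP on.
# 2. audit_dnsmasq_sockets: flag TFTP sockets bound off the intended address.

# Constructed config fragments, reduced to the lines that matter.
# Bare enable-tftp follows interface= (plus loopback, as documented);
# enable-tftp=br0 limits TFTP to br0 only.
CONF_BEFORE='interface=br0
bind-interfaces
enable-tftp
tftp-root=/srv/tftp'

CONF_AFTER='interface=br0
bind-interfaces
enable-tftp=br0
tftp-root=/srv/tftp'

# tftp_scope: read a dnsmasq config on stdin and print the TFTP scope:
#   "disabled"       no enable-tftp line
#   "all-listening"  bare enable-tftp (every interface= address plus loopback)
#   "<ifaces>"       the interface list given to enable-tftp=
tftp_scope() {
  awk -F= '
    /^[ \t]*#/ { next }
    $1 == "enable-tftp" { found = 1; scope = ($2 == "" ? "all-listening" : $2) }
    END { print (found ? scope : "disabled") }
  '
}

# Constructed socket listing shaped like `ss -ulnp` output (assumption:
# the fourth column is Local Address:Port, which holds for ss and for
# netstat -ulnp). It mirrors the UDP lines in the netstat listing above.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:67          0.0.0.0:*         users:(("dnsmasq",pid=7036,fd=4))
UNCONN 0      0      127.0.0.1:53        0.0.0.0:*         users:(("dnsmasq",pid=7036,fd=5))
UNCONN 0      0      127.0.0.1:69        0.0.0.0:*         users:(("dnsmasq",pid=7036,fd=6))
UNCONN 0      0      172.16.1.2:53       0.0.0.0:*         users:(("dnsmasq",pid=7036,fd=7))
UNCONN 0      0      172.16.1.2:69       0.0.0.0:*         users:(("dnsmasq",pid=7036,fd=8))'

# audit_dnsmasq_sockets INTENDED_ADDR: read a listing on stdin, print one
# line per dnsmasq socket, exit 1 if TFTP (udp/69) is bound anywhere other
# than INTENDED_ADDR. udp/67 on the wildcard is reported as expected, since
# dnsmasq restricts it with SO_BINDTODEVICE, which the listing cannot show.
audit_dnsmasq_sockets() {
  awk -v wanted="$1" '
    /dnsmasq/ {
      n = split($4, f, ":")
      port = f[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        kind = "wildcard"
      else if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
        kind = "loopback"
      else if (addr == wanted)
        kind = "intended"
      else
        kind = "other"

      if (port == "69" && kind != "intended") {
        print "TFTP  " $4 "  " kind " - unexpected, reachable off the intended address"
        bad = 1
      } else if (port == "69") {
        print "TFTP  " $4 "  ok"
      } else if (port == "67" && kind == "wildcard") {
        print "DHCP  " $4 "  wildcard - expected (SO_BINDTODEVICE binding is not shown here)"
      } else if (port == "53") {
        print "DNS   " $4 "  " kind
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Stand-alone run: scope of both configs, then an audit of the sample.
printf 'TFTP scope before: %s\n' "$(printf '%s\n' "$CONF_BEFORE" | tftp_scope)"
printf 'TFTP scope after:  %s\n' "$(printf '%s\n' "$CONF_AFTER" | tftp_scope)"
printf '%s\n' "$SAMPLE_SS" | audit_dnsmasq_sockets 172.16.1.2 \
  || echo 'Result: TFTP is exposed off br0; set enable-tftp=br0 or listen-address='
```

On a live host, replace the sample with `ss -ulnp | audit_dnsmasq_sockets <br0 address>` and `tftp_scope < /etc/dnsmasq.conf`; the audit is intentionally strict about loopback, since the thread shows that 127.0.0.1:69 appears under a bare enable-tftp even with bind-interfaces set.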