[Unbound-users] ip-transparent patch

Discussion:

Sten Spans

2015-02-10 09:55:09 UTC

I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating ips, would require an unbound restart every
time an ip moves from one host to another.

For ipv4 linux has the ip.nonlocal_bind sysctl to allow binding
to non-local ips, however ipv6 has no such sysctl.

NSD has the ip-transparent option to set the sockopt to make
non-local binding possible, unbound doesn't seem to support
a similar feature.

Would a patch adding support for this feature be accepted?

A very crude, but works-for-me diff is included below.
(this is based on 1.4.22, but 1.5 seems to be pretty similar)

--- services/listen_dnsport.c.orig 2014-02-14 10:50:25.000000000 +0100
+++ services/listen_dnsport.c 2015-02-10 10:38:29.993665452 +0100
@@ -173,6 +173,13 @@
#else
(void)reuseport;
#endif /* defined(__linux__) && defined(SO_REUSEPORT) */
+#ifdef IP_TRANSPARENT
+ if (setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
+ (socklen_t)sizeof(on)) < 0) {
+ log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
+ strerror(errno));
+ }
+#endif /* IP_TRANSPARENT */
}
if(rcv) {
#ifdef SO_RCVBUF
@@ -517,6 +525,13 @@
#else
(void)v6only;
#endif /* IPV6_V6ONLY */
+#ifdef IP_TRANSPARENT
+ if (setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
+ (socklen_t)sizeof(on)) < 0) {
+ log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
+ strerror(errno));
+ }
+#endif /* IP_TRANSPARENT */
if(bind(s, addr->ai_addr, addr->ai_addrlen) != 0) {
#ifndef USE_WINSOCK
/* detect freebsd jail with no ipv6 permission */

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem

Sotiris Tsimbonis

2015-02-10 11:54:03 UTC

Permalink

Post by Sten Spans
I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating ips, would require an unbound restart every
time an ip moves from one host to another.

We currently have unbound running in combination with vrrp/keepalived,
with no such requirement.

I believe the trick is to bind to any address and enable
interface-automatic.

interface: 0.0.0.0
interface: ::0
interface-automatic: yes

Our keepalived moves an ipv4 and an ipv6 address without the need to
restart.

Sot.

Sten Spans

2015-02-10 12:14:45 UTC

Permalink

Post by Sotiris Tsimbonis

Post by Sten Spans
I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating ips, would require an unbound restart every
time an ip moves from one host to another.

We currently have unbound running in combination with vrrp/keepalived,
with no such requirement.
I believe the trick is to bind to any address and enable
interface-automatic.
interface: 0.0.0.0
interface: ::0
interface-automatic: yes
Our keepalived moves an ipv4 and an ipv6 address without the need to
restart.

We have NSD on the same box as well, on port 53.
Binding to IN_ADDR_ANY doesn't work if you have more than one daemon.

We could re-locate nsd to a different port, but I really see no reason
not to merge this feature, given that NSD has identical functionality.

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem

Jarno Huuskonen

2015-02-10 12:24:10 UTC

Permalink

This post might be inappropriate. Click to display it.

Sten Spans

2015-02-10 12:56:09 UTC

Permalink

Post by Jarno Huuskonen
Hi,

Post by Sten Spans
I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating ips, would require an unbound restart every
time an ip moves from one host to another.

Have you tried using: interface-automatic: yes
interface: 0.0.0.0
interface: ::0
interface-automatic: yes
in unbound.conf).
We've used this with keepalived/unbound and it has worked for us.
(No need to restart unbound after ip address failover).

As reported in my earlier mail, this doesn't work if you have
other daemons (like NSD) using port 53 on the same box.

I know there are workarounds to achieve the same result,
but I would actually prefer a fix to unbound which removes the need
for workarounds. It's not like this is an overly complicated patch.

This probably should be an optional feature, but listen_dnsports.c
passes options via function arguments so doing this would make the patch
a lot bigger and obscure the core requested feature.

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem

Sten Spans

2015-03-19 07:42:30 UTC

Permalink

FYI:

A patch implementing this functionality (via a more extensive list of
socket options) has been merged by powerdns:

https://github.com/PowerDNS/pdns/pull/2218/files

This means that we will stop running our patched unbound and
switch to a mainline version of pdns-recursor.

Hi,

Post by Sten Spans
I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating ips, would require an unbound restart every
time an ip moves from one host to another.

--
Sten Spans

"There is a crack in everything, that's how the light gets in."
Leonard Cohen - Anthem

W.C.A. Wijngaards

2015-03-19 10:05:14 UTC

Permalink

Hi Sten,

Modified version of that ip-transparent patch is in unbound's code
repository (for future releases). I added a config option, because
setting it by default could not work, it fails for non-administrators.

Best regards,
Wouter

Post by Sten Spans
A patch implementing this functionality (via a more extensive list
https://github.com/PowerDNS/pdns/pull/2218/files
This means that we will stop running our patched unbound and switch
to a mainline version of pdns-recursor.

Hi,

Post by Sten Spans
I'm trying to use unbound in combination with
vrrp/keepalived. The use of floating ips, would require an
unbound restart every time an ip moves from one host to
another.