Explicitly enable IPV6_V6ONLY on the netmgr sockets

Some operating systems (OpenBSD and DragonFly BSD) don't restrict the IPv6 sockets to sending and receiving IPv6 packets only. Explicitly enable the IPV6_V6ONLY socket option on the IPv6 sockets to prevent failures from using the IPv4-mapped IPv6 address.
2025-08-30 05:57:52 +00:00 · 2022-01-13 13:24:55 +01:00 · 2022-01-13 13:24:55 +01:00 · b5e086257d
commit b5e086257d
parent 55a0d0880a
7 changed files with 29 additions and 6 deletions
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@ -1849,6 +1849,12 @@ isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family);
 * option, or setting the IP(V6)_MTU_DISCOVER socket option to IP_PMTUDISC_OMIT
 */

+isc_result_t
+isc__nm_socket_v6only(uv_os_sock_t fd, sa_family_t sa_family);
+/*%<
+ * Restrict the socket to sending and receiving IPv6 packets only
+ */
+
 isc_result_t
 isc__nm_socket_connectiontimeout(uv_os_sock_t fd, int timeout_ms);
 /*%<
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@ -3183,6 +3183,25 @@ isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_family_t sa_family) {
 	return (ISC_R_NOTIMPLEMENTED);
 }

+isc_result_t
+isc__nm_socket_v6only(uv_os_sock_t fd, sa_family_t sa_family) {
+	/*
+	 * Enable the IPv6-only option on IPv6 sockets
+	 */
+	if (sa_family == AF_INET6) {
+#if defined(IPV6_V6ONLY)
+		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_V6ONLY) == -1) {
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#else
+		UNUSED(fd);
+#endif
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
 isc_result_t
 isc_nm_checkaddr(const isc_sockaddr_t *addr, isc_socktype_t type) {
 	int proto, pf, addrlen, fd, r;
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@ -367,6 +367,7 @@ isc__nm_tcp_lb_socket(sa_family_t sa_family) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);

 	(void)isc__nm_socket_incoming_cpu(sock);
+	(void)isc__nm_socket_v6only(sock, sa_family);

 	/* FIXME: set mss */

--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@ -334,6 +334,7 @@ isc__nm_tcpdns_lb_socket(sa_family_t sa_family) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);

 	(void)isc__nm_socket_incoming_cpu(sock);
+	(void)isc__nm_socket_v6only(sock, sa_family);

 	/* FIXME: set mss */

--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@ -401,6 +401,7 @@ isc__nm_tlsdns_lb_socket(sa_family_t sa_family) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);

 	(void)isc__nm_socket_incoming_cpu(sock);
+	(void)isc__nm_socket_v6only(sock, sa_family);

 	/* FIXME: set mss */

--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@ -94,6 +94,7 @@ isc__nm_udp_lb_socket(sa_family_t sa_family) {

 	(void)isc__nm_socket_incoming_cpu(sock);
 	(void)isc__nm_socket_disable_pmtud(sock, sa_family);
+	(void)isc__nm_socket_v6only(sock, sa_family);

 	result = isc__nm_socket_reuse(sock);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@ -544,10 +544,6 @@ ns_interface_listentcp(ns_interface_t *ifp) {
 	}

 #if 0
-#ifndef ISC_ALLOW_MAPPED
-	isc_socket_ipv6only(ifp->tcpsocket, true);
-#endif /* ifndef ISC_ALLOW_MAPPED */
-
 	if (ifp->dscp != -1) {
 		isc_socket_dscp(ifp->tcpsocket,ifp->dscp);
 	}
@ -983,12 +979,10 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	 * packets as the form of mapped addresses unintentionally
 	 * unless explicitly allowed.
 	 */
-#ifndef ISC_ALLOW_MAPPED
 	if (scan_ipv6 && isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
 		ipv6only = false;
 		log_explicit = true;
 	}
-#endif /* ifndef ISC_ALLOW_MAPPED */
 	if (scan_ipv6 && isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
 		ipv6pktinfo = false;
 		log_explicit = true;