From 66eefac78c92b64b6689a1655cc677a2b1d13496 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 11 Feb 2021 08:37:52 +0100
Subject: [PATCH 1/2] Rollback setting IP_DONTFRAG option on the UDP sockets
In DNS Flag Day 2020, the development branch started setting the IP_DONTFRAG option on the UDP sockets. It turned out, that this code was incomplete leading to dropping the outgoing UDP packets. Henceforth this commit rolls back this setting until we have a proper fix that would send back empty response with TC flag set.
---
 lib/isc/netmgr/netmgr.c | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index fb8b1fa701..5ec2ea0707 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2202,6 +2202,9 @@ isc__nm_closesocket(uv_os_sock_t sock) {
 #define setsockopt_on(socket, level, name) \
 	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
 
+#define setsockopt_off(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
 isc_result_t
 isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family) {
 	/*
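Review bot: The new `setsockopt_off` macro passes `&(int){ 1 }`, the same value as `setsockopt_on` two lines above it, so wherever `IP_DONTFRAG` or `IPV6_DONTFRAG` is defined the `setsockopt_off` calls in isc__nm_socket_dontfrag still enable the option and the rollback is a no-op on those platforms. The second line should read `setsockopt(socket, level, name, &(int){ 0 }, sizeof(int))`. Since the two macros differ only in that literal, a short comment on each (`/* sets the option value to 1 (enable) */`, `/* sets the option value to 0 (disable) */`) would make a future copy-paste slip easier to spot in review. As committed, only the `*_MTU_DISCOVER` fallbacks, which pass explicit `IP_PMTUDISC_*` values, actually change behaviour.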
@@ -2327,14 +2330,22 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 	 */
 	if (sa_family == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IPV6_MTU_DISCOVER)
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {
@@ -2345,14 +2356,22 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 #endif
 	} else if (sa_family == AF_INET) {
 #if defined(IP_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IP_MTU_DISCOVER)
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {
From 6d442e9c043dfd5bfb9d7af392dd19adc6ecc129 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 11 Feb 2021 08:43:51 +0100
Subject: [PATCH 2/2] Add CHANGES and release notes for GL #2487
---
 CHANGES | 3 +++
 doc/notes/notes-current.rst | 5 +++++
 2 files changed, 8 insertions(+)
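Review bot: The IPv6 branch now guards on and passes the IPv4 constants `IP_PMTUDISC_OMIT` / `IP_PMTUDISC_DONT` while setting `IPV6_MTU_DISCOVER`; the removed line had the same mismatch with `IP_PMTUDISC_DO`, but the new `#elif … && defined(IP_PMTUDISC_OMIT)` guard extends it so that the IPv6 path's compile-time selection depends on an IPv4 macro. On Linux the numeric values coincide, so this is a readability and portability point rather than a functional one, but the IPv6 option has its own `IPV6_PMTUDISC_OMIT` / `IPV6_PMTUDISC_DONT` constants and using them in both guard and value, e.g. `#elif defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_OMIT)`, keeps the two families self-consistent; the AF_INET hunk at -2345 already pairs IP_ constants with IP_MTU_DISCOVER and needs no change. The function now clears the don't-fragment behaviour instead of setting it, so the comment that closes at the top of this hunk and the name isc__nm_socket_dontfrag presumably still describe the old intent; the comment at least should say the option is now being disabled and why. The enclosing function starts before this hunk and continues past it.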
diff --git a/CHANGES b/CHANGES
index b2b7d59835..a49353e09b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5584.	[bug]		Rollback setting IP_DONTFRAG option on the UDP sockets.
+			[GL #2487]
+
 5583.	[func]		Changes to DoH configuration syntax:
 			- When "http" is specified in "listen-on" or
 			  "listen-on-v6" statements, "tls" must also now
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 5fe9644665..a4a2babf21 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -121,3 +121,8 @@ Bug Fixes
   list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``, which resulted in the returned memory being put on the wrong freed list. This has been fixed. [GL #2460]
+
+- If an outgoing packet would exceed max-udp-size, it would be dropped instead
+  of sending a proper response back. Rollback setting the IP_DONTFRAG on the
+  UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
+  [GL #2487]