server/upsd.c, NEWS, UPGRADING: setuptcp(): when asked to LISTEN on I…

…Pv6 addresses, try to disable IPv4-mapping support [#2012] Signed-off-by: Jim Klimov <[email protected]>
networkupstools · Aug 5, 2023 · 22b51fc · 22b51fc
1 parent 534f153
commit 22b51fc
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -282,6 +282,11 @@ as part of https://github.com/networkupstools/nut/issues/1410 solution.
    (the last listed address was applied first), which was counter-intuitive
    and fixed for this release [#2012]
 
+ - The `upsd` configured to listen on IPv6 addresses should handle only
+   IPv6 (and not IPv4-mappings) to avoid surprises and insecurity; it
+   would warn if a hostname resolves to several addresses (and would only
+   listen on the first hit, as before in such cases) [#2012]
+
  - sstate (server state, e.g. upsd) should now "PING" drivers also if they
    last reported themselves as "stale" (and might later crash) so their
    connections would be terminated if really no longer active [#1626]

diff --git a/UPGRADING b/UPGRADING
@@ -71,6 +71,14 @@ Changes from 2.8.0 to 2.8.1
   order (e.g. to prioritize IPv6 vs IPv4 listeners), configuration changes
   may be needed. [#2012]
 
+- The `upsd` configured to listen on IPv6 addresses should handle only
+  IPv6 (and not IPv4-mappings like it might have done before) to avoid
+  surprises and insecurity -- if user configurations somehow relied on
+  this dual support, configuration changes may be needed to specify both
+  desired IP addresses. Note that the daemon logs would warn if a hostname
+  resolves to several addresses (and would only listen on the first hit,
+  as it did before in such cases) [#2012]
+
 - Added support for `make sockdebug` for easier developer access to the tool;
   also if `configure --with-dev` is in effect, it would now be installed to
   the configured `libexec` location. A man page was also added. [#1936]

diff --git a/server/upsd.c b/server/upsd.c
@@ -303,6 +303,17 @@ static void setuptcp(stype_t *server)
 			fatal_with_errno(EXIT_FAILURE, "setuptcp: setsockopt");
 		}
 
+		/* Ordinarily we request that IPv6 listeners handle only IPv6.
+		 * TOTHINK: Does any platform need `#ifdef IPV6_V6ONLY` given
+		 * that we apparently already have AF_INET6 OS support everywhere?
+		 */
+		if (ai->ai_family == AF_INET6) {
+			if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&one, sizeof(one)) != 0) {
+				upsdebug_with_errno(3, "setuptcp: setsockopt IPV6_V6ONLY");
+				/* ack, ignore */
+			}
+		}
+
 		if (bind(sock_fd, ai->ai_addr, ai->ai_addrlen) < 0) {
 			upsdebug_with_errno(3, "setuptcp: bind");
 			close(sock_fd);