From 22b51fc79b345861722dd52b06bdd783d2d36dd3 Mon Sep 17 00:00:00 2001
From: Jim Klimov
Date: Sat, 5 Aug 2023 20:51:25 +0200
Subject: [PATCH] server/upsd.c, NEWS, UPGRADING: setuptcp(): when asked to LISTEN on IPv6 addresses, try to disable IPv4-mapping support [#2012]
Signed-off-by: Jim Klimov
---
 NEWS | 5 +++++
 UPGRADING | 8 ++++++++
 server/upsd.c | 11 +++++++++++
 3 files changed, 24 insertions(+)
diff --git a/NEWS b/NEWS
index 2a99a07bfc..5b21a56099 100644
--- a/NEWS
+++ b/NEWS
@@ -282,6 +282,11 @@ as part of https://github.com/networkupstools/nut/issues/1410 solution. (the last listed address was applied first), which was counter-intuitive and fixed for this release [#2012]
+ - The `upsd` configured to listen on IPv6 addresses should handle only
+ IPv6 (and not IPv4-mappings) to avoid surprises and insecurity; it
+ would warn if a hostname resolves to several addresses (and would only
+ listen on the first hit, as before in such cases) [#2012]
+
 - sstate (server state, e.g. upsd) should now "PING" drivers also if they last reported themselves as "stale" (and might later crash) so their connections would be terminated if really no longer active [#1626]
diff --git a/UPGRADING b/UPGRADING
index 72a1de5de5..03471a0660 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -71,6 +71,14 @@ Changes from 2.8.0 to 2.8.1 order (e.g. to prioritize IPv6 vs IPv4 listeners), configuration changes may be needed. [#2012]
+- The `upsd` configured to listen on IPv6 addresses should handle only
+ IPv6 (and not IPv4-mappings like it might have done before) to avoid
+ surprises and insecurity -- if user configurations somehow relied on
+ this dual support, configuration changes may be needed to specify both
+ desired IP addresses. Note that the daemon logs would warn if a hostname
+ resolves to several addresses (and would only listen on the first hit,
+ as it did before in such cases) [#2012]
+
 - Added support for `make sockdebug` for easier developer access to the tool; also if `configure --with-dev` is in effect, it would now be installed to the configured `libexec` location. A man page was also added. [#1936]
diff --git a/server/upsd.c b/server/upsd.c
index eb99df810c..23ec4df4e8 100644
--- a/server/upsd.c
+++ b/server/upsd.c
@@ -303,6 +303,17 @@ static void setuptcp(stype_t *server)
 fatal_with_errno(EXIT_FAILURE, "setuptcp: setsockopt");
 }
+ /* Ordinarily we request that IPv6 listeners handle only IPv6.
+ * TOTHINK: Does any platform need `#ifdef IPV6_V6ONLY` given
+ * that we apparently already have AF_INET6 OS support everywhere?
+ */
+ if (ai->ai_family == AF_INET6) {
+ if (setsockopt(sock_fd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&one, sizeof(one)) != 0) {
+ upsdebug_with_errno(3, "setuptcp: setsockopt IPV6_V6ONLY");
+ /* ack, ignore */
+ }
+ }
+
 if (bind(sock_fd, ai->ai_addr, ai->ai_addrlen) < 0) {
 upsdebug_with_errno(3, "setuptcp: bind");
 close(sock_fd);
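Review bot: A failed `setsockopt(..., IPV6_V6ONLY, ...)` in the added `AF_INET6` branch of the server/upsd.c hunk is reported only through `upsdebug_with_errno(3, ...)` and then ignored, so at default verbosity the daemon can keep a dual-stack listener while NEWS and UPGRADING tell the admin it handles IPv6 only. That matters for anyone whose address-based restrictions assume IPv4 clients cannot arrive on this socket as IPv4-mapped (`::ffff:a.b.c.d`) peers. I would report it where an operator sees it, e.g. `upslog_with_errno(LOG_WARNING, "setuptcp: setsockopt IPV6_V6ONLY failed, listener may still accept IPv4-mapped clients");`, and settle the TOTHINK by wrapping the call in `#ifdef IPV6_V6ONLY` so a platform without the option still builds. `one` is declared outside the hunk (assumed to be an `int`), and the rest of `setuptcp()` also lies outside it.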