Ip-transparent patch

I'm trying to use unbound in combination with vrrp/keepalived.
The use of floating IPs would require an unbound restart every
time an IP moves from one host to another.

For IPv4, Linux has the ip.nonlocal_bind sysctl to allow binding
to non-local IPs; however, IPv6 has no such sysctl.

NSD has the ip-transparent option to set the sockopt to make
non-local binding possible, unbound doesn't seem to support
a similar feature.

Would a patch adding support for this feature be accepted?

A very crude, but works-for-me diff is included below.
(this is based on 1.4.22, but 1.5 seems to be pretty similar)

--- services/listen_dnsport.c.orig 2014-02-14 10:50:25.000000000 +0100
+++ services/listen_dnsport.c 2015-02-10 10:38:29.993665452 +0100
@@ -173,6 +173,13 @@
  #else
      (void)reuseport;
  #endif /* defined(__linux__) && defined(SO_REUSEPORT) */
+#ifdef IP_TRANSPARENT
+ if (setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
+ (socklen_t)sizeof(on)) < 0) {
+ log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
+ strerror(errno));
+ }
+#endif /* IP_TRANSPARENT */
    }
    if(rcv) {
  #ifdef SO_RCVBUF
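Review bot: the IP_TRANSPARENT setsockopt added in this hunk runs unconditionally on every listening socket, and a failure is only passed to log_warn and then ignored, so an unbound that is not running as an administrator (IP_TRANSPARENT is a privileged option) will print this warning for each socket it opens and then bind exactly as before. Gate the call behind a config option, and when that option was explicitly requested treat the failure as an error rather than a warning; the message would also be more useful if it said the likely cause is a missing privilege. The hunk also relies on an `on` variable that is not declared in the visible lines; confirm it is in scope at this point of the function.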
@@ -517,6 +525,13 @@
  #else
    (void)v6only;
  #endif /* IPV6_V6ONLY */
+#ifdef IP_TRANSPARENT
+ if (setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, (void*)&on,
+ (socklen_t)sizeof(on)) < 0) {
+ log_warn("setsockopt(.. IP_TRANSPARENT ..) failed: %s",
+ strerror(errno));
+ }
+#endif /* IP_TRANSPARENT */
    if(bind(s, addr->ai_addr, addr->ai_addrlen) != 0) {
  #ifndef USE_WINSOCK
      /* detect freebsd jail with no ipv6 permission */
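Review bot: this hunk sits in the IPv6 bind path (see the IPV6_V6ONLY context above it) but sets the IPv4-level option IPPROTO_IP/IP_TRANSPARENT; the family-matching option on Linux is IPV6_TRANSPARENT at level IPPROTO_IPV6. It evidently works for the author as written, but either use IPV6_TRANSPARENT for AF_INET6 sockets or add a comment explaining why the IPv4 option is relied on here. The block is otherwise a verbatim copy of the one in the first hunk; factor the setsockopt and its error handling into one helper called from both places so a future config option has a single place to hook in.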

We currently have unbound running in combination with vrrp/keepalived,
with no such requirement.

I believe the trick is to bind to any address and enable
interface-automatic.

interface: 0.0.0.0
interface: ::0
interface-automatic: yes

Our keepalived moves an ipv4 and an ipv6 address without the need to
restart.

Sot.

We have NSD on the same box as well, on port 53.
Binding to INADDR_ANY doesn't work if you have more than one daemon.

We could relocate NSD to a different port, but I really see no reason
not to merge this feature, given that NSD has identical functionality.

Hi,

> I'm trying to use unbound in combination with vrrp/keepalived.
> The use of floating IPs would require an unbound restart every
> time an IP moves from one host to another.

Have you tried using: interface-automatic: yes
(So something like:
        interface: 0.0.0.0
        interface: ::0
        interface-automatic: yes
in unbound.conf).

We've used this with keepalived/unbound and it has worked for us.
(No need to restart unbound after ip address failover).

(We also have
outgoing-interface: server.ipv4.add.ress
outgoing-interface: server.ipv6.add.ress
so unbound doesn't use floating (keepalived) addrs for outgoing queries).

(I think on IP address failover unbound can try to send a reply from the
floating (VIP) address that has just moved to another server, but
with our setup this hasn't been a problem).

> For IPv4, Linux has the ip.nonlocal_bind sysctl to allow binding
> to non-local IPs; however, IPv6 has no such sysctl.

For haproxy/keepalived we use this "hack" for IPv6 VIPs (floating
addresses): bind all IPv6 VIPs to the "lo" interface --> haproxy
can bind to the needed addrs.
(Simple ip_nonlocal_bind IPv6 workaround · GitHub)

(I haven't tested this with unbound, because interface-automatic: yes
works for us).

-Jarno

As reported in my earlier mail, this doesn't work if you have
other daemons (like NSD) using port 53 on the same box.

I know there are workarounds to achieve the same result,
but I would actually prefer a fix to unbound which removes the need
for workarounds. It's not like this is an overly complicated patch.

This probably should be an optional feature, but listen_dnsport.c
passes options via function arguments, so doing this would make the patch
a lot bigger and obscure the core requested feature.

FYI:

A patch implementing this functionality (via a more extensive list of socket options) has been merged by powerdns:

This means that we will stop running our patched unbound and
switch to a mainline version of pdns-recursor.

Hi Sten,

Modified version of that ip-transparent patch is in unbound's code
repository (for future releases). I added a config option, because
setting it by default could not work, it fails for non-administrators.

Best regards,
   Wouter
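Added example (not unbound's or NSD's code, nor the patch above): a minimal listener that does what the thread converged on, transparent binding as an opt-in knob using the option matching the socket family, with the privilege failure Wouter mentions reported to the caller instead of warned about and ignored. It assumes Linux headers; set_transparent and open_udp_listener are hypothetical names.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Request non-local binding on socket s with the family-matching option
 * (IPV6_TRANSPARENT / IP_TRANSPARENT). Returns 0 or -errno (-EPERM: no CAP_NET_ADMIN). */
int set_transparent(int s, int family)
{
#if defined(IP_TRANSPARENT) && defined(IPV6_TRANSPARENT)
    int on = 1;
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_TRANSPARENT : IP_TRANSPARENT;
    return setsockopt(s, level, opt, &on, sizeof(on)) == 0 ? 0 : -errno;
#else
    (void)s; (void)family;
    return -ENOPROTOOPT;   /* platform has no transparent-bind option */
#endif
}

/* Open a UDP listener on ip:port. transparent=1 is the opt-in config knob;
 * if it cannot be honoured the bind is aborted. Returns the fd or -errno. */
int open_udp_listener(const char *ip, int port, int transparent)
{
    struct sockaddr_storage ss;
    struct sockaddr_in  *a4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
    int family = strchr(ip, ':') ? AF_INET6 : AF_INET;
    socklen_t len = (family == AF_INET6) ? sizeof(*a6) : sizeof(*a4);
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET6) {
        a6->sin6_family = AF_INET6; a6->sin6_port = htons(port);
        if (inet_pton(AF_INET6, ip, &a6->sin6_addr) != 1) return -EINVAL;
    } else {
        a4->sin_family = AF_INET; a4->sin_port = htons(port);
        if (inet_pton(AF_INET, ip, &a4->sin_addr) != 1) return -EINVAL;
    }
    int s = socket(family, SOCK_DGRAM, 0);
    if (s < 0) return -errno;
    if (transparent) {
        int r = set_transparent(s, family);  /* fail here, not at bind() */
        if (r != 0) { close(s); return r; }
    }
    if (bind(s, (struct sockaddr *)&ss, len) != 0) {
        int e = errno; close(s); return -e;
    }
    return s;
}
```

Run unprivileged, the transparent=1 path returns -EPERM, which is exactly why the feature cannot be on by default.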