The startup message DOES suggest that DHCP is bound to an exclusive interface, not to wildcard. This is misleading. Meanwhile TFTP is not meant to appear on loopback.
Martin-Éric

On Wed, Feb 16, 2022 at 10:11 PM Simon Kelley <si...@thekelleys.org.uk> wrote:
>
> 67 is DHCP and always binds the wildcard: that's necessary to make DHCP
> work. It checks the arrival address of packets and discards those which
> are not valid.
>
> interface= is documented to listen on the addresses of the given
> interface AND LOOPBACK. If you want to exclude loopback, you can do
>
>
> listen-address=172.16.1.2
>
> instead.
>
> Simon.
>
> On 16/02/2022 19:58, Martin-Éric Racine wrote:
> > bind-interfaces is supposed to restrict the services to exactly those
> > defined in interfaces. It currently doesn't.
> >
> > My reduced config:
> >
> > bogus-priv
> > conntrack
> > dns-loop-detect
> > dnssec
> > domain-needed
> > domain=lan
> > local=/lan/
> > expand-hosts
> > dhcp-hostsfile=/etc/dhcp-hostsfile
> > dhcp-fqdn
> > dhcp-option=option:dns-server,0.0.0.0,9.9.9.9,1.1.1.1
> > dhcp-option=option6:dns-server,[::]
> > dhcp-range=tag:br0,172.16.0.0,static,infinite
> > dhcp-range=tag:br0,::,constructor:br0,ra-names,ra-stateless,infinite
> > quiet-ra
> > interface=br0
> > bind-interfaces
> > enable-tftp
> > tftp-root=/srv/tftp
> > dhcp-boot=net:eth,/debian-installer/i386/undionly.kpxe
> > dhcp-boot=net:pxe,/debian-installer/i386/pxelinux.0
> > dhcp-vendorclass=eth,Etherboot
> > dhcp-vendorclass=pxe,PXEClient
> > dhcp-option=vendor:pxe,6,2b
> > #EOF
> >
> > What the startup log shows:
> >
> > Feb 16 21:51:07 voima systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
> > Feb 16 21:51:07 voima dnsmasq[8813]: started, version 2.85 cachesize 150
> > Feb 16 21:51:07 voima dnsmasq[8813]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile
> > Feb 16 21:51:07 voima dnsmasq[8813]: DNSSEC validation enabled
> > Feb 16 21:51:07 voima dnsmasq[8813]: configured with trust anchor for <root> keytag 20326
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, static leases only on 172.16.0.0, lease time infinite
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv6 stateless on (redacted), constructed for br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCPv4-derived IPv6 names on (redacted), constructed for br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: router advertisement on (redacted), constructed for br0
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: DHCP, sockets bound exclusively to interface br0
> > Feb 16 21:51:07 voima dnsmasq-tftp[8813]: TFTP root is /srv/tftp
> > Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known addresses for domain lan
> > Feb 16 21:51:07 voima dnsmasq[8813]: reading /etc/resolv.conf
> > Feb 16 21:51:07 voima dnsmasq[8813]: using only locally-known addresses for domain lan
> > Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
> > Feb 16 21:51:07 voima dnsmasq[8813]: using nameserver (redacted)#53
> > Feb 16 21:51:07 voima dnsmasq[8813]: read /etc/hosts - 20 addresses
> > Feb 16 21:51:07 voima dnsmasq-dhcp[8813]: read /etc/dhcp-hostsfile
> > Feb 16 21:51:07 voima systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
> >
> > Yet netstat shows me:
> >
> > $ netstat | grep dnsmasq | grep -v p6
> > tcp   0   0 127.0.0.1:53    0.0.0.0:*   LISTEN   7036/dnsmasq
> > tcp   0   0 172.16.1.2:53   0.0.0.0:*   LISTEN   7036/dnsmasq
> > udp   0   0 0.0.0.0:67      0.0.0.0:*            7036/dnsmasq
> > udp   0   0 127.0.0.1:53    0.0.0.0:*            7036/dnsmasq
> > udp   0   0 127.0.0.1:69    0.0.0.0:*            7036/dnsmasq
> > udp   0   0 172.16.1.2:53   0.0.0.0:*            7036/dnsmasq
> > udp   0   0 172.16.1.2:69   0.0.0.0:*            7036/dnsmasq
> >
> > 67 is on wildcard and 69 appears on loopback. Neither of these should
> > happen. They should only be on 172.16.1.2 yet they aren't. Basically,
> > unless I misunderstood something, nothing except 53 should appear on
> > loopback as per the above config.
> >
> > Cheers!
> > Martin-Éric
> >
> >
> > On Wed, Feb 16, 2022 at 9:36 PM Simon Kelley <si...@thekelleys.org.uk> wrote:
> >>
> >> I'm not clear what you think is happening, and what you want to happen.
> >>
> >> bind-interfaces works for tftp; there will be a socket for each address
> >> on each valid interface bound to that address and port 69.
> >>
> >> no-dhcp-interface does indeed suppress tftp on that interface too, and
> >> is documented so to do.
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>
> >> On 16/02/2022 13:42, Martin-Éric Racine wrote:
> >> > Package: dnsmasq
> >> > Version: 2.85-1
> >> > Severity: important
> >> >
> >>> If 'enable-tftp' is set, the TFTP server appears on all interfaces. It
> >>> completely disregards bind-interfaces and friends. One would think that
> >>> TFTP would only be offered on interfaces where dnsmasq happens to offer
> >>> DHCP services (since DHCP essentially is a superset of BOOTP, to which
> >>> TFTP is related), but apparently not.
> >>>
> >>> The relevant part of my config:
> >>>
> >>> bind-interfaces
> >>> interface=br0
> >>> except-interface=enp4s0
> >>> no-dhcp-interface=enp4s0
> >>>
> >>> IMHO, the only service that dnsmasq should offer on both loopback and
> >>> 'interface' is DNS. It ought to be possible to bind every other service
> >>> that dnsmasq can offer to specific interfaces.
> >>>
> >>> If the above already is possible, but my particular combination of
> >>> bind-interfaces/interface/except-interface/no-dhcp-interface prevents
> >>> that, I welcome tips on how to fix it.
> >>>
> >>> Martin-Éric
> >>>
> >>> -- System Information:
> >>> Debian Release: 11.2
> >>> APT prefers stable-updates
> >>> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
> >>> Architecture: amd64 (x86_64)
> >>>
> >>> Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
> >>> Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en
> >>> Shell: /bin/sh linked to /bin/dash
> >>> Init: systemd (via /run/systemd/system)
> >>> LSM: AppArmor: enabled
> >>>
> >>> Versions of packages dnsmasq depends on:
> >>> ii dnsmasq-base [dnsmasq-base] 2.85-1
> >>> ii init-system-helpers 1.60
> >>> ii lsb-base 11.1.0
> >>> ii netbase 6.3
> >>> ii runit-helper 2.10.3
> >>>
> >>> dnsmasq recommends no packages.
> >>>
> >>> Versions of packages dnsmasq suggests:
> >>> pn resolvconf <none>
> >>>
> >>> -- no debconf information
> >>>
> >
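The thread settles the question by comparing the startup log with what netstat reports, and the two disagree. As an added example (not code from the thread, from Debian or from dnsmasq), here is a small Python audit that parses netstat-style listener lines and compares every dnsmasq socket with the exposure the configuration is meant to produce. The sample lines and the policy table are constructed from the values quoted above: DNS on loopback and the LAN address, TFTP only on the LAN address, and port 67 on the wildcard, which encodes Simon's explanation that DHCP always binds the wildcard and filters on arrival address instead. The `LINE_RE` column layout is an assumption about `netstat -lnp` output.

```python
"""Audit a dnsmasq host's listening sockets against an expected-exposure policy.

Added example, not part of the bug thread: the startup log says what dnsmasq
intends to bind; only the kernel's socket table says what it actually bound.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the netstat output quoted in the thread.
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7036/dnsmasq
tcp        0      0 172.16.1.2:53           0.0.0.0:*               LISTEN      7036/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7036/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7036/dnsmasq
udp        0      0 127.0.0.1:69            0.0.0.0:*                           7036/dnsmasq
udp        0      0 172.16.1.2:53           0.0.0.0:*                           7036/dnsmasq
udp        0      0 172.16.1.2:69           0.0.0.0:*                           7036/dnsmasq
"""

# Expected exposure for this host (constructed from the thread's config intent):
# DNS (53) on loopback and the LAN address, TFTP (69) on the LAN address only,
# DHCP (67) on the wildcard because dnsmasq always binds it there and filters
# on the arrival address of each packet.
POLICY = {
    53: {"127.0.0.1", "172.16.1.2"},
    69: {"172.16.1.2"},
    67: {"0.0.0.0"},
}

# Assumed `netstat -lnp` layout: proto, recv-q, send-q, local, foreign,
# optional state (TCP only), pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text):
    """Yield (proto, addr, port, program) for each listener line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps IPv6 literals such as ::1 intact.
        addr, _, port = m.group("local").rpartition(":")
        yield m.group("proto"), addr, int(port), m.group("prog")


def audit(text, policy, program="dnsmasq"):
    """Return (proto, addr, port) for each listener of `program` not allowed by `policy`.

    A port with no policy entry is reported too: an unexpected service is the
    finding an auditor most wants to see, not the one to silently skip.
    """
    violations = []
    for proto, addr, port, prog in parse_netstat(text):
        if prog != program:
            continue
        if addr not in policy.get(port, set()):
            violations.append((proto, addr, port))
    return violations


def summarize(text, program="dnsmasq"):
    """Map port -> sorted list of bound addresses, the per-service view netstat lacks."""
    by_port = defaultdict(set)
    for _, addr, port, prog in parse_netstat(text):
        if prog == program:
            by_port[port].add(addr)
    return {port: sorted(addrs) for port, addrs in by_port.items()}


if __name__ == "__main__":
    for port, addrs in sorted(summarize(NETSTAT_SAMPLE).items()):
        print(f"port {port}: {', '.join(addrs)}")
    for proto, addr, port in audit(NETSTAT_SAMPLE, POLICY):
        print(f"UNEXPECTED: {proto} {addr}:{port}")
```

On the sample the only finding is `udp 127.0.0.1:69`, which is exactly the loopback TFTP socket the report is about; port 67 on 0.0.0.0 passes because the policy records it as wildcard by design. In practice, feed the script real `netstat -lnp` output (the column layout the parser assumes) after each change to `interface=`, `bind-interfaces` or `listen-address=`, and extend `POLICY` with the addresses the host is actually meant to serve.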