Package: iodine
Version: 0.6.0~rc1-2
Severity: important
Usertags: pca.it-communication
Hi there!

First, something which is related, but not critical: IMHO iodined should be started *after* any DNS server, simply because in most cases the topdomain argument must be resolved via DNS. Attached a Git patch against the Debian repository:

  commit a2c2fdf93b6783bd729b04ed57d15794d058c65c
  Author: Luca Capello <[email protected]>
  Date:   Wed Apr 11 13:21:57 2012 +0200
  Subject: debian/iodine.iodined.init: add to LSB's Required-Start

Second, as suggested by Martin in #433528, /etc/default/iodine should be moved to /etc/default/iodined (which would also reflect the name of the init.d script).

Finally, the real problem. I set up iodined together with dnsmasq (for the port option see #668386), with the following configuration (eth0 and eth1 are the external and internal networks, respectively):

  # iodine -c -b 5353 10.19.10.1 MYTUNNEL
  # dnsmasq --port=5353 --except-interface=eth0

However, at every boot iodined segfaults:

--8<---------------cut here---------------start------------->8---
Apr 10 18:27:00 karon kernel: imklog 4.6.4, log source = /proc/kmsg started.
Apr 10 18:27:00 karon rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="881" x-info="http://www.rsyslog.com"] (re)start
Apr 10 18:27:00 karon kernel: [ 0.000000] Initializing cgroup subsys cpuset
Apr 10 18:27:00 karon kernel: [ 0.000000] Initializing cgroup subsys cpu
Apr 10 18:27:00 karon kernel: [ 0.000000] Linux version 2.6.32-5-686 (Debian 2.6.32-41squeeze2) ([email protected]) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Mar 26 05:20:33 UTC 2012
[...]
Apr 10 18:27:00 karon kernel: [ 26.424505] eth0: setting full-duplex.
Apr 10 18:27:00 karon kernel: [ 26.465591] eth1: setting full-duplex.
Apr 10 18:27:00 karon acpid: waiting for events: event logging is off
Apr 10 18:27:01 karon dnsmasq[927]: started, version 2.55 cachesize 150
Apr 10 18:27:01 karon dnsmasq[927]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
Apr 10 18:27:01 karon dnsmasq-dhcp[927]: DHCP, IP range 10.10.10.101 -- 10.10.10.150, lease time 12h
Apr 10 18:27:01 karon dnsmasq[927]: reading /etc/resolv.conf
Apr 10 18:27:01 karon dnsmasq[927]: using nameserver 192.168.0.2#53
Apr 10 18:27:01 karon dnsmasq[927]: using nameserver 127.0.0.1#53
Apr 10 18:27:01 karon dnsmasq[927]: read /etc/hosts - 11 addresses
Apr 10 18:27:01 karon dnsmasq-dhcp[927]: read /etc/ethers - 5 addresses
Apr 10 18:27:02 karon kernel: [ 29.682868] tun: Universal TUN/TAP device driver, 1.6
Apr 10 18:27:02 karon kernel: [ 29.682889] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Apr 10 18:27:02 karon iodined: started, listening on port 53
Apr 10 18:27:03 karon kernel: [ 30.544671] ip_tables: (C) 2000-2006 Netfilter Core Team
Apr 10 18:27:03 karon ntpd[1233]: ntpd [email protected] Sun Oct 17 13:45:13 UTC 2010 (1)
Apr 10 18:27:03 karon ntpd[1246]: proto: precision = 3.631 usec
Apr 10 18:27:03 karon ntpd[1246]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Apr 10 18:27:03 karon kernel: [ 30.862418] nf_conntrack version 0.5.0 (8042 buckets, 32168 max)
Apr 10 18:27:03 karon kernel: [ 30.869816] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
Apr 10 18:27:03 karon kernel: [ 30.869838] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
Apr 10 18:27:03 karon kernel: [ 30.869853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
Apr 10 18:27:03 karon ntpd[1246]: Listen and drop on 1 v6wildcard :: UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 2 lo 127.0.0.1 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 3 eth0 192.168.0.5 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 4 eth1 10.10.10.1 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 5 dns0 10.19.10.1 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 6 lo ::1 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 7 eth0 fe80::250:4ff:fe0c:ee4 UDP 123
Apr 10 18:27:03 karon ntpd[1246]: Listen normally on 8 eth1 fe80::210:5aff:fe3b:434a UDP 123
Apr 10 18:27:03 karon kernel: [ 31.108696] iodined[1067]: segfault at 10 ip 080513f6 sp bfdd06b0 error 4 in iodined[8048000+d000]
Apr 10 18:27:09 karon kernel: [ 36.612076] eth1: no IPv6 routers present
Apr 10 18:27:09 karon ntpd[1246]: Deleting interface #5 dns0, 10.19.10.1#123, interface stats: received=0, sent=0, dropped=0, active_time=1 secs
Apr 10 18:27:09 karon kernel: [ 37.144068] eth0: no IPv6 routers present
--8<---------------cut here---------------end--------------->8---

Restarting iodined does not cause any segfault, so this should be something linked to the boot process. Some simple debugging revealed that with the following patch iodined does not segfault at boot:

--8<---------------cut here---------------start------------->8---
diff --git a/init.d/iodined b/init.d/iodined
index 21f2db2..5c383db 100755
--- a/init.d/iodined
+++ b/init.d/iodined
@@ -76,6 +76,10 @@ do_start() # 2 if daemon could not be started start-stop-daemon --start --quiet --exec $DAEMON --test > /dev/null \ || return 1 +sleep 5 +# 3 segfault +# 4 segfault +# 5 OK start-stop-daemon --start --quiet --exec $DAEMON -- $DAEMON_ARGS -P "$IODINED_PASSWORD" \ || return 2 # Add code here, if necessary, that waits for the process to be ready
--8<---------------cut here---------------end--------------->8---

As you can see, there should be at least a 5-second delay, but then iodined still segfaults the first time a client connects, which led me to guess that something is connecting within the 5-second timeframe during the boot process (but this is not #521260). Please note that this happens even when I applied the named-dependency patch above.

I was able to reproduce the segfault simply with:

=====
# service dnsmasq start
Starting DNS forwarder and DHCP server: dnsmasq.
# iodined -f -c -b 5353 10.19.10.1 MYTUNNEL
Requests for domains outside of MYTUNNEL will be forwarded to port 5353
Enter password:
Opened dns0
Setting IP of dns0 to 10.19.10.1
Setting MTU of dns0 to 1130
Opened UDP socket
Opened UDP socket
Listening to dns for domain MYTUNNEL
[`dig @localhost example.com`]
Segmentation fault
# iodined -f -c -b 5353 10.19.10.1 MYTUNNEL
Requests for domains outside of MYTUNNEL will be forwarded to port 5353
Debug level 1 enabled, will stay in foreground.
Add more -D switches to set higher debug level.
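Review bot: in the do_start() hunk the `sleep 5` is inserted between the `--test` probe and the real start-stop-daemon call, so it delays every boot by five seconds without changing what the daemon does, and the `# 3 segfault` / `# 4 segfault` / `# 5 OK` lines are experiment notes rather than comments an init script should carry. Keep it as a diagnostic patch only; if a wait is ever shipped, replace the fixed delay with a check that the resolver on the forward port is actually answering. The report's own observation that iodined still crashes on the first client query confirms the delay is not a fix.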
Enter password:
Opened dns0
Setting IP of dns0 to 10.19.10.1
Setting MTU of dns0 to 1130
Opened UDP socket
Opened UDP socket
Listening to dns for domain MYTUNNEL
[`dig @localhost example.com` answer, see below]
^C
#
=====

The dig answer is the following:

=====
# dig @localhost example.com

; <<>> DiG 9.7.3 <<>> @localhost example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47666
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            93681   IN      A       192.0.43.10
example.com.            93681   IN      RRSIG   A 8 2 172800 20120419095245 20120412082625 40569 example.com. \
    qBMb5245vFE6pEEzgKwAA7hf0MCAnotc0ybH4o6jJPMUoisU1w0HgJdD W/ifTuiS28r76/K9fKWA2S4ylsyYqfRJRO07VPmjGVZWEXbHNnky7d+Z \
    H9VEx0j1PusPrYUUlAxS+eCQI012NrzSVyNg+V/1EeCN0irwb6qql0CU avg=

;; AUTHORITY SECTION:
example.com.            93681   IN      NS      a.iana-servers.net.
example.com.            93681   IN      NS      b.iana-servers.net.
example.com.            93681   IN      RRSIG   NS 8 2 172800 20120419143501 20120412082625 40569 example.com. \
    EdHsj4OKtyDqJVe8Nm+HoJvNm64MauwlgSKtYGNMnD6EIVEsSlj21Aym NW6ez1s5nFh842U0xuuiqAf0olmSg+XASnSLXty9cURZMSqQ/VtMpitU \
    AJEu9ChBeSsNdm3K7eyLwB4NYmT1t4/qqeSg0vu+Wu4eOspKAeu8ntWh OU0=

;; ADDITIONAL SECTION:
a.iana-servers.net.     1330    IN      A       199.43.132.53
a.iana-servers.net.     1330    IN      AAAA    2001:500:8c::53
b.iana-servers.net.     1330    IN      A       199.43.133.53
b.iana-servers.net.     1330    IN      AAAA    2001:500:8d::53

;; Query time: 60 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 13 09:40:35 2012
;; MSG SIZE  rcvd: 534

#
=====

Basically, at a restart iodined does not segfault (I guess because dnsmasq already got the request), but the DNS information returned is too much. Attached is the strace output for the first segfault, reproducible by restarting dnsmasq before starting iodined (but for whatever reason not with -D).
This happens also with a backport of 0.6.0~rc1-3, thus this seems not to be related to #596740.

While checking the upstream Git repository for relevant changes, I discovered that in configurations similar to mine, i.e. iodined and dnsmasq on different interfaces, there is no need to run the two daemons on separate ports:

  commit a62ae8e562d0e9e5729bb4f469bc900074930efc
  Author: Erik Ekman <[email protected]>
  Date:   Thu Jul 16 08:44:04 2009 +0000
  Subject: Allow bind port and listen port to be the same if listenip doesnt include localhost. Also remove newlines from warnx

Actually, there is no mention of this in the iodine manpage, so attached is a patch against the upstream Git repository (no mention in README to avoid naive usage):

  commit 3f246470c7abc13553cffe544c88a4b78afde5b2
  Author: Luca Capello <[email protected]>
  Date:   Fri Apr 13 16:45:43 2012 +0200
  Subject: man/iodine.8: add note about sharing port/dnsport

  This complements a62ae8e562d0e9e5729bb4f469bc900074930efc.

Indeed, with this feature and the following configuration iodined does not segfault anymore:

  # iodine -c -l 192.168.0.5 10.19.10.1 MYTUNNEL
  # dnsmasq --port=53 --except-interface=eth0

Thx, bye,
Gismo / Luca

PS, I have confirmed iodined's own behavior (i.e. creating an IPv4-over-DNS tunnel) only in the latter configuration ;-)

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iodine depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libc6                  2.11.3-3          Embedded GNU C Library: Shared lib
ii  udev                   164-3             /dev/ and hotplug management daemo
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

iodine recommends no packages.
Versions of packages iodine suggests:
ii  dnsutils               1:9.7.3.dfsg-1~squeeze4  Clients provided with BIND
pn  fping                  <none>                   (no description available)
pn  gawk                   <none>                   (no description available)
pn  ipcalc                 <none>                   (no description available)
ii  iproute                20100519-3               networking and traffic control too

-- debconf information:
  iodine/daemon_options:
  iodine/start_daemon: false
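As an added check (example code, not from the report and not part of iodine or dnsmasq): a small wire-format parser that reports a DNS reply's size and EDNS parameters, run here on a constructed DNSSEC-style answer shaped like the dig output in the report (A + RRSIG + OPT with udp 4096 and the DO flag), so an operator can see what a local resolver hands back before pointing a forwarder at it. It assumes the classic 512-byte UDP limit as the threshold; the report does not say what reply size iodined's forwarding path actually tolerates.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP reply size without EDNS (assumed threshold)
OPT_TYPE = 41            # EDNS(0) pseudo-RR type

def _name(s):
    """Encode a dotted name in DNS wire format (no compression)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"

def build_sample(rrsig_len, edns=True):
    """Constructed reply for example.com: A + RRSIG (+ OPT with udp=4096, DO set)."""
    hdr = struct.pack("!HHHHHH", 0xBA4E, 0x8180, 1, 2, 0, 1 if edns else 0)
    q = _name("example.com") + struct.pack("!HH", 1, 1)            # A IN
    ptr = b"\xc0\x0c"                                              # pointer to question name
    a = ptr + struct.pack("!HHIH", 1, 1, 93681, 4) + bytes([192, 0, 43, 10])
    rrsig = ptr + struct.pack("!HHIH", 46, 1, 93681, rrsig_len) + b"\x00" * rrsig_len
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x8000, 0)  # class=udp size, TTL bit 15=DO
    return hdr + q + a + rrsig + (opt if edns else b"")

def _skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer ends it in 2 bytes."""
    while True:
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:
            return off + 2
        off += 1 + label_len

def inspect_response(msg):
    """Return (total size, answer count, EDNS udp size or None, DO bit)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    edns_size, do_bit = None, False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            edns_size, do_bit = rclass, bool(ttl & 0x8000)
        off += 10 + rdlen
    return len(msg), an, edns_size, do_bit

def fits_classic_udp(msg):
    """True if the reply fits a forwarder that assumes 512-byte UDP answers."""
    return inspect_response(msg)[0] <= CLASSIC_UDP_LIMIT

if __name__ == "__main__":
    for reply in (build_sample(500), build_sample(100, edns=False)):
        print(inspect_response(reply), "fits:", fits_classic_udp(reply))
```

Feeding a real reply captured from the resolver (for instance the raw bytes of the 534-byte answer above) into inspect_response gives the same four fields for that resolver.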
From a2c2fdf93b6783bd729b04ed57d15794d058c65c Mon Sep 17 00:00:00 2001 From: Luca Capello <[email protected]> Date: Wed, 11 Apr 2012 13:21:57 +0200 Subject: [PATCH] debian/iodine.iodined.init: add to LSB's Required-Start --- debian/changelog | 9 +++++++++ debian/iodine.iodined.init | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index f3f017e..5596f51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +iodine (0.6.0~rc1-10) UNRELEASED; urgency=low + + [ Luca Capello ] + * debian/iodine.iodined.init: + + add $named to LSB's Required-Start, DNS resolution is needed for + the topdomain argument. + + -- + iodine (0.6.0~rc1-9) unstable; urgency=low * Make udev|makedev dependency Linux-only. Thanks to Robert Millan for diff --git a/debian/iodine.iodined.init b/debian/iodine.iodined.init index c766ea6..79839a7 100644 --- a/debian/iodine.iodined.init +++ b/debian/iodine.iodined.init @@ -1,7 +1,7 @@ #! /bin/sh ### BEGIN INIT INFO # Provides: iodined -# Required-Start: $remote_fs $network $syslog +# Required-Start: $remote_fs $network $syslog $named # Required-Stop: $remote_fs $network $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 -- 1.7.10
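Review bot: in the debian/changelog hunk the trailer is left as a bare ` -- ` with no maintainer name, address or date; that is the usual placeholder for an UNRELEASED entry, but it has to be completed before the 0.6.0~rc1-10 upload. The entry text `add $named to LSB's Required-Start, DNS resolution is needed for the topdomain argument` would read better split into two sentences.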
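Review bot: in the debian/iodine.iodined.init hunk only Required-Start gains `$named`; Required-Stop stays at `$remote_fs $network $syslog`, which is reasonable because stopping the tunnel needs no name resolution, but the changelog should say so to pre-empt the question. The dependency only orders startup; as the report itself states, the boot-time segfault persists with this patch applied, so it should not be described as a fix for that crash.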
iodined.strace.gz
Description: Binary data
From 3f246470c7abc13553cffe544c88a4b78afde5b2 Mon Sep 17 00:00:00 2001 From: Luca Capello <[email protected]> Date: Fri, 13 Apr 2012 16:45:43 +0200 Subject: [PATCH] man/iodine.8: add note about sharing port/dnsport This complements a62ae8e562d0e9e5729bb4f469bc900074930efc. --- man/iodine.8 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/man/iodine.8 b/man/iodine.8 index 9ff5247..87f5d95 100644 --- a/man/iodine.8 +++ b/man/iodine.8 @@ -1,5 +1,5 @@ .\" groff -man -Tascii iodine.8 -.TH IODINE 8 "DEC 2009" "User Manuals" +.TH IODINE 8 "APR 2012" "User Manuals" .SH NAME iodine, iodined \- tunnel IPv4 over DNS .SH SYNOPSIS @@ -255,6 +255,8 @@ By default, incoming requests are accepted from all interfaces. .TP .B -p port Make the server listen on 'port' instead of 53 for traffic. +If 'listen_ip' does not include localhost, this 'port' can be the same +as 'dnsport'. .B Note: You must make sure the dns requests are forwarded to this port yourself. .TP @@ -265,6 +267,8 @@ as destination in the query. .B -b dnsport If this port is specified, all incoming requests not inside the tunnel domain will be forwarded to this port on localhost, to be handled by a real dns. +If 'listen_ip' does not include localhost, this 'dnsport' can be the +same as 'port'. .B Note: The forwarding is not fully transparent, and not advised for use in production environments. -- 1.7.10
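Review bot: in the `-p port` hunk the added sentence says when 'port' may equal 'dnsport' but not what happens otherwise; since the context line above states that incoming requests are accepted from all interfaces by default, which includes localhost, the note should say explicitly that an explicit listen address excluding localhost is required for the shared-port setup and that iodined refuses the combination otherwise.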
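Review bot: the `-b dnsport` hunk repeats the `-p port` sentence almost verbatim; a single cross-reference (for instance "see -p") would keep the two from drifting apart in later edits. The existing `.B Note:` about forwarding not being fully transparent applies to the shared-port case too and could be referenced from the new sentence.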