On Mon, Nov 20, 2023 at 05:15:16AM -0700, Florian Obser wrote: > CVSROOT: /cvs > Module name: src > Changes by: flor...@cvs.openbsd.org 2023/11/20 05:15:16 > > Modified files: > lib/libc/asr : asr_private.h asr_utils.c getaddrinfo_async.c > gethostnamadr_async.c > > Log message: > localhost is either 127.0.0.1 or ::1, nothing else. > > RFC 6761, 6.3 Domain Name Reservation Considerations for "localhost.": > 3. Name resolution APIs and libraries SHOULD recognize localhost > names as special and SHOULD always return the IP loopback address > for address queries and negative responses for all other query > types. Name resolution APIs SHOULD NOT send queries for > localhost names to their configured caching DNS server(s). > > This makes sure that the getaddrinfo(3) and gethostbyname(3) family of > functions always return the loopback address and do not send queries > to name servers. This includes "localhost", "localhost." and > everything under ".localhost" and ".localhost.". > > For example, a host underneath the .com.ar zone will per default have > a search list of "com.ar.". resolv.conf(5) has a default of "lookup > bind file". Both combined will result in lookups for "localhost" to > not return 127.0.0.1 because localhost.com.ar is registered in DNS. > > It has been known for decades that this is a problem, especially for > localhost. > > Problem recently spotted by gonzalo@ and debugged by sthen@ > > Testing sthen, gonzalo > Input & OK phessler, eric, millert > OK sthen, kn, deraadt
Seeing two new failures. The offending pf rule: pass in inet6 proto tcp to port 25 divert-to localhost port 8025 pfctl complains about: stdin:10: divert-to address family mismatch Changing localhost to ::1 makes it pass again. Is this expected or a regression? The ipsecctl failure looks like a symptom of the same problem. > sbin/ipsecctl Exit: 1 Duration: 00:00:06 Log: 181-sbin-ipsecctl.log ==== ike ==== cat /home/src/regress/sbin/ipsecctl/ike56.in | sed -e 's,DIR,/home/src/regress/sbin/ipsecctl,g' | /sbin/ipsecctl -nv -f - | diff -u /home/src/regress/sbin/ipsecctl/ike56.ok /dev/stdin stdin: 1: source/destination address families do not match ipsecctl: Syntax error in config file: ipsec rules not loaded --- /home/src/regress/sbin/ipsecctl/ike56.ok Fri Sep 2 12:58:24 2016 +++ /dev/stdin Tue Nov 21 02:26:19 2023 @@ -1,33 +0,0 @@ -C set [Phase 1]:127.0.0.1=peer-127.0.0.1 force -C set [peer-127.0.0.1]:Phase=1 force -C set [peer-127.0.0.1]:Address=127.0.0.1 force -C set [peer-127.0.0.1]:Configuration=phase1-peer-127.0.0.1 force -C set [phase1-peer-127.0.0.1]:EXCHANGE_TYPE=ID_PROT force -C add [phase1-peer-127.0.0.1]:Transforms=phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072 force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:AUTHENTICATION_METHOD=RSA_SIG force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:HASH_ALGORITHM=SHA force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:ENCRYPTION_ALGORITHM=AES_CBC force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:KEY_LENGTH=128,128:256 force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:GROUP_DESCRIPTION=MODP_3072 force -C set [phase1-transform-peer-127.0.0.1-RSA_SIG-SHA-AES128-MODP_3072]:Life=LIFE_MAIN_MODE force -C set [from-127.0.0.1-to-127.0.0.1]:Phase=2 force -C set [from-127.0.0.1-to-127.0.0.1]:ISAKMP-peer=peer-127.0.0.1 force -C set [from-127.0.0.1-to-127.0.0.1]:Configuration=phase2-from-127.0.0.1-to-127.0.0.1 force -C set [from-127.0.0.1-to-127.0.0.1]:Local-ID=from-127.0.0.1 force -C set [from-127.0.0.1-to-127.0.0.1]:Remote-ID=to-127.0.0.1 force -C set [phase2-from-127.0.0.1-to-127.0.0.1]:EXCHANGE_TYPE=QUICK_MODE force -C set [phase2-from-127.0.0.1-to-127.0.0.1]:Suites=phase2-suite-from-127.0.0.1-to-127.0.0.1 force -C set [phase2-suite-from-127.0.0.1-to-127.0.0.1]:Protocols=phase2-protocol-from-127.0.0.1-to-127.0.0.1 force -C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:PROTOCOL_ID=IPSEC_ESP force -C set [phase2-protocol-from-127.0.0.1-to-127.0.0.1]:Transforms=phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:TRANSFORM_ID=AES force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:KEY_LENGTH=128,128:256 force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:GROUP_DESCRIPTION=MODP_3072 force -C set [phase2-transform-from-127.0.0.1-to-127.0.0.1-AES128-SHA2_256-MODP_3072-TUNNEL]:Life=LIFE_QUICK_MODE force -C set [from-127.0.0.1]:ID-type=IPV4_ADDR force -C set [from-127.0.0.1]:Address=127.0.0.1 force -C set [to-127.0.0.1]:ID-type=IPV4_ADDR force -C set [to-127.0.0.1]:Address=127.0.0.1 force -C add [Phase 2]:Passive-Connections=from-127.0.0.1-to-127.0.0.1 *** Error 1 in . (Makefile:79 'ike56') FAILED > sbin/pfctl Exit: 1 Duration: 00:00:26 Log: 388-sbin-pfctl.log ==== pf ==== doas -n ifconfig lo1000000 create doas -n ifconfig tun1000000 create doas -n ifconfig tun1000001 create /sbin/pfctl -o none -nv -f - < /home/src/regress/sbin/pfctl/pf104.in | diff -u /home/src/regress/sbin/pfctl/pf104.ok /dev/stdin stdin:10: divert-to address family mismatch --- /home/src/regress/sbin/pfctl/pf104.ok Tue May 19 19:16:20 2015 +++ /dev/stdin Tue Nov 21 04:30:00 2023 @@ -1,7 +0,0 @@ -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025 -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025 -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025 -pass in inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025 -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 port 8025 -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 port 8025 -pass in inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 port 8025 *** Error 1 in . (Makefile:106 'pf104') FAILED ==== pfcmdfail ==== doas -n ifconfig lo1000000 create doas -n ifconfig tun1000000 create doas -n ifconfig tun1000001 create doas -n /sbin/pfctl `cat /home/src/regress/sbin/pfctl/pfcmdfail1.opts` -f - < /home/src/regress/sbin/pfctl/pfcmdfail1.in 2>&1 | diff -u /home/src/regress/sbin/pfctl/pfcmdfail1.ok /dev/stdin --- /home/src/regress/sbin/pfctl/pfcmdfail1.ok Sun Aug 13 04:20:43 2017 +++ /dev/stdin Tue Nov 21 04:30:20 2023 @@ -1,2 +0,0 @@ -no IP address found for localhost -stdin:1: could not parse host specification *** Error 1 in . (Makefile:281 'pfcmdfail1') FAILED