Option --enable-linux-ip-local-port-range added to use system configured port range...

diff --git a/config.h.in b/config.h.in
index cb27afa4fe27e63a34407f1f9c1e0f5fefc253b8..a3b4bd1628a89ee95afffc4e99ec58f325373e25 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -856,6 +856,14 @@
 /* Define if you enable libevent */
 #undef USE_LIBEVENT
 
+/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a
+   default outgoing port range. This is only for the libunbound on Linux and
+   does not affect unbound resolving daemon itself. This may severely limit
+   the number of available outgoing ports and thus decrease randomness. Define
+   this only when the target system restricts (e.g. some of SELinux enabled
+   distributions) the use of non-ephemeral ports. */
+#undef USE_LINUX_IP_LOCAL_PORT_RANGE
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 

diff --git a/configure b/configure
index 7e722b59eaf3ce59b7b8120a3eaf4a1f607cc054..e68013ead2b9632ebd7a1db06b1282c1fa5074f3 100755 (executable)
--- a/configure
+++ b/configure
@@ -902,6 +902,7 @@ enable_ipsecmod
 enable_ipset
 with_libmnl
 enable_explicit_port_randomisation
+enable_linux_ip_local_port_range
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -1605,6 +1606,16 @@ Optional Features:
   --disable-explicit-port-randomisation
                           disable explicit source port randomisation and rely
                           on the kernel to provide random source ports
+  --enable-linux-ip-local-port-range
+                          Define this to enable use of
+                          /proc/sys/net/ipv4/ip_local_port_range as a default
+                          outgoing port range. This is only for the libunbound
+                          on Linux and does not affect unbound resolving
+                          daemon itself. This may severely limit the number of
+                          available outgoing ports and thus decrease
+                          randomness. Define this only when the target system
+                          restricts (e.g. some of SELinux enabled
+                          distributions) the use of non-ephemeral ports.
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -21632,6 +21643,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h
                ;;
 esac
 
+if echo "$host" | $GREP -i -e linux >/dev/null; then
+       # Check whether --enable-linux-ip-local-port-range was given.
+if test "${enable_linux_ip_local_port_range+set}" = set; then :
+  enableval=$enable_linux_ip_local_port_range;
+fi
+
+       case "$enable_linux_ip_local_port_range" in
+               yes)
+
+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h
+
+                       ;;
+               no|*)
+                       ;;
+       esac
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }

diff --git a/configure.ac b/configure.ac
index 5ffbe68344ec26cf6f44078637d4961876e6fc78..33ed0812c87014e437536f71a69b3dd3406456e5 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1862,6 +1862,17 @@ case "$enable_explicit_port_randomisation" in
                ;;
 esac
 
+if echo "$host" | $GREP -i -e linux >/dev/null; then
+       AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.]))
+       case "$enable_linux_ip_local_port_range" in
+               yes)
+                       AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports.])
+                       ;;
+               no|*)
+                       ;;
+       esac
+fi
+
 
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.

diff --git a/libunbound/context.c b/libunbound/context.c
index 267366ae50c3e1e2abff442f997f1cdd92508efd..e589c6ae28d700efcfadfc7f60dcdc84afcf7f67 100644 (file)
--- a/libunbound/context.c
+++ b/libunbound/context.c
@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx)
        } else {
                log_init(cfg->logfile, cfg->use_syslog, NULL);
        }
+       cfg_apply_local_port_policy(cfg, 65536);
        config_apply(cfg);
        if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
                return UB_INITFAIL;

diff --git a/util/config_file.c b/util/config_file.c
index bbbfe24f5290643efe18a0be111b5d332dcc1f01..50b0e645af8f4d9d68791a733a5e722a0493b25f 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -1704,6 +1704,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
        return num;
 }
 
+void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
+(void)cfg;
+(void)num;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+       {
+               int i = 0;
+               FILE* range_fd;
+               if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
+                       int min_port = 0;
+                       int max_port = num - 1;
+                       if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
+                               for(i=0; i<min_port; i++) {
+                                       cfg->outgoing_avail_ports[i] = 0;
+                               }
+                               for(i=max_port+1; i<num; i++) {
+                                       cfg->outgoing_avail_ports[i] = 0;
+                               }
+                       } else {
+                               log_err("unexpected port range in %s",
+                                               LINUX_IP_LOCAL_PORT_RANGE_PATH);
+                       }
+                       fclose(range_fd);
+               } else {
+                       log_err("failed to read from file: %s (%s)",
+                                       LINUX_IP_LOCAL_PORT_RANGE_PATH,
+                                       strerror(errno));
+               }
+       }
+#endif
+}
+
 /** print error with file and line number */
 static void ub_c_error_va_list(const char *fmt, va_list args)
 {

diff --git a/util/config_file.h b/util/config_file.h
index d61f7ce8c3cbe4a85500ddfb4b221fb44a3b89ea..aed6812dafe81f68648c39af5c1c0f834d67670c 100644 (file)
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -1190,6 +1190,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
  */
 int cfg_condense_ports(struct config_file* cfg, int** avail);
 
+/**
+ * Apply system specific port range policy.
+ * @param cfg: config file.
+ * @param num: size of the array (65536).
+ */
+void cfg_apply_local_port_policy(struct config_file* cfg, int num);
+
 /**
  * Scan ports available
  * @param avail: the array from cfg.
@@ -1329,5 +1336,9 @@ int if_is_https(const char* ifname, const char* port, int https_port);
  */
 int cfg_has_https(struct config_file* cfg);
 
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
+#endif
+
 #endif /* UTIL_CONFIG_FILE_H */