From: Bret Comnes Date: Thu, 26 Mar 2026 05:59:09 +0000 (-0700) Subject: Revert "resolve: refuse traffic from the local host only for queries" X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=658e5ac06f80ee2078b034f7cc483204d7f91c5e;p=thirdparty%2Fsystemd.git Revert "resolve: refuse traffic from the local host only for queries" This reverts commit 526f1594daec073269c3e70ee7914f6dd8740d5c. This revert is necessary because the change breaks mDNS hostname stability whenever a DNS-SD service calls UnregisterService. When a service unregisters (e.g. on process restart), manager_refresh_rrs() clears and re-adds all RRs in PROBING state, which sends a multicast announcement (QR=1). The kernel reflects this back to resolved's own socket. Because the local-address check was moved inside the query-only branch by the reverted commit, the reply path in on_mdns_packet() is now unguarded. The looped-back announcement matches the pending probe transaction and completes it with DNS_TRANSACTION_SUCCESS. Since the zone item is still in PROBING state (not ESTABLISHED), dns_zone_item_notify() sets we_lost=true and calls dns_zone_item_conflict(), which invokes manager_next_hostname() and renames the hostname (e.g. foo.local → foo4.local). This happens reliably on every restart of any service using RegisterService/UnregisterService (homebridge, avahi-compat wrappers, etc.). The top-level local-address check in on_mdns_packet() suppresses all looped-back multicast traffic before the reply/query split. Restoring it there is consistent with the overall design: dns_scope_check_conflicts() already has its own manager_packet_from_local_address() guard and is unaffected. A more targeted long-term fix (e.g. guarding dns_transaction_process_reply() for mDNS, or avoiding unnecessary re-probing of already-established records in manager_refresh_rrs()) can be pursued separately. --- diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c index 5026b10ff4c..fb20ba9cd02 100644 --- a/src/resolve/resolved-mdns.c +++ b/src/resolve/resolved-mdns.c @@ -413,6 +413,14 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us if (r <= 0) return r; + /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS + * unicast queries through anyway (we never send those ourselves, hence no risk). + * i.e. check for the source port nr. */ + if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p)) { + log_debug("Got mDNS UDP packet from local host, ignoring."); + return 0; + } + scope = manager_find_scope(m, p); if (!scope) { log_debug("Got mDNS UDP packet on unknown scope. Ignoring."); @@ -529,14 +537,6 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us if (unsolicited_packet) mdns_notify_browsers_unsolicited_updates(m, p->answer, p->family); } else if (dns_packet_validate_query(p) > 0) { - /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS - * unicast queries through anyway (we never send those ourselves, hence no risk). - * i.e. check for the source port nr. */ - if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p)) { - log_debug("Got mDNS UDP packet from local host, ignoring."); - return 0; - } - log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p)); r = mdns_scope_process_query(scope, p);