From f595a75cd633bb6af8888e0233100eb8025ae8c4 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Tue, 14 Dec 2021 09:28:01 +0000
Subject: [PATCH] Recreate HTTPS and TLS interfaces only during reconfiguration

The 850e9e59bf8c29f895a981211c72c0b3c294bcfd commit intended to recreate the HTTPS and TLS interfaces during reconfiguration, but they are being recreated also during regular interface re-scans. Make sure the HTTPS and TLS interfaces are being recreated only during reconfiguration.
---
 bin/named/server.c | 6 +++---
 lib/ns/include/ns/interfacemgr.h | 5 ++++-
 lib/ns/interfacemgr.c | 24 ++++++++++++------------
 lib/ns/tests/nstest.c | 2 +-
 4 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index f7db73faf9..8943ce7e17 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6933,7 +6933,7 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) {
 	UNUSED(task);
 
 	isc_event_free(&event);
-	ns_interfacemgr_scan(server->interfacemgr, false);
+	ns_interfacemgr_scan(server->interfacemgr, false, false);
 }
 
 static void
@@ -8933,7 +8933,7 @@ load_configuration(const char *filename, named_server_t *server,
 	 * to configure the query source, since the dispatcher we use might
 	 * be shared with an interface.
 	 */
-	result = ns_interfacemgr_scan(server->interfacemgr, true);
+	result = ns_interfacemgr_scan(server->interfacemgr, true, true);
 
 	/*
 	 * Check that named is able to TCP listen on at least one
@@ -10411,7 +10411,7 @@ named_server_scan_interfaces(named_server_t *server) {
 		      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
 		      "automatic interface rescan");
 
-	ns_interfacemgr_scan(server->interfacemgr, true);
+	ns_interfacemgr_scan(server->interfacemgr, true, false);
 }
 
 /*
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
index c52392156a..2331fc63e3 100644
--- a/lib/ns/include/ns/interfacemgr.h
+++ b/lib/ns/include/ns/interfacemgr.h
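Review bot: The new call `ns_interfacemgr_scan(server->interfacemgr, false, false);` in interface_timer_tick passes two adjacent unlabelled bool literals, so a reader cannot tell which is `verbose` and which is `config` without opening the header. Labelling them at the call site, e.g. `ns_interfacemgr_scan(server->interfacemgr, /* verbose */ false, /* config */ false);`, makes the intent self-evident, and the mistake this commit fixes (a rescan path behaving like a reconfiguration) is exactly the kind that such labels make visible in review. The same applies to the load_configuration and named_server_scan_interfaces hunks in this file, to scan_event in lib/ns/interfacemgr.c and to scan_interfaces in lib/ns/tests/nstest.c. interface_timer_tick starts outside the hunk.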
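Review bot: load_configuration is the only call site in this patch that passes `config` as true, and the comment above the call explains only why the scan runs here, not that the true flag makes the scan unlink and recreate every existing listener with an `sslctx` (as the lib/ns/interfacemgr.c hunks show) on every reconfiguration, whether or not the tls or http configuration changed. A one-line comment before the call would record that decision for the next maintainer, e.g. `/* 'config' is true: recreate TLS/HTTPS listeners so changed certificates take effect. */`. The enclosing function starts and ends outside the hunk.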
@@ -131,12 +131,15 @@ ns_interfacemgr_islistening(ns_interfacemgr_t *mgr);
  */
 
 isc_result_t
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose);
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config);
 /*%<
  * Scan the operatings system's list of network interfaces
  * and create listeners when new interfaces are discovered.
  * Shut down the sockets for interfaces that go away.
  *
+ * When 'config' is true, also shut down and recreate any existing TLS and HTTPS
+ * interfaces in order to use their new configuration.
+ *
  * This should be called once on server startup and then
  * periodically according to the 'interface-interval' option
  * in named.conf.
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 38de7cfe23..4c3eef92f9 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -98,7 +98,7 @@ scan_event(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
-	ns_interfacemgr_scan(mgr, false);
+	ns_interfacemgr_scan(mgr, false, false);
 	isc_event_free(&event);
 }
 
@@ -851,7 +851,7 @@ clearlistenon(ns_interfacemgr_t *mgr) {
 }
 
 static isc_result_t
-do_scan(ns_interfacemgr_t *mgr, bool verbose) {
+do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	isc_interfaceiter_t *iter = NULL;
 	bool scan_ipv4 = false;
 	bool scan_ipv6 = false;
@@ -919,10 +919,10 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose) {
 			if (ifp != NULL) {
 				/*
 				 * We need to recreate the TLS/HTTPS listeners
-				 * because the certificates could have been
-				 * changed on reconfiguration.
+				 * during reconfiguration because the
+				 * certificates could have been changed.
 				 */
-				if (le->sslctx != NULL) {
+				if (config && le->sslctx != NULL) {
 					INSIST(NS_INTERFACE_VALID(ifp));
 					LOCK(&mgr->lock);
 					ISC_LIST_UNLINK(ifp->mgr->interfaces,
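Review bot: The added doc sentence says what `config` does but not who may set it: the call sites in this patch pass true only from the configuration-loading path and false from the timer, the rndc-triggered rescan and the test harness, and a caller that passed true from a rescan would tear down working TLS/HTTPS listeners for no reason. Consider adding a sentence such as `Periodic or manual rescans must pass false; only the (re)configuration path should pass true, since recreating the listeners drops the existing sockets.` The name `config` also reads as though a configuration object were passed; a name such as `reconfig` would state what the flag means, though renaming touches every caller. While here, `operatings system's` on the context line above could become `operating system's`.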
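Review bot: The guard `if (config && le->sslctx != NULL) {` and the three-line comment above it are now duplicated verbatim in the IPv4 branch here and in the IPv6 branch in the @@ -1104 hunk, and the two comments have already drifted ("during reconfiguration" versus "during a reconfiguration"). Moving the decision into one small static helper that takes `config` and `le` and returns whether the listener must be recreated would keep the two branches in step the next time this policy changes; failing that, the two comments should at least be identical so a grep finds both places. do_scan's body starts and ends outside both hunks.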
@@ -1104,10 +1104,10 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose) {
 			if (ifp != NULL) {
 				/*
 				 * We need to recreate the TLS/HTTPS listeners
-				 * because the certificates could have been
-				 * changed on reconfiguration.
+				 * during a reconfiguration because the
+				 * certificates could have been changed.
 				 */
-				if (le->sslctx != NULL) {
+				if (config && le->sslctx != NULL) {
 					INSIST(NS_INTERFACE_VALID(ifp));
 					LOCK(&mgr->lock);
 					ISC_LIST_UNLINK(ifp->mgr->interfaces,
@@ -1207,7 +1207,7 @@ cleanup_iter:
 }
 
 static isc_result_t
-ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	isc_result_t result;
 	bool purge = true;
 
@@ -1215,7 +1215,7 @@ ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, bool verbose) {
 
 	mgr->generation++; /* Increment the generation count. */
 
-	result = do_scan(mgr, verbose);
+	result = do_scan(mgr, verbose, config);
 	if ((result != ISC_R_SUCCESS) && (result != ISC_R_ADDRINUSE)) {
 		purge = false;
 	}
@@ -1249,7 +1249,7 @@ ns_interfacemgr_islistening(ns_interfacemgr_t *mgr) {
 }
 
 isc_result_t
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	isc_result_t result;
 	bool unlock = false;
 
@@ -1263,7 +1263,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr, bool verbose) {
 		unlock = true;
 	}
 
-	result = ns_interfacemgr_scan0(mgr, verbose);
+	result = ns_interfacemgr_scan0(mgr, verbose, config);
 
 	if (unlock) {
 		isc_task_endexclusive(mgr->excl);
diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c
index 15614e1059..3c458ca1d6 100644
--- a/lib/ns/tests/nstest.c
+++ b/lib/ns/tests/nstest.c
@@ -211,7 +211,7 @@ static void scan_interfaces(isc_task_t *task, isc_event_t *event) {
 
 	UNUSED(task);
 
-	ns_interfacemgr_scan(interfacemgr, true);
+	ns_interfacemgr_scan(interfacemgr, true, false);
 	isc_event_free(&event);
 }