From 333856b1c1b032f937dd24d604f98cdb6dfe3d91 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 29 Jan 2018 22:49:27 +0000
Subject: [PATCH] Default min-port to 1024 to avoid reserved ports.
(cherry picked from commit baf553db0cdb50707ddab464fb3eff7786ea576c)
---
man/dnsmasq.8 | 3 ++-
src/dns-protocol.h | 1 +
src/dnsmasq.c | 3 ---
src/network.c | 5 +----
src/option.c | 1 +
5 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 1f1b048..9b7adde 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -182,7 +182,8 @@ OS: this was the default behaviour in versions prior to 2.43.
Do not use ports less than that given as source for outbound DNS
queries. Dnsmasq picks random ports as source for outbound queries:
when this option is given, the ports used will always to larger
-than that specified. Useful for systems behind firewalls.
+than that specified. Useful for systems behind firewalls. If not specified,
+defaults to 1024.
.TP
.B --max-port=<port>
Use ports lower than that given as source for outbound DNS queries.
diff --git a/src/dns-protocol.h b/src/dns-protocol.h
index 75d8ffb..dd69b28 100644
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -16,6 +16,7 @@
#define NAMESERVER_PORT 53
#define TFTP_PORT 69
+#define MIN_PORT 1024 /* first non-reserved port */
#define MAX_PORT 65535u
#define IN6ADDRSZ 16
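Review bot: The new `MIN_PORT` is an unsuffixed `1024` while the neighbouring `MAX_PORT` is `65535u`, and both end up in unsigned port arithmetic in `random_sock()`, so `#define MIN_PORT 1024u /* first non-reserved port */` would keep the pair consistent. The comment could also spell out what "reserved" means, since that is the security rationale for the default: `/* ports 0-1023 are privileged/well-known; never pick them as query source ports */`.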
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 83631ef..ae1aa96 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -220,9 +220,6 @@ int main (int argc, char **argv)
die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
#endif
- if (daemon->max_port != MAX_PORT && daemon->min_port == 0)
- daemon->min_port = 1024u;
-
if (daemon->max_port < daemon->min_port)
die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF);
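Review bot: The only sanity check left here is `max_port < min_port`, so with the new fixed default a configuration such as `--max-port=1024`, or any `--min-port=N --max-port=N`, still passes and leaves exactly one usable source port, which silently removes the randomisation that random source ports are meant to provide against cache poisoning. Since the zero-means-unset handling is gone, a degenerate range could be rejected in the same place: `if (daemon->max_port == daemon->min_port) die(_("min_port and max_port leave only one source port"), NULL, EC_BADCONF);`. Whether a one-port range is ever intentional is not visible from here, so a logged warning may be the safer choice than `die()`. `main()` starts before this hunk and continues after it.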
diff --git a/src/network.c b/src/network.c
index fcd9d8d..d75f560 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1149,10 +1149,7 @@ int random_sock(int family)
if (fix_fd(fd))
while(tries--)
{
- unsigned short port = rand16();
-
- if (daemon->min_port != 0 || daemon->max_port != MAX_PORT)
- port = htons(daemon->min_port + (port % ((unsigned short)ports_avail)));
+ unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
if (family == AF_INET)
{
diff --git a/src/option.c b/src/option.c
index 3469f53..22846f6 100644
--- a/src/option.c
+++ b/src/option.c
@@ -4521,6 +4521,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
daemon->soa_retry = SOA_RETRY;
daemon->soa_expiry = SOA_EXPIRY;
daemon->max_port = MAX_PORT;
+ daemon->min_port = MIN_PORT;
add_txt("version.bind", "dnsmasq-" VERSION, 0 );
add_txt("authors.bind", "Simon Kelley", 0);
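Review bot: With this default, `daemon->min_port == 0` no longer means "unset", but nothing in the commit stops an explicit `--min-port=0` from bringing the reserved ports back, which is what the change sets out to avoid; the man-page text added in this commit states the default but not that lower values are still accepted. If reserved ports are meant to be off-limits, the `--min-port` handler (outside this hunk) is the place to either reject values below `MIN_PORT` or document that overriding the default is a deliberate opt-in; a one-line comment here, `/* MIN_PORT keeps query source ports out of the privileged range; --min-port may still lower it */`, would make the intent clear to the next reader. `read_opts()` starts before this hunk and continues after it.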
--
2.20.1