networkupstools · jimklimov · Aug 16, 2023 · Aug 5, 2023 · Aug 5, 2023 · Aug 5, 2023
diff --git a/NEWS b/NEWS
@@ -62,7 +62,7 @@ as part of https://github.com/networkupstools/nut/issues/1410 solution.
      too low. As issue #1455 and PR #1495 found, in two cases the called
      commands did "meaningfully" modify data -- so without debug logs the
      program misbehaved. A known regression for `upscode2` driver; might
-     be or not be a problem with `upsd` driver in NUT v2.8.0 release,
+     be or not be a problem with `upsd` server in NUT v2.8.0 release,
      fixed for NUT v2.8.1.
    * A table in `cyberpower-mib` (for `snmp-ups` driver) sources was
      arranged in NUT v2.8.0 release in a way that precluded the driver
@@ -278,6 +278,24 @@ as part of https://github.com/networkupstools/nut/issues/1410 solution.
    * added support for `NUT_QUIET_INIT_SSL` environment variable to hide
      the infamous "Init SSL without certificate database" warning [#1662]
 
+ - The `upsd.conf` listing of `LISTEN` addresses was previously inverted
+   (the last listed address was applied first), which was counter-intuitive
+   and fixed for this release [#2012]
+
+ - The `upsd` configured to listen on IPv6 addresses should handle only
+   IPv6 (and not IPv4-mappings) to avoid surprises and insecurity; it
+   will now warn if a host name resolves to several addresses (and will only
+   listen on the first hit, as before in such cases) [#2012]
+
+ - A definitive behavior for `LISTEN *` directives became specified, to try
+   handling both IPv4 and IPv6 "any" address (subject to `upsd` CLI options
+   to only choose one, and to OS abilities). When both address families are
+   enabled, the `upsd` data server will first try to open an IPv6 socket
+   asking for disabled IPv4-mapped IPv6 address support (if the OS honors
+   that), and then an IPv4 socket (which may fail if the IPv6 socket already
+   covers it anyway); in other words, you can end up with one or two separate
+   listening sockets. [#2012]
+
  - sstate (server state, e.g. upsd) should now "PING" drivers also if they
    last reported themselves as "stale" (and might later crash) so their
    connections would be terminated if really no longer active [#1626]

diff --git a/UPGRADING b/UPGRADING
@@ -65,6 +65,30 @@ Changes from 2.8.0 to 2.8.1
   the packaging recipes may use NUT source-code facilities and package just
   symlinks as relevant for each distro separately [#1462, #1504]
 
+- The `upsd.conf` listing of `LISTEN` addresses was previously inverted
+  (the last listed address was applied first), which was counter-intuitive
+  and fixed for this release. If user configurations somehow relied on this
+  order (e.g. to prioritize IPv6 vs IPv4 listeners), configuration changes
+  may be needed. [#2012]
+
+- The `upsd` configured to listen on IPv6 addresses should handle only
+  IPv6 (and not IPv4-mappings like it might have done before) to avoid
+  surprises and insecurity -- if user configurations somehow relied on
+  this dual support, configuration changes may be needed to specify both
+  desired IP addresses. Note that the daemon logs will now warn if a
+  host name resolves to several addresses (and will only listen on the
+  first hit, as it did before in such cases). [#2012]
+
+- A definitive behavior for `LISTEN *` directives became specified, to try
+  handling both IPv4 and IPv6 "any" address (subject to `upsd` CLI options
+  to only choose one, and to OS abilities). This use-case may be practically
+  implemented as a single IPv6 socket on systems with enabled and required
+  IPv4-mapped IPv6 address support, or as two separate listening sockets -
+  logged messages to this effect (e.g. inability to listen on IPv4 after
+  opening IPv6) are expected on some platforms. End-users may also want to
+  reconfigure their `upsd.conf` files to remove some now-redundant `LISTEN`
+  lines. [#2012]
+
 - Added support for `make sockdebug` for easier developer access to the tool;
   also if `configure --with-dev` is in effect, it would now be installed to
   the configured `libexec` location. A man page was also added. [#1936]

diff --git a/conf/upsd.conf.sample b/conf/upsd.conf.sample
@@ -64,6 +64,13 @@
 # Note that it is not true for Windows platforms. You shouldn't use IPv6 in
 # your configuration files unless you have IPv6 installed.
 #
+# As a special case, `LISTEN * <port>` (with an asterisk) will try
+# to listen on "ANY" IP address for both IPv6 (::0) and IPv4 (0.0.0.0),
+# subject to `upsd` command-line arguments, or system configuration.
+# Note that if the system supports IPv4-mapped IPv6 addressing per RFC-3493,
+# and does not allow to disable this mode, then there may be one listening
+# socket to handle both address families.
+#
 # One or more LISTEN statements give the IP address (or name that
 # resolves to such an address) for upsd to listen on, optionally with
 # a port number.
@@ -74,6 +81,12 @@
 #
 # This will only be read at startup of upsd.  If you make changes here,
 # you'll need to restart upsd, as reload will have no effect.
+#
+# Please note that older NUT releases could have been using the IPv4-mapped
+# IPv6 addressing (sometimes also known as "dual-stack") mode, if provided
+# by the system. Current versions (since NUT v2.8.1 release) explicitly try
+# to restrict their listening sockets to only support one address family on
+# each socket, and so avoid IPv4-mapped mode where possible.
 
 # =======================================================================
 # MAXCONN <connections>

diff --git a/configure.ac b/configure.ac
@@ -1120,7 +1120,7 @@ NUT_TYPE_SOCKLEN_T
 NUT_CHECK_SOCKETLIB
 NUT_FUNC_GETNAMEINFO_ARGTYPES
 
-AC_CACHE_CHECK([for inet_ntop()],
+AC_CACHE_CHECK([for inet_ntop() with IPv4 and IPv6 support],
     [ac_cv_func_inet_ntop],
     [AC_LANG_PUSH([C])
     dnl e.g. add "-lws2_32" for mingw builds
@@ -1148,7 +1148,8 @@ AC_CACHE_CHECK([for inet_ntop()],
 ]],
             [[/* const char* inet_ntop(int af, const void* src, char* dst, size_t cnt); */
 char buf[128];
-printf("%s", inet_ntop(AF_INET, "1.2.3.4", buf, 10))
+printf("%s", inet_ntop(AF_INET, "1.2.3.4", buf, 10));
+printf("%s", inet_ntop(AF_INET6, "::1", buf, 10))
 /* autoconf adds ";return 0;" */
 ]])],
         [ac_cv_func_inet_ntop=yes], [ac_cv_func_inet_ntop=no]

diff --git a/docs/config-notes.txt b/docs/config-notes.txt
@@ -295,6 +295,13 @@ want `upsd` to listen on for connections, optionally with a port number.
 	LISTEN 127.0.0.1 3493
 	LISTEN ::1 3493
 
+As a special case, `LISTEN * <port>` (with an asterisk) will try to
+listen on "ANY" IP address for both and IPv6 (`::0`) and IPv4 (`0.0.0.0`),
+subject to `upsd` command-line arguments, or system configuration or support.
+Note that if the system supports IPv4-mapped IPv6 addressing per RFC-3493,
+and does not allow to disable this mode, then there may be one listening
+socket to handle both address families.
+
 NOTE: Refer to the NUT user manual <<NUT_Security,security chapter>> for
 information on how to access and secure upsd clients connections.
 

diff --git a/docs/man/upsd.conf.txt b/docs/man/upsd.conf.txt
@@ -66,12 +66,18 @@ compiled into the code.  This overrides any value you may have set with
 upsd will listen on port 3493 for this interface.
 +
 Multiple LISTEN addresses may be specified.  The default is to bind to
-127.0.0.1 if no LISTEN addresses are specified (and ::1 if IPv6 support is
-compiled in).
+`127.0.0.1` if no LISTEN addresses are specified (and also `::1` if IPv6
+support is compiled in).
++
+To listen on all available interfaces and configured IP addresses of your
+system, you may also use `::` for IPv6 and `0.0.0.0` for IPv4, respectively.
+As a special case, a single `LISTEN * <port>` directive (with an asterisk) will
+try to listen on both IPv6 (`::0`) and IPv4 (`0.0.0.0`) wild-card IP addresses,
+subject to `upsd` command-line arguments or system configuration.
+Note that if the system supports IPv4-mapped IPv6 addressing per RFC-3493,
+and does not allow to disable this mode, then there may be one listening
+socket to handle both address families.
 +
-To listen on all available interfaces, you may also use '0.0.0.0' for IPv4 and
-and '::' for IPv6.
-
 	LISTEN 127.0.0.1
 	LISTEN 192.168.50.1
 	LISTEN myhostname.mydomain
@@ -80,6 +86,12 @@ and '::' for IPv6.
 +
 This parameter will only be read at startup.  You'll need to restart
 (rather than reload) upsd to apply any changes made here.
++
+Please note that older NUT releases could have been using the IPv4-mapped
+IPv6 addressing (sometimes also known as "dual-stack") mode, if provided
+by the system. Current versions (since NUT v2.8.1 release) explicitly try
+to restrict their listening sockets to only support one address family on
+each socket, and so avoid IPv4-mapped mode where possible.
 
 "MAXCONN 'connections'"::
 

diff --git a/docs/security.txt b/docs/security.txt
@@ -234,6 +234,13 @@ compiled in).
 	   LISTEN ::1
 	   LISTEN 2001:0db8:1234:08d3:1319:8a2e:0370:7344
 
+As a special case, `LISTEN * <port>` (with an asterisk) will try to
+listen on "ANY" IP address for both IPv6 (`::0`) and IPv4 (`0.0.0.0`),
+subject to `upsd` command-line arguments, or system configuration or support.
+Note that if the system supports IPv4-mapped IPv6 addressing per RFC-3493,
+and does not allow to disable this mode, then there may be one listening
+socket to handle both address families.
+
 This parameter will only be read at startup.  You'll need to restart (rather
 than reload) `upsd` to apply any changes made here.
 

diff --git a/scripts/augeas/nutupsdconf.aug.in b/scripts/augeas/nutupsdconf.aug.in
@@ -55,8 +55,14 @@ let upsd_certfile = [ opt_spc . key "CERTFILE" . sep_spc . store path . eol ]
  * ALLOW_NO_DEVICE Boolean
  * STATEPATH path
  * LISTEN interface port
- *    Multiple LISTEN addresses may be specified. The default is to bind to 0.0.0.0 if no LISTEN addresses are specified.
- *    LISTEN 127.0.0.1 LISTEN 192.168.50.1 LISTEN ::1 LISTEN 2001:0db8:1234:08d3:1319:8a2e:0370:7344
+ *    Multiple lines each with one LISTEN address (or host name) and an optional
+ *    port may be specified. The default is to bind to IPv4 and IPv6 "localhost"
+ *    addresses (subject to CLI options `-4` or `-6` constraining IP version,
+ *    or system configuration or support), if no LISTEN addresses are specified.
+ *    LISTEN 127.0.0.1
+ *    LISTEN 192.168.50.1
+ *    LISTEN ::1
+ *    LISTEN 2001:0db8:1234:08d3:1319:8a2e:0370:7344
  *
  *************************************************************************)
 let upsd_other  =  upsd_maxage | upsd_trackingdelay | upsd_allow_no_device | upsd_statepath | upsd_listen_list | upsd_maxconn | upsd_certfile