Don't accept queries arriving on alias interface if configured not to do this.

src/dnsmasq.c

@@ -949,8 +949,6 @@ int main (int argc, char **argv)
 
   if (option_bool(OPT_NOWILD))
     warn_bound_listeners();
-  else if (!option_bool(OPT_CLEVERBIND))
-    warn_wild_labels();
 
   warn_int_names();
 

src/dnsmasq.h

@@ -1463,12 +1463,11 @@ int enumerate_interfaces(int reset);
 void create_wildcard_listeners(void);
 void create_bound_listeners(int dienow);
 void warn_bound_listeners(void);
-void warn_wild_labels(void);
 void warn_int_names(void);
 int is_dad_listeners(void);
 int iface_check(int family, union all_addr *addr, char *name, int *auth);
 int loopback_exception(int fd, int family, union all_addr *addr, char *name);
-int label_exception(int index, int family, union all_addr *addr);
+int label_match(int index, int family, union all_addr *addr);
 int fix_fd(int fd);
 int tcp_interface(int fd, int af);
 int set_ipv6pktinfo(int fd);

src/forward.c

@@ -1497,12 +1497,18 @@ void receive_query(struct listener *listen, time_t now)
       if (!indextoname(listen->fd, if_index, ifr.ifr_name))
 	return;
 
-      if (!iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns))
+      if (!option_bool(OPT_CLEVERBIND))
+	enumerate_interfaces(0);
+      /* interface=eth0   and query over eth0   -> ifchk = 1, label = 1 - ACCEPTED */
+      /* interface=eth0   and query over eth0:0 -> ifchk = 1, label = 0 - REJECTED */
+      /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 1 - ACCEPTED */
+      /* interface=eth0:0 and query over eth0:0 -> ifchk = 0, label = 0 - REJECTED */
+      /* If the interace is not IPv4, label_match return 2 and we use iface_check */
+      const int label = label_match(if_index, family, &dst_addr);
+      const int ifchk = iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns);
+      if (label == 0 || (label == 2 && !ifchk))
 	{
-	   if (!option_bool(OPT_CLEVERBIND))
-	     enumerate_interfaces(0); 
-	   if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name) &&
-	       !label_exception(if_index, family, &dst_addr))
+	   if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name))
 	     return;
 	}
 

src/network.c

@@ -207,13 +207,13 @@ int loopback_exception(int fd, int family, union all_addr *addr, char *name)
    on the relevant address, but the name of the arrival interface, derived from the
    index won't match the config. Check that we found an interface address for the arrival 
    interface: daemon->interfaces must be up-to-date. */
-int label_exception(int index, int family, union all_addr *addr)
+int label_match(int index, int family, union all_addr *addr)
 {
   struct irec *iface;
 
   /* labels only supported on IPv4 addresses. */
   if (family != AF_INET)
-    return 0;
+    return 2;
 
   for (iface = daemon->interfaces; iface; iface = iface->next)
     if (iface->index == index && iface->addr.sa.sa_family == AF_INET &&
@@ -506,7 +506,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
     }
   else
     for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-      if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+      if (tmp->name && wildcard_match(tmp->name, label))
 	{
 	  tftp_ok = 0;
 	  dhcp_ok = 0;
@@ -520,7 +520,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
       /* dedicated tftp interface list */
       tftp_ok = 0;
       for (tmp = daemon->tftp_interfaces; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && wildcard_match(tmp->name, label))
 	  tftp_ok = 1;
     }
 #endif
@@ -1215,15 +1215,6 @@ void warn_bound_listeners(void)
     my_syslog(LOG_WARNING, _("LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)")); 
 }
 
-void warn_wild_labels(void)
-{
-  struct irec *iface;
-
-  for (iface = daemon->interfaces; iface; iface = iface->next)
-    if (iface->found && iface->name && iface->label)
-      my_syslog(LOG_WARNING, _("warning: using interface %s instead"), iface->name);
-}
-
 void warn_int_names(void)
 {
   struct interface_name *intname;

src/tftp.c

@@ -211,13 +211,14 @@ void tftp_request(struct listener *listen, time_t now)
 	}
       else
 	{
+	  if (!option_bool(OPT_CLEVERBIND))
+	    enumerate_interfaces(0);
 	  /* Do the same as DHCP */
-	  if (!iface_check(family, &addra, name, NULL))
+	  const int label = label_match(if_index, family, &addra);
+	  const int ifchk = iface_check(family, &addra, name, NULL);
+	  if (!label || (label == 2 && ifchk))
 	    {
-	      if (!option_bool(OPT_CLEVERBIND))
-		enumerate_interfaces(0); 
-	      if (!loopback_exception(listen->tftpfd, family, &addra, name) &&
-		  !label_exception(if_index, family, &addra))
+	      if (!loopback_exception(listen->tftpfd, family, &addra, name))
 		return;
 	    }