network: assume DNSMASQ_CAPS_BIND_DYNAMIC

Introduced by dnsmasq commit:
commit 54dd393f3938fc0c19088fbd319b95e37d81a2b0
CommitDate: 2012-06-20 11:23:38 +0100

    Add --bind-dynamic

git describe: v2.63test1 contains: v2.63test1^0

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
Ján Tomko 2021-12-14 17:57:45 +01:00
parent ac0028f541
commit 0927510d7f


@ -1062,7 +1062,6 @@ networkDnsmasqConfContents(virNetworkObj *obj,
size_t i;
virNetworkDNSDef *dns = &def->dns;
bool wantDNS = dns->enable != VIR_TRISTATE_BOOL_NO;
virNetworkIPDef *tmpipdef;
virNetworkIPDef *ipdef;
virNetworkIPDef *ipv4def;
virNetworkIPDef *ipv6def;
@ -1173,62 +1172,17 @@ networkDnsmasqConfContents(virNetworkObj *obj,
virBufferAddLit(&configbuf, "except-interface=lo0\n");
#endif
if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
/* using --bind-dynamic with only --interface (no
* --listen-address) prevents dnsmasq from responding to dns
* queries that arrive on some interface other than our bridge
* interface (in other words, requests originating somewhere
* other than one of the virtual guests connected directly to
* this network). This was added in response to CVE 2012-3411.
*/
virBufferAsprintf(&configbuf,
"bind-dynamic\n"
"interface=%s\n",
def->bridge);
} else {
virBufferAddLit(&configbuf, "bind-interfaces\n");
/*
* --interface does not actually work with dnsmasq < 2.47,
* due to DAD for ipv6 addresses on the interface.
*
* virCommandAddArgList(cmd, "--interface", def->bridge, NULL);
*
* So listen on all defined IPv[46] addresses
*/
for (i = 0;
(tmpipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
i++) {
g_autofree char *ipaddr = virSocketAddrFormat(&tmpipdef->address);
if (!ipaddr)
return -1;
/* also part of CVE 2012-3411 - if the host's version of
* dnsmasq doesn't have bind-dynamic, only allow listening on
* private/local IP addresses (see RFC1918/RFC3484/RFC4193)
*/
if (!dnsmasqCapsGet(caps, DNSMASQ_CAPS_BINDTODEVICE) &&
!virSocketAddrIsPrivate(&tmpipdef->address)) {
unsigned long version = dnsmasqCapsGetVersion(caps);
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("Publicly routable address %s is prohibited. "
"The version of dnsmasq on this host (%d.%d) "
"doesn't support the bind-dynamic option or "
"use SO_BINDTODEVICE on listening sockets, "
"one of which is required for safe operation "
"on a publicly routable subnet "
"(see CVE-2012-3411). You must either "
"upgrade dnsmasq, or use a private/local "
"subnet range for this network "
"(as described in RFC1918/RFC3484/RFC4193)."),
ipaddr, (int)version / 1000000,
(int)(version % 1000000) / 1000);
return -1;
}
virBufferAsprintf(&configbuf, "listen-address=%s\n", ipaddr);
}
}
/* using --bind-dynamic with only --interface (no
* --listen-address) prevents dnsmasq from responding to dns
* queries that arrive on some interface other than our bridge
* interface (in other words, requests originating somewhere
* other than one of the virtual guests connected directly to
* this network). This was added in response to CVE 2012-3411.
*/
virBufferAsprintf(&configbuf,
"bind-dynamic\n"
"interface=%s\n",
def->bridge);
/* If this is an isolated network, set the default route option
* (3) to be empty to avoid setting a default route that's