network: assume DNSMASQ_CAPS_BIND_DYNAMIC
Introduced by dnsmasq commit: commit 54dd393f3938fc0c19088fbd319b95e37d81a2b0 CommitDate: 2012-06-20 11:23:38 +0100 Add --bind-dynamic git describe: v2.63test1 contains: v2.63test1^0 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Laine Stump <laine@redhat.com>
This commit is contained in:
parent
ac0028f541
commit
0927510d7f
@ -1062,7 +1062,6 @@ networkDnsmasqConfContents(virNetworkObj *obj,
|
||||
size_t i;
|
||||
virNetworkDNSDef *dns = &def->dns;
|
||||
bool wantDNS = dns->enable != VIR_TRISTATE_BOOL_NO;
|
||||
virNetworkIPDef *tmpipdef;
|
||||
virNetworkIPDef *ipdef;
|
||||
virNetworkIPDef *ipv4def;
|
||||
virNetworkIPDef *ipv6def;
|
||||
@ -1173,62 +1172,17 @@ networkDnsmasqConfContents(virNetworkObj *obj,
|
||||
virBufferAddLit(&configbuf, "except-interface=lo0\n");
|
||||
#endif
|
||||
|
||||
if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
|
||||
/* using --bind-dynamic with only --interface (no
|
||||
* --listen-address) prevents dnsmasq from responding to dns
|
||||
* queries that arrive on some interface other than our bridge
|
||||
* interface (in other words, requests originating somewhere
|
||||
* other than one of the virtual guests connected directly to
|
||||
* this network). This was added in response to CVE 2012-3411.
|
||||
*/
|
||||
virBufferAsprintf(&configbuf,
|
||||
"bind-dynamic\n"
|
||||
"interface=%s\n",
|
||||
def->bridge);
|
||||
} else {
|
||||
virBufferAddLit(&configbuf, "bind-interfaces\n");
|
||||
/*
|
||||
* --interface does not actually work with dnsmasq < 2.47,
|
||||
* due to DAD for ipv6 addresses on the interface.
|
||||
*
|
||||
* virCommandAddArgList(cmd, "--interface", def->bridge, NULL);
|
||||
*
|
||||
* So listen on all defined IPv[46] addresses
|
||||
*/
|
||||
for (i = 0;
|
||||
(tmpipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
|
||||
i++) {
|
||||
g_autofree char *ipaddr = virSocketAddrFormat(&tmpipdef->address);
|
||||
|
||||
if (!ipaddr)
|
||||
return -1;
|
||||
|
||||
/* also part of CVE 2012-3411 - if the host's version of
|
||||
* dnsmasq doesn't have bind-dynamic, only allow listening on
|
||||
* private/local IP addresses (see RFC1918/RFC3484/RFC4193)
|
||||
*/
|
||||
if (!dnsmasqCapsGet(caps, DNSMASQ_CAPS_BINDTODEVICE) &&
|
||||
!virSocketAddrIsPrivate(&tmpipdef->address)) {
|
||||
unsigned long version = dnsmasqCapsGetVersion(caps);
|
||||
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||
_("Publicly routable address %s is prohibited. "
|
||||
"The version of dnsmasq on this host (%d.%d) "
|
||||
"doesn't support the bind-dynamic option or "
|
||||
"use SO_BINDTODEVICE on listening sockets, "
|
||||
"one of which is required for safe operation "
|
||||
"on a publicly routable subnet "
|
||||
"(see CVE-2012-3411). You must either "
|
||||
"upgrade dnsmasq, or use a private/local "
|
||||
"subnet range for this network "
|
||||
"(as described in RFC1918/RFC3484/RFC4193)."),
|
||||
ipaddr, (int)version / 1000000,
|
||||
(int)(version % 1000000) / 1000);
|
||||
return -1;
|
||||
}
|
||||
virBufferAsprintf(&configbuf, "listen-address=%s\n", ipaddr);
|
||||
}
|
||||
}
|
||||
/* using --bind-dynamic with only --interface (no
|
||||
* --listen-address) prevents dnsmasq from responding to dns
|
||||
* queries that arrive on some interface other than our bridge
|
||||
* interface (in other words, requests originating somewhere
|
||||
* other than one of the virtual guests connected directly to
|
||||
* this network). This was added in response to CVE 2012-3411.
|
||||
*/
|
||||
virBufferAsprintf(&configbuf,
|
||||
"bind-dynamic\n"
|
||||
"interface=%s\n",
|
||||
def->bridge);
|
||||
|
||||
/* If this is an isolated network, set the default route option
|
||||
* (3) to be empty to avoid setting a default route that's
|
||||
|
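Review bot: The unconditional `bind-dynamic` / `interface=%s` emission at the end of the second hunk silently drops the only runtime guard in this function that refused publicly routable subnets when the host's dnsmasq lacked bind-dynamic or SO_BINDTODEVICE (the removed `virSocketAddrIsPrivate` branch), and nothing in the hunk records the version assumption that replaces it. A short why-comment above the `virBufferAsprintf` call would keep that reasoning visible to the next reader, e.g. `/* --bind-dynamic (dnsmasq >= 2.63) is assumed to be present; the pre-2.63 fallback to listen-address with a private-subnet check was removed. */`, so that the CVE-2012-3411 history in the surviving comment still reads as complete. Presumably a minimum dnsmasq version is enforced elsewhere (capability probing or build configuration); if it is not, an older dnsmasq would reject the unknown option and fail to start, which at least fails closed rather than listening on public addresses — worth confirming. The `DNSMASQ_CAPS_BIND_DYNAMIC` and `DNSMASQ_CAPS_BINDTODEVICE` capability checks removed here may leave those enum values and their probing code unreferenced; that cannot be seen from this section. networkDnsmasqConfContents continues outside the hunk, so whether `size_t i` still has other users is not visible here.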