mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-11 07:17:44 +00:00
bridge_driver: handle DNS over IPv6
* dnsmasq listens on all defined IPv[46] addresses for network * Add ip6tables rules to allow DNS traffic to host
This commit is contained in:
Paweł Krześniak
Laine Stump
parent
bd6c46fa0c
commit
47969c055e
@ -432,6 +432,8 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
|
|||||||
int r, ret = -1;
|
int r, ret = -1;
|
||||||
int nbleases = 0;
|
int nbleases = 0;
|
||||||
char *bridgeaddr;
|
char *bridgeaddr;
|
||||||
|
int ii;
|
||||||
|
virNetworkIpDefPtr tmpipdef;
|
||||||
|
|
||||||
if (!(bridgeaddr = virSocketFormatAddr(&ipdef->address)))
|
if (!(bridgeaddr = virSocketFormatAddr(&ipdef->address)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@ -468,20 +470,28 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
|
|||||||
/* *no* conf file */
|
/* *no* conf file */
|
||||||
virCommandAddArgList(cmd, "--conf-file=", "", NULL);
|
virCommandAddArgList(cmd, "--conf-file=", "", NULL);
|
||||||
|
|
||||||
/*
|
|
||||||
* XXX does not actually work, due to some kind of
|
|
||||||
* race condition setting up ipv6 addresses on the
|
|
||||||
* interface. A sleep(10) makes it work, but that's
|
|
||||||
* clearly not practical
|
|
||||||
*
|
|
||||||
* virCommandAddArg(cmd, "--interface");
|
|
||||||
* virCommandAddArg(cmd, ipdef->bridge);
|
|
||||||
*/
|
|
||||||
virCommandAddArgList(cmd,
|
virCommandAddArgList(cmd,
|
||||||
"--listen-address", bridgeaddr,
|
|
||||||
"--except-interface", "lo",
|
"--except-interface", "lo",
|
||||||
NULL);
|
NULL);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* --interface does not actually work with dnsmasq < 2.47,
|
||||||
|
* due to DAD for ipv6 addresses on the interface.
|
||||||
|
*
|
||||||
|
* virCommandAddArgList(cmd, "--interface", ipdef->bridge, NULL);
|
||||||
|
*
|
||||||
|
* So listen on all defined IPv[46] addresses
|
||||||
|
*/
|
||||||
|
for (ii = 0;
|
||||||
|
(tmpipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
|
||||||
|
ii++) {
|
||||||
|
char *ipaddr = virSocketFormatAddr(&tmpipdef->address);
|
||||||
|
if (!ipaddr)
|
||||||
|
goto cleanup;
|
||||||
|
virCommandAddArgList(cmd, "--listen-address", ipaddr, NULL);
|
||||||
|
VIR_FREE(ipaddr);
|
||||||
|
}
|
||||||
|
|
||||||
for (r = 0 ; r < ipdef->nranges ; r++) {
|
for (r = 0 ; r < ipdef->nranges ; r++) {
|
||||||
char *saddr = virSocketFormatAddr(&ipdef->ranges[r].start);
|
char *saddr = virSocketFormatAddr(&ipdef->ranges[r].start);
|
||||||
if (!saddr)
|
if (!saddr)
|
||||||
@ -1027,9 +1037,30 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
|
|||||||
goto err3;
|
goto err3;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* allow DNS over IPv6 */
|
||||||
|
if (iptablesAddTcpInput(driver->iptables, AF_INET6,
|
||||||
|
network->def->bridge, 53) < 0) {
|
||||||
|
networkReportError(VIR_ERR_SYSTEM_ERROR,
|
||||||
|
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
|
||||||
|
network->def->bridge);
|
||||||
|
goto err4;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (iptablesAddUdpInput(driver->iptables, AF_INET6,
|
||||||
|
network->def->bridge, 53) < 0) {
|
||||||
|
networkReportError(VIR_ERR_SYSTEM_ERROR,
|
||||||
|
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
|
||||||
|
network->def->bridge);
|
||||||
|
goto err5;
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* unwind in reverse order from the point of failure */
|
/* unwind in reverse order from the point of failure */
|
||||||
|
err5:
|
||||||
|
iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
|
||||||
|
err4:
|
||||||
|
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
|
||||||
err3:
|
err3:
|
||||||
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
|
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
|
||||||
err2:
|
err2:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user