Re: [PATCH] network: Let domains be restricted to local DNS

John Ferlan <jferlan@xxxxxxxxxx> · Mon, 01 Dec 2014 06:40:00 -0500

On 11/20/2014 09:46 PM, Josh Stone wrote:
> This adds a new "localOnly" attribute on the domain element of the
> network xml.  With this set to "yes", DNS requests under that domain
> will only be resolved by libvirt's dnsmasq, never forwarded upstream.
> 
> This was how it worked before commit f69a6b987d616, and I found that
> functionality useful.  For example, I have my host's NetworkManager
> dnsmasq configured to forward that domain to libvirt's dnsmasq, so I can
> easily resolve guest names from outside.  But if libvirt's dnsmasq
> doesn't know a name and forwards it to the host, I'd get an endless
> forwarding loop.  Now I can set localOnly="yes" to prevent the loop.
> 
> Signed-off-by: Josh Stone <jistone@xxxxxxxxxx>
> Cc: Laine Stump <laine@xxxxxxxxx>

Depending on how you proceed with Martin's comments...

> ---
>  docs/formatnetwork.html.in                                 | 12 +++++++++++-
>  docs/schemas/network.rng                                   |  3 +++
>  src/conf/network_conf.c                                    |  5 +++++
>  src/conf/network_conf.h                                    |  1 +
>  src/network/bridge_driver.c                                |  5 +++++
>  .../networkxml2confdata/nat-network-dns-local-domain.conf  | 14 ++++++++++++++
>  tests/networkxml2confdata/nat-network-dns-local-domain.xml |  9 +++++++++
>  tests/networkxml2conftest.c                                |  1 +
>  8 files changed, 49 insertions(+), 1 deletion(-)
>  create mode 100644 tests/networkxml2confdata/nat-network-dns-local-domain.conf
>  create mode 100644 tests/networkxml2confdata/nat-network-dns-local-domain.xml
> 
> diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> index dc438aee8622..defcdba00930 100644
> --- a/docs/formatnetwork.html.in
> +++ b/docs/formatnetwork.html.in
> @@ -82,7 +82,7 @@
>      <pre>
>          ...
>          &lt;bridge name="virbr0" stp="on" delay="5"/&gt;
> -        &lt;domain name="example.com"/&gt;
> +        &lt;domain name="example.com" localOnly="no"/&gt;
>          &lt;forward mode="nat" dev="eth0"/&gt;
>          ...</pre>
>  
> @@ -113,6 +113,16 @@
>          a <code>&lt;forward&gt;</code> mode of "nat" or "route" (or an
>          isolated network with no <code>&lt;forward&gt;</code>
>          element). <span class="since">Since 0.4.5</span>
> +
> +        <p>
> +          If the optional <code>localOnly</code> attribute on the
> +          <code>domain</code> element is "yes", then DNS requests under
> +          this domain will only be resolved by the virtual network's own
> +          DNS server - they will not be forwarded to the host's upstream
> +          DNS server.  If <code>localOnly</code> is "no", and by
> +          default, unresolved requests <b>will</b> be forwarded.
> +          <span class="since">Since 1.2.11</span>
> +        </p>
>        </dd>
>        <dt><code>forward</code></dt>
>        <dd>Inclusion of the <code>forward</code> element indicates that
> diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
> index 4546f8037580..a1da28092375 100644
> --- a/docs/schemas/network.rng
> +++ b/docs/schemas/network.rng
> @@ -225,6 +225,9 @@
>          <optional>
>            <element name="domain">
>              <attribute name="name"><ref name="dnsName"/></attribute>
> +            <optional>
> +              <attribute name="localOnly"><ref name="virYesNo"/></attribute>
> +            </optional>
>            </element>
>          </optional>
>  
> diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
> index 067334e87cb0..61451c39805f 100644
> --- a/src/conf/network_conf.c
> +++ b/src/conf/network_conf.c
> @@ -2083,6 +2083,11 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
>  
>      /* Parse network domain information */
>      def->domain = virXPathString("string(./domain[1]/@name)", ctxt);
> +    tmp = virXPathString("string(./domain[1]/@localOnly)", ctxt);
> +    if (tmp) {
> +        def->domain_local = STRCASEEQ(tmp, "yes");
> +        VIR_FREE(tmp);
> +    }

This should use virTristateBoolTypeFromString like other yes/no processing.

Also how do you save in the XML what you've read in (hint: Format*
function)?  Perhaps look at 'forwardPlainNames' for an example of
Tristate and find all the places it touches.  Something is a Tristate
when it's optional, can be yes or no, and has a default...

>  
>      if ((bandwidthNode = virXPathNode("./bandwidth", ctxt)) != NULL &&
>          (def->bandwidth = virNetDevBandwidthParse(bandwidthNode, -1)) == NULL)
> diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
> index 660cd2d10cd1..6308a7dcfbf7 100644
> --- a/src/conf/network_conf.h
> +++ b/src/conf/network_conf.h
> @@ -232,6 +232,7 @@ struct _virNetworkDef {
>  
>      char *bridge;       /* Name of bridge device */
>      char *domain;
> +    bool domain_local; /* Choose not to forward dns for this domain */

This would then be:

    int domain_local; /* enum virTristateBool */

>      unsigned long delay;   /* Bridge forward delay (ms) */
>      bool stp; /* Spanning tree protocol */
>      virMacAddr mac; /* mac address of bridge device */
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 6cb421c52850..dfa375d3aa72 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -912,6 +912,11 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
>      }
>  
>      if (network->def->domain) {
> +        if (network->def->domain_local) {

This would then check using == VIR_TRISTATE_BOOL_YES

> +            virBufferAsprintf(&configbuf,
> +                              "local=/%s/\n",
> +                              network->def->domain);
> +        }
>          virBufferAsprintf(&configbuf,
>                            "domain=%s\n"
>                            "expand-hosts\n",
> diff --git a/tests/networkxml2confdata/nat-network-dns-local-domain.conf b/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> new file mode 100644
> index 000000000000..5f41b9186cbc
> --- /dev/null
> +++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> @@ -0,0 +1,14 @@
> +##WARNING:  THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
> +##OVERWRITTEN AND LOST.  Changes to this configuration should be made using:
> +##    virsh net-edit default
> +## or other application using the libvirt API.
> +##
> +## dnsmasq conf file created by libvirt
> +strict-order
> +local=/example.com/
> +domain=example.com
> +expand-hosts
> +except-interface=lo
> +bind-dynamic
> +interface=virbr0
> +addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
> diff --git a/tests/networkxml2confdata/nat-network-dns-local-domain.xml b/tests/networkxml2confdata/nat-network-dns-local-domain.xml
> new file mode 100644
> index 000000000000..a92d71f1f2f6
> --- /dev/null
> +++ b/tests/networkxml2confdata/nat-network-dns-local-domain.xml
> @@ -0,0 +1,9 @@
> +<network>
> +  <name>default</name>
> +  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9c</uuid>
> +  <forward dev='eth0' mode='nat'/>
> +  <bridge name='virbr0' stp='on' delay='0' />
> +  <domain name='example.com' localOnly='yes'/>
> +  <ip address='192.168.122.1' netmask='255.255.255.0'>
> +  </ip>
> +</network>
> diff --git a/tests/networkxml2conftest.c b/tests/networkxml2conftest.c
> index 4f1d9345ffe4..d2aa8c62cfcd 100644
> --- a/tests/networkxml2conftest.c
> +++ b/tests/networkxml2conftest.c
> @@ -146,6 +146,7 @@ mymain(void)
>      DO_TEST("nat-network-dns-hosts", full);
>      DO_TEST("nat-network-dns-forward-plain", full);
>      DO_TEST("nat-network-dns-forwarders", full);
> +    DO_TEST("nat-network-dns-local-domain", full);
>      DO_TEST("dhcp6-network", dhcpv6);
>      DO_TEST("dhcp6-nat-network", dhcpv6);
>      DO_TEST("dhcp6host-routed-network", dhcpv6);
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list