Introduced by dnsmasq commit: commit 54dd393f3938fc0c19088fbd319b95e37d81a2b0 CommitDate: 2012-06-20 11:23:38 +0100 Add --bind-dynamic git describe: v2.63test1 contains: v2.63test1^0 Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
---
 src/network/bridge_driver.c | 68 ++++++-------------------------------
 1 file changed, 11 insertions(+), 57 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e57731742b..dffe4e1574 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1062,7 +1062,6 @@ networkDnsmasqConfContents(virNetworkObj *obj,
     size_t i;
     virNetworkDNSDef *dns = &def->dns;
     bool wantDNS = dns->enable != VIR_TRISTATE_BOOL_NO;
-    virNetworkIPDef *tmpipdef;
     virNetworkIPDef *ipdef;
     virNetworkIPDef *ipv4def;
     virNetworkIPDef *ipv6def;
@@ -1173,62 +1172,17 @@ networkDnsmasqConfContents(virNetworkObj *obj,
     virBufferAddLit(&configbuf, "except-interface=lo0\n");
 #endif
 
-    if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
-        /* using --bind-dynamic with only --interface (no
-         * --listen-address) prevents dnsmasq from responding to dns
-         * queries that arrive on some interface other than our bridge
-         * interface (in other words, requests originating somewhere
-         * other than one of the virtual guests connected directly to
-         * this network). This was added in response to CVE 2012-3411.
-         */
-        virBufferAsprintf(&configbuf,
-                          "bind-dynamic\n"
-                          "interface=%s\n",
-                          def->bridge);
-    } else {
-        virBufferAddLit(&configbuf, "bind-interfaces\n");
-        /*
-         * --interface does not actually work with dnsmasq < 2.47,
-         * due to DAD for ipv6 addresses on the interface.
-         *
-         * virCommandAddArgList(cmd, "--interface", def->bridge, NULL);
-         *
-         * So listen on all defined IPv[46] addresses
-         */
-        for (i = 0;
-             (tmpipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
-             i++) {
-            g_autofree char *ipaddr = virSocketAddrFormat(&tmpipdef->address);
-
-            if (!ipaddr)
-                return -1;
-
-            /* also part of CVE 2012-3411 - if the host's version of
-             * dnsmasq doesn't have bind-dynamic, only allow listening on
-             * private/local IP addresses (see RFC1918/RFC3484/RFC4193)
-             */
-            if (!dnsmasqCapsGet(caps, DNSMASQ_CAPS_BINDTODEVICE) &&
-                !virSocketAddrIsPrivate(&tmpipdef->address)) {
-                unsigned long version = dnsmasqCapsGetVersion(caps);
-
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                               _("Publicly routable address %s is prohibited. "
-                                 "The version of dnsmasq on this host (%d.%d) "
-                                 "doesn't support the bind-dynamic option or "
-                                 "use SO_BINDTODEVICE on listening sockets, "
-                                 "one of which is required for safe operation "
-                                 "on a publicly routable subnet "
-                                 "(see CVE-2012-3411). You must either "
-                                 "upgrade dnsmasq, or use a private/local "
-                                 "subnet range for this network "
-                                 "(as described in RFC1918/RFC3484/RFC4193)."),
-                               ipaddr, (int)version / 1000000,
-                               (int)(version % 1000000) / 1000);
-                return -1;
-            }
-            virBufferAsprintf(&configbuf, "listen-address=%s\n", ipaddr);
-        }
-    }
+    /* using --bind-dynamic with only --interface (no
+     * --listen-address) prevents dnsmasq from responding to dns
+     * queries that arrive on some interface other than our bridge
+     * interface (in other words, requests originating somewhere
+     * other than one of the virtual guests connected directly to
+     * this network). This was added in response to CVE 2012-3411.
+     */
+    virBufferAsprintf(&configbuf,
+                      "bind-dynamic\n"
+                      "interface=%s\n",
+                      def->bridge);
 
     /* If this is an isolated network, set the default route option
      * (3) to be empty to avoid setting a default route that's
-- 
2.31.1
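Review bot: The new code emits `bind-dynamic` unconditionally, but nothing in the retained comment records that the dnsmasq version requirement has moved: the removed branch consulted `DNSMASQ_CAPS_BIND_DYNAMIC` and, when it was absent, refused publicly routable subnets with an explicit error, whereas now a host whose dnsmasq predates 2.63 (the version the commit message cites for `--bind-dynamic`) presumably gets an opaque dnsmasq startup failure on the unknown option instead. That is a fail-closed outcome, which is the right side to err on for CVE-2012-3411, but it should be stated where the next reader will look, e.g. append to the kept comment ` * dnsmasq >= 2.63 is assumed (bind-dynamic is emitted unconditionally); an older dnsmasq should reject the option at startup rather than fall back to listening on every address.` If the minimum-version check was not moved into the capabilities probe, it would be worth reporting it once there with a message as explicit as the removed one, so the user is told to upgrade rather than left with a failed network start. networkDnsmasqConfContents begins and ends outside this hunk.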