[libvirt PATCH 07/17] network: assume DNSMASQ_CAPS_BIND_DYNAMIC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Introduced by dnsmasq commit:
commit 54dd393f3938fc0c19088fbd319b95e37d81a2b0
CommitDate: 2012-06-20 11:23:38 +0100

    Add --bind-dynamic

git describe: v2.63test1 contains: v2.63test1^0

Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
---
 src/network/bridge_driver.c | 68 ++++++-------------------------------
 1 file changed, 11 insertions(+), 57 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index e57731742b..dffe4e1574 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1062,7 +1062,6 @@ networkDnsmasqConfContents(virNetworkObj *obj,
     size_t i;
     virNetworkDNSDef *dns = &def->dns;
     bool wantDNS = dns->enable != VIR_TRISTATE_BOOL_NO;
-    virNetworkIPDef *tmpipdef;
     virNetworkIPDef *ipdef;
     virNetworkIPDef *ipv4def;
     virNetworkIPDef *ipv6def;
@@ -1173,62 +1172,17 @@ networkDnsmasqConfContents(virNetworkObj *obj,
     virBufferAddLit(&configbuf, "except-interface=lo0\n");
 #endif
 
-    if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
-        /* using --bind-dynamic with only --interface (no
-         * --listen-address) prevents dnsmasq from responding to dns
-         * queries that arrive on some interface other than our bridge
-         * interface (in other words, requests originating somewhere
-         * other than one of the virtual guests connected directly to
-         * this network). This was added in response to CVE 2012-3411.
-         */
-        virBufferAsprintf(&configbuf,
-                          "bind-dynamic\n"
-                          "interface=%s\n",
-                          def->bridge);
-    } else {
-        virBufferAddLit(&configbuf, "bind-interfaces\n");
-        /*
-         * --interface does not actually work with dnsmasq < 2.47,
-         * due to DAD for ipv6 addresses on the interface.
-         *
-         * virCommandAddArgList(cmd, "--interface", def->bridge, NULL);
-         *
-         * So listen on all defined IPv[46] addresses
-         */
-        for (i = 0;
-             (tmpipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
-             i++) {
-            g_autofree char *ipaddr = virSocketAddrFormat(&tmpipdef->address);
-
-            if (!ipaddr)
-                return -1;
-
-            /* also part of CVE 2012-3411 - if the host's version of
-             * dnsmasq doesn't have bind-dynamic, only allow listening on
-             * private/local IP addresses (see RFC1918/RFC3484/RFC4193)
-             */
-            if (!dnsmasqCapsGet(caps, DNSMASQ_CAPS_BINDTODEVICE) &&
-                !virSocketAddrIsPrivate(&tmpipdef->address)) {
-                unsigned long version = dnsmasqCapsGetVersion(caps);
-
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                               _("Publicly routable address %s is prohibited. "
-                                 "The version of dnsmasq on this host (%d.%d) "
-                                 "doesn't support the bind-dynamic option or "
-                                 "use SO_BINDTODEVICE on listening sockets, "
-                                 "one of which is required for safe operation "
-                                 "on a publicly routable subnet "
-                                 "(see CVE-2012-3411). You must either "
-                                 "upgrade dnsmasq, or use a private/local "
-                                 "subnet range for this network "
-                                 "(as described in RFC1918/RFC3484/RFC4193)."),
-                               ipaddr, (int)version / 1000000,
-                               (int)(version % 1000000) / 1000);
-                return -1;
-            }
-            virBufferAsprintf(&configbuf, "listen-address=%s\n", ipaddr);
-        }
-    }
+    /* using --bind-dynamic with only --interface (no
+     * --listen-address) prevents dnsmasq from responding to dns
+     * queries that arrive on some interface other than our bridge
+     * interface (in other words, requests originating somewhere
+     * other than one of the virtual guests connected directly to
+     * this network). This was added in response to CVE 2012-3411.
+     */
+    virBufferAsprintf(&configbuf,
+                      "bind-dynamic\n"
+                      "interface=%s\n",
+                      def->bridge);
 
     /* If this is an isolated network, set the default route option
      * (3) to be empty to avoid setting a default route that's
-- 
2.31.1




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux