On Sun, Mar 13, 2011 at 11:08:20AM -0400, Laine Stump wrote:
> Normally dnsmasq will send a default route (the address of the host in
> the network definition) to any client requesting an address via
> DHCP. On an isolated network this makes no sense, as we have iptables
> to prevent any traffic going out via that interface, so anything sent
> that way would be dropped anyway.
>
> This extra/unusable default route becomes problematic if you have
> setup a guest with multiple network interfaces, with one connected to
> an isolated network and another that provides connectivity to the
> outside (example - one interface directly connecting to a physical
> interface via macvtap, with a second connected to an isolated network
> so that the host and guest can communicate (macvtap doesn't support
> guest<->host communication without an external switch that supports
> vepa, or reflecting all traffic back)). In this case, if the guest
> chooses the default route of the isolated network, the guest will not
> be able to get network traffic beyond the host.
>
> To prevent dnsmasq from sending a default route, you can tell it to
> send 0 bytes of data for the default route option (option number 3)
> with --dhcp-option=3 (normally the data to send for the option would
> follow the option number; no extra data means "don't send this option").
>
> I have checked on RHEL5 (a good representative of the oldest supported
> libvirt platforms) and its version of dnsmasq (2.45) does support
> --dhcp-option, so this shouldn't create any compatibility problems.
> --- > src/network/bridge_driver.c | 7 +++++++ > 1 files changed, 7 insertions(+), 0 deletions(-) > > diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c > index ca2ae8d..6a02df1 100644 > --- a/src/network/bridge_driver.c > +++ b/src/network/bridge_driver.c
> @@ -490,6 +490,13 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, > "--except-interface", "lo", > NULL); > > + /* If this is an isolated network, set the default route option > + * (3) to be empty to avoid setting a default route that's > + * guaranteed to not work. > + */ > + if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) > + virCommandAddArg(cmd, "--dhcp-option=3"); > + > /* > * --interface does not actually work with dnsmasq < 2.47, > * due to DAD for ipv6 addresses on the interface. > --

ACK

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
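
Review bot: The new `if` in networkBuildDnsmasqArgv() tests only `network->def->forwardType == VIR_NETWORK_FORWARD_NONE`, and it sits directly after the `--except-interface lo` arguments, so `--dhcp-option=3` is appended for every isolated network, with nothing in the visible context tying it to the network actually having DHCP configured. Consider adding it where the DHCP-specific arguments are built, or gating it on the same condition, so the option appears only when dnsmasq will be answering DHCP requests. The diffstat touches only src/network/bridge_driver.c, yet guests on isolated networks will stop receiving a router option after this change; a sentence in the network documentation would help users who relied on the old lease contents. The code comment could also carry the multi-homed guest case from the commit message, since that is the reason the dead route matters.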