On 07/29/2011 04:43 PM, Eric Blake wrote:
On 07/29/2011 02:35 PM, Laine Stump wrote:
This is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=723862
which points out that a guest on an "isolated" network could
potentially exploit the DNS forwarding provided by dnsmasq to create a
communication channel to the outside.
This patch eliminates that possibility by adding the "--no-resolv"
argument to the dnsmasq commandline, which tells dnsmasq to not
forward on any requests that it can't resolv itself (by looking at its
s/resolv/resolve/
own static hosts files and runtime lsit of dhcp clients), but to
s/lsit/list/
instead return a failure for those requests.
This shouldn't cause any undesirable change from current
behavior, even in the case where a guest is currently configured with
multiple interfaces, one of them being connected to an isolated
network, and another to a network that does have connectivity to the
outside. If the isolated network's DNS server is queried for a name
it doesn't know, it will return "Refused" rather than "Unknown", which
indicates to the guest that it should query other servers, so it then
queries the connected DNS server, and gets the desired response.
---
src/network/bridge_driver.c | 11 ++++++++---
tests/networkxml2argvdata/isolated-network.argv | 3 ++-
2 files changed, 10 insertions(+), 4 deletions(-)
A bug fix rather than a feature, and safe enough for inclusion in 0.9.4.
- if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
- virCommandAddArg(cmd, "--dhcp-option=3");
+ if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
+ virCommandAddArgList(cmd, "--dhcp-option=3",
+ "--no-resolv", NULL);
+ }
ACK.
Thanks, pushed with the indicated typos fixed.
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list