From 013427e6e733f7a662f4e8a9c11f7dad4cd65e3f Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Sun, 13 Mar 2011 04:42:58 -0400
Subject: [PATCH] network driver: don't send default route to clients on isolated networks

Normally dnsmasq will send a default route (the address of the host in the network definition) to any client requesting an address via DHCP. On an isolated network this makes no sense, as we have iptables to prevent any traffic going out via that interface, so anything sent that way would be dropped anyway.

This extra/unusable default route becomes problematic if you have set up a guest with multiple network interfaces, with one connected to an isolated network and another that provides connectivity to the outside (example - one interface directly connecting to a physical interface via macvtap, with a second connected to an isolated network so that the host and guest can communicate (macvtap doesn't support guest<->host communication without an external switch that supports vepa, or reflecting all traffic back)). In this case, if the guest chooses the default route of the isolated network, the guest will not be able to get network traffic beyond the host.

To prevent dnsmasq from sending a default route, you can tell it to send 0 bytes of data for the default route option (option number 3) with --dhcp-option=3 (normally the data to send for the option would follow the option number; no extra data means "don't send this option").

I have checked on RHEL5 (a good representative of the oldest supported libvirt platforms) and its version of dnsmasq (2.45) does support --dhcp-option, so this shouldn't create any compatibility problems.
---
 src/network/bridge_driver.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index ca2ae8d366..6a02df11ae 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -490,6 +490,13 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, "--except-interface", "lo", NULL); + /* If this is an isolated network, set the default route option + * (3) to be empty to avoid setting a default route that's + * guaranteed to not work. + */ + if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) + virCommandAddArg(cmd, "--dhcp-option=3"); + /* * --interface does not actually work with dnsmasq < 2.47, * due to DAD for ipv6 addresses on the interface. -- GitLab
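Review bot: the new comment above `virCommandAddArg(cmd, "--dhcp-option=3")` should say why the bare numeric form is used and what it does, since a reader who does not know dnsmasq will not guess that an option number with no data means "suppress this option"; something like `/* --dhcp-option=3 with no data tells dnsmasq not to send option 3 (router) at all; the numeric form is kept for compatibility with dnsmasq 2.45 on RHEL5 */` captures the reasoning that currently lives only in the commit message. The comment's "guaranteed to not work" would also be more useful as "the iptables rules for an isolated network drop forwarded traffic", which is the actual reason the route is unusable. Finally, this is a user-visible behaviour change for every existing isolated network (guests that previously received a router option will stop getting one on renewal), so the network XML documentation for forward mode should mention that isolated networks no longer advertise a default route.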