1. 04 2月, 2014 2 次提交
    • L
      network: change default of forwardPlainNames to 'yes' · 66f75925
      Laine Stump 提交于
      The previous patch fixed "forwardPlainNames" so that it really is
      doing only what is intended, but left the default to be
      "forwardPlainNames='no'". Discussion around the initial version of
      that patch led to the decision that the default should instead be
      "forwardPlainNames='yes'" (i.e. the original behavior before commit
      f3886825). This patch makes that change to the default.
      66f75925
    • L
      network: only prevent forwarding of DNS requests for unqualified names · f69a6b98
      Laine Stump 提交于
      In commit f3868259 we began adding the options
      
        --domain-needed
        --local=/$mydomain/
      
      to all dnsmasq commandlines with the stated reason of preventing
      forwarding of DNS queries for names that weren't fully qualified
      domain names ("FQDN", i.e. a name that included some "."s and a domain
      name). This was later changed to
      
        domain-needed
        local=/$mydomain/
      
      when we moved the options from the dnsmasq commandline to a conf file.
      
      The original patch on the list, and discussion about it, is here:
      
        https://www.redhat.com/archives/libvir-list/2012-August/msg01594.html
      
      When a domain name isn't specified (mydomain == ""), the addition of
      "domain-needed local=//" will prevent forwarding of domain-less
      requests to the virtualization host's DNS resolver, but if a domain
      *is* specified, the addition of "local=/domain/" will prevent
      forwarding of any requests for *qualified* names within that domain
      that aren't resolvable by libvirt's dnsmasq itself.
      
      An example of the problems this causes - let's say a network is
      defined with:
      
         <domain name='example.com'/>
         <dhcp>
            ..
            <host mac='52:54:00:11:22:33' ip='1.2.3.4' name='myguest'/>
         </dhcp>
      
      This results in "local=/example.com/" being added to the dnsmasq options.
      
      If a guest requests "myguest" or "myguest.example.com", that will be
      resolved by dnsmasq. If the guest asks for "www.example.com", dnsmasq
      will not know the answer, but instead of forwarding it to the host, it
      will return NOT FOUND to the guest. In most cases that isn't the
      behavior an admin is looking for.
      
      A later patch (commit 4f595ba6) attempted to remedy this by adding a
      "forwardPlainNames" attribute to the <dns> element. The idea was that
      if forwardPlainNames='yes' (default is 'no'), we would allow
      unresolved names to be forwarded. However, that patch was botched, in
      that it only removed the "domain-needed" option when
      forwardPlainNames='yes', and left the "local=/mydomain/".
      
      Really we should have been just including the option "--domain-needed
      --local=//" (note the lack of domain name) regardless of the
      configured domain of the network, so that requests for names without a
      domain would be treated as "local to dnsmasq" and not forwarded, but
      all others (including those in the network's configured domain) would
      be forwarded. We also shouldn't include *either* of those options if
      forwardPlainNames='yes'. This patch makes those corrections.
      
      This patch doesn't remedy the fact that default behavior was changed
      by the addition of this feature. That will be handled in a subsequent
      patch.
      f69a6b98
  2. 14 12月, 2012 1 次提交
    • L
      network: prevent dnsmasq from listening on localhost · d66eb786
      Laine Stump 提交于
      This patch resolves the problem reported in:
      
         https://bugzilla.redhat.com/show_bug.cgi?id=886663
      
      The source of the problem was the fix for CVE 2011-3411:
      
         https://bugzilla.redhat.com/show_bug.cgi?id=833033
      
      which was originally committed upstream in commit
      753ff83a. That commit improperly
      removed the "--except-interface lo" from dnsmasq commandlines when
      --bind-dynamic was used (based on comments in the latter bug).
      
      It turns out that the problem reported in the CVE could be eliminated
      without removing "--except-interface lo", and removing it actually
      caused each instance of dnsmasq to listen on localhost on port 53,
      which created a new problem:
      
      If another instance of dnsmasq using "bind-interfaces" (instead of
      "bind-dynamic") had already been started (or if another instance
      started later used "bind-dynamic"), this wouldn't have any immediately
      visible ill effects, but if you tried to start another dnsmasq
      instance using "bind-interfaces" *after* starting any libvirt
      networks, the new dnsmasq would fail to start, because there was
      already another process listening on port 53.
      
      (Subsequent to the CVE fix, another patch changed the network driver
      to put dnsmasq options in a conf file rather than directly on the
      dnsmasq commandline, but preserved the same options.)
      
      This patch changes the network driver to *always* add
      "except-interface=lo" to dnsmasq conf files, regardless of whether we use
      bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
      are listening on localhost (and the CVE is still fixed).
      
      The actual code change is miniscule, but must be propogated through all
      of the test files as well.
      d66eb786
  3. 13 12月, 2012 1 次提交
    • E
      network: match xml warning message · 7339bc4c
      Eric Blake 提交于
      I noticed that /var/lib/libvirt/dnsmasq/*.conf used the wrong word;
      it was intended to match the wording in src/util/xml.c.
      
      * src/network/bridge_driver.c (networkDnsmasqConfContents): Fix typo.
      * tests/networkxml2confdata/*.conf: Update accordingly.
      7339bc4c
  4. 11 12月, 2012 1 次提交
    • G
      network: put dnsmasq parameters in conf-file instead of command line · 8b32c80d
      Gene Czarcinski 提交于
      This patch changes how parameters are passed to dnsmasq.  Instead of
      being on the command line, the parameters are put into a file (one
      parameter per line) and a commandline --conf-file= specifies the
      location of the file.  The file is located in the same directory as
      the leases file.
      
      Putting the dnsmasq parameters into a configuration file
      allows them to be examined and more easily understood than
      examining the command lines displayed by "ps ax".  This is
      especially true when a number of networks have been started.
      
      When the use of dnsmasq was originally done, the required command line
      was simple, but it has gotten more complicated over time and will
      likely become even more complicated in the future.
      
      Note: The test conf files have all been renamed .conf instead of
      .argv, and tests/networkxml2xmlargvdata was moved to
      tests/networkxml2xmlconfdata.
      8b32c80d