  1. 11 Dec, 2012 1 commit
    • network: put dnsmasq parameters in conf-file instead of command line · 8b32c80d
      Gene Czarcinski committed
      This patch changes how parameters are passed to dnsmasq.  Instead of
      being on the command line, the parameters are put into a file (one
      parameter per line) and a commandline --conf-file= specifies the
      location of the file.  The file is located in the same directory as
      the leases file.
      
      Putting the dnsmasq parameters into a configuration file
      allows them to be examined and more easily understood than
      examining the command lines displayed by "ps ax".  This is
      especially true when a number of networks have been started.
      
      When the use of dnsmasq was originally done, the required command line
      was simple, but it has gotten more complicated over time and will
      likely become even more complicated in the future.
      
      Note: The test conf files have all been renamed .conf instead of
      .argv, and tests/networkxml2xmlargvdata was moved to
      tests/networkxml2xmlconfdata.
  2. 30 Nov, 2012 1 commit
    • network: use dnsmasq --bind-dynamic when available · 753ff83a
      Laine Stump committed
      This bug resolves CVE-2012-3411, which is described in the following
      bugzilla report:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=833033
      
      The following report is specifically for libvirt on Fedora:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=874702
      
      In short, a dnsmasq instance run with the intention of listening for
      DHCP/DNS requests only on a libvirt virtual network (which is
      constructed using a Linux host bridge) would also answer queries sent
      from outside the virtualization host.
      
      This patch takes advantage of a new dnsmasq option "--bind-dynamic",
      which will cause the listening socket to be set up such that it will
      only receive those requests that actually come in via the bridge
      interface. In order for this behavior to actually occur, not only must
      "--bind-interfaces" be replaced with "--bind-dynamic", but also all
      "--listen-address" options must be replaced with a single
      "--interface" option. Fully:
      
         --bind-interfaces --except-interface lo --listen-address x.x.x.x ...
      
      (with --listen-address possibly repeated) is replaced with:
      
         --bind-dynamic --interface virbrX
      
      Of course libvirt can't use this new option if the host's dnsmasq
      doesn't have it, but we still want libvirt to function (because the
      great majority of libvirt installations, which only have mode='nat'
      networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
      are immune to this vulnerability from anywhere beyond the local subnet
      of the host), so we use the new dnsmasqCaps API to check if dnsmasq
      supports the new option and, if not, we use the "old" option style
      instead. In order to assure that this permissiveness doesn't lead to a
      vulnerable system, we do check for non-private addresses in this case,
      and refuse to start the network if both a) we are using the old-style
      options, and b) the network has a publicly routable IP
      address. Hopefully this will provide the proper balance of not being
      disruptive to those not practically affected, and making sure that
      those who *are* affected get their dnsmasq upgraded.
      
      (--bind-dynamic was added to dnsmasq in upstream commit
      54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
      dnsmasq-2.63)
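The option selection described in the commit message above, as an added example in C (written for this page, not libvirt's code). `dnsmasq_bind_opts`, `is_rfc1918` and the sample addresses are hypothetical; the dnsmasqCaps check is reduced to a boolean and only IPv4 RFC 1918 ranges are tested.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses; 203.0.113.1 stands in for a public one. */
static const char *const SAMPLE_PRIVATE[] = { "192.168.122.1" };
static const char *const SAMPLE_PUBLIC[]  = { "192.168.122.1", "203.0.113.1" };

/* True if addr is a dotted-quad IPv4 address in an RFC 1918 range. */
static bool is_rfc1918(const char *addr)
{
    struct in_addr in;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return false;                 /* unparsable: treat as not private */
    uint32_t a = ntohl(in.s_addr);
    return (a >> 24) == 10            /* 10.0.0.0/8 */
        || (a >> 20) == 0xAC1         /* 172.16.0.0/12 */
        || (a >> 16) == 0xC0A8;       /* 192.168.0.0/16 */
}

/* Hypothetical helper: writes the binding options into out.
 * Returns 0 on success, -1 to refuse the network (old-style options with a
 * non-private address), -2 if out is too small. */
int dnsmasq_bind_opts(bool has_bind_dynamic, const char *bridge,
                      const char *const *addrs, size_t naddrs,
                      char *out, size_t outlen)
{
    int n;
    if (has_bind_dynamic) {           /* new style: bind to the bridge only */
        n = snprintf(out, outlen, "--bind-dynamic --interface %s", bridge);
        return (n < 0 || (size_t)n >= outlen) ? -2 : 0;
    }
    for (size_t i = 0; i < naddrs; i++)
        if (!is_rfc1918(addrs[i]))
            return -1;                /* would answer queries from outside */
    n = snprintf(out, outlen, "--bind-interfaces --except-interface lo");
    if (n < 0 || (size_t)n >= outlen)
        return -2;
    size_t used = (size_t)n;
    for (size_t i = 0; i < naddrs; i++) {
        n = snprintf(out + used, outlen - used, " --listen-address %s", addrs[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -2;
        used += (size_t)n;
    }
    return 0;
}
```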
  3. 02 Jan, 2012 1 commit
    • Implement DNS SRV record into the bridge driver · 973af236
      Michal Novotny committed
      Hi,
      this is the fifth version of my SRV record for DNSMasq patch rebased
      for the current codebase to the bridge driver and libvirt XML file to
      include support for the SRV records in the DNS. The syntax is based on
      DNSMasq man page and tests for both xml2xml and xml2argv were added as
      well. There are some things written a better way in comparison with
      version 4, mainly there's no hack in tests/networkxml2argvtest.c and
      also the xPath context is changed to use a simpler query using the
      virXPathInt() function relative to the current node.
      
      Also, the patch is also fixing the networkxml2argv test to pass both
      checks, i.e. both unit tests and also syntax check.
      
      Please review,
      Michal
      Signed-off-by: Michal Novotny <minovotn@redhat.com>
  4. 22 Jul, 2011 1 commit
    • conf: support abstracted interface info in network XML · 40fd7073
      Laine Stump committed
      The network XML is updated in the following ways:
      
      1) The <forward> element can now contain a list of forward interfaces:
      
           <forward .... >
             <interface dev='eth10'/>
             <interface dev='eth11'/>
             <interface dev='eth12'/>
             <interface dev='eth13'/>
           </forward>
      
         The first of these takes the place of the dev attribute that is
         normally in <forward> - when defining a network you can specify
         either one, and on output both will be present. If you specify
         both on input, they must match.
      
      2) In addition to forward modes of 'nat' and 'route', these new modes
         are supported:
      
           private, passthrough, vepa - when this network is referenced by a
           domain's interface, it will have the same effect as if the
           interface had been defined as type='direct', e.g.:
      
              <interface type='direct'>
                <source mode='${mode}' dev='${dev}'/>
                ...
              </interface>
      
           where ${mode} is one of the three new modes, and ${dev} is an interface
           selected from the list given in <forward>.
      
           bridge - if a <forward> dev (or multiple devs) is defined, and
           forward mode is 'bridge' this is just like the modes 'private',
           'passthrough', and 'vepa' above. If there is no forward dev
           specified but a bridge name is given (e.g. "<bridge
           name='br0'/>"), then guest interfaces using this network will use
           libvirt's "host bridge" mode, equivalent to this:
      
             <interface type='bridge'>
                <source bridge='${bridge-name}'/>
                ...
             </interface>
      
      3) A network can have multiple <portgroup> elements, which may be
         selected by the guest interface definition (by adding
         "portgroup='${name}'" in the <source> element along with the
         network name). Currently a portgroup can only contain a
         virtportprofile, but the intent is that other configuration items
         may be put there in the future (e.g. bandwidth config). When
         building a guest's interface, if the <interface> XML itself has no
         virtportprofile, and if the requested network has a portgroup with
         a name matching the name given in the <interface> (or if one of the
         network's portgroups is marked with the "default='yes'" attribute),
         the virtportprofile from that portgroup will be used by the
         interface.
      
      4) A network can have a virtportprofile defined at the top level,
         which will be used by a guest interface when connecting in one of
         the 'direct' modes if the guest interface XML itself hasn't
         specified any virtportprofile, and if there are also no matching
         portgroups on the network.
  5. 25 Jun, 2011 1 commit
    • Add TXT record support for virtual DNS service · 5dd986db
      Michal Novotny committed
      This commit introduces the <dns> element and <txt> record for the
      virtual DNS network. The DNS TXT record can be defined using the following
      syntax in the network XML file:
      
        <dns>
          <txt name="example" value="example value" />
        </dns>
      
      Also, the Relax-NG scheme has been altered to allow the texts without
      spaces only for the name element and some nitpicks about memory
      free'ing have been fixed by Laine so therefore I'm adding Laine to the
      SOB clause ;-)
      Signed-off-by: Michal Novotny <minovotn@redhat.com>
      Signed-off-by: Laine Stump <laine@laine.org>
  6. 24 Dec, 2010 1 commit
    • Change virtual network XML parsing/formatting to support IPv6 · a950dd2a
      Laine Stump committed
      This commit adds support for IPv6 parsing and formatting to the
      virtual network XML parser, including moving around data definitions
      to allow for multiple <ip> elements on a single network, but only
      changes the consumers of this API to accommodate for the changes in
      API/structure, not to add any actual IPv6 functionality. That will
      come in a later patch - this patch attempts to maintain the same final
      functionality in both drivers that use the network XML parser - vbox
      and "bridge" (the Linux bridge-based driver used by the qemu
      hypervisor driver).
      
      * src/libvirt_private.syms: Add new private API functions.
      * src/conf/network_conf.[ch]: Change C data structure and
        parsing/formatting.
      * src/network/bridge_driver.c: Update to use new parser/formatter.
      * src/vbox/vbox_tmpl.c: update to use new parser/formatter
      * docs/schemas/network.rng: changes to the schema -
        * there can now be more than one <ip> element.
        * ip address is now an ip-addr (ipv4 or ipv6) rather than ipv4-addr
        * new optional "prefix" attribute that can be used in place of "netmask"
        * new optional "family" attribute - "ipv4" or "ipv6"
          (will default to ipv4)
        * define data types for the above
      * tests/networkxml2xml(in|out)/nat-network.xml: add multiple <ip> elements
        (including IPv6) to a single network definition to verify they are being
        correctly parsed and formatted.
  7. 16 Oct, 2009 1 commit