10:16 a.m.
From: Gene Czarcinski <gene(a)czarc.net>
For networks which dnsmasq has "--listen-address" specified, add
the command line parameter so that any dns PTR queries for those
networks are not forwarded.
There are separate patches for IPv4 and IPv6.
Gene Czarcinski (2):
IPV4 local=/....in-addr.arpa/
IPv6 local=/...ip6.arpa/
src/network/bridge_driver.c | 32 ++++++++++++++++++++++
tests/networkxml2argvdata/isolated-network.argv | 1 +
.../networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
.../nat-network-dns-srv-record-minimal.argv | 5 ++++
.../nat-network-dns-srv-record.argv | 5 ++++
.../nat-network-dns-txt-record.argv | 11 ++++++--
tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++--
tests/networkxml2argvdata/nat-network.xml | 4 +++
tests/networkxml2argvdata/netboot-network.argv | 1 +
.../networkxml2argvdata/netboot-proxy-network.argv | 1 +
tests/networkxml2argvdata/routed-network.argv | 3 +-
11 files changed, 76 insertions(+), 6 deletions(-)
--
1.7.11.4
10:16 a.m.
New subject: [libvirt] [PATCH 1/2] IPV4 tell dnsmasq not to forward PTR queries
From: Gene Czarcinski <gene(a)czarc.net>
For IPv4 networks dnsmasq listens to, do no forward
any IPv4 dns PTR queries for that network.
Only network prefixes 8, 16, or 24 work correctly.
---
src/network/bridge_driver.c | 17 +++++++++++++++++
tests/networkxml2argvdata/isolated-network.argv | 1 +
tests/networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
.../nat-network-dns-srv-record-minimal.argv | 3 +++
.../networkxml2argvdata/nat-network-dns-srv-record.argv | 3 +++
.../networkxml2argvdata/nat-network-dns-txt-record.argv | 9 +++++++--
tests/networkxml2argvdata/nat-network.argv | 12 +++++++++---
tests/networkxml2argvdata/netboot-network.argv | 1 +
tests/networkxml2argvdata/netboot-proxy-network.argv | 1 +
tests/networkxml2argvdata/routed-network.argv | 3 ++-
10 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 4faad5d..7ad6fe2 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -634,6 +634,23 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
if (!ipaddr)
goto cleanup;
virCommandAddArgList(cmd, "--listen-address", ipaddr, NULL);
+ int psize = virNetworkIpDefPrefix(tmpipdef);
+ if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET)) &&
+ ((psize==8) || (psize==16) || (psize=24)))
+ {
+ int val =
+ ntohl(tmpipdef->address.data.inet4.sin_addr.s_addr) >> 8;
+ char *p, str[25]; /* strlen("xxx.yyy.zzz.in-addr.arpa")+1 */
+ p = &str[0];
+ if (psize == 24)
+ p += sprintf(p, "%d.", val & 0xff);
+ val = val >> 8;
+ if (psize != 8)
+ p += sprintf(p, "%d.", val & 0xff);
+ val = val >> 8;
+ p += sprintf(p, "%d.in-addr.arpa", val & 0xff);
+ virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
+ }
VIR_FREE(ipaddr);
}
diff --git a/tests/networkxml2argvdata/isolated-network.argv
b/tests/networkxml2argvdata/isolated-network.argv
index 048c72b..40592d9 100644
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
@@ -2,6 +2,7 @@
--local=// --domain-needed --conf-file= \
--except-interface lo --dhcp-option=3 --no-resolv \
--listen-address 192.168.152.1 \
+--local=/152.168.192.in-addr.arpa/ \
--dhcp-range 192.168.152.2,192.168.152.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \
--dhcp-no-override\
diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
index 03a0676..b04f9cc 100644
--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
@@ -1,4 +1,5 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed \
--conf-file= --except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
index a1e4200..e0ea334 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
@@ -5,10 +5,13 @@
--except-interface lo \
--srv-host=name.tcp.,,,, \
--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
--listen-address 2001:db8:ac10:fd01::1 \
--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
index 8af38c4..0a5cd6b 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
@@ -5,10 +5,13 @@
--except-interface lo \
--srv-host=name.tcp.test-domain-name,.,1024,10,10 \
--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
--listen-address 2001:db8:ac10:fd01::1 \
--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
index 404b56a..6e1d054 100644
--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
@@ -1,9 +1,14 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
--except-interface lo '--txt-record=example,example value' \
---listen-address 192.168.122.1 --listen-address 192.168.123.1 \
+--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
+--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \
+--listen-address 2001:db8:ac10:fd01::1 \
+--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 --dhcp-no-override \
diff --git a/tests/networkxml2argvdata/nat-network.argv
b/tests/networkxml2argvdata/nat-network.argv
index 1dc8f73..55f31e2 100644
--- a/tests/networkxml2argvdata/nat-network.argv
+++ b/tests/networkxml2argvdata/nat-network.argv
@@ -1,8 +1,14 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
---except-interface lo --listen-address 192.168.122.1 \
---listen-address 192.168.123.1 --listen-address 2001:db8:ac10:fe01::1 \
---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \
+--except-interface lo \
+--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
+--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
+--listen-address 2001:db8:ac10:fe01::1 \
+--listen-address 2001:db8:ac10:fd01::1 \
+--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 --dhcp-no-override \
diff --git a/tests/networkxml2argvdata/netboot-network.argv
b/tests/networkxml2argvdata/netboot-network.argv
index 5a85ec2..9d62602 100644
--- a/tests/networkxml2argvdata/netboot-network.argv
+++ b/tests/networkxml2argvdata/netboot-network.argv
@@ -1,6 +1,7 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed --conf-file= \
--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
--dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv
b/tests/networkxml2argvdata/netboot-proxy-network.argv
index 36836b0..01a4ffd 100644
--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
+++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
@@ -1,6 +1,7 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed --conf-file= \
--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
--dhcp-lease-max=253 --dhcp-no-override --expand-hosts \
diff --git a/tests/networkxml2argvdata/routed-network.argv
b/tests/networkxml2argvdata/routed-network.argv
index 77e802f..e0b3033 100644
--- a/tests/networkxml2argvdata/routed-network.argv
+++ b/tests/networkxml2argvdata/routed-network.argv
@@ -1,3 +1,4 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
---except-interface lo --listen-address 192.168.122.1\
+--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/\
--
1.7.11.4
10:16 a.m.
New subject: [libvirt] [PATCH 2/2] IPv6 tell dnsmasq not to forward PTR queries
From: Gene Czarcinski <gene(a)czarc.net>
For IPv6 networks that dnsmasq listens to, do not forward any
dns PTR queries for that network. A character string compare
is performed by dnsmasq where each character is a 4-bit
hexidecimal number. Dots ('.') are used to separate characters.
Note that if a network is "listened to", then the assumption is
that the network is "owned" by dnsmasq for purposes of dns query
forwarding.
---
src/network/bridge_driver.c | 15 +++++++++++++++
.../nat-network-dns-srv-record-minimal.argv | 2 ++
tests/networkxml2argvdata/nat-network-dns-srv-record.argv | 2 ++
tests/networkxml2argvdata/nat-network-dns-txt-record.argv | 2 ++
tests/networkxml2argvdata/nat-network.argv | 6 ++++++
tests/networkxml2argvdata/nat-network.xml | 4 ++++
6 files changed, 31 insertions(+)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 7ad6fe2..e9de25a 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -650,6 +650,21 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
val = val >> 8;
p += sprintf(p, "%d.in-addr.arpa", val & 0xff);
virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
+ }
+ else if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET6)) &&
+ (psize>0) && (psize<128) && ((psize & 3)==0))
+ {
+ /* note its a "nibble" at a time like the ipv4 8/16/24 */
+ char *p, str[73]; /* 73 is strlen("32*<n.>ip6.arpa")+1 */
+ int ii = psize - 1;
+ p = &str[0];
+ while (ii >= 0) {
+ int val = tmpipdef->address.data.inet6.sin6_addr.s6_addr[ii>>3];
+ p += sprintf(p, "%.1x.", (ii>>2) & 1 ? val & 0x0f : val
>> 4);
+ ii -= 4;
+ }
+ p += sprintf(p, "ip6.arpa");
+ virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
}
VIR_FREE(ipaddr);
}
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
index e0ea334..6e666cd 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
@@ -9,7 +9,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
index 0a5cd6b..6021ca0 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
@@ -9,7 +9,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
index 6e1d054..28c808d 100644
--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
@@ -6,7 +6,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network.argv
b/tests/networkxml2argvdata/nat-network.argv
index 55f31e2..b516706 100644
--- a/tests/networkxml2argvdata/nat-network.argv
+++ b/tests/networkxml2argvdata/nat-network.argv
@@ -6,7 +6,13 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
+--listen-address fe00:2001:dead:beef:fd01::1 \
+--local=/e.e.b.d.a.e.d.1.0.0.2.0.0.e.f.ip6.arpa/ \
+--listen-address fe00:dead:beef:1234:fd01::1 \
+--local=/0.0.0.0.0.0.0.0.0.0.1.0.d.f.4.3.2.1.f.e.e.b.d.a.e.d.0.0.e.f.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network.xml
b/tests/networkxml2argvdata/nat-network.xml
index eb71d9e..98dcca2 100644
--- a/tests/networkxml2argvdata/nat-network.xml
+++ b/tests/networkxml2argvdata/nat-network.xml
@@ -16,6 +16,10 @@
</ip>
<ip family='ipv6' address='2001:db8:ac10:fd01::1'
prefix='64'>
</ip>
+ <ip family='ipv6' address='fe00:2001:dead:beef:fd01::1'
prefix='60'>
+ </ip>
+ <ip family='ipv6' address='fe00:dead:beef:1234:fd01::1'
prefix='120'>
+ </ip>
<ip family='ipv4' address='10.24.10.1'>
</ip>
</network>
--
1.7.11.4
5:43 a.m.
On 09/12/2012 11:16 AM, gene(a)czarc.net wrote:
From: Gene Czarcinski <gene(a)czarc.net>
For networks which dnsmasq has "--listen-address" specified, add
the command line parameter so that any dns PTR queries for those
networks are not forwarded.
Are you certain this will never be desired? If dnsmasq "owns" the
network, then shouldn't it simply be answering these queries (and if it
doesn't, doesn't that imply that dnsmasq disagrees with the assertion
that it owns the network?)
(on the subject of PTRs, I've never quite decided what annoys me more -
admins who don't properly setup PTR records for all of their hosts, or
software that believes the ability to successfully resolve the PTR for a
client's IP address somehow makes that client more "legitimate". All
those wasted hours waiting for sshd or ftpd to connect just because my
ISP doesn't have a PTR for the IP address they gave me...)
There are separate patches for IPv4 and IPv6.
Gene Czarcinski (2):
IPV4 local=/....in-addr.arpa/
IPv6 local=/...ip6.arpa/
src/network/bridge_driver.c | 32 ++++++++++++++++++++++
tests/networkxml2argvdata/isolated-network.argv | 1 +
.../networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
.../nat-network-dns-srv-record-minimal.argv | 5 ++++
.../nat-network-dns-srv-record.argv | 5 ++++
.../nat-network-dns-txt-record.argv | 11 ++++++--
tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++--
tests/networkxml2argvdata/nat-network.xml | 4 +++
tests/networkxml2argvdata/netboot-network.argv | 1 +
.../networkxml2argvdata/netboot-proxy-network.argv | 1 +
tests/networkxml2argvdata/routed-network.argv | 3 +-
11 files changed, 76 insertions(+), 6 deletions(-)
4454
days inactive
4456
days old
3 comments
2 participants
participants (2)
-
gene@czarc.net -
Laine Stump