In some use cases we don't want the virtual network's DNS to listen
only on the vnet interface. Adding a publiclyAccessible attribute
to the dns element in the configuration allows the DNS to listen on
all interfaces.
It simply disables the bind-dynamic option of dnsmasq for the network.
---
docs/formatnetwork.html.in | 11 +++++++++++
docs/schemas/network.rng | 15 ++++++++++-----
src/conf/network_conf.c | 6 ++++++
src/conf/network_conf.h | 1 +
src/network/bridge_driver.c | 4 +++-
tests/networkxml2confdata/nat-network-dns-hosts.conf | 1 -
tests/networkxml2confdata/nat-network-dns-hosts.xml | 2 +-
7 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 6abed8f..8e43658 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -851,6 +851,17 @@
DNS server.
</p>
+ <p>
+ The dns element
+ can have an optional <code>publiclyAccessible</code>
+ attribute <span class="since">Since 1.2.17</span>.
+ If <code>publiclyAccessible</code> is "yes", then the DNS
server
+ will handle requests for all interfaces.
+ If <code>publiclyAccessible</code> is not set or "no",
the DNS
+ server will only handle requests for the interface of the virtual
+ network.
+ </p>
+
Currently supported sub-elements of <code><dns></code>
are:
<dl>
<dt><code>forwarder</code></dt>
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
index 4edb6eb..f989625 100644
--- a/docs/schemas/network.rng
+++ b/docs/schemas/network.rng
@@ -244,12 +244,17 @@
and other features in the <dns> element -->
<optional>
<element name="dns">
- <optional>
- <attribute name="forwardPlainNames">
- <ref name="virYesNo"/>
- </attribute>
- </optional>
<interleave>
+ <optional>
+ <attribute name="forwardPlainNames">
+ <ref name="virYesNo"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="publiclyAccessible">
+ <ref name="virYesNo"/>
+ </attribute>
+ </optional>
<zeroOrMore>
<element name="forwarder">
<attribute name="addr"><ref
name="ipAddr"/></attribute>
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index f4a9df0..99bac6d 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
size_t i;
int ret = -1;
xmlNodePtr save = ctxt->node;
+ char *publiclyAccessible = NULL;
ctxt->node = node;
+ publiclyAccessible = virXPathString("string(./@publiclyAccessible)",
ctxt);
+ if (publiclyAccessible)
+ def->publiclyAccessible = virTristateBoolTypeFromString(publiclyAccessible);
+
forwardPlainNames = virXPathString("string(./@forwardPlainNames)", ctxt);
if (forwardPlainNames) {
def->forwardPlainNames = virTristateBoolTypeFromString(forwardPlainNames);
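Review bot: The value returned by virTristateBoolTypeFromString() for the new publiclyAccessible attribute is stored without being checked, so an unrecognised value (anything other than yes/no) leaves -1 in def->publiclyAccessible and the XML is accepted silently; the forwardPlainNames branch directly below appears to validate its result, and the new attribute should fail the parse the same way. The diffstat lists six insertions for network_conf.c and all six are in the two parse hunks, so the attribute is read but never emitted by the DNS formatter and would presumably be lost on dump or redefine; the matching output side is missing. virNetworkDNSDefParseXML starts before this hunk and continues past it.
```c
    publiclyAccessible = virXPathString("string(./@publiclyAccessible)", ctxt);
    if (publiclyAccessible) {
        def->publiclyAccessible = virTristateBoolTypeFromString(publiclyAccessible);
        if (def->publiclyAccessible <= 0) {
            virReportError(VIR_ERR_XML_ERROR,
                           _("Invalid publiclyAccessible setting '%s' "
                             "in network '%s'"),
                           publiclyAccessible, networkName);
            goto cleanup;
        }
    }
    /* … unchanged: forwardPlainNames parsing … */
```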
@@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
ret = 0;
cleanup:
+ VIR_FREE(publiclyAccessible);
VIR_FREE(forwardPlainNames);
VIR_FREE(fwdNodes);
VIR_FREE(hostNodes);
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index f69d999..f555b6b 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
virNetworkDNSSrvDefPtr srvs;
size_t nfwds;
char **forwarders;
+ int publiclyAccessible; /* enum virTristateBool */
};
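Review bot: The comment on the new field should say what the zero value means, because a def that was never given the attribute presumably holds 0 (VIR_TRISTATE_BOOL_ABSENT) and the bridge driver's check `!= VIR_TRISTATE_BOOL_YES` treats ABSENT and NO alike, keeping bind-dynamic; something like `int publiclyAccessible; /* enum virTristateBool; ABSENT is treated as NO (dnsmasq keeps bind-dynamic) */` makes that fail-safe default explicit. struct _virNetworkDNSDef starts before this hunk.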
typedef struct _virNetworkIpDef virNetworkIpDef;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d195085..c39b1a5 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
* other than one of the virtual guests connected directly to
* this network). This was added in response to CVE 2012-3411.
*/
+ if (network->def->dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
+ virBufferAddLit(&configbuf,
+ "bind-dynamic\n");
virBufferAsprintf(&configbuf,
- "bind-dynamic\n"
"interface=%s\n",
network->def->bridge);
} else {
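Review bot: The comment immediately above the new condition still describes bind-dynamic as an unconditional mitigation for CVE 2012-3411, but the new code turns it into an opt-out, so the comment should record the exception, e.g. append ` * A network with <dns publiclyAccessible='yes'> explicitly opts out of this protection; its dnsmasq then answers on every host interface.` The user-facing text in the formatnetwork.html.in hunk should state the same consequence, since the attribute name alone does not convey that it disables a security default. It is also worth confirming that dropping bind-dynamic while keeping `interface=%s` produces the intended result: dnsmasq's documented default without bind-interfaces or bind-dynamic is to bind the wildcard address and then discard queries arriving on interfaces not listed with interface=, in which case this config would not make the resolver reachable from other interfaces and a different config shape would be needed. networkDnsmasqConfContents starts before this hunk and continues past it.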
diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.conf
b/tests/networkxml2confdata/nat-network-dns-hosts.conf
index 021316f..759a9e9 100644
--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
+++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
@@ -10,6 +10,5 @@ expand-hosts
domain-needed
local=//
except-interface=lo
-bind-dynamic
interface=virbr0
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
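Review bot: Switching the existing nat-network-dns-hosts fixture to publiclyAccessible='yes' removes the only expectation that bind-dynamic is emitted by default, so a regression that dropped the CVE 2012-3411 mitigation for ordinary networks would no longer be caught by this test. Keep this fixture as it was and add a new xml/conf pair for the opt-out case (e.g. `nat-network-dns-publicly-accessible.xml` and `.conf`, names constructed), registered wherever the other networkxml2confdata cases are listed. The same applies to the nat-network-dns-hosts.xml hunk below.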
diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.xml
b/tests/networkxml2confdata/nat-network-dns-hosts.xml
index 9add456..969dfa5 100644
--- a/tests/networkxml2confdata/nat-network-dns-hosts.xml
+++ b/tests/networkxml2confdata/nat-network-dns-hosts.xml
@@ -4,7 +4,7 @@
<forward dev='eth0' mode='nat'/>
<bridge name='virbr0' stp='on' delay='0'/>
<domain name="example.com"/>
- <dns forwardPlainNames='no'>
+ <dns forwardPlainNames='no' publiclyAccessible='yes'>
<host ip='192.168.122.1'>
<hostname>host</hostname>
<hostname>gateway</hostname>
--
2.1.4