This is yet another refinement to the fix for CVE-2012-3411:

  https://bugzilla.redhat.com/show_bug.cgi?id=833033

It turns out that it would be very intrusive to correctly backport the
entire --bind-dynamic option to older dnsmasq versions
(e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very
simple to patch those versions to just use SO_BINDTODEVICE on all
their listening sockets (SO_BINDTODEVICE also has the desired effect
of permitting only traffic that was received on the interface(s) where
dnsmasq was set to listen.)

This patch modifies the dnsmasq capabilities detection to detect the
string:

  --bind-interfaces with SO_BINDTODEVICE

in the output of "dnsmasq --version", and in that case realize that
using the old --bind-interfaces option is just as safe as
--bind-dynamic (and therefore *not* forbid creation of networks that
use public IP address ranges).

ACK.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
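
The capability check and the policy it feeds, as described in the commit message above, sketched as an added C example that is not part of the original mail or libvirt's own code. The flag names, the detection of --bind-dynamic from "dnsmasq --help" output, the RFC 1918 test for what counts as a non-public range, and the sample strings are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Capability flags (hypothetical names, for this example only). */
enum { CAP_BIND_DYNAMIC = 1 << 0, CAP_BINDTODEVICE = 1 << 1 };

/* Derive capabilities from "dnsmasq --version" and "dnsmasq --help" text.
 * Assumption: --bind-dynamic support shows up as a mention in --help. */
unsigned dnsmasq_caps(const char *version_out, const char *help_out)
{
    unsigned caps = 0;
    if (help_out && strstr(help_out, "--bind-dynamic"))
        caps |= CAP_BIND_DYNAMIC;
    if (version_out &&
        strstr(version_out, "--bind-interfaces with SO_BINDTODEVICE"))
        caps |= CAP_BINDTODEVICE;
    return caps;
}

/* True for RFC 1918 ranges; unparsable input counts as public (fail closed). */
bool ipv4_is_private(const char *addr)
{
    struct in_addr in;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return false;
    uint32_t a = ntohl(in.s_addr);
    return (a >> 24) == 10 || (a >> 20) == 0xAC1 || (a >> 16) == 0xC0A8;
}

/* A network on a public range is allowed only if dnsmasq is restricted to
 * traffic received on its own interface by either mechanism. */
bool network_allowed(unsigned caps, const char *net_addr)
{
    if (ipv4_is_private(net_addr))
        return true;
    return (caps & (CAP_BIND_DYNAMIC | CAP_BINDTODEVICE)) != 0;
}

int main(void)
{
    /* Constructed sample output, not captured from a real dnsmasq build. */
    const char *ver = "Dnsmasq version 2.48\n"
                      "--bind-interfaces with SO_BINDTODEVICE\n";
    unsigned caps = dnsmasq_caps(ver, "");
    printf("public range allowed: %d\n", network_allowed(caps, "203.0.113.1"));
    return 0;
}
```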