11:06 a.m.
dnsmasq documentation says that the *IPv4* prefix/network
address/broadcast address sent to dhcp clients will be automatically
determined by dnsmasq by looking at the interface it's listening on,
so the original libvirt code that added dhcp support to virtual
networks did not add a prefix to the dnsmasq commandline (or later,
the dnsmasq conf file).
For *IPv6* however, dnsmasq cannot automatically determine the prefix,
so it must be explicitly provided in the conf file (as a part of the
dhcp-range option). Years after the initial IPv4 support, when IPv6
dhcp support was added, libvirt added the prefix to dhcp-range, but
only for IPv6 (following the "if it ain't broke, don't fix it"
doctrine).
Recently a user reported (privately, because they suspected a possible
security implication, which turned out to be unfounded) a bug on a
host where one of the interfaces was a superset of the libvirt network
where dhcp is needed (e.g., the host's ethernet is 10.0.0.20/8, and
the libvirt network is 10.10.0.1/24). For some reason dnsmasq was
supplying the netmask/broadcast address for the /8 network to clients
requesting an address on the /24 interface.
This seems like a bug in dnsmasq, but even if/when it gets fixed
there, it looks like there is no harm in just adding the prefix to all
dhcp-range options regardless of IPv4 vs IPv6, so that's what this
patch does.
Signed-off-by: Laine Stump <laine(a)laine.org>
---
src/network/bridge_driver.c | 7 ++-----
tests/networkxml2confdata/dhcp6-nat-network.conf | 2 +-
tests/networkxml2confdata/isolated-network.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-srv-record.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-txt-record.conf | 2 +-
tests/networkxml2confdata/nat-network-name-with-quotes.conf | 2 +-
tests/networkxml2confdata/nat-network.conf | 2 +-
tests/networkxml2confdata/netboot-network.conf | 2 +-
tests/networkxml2confdata/netboot-proxy-network.conf | 2 +-
tests/networkxml2confdata/ptr-domains-auto.conf | 2 +-
11 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 4bbc4f5a6d..7f5ff79fdc 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1416,11 +1416,8 @@ networkDnsmasqConfContents(virNetworkObjPtr obj,
!(eaddr = virSocketAddrFormat(&ipdef->ranges[r].end)))
goto cleanup;
- virBufferAsprintf(&configbuf, "dhcp-range=%s,%s",
- saddr, eaddr);
- if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- virBufferAsprintf(&configbuf, ",%d", prefix);
- virBufferAddLit(&configbuf, "\n");
+ virBufferAsprintf(&configbuf, "dhcp-range=%s,%s,%d\n",
+ saddr, eaddr, prefix);
VIR_FREE(saddr);
VIR_FREE(eaddr);
diff --git a/tests/networkxml2confdata/dhcp6-nat-network.conf
b/tests/networkxml2confdata/dhcp6-nat-network.conf
index d1058df3b6..e1e110fe23 100644
--- a/tests/networkxml2confdata/dhcp6-nat-network.conf
+++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
@@ -8,7 +8,7 @@ strict-order
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff,64
diff --git a/tests/networkxml2confdata/isolated-network.conf
b/tests/networkxml2confdata/isolated-network.conf
index ce4a59f6c1..d182f42f0a 100644
--- a/tests/networkxml2confdata/isolated-network.conf
+++ b/tests/networkxml2confdata/isolated-network.conf
@@ -10,7 +10,7 @@ bind-interfaces
listen-address=192.168.152.1
dhcp-option=3
no-resolv
-dhcp-range=192.168.152.2,192.168.152.254
+dhcp-range=192.168.152.2,192.168.152.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
index f35ea1d5d4..678e4a4bfd 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
@@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
listen-address=fc00:db8:ac10:fd01::1
listen-address=10.24.10.1
srv-host=_name._tcp
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
index af1ed70758..4f21eb18b3 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
@@ -15,7 +15,7 @@ srv-host=_name4._tcp.test4.com,test4.example.com,4444
srv-host=_name5._udp,test5.example.com,1,55,555
srv-host=_name6._tcp.test6.com,test6.example.com,6666,0,666
srv-host=_name7._tcp.test7.com,test7.example.com,1,0,777
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
index 7f560fbb5c..12e13c999e 100644
--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
@@ -9,7 +9,7 @@ except-interface=lo
bind-dynamic
interface=virbr0
txt-record=example,example value
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
index 36e11d17b9..63475ef511 100644
--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
+++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
@@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
listen-address=fc00:db8:ac10:fd01::1
listen-address=10.24.10.1
srv-host=_name._tcp
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network.conf
b/tests/networkxml2confdata/nat-network.conf
index a3c8b102d3..015d51c952 100644
--- a/tests/networkxml2confdata/nat-network.conf
+++ b/tests/networkxml2confdata/nat-network.conf
@@ -8,7 +8,7 @@ strict-order
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/netboot-network.conf
b/tests/networkxml2confdata/netboot-network.conf
index b554a5456c..987164c24c 100644
--- a/tests/networkxml2confdata/netboot-network.conf
+++ b/tests/networkxml2confdata/netboot-network.conf
@@ -10,7 +10,7 @@ expand-hosts
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
enable-tftp
diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf
b/tests/networkxml2confdata/netboot-proxy-network.conf
index afb4033f7e..ad7e55fd09 100644
--- a/tests/networkxml2confdata/netboot-proxy-network.conf
+++ b/tests/networkxml2confdata/netboot-proxy-network.conf
@@ -10,7 +10,7 @@ expand-hosts
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-boot=pxeboot.img,,10.20.30.40
diff --git a/tests/networkxml2confdata/ptr-domains-auto.conf
b/tests/networkxml2confdata/ptr-domains-auto.conf
index 7f1a393dd5..3be679ac4d 100644
--- a/tests/networkxml2confdata/ptr-domains-auto.conf
+++ b/tests/networkxml2confdata/ptr-domains-auto.conf
@@ -10,7 +10,7 @@ local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
--
2.14.5
7:57 p.m.
Self-NACK. I'vebeen informed by the original reporter that for IPv4 we
have to specify a netmask rather than prefix (it worked for me with
prefix, but for him it didn't :-/)
I'll send a V2 in the morning. Too close to bedtime now to do anything
that requires attention to detail...
On 10/17/2018 12:06 PM, Laine Stump wrote:
dnsmasq documentation says that the *IPv4* prefix/network
address/broadcast address sent to dhcp clients will be automatically
determined by dnsmasq by looking at the interface it's listening on,
so the original libvirt code that added dhcp support to virtual
networks did not add a prefix to the dnsmasq commandline (or later,
the dnsmasq conf file).
For *IPv6* however, dnsmasq cannot automatically determine the prefix,
so it must be explicitly provided in the conf file (as a part of the
dhcp-range option). Years after the initial IPv4 support, when IPv6
dhcp support was added, libvirt added the prefix to dhcp-range, but
only for IPv6 (following the "if it ain't broke, don't fix it"
doctrine).
Recently a user reported (privately, because they suspected a possible
security implication, which turned out to be unfounded) a bug on a
host where one of the interfaces was a superset of the libvirt network
where dhcp is needed (e.g., the host's ethernet is 10.0.0.20/8, and
the libvirt network is 10.10.0.1/24). For some reason dnsmasq was
supplying the netmask/broadcast address for the /8 network to clients
requesting an address on the /24 interface.
This seems like a bug in dnsmasq, but even if/when it gets fixed
there, it looks like there is no harm in just adding the prefix to all
dhcp-range options regardless of IPv4 vs IPv6, so that's what this
patch does.
Signed-off-by: Laine Stump <laine(a)laine.org>
---
src/network/bridge_driver.c | 7 ++-----
tests/networkxml2confdata/dhcp6-nat-network.conf | 2 +-
tests/networkxml2confdata/isolated-network.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-srv-record.conf | 2 +-
tests/networkxml2confdata/nat-network-dns-txt-record.conf | 2 +-
tests/networkxml2confdata/nat-network-name-with-quotes.conf | 2 +-
tests/networkxml2confdata/nat-network.conf | 2 +-
tests/networkxml2confdata/netboot-network.conf | 2 +-
tests/networkxml2confdata/netboot-proxy-network.conf | 2 +-
tests/networkxml2confdata/ptr-domains-auto.conf | 2 +-
11 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 4bbc4f5a6d..7f5ff79fdc 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1416,11 +1416,8 @@ networkDnsmasqConfContents(virNetworkObjPtr obj,
!(eaddr = virSocketAddrFormat(&ipdef->ranges[r].end)))
goto cleanup;
- virBufferAsprintf(&configbuf, "dhcp-range=%s,%s",
- saddr, eaddr);
- if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- virBufferAsprintf(&configbuf, ",%d", prefix);
- virBufferAddLit(&configbuf, "\n");
+ virBufferAsprintf(&configbuf, "dhcp-range=%s,%s,%d\n",
+ saddr, eaddr, prefix);
VIR_FREE(saddr);
VIR_FREE(eaddr);
diff --git a/tests/networkxml2confdata/dhcp6-nat-network.conf
b/tests/networkxml2confdata/dhcp6-nat-network.conf
index d1058df3b6..e1e110fe23 100644
--- a/tests/networkxml2confdata/dhcp6-nat-network.conf
+++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
@@ -8,7 +8,7 @@ strict-order
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff,64
diff --git a/tests/networkxml2confdata/isolated-network.conf
b/tests/networkxml2confdata/isolated-network.conf
index ce4a59f6c1..d182f42f0a 100644
--- a/tests/networkxml2confdata/isolated-network.conf
+++ b/tests/networkxml2confdata/isolated-network.conf
@@ -10,7 +10,7 @@ bind-interfaces
listen-address=192.168.152.1
dhcp-option=3
no-resolv
-dhcp-range=192.168.152.2,192.168.152.254
+dhcp-range=192.168.152.2,192.168.152.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
index f35ea1d5d4..678e4a4bfd 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
@@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
listen-address=fc00:db8:ac10:fd01::1
listen-address=10.24.10.1
srv-host=_name._tcp
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
index af1ed70758..4f21eb18b3 100644
--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
@@ -15,7 +15,7 @@ srv-host=_name4._tcp.test4.com,test4.example.com,4444
srv-host=_name5._udp,test5.example.com,1,55,555
srv-host=_name6._tcp.test6.com,test6.example.com,6666,0,666
srv-host=_name7._tcp.test7.com,test7.example.com,1,0,777
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
index 7f560fbb5c..12e13c999e 100644
--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
+++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
@@ -9,7 +9,7 @@ except-interface=lo
bind-dynamic
interface=virbr0
txt-record=example,example value
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
index 36e11d17b9..63475ef511 100644
--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
+++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
@@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
listen-address=fc00:db8:ac10:fd01::1
listen-address=10.24.10.1
srv-host=_name._tcp
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/nat-network.conf
b/tests/networkxml2confdata/nat-network.conf
index a3c8b102d3..015d51c952 100644
--- a/tests/networkxml2confdata/nat-network.conf
+++ b/tests/networkxml2confdata/nat-network.conf
@@ -8,7 +8,7 @@ strict-order
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
diff --git a/tests/networkxml2confdata/netboot-network.conf
b/tests/networkxml2confdata/netboot-network.conf
index b554a5456c..987164c24c 100644
--- a/tests/networkxml2confdata/netboot-network.conf
+++ b/tests/networkxml2confdata/netboot-network.conf
@@ -10,7 +10,7 @@ expand-hosts
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
enable-tftp
diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf
b/tests/networkxml2confdata/netboot-proxy-network.conf
index afb4033f7e..ad7e55fd09 100644
--- a/tests/networkxml2confdata/netboot-proxy-network.conf
+++ b/tests/networkxml2confdata/netboot-proxy-network.conf
@@ -10,7 +10,7 @@ expand-hosts
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-boot=pxeboot.img,,10.20.30.40
diff --git a/tests/networkxml2confdata/ptr-domains-auto.conf
b/tests/networkxml2confdata/ptr-domains-auto.conf
index 7f1a393dd5..3be679ac4d 100644
--- a/tests/networkxml2confdata/ptr-domains-auto.conf
+++ b/tests/networkxml2confdata/ptr-domains-auto.conf
@@ -10,7 +10,7 @@ local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/
except-interface=lo
bind-dynamic
interface=virbr0
-dhcp-range=192.168.122.2,192.168.122.254
+dhcp-range=192.168.122.2,192.168.122.254,24
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
2227
days inactive
2228
days old
1 comments
1 participants
participants (1)
-
Laine Stump