[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] network: don't require private addresses if dnsmasq uses SO_BINDTODEVICE



> This is yet another refinement to the fix for CVE-2012-3411:
> 
>    https://bugzilla.redhat.com/show_bug.cgi?id=833033
> 
> It turns out that it would be very intrusive to correctly backport
> the
> entire --bind-dynamic option to older dnsmasq versions
> (e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very
> simple to patch those versions to just use SO_BINDTODEVICE on all
> their listening sockets (SO_BINDTODEVICE also has the desired effect
> of permitting only traffic that was received on the interface(s)
> where
> dnsmasq was set to listen.)
> 
> This patch modifies the dnsmasq capabilities detection to detect the
> string:
> 
>     --bind-interfaces with SO_BINDTODEVICE
> 
> in the output of "dnsmasq --version", and in that case realize that
> using the old --bind-interfaces option is just as safe as
> --bind-dynamic (and therefore *not* forbid creation of networks that
> use public IP address ranges).

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]