[libvirt] [PATCH] network: don't require private addresses if dnsmasq uses SO_BINDTODEVICE
Eric Blake
eblake at redhat.com
Mon Dec 17 20:48:57 UTC 2012
> This is yet another refinement to the fix for CVE-2012-3411:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=833033
>
> It turns out that it would be very intrusive to correctly backport the
> entire --bind-dynamic option to older dnsmasq versions
> (e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very
> simple to patch those versions to just use SO_BINDTODEVICE on all
> their listening sockets (SO_BINDTODEVICE also has the desired effect
> of permitting only traffic that was received on the interface(s) where
> dnsmasq was set to listen.)
>
> This patch modifies the dnsmasq capabilities detection to detect the
> string:
>
> --bind-interfaces with SO_BINDTODEVICE
>
> in the output of "dnsmasq --version", and in that case realize that
> using the old --bind-interfaces option is just as safe as
> --bind-dynamic (and therefore *not* forbid creation of networks that
> use public IP address ranges).
ACK.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
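The capability check the quoted patch description outlines, written out as an added example that is not libvirt's own code: function and constant names are hypothetical, it assumes a --bind-dynamic build advertises that option in the same captured text, and the sample version outputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Capability bits; hypothetical names, not libvirt's own enum. */
enum {
    DNSMASQ_CAPS_BIND_DYNAMIC = 1 << 0, /* --bind-dynamic is available */
    DNSMASQ_CAPS_BINDTODEVICE = 1 << 1  /* --bind-interfaces uses SO_BINDTODEVICE */
};

/* Exact marker string from the patch, searched for in "dnsmasq --version" output. */
#define BINDTODEVICE_MARKER "--bind-interfaces with SO_BINDTODEVICE"

/* Derive capability bits from the captured "dnsmasq --version" text.
 * Assumption: a build with --bind-dynamic mentions it in the same text. */
unsigned dnsmasq_caps_from_version(const char *version_output)
{
    unsigned caps = 0;

    if (version_output == NULL)
        return 0;
    if (strstr(version_output, "--bind-dynamic") != NULL)
        caps |= DNSMASQ_CAPS_BIND_DYNAMIC;
    if (strstr(version_output, BINDTODEVICE_MARKER) != NULL)
        caps |= DNSMASQ_CAPS_BINDTODEVICE;
    return caps;
}

/* Prefer --bind-dynamic; otherwise fall back to the old --bind-interfaces. */
const char *dnsmasq_bind_option(unsigned caps)
{
    return (caps & DNSMASQ_CAPS_BIND_DYNAMIC) ? "--bind-dynamic" : "--bind-interfaces";
}

/* Either capability means dnsmasq only answers traffic that arrived on the
 * interface(s) it listens on, so a network with a public (non-private)
 * address range may be defined; with neither, refuse it as the CVE fix does. */
bool dnsmasq_public_range_allowed(unsigned caps)
{
    return (caps & (DNSMASQ_CAPS_BIND_DYNAMIC | DNSMASQ_CAPS_BINDTODEVICE)) != 0;
}

/* Constructed sample outputs (not real dnsmasq builds) for a stand-alone run. */
const char *const OLD_RHEL6 =
    "Dnsmasq version 2.48  Copyright (c) 2000-2009 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus no-I18N DHCP TFTP\n";
const char *const PATCHED_RHEL6 =
    "Dnsmasq version 2.48  Copyright (c) 2000-2009 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus no-I18N DHCP TFTP "
    "--bind-interfaces with SO_BINDTODEVICE\n";
```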