[libvirt] [PATCH] network: add prefix to dhcp range of dnsmasq conf file for IPv4 too

Laine Stump laine at laine.org
Thu Oct 18 00:57:10 UTC 2018 

Self-NACK. I'vebeen informed by the original reporter that for IPv4 we
have to specify a netmask rather than prefix (it worked for me with
prefix, but for him it didn't :-/)

I'll send a V2 in the morning. Too close to bedtime now to do anything
that requires attention to detail...

On 10/17/2018 12:06 PM, Laine Stump wrote:
> dnsmasq documentation says that the *IPv4* prefix/network
> address/broadcast address sent to dhcp clients will be automatically
> determined by dnsmasq by looking at the interface it's listening on,
> so the original libvirt code that added dhcp support to virtual
> networks did not add a prefix to the dnsmasq commandline (or later,
> the dnsmasq conf file).
>
> For *IPv6* however, dnsmasq cannot automatically determine the prefix,
> so it must be explicitly provided in the conf file (as a part of the
> dhcp-range option). Years after the initial IPv4 support, when IPv6
> dhcp support was added, libvirt added the prefix to dhcp-range, but
> only for IPv6 (following the "if it ain't broke, don't fix it"
> doctrine).
>
> Recently a user reported (privately, because they suspected a possible
> security implication, which turned out to be unfounded) a bug on a
> host where one of the interfaces was a superset of the libvirt network
> where dhcp is needed (e.g., the host's ethernet is 10.0.0.20/8, and
> the libvirt network is 10.10.0.1/24). For some reason dnsmasq was
> supplying the netmask/broadcast address for the /8 network to clients
> requesting an address on the /24 interface.
>
> This seems like a bug in dnsmasq, but even if/when it gets fixed
> there, it looks like there is no harm in just adding the prefix to all
> dhcp-range options regardless of IPv4 vs IPv6, so that's what this
> patch does.
>
> Signed-off-by: Laine Stump <laine at laine.org>
> ---
>  src/network/bridge_driver.c                                       | 7 ++-----
>  tests/networkxml2confdata/dhcp6-nat-network.conf                  | 2 +-
>  tests/networkxml2confdata/isolated-network.conf                   | 2 +-
>  tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf | 2 +-
>  tests/networkxml2confdata/nat-network-dns-srv-record.conf         | 2 +-
>  tests/networkxml2confdata/nat-network-dns-txt-record.conf         | 2 +-
>  tests/networkxml2confdata/nat-network-name-with-quotes.conf       | 2 +-
>  tests/networkxml2confdata/nat-network.conf                        | 2 +-
>  tests/networkxml2confdata/netboot-network.conf                    | 2 +-
>  tests/networkxml2confdata/netboot-proxy-network.conf              | 2 +-
>  tests/networkxml2confdata/ptr-domains-auto.conf                   | 2 +-
>  11 files changed, 12 insertions(+), 15 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 4bbc4f5a6d..7f5ff79fdc 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -1416,11 +1416,8 @@ networkDnsmasqConfContents(virNetworkObjPtr obj,
>                  !(eaddr = virSocketAddrFormat(&ipdef->ranges[r].end)))
>                  goto cleanup;
>  
> -            virBufferAsprintf(&configbuf, "dhcp-range=%s,%s",
> -                              saddr, eaddr);
> -            if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
> -                virBufferAsprintf(&configbuf, ",%d", prefix);
> -            virBufferAddLit(&configbuf, "\n");
> +            virBufferAsprintf(&configbuf, "dhcp-range=%s,%s,%d\n",
> +                              saddr, eaddr, prefix);
>  
>              VIR_FREE(saddr);
>              VIR_FREE(eaddr);
> diff --git a/tests/networkxml2confdata/dhcp6-nat-network.conf b/tests/networkxml2confdata/dhcp6-nat-network.conf
> index d1058df3b6..e1e110fe23 100644
> --- a/tests/networkxml2confdata/dhcp6-nat-network.conf
> +++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
> @@ -8,7 +8,7 @@ strict-order
>  except-interface=lo
>  bind-dynamic
>  interface=virbr0
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-range=2001:db8:ac10:fd01::1:10,2001:db8:ac10:fd01::1:ff,64
> diff --git a/tests/networkxml2confdata/isolated-network.conf b/tests/networkxml2confdata/isolated-network.conf
> index ce4a59f6c1..d182f42f0a 100644
> --- a/tests/networkxml2confdata/isolated-network.conf
> +++ b/tests/networkxml2confdata/isolated-network.conf
> @@ -10,7 +10,7 @@ bind-interfaces
>  listen-address=192.168.152.1
>  dhcp-option=3
>  no-resolv
> -dhcp-range=192.168.152.2,192.168.152.254
> +dhcp-range=192.168.152.2,192.168.152.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> index f35ea1d5d4..678e4a4bfd 100644
> --- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> +++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> @@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
>  listen-address=fc00:db8:ac10:fd01::1
>  listen-address=10.24.10.1
>  srv-host=_name._tcp
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/nat-network-dns-srv-record.conf b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> index af1ed70758..4f21eb18b3 100644
> --- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> +++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> @@ -15,7 +15,7 @@ srv-host=_name4._tcp.test4.com,test4.example.com,4444
>  srv-host=_name5._udp,test5.example.com,1,55,555
>  srv-host=_name6._tcp.test6.com,test6.example.com,6666,0,666
>  srv-host=_name7._tcp.test7.com,test7.example.com,1,0,777
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/nat-network-dns-txt-record.conf b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> index 7f560fbb5c..12e13c999e 100644
> --- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> +++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> @@ -9,7 +9,7 @@ except-interface=lo
>  bind-dynamic
>  interface=virbr0
>  txt-record=example,example value
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/nat-network-name-with-quotes.conf b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> index 36e11d17b9..63475ef511 100644
> --- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> +++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> @@ -13,7 +13,7 @@ listen-address=fc00:db8:ac10:fe01::1
>  listen-address=fc00:db8:ac10:fd01::1
>  listen-address=10.24.10.1
>  srv-host=_name._tcp
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/nat-network.conf b/tests/networkxml2confdata/nat-network.conf
> index a3c8b102d3..015d51c952 100644
> --- a/tests/networkxml2confdata/nat-network.conf
> +++ b/tests/networkxml2confdata/nat-network.conf
> @@ -8,7 +8,7 @@ strict-order
>  except-interface=lo
>  bind-dynamic
>  interface=virbr0
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253
> diff --git a/tests/networkxml2confdata/netboot-network.conf b/tests/networkxml2confdata/netboot-network.conf
> index b554a5456c..987164c24c 100644
> --- a/tests/networkxml2confdata/netboot-network.conf
> +++ b/tests/networkxml2confdata/netboot-network.conf
> @@ -10,7 +10,7 @@ expand-hosts
>  except-interface=lo
>  bind-interfaces
>  listen-address=192.168.122.1
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  enable-tftp
> diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf b/tests/networkxml2confdata/netboot-proxy-network.conf
> index afb4033f7e..ad7e55fd09 100644
> --- a/tests/networkxml2confdata/netboot-proxy-network.conf
> +++ b/tests/networkxml2confdata/netboot-proxy-network.conf
> @@ -10,7 +10,7 @@ expand-hosts
>  except-interface=lo
>  bind-interfaces
>  listen-address=192.168.122.1
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-boot=pxeboot.img,,10.20.30.40
> diff --git a/tests/networkxml2confdata/ptr-domains-auto.conf b/tests/networkxml2confdata/ptr-domains-auto.conf
> index 7f1a393dd5..3be679ac4d 100644
> --- a/tests/networkxml2confdata/ptr-domains-auto.conf
> +++ b/tests/networkxml2confdata/ptr-domains-auto.conf
> @@ -10,7 +10,7 @@ local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/
>  except-interface=lo
>  bind-dynamic
>  interface=virbr0
> -dhcp-range=192.168.122.2,192.168.122.254
> +dhcp-range=192.168.122.2,192.168.122.254,24
>  dhcp-no-override
>  dhcp-authoritative
>  dhcp-lease-max=253

More information about the libvir-list mailing list