[libvirt] [PATCH] handle DNS over IPv6

Laine Stump laine at laine.org
Fri Dec 31 19:57:16 UTC 2010


On 12/29/2010 10:00 AM, Paweł Krześniak wrote:
> Firstly: Add ip6tables rules to allow DNS over IPv6 in network.
>
> Secondly: start dnsmasq with --interface option instead of --listen-address.
>
> Dnsmasq currently uses "--listen-address IPv4_address" option, which
> restricts DNS service to one IPv4 address only.
> We could append --listen-address for every IPv[46] address defined on
> interface, but it's cleaner to use "--interface brname".
>
> There were some problems in the past with --interface option. Dnsmasq
> version 2.46 and earlier exited with error when it tried to bind() to IPv6
> addresses on just brought up interfaces, because DAD (Duplicate
> Address Detection) takes some time to finish and bind() returns
> EADDRNOTAVAIL which caused dnsmasq to exit.
> Dnsmasq version 2.47 (released on 05-Feb-2009) fixed this issue by
> retrying bind() after getting EADDRNOTAVAIL error (as described in
> http://www.thekelleys.org.uk/dnsmasq/CHANGELOG;
> loop itself is defined in dnsmasq-2.47/src/network.c:404)

In general this would be a good change to have. I'm not certain how 
careful we need to be about preserving compatibility with any platform 
that is still using dnsmasq older than 2.47, though. Dan or Dan, would 
you like to weigh in on that?
> * Using --interface option causes longer network startup:
> $ time virsh -c qemu:///system net-start isolated1
> Network isolated1 started
>
> real	0m0.112s
> user	0m0.013s
> sys	0m0.009s
>
> $ time virsh -c qemu:///system net-start isolated1
> Network isolated1 started
>
> real	0m2.101s
> user	0m0.011s
> sys	0m0.011s

Not ideal, but not a big deal in the larger scheme of things...

> * Dnsmasq exits after DAD completes, which guarantees that radvd will no
> longer produce the following warnings:
> Dec 28 19:42:11 nemo radvd[14652]: sendmsg: Invalid argument

That's a good argument for putting in the change.

> ---
>   src/network/bridge_driver.c |   32 +++++++++++++++++++++++++-------
>   1 files changed, 25 insertions(+), 7 deletions(-)
>
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 7d43ef5..a689c9f 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -469,16 +469,13 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
>       virCommandAddArgList(cmd, "--conf-file=", "", NULL);
>
>       /*
> -     * XXX does not actually work, due to some kind of
> -     * race condition setting up ipv6 addresses on the
> -     * interface. A sleep(10) makes it work, but that's
> -     * clearly not practical
> +     * It's safe to use --interface option for dnsmasq 2.47 and later.
> +     * With earlier versions we had to use --listen-address option.
>        *
> -     * virCommandAddArg(cmd, "--interface");
> -     * virCommandAddArg(cmd, ipdef->bridge);
> +     * virCommandAddArgList(cmd, "--listen-address", bridgeaddr);


This is just a comment, but still might as well be correct - 
virCommandArgList needs to end with a NULL arg ;-)

>        */
>       virCommandAddArgList(cmd,
> -                         "--listen-address", bridgeaddr,
> +                         "--interface", network->def->bridge,
>                            "--except-interface", "lo",
>                            NULL);
>
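Review bot: The example call left in the comment, `virCommandAddArgList(cmd, "--listen-address", bridgeaddr);`, omits the terminating NULL that virCommandAddArgList() requires (compare the real call a few lines below, which ends with `NULL);`); either append `, NULL` or drop the example from the comment. The comment also records that --interface is only safe on dnsmasq 2.47 and later, but nothing in the hunk checks or documents that minimum version, so a note in the build or packaging requirements would help anyone running an older dnsmasq.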
> @@ -1157,9 +1154,30 @@ networkAddGeneralIptablesRules(struct
> network_driver *driver,
>           goto err9;
>       }
>
> +    /* allow DNS over IPv6 requests through to dnsmasq */
> +    if (iptablesAddTcpInput(driver->iptables, AF_INET6,
> +                            network->def->bridge, 53)<  0) {
> +        networkReportError(VIR_ERR_SYSTEM_ERROR,
> +                           _("failed to add ip6tables rule to allow
> DNS requests from '%s'"),
> +                           network->def->bridge);
> +        goto err10;
> +    }
> +
> +    if (iptablesAddUdpInput(driver->iptables, AF_INET6,
> +                            network->def->bridge, 53)<  0) {
> +        networkReportError(VIR_ERR_SYSTEM_ERROR,
> +                           _("failed to add ip6tables rule to allow
> DNS requests from '%s'"),
> +                           network->def->bridge);
> +        goto err11;
> +    }
> +

These rules should be added in networkAddGeneralIp6tablesRules() rather 
than in networkAddGeneralIptablesRules.

>       return 0;
>
>       /* unwind in reverse order from the point of failure */
> +err11:
> +    iptablesRemoveTcpInput(driver->iptables, AF_INET6,
> network->def->bridge, 53);
> +err10:
> +    networkRemoveGeneralIp6tablesRules(driver, network);
>   err9:
>       iptablesRemoveForwardAllowCross(driver->iptables, AF_INET,
> network->def->bridge);
>   err8:
>
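Review bot: The unwind labels are not symmetric with the additions in this hunk: err11 correctly removes the TCP rule when the UDP rule fails, but err10 calls networkRemoveGeneralIp6tablesRules(), which undoes rules that are not added anywhere in the visible diff; please confirm that networkAddGeneralIp6tablesRules() is the step immediately before the new TCP rule, otherwise a TCP failure tears down rules that were never installed. Since both error strings and the unwind already refer to ip6tables, moving the two additions into networkAddGeneralIp6tablesRules() beside their removal would keep each add/remove pair in one place.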