[libvirt] [PATCH] network driver: don't send default route to clients on isolated networks

Mon Mar 14 10:30:12 UTC 2011

On Sun, Mar 13, 2011 at 11:08:20AM -0400, Laine Stump wrote:
> Normally dnsmasq will send a default route (the address of the host in
> the network definition) to any client requesting an address via
> DHCP. On an isolated network this makes no sense, as we have iptables
> to prevent any traffic going out via that interface, so anything sent
> that way would be dropped anyway.
> 
> This extra/unusable default route becomes problematic if you have
> setup a guest with multiple network interfaces, with one connected to
> an isolated network and another that provides connectivity to the
> outside (example - one interface directly connecting to a physical
> interface via macvtap, with a second connected to an isolated network
> so that the host and guest can communicate (macvtap doesn't support
> guest<->host communication without an external switch that supports
> vepa, or reflecting all traffic back)). In this case, if the guest
> chooses the default route of the isolated network, the guest will not
> be able to get network traffic beyond the host.
> 
> To prevent dnsmasq from sending a default route, you can tell it to
> send 0 bytes of data for the default route option (option number 3)
> with --dhcp-option=3 (normally the data to send for the option would
> follow the option number; no extra data means "don't send this option").
> 
> I have checked on RHEL5 (a good representative of the oldest supported
> libvirt platforms) and its version of dnsmasq (2.45) does support
> --dhcp-option, so this shouldn't create any compatibility problems.
> ---
>  src/network/bridge_driver.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index ca2ae8d..6a02df1 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -490,6 +490,13 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
>                           "--except-interface", "lo",
>                           NULL);
>  
> +    /* If this is an isolated network, set the default route option
> +     * (3) to be empty to avoid setting a default route that's
> +     * guaranteed to not work.
> +     */
> +    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
> +        virCommandAddArg(cmd, "--dhcp-option=3");
> +
>      /*
>       * --interface does not actually work with dnsmasq < 2.47,
>       * due to DAD for ipv6 addresses on the interface.
> -- 

ACK


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|