[libvirt] [PATCH v2] network: Let domains be restricted to local DNS

Tue Jan 20 06:18:56 UTC 2015

I had forgotten about this patch during the holidays until John Ferlan
reminded me a few days ago.

On 12/03/2014 07:01 PM, Josh Stone wrote:
> This adds a new "localOnly" attribute on the domain element of the
> network xml.  With this set to "yes", DNS requests under that domain
> will only be resolved by libvirt's dnsmasq, never forwarded upstream.
>
> This was how it worked before commit f69a6b987d616, and I found that
> functionality useful.  For example, I have my host's NetworkManager
> dnsmasq configured to forward that domain to libvirt's dnsmasq, so I can
> easily resolve guest names from outside.  But if libvirt's dnsmasq
> doesn't know a name and forwards it to the host, I'd get an endless
> forwarding loop.  Now I can set localOnly="yes" to prevent the loop.
>
> Signed-off-by: Josh Stone <jistone at redhat.com>
> Cc: Laine Stump <laine at laine.org>
> ---
>  docs/formatnetwork.html.in                         | 12 +++++++-
>  docs/schemas/network.rng                           |  3 ++
>  src/conf/network_conf.c                            | 32 ++++++++++++++++++++--
>  src/conf/network_conf.h                            |  1 +
>  src/network/bridge_driver.c                        |  5 ++++
>  .../nat-network-dns-local-domain.conf              | 14 ++++++++++
>  .../nat-network-dns-local-domain.xml               |  9 ++++++
>  tests/networkxml2conftest.c                        |  1 +
>  8 files changed, 74 insertions(+), 3 deletions(-)
>  create mode 100644 tests/networkxml2confdata/nat-network-dns-local-domain.conf
>  create mode 100644 tests/networkxml2confdata/nat-network-dns-local-domain.xml
>
> diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> index dc438aee8622..defcdba00930 100644
> --- a/docs/formatnetwork.html.in
> +++ b/docs/formatnetwork.html.in
> @@ -82,7 +82,7 @@
>      <pre>
>          ...
>          <bridge name="virbr0" stp="on" delay="5"/>
> -        <domain name="example.com"/>
> +        <domain name="example.com" localOnly="no"/>
>          <forward mode="nat" dev="eth0"/>
>          ...</pre>
>  
> @@ -113,6 +113,16 @@
>          a <code><forward></code> mode of "nat" or "route" (or an
>          isolated network with no <code><forward></code>
>          element). <span class="since">Since 0.4.5</span>
> +
> +        <p>
> +          If the optional <code>localOnly</code> attribute on the
> +          <code>domain</code> element is "yes", then DNS requests under
> +          this domain will only be resolved by the virtual network's own
> +          DNS server - they will not be forwarded to the host's upstream
> +          DNS server.  If <code>localOnly</code> is "no", and by
> +          default, unresolved requests <b>will</b> be forwarded.
> +          <span class="since">Since 1.2.11</span>
> +        </p>
>        </dd>
>        <dt><code>forward</code></dt>
>        <dd>Inclusion of the <code>forward</code> element indicates that
> diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
> index 4546f8037580..a1da28092375 100644
> --- a/docs/schemas/network.rng
> +++ b/docs/schemas/network.rng
> @@ -225,6 +225,9 @@
>          <optional>
>            <element name="domain">
>              <attribute name="name"><ref name="dnsName"/></attribute>
> +            <optional>
> +              <attribute name="localOnly"><ref name="virYesNo"/></attribute>
> +            </optional>
>            </element>
>          </optional>
>  
> diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
> index 97719ed536de..31b765ff2c51 100644
> --- a/src/conf/network_conf.c
> +++ b/src/conf/network_conf.c
> @@ -2083,6 +2083,18 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
>  
>      /* Parse network domain information */
>      def->domain = virXPathString("string(./domain[1]/@name)", ctxt);
> +    tmp = virXPathString("string(./domain[1]/@localOnly)", ctxt);
> +    if (tmp) {
> +        def->domain_local = virTristateBoolTypeFromString(tmp);
> +        if (def->domain_local <= 0) {
> +            virReportError(VIR_ERR_XML_ERROR,
> +                           _("Invalid domain localOnly setting '%s' "
> +                             "in network '%s'"),
> +                           tmp, def->name);
> +            goto error;
> +        }
> +        VIR_FREE(tmp);
> +    }
>  
>      if ((bandwidthNode = virXPathNode("./bandwidth", ctxt)) != NULL &&
>          (def->bandwidth = virNetDevBandwidthParse(bandwidthNode, -1)) == NULL)
> @@ -2805,8 +2817,24 @@ virNetworkDefFormatBuf(virBufferPtr buf,
>          virBufferAsprintf(buf, "<mac address='%s'/>\n", macaddr);
>      }
>  
> -    if (def->domain)
> -        virBufferAsprintf(buf, "<domain name='%s'/>\n", def->domain);
> +    if (def->domain) {
> +        virBufferAsprintf(buf, "<domain name='%s'", def->domain);
> +
> +        /* default to "no", but don't format it in the XML */
> +        if (def->domain_local) {
> +            const char *local = virTristateBoolTypeToString(def->domain_local);
> +
> +            if (!local) {
> +                virReportError(VIR_ERR_INTERNAL_ERROR,
> +                               _("Unknown localOnly type %d in network"),
> +                               def->domain_local);
> +                return -1;
> +            }
> +            virBufferAsprintf(buf, " localOnly='%s'", local);
> +        }
> +
> +        virBufferAddLit(buf, "/>\n");
> +    }
>  
>      if (virNetworkDNSDefFormat(buf, &def->dns) < 0)
>          goto error;
> diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
> index 660cd2d10cd1..bb9724fddbb8 100644
> --- a/src/conf/network_conf.h
> +++ b/src/conf/network_conf.h
> @@ -232,6 +232,7 @@ struct _virNetworkDef {
>  
>      char *bridge;       /* Name of bridge device */
>      char *domain;
> +    int domain_local; /* enum virTristateBool: yes disables dns forwarding */

ACK with one small modification - I renamed domain_local to
domainLocalOnly and pushed the result.

Thanks for the contribution!