[libvirt] [PATCH] network: add an option to make dns public
John Ferlan
jferlan at redhat.com
Wed Jun 10 19:56:45 UTC 2015
On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
> In some use cases we don't want the virtual network's DNS to only
> listen to the vnet interface. Adding a publiclyAccessible attribute
> to the dns element in the configuration allows the DNS to listen to
> all interfaces.
>
> It simply disables the bind-dynamic option of dnsmasq for the network.
> ---
> docs/formatnetwork.html.in | 11 +++++++++++
> docs/schemas/network.rng | 15 ++++++++++-----
> src/conf/network_conf.c | 6 ++++++
> src/conf/network_conf.h | 1 +
> src/network/bridge_driver.c | 4 +++-
> tests/networkxml2confdata/nat-network-dns-hosts.conf | 1 -
> tests/networkxml2confdata/nat-network-dns-hosts.xml | 2 +-
> 7 files changed, 32 insertions(+), 8 deletions(-)
>
> diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> index 6abed8f..8e43658 100644
> --- a/docs/formatnetwork.html.in
> +++ b/docs/formatnetwork.html.in
> @@ -851,6 +851,17 @@
> DNS server.
> </p>
>
> + <p>
> + The dns element
> + can have an optional <code>publiclyAccessible</code>
> + attribute <span class="since">Since 1.2.17</span>.
> + If <code>publiclyAccessible</code> is "yes", then the DNS server
> + will handle requests for all interfaces.
> + If <code>publiclyAccessible</code> is not set or "no", the DNS
> + server will only handle requests for the interface of the virtual
> + network.
> + </p>
> +
> Currently supported sub-elements of <code><dns></code> are:
> <dl>
> <dt><code>forwarder</code></dt>
> diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
> index 4edb6eb..f989625 100644
> --- a/docs/schemas/network.rng
> +++ b/docs/schemas/network.rng
> @@ -244,12 +244,17 @@
> and other features in the <dns> element -->
> <optional>
> <element name="dns">
> - <optional>
> - <attribute name="forwardPlainNames">
> - <ref name="virYesNo"/>
> - </attribute>
> - </optional>
> <interleave>
> + <optional>
> + <attribute name="forwardPlainNames">
> + <ref name="virYesNo"/>
> + </attribute>
> + </optional>
> + <optional>
> + <attribute name="publiclyAccessible">
> + <ref name="virYesNo"/>
> + </attribute>
> + </optional>
Moving the attributes inside the <interleave> had me looking through
other .rng's... I'm no expert, but had thought they really only mattered
for <element>'s
> <zeroOrMore>
> <element name="forwarder">
> <attribute name="addr"><ref name="ipAddr"/></attribute>
> diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
> index f4a9df0..99bac6d 100644
> --- a/src/conf/network_conf.c
> +++ b/src/conf/network_conf.c
> @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
> size_t i;
> int ret = -1;
> xmlNodePtr save = ctxt->node;
> + char *publiclyAccessible = NULL;
>
> ctxt->node = node;
>
> + publiclyAccessible = virXPathString("string(./@publiclyAccessible)", ctxt);
> + if (publiclyAccessible)
> + def->publiclyAccessible = virTristateBoolTypeFromString(publiclyAccessible);
> +
> forwardPlainNames = virXPathString("string(./@forwardPlainNames)", ctxt);
> if (forwardPlainNames) {
> def->forwardPlainNames = virTristateBoolTypeFromString(forwardPlainNames);
> @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
>
> ret = 0;
> cleanup:
> + VIR_FREE(publiclyAccessible);
> VIR_FREE(forwardPlainNames);
> VIR_FREE(fwdNodes);
> VIR_FREE(hostNodes);
> diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
> index f69d999..f555b6b 100644
> --- a/src/conf/network_conf.h
> +++ b/src/conf/network_conf.h
> @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
> virNetworkDNSSrvDefPtr srvs;
> size_t nfwds;
> char **forwarders;
> + int publiclyAccessible; /* enum virTristateBool */
> };
>
> typedef struct _virNetworkIpDef virNetworkIpDef;
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index d195085..c39b1a5 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
> * other than one of the virtual guests connected directly to
> * this network). This was added in response to CVE 2012-3411.
> */
> + if (network->def->dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
> + virBufferAddLit(&configbuf,
> + "bind-dynamic\n");
> virBufferAsprintf(&configbuf,
> - "bind-dynamic\n"
> "interface=%s\n",
> network->def->bridge);
> } else {
> diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.conf b/tests/networkxml2confdata/nat-network-dns-hosts.conf
> index 021316f..759a9e9 100644
> --- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
> +++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
> @@ -10,6 +10,5 @@ expand-hosts
> domain-needed
> local=//
> except-interface=lo
> -bind-dynamic
> interface=virbr0
> addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
> diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.xml b/tests/networkxml2confdata/nat-network-dns-hosts.xml
> index 9add456..969dfa5 100644
> --- a/tests/networkxml2confdata/nat-network-dns-hosts.xml
> +++ b/tests/networkxml2confdata/nat-network-dns-hosts.xml
> @@ -4,7 +4,7 @@
> <forward dev='eth0' mode='nat'/>
> <bridge name='virbr0' stp='on' delay='0'/>
> <domain name="example.com"/>
> - <dns forwardPlainNames='no'>
> + <dns forwardPlainNames='no' publiclyAccessible='yes'>
> <host ip='192.168.122.1'>
> <hostname>host</hostname>
> <hostname>gateway</hostname>
>
Rather than change an existing test, a new test or two should be
created... One that specifically states 'yes' and possibly one that has
'no' keeping the existing one with nothing provided to be sure that
works as well.
I don't mind doing that for you, but also I figure by bumping this
perhaps Laine will take a look too since he usually responds to most of
the network related patches anyway... It seems fine to me though.
John
More information about the libvir-list
mailing list