I'm currently running dnsmasq (with my patch applied) using the following
script and everything seems to work fine actually - no errors reported.
(I have only added CAP_NET_BIND_SERVICE in order to be able to bind to port 67.)
#!/bin/bash
set -euo pipefail
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
PID_FILE=$SCRIPT_DIR/dnsmasq.pid
dnsmasq \
--pid-file=$PID_FILE \
--dhcp-leasefile=$SCRIPT_DIR/dnsmasq.leases \
--strict-order \
--bind-interfaces \
--dhcp-authoritative \
--no-ping \
--dhcp-broadcast \
--port=0 \
--conf-file= \
--no-hosts \
--interface=br-mgmt \
--listen-address=10.0.0.254 \
--dhcp-range=net:mgmt,10.0.0.1,10.0.0.250,255.255.255.0,10.0.0.255 \
--dhcp-option=mgmt,option:router \
--dhcp-host=52:54:00:00:00:01,id:*,net:mgmt,10.0.0.1 \
--dhcp-host=52:54:00:00:00:02,id:*,net:mgmt,10.0.0.2 \
--dhcp-host=52:54:00:00:00:03,id:*,net:mgmt,10.0.0.3 \
\
--interface=br-dth \
--listen-address=10.0.1.254 \
--dhcp-range=net:dth,10.0.1.1,10.0.1.250,255.255.255.0,10.0.1.255 \
--dhcp-option=dth,option:router \
--dhcp-option=dth,option:classless-static-route,10.235.0.0/16,10.0.1.254 \
--dhcp-host=52:54:00:00:01:01,id:*,net:dth,10.0.1.1 \
--dhcp-host=52:54:00:00:01:02,id:*,net:dth,10.0.1.2 \
--dhcp-host=52:54:00:00:01:03,id:*,net:dth,10.0.1.3 \
\
--interface=br-inet \
--listen-address=10.0.2.254 \
--dhcp-range=net:inet,10.0.2.1,10.0.2.250,255.255.255.0,10.0.2.255 \
--dhcp-option=inet,option:router,10.0.2.254 \
--dhcp-host=52:54:00:00:02:01,id:*,net:inet,10.0.2.1 \
--dhcp-host=52:54:00:00:02:02,id:*,net:inet,10.0.2.2 \
--dhcp-host=52:54:00:00:02:03,id:*,net:inet,10.0.2.3 \
\
--no-daemon
This is the output:
dnsmasq: started, version 2.90deb2-1-g1ed783b DNS disabled
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 10.0.2.1 -- 10.0.2.250, lease time 1h
dnsmasq-dhcp: DHCP, IP range 10.0.1.1 -- 10.0.1.250, lease time 1h
dnsmasq-dhcp: DHCP, IP range 10.0.0.1 -- 10.0.0.250, lease time 1h
dnsmasq-dhcp: DHCPDISCOVER(br-mgmt) 52:54:00:00:00:01
dnsmasq-dhcp: DHCPOFFER(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPDISCOVER(br-dth) 52:54:00:00:01:01
dnsmasq-dhcp: DHCPOFFER(br-dth) 10.0.1.1 52:54:00:00:01:01
dnsmasq-dhcp: DHCPDISCOVER(br-inet) 52:54:00:00:02:01
dnsmasq-dhcp: DHCPOFFER(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPREQUEST(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPACK(br-mgmt) 10.0.0.1 52:54:00:00:00:01
dnsmasq-dhcp: DHCPREQUEST(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPACK(br-inet) 10.0.2.1 52:54:00:00:02:01
dnsmasq-dhcp: DHCPREQUEST(br-dth) 10.0.1.1 52:54:00:00:01:01
dnsmasq-dhcp: DHCPACK(br-dth) 10.0.1.1 52:54:00:00:01:01
Inside the VM:
root@localhost:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 metric 1024 brd 10.0.0.255 scope global dynamic enp0s1
       valid_lft 3525sec preferred_lft 3525sec
3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.1/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s2
       valid_lft 3525sec preferred_lft 3525sec
4: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.1/24 metric 1024 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 3525sec preferred_lft 3525sec
Best regards,
Martin
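As an added illustration (not part of the thread and not dnsmasq's own code): a small bash helper that decodes the CapEff mask a Linux process reports in /proc/<pid>/status and checks it against the capabilities this thread says dnsmasq's DHCP server needs, namely CAP_NET_BIND_SERVICE for binding port 67 as an unprivileged user, CAP_NET_ADMIN for the ARP table as Simon states in his reply, and CAP_NET_RAW only when ICMP ping checks are not disabled, which is the condition the patch keys on. The function names and the sample masks are constructed for this example; the capability bit numbers are those from linux/capability.h.

```bash
#!/bin/bash
# Added example: decode a CapEff mask (as printed in /proc/<pid>/status) and
# report which of the capabilities relevant to dnsmasq's DHCP server it holds.
# Bit numbers are from linux/capability.h.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT -> exit 0 if bit BIT is set in the 64-bit hex mask
has_cap() {
    local mask=$1 bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_of PID -> print the CapEff mask of a live process (default: self).
# CapEff is what the kernel actually checks; CapPrm/CapBnd are not enough.
cap_eff_of() {
    awk '/^CapEff:/ {print $2}' "/proc/${1:-self}/status"
}

# report_caps HEXMASK -> one line per capability of interest: "CAP_NAME yes|no"
report_caps() {
    local mask=$1 entry name bit
    for entry in NET_BIND_SERVICE:$CAP_NET_BIND_SERVICE \
                 NET_ADMIN:$CAP_NET_ADMIN \
                 NET_RAW:$CAP_NET_RAW; do
        name=${entry%:*}
        bit=${entry#*:}
        if has_cap "$mask" "$bit"; then
            echo "CAP_$name yes"
        else
            echo "CAP_$name no"
        fi
    done
}

# dhcp_caps_ok HEXMASK NOPING -> exit 0 if the mask carries what the thread
# says the DHCP server needs: bind service + net admin always, net raw only
# when ping checks are enabled (NOPING=0).
dhcp_caps_ok() {
    local mask=$1 noping=$2
    has_cap "$mask" "$CAP_NET_BIND_SERVICE" || return 1
    has_cap "$mask" "$CAP_NET_ADMIN" || return 1
    if [ "$noping" = 0 ]; then
        has_cap "$mask" "$CAP_NET_RAW" || return 1
    fi
    return 0
}

# Constructed sample masks (hypothetical, not captured from a real system):
MASK_BIND_ONLY=0000000000000400       # bit 10 only: CAP_NET_BIND_SERVICE
MASK_BIND_ADMIN=0000000000001400      # bits 10,12: + CAP_NET_ADMIN
MASK_BIND_ADMIN_RAW=0000000000003400  # bits 10,12,13: + CAP_NET_RAW

# Run with --self to inspect the calling process's own effective set.
if [ "${1:-}" = --self ]; then
    report_caps "$(cap_eff_of self)"
fi
```

Pass a running dnsmasq's pid to `cap_eff_of` and feed the result to `report_caps`; a `no` next to CAP_NET_ADMIN is the state in which dnsmasq refuses to start the DHCP server, and `dhcp_caps_ok MASK 1` mirrors the --no-ping case from the script above.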
On Tue, Feb 20, 2024 at 1:46 AM Simon Kelley <si...@thekelleys.org.uk> wrote:
If you're doing DHCP, even if you're not sending ICMP ping packets, you
still need CAP_NET_ADMIN, because the DHCP server has to be able to
manipulate the ARP table.
I guess you're starting dnsmasq without CAP_NET_ADMIN, dnsmasq is
determining that it needs CAP_NET_ADMIN to run the DHCP server, and
erroring out because it doesn't have it.
Simon.
On 19/02/2024 15:32, Martin Ivičič wrote:
> Hello,
>
> I might have stumbled upon a minor bug in dnsmasq which causes the NET_ADMIN
> capability to be required even if it's actually not needed (according to
> the provided command line arguments).
>
> diff --git a/src/dnsmasq.c b/src/dnsmasq.c
> index 30fb419..cef42f6 100644
> --- a/src/dnsmasq.c
> +++ b/src/dnsmasq.c
> @@ -313,9 +313,10 @@ int main (int argc, char **argv)
> {
> dhcp_init();
> # ifdef HAVE_LINUX_NETWORK
> - if (!option_bool(OPT_NO_PING))
> - need_cap_net_raw = 1;
> - need_cap_net_admin = 1;
> + if (!option_bool(OPT_NO_PING)) {
> + need_cap_net_raw = 1;
> + need_cap_net_admin = 1;
> + }
> # endif
> }
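Review bot: moving `need_cap_net_admin = 1;` under the `!option_bool(OPT_NO_PING)` check drops a capability the DHCP server still needs: as the reply above states, dnsmasq manipulates the ARP table when serving DHCP regardless of whether ICMP ping checks are enabled, so with --no-ping and no CAP_NET_ADMIN the server would start and then fail at runtime instead of erroring out cleanly at startup. Only `need_cap_net_raw` belongs inside the ping condition; keep `need_cap_net_admin = 1;` unconditional as it was. Minor style point: the added `{` sits on the `if` line, whereas the surrounding code (the brace before `dhcp_init();`) puts opening braces on their own line.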
>
> Without this patch, with following arguments, dnsmasq ends with
> "dnsmasq: process is missing required capability NET_ADMIN"
>
> src/dnsmasq \
> --strict-order \
> --bind-interfaces \
> --interface=br-mgmt \
> --listen-address=10.0.0.254 \
> --dhcp-range=10.0.0.1,10.0.0.250 \
> --dhcp-authoritative \
> --no-ping \
> --dhcp-broadcast \
> --port=0 \
> --conf-file= \
> --pid-file=/tmp/dnsmasq.pid \
> --dhcp-leasefile=/tmp/dnsmasq.leases \
> --dhcp-no-override \
> --no-daemon
>
> After applying the patch dnsmasq starts and runs fine.
>
> Best regards,
> Martin
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss