Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-16 Thread Cedric Bosdonnat
Hi Laine,

On Thu, 2015-06-11 at 13:37 -0400, Laine Stump wrote:
 On 06/10/2015 03:56 PM, John Ferlan wrote:
 
  On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
  In some use cases we don't want the virtual network's DNS to only
  listen to the vnet interface. Adding a publiclyAccessible attribute
 
 :-) Really, that name was only intended as a placeholder! I was hoping
 you (or someone else) would be able to find something shorter/simpler.
 Lacking that, I guess this is a reasonable name though.

Given the other names around that didn't shock me, but it's surely not a
good habit to introduce such lengthy names ;)

  to the dns element in the configuration allows the DNS to listen to
  all interfaces.
 
  It simply disables the bind-dynamic option of dnsmasq for the network.
  ---
   docs/formatnetwork.html.in   | 11 +++
   docs/schemas/network.rng | 15 ++-
   src/conf/network_conf.c  |  6 ++
   src/conf/network_conf.h  |  1 +
   src/network/bridge_driver.c  |  4 +++-
   tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
   tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
   7 files changed, 32 insertions(+), 8 deletions(-)
 
  diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
  index 6abed8f..8e43658 100644
  --- a/docs/formatnetwork.html.in
  +++ b/docs/formatnetwork.html.in
  @@ -851,6 +851,17 @@
 DNS server.
   /p
   
  +p
  +  The dns element
  +  can have an optional codepubliclyAccessible/code
  +  attribute span class=sinceSince 1.2.17/span.
  +  If codepubliclyAccessible/code is yes, then the DNS server
  +  will handle requests for all interfaces.
  +  If codepubliclyAccessible/code is not set or no, the DNS
  +  server will only handle requests for the interface of the 
  virtual
  +  network.
  +/p
  +
   Currently supported sub-elements of codelt;dnsgt;/code are:
   dl
 dtcodeforwarder/code/dt
  diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
  index 4edb6eb..f989625 100644
  --- a/docs/schemas/network.rng
  +++ b/docs/schemas/network.rng
  @@ -244,12 +244,17 @@
and other features in the dns element --
   optional
 element name=dns
  -optional
  -  attribute name=forwardPlainNames
  -ref name=virYesNo/
  -  /attribute
  -/optional
   interleave
  +  optional
  +attribute name=forwardPlainNames
  +  ref name=virYesNo/
  +/attribute
  +  /optional
  +  optional
  +attribute name=publiclyAccessible
  +  ref name=virYesNo/
  +/attribute
  +  /optional
  Moving the attributes inside the interleave had me looking through
  other .rng's... I'm no expert, but had thought they really only mattered
  for element's
 
 I'm not an expert either, but you are correct :-)

I'm fixing that one.

 
 zeroOrMore
   element name=forwarder
 attribute name=addrref name=ipAddr//attribute
  diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
  index f4a9df0..99bac6d 100644
  --- a/src/conf/network_conf.c
  +++ b/src/conf/network_conf.c
  @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
   size_t i;
   int ret = -1;
   xmlNodePtr save = ctxt-node;
  +char *publiclyAccessible = NULL;
   
   ctxt-node = node;
   
  +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
  ctxt);
  +if (publiclyAccessible)
  +def-publiclyAccessible = 
  virTristateBoolTypeFromString(publiclyAccessible);
  +
   forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
  ctxt);
   if (forwardPlainNames) {
   def-forwardPlainNames = 
  virTristateBoolTypeFromString(forwardPlainNames);
  @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
   
   ret = 0;
cleanup:
  +VIR_FREE(publiclyAccessible);
   VIR_FREE(forwardPlainNames);
   VIR_FREE(fwdNodes);
   VIR_FREE(hostNodes);
  diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
  index f69d999..f555b6b 100644
  --- a/src/conf/network_conf.h
  +++ b/src/conf/network_conf.h
  @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
   virNetworkDNSSrvDefPtr srvs;
   size_t nfwds;
   char **forwarders;
  +int publiclyAccessible; /* enum virTristateBool */
   };
   
   typedef struct _virNetworkIpDef virNetworkIpDef;
  diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
  index d195085..c39b1a5 100644
  --- a/src/network/bridge_driver.c
  +++ b/src/network/bridge_driver.c
  @@ 

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-16 Thread Laine Stump
On 06/16/2015 09:08 AM, Cedric Bosdonnat wrote:
 Hi Laine,

 On Thu, 2015-06-11 at 13:37 -0400, Laine Stump wrote:
 On 06/10/2015 03:56 PM, John Ferlan wrote:
 On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
 In some use cases we don't want the virtual network's DNS to only
 listen to the vnet interface. Adding a publiclyAccessible attribute
 :-) Really, that name was only intended as a placeholder! I was hoping
 you (or someone else) would be able to find something shorter/simpler.
 Lacking that, I guess this is a reasonable name though.
 Given the other names around that didn't shock me, but it's surely not a
 good habit to introduce such lengthy names ;)

Well, forwardPlainNames was another invention of mine, and one which
I'm not proud of, but I gave fair published notice that I would accept
other suggestions, and still couldn't come up with something better. The
trick is in getting the balance between short/cryptic and
long/unambiguously descriptive right. The worst outcome is to have
something short and cryptic that could easily be misunderstood to mean
something else.

Do you think public is specific enough? Or might that possibly be
confused with some other intent?

 to the dns element in the configuration allows the DNS to listen to
 all interfaces.

 It simply disables the bind-dynamic option of dnsmasq for the network.
 ---
  docs/formatnetwork.html.in   | 11 +++
  docs/schemas/network.rng | 15 ++-
  src/conf/network_conf.c  |  6 ++
  src/conf/network_conf.h  |  1 +
  src/network/bridge_driver.c  |  4 +++-
  tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
  tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
  7 files changed, 32 insertions(+), 8 deletions(-)

 diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
 index 6abed8f..8e43658 100644
 --- a/docs/formatnetwork.html.in
 +++ b/docs/formatnetwork.html.in
 @@ -851,6 +851,17 @@
DNS server.
  /p
  
 +p
 +  The dns element
 +  can have an optional codepubliclyAccessible/code
 +  attribute span class=sinceSince 1.2.17/span.
 +  If codepubliclyAccessible/code is yes, then the DNS server
 +  will handle requests for all interfaces.
 +  If codepubliclyAccessible/code is not set or no, the DNS
 +  server will only handle requests for the interface of the 
 virtual
 +  network.
 +/p
 +
  Currently supported sub-elements of codelt;dnsgt;/code are:
  dl
dtcodeforwarder/code/dt
 diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
 index 4edb6eb..f989625 100644
 --- a/docs/schemas/network.rng
 +++ b/docs/schemas/network.rng
 @@ -244,12 +244,17 @@
   and other features in the dns element --
  optional
element name=dns
 -optional
 -  attribute name=forwardPlainNames
 -ref name=virYesNo/
 -  /attribute
 -/optional
  interleave
 +  optional
 +attribute name=forwardPlainNames
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 +  optional
 +attribute name=publiclyAccessible
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 Moving the attributes inside the interleave had me looking through
 other .rng's... I'm no expert, but had thought they really only mattered
 for element's
 I'm not an expert either, but you are correct :-)
 I'm fixing that one.

zeroOrMore
  element name=forwarder
attribute name=addrref name=ipAddr//attribute
 diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
 index f4a9df0..99bac6d 100644
 --- a/src/conf/network_conf.c
 +++ b/src/conf/network_conf.c
 @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
  size_t i;
  int ret = -1;
  xmlNodePtr save = ctxt-node;
 +char *publiclyAccessible = NULL;
  
  ctxt-node = node;
  
 +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
 ctxt);
 +if (publiclyAccessible)
 +def-publiclyAccessible = 
 virTristateBoolTypeFromString(publiclyAccessible);
 +
  forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
 ctxt);
  if (forwardPlainNames) {
  def-forwardPlainNames = 
 virTristateBoolTypeFromString(forwardPlainNames);
 @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
  
  ret = 0;
   cleanup:
 +VIR_FREE(publiclyAccessible);
  VIR_FREE(forwardPlainNames);
  VIR_FREE(fwdNodes);
  VIR_FREE(hostNodes);
 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
 index f69d999..f555b6b 100644
 --- a/src/conf/network_conf.h
 

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-16 Thread Cedric Bosdonnat
On Tue, 2015-06-16 at 11:21 -0400, Laine Stump wrote:
 On 06/16/2015 09:08 AM, Cedric Bosdonnat wrote:
  Hi Laine,
 
  On Thu, 2015-06-11 at 13:37 -0400, Laine Stump wrote:
  On 06/10/2015 03:56 PM, John Ferlan wrote:
  On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
  In some use cases we don't want the virtual network's DNS to only
  listen to the vnet interface. Adding a publiclyAccessible attribute
  :-) Really, that name was only intended as a placeholder! I was hoping
  you (or someone else) would be able to find something shorter/simpler.
  Lacking that, I guess this is a reasonable name though.
  Given the other names around that didn't shock me, but it's surely not a
  good habit to introduce such lengthy names ;)
 
 Well, forwardPlainNames was another invention of mine, and one which
 I'm not proud of, but I gave fair published notice that I would accept
 other suggestions, and still couldn't come up with something better. The
 trick is in getting the balance between short/cryptic and
 long/unambiguously descriptive right. The worst outcome is to have
 something short and cryptic that could easily be misunderstood to mean
 something else.
 
 Do you think public is specific enough? Or might that possibly be
 confused with some other intent?

public could work; I don't think there are many other cases that would
fit this meaning for the DNS.

  to the dns element in the configuration allows the DNS to listen to
  all interfaces.
 
  It simply disables the bind-dynamic option of dnsmasq for the network.
  ---
   docs/formatnetwork.html.in   | 11 +++
   docs/schemas/network.rng | 15 
  ++-
   src/conf/network_conf.c  |  6 ++
   src/conf/network_conf.h  |  1 +
   src/network/bridge_driver.c  |  4 +++-
   tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
   tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
   7 files changed, 32 insertions(+), 8 deletions(-)
 
  diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
  index 6abed8f..8e43658 100644
  --- a/docs/formatnetwork.html.in
  +++ b/docs/formatnetwork.html.in
  @@ -851,6 +851,17 @@
 DNS server.
   /p
   
  +p
  +  The dns element
  +  can have an optional codepubliclyAccessible/code
  +  attribute span class=sinceSince 1.2.17/span.
  +  If codepubliclyAccessible/code is yes, then the DNS 
  server
  +  will handle requests for all interfaces.
  +  If codepubliclyAccessible/code is not set or no, the DNS
  +  server will only handle requests for the interface of the 
  virtual
  +  network.
  +/p
  +
   Currently supported sub-elements of codelt;dnsgt;/code 
  are:
   dl
 dtcodeforwarder/code/dt
  diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
  index 4edb6eb..f989625 100644
  --- a/docs/schemas/network.rng
  +++ b/docs/schemas/network.rng
  @@ -244,12 +244,17 @@
and other features in the dns element --
   optional
 element name=dns
  -optional
  -  attribute name=forwardPlainNames
  -ref name=virYesNo/
  -  /attribute
  -/optional
   interleave
  +  optional
  +attribute name=forwardPlainNames
  +  ref name=virYesNo/
  +/attribute
  +  /optional
  +  optional
  +attribute name=publiclyAccessible
  +  ref name=virYesNo/
  +/attribute
  +  /optional
  Moving the attributes inside the interleave had me looking through
  other .rng's... I'm no expert, but had thought they really only mattered
  for element's
  I'm not an expert either, but you are correct :-)
  I'm fixing that one.
 
 zeroOrMore
   element name=forwarder
 attribute name=addrref 
  name=ipAddr//attribute
  diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
  index f4a9df0..99bac6d 100644
  --- a/src/conf/network_conf.c
  +++ b/src/conf/network_conf.c
  @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
   size_t i;
   int ret = -1;
   xmlNodePtr save = ctxt-node;
  +char *publiclyAccessible = NULL;
   
   ctxt-node = node;
   
  +publiclyAccessible = 
  virXPathString(string(./@publiclyAccessible), ctxt);
  +if (publiclyAccessible)
  +def-publiclyAccessible = 
  virTristateBoolTypeFromString(publiclyAccessible);
  +
   forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
  ctxt);
   if (forwardPlainNames) {
   def-forwardPlainNames = 
  virTristateBoolTypeFromString(forwardPlainNames);
  @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char 

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-12 Thread John Ferlan


On 06/11/2015 01:37 PM, Laine Stump wrote:
 On 06/10/2015 03:56 PM, John Ferlan wrote:

 On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
 In some use cases we don't want the virtual network's DNS to only
 listen to the vnet interface. Adding a publiclyAccessible attribute
 
 :-) Really, that name was only intended as a placeholder! I was hoping
 you (or someone else) would be able to find something shorter/simpler.
 Lacking that, I guess this is a reasonable name though.
 

haha - I was thinking that publiclyAccessible was long (and challenging
for my fingers to type), but figured forwardPlainNames was a similarly
long attribute name, so I just left it as is. Certainly far better than
some TLA or FLA (three/four letter acronym)

 to the dns element in the configuration allows the DNS to listen to
 all interfaces.

 It simply disables the bind-dynamic option of dnsmasq for the network.
 ---
  docs/formatnetwork.html.in   | 11 +++
  docs/schemas/network.rng | 15 ++-
  src/conf/network_conf.c  |  6 ++
  src/conf/network_conf.h  |  1 +
  src/network/bridge_driver.c  |  4 +++-
  tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
  tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
  7 files changed, 32 insertions(+), 8 deletions(-)

 diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
 index 6abed8f..8e43658 100644
 --- a/docs/formatnetwork.html.in
 +++ b/docs/formatnetwork.html.in
 @@ -851,6 +851,17 @@
DNS server.
  /p
  
 +p
 +  The dns element
 +  can have an optional codepubliclyAccessible/code
 +  attribute span class=sinceSince 1.2.17/span.
 +  If codepubliclyAccessible/code is yes, then the DNS server
 +  will handle requests for all interfaces.
 +  If codepubliclyAccessible/code is not set or no, the DNS
 +  server will only handle requests for the interface of the virtual
 +  network.
 +/p
 +
  Currently supported sub-elements of codelt;dnsgt;/code are:
  dl
dtcodeforwarder/code/dt
 diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
 index 4edb6eb..f989625 100644
 --- a/docs/schemas/network.rng
 +++ b/docs/schemas/network.rng
 @@ -244,12 +244,17 @@
   and other features in the dns element --
  optional
element name=dns
 -optional
 -  attribute name=forwardPlainNames
 -ref name=virYesNo/
 -  /attribute
 -/optional
  interleave
 +  optional
 +attribute name=forwardPlainNames
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 +  optional
 +attribute name=publiclyAccessible
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 Moving the attributes inside the interleave had me looking through
 other .rng's... I'm no expert, but had thought they really only mattered
 for element's
 
 I'm not an expert either, but you are correct :-)
 
 
zeroOrMore
  element name=forwarder
attribute name=addrref name=ipAddr//attribute
 diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
 index f4a9df0..99bac6d 100644
 --- a/src/conf/network_conf.c
 +++ b/src/conf/network_conf.c
 @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
  size_t i;
  int ret = -1;
  xmlNodePtr save = ctxt-node;
 +char *publiclyAccessible = NULL;
  
  ctxt-node = node;
  
 +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
 ctxt);
 +if (publiclyAccessible)
 +def-publiclyAccessible = 
 virTristateBoolTypeFromString(publiclyAccessible);
 +
  forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
 ctxt);
  if (forwardPlainNames) {
  def-forwardPlainNames = 
 virTristateBoolTypeFromString(forwardPlainNames);
 @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
  
  ret = 0;
   cleanup:
 +VIR_FREE(publiclyAccessible);
  VIR_FREE(forwardPlainNames);
  VIR_FREE(fwdNodes);
  VIR_FREE(hostNodes);
 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
 index f69d999..f555b6b 100644
 --- a/src/conf/network_conf.h
 +++ b/src/conf/network_conf.h
 @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
  virNetworkDNSSrvDefPtr srvs;
  size_t nfwds;
  char **forwarders;
 +int publiclyAccessible; /* enum virTristateBool */
  };
  
  typedef struct _virNetworkIpDef virNetworkIpDef;
 diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
 index d195085..c39b1a5 100644
 --- a/src/network/bridge_driver.c
 +++ b/src/network/bridge_driver.c
 @@ -996,8 +996,10 @@ 

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-11 Thread Laine Stump
On 06/10/2015 03:56 PM, John Ferlan wrote:

 On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
 In some use cases we don't want the virtual network's DNS to only
 listen to the vnet interface. Adding a publiclyAccessible attribute

:-) Really, that name was only intended as a placeholder! I was hoping
you (or someone else) would be able to find something shorter/simpler.
Lacking that, I guess this is a reasonable name though.

 to the dns element in the configuration allows the DNS to listen to
 all interfaces.

 It simply disables the bind-dynamic option of dnsmasq for the network.
 ---
  docs/formatnetwork.html.in   | 11 +++
  docs/schemas/network.rng | 15 ++-
  src/conf/network_conf.c  |  6 ++
  src/conf/network_conf.h  |  1 +
  src/network/bridge_driver.c  |  4 +++-
  tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
  tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
  7 files changed, 32 insertions(+), 8 deletions(-)

 diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
 index 6abed8f..8e43658 100644
 --- a/docs/formatnetwork.html.in
 +++ b/docs/formatnetwork.html.in
 @@ -851,6 +851,17 @@
DNS server.
  /p
  
 +p
 +  The dns element
 +  can have an optional codepubliclyAccessible/code
 +  attribute span class=sinceSince 1.2.17/span.
 +  If codepubliclyAccessible/code is yes, then the DNS server
 +  will handle requests for all interfaces.
 +  If codepubliclyAccessible/code is not set or no, the DNS
 +  server will only handle requests for the interface of the virtual
 +  network.
 +/p
 +
  Currently supported sub-elements of codelt;dnsgt;/code are:
  dl
dtcodeforwarder/code/dt
 diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
 index 4edb6eb..f989625 100644
 --- a/docs/schemas/network.rng
 +++ b/docs/schemas/network.rng
 @@ -244,12 +244,17 @@
   and other features in the dns element --
  optional
element name=dns
 -optional
 -  attribute name=forwardPlainNames
 -ref name=virYesNo/
 -  /attribute
 -/optional
  interleave
 +  optional
 +attribute name=forwardPlainNames
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 +  optional
 +attribute name=publiclyAccessible
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 Moving the attributes inside the interleave had me looking through
 other .rng's... I'm no expert, but had thought they really only mattered
 for element's

I'm not an expert either, but you are correct :-)


zeroOrMore
  element name=forwarder
attribute name=addrref name=ipAddr//attribute
 diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
 index f4a9df0..99bac6d 100644
 --- a/src/conf/network_conf.c
 +++ b/src/conf/network_conf.c
 @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
  size_t i;
  int ret = -1;
  xmlNodePtr save = ctxt-node;
 +char *publiclyAccessible = NULL;
  
  ctxt-node = node;
  
 +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
 ctxt);
 +if (publiclyAccessible)
 +def-publiclyAccessible = 
 virTristateBoolTypeFromString(publiclyAccessible);
 +
  forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
 ctxt);
  if (forwardPlainNames) {
  def-forwardPlainNames = 
 virTristateBoolTypeFromString(forwardPlainNames);
 @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
  
  ret = 0;
   cleanup:
 +VIR_FREE(publiclyAccessible);
  VIR_FREE(forwardPlainNames);
  VIR_FREE(fwdNodes);
  VIR_FREE(hostNodes);
 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
 index f69d999..f555b6b 100644
 --- a/src/conf/network_conf.h
 +++ b/src/conf/network_conf.h
 @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
  virNetworkDNSSrvDefPtr srvs;
  size_t nfwds;
  char **forwarders;
 +int publiclyAccessible; /* enum virTristateBool */
  };
  
  typedef struct _virNetworkIpDef virNetworkIpDef;
 diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
 index d195085..c39b1a5 100644
 --- a/src/network/bridge_driver.c
 +++ b/src/network/bridge_driver.c
 @@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
   * other than one of the virtual guests connected directly to
   * this network). This was added in response to CVE 2012-3411.
   */
 +if (network-def-dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
 +

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-11 Thread Cedric Bosdonnat
On Wed, 2015-06-10 at 15:56 -0400, John Ferlan wrote:
 
 On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
  In some use cases we don't want the virtual network's DNS to only
  listen to the vnet interface. Adding a publiclyAccessible attribute
  to the dns element in the configuration allows the DNS to listen to
  all interfaces.
  
  It simply disables the bind-dynamic option of dnsmasq for the network.
  ---
   docs/formatnetwork.html.in   | 11 +++
   docs/schemas/network.rng | 15 ++-
   src/conf/network_conf.c  |  6 ++
   src/conf/network_conf.h  |  1 +
   src/network/bridge_driver.c  |  4 +++-
   tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
   tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
   7 files changed, 32 insertions(+), 8 deletions(-)
  
  diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
  index 6abed8f..8e43658 100644
  --- a/docs/formatnetwork.html.in
  +++ b/docs/formatnetwork.html.in
  @@ -851,6 +851,17 @@
 DNS server.
   /p
   
  +p
  +  The dns element
  +  can have an optional codepubliclyAccessible/code
  +  attribute span class=sinceSince 1.2.17/span.
  +  If codepubliclyAccessible/code is yes, then the DNS server
  +  will handle requests for all interfaces.
  +  If codepubliclyAccessible/code is not set or no, the DNS
  +  server will only handle requests for the interface of the virtual
  +  network.
  +/p
  +
   Currently supported sub-elements of codelt;dnsgt;/code are:
   dl
 dtcodeforwarder/code/dt
  diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
  index 4edb6eb..f989625 100644
  --- a/docs/schemas/network.rng
  +++ b/docs/schemas/network.rng
  @@ -244,12 +244,17 @@
and other features in the dns element --
   optional
 element name=dns
  -optional
  -  attribute name=forwardPlainNames
  -ref name=virYesNo/
  -  /attribute
  -/optional
   interleave
  +  optional
  +attribute name=forwardPlainNames
  +  ref name=virYesNo/
  +/attribute
  +  /optional
  +  optional
  +attribute name=publiclyAccessible
  +  ref name=virYesNo/
  +/attribute
  +  /optional
 
 Moving the attributes inside the interleave had me looking through
 other .rng's... I'm no expert, but had thought they really only mattered
 for element's

Hum, I'll try without moving it. I'm obviously no RNG expert either ;)

 zeroOrMore
   element name=forwarder
 attribute name=addrref name=ipAddr//attribute
  diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
  index f4a9df0..99bac6d 100644
  --- a/src/conf/network_conf.c
  +++ b/src/conf/network_conf.c
  @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
   size_t i;
   int ret = -1;
   xmlNodePtr save = ctxt-node;
  +char *publiclyAccessible = NULL;
   
   ctxt-node = node;
   
  +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
  ctxt);
  +if (publiclyAccessible)
  +def-publiclyAccessible = 
  virTristateBoolTypeFromString(publiclyAccessible);
  +
   forwardPlainNames = virXPathString(string(./@forwardPlainNames), 
  ctxt);
   if (forwardPlainNames) {
   def-forwardPlainNames = 
  virTristateBoolTypeFromString(forwardPlainNames);
  @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
   
   ret = 0;
cleanup:
  +VIR_FREE(publiclyAccessible);
   VIR_FREE(forwardPlainNames);
   VIR_FREE(fwdNodes);
   VIR_FREE(hostNodes);
  diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
  index f69d999..f555b6b 100644
  --- a/src/conf/network_conf.h
  +++ b/src/conf/network_conf.h
  @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
   virNetworkDNSSrvDefPtr srvs;
   size_t nfwds;
   char **forwarders;
  +int publiclyAccessible; /* enum virTristateBool */
   };
   
   typedef struct _virNetworkIpDef virNetworkIpDef;
  diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
  index d195085..c39b1a5 100644
  --- a/src/network/bridge_driver.c
  +++ b/src/network/bridge_driver.c
  @@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
* other than one of the virtual guests connected directly to
* this network). This was added in response to CVE 2012-3411.
*/
  +if (network-def-dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
  +virBufferAddLit(configbuf,
  +  

Re: [libvirt] [PATCH] network: add an option to make dns public

2015-06-10 Thread John Ferlan


On 06/01/2015 07:54 AM, Cédric Bosdonnat wrote:
 In some use cases we don't want the virtual network's DNS to only
 listen to the vnet interface. Adding a publiclyAccessible attribute
 to the dns element in the configuration allows the DNS to listen to
 all interfaces.
 
 It simply disables the bind-dynamic option of dnsmasq for the network.
 ---
  docs/formatnetwork.html.in   | 11 +++
  docs/schemas/network.rng | 15 ++-
  src/conf/network_conf.c  |  6 ++
  src/conf/network_conf.h  |  1 +
  src/network/bridge_driver.c  |  4 +++-
  tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
  tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
  7 files changed, 32 insertions(+), 8 deletions(-)
 
 diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
 index 6abed8f..8e43658 100644
 --- a/docs/formatnetwork.html.in
 +++ b/docs/formatnetwork.html.in
 @@ -851,6 +851,17 @@
DNS server.
  /p
  
 +p
 +  The dns element
 +  can have an optional codepubliclyAccessible/code
 +  attribute span class=sinceSince 1.2.17/span.
 +  If codepubliclyAccessible/code is yes, then the DNS server
 +  will handle requests for all interfaces.
 +  If codepubliclyAccessible/code is not set or no, the DNS
 +  server will only handle requests for the interface of the virtual
 +  network.
 +/p
 +
  Currently supported sub-elements of codelt;dnsgt;/code are:
  dl
dtcodeforwarder/code/dt
 diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
 index 4edb6eb..f989625 100644
 --- a/docs/schemas/network.rng
 +++ b/docs/schemas/network.rng
 @@ -244,12 +244,17 @@
   and other features in the dns element --
  optional
element name=dns
 -optional
 -  attribute name=forwardPlainNames
 -ref name=virYesNo/
 -  /attribute
 -/optional
  interleave
 +  optional
 +attribute name=forwardPlainNames
 +  ref name=virYesNo/
 +/attribute
 +  /optional
 +  optional
 +attribute name=publiclyAccessible
 +  ref name=virYesNo/
 +/attribute
 +  /optional

Moving the attributes inside the interleave had me looking through
other .rng's... I'm no expert, but had thought they really only mattered
for element's

zeroOrMore
  element name=forwarder
attribute name=addrref name=ipAddr//attribute
 diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
 index f4a9df0..99bac6d 100644
 --- a/src/conf/network_conf.c
 +++ b/src/conf/network_conf.c
 @@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
  size_t i;
  int ret = -1;
  xmlNodePtr save = ctxt-node;
 +char *publiclyAccessible = NULL;
  
  ctxt-node = node;
  
 +publiclyAccessible = virXPathString(string(./@publiclyAccessible), 
 ctxt);
 +if (publiclyAccessible)
 +def-publiclyAccessible = 
 virTristateBoolTypeFromString(publiclyAccessible);
 +
  forwardPlainNames = virXPathString(string(./@forwardPlainNames), ctxt);
  if (forwardPlainNames) {
  def-forwardPlainNames = 
 virTristateBoolTypeFromString(forwardPlainNames);
 @@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
  
  ret = 0;
   cleanup:
 +VIR_FREE(publiclyAccessible);
  VIR_FREE(forwardPlainNames);
  VIR_FREE(fwdNodes);
  VIR_FREE(hostNodes);
 diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
 index f69d999..f555b6b 100644
 --- a/src/conf/network_conf.h
 +++ b/src/conf/network_conf.h
 @@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
  virNetworkDNSSrvDefPtr srvs;
  size_t nfwds;
  char **forwarders;
 +int publiclyAccessible; /* enum virTristateBool */
  };
  
  typedef struct _virNetworkIpDef virNetworkIpDef;
 diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
 index d195085..c39b1a5 100644
 --- a/src/network/bridge_driver.c
 +++ b/src/network/bridge_driver.c
 @@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
   * other than one of the virtual guests connected directly to
   * this network). This was added in response to CVE 2012-3411.
   */
 +if (network-def-dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
 +virBufferAddLit(configbuf,
 +  bind-dynamic\n);
  virBufferAsprintf(configbuf,
 -  bind-dynamic\n
interface=%s\n,
network-def-bridge);
  } else {
 diff --git 

[libvirt] [PATCH] network: add an option to make dns public

2015-06-01 Thread Cédric Bosdonnat
In some use cases we don't want the virtual network's DNS to listen only
on the virtual network's bridge interface. Adding a publiclyAccessible
attribute to the dns element in the configuration allows the DNS to listen
on all interfaces of the host.

It simply disables the bind-dynamic option of dnsmasq for the network.
---
 docs/formatnetwork.html.in   | 11 +++
 docs/schemas/network.rng | 15 ++-
 src/conf/network_conf.c  |  6 ++
 src/conf/network_conf.h  |  1 +
 src/network/bridge_driver.c  |  4 +++-
 tests/networkxml2confdata/nat-network-dns-hosts.conf |  1 -
 tests/networkxml2confdata/nat-network-dns-hosts.xml  |  2 +-
 7 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 6abed8f..8e43658 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -851,6 +851,17 @@
   DNS server.
 /p
 
+p
+  The dns element
+  can have an optional codepubliclyAccessible/code
+  attribute span class=sinceSince 1.2.17/span.
+  If codepubliclyAccessible/code is yes, then the DNS server
+  will handle requests for all interfaces.
+  If codepubliclyAccessible/code is not set or no, the DNS
+  server will only handle requests for the interface of the virtual
+  network.
+/p
+
 Currently supported sub-elements of codelt;dnsgt;/code are:
 dl
   dtcodeforwarder/code/dt
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
index 4edb6eb..f989625 100644
--- a/docs/schemas/network.rng
+++ b/docs/schemas/network.rng
@@ -244,12 +244,17 @@
  and other features in the dns element --
 optional
   element name=dns
-optional
-  attribute name=forwardPlainNames
-ref name=virYesNo/
-  /attribute
-/optional
 interleave
+  optional
+attribute name=forwardPlainNames
+  ref name=virYesNo/
+/attribute
+  /optional
+  optional
+attribute name=publiclyAccessible
+  ref name=virYesNo/
+/attribute
+  /optional
   zeroOrMore
 element name=forwarder
   attribute name=addrref name=ipAddr//attribute
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index f4a9df0..99bac6d 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1309,9 +1309,14 @@ virNetworkDNSDefParseXML(const char *networkName,
 size_t i;
 int ret = -1;
 xmlNodePtr save = ctxt-node;
+char *publiclyAccessible = NULL;
 
 ctxt-node = node;
 
+publiclyAccessible = virXPathString(string(./@publiclyAccessible), ctxt);
+if (publiclyAccessible)
+def-publiclyAccessible = 
virTristateBoolTypeFromString(publiclyAccessible);
+
 forwardPlainNames = virXPathString(string(./@forwardPlainNames), ctxt);
 if (forwardPlainNames) {
 def-forwardPlainNames = 
virTristateBoolTypeFromString(forwardPlainNames);
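Review bot: The result of `virTristateBoolTypeFromString(publiclyAccessible)` is stored straight into `def->publiclyAccessible` without being checked, so a value other than yes/no (which only matters when the XML is not schema-validated) leaves -1 in the field and is silently treated as "not public" instead of being reported. The neighbouring forwardPlainNames code wraps its conversion in a block, presumably to reject a failed conversion (its continuation lies outside the hunk); the new attribute should do the same, e.g. `if (def->publiclyAccessible <= 0) { virReportError(VIR_ERR_XML_ERROR, _("Invalid dns publiclyAccessible setting '%s' in network '%s'"), publiclyAccessible, networkName); goto cleanup; }`. The diffstat shows network_conf.c gaining only the six parser lines visible here, so unless the formatter is updated elsewhere the attribute is never written back out and would be lost when the definition is re-serialized (dumpxml, saved persistent config), silently reverting the network to the non-public behaviour. virNetworkDNSDefParseXML starts before and continues after this hunk.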
@@ -1410,6 +1415,7 @@ virNetworkDNSDefParseXML(const char *networkName,
 
 ret = 0;
  cleanup:
+VIR_FREE(publiclyAccessible);
 VIR_FREE(forwardPlainNames);
 VIR_FREE(fwdNodes);
 VIR_FREE(hostNodes);
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index f69d999..f555b6b 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -136,6 +136,7 @@ struct _virNetworkDNSDef {
 virNetworkDNSSrvDefPtr srvs;
 size_t nfwds;
 char **forwarders;
+int publiclyAccessible; /* enum virTristateBool */
 };
 
 typedef struct _virNetworkIpDef virNetworkIpDef;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d195085..c39b1a5 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -996,8 +996,10 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
  * other than one of the virtual guests connected directly to
  * this network). This was added in response to CVE 2012-3411.
  */
+if (network-def-dns.publiclyAccessible != VIR_TRISTATE_BOOL_YES)
+virBufferAddLit(configbuf,
+  bind-dynamic\n);
 virBufferAsprintf(configbuf,
-  bind-dynamic\n
   interface=%s\n,
   network-def-bridge);
 } else {
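Review bot: The new `if` drops only `bind-dynamic` while the `interface=%s` line below it is still emitted, so whether dnsmasq really answers on other interfaces depends on how it treats `interface=` on a wildcard socket; since the fix for the CVE-2012-3411 referenced in the comment just above, dnsmasq is meant to discard queries arriving on unlisted interfaces even when bound to the wildcard, so this may not give the advertised behaviour and should be verified against a current dnsmasq (and `interface=` dropped as well if it is what gates the replies). Two consequences of giving up bind-dynamic deserve a comment at the new condition: this dnsmasq now binds port 53 on the wildcard address, so it will fail to start when any other resolver on the host already owns port 53 and at most one such network can be running at a time; and the guest host records it serves become queryable from every interface of the host, which is exactly the exposure the comment above says bind-dynamic was introduced to prevent. Suggested comment: `/* publiclyAccessible=yes deliberately gives up the CVE-2012-3411 hardening: dnsmasq binds the wildcard address, answers on every host interface and conflicts with any other listener on port 53. */`. The documentation hunk should carry the same warning so users opt into the exposure knowingly. networkDnsmasqConfContents starts and ends outside this hunk.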
diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.conf 
b/tests/networkxml2confdata/nat-network-dns-hosts.conf
index 021316f..759a9e9 100644
--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
+++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
@@ -10,6 +10,5 @@ expand-hosts
 domain-needed
 local=//
 except-interface=lo
-bind-dynamic