[Dnsmasq-discuss] New smart --bind-dynamic is greedy (binds also to interface aliases)

Andrew Bartlett abartlet at samba.org
Mon May 13 20:35:31 BST 2013


On Mon, 2013-05-13 at 09:28 +0100, Simon Kelley wrote:

> My guess about what's happening, (and I've not looked thoroughly, at 
> least yet) is this.
> 
> Linux long ago moved past the idea of interface aliases and into 
> complete support for multiple addresses of the same address family per 
> interface.
> 
> There's backwards compatible support for aliases, so that
> 
> ifconfig virbr0:0 192.168.122.2
> 
> has been redefined to mean something like "add another IP address to 
> eth0, and give it the backwards-compatible name eth0:0"
> 
> If you use the more modern "ip" command to look at things, this becomes 
> obvious: after
> 
> ifconfig eth0:0 192.168.99.1
> 
> if I do
> 
> ip addr show
> 
> I get
> 
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP 
> qlen 1000
>      link/ether 00:11:25:a1:91:c5 brd ff:ff:ff:ff:ff:ff
>      inet 192.168.0.193/24 brd 192.168.0.255 scope global eth0
>      inet 192.168.99.1/24 brd 192.168.99.255 scope global eth0:0
> ........
> 
> So, there's just another address in eth0, but it has the weird eth0:0 on 
> the end.
> 
> Dnsmasq is using netlink to enumerate all the addresses associated with 
> interfaces, passes the interface index to ioctl(..., SIOCGIFNAME, ...) 
> to find the name of the interface associated with each address. I think 
> that both addresses probably have the same index and therefore that 
> always returns eth0 and not eth0:0 in my example. That would explain 
> what you're seeing exactly.
> 
> There are various ways we could proceed:
> 
> 1) I could tell you to stop using old-fashioned aliases, and specify 
> which addresses you want dnsmasq to listen in directly using 
> --listen-address

Then how would I ask libvirt to securely listen to packets from one
'physical' adaptor only, for security, but not grab each and every
address on that adaptor?

> 2) I could find out the API to get the "alias name" associated with an 
> address and change the behaviour of dnsmasq.

That would be consistent with the behaviour of other programs (such as
Samba) which have supported interface name binding over the very long
term (predating this more modern approach) and across multiple
platforms. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
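
The index-versus-label distinction discussed in this thread, as an added example that is not part of the original messages or of dnsmasq's code: in a Linux netlink address message the interface index sits in the `ifaddrmsg` header, while the alias name travels in a separate `IFA_LABEL` attribute. The payloads below are constructed to mirror the quoted `ip addr show` output, and the function names and the `INDEX_NAMES` table are hypothetical.

```python
import socket
import struct

IFA_LOCAL, IFA_LABEL = 2, 3           # attribute types from <linux/if_addr.h>
IFADDRMSG = struct.Struct("=BBBBI")   # family, prefixlen, flags, scope, index
RTATTR = struct.Struct("=HH")         # rta_len, rta_type

def _attr(rta_type, data):
    """Encode one rtattr, padded to the 4-byte netlink alignment."""
    raw = RTATTR.pack(RTATTR.size + len(data), rta_type) + data
    return raw + b"\0" * (-len(raw) % 4)

def build_addr(index, ip, prefixlen, label):
    """Constructed RTM_NEWADDR payload (sample data, not a capture)."""
    return (IFADDRMSG.pack(socket.AF_INET, prefixlen, 0, 0, index)
            + _attr(IFA_LOCAL, socket.inet_aton(ip))
            + _attr(IFA_LABEL, label.encode() + b"\0"))

def parse_addr(payload):
    """Return (index, ip, label) from one address payload."""
    _, _, _, _, index = IFADDRMSG.unpack_from(payload)
    off, ip, label = IFADDRMSG.size, None, None
    while off + RTATTR.size <= len(payload):
        rta_len, rta_type = RTATTR.unpack_from(payload, off)
        if rta_len < RTATTR.size or off + rta_len > len(payload):
            break                      # malformed attribute: stop parsing
        data = payload[off + RTATTR.size:off + rta_len]
        if rta_type == IFA_LOCAL:
            ip = socket.inet_ntoa(data)
        elif rta_type == IFA_LABEL:
            label = data.rstrip(b"\0").decode()
        off += (rta_len + 3) & ~3      # advance to the next aligned attribute
    return index, ip, label

def addresses_to_bind(payloads, wanted, index_names, by_label):
    """Addresses selected for `wanted` when matching by index name or by label."""
    chosen = []
    for index, ip, label in map(parse_addr, payloads):
        name = label if by_label and label else index_names[index]
        if name == wanted:
            chosen.append(ip)
    return chosen

# Constructed sample mirroring the `ip addr show` output quoted above.
SAMPLE = [build_addr(2, "192.168.0.193", 24, "eth0"),
          build_addr(2, "192.168.99.1", 24, "eth0:0")]
INDEX_NAMES = {2: "eth0"}              # what an index-to-name lookup yields
```

Matching on the index-derived name selects both addresses for `eth0` and none for `eth0:0`; matching on the label selects exactly one address for each name.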




