[Dnsmasq-discuss] MAC address resolution of virtual machines

Ashish Sharma pocha.sharma at gmail.com
Tue Aug 30 05:44:02 BST 2016


Btw - I have another problem with the 'blocking approach' I am doing above.
Since the DHCP request gets blocked, the client tends to send another
request, possibly thinking that Dnsmasq has probably not got the request.
That leads to multiple iptables commands being executed for the same client.
This also led to some discrepancies a few times & I had to write some
extra code to keep it all sane.

I understand that the dhcp script would solve this problem as there would
only be 1 execution of the script for a client. But then, the blocking
thing would go for a toss.

Is there a middle path where I could get both the above features working?

On Tue, Aug 30, 2016 at 10:01 AM, Ashish Sharma <pocha.sharma at gmail.com>
wrote:

>
>
> On Tue, Aug 30, 2016 at 9:30 AM, richardvoigt at gmail.com <
> richardvoigt at gmail.com> wrote:
>
>> Not relevant to the issue you still face, but I just wanted to point out
>> that triggering commands (such as iptables rule creation) based on leases
>> being issued can be done using either the dhcp-script or DBus messaging,
>> without having to hack the dnsmasq code itself.
>>
>
> Thanks for this. As a hacker-dev, I do have a tendency to start looking into
> the code & not read the docs. I looked at the doc & this is what it says
> ---------
> The script is not invoked concurrently: at most one instance of the script
> is ever running (dnsmasq waits for an instance of script to exit before
> running the next)
> -------
> For my case - the DHCP process needs to block till I have created the rules,
> otherwise the internet won't work for the right client post IP has been
> assigned to them.
>
>
>> Actually, looking at the man page, some enhancements have been made to
>> that functionality in newer versions.  Quite possibly the arp-add action
>> might have exactly the information you need for creating rules to match
>> these pseudo-routed packets.
>>
>
> Are you pointing to my original problem of figuring out the host IP
> address of a virtual machine here? I am unable to find any such reference
> in the doc. Mind passing a small example?
>
>
>>
>> On Mon, Aug 29, 2016 at 10:41 AM, Ashish Sharma <pocha.sharma at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>>  I have been running Dnsmasq on Openwrt (opensource router OS). It also
>>> acts as DHCP server.
>>>
>>>   Once a client connects, I need to whitelist his ip & mac through
>>> iptables depending on a few criteria. I am able to hack this part out by
>>> calling appropriate iptables command before the DHCP ACK packets are being
>>> sent in Dnsmasq code.
>>>
>>>  The issue with virtual machines in bridged mode connecting is - while
>>> Dnsmasq resolves their mac address as the true address, iptables sees the
>>> mac source of the packets as that of the host.
>>>
>>>  Now I have two options - either fiddle with Dnsmasq to see if it could
>>> figure out the host mac address & eventually use that with iptables
>>> command, or fiddle with iptables to see if it could identify the virtual
>>> machine packets. I figured, changing Dnsmasq would lead to lesser
>>> probability of breaking things as it would just happen while the client
>>> connects, while packets will keep on coming & going all the time.
>>>
>>>  Can someone help me on this? Thanks in advance.
>>>
>>> Ashish
>>>
>>> P.S. - if someone knows a better way of doing it, I am ready to discard
>>> my work so far & start from scratch.
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>>
>>
>
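The duplicate-rule problem described at the top of this message (a retransmitted DHCP request triggering the iptables command a second time for the same client) goes away if the hook that creates the rule is idempotent. The script below is an added example written for this thread, not code from dnsmasq or from the poster: it is shaped as a `--dhcp-script` hook, which dnsmasq calls as `script add|old|del <MAC> <IP> [hostname]`, and it checks for an existing rule with `iptables -C` before appending, and loops on `iptables -D` when a lease is deleted so that any duplicates are cleared too. The chain name `dhcp_allow`, the `IPTABLES` override variable and the function names are assumptions made for the example; the ARP-triggered actions that `--script-arp` enables (mentioned by Richard above) are not named in the thread and so are not dispatched here.

```shell
#!/bin/sh
# Idempotent dnsmasq --dhcp-script hook (added example, not from the thread).
# dnsmasq invokes it as:  script <add|old|del> <MAC> <IP> [hostname]
#
# Assumptions (not stated in the thread): an iptables chain named "$CHAIN"
# already exists and is referenced from FORWARD, and each rule means
# "accept traffic whose source IP and source MAC match this lease".
# IPTABLES can be overridden so the logic can be exercised with a mock.

CHAIN="${CHAIN:-dhcp_allow}"
IPTABLES="${IPTABLES:-iptables}"

# rule_args MAC IP: the match/target part of the rule, pairing the leased
# IP with the MAC dnsmasq saw in the DHCP exchange.
rule_args() {
    printf '%s\n' "-s $2 -m mac --mac-source $1 -j ACCEPT"
}

# ensure_rule MAC IP: append the rule only if it is not already present,
# so repeated invocations for the same client (retransmitted requests,
# 'old' renewals) never stack duplicate rules.
ensure_rule() {
    mac=$1; ip=$2
    if $IPTABLES -C "$CHAIN" $(rule_args "$mac" "$ip") 2>/dev/null; then
        return 0
    fi
    $IPTABLES -A "$CHAIN" $(rule_args "$mac" "$ip")
}

# remove_rule MAC IP: delete every copy of the rule (loop until -D fails),
# which also cleans up duplicates left behind by a non-idempotent hook.
remove_rule() {
    mac=$1; ip=$2
    while $IPTABLES -D "$CHAIN" $(rule_args "$mac" "$ip") 2>/dev/null; do :; done
    return 0
}

# handle_event ACTION MAC IP [HOSTNAME]: map dnsmasq lease events to rules.
# Unknown actions are logged and ignored rather than treated as errors.
handle_event() {
    action=$1; mac=$2; ip=$3
    case "$action" in
        add|old) ensure_rule "$mac" "$ip" ;;
        del)     remove_rule "$mac" "$ip" ;;
        init)    ;;   # lease-database init (with --leasefile-ro): nothing to do
        *)       echo "dhcp-script: ignoring action '$action'" >&2 ;;
    esac
}

# When executed by dnsmasq, dispatch on the command-line arguments.
# Guarded so the functions can also be sourced without side effects.
if [ -n "${1:-}" ]; then
    handle_event "$@"
fi
```

Two caveats follow from the thread itself. First, as the quoted man-page excerpt says, dnsmasq serialises the script and runs it after the lease event rather than before the ACK, so this hook does not give the blocking behaviour the poster wants; it only removes the duplicate-rule symptom. Second, for a bridged virtual machine the frames iptables sees carry the host's MAC, as the original question states, so the `--mac-source` match in these rules will not hit for such clients; the example keeps the IP-plus-MAC pairing the poster asked for and leaves that problem where the thread leaves it.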