[Dnsmasq-discuss] MAC address resolution of virtual machines

Ashish Sharma pocha.sharma at gmail.com
Tue Aug 30 05:31:57 BST 2016


On Tue, Aug 30, 2016 at 9:30 AM, richardvoigt at gmail.com <
richardvoigt at gmail.com> wrote:

> Not relevant to the issue you still face, but I just wanted to point out
> that triggering commands (such as iptables rule creation) based on leases
> being issued can be done using either the dhcp-script or DBus messaging,
> without having to hack the dnsmasq code itself.
>

Thanks for this. As a hacker-dev, I do have a tendency to start looking into
the code & not read the docs. I looked at the doc & this is what it says:
---------
The script is not invoked concurrently: at most one instance of the script
is ever running (dnsmasq waits for an instance of script to exit before
running the next)
-------
For my case, the DHCP process needs to block till I have created the rules;
otherwise, the internet won't work for the right client once the IP has been
assigned to them.


> Actually, looking at the man page, some enhancements have been made to
> that functionality in newer versions.  Quite possibly the arp-add action
> might have exactly the information you need for creating rules to match
> these pseudo-routed packets.
>

Are you pointing to my original problem of figuring out the host IP address
of a virtual machine here? I am unable to find any such reference in the
doc. Mind passing a small example?


>
> On Mon, Aug 29, 2016 at 10:41 AM, Ashish Sharma <pocha.sharma at gmail.com>
> wrote:
>
>> Hi,
>>
>>  I have been running Dnsmasq on OpenWrt (open-source router OS). It also
>> acts as the DHCP server.
>>
>>   Once a client connects, I need to whitelist his IP & MAC through
>> iptables depending on a few criteria. I am able to hack this part out by
>> calling the appropriate iptables command before the DHCP ACK packets are
>> sent in the Dnsmasq code.
>>
>>  The issue with virtual machines in bridged mode connecting is: while
>> Dnsmasq resolves their MAC address as the true address, iptables sees the
>> MAC source of the packets as that of the host.
>>
>>  Now I have two options: either fiddle with Dnsmasq to see if it could
>> figure out the host MAC address & eventually use that with the iptables
>> command, or fiddle with iptables to see if it could identify the virtual
>> machine packets. I figured changing Dnsmasq would lead to a lesser
>> probability of breaking things, as it would just happen while the client
>> connects, while packets will keep on coming & going all the time.
>>
>>  Can someone help me with this? Thanks in advance.
>>
>> Ashish
>>
>> P.S. - if someone knows a better way of doing it, I am ready to discard
>> my work so far & start from scratch.
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>>
>
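The dhcp-script route richardvoigt mentions, shown as an added example that is not code from the thread or from the dnsmasq project: dnsmasq invokes the configured script with the arguments `add|old|del <MAC> <IP> [<hostname>]` (the documented interface), and this script turns each lease event into an iptables allow rule keyed on both IP and MAC. The chain name `LEASE_ALLOW`, the `LEASE_CHAIN`/`IPTABLES` environment overrides and the dry-run pattern are assumptions of this example. The `rule_spec` function is kept separate so the rule text can be inspected without root or a live firewall.

```shell
#!/bin/sh
# Added example: a dnsmasq dhcp-script that whitelists a DHCP lease in iptables.
# dnsmasq runs it as:  script add|old|del <MAC> <IP> [<hostname>]
# Chain name and the IPTABLES override are assumptions of this example.

CHAIN="${LEASE_CHAIN:-LEASE_ALLOW}"   # assumed chain, default-DROP at the end
IPT="${IPTABLES:-iptables}"           # override with a fake command for dry runs

# Build the rule for one lease: accept traffic only when both the source IP
# and the source MAC match the lease. Caveat from the thread: the 'mac'
# match compares against the MAC iptables actually sees on ingress, which
# for a bridged VM can be the host NIC's MAC rather than the lease MAC, so
# such a client simply stays blocked (fail-closed) rather than being let in.
rule_spec() {
    # $1 = lease MAC, $2 = lease IP
    printf '%s -s %s -m mac --mac-source %s -j ACCEPT' "$CHAIN" "$2" "$1"
}

# Apply or remove the rule for a lease event. 'old' fires on renewals and on
# dnsmasq startup for leases read back from the lease file, so the add path
# must be idempotent: check (-C) before inserting (-I).
apply_lease() {
    action="$1"; mac="$2"; ip="$3"
    spec=$(rule_spec "$mac" "$ip")
    case "$action" in
        add|old)
            # shellcheck disable=SC2086  # word-splitting of $spec is intended
            $IPT -C $spec 2>/dev/null || $IPT -I $spec
            ;;
        del)
            $IPT -D $spec 2>/dev/null || true
            ;;
        *)
            # unknown action (e.g. tftp, arp-add): nothing to do for this chain
            return 0
            ;;
    esac
}

# Entry point when dnsmasq calls the script directly.
if [ $# -ge 3 ]; then
    apply_lease "$@"
fi
```

The script runs after dnsmasq has already committed the lease, so with a chain that ends in DROP the client has no access for the short interval until the rule is inserted; that is the safe direction for the gap. Pointing `IPTABLES` at `echo` prints the exact rules a lease would produce, which is a convenient way to review the policy before enabling it on the router.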