Gionatan Danti
2018-Mar-13 15:08 UTC
Re: [libvirt-users] Specify DNS and gateway for dnsmasq
On 13/03/2018 15:30, Michal Privoznik wrote:
> The default GW depends on the IP address you assigned to your network:
>
> <ip address='192.168.122.1' netmask='255.255.255.0'/>
>
> This says the default GW is 192.168.122.1/24. However, you can insert
> other routes too:
>
> <route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
>
> For handling DNS, you need to focus on <dns/> element. For instance, to
> set a different forwarder than GW:
>
> <dns>
>   <forwarder addr="8.8.8.8"/>
> </dns>

For NATed/routed networks, sure. However, I have an isolated network like
that (without the "forward" element):

<network>
  <name>net1</name>
  <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:97:1b:15'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>

When the client asks for an IP via DHCP, it obtains a valid IP address but
*no* gateway. Is it the expected behavior for an isolated network? From my
understanding, network isolation is accomplished by firewall rules in the
FORWARD table, rather than by not assigning the gateway IP address to
clients.

> No, that was just a proposal. RFC, a discussion of how we should
> implement some special features of DHCP. Those are not patches and in
> fact patches implementing that were never merged.
>
> Michal

Ok, thank you Michal.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@assyoma.it - info@assyoma.it
GPG public key ID: FF5F32A8
Laine Stump
Re: [libvirt-users] Specify DNS and gateway for dnsmasq
On 03/13/2018 11:08 AM, Gionatan Danti wrote:
> On 13/03/2018 15:30, Michal Privoznik wrote:
>> The default GW depends on the IP address you assigned to your network:
>>
>> <ip address='192.168.122.1' netmask='255.255.255.0'/>
>>
>> This says the default GW is 192.168.122.1/24. However, you can insert
>> other routes too:
>>
>> <route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>

...however this wouldn't be of use to you - the routes listed in a libvirt
network are routes that are added on the *host*, not on the guest. (these
are used when there is a network behind a guest that the host can only
access via that guest).

>> For handling DNS, you need to focus on <dns/> element. For instance, to
>> set a different forwarder than GW:
>>
>> <dns>
>>   <forwarder addr="8.8.8.8"/>
>> </dns>
>
> For NATed/routed networks, sure. However, I have an isolated network
> like that (without the "forward" element):

We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had a
bug report about this).

libvirt's virtual networks are intended to be a simple way to set up the
most common networking scenario. It sounds like you're beyond that, so you
probably should do your own network setup on the host outside of libvirt.
A libvirt virtual network is really just the combination of a bridge
device, a dnsmasq instance + config, some iptables rules, and optionally
some routes.

> <network>
>   <name>net1</name>
>   <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
>   <bridge name='virbr1' stp='on' delay='0'/>
>   <mac address='52:54:00:97:1b:15'/>
>   <domain name='TEST'/>
>   <ip address='192.168.10.1' netmask='255.255.255.0'>
>     <dhcp>
>       <range start='192.168.10.128' end='192.168.10.254'/>
>     </dhcp>
>   </ip>
> </network>
>
> When the client asks for an IP via DHCP, it obtains a valid IP address
> but *no* gateway. Is it the expected behavior for an isolated network?
> From my understanding, network isolation is accomplished by firewall
> rules in the FORWARD table, rather than by not assigning the gateway IP
> address to clients.

It does both of those things (no gateway combined with iptables rules to
prevent traffic from being forwarded from the bridge). Why set a default
gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (a common use of an isolated network is to contain
inter-guest communication between guests that have 2nd interfaces used for
communication with the outside).
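The following is an added example, not code from this thread or from libvirt: a small audit of a libvirt `<network>` definition that applies the points made above (no `<forward>` means isolated, isolated networks hand out no default gateway, `<route>` entries only land on the host, and DNS forwarders on an isolated network deserve a second look). The `audit_network` function and the report keys are this example's own names.

```python
import xml.etree.ElementTree as ET

def audit_network(xml_text):
    """Classify a libvirt <network> definition and list what guests get."""
    net = ET.fromstring(xml_text)
    fwd = net.find("forward")
    # No <forward> element means an isolated network; when <forward> is
    # present without a mode attribute, libvirt defaults to NAT.
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    ip = net.find("ip")
    host_ip = ip.get("address") if ip is not None else None
    rng = ip.find("dhcp/range") if ip is not None else None
    report = {
        "name": net.findtext("name"),
        "mode": mode,
        "host_ip": host_ip,
        "dhcp_range": (rng.get("start"), rng.get("end")) if rng is not None else None,
        # isolated networks lease an address but offer no default gateway
        "gateway_offered": host_ip if mode != "isolated" and host_ip else None,
        # <route> entries are installed on the host, never pushed to guests
        "host_routes": [(r.get("address"), r.get("prefix"), r.get("gateway"))
                        for r in net.findall("route")],
        "dns_forwarders": [f.get("addr") for f in net.findall("dns/forwarder")],
        "findings": [],
    }
    if mode == "isolated" and report["dns_forwarders"]:
        report["findings"].append(
            "isolated network configures DNS forwarders: forwarded queries "
            "and responses are a covert channel out of the guest")
    if mode == "isolated" and report["host_routes"]:
        report["findings"].append(
            "routes on an isolated network only change the host routing table")
    return report

# Constructed sample input: the isolated network definition from the thread.
NET1_XML = """<network>
  <name>net1</name>
  <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:97:1b:15'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.10.128' end='192.168.10.254'/></dhcp>
  </ip>
</network>"""

if __name__ == "__main__":
    for key, value in audit_network(NET1_XML).items():
        print(f"{key}: {value}")
```

Run it against `virsh net-dumpxml <name>` output to see, per network, whether DHCP clients will receive a gateway and whether any forwarder or route is configured where it has no effect.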
Gionatan Danti
2018-Mar-14 07:21 UTC
Re: [libvirt-users] Specify DNS and gateway for dnsmasq
On 13-03-2018 20:48 Laine Stump wrote:
> On 03/13/2018 11:08 AM, Gionatan Danti wrote:
>> On 13/03/2018 15:30, Michal Privoznik wrote:
>>> The default GW depends on the IP address you assigned to your network:
>>>
>>> <ip address='192.168.122.1' netmask='255.255.255.0'/>
>>>
>>> This says the default GW is 192.168.122.1/24. However, you can insert
>>> other routes too:
>>>
>>> <route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
>
> ...however this wouldn't be of use to you - the routes listed in a
> libvirt network are routes that are added on the *host*, not on the
> guest. (these are used when there is a network behind a guest that the
> host can only access via that guest).
>
>>> For handling DNS, you need to focus on <dns/> element. For instance,
>>> to set a different forwarder than GW:
>>>
>>> <dns>
>>>   <forwarder addr="8.8.8.8"/>
>>> </dns>
>>
>> For NATed/routed networks, sure. However, I have an isolated network
>> like that (without the "forward" element):
>
> We don't want DNS requests to be forwarded by dnsmasq from an isolated
> network - forwarded DNS requests and responses can be used as a
> clandestine medium for communicating outside the guest (we actually had
> a bug report about this).
>
> libvirt's virtual networks are intended to be a simple way to set up the
> most common networking scenario. It sounds like you're beyond that, so
> you probably should do your own network setup on the host outside of
> libvirt. A libvirt virtual network is really just the combination of a
> bridge device, a dnsmasq instance + config, some iptables rules, and
> optionally some routes.
>
>> <network>
>>   <name>net1</name>
>>   <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
>>   <bridge name='virbr1' stp='on' delay='0'/>
>>   <mac address='52:54:00:97:1b:15'/>
>>   <domain name='TEST'/>
>>   <ip address='192.168.10.1' netmask='255.255.255.0'>
>>     <dhcp>
>>       <range start='192.168.10.128' end='192.168.10.254'/>
>>     </dhcp>
>>   </ip>
>> </network>
>>
>> When the client asks for an IP via DHCP, it obtains a valid IP address
>> but *no* gateway. Is it the expected behavior for an isolated network?
>> From my understanding, network isolation is accomplished by firewall
>> rules in the FORWARD table, rather than by not assigning the gateway
>> IP address to clients.
>
> It does both of those things (no gateway combined with iptables rules
> to prevent traffic from being forwarded from the bridge). Why set a
> default gateway when 1) it can't be used and 2) it may conflict with the
> default gateway set on a 2nd interface in the guest that *can* be used
> to reach outside the host? (a common use of an isolated network is to
> contain inter-guest communication between guests that have 2nd
> interfaces used for communication with the outside).

Hi Laine, thanks for the detailed answer!

One more question: what about setting a custom DNS? For example, consider
the scenario where a specific guest acts as a DNS server (i.e. an Active
Directory server) and other clients in the same isolated network should
use its IP address as DNS.

If I understand it correctly, I can use the "dns forward" directive to,
well, forward dnsmasq's requests to the specific IP address. But what about
directly assigning the correct DNS server to the running guests?

Thanks.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti@assyoma.it - info@assyoma.it
GPG public key ID: FF5F32A8