From c7ec31d43c3530e5463d7f4d51caedf3fab41d1e Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 31 Oct 2024 17:03:34 +0100
Subject: [run-virt] dnsmasq: fix interface listen, log to file

For some reason, even without bind-interfaces, when using iptables -j REDIRECT, dnsmasq doesn't see any redirected queries, probably becuase it recognizes the actual source of the packet as not belonging to the interface it's being told to listen on.
---
 .../data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
index c62a0862..e07df735 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
@@ -30,6 +30,9 @@ setup_firewall () {
 fi
 # Run dnsmasq if applicable
 if [ -s "$DNSMASQ_CONF" ]; then
+ # If we want to support bridged VMs in the future, we need to listen on br0 too, but then
+ # we need to block incoming traffic on this port (via set-firewall script)
+ # using physdev matching.
 cat >> "$DNSMASQ_CONF" <<-DNSCONF
 keep-in-foreground
 pid-file=/tmp/dns-$RANDOM.$RANDOM.$RANDOM
@@ -38,15 +41,17 @@ setup_firewall () {
 no-resolv
 port=$port
 interface=lo
- bind-interfaces
- log-facility=-
+ interface=nat1
+ interface=vsw2
+ log-facility=${DNSMASQ_CONF}.log
 DNSCONF
 if ! dnsmasq --test --conf-file="$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then
 cat "${DNSMASQ_CONF}.tmp" >> "${DNSMASQ_CONF}"
 rm -f -- "${DNSMASQ_CONF}.tmp"
- slxlog -s -d "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF"
+ slxlog -s "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF"
 return 1
 fi
+ rm -f -- "${DNSMASQ_CONF}.tmp"
 # All seems well, launch for real
 run_dnsmasq_fw "$port"
 add_cleanup "cleanup_firewall"
-- 
cgit v1.2.3-55-g7522
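Review bot: The two new `interface=` lines hard-code `nat1` and `vsw2` while `bind-interfaces` is dropped, so dnsmasq now binds the wildcard address on `$port` and relies on its own per-interface filter to discard queries arriving elsewhere; that trade-off is explained only in the commit message, and as far as I know dnsmasq also exits with "unknown interface" at real start-up (not at `--test`, which only parses the config) if either name does not exist, unless `bind-dynamic` is set. A short comment in the script above the heredoc would capture both, e.g. `# No bind-interfaces: dnsmasq binds the wildcard socket on $port and filters by interface, otherwise REDIRECTed queries are dropped; nat1/vsw2 must exist before run_dnsmasq_fw`. The new `log-facility=${DNSMASQ_CONF}.log` makes dnsmasq create a second file next to the config that the `rm -f -- "${DNSMASQ_CONF}.tmp"` added after `fi` does not cover, so unless `cleanup_firewall` (outside this hunk) removes it, the log is left behind on every run; consider adding `rm -f -- "${DNSMASQ_CONF}.log"` to that cleanup. A start-up failure caused by a missing interface would then be visible only in that log file rather than via `slxlog`, since the `--test` branch is the only reporting path here. setup_firewall continues outside the hunk.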