From 09ee9347864d731ce7ccf241178559815e82f57c Mon Sep 17 00:00:00 2001
From: Brian Haley <bhaley@redhat.com>
Date: Thu, 9 May 2019 22:33:02 -0400
Subject: [PATCH] Use --bind-dynamic with dnsmasq instead of --bind-interfaces

Dnsmasq emits a warning when started in most neutron deployments:

dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
    --bind-interfaces to avoid DNS amplification attacks via
    these interface(s)

Option --bind-dynamic has been available since dnsmasq 2.63
(https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
we require 2.67, so change to use this option instead.

Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
Closes-bug: #1828473
---
 neutron/agent/linux/dhcp.py                 |  8 ++------
 neutron/tests/unit/agent/linux/test_dhcp.py | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
index dc25ca514f5..327c4e8ffdd 100644
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
@@ -354,14 +354,10 @@ class Dnsmasq(DhcpLocalProcess):
             '--dhcp-match=set:ipxe,175',
             '--dhcp-userclass=set:ipxe6,iPXE',
             '--local-service',
+            '--bind-dynamic',
         ]
-        if self.device_manager.driver.bridged:
+        if not self.device_manager.driver.bridged:
             cmd += [
-                '--bind-interfaces',
-            ]
-        else:
-            cmd += [
-                '--bind-dynamic',
                 '--bridge-interface=%s,tap*' % self.interface_name,
             ]
 
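Review bot: The now-unconditional `'--bind-dynamic'` entry in the option list has no comment saying why it replaced `--bind-interfaces`, so the reason (the DNS amplification warning quoted in the commit message) can only be recovered from git history. A short comment above it would help, for example `# --bind-dynamic (dnsmasq >= 2.63): binds per-interface addresses and tracks new ones; avoids the --bind-interfaces DNS amplification warning`. Bridged drivers previously got `--bind-interfaces`, so they now also start listening on interfaces or addresses that appear after startup. That is presumably still limited by an `--interface` option built outside this hunk, which is worth confirming. The enclosing method starts and ends outside the hunk.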
diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py
index 1285e5b790c..2be866c5d6f 100644
--- a/neutron/tests/unit/agent/linux/test_dhcp.py
+++ b/neutron/tests/unit/agent/linux/test_dhcp.py
@@ -1260,7 +1260,8 @@ class TestDnsmasq(TestBase):
     def _test_spawn(self, extra_options, network=FakeDualNetwork(),
                     max_leases=16777216, lease_duration=86400,
                     has_static=True, no_resolv='--no-resolv',
-                    has_stateless=True, dhcp_t1=0, dhcp_t2=0):
+                    has_stateless=True, dhcp_t1=0, dhcp_t2=0,
+                    bridged=True):
         def mock_get_conf_file_name(kind):
             return '/dhcp/%s/%s' % (network.id, kind)
 
@@ -1281,8 +1282,12 @@ class TestDnsmasq(TestBase):
             '--dhcp-match=set:ipxe,175',
             '--dhcp-userclass=set:ipxe6,iPXE',
             '--local-service',
-            '--bind-interfaces',
+            '--bind-dynamic',
         ]
+        if not bridged:
+            expected += [
+                '--bridge-interface=tap0,tap*'
+            ]
 
         seconds = ''
         if lease_duration == -1:
@@ -1356,6 +1361,11 @@ class TestDnsmasq(TestBase):
     def test_spawn(self):
         self._test_spawn(['--conf-file=', '--domain=openstacklocal'])
 
+    def test_spawn_not_bridged(self):
+        self.mock_mgr.return_value.driver.bridged = False
+        self._test_spawn(['--conf-file=', '--domain=openstacklocal'],
+                         bridged=False)
+
     def test_spawn_infinite_lease_duration(self):
         self.conf.set_override('dhcp_lease_duration', -1)
         self._test_spawn(['--conf-file=', '--domain=openstacklocal'],
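Review bot: `test_spawn_not_bridged` states the bridged setting twice, once on `self.mock_mgr.return_value.driver.bridged` and once as `bridged=False`, and nothing keeps the two in step. The default path appears to rely on the mock attribute being truthy without ever being set to `True`; this is inferred, because the fixture setup is outside the diff. Having `_test_spawn` assign it, `self.mock_mgr.return_value.driver.bridged = bridged`, would make the new `bridged` parameter the single source of truth and let this test drop its first line. The expected `'--bridge-interface=tap0,tap*'` in the previous hunk also hard-codes the interface name that the production code takes from `self.interface_name`.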