From 09ee9347864d731ce7ccf241178559815e82f57c Mon Sep 17 00:00:00 2001 From: Brian Haley <bhaley@redhat.com> Date: Thu, 9 May 2019 22:33:02 -0400 Subject: [PATCH] Use --bind-dynamic with dnsmasq instead of --bind-interfaces Dnsmasq emits a warning when started in most neutron deployments: dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s) Since option --bind-dynamic is available since dnsmasq 2.63 (https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and we require 2.67, change to use this option instead. Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5 Closes-bug: #1828473 --- neutron/agent/linux/dhcp.py | 8 ++------ neutron/tests/unit/agent/linux/test_dhcp.py | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py index dc25ca514f5..327c4e8ffdd 100644 --- a/neutron/agent/linux/dhcp.py +++ b/neutron/agent/linux/dhcp.py @@ -354,14 +354,10 @@ class Dnsmasq(DhcpLocalProcess): '--dhcp-match=set:ipxe,175', '--dhcp-userclass=set:ipxe6,iPXE', '--local-service', + '--bind-dynamic', ] - if self.device_manager.driver.bridged: + if not self.device_manager.driver.bridged: cmd += [ - '--bind-interfaces', - ] - else: - cmd += [ - '--bind-dynamic', '--bridge-interface=%s,tap*' % self.interface_name, ] diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py index 1285e5b790c..2be866c5d6f 100644 --- a/neutron/tests/unit/agent/linux/test_dhcp.py +++ b/neutron/tests/unit/agent/linux/test_dhcp.py @@ -1260,7 +1260,8 @@ class TestDnsmasq(TestBase): def _test_spawn(self, extra_options, network=FakeDualNetwork(), max_leases=16777216, lease_duration=86400, has_static=True, no_resolv='--no-resolv', - has_stateless=True, dhcp_t1=0, dhcp_t2=0): + has_stateless=True, dhcp_t1=0, dhcp_t2=0, + bridged=True): def mock_get_conf_file_name(kind): return '/dhcp/%s/%s' % (network.id, kind) @@ -1281,8 +1282,12 @@ class TestDnsmasq(TestBase): '--dhcp-match=set:ipxe,175', '--dhcp-userclass=set:ipxe6,iPXE', '--local-service', - '--bind-interfaces', + '--bind-dynamic', ] + if not bridged: + expected += [ + '--bridge-interface=tap0,tap*' + ] seconds = '' if lease_duration == -1: @@ -1356,6 +1361,11 @@ class TestDnsmasq(TestBase): def test_spawn(self): self._test_spawn(['--conf-file=', '--domain=openstacklocal']) + def test_spawn_not_bridged(self): + self.mock_mgr.return_value.driver.bridged = False + self._test_spawn(['--conf-file=', '--domain=openstacklocal'], + bridged=False) + def test_spawn_infinite_lease_duration(self): self.conf.set_override('dhcp_lease_duration', -1) self._test_spawn(['--conf-file=', '--domain=openstacklocal'],