Use --bind-dynamic with dnsmasq instead of --bind-interfaces

Dnsmasq emits a warning when started in most neutron deployments:

dnsmasq[27287]: LOUD WARNING: use --bind-dynamic rather than
    --bind-interfaces to avoid DNS amplification attacks via
    these interface(s)

The --bind-dynamic option has been available since dnsmasq 2.63
(https://github.com/liquidm/dnsmasq/blob/master/FAQ#L239) and
we require 2.67, so change to use this option instead.

Change-Id: Id7971bd99b04aca38180ff109f542422b1a925d5
Closes-bug: #1828473
Brian Haley 2019-05-09 22:33:02 -04:00 committed by Brian Haley
parent bd3d85807c
commit 09ee934786
2 changed files with 14 additions and 8 deletions


@ -354,14 +354,10 @@ class Dnsmasq(DhcpLocalProcess):
'--dhcp-match=set:ipxe,175',
'--dhcp-userclass=set:ipxe6,iPXE',
'--local-service',
'--bind-dynamic',
]
if self.device_manager.driver.bridged:
if not self.device_manager.driver.bridged:
cmd += [
'--bind-interfaces',
]
else:
cmd += [
'--bind-dynamic',
'--bridge-interface=%s,tap*' % self.interface_name,
]
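Review bot: The now-unconditional `'--bind-dynamic'` entry in the base `cmd` list has no comment, so the security reason for preferring it is only recoverable from the commit message; I would add `# --bind-dynamic rather than --bind-interfaces: dnsmasq warns the latter allows DNS amplification attacks (needs dnsmasq >= 2.63)` above it. Because the flag is no longer conditional, every spawn depends on a dnsmasq that accepts it. Whether the 2.67 minimum named in the commit message is enforced before the process is started is not visible in this hunk and is worth confirming. The inverted `if not self.device_manager.driver.bridged:` branch would also benefit from a one-line comment saying why `--bridge-interface` is passed only for non-bridged drivers. The enclosing method starts and ends outside the hunk.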


@ -1260,7 +1260,8 @@ class TestDnsmasq(TestBase):
def _test_spawn(self, extra_options, network=FakeDualNetwork(),
max_leases=16777216, lease_duration=86400,
has_static=True, no_resolv='--no-resolv',
has_stateless=True, dhcp_t1=0, dhcp_t2=0):
has_stateless=True, dhcp_t1=0, dhcp_t2=0,
bridged=True):
def mock_get_conf_file_name(kind):
return '/dhcp/%s/%s' % (network.id, kind)
@ -1281,8 +1282,12 @@ class TestDnsmasq(TestBase):
'--dhcp-match=set:ipxe,175',
'--dhcp-userclass=set:ipxe6,iPXE',
'--local-service',
'--bind-interfaces',
'--bind-dynamic',
]
if not bridged:
expected += [
'--bridge-interface=tap0,tap*'
]
seconds = ''
if lease_duration == -1:
@ -1356,6 +1361,11 @@ class TestDnsmasq(TestBase):
def test_spawn(self):
self._test_spawn(['--conf-file=', '--domain=openstacklocal'])
def test_spawn_not_bridged(self):
self.mock_mgr.return_value.driver.bridged = False
self._test_spawn(['--conf-file=', '--domain=openstacklocal'],
bridged=False)
def test_spawn_infinite_lease_duration(self):
self.conf.set_override('dhcp_lease_duration', -1)
self._test_spawn(['--conf-file=', '--domain=openstacklocal'],