Discussion:
[Dnsmasq-discuss] MAC address resolution of virtual machines
Ashish Sharma
2016-08-29 15:41:25 UTC
Hi,

I have been running Dnsmasq on OpenWrt (open-source router OS). It also
acts as the DHCP server.

Once a client connects, I need to whitelist its IP & MAC through iptables
depending on a few criteria. I am able to hack this part out by calling
the appropriate iptables command before the DHCP ACK packets are sent in
the Dnsmasq code.

The issue with virtual machines connecting in bridged mode is this: while
Dnsmasq resolves their MAC address as the true address, iptables sees the
MAC source of their packets as that of the host.

Now I have two options: either fiddle with Dnsmasq to see if it could
figure out the host MAC address & eventually use that with the iptables
command, or fiddle with iptables to see if it could identify the virtual
machine packets. I figured changing Dnsmasq would carry a lower
probability of breaking things, as it would only happen while the client
connects, while packets will keep on coming & going all the time.

Can someone help me with this? Thanks in advance.

Ashish

P.S. - if someone knows a better way of doing it, I am ready to discard my
work so far & start from scratch.
r***@gmail.com
2016-08-30 04:00:13 UTC
Not relevant to the issue you still face, but I just wanted to point out
that triggering commands (such as iptables rule creation) based on leases
being issued can be done using either the dhcp-script or DBus messaging,
without having to hack the dnsmasq code itself.

Actually, looking at the man page, some enhancements have been made to that
functionality in newer versions. Quite possibly the arp-add action might
have exactly the information you need for creating rules to match these
pseudo-routed packets.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
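The reply above points at the dhcp-script mechanism (and the newer arp-add action) as the way to drive iptables from lease events without patching dnsmasq. The following script is an added example, not code from the thread or from the dnsmasq project: it keeps a per-lease allow list in a dedicated iptables chain and handles both the lease actions (add/old/del) and the ARP actions (arp-add/arp-del) that dnsmasq emits when script-arp is enabled. The chain name LEASE_ALLOW, the script path, and the assumption that the FORWARD chain jumps to LEASE_ALLOW are all made up for the example; the argument order (action, MAC, IP, optional hostname) is taken from the dnsmasq man page and should be checked against the installed version.

```shell
#!/bin/sh
# Added example (not from the thread or the dnsmasq project): a dhcp-script
# that keeps a per-lease allow list in a dedicated iptables chain.
# Assumed dnsmasq configuration (chain name and path are made up here):
#   dhcp-script=/etc/dnsmasq.d/lease-hook.sh
#   script-arp
# dnsmasq invokes the script as: <action> <mac> <ip> [hostname]
# with action one of add, old, del, or (with script-arp) arp-add, arp-del.
# Check the argument order against the man page of the installed version.

IPT="${IPT:-iptables}"          # override, e.g. IPT=fake_ipt, to dry-run
CHAIN="${CHAIN:-LEASE_ALLOW}"   # chain that FORWARD jumps to (assumed)

# One line of rule text used identically for -C (check), -A (append)
# and -D (delete), so the three operations always refer to the same rule.
rule_spec() {
    # $1 = client IP, $2 = client MAC
    printf '%s -s %s -m mac --mac-source %s -j ACCEPT\n' "$CHAIN" "$1" "$2"
}

# Append the rule only if it is absent: a client that retransmits its DHCP
# request triggers the script again and must not stack duplicate rules.
allow_client() {
    spec=$(rule_spec "$1" "$2")
    # shellcheck disable=SC2086  # word splitting of $spec is intentional
    if $IPT -C $spec 2>/dev/null; then
        return 0
    fi
    $IPT -A $spec
}

# Remove the rule when the lease or ARP entry goes away; ignore "no such
# rule" so a del after a failed add does not abort the script.
deny_client() {
    spec=$(rule_spec "$1" "$2")
    $IPT -D $spec 2>/dev/null || true
}

# Map dnsmasq's action names onto the two operations above.
handle_event() {
    action=$1; mac=$2; ip=$3
    case "$action" in
        add|old) allow_client "$ip" "$mac" ;;  # new lease / existing lease (startup, renewal)
        del)     deny_client  "$ip" "$mac" ;;  # lease released or expired
        arp-add) allow_client "$ip" "$mac" ;;  # ARP entry appeared (script-arp)
        arp-del) deny_client  "$ip" "$mac" ;;  # ARP entry removed (script-arp)
        *)       return 0 ;;                    # init, tftp, ...: nothing to do
    esac
}

# When dnsmasq runs the script, act on the arguments it passed.
if [ "$#" -ge 3 ]; then
    handle_event "$@"
fi
```

Two points worth keeping in mind when adapting this. The add event carries the hardware address from the DHCP packet, whereas arp-add carries the MAC dnsmasq found in the kernel's neighbour table for that IP, which is why the reply suggests it for the bridged-VM case; whether the two differ on a given bridge is something to confirm with `ip neigh` before relying on either. And the `-m mac --mac-source` match only works in chains that see incoming frames (PREROUTING, INPUT, FORWARD), so the allow-list chain has to be reached from one of those.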
Ashish Sharma
2016-08-30 04:44:02 UTC
Btw, I have another problem with the 'blocking approach' I am doing above.
Since the DHCP request gets blocked, the client tends to send another
request, possibly thinking that Dnsmasq has not got the request.
That leads to multiple iptables commands being executed for the same client.
This also led to some discrepancies a few times & I had to write some
extra code to keep it all sane.

I understand that the dhcp script would solve this problem as there would
only be one execution of the script per client. But then, the blocking
thing would go for a toss.

Is there a middle path where I could get both the above features working?
Post by r***@gmail.com
Not relevant to the issue you still face, but I just wanted to point out
that triggering commands (such as iptables rule creation) based on leases
being issued can be done using either the dhcp-script or DBus messaging,
without having to hack the dnsmasq code itself.
Thanks for this. As a hacker-dev, I do have a tendency to start looking into
the code & not read the docs. I looked at the doc & this is what it says:
---------
The script is not invoked concurrently: at most one instance of the script
is ever running (dnsmasq waits for an instance of script to exit before
running the next)
-------
For my case, the DHCP process needs to block till I have created the rules;
otherwise, the internet won't work for the right client once an IP has been
assigned to them.
Post by r***@gmail.com
Actually, looking at the man page, some enhancements have been made to
that functionality in newer versions. Quite possibly the arp-add action
might have exactly the information you need for creating rules to match
these pseudo-routed packets.
Are you pointing to my original problem of figuring out the host IP
address of a virtual machine here? I am unable to find any such reference
in the doc. Mind passing a small example?