https://bugzilla.novell.com/show_bug.cgi?id=801142

https://bugzilla.novell.com/show_bug.cgi?id=801142#c0

           Summary: libvirt mistakenly claims 172.31.2.1 is a publicly routable address
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 12.3 Milestone 2
          Platform: x86-64
        OS/Version: SUSE Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: tegan@suse.com
         QAContact: qa-bugs@suse.de
          Found By: Field Engineer
           Blocker: ---

I am running Tumbleweed with libvirt-1.0.1-4.1.x86_64.rpm (Jan 24th 2013) and using the 172.31.2.1 private address for my default network. With this version I noticed that libvirt generates the following error when attempting to start my default network:

    Error starting network 'default': unsupported configuration: Publicly routable address 172.31.2.1 is prohibited. The version of dnsmasq on this host (2.61) doesn't support the bind-dynamic option, which is required for safe operation on a publicly routable subnet (see CVE-2012-3411). You must either upgrade dnsmasq, or use a private/local subnet range for this network (as described in RFC1918/RFC3484/RFC4193).

Upstream recently accepted a set of 3 patches to address this CVE. One of these introduced the libvirt util virSocketAddrIsPrivate (/src/util/virsocketaddr.c), where the new virSocketAddrIsPrivate function seems to be incorrectly defining and calculating the 172.16 IPv4 Private Address Range as described by RFC1918.

From the comments in the patch:
+ * Return true if this address is in its family's defined + * "private/local" address space. For IPv4, private addresses are in + * the range of 192.168.0.0/16, 172.16.0.0/16, or 10.0.0.0/8. For + * IPv6, local addresses are in the range of FC00::/7.
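Review bot: the IPv4 list in this comment gives 172.16.0.0/16, but the RFC 1918 block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), so the documented range leaves out 172.17.x.x through 172.31.x.x. Change the comment to 172.16.0.0/12 and confirm the implementation compares the top 12 bits rather than the top 16; a test case for an address such as 172.31.2.1 would pin the upper boundary.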
From the RFC:
    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

        10.0.0.0        -   10.255.255.255  (10/8 prefix)
        172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
        192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

So the patch is using 172.16/16 but should be using 172.16/12 for this Private Address range.

The specific patch introducing this function is described here:
https://www.redhat.com/archives/libvir-list/2012-November/msg00944.html

and it is part of a three patch set detailed here:
https://bugzilla.redhat.com/show_bug.cgi?id=833033#c47
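
The gap between the /16 in the patch comment and the /12 in RFC 1918, as an added C example (not libvirt's code and not part of the original report). The function names and every sample address other than 172.31.2.1 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not libvirt code: dotted quad -> host-order uint32.
 * Returns 0 on success, -1 if the string is not a valid IPv4 address. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Ranges as listed in the patch comment: 172.16.0.0/16 (second octet 16 only). */
int is_private_as_commented(const char *s)
{
    uint32_t ip;
    if (parse_ipv4(s, &ip) < 0)
        return -1;
    return (ip & 0xFF000000u) == 0x0A000000u     /* 10.0.0.0/8     */
        || (ip & 0xFFFF0000u) == 0xAC100000u     /* 172.16.0.0/16  */
        || (ip & 0xFFFF0000u) == 0xC0A80000u;    /* 192.168.0.0/16 */
}

/* Ranges per RFC 1918: 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255. */
int is_private_rfc1918(const char *s)
{
    uint32_t ip;
    if (parse_ipv4(s, &ip) < 0)
        return -1;
    return (ip & 0xFF000000u) == 0x0A000000u     /* 10.0.0.0/8     */
        || (ip & 0xFFF00000u) == 0xAC100000u     /* 172.16.0.0/12  */
        || (ip & 0xFFFF0000u) == 0xC0A80000u;    /* 192.168.0.0/16 */
}

int main(void)
{
    /* Constructed samples around the /12 boundary; 172.31.2.1 is from the report. */
    const char *samples[] = { "172.15.255.255", "172.16.0.1", "172.31.2.1",
                              "172.32.0.1", "10.1.2.3", "192.168.122.1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-15s /16 comment: %d  RFC 1918 /12: %d\n", samples[i],
               is_private_as_commented(samples[i]), is_private_rfc1918(samples[i]));
    return 0;
}
```

Only the mask width on the 172.16 line differs between the two functions; the addresses just outside the block (172.15.255.255 and 172.32.0.1) stay public under both.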