bridge: bind ip for aardvark-dns in unmanaged mode if gateway ip is not on the host

shivkr6 · shivkr6 · commit f5bc7c17c30c · 2025-08-13T18:13:33.000+05:30
Signed-off-by: Shivang K Raghuvanshi &lt;shivangraghuvanshi2005@gmail.com&gt;
diff --git a/examples/host-device-plugin.rs b/examples/host-device-plugin.rs
@@ -50,7 +50,7 @@ impl Plugin for Exec {
             }
         }
 
-        let addresses = host.netlink.dump_addresses(None)?;
+        let addresses = host.netlink.dump_addresses(None, None, None)?;
         let mut subnets = Vec::new();
         for address in addresses {
             if address.header.index == link.header.index {
diff --git a/src/network/bridge.rs b/src/network/bridge.rs
@@ -6,6 +6,7 @@ use netlink_packet_route::link::{
     BridgeVlanInfoFlags, InfoBridge, InfoData, InfoKind, InfoVeth, LinkAttribute, LinkInfo,
     LinkMessage,
 };
+use netlink_packet_route::{address::AddressScope, AddressFamily};
 
 use crate::dns::aardvark::SafeString;
 use crate::network::core_utils::get_default_route_interface;
@@ -166,7 +167,7 @@ impl driver::NetworkDriver for Bridge<'_> {
 
         let (host_sock, netns_sock) = netlink_sockets;
 
-        let (container_veth_mac, sysctl_writer) = create_interfaces(
+        let (container_veth_mac, sysctl_writer, bridge_index) = create_interfaces(
             host_sock,
             netns_sock,
             data,
@@ -252,18 +253,40 @@ impl driver::NetworkDriver for Bridge<'_> {
                 }
             }
 
-            let gw = data
-                .ipam
-                .gateway_addresses
-                .iter()
-                .map(|ipnet| ipnet.addr())
-                .collect();
+            // Fixes #1177: In unmanaged mode, the gateway IP may not be on the host.
+            // We need to find an IP on the bridge itself for aardvark-dns to bind to.
+            let bind_addr: Vec<IpAddr> = if data.mode == BridgeMode::Unmanaged {
+                let addresses = host_sock.dump_addresses(
+                    Some(bridge_index),
+                    Some(AddressFamily::Inet),
+                    Some(AddressScope::Universe),
+                )?;
+                let mut bind_addr = Vec::with_capacity(addresses.len());
+                for addr_msg in addresses {
+                    for attr in addr_msg.attributes {
+                        if let netlink_packet_route::address::AddressAttribute::Address(ip) = attr {
+                            bind_addr.push(ip);
+                        }
+                    }
+                }
+                if bind_addr.is_empty() {
+                    return Err(NetavarkError::msg(format!("bridge '{}' in unmanaged mode has no universe scope IP addresses, but aardvark-dns requires at least one universe scope address to bind to. Please add an universe scope IP address or disable DNS for this network (--disable-dns).", data.bridge_interface_name)));
+                }
+                response.dns_server_ips = Some(bind_addr.clone());
+                bind_addr
+            } else {
+                data.ipam
+                    .gateway_addresses
+                    .iter()
+                    .map(|ipnet| ipnet.addr())
+                    .collect()
+            };
 
             match self.info.container_id.as_str().try_into() {
                 Ok(id) => Some(AardvarkEntry {
                     network_name: &self.info.network.name,
                     container_id: id,
-                    network_gateways: gw,
+                    network_gateways: bind_addr,
                     network_dns_servers: &self.info.network.network_dns_servers,
                     container_ips_v4: ipv4,
                     container_ips_v6: ipv6,
@@ -556,6 +579,7 @@ fn create_interfaces(
 ) -> NetavarkResult<(
     String,
     Option<sysctl::SysctlDWriter<'static, String, String>>,
+    u32,
 )> {
     let mut sysctl_writer = None;
     let (bridge_index, mtu, mac) = match host.get_link(netlink::LinkID::Name(
@@ -738,7 +762,7 @@ fn create_interfaces(
         netns_fd,
         mtu,
     )?;
-    Ok((mac, sysctl_writer))
+    Ok((mac, sysctl_writer, bridge_index))
 }
 
 /// return the container veth mac address
diff --git a/src/network/netlink.rs b/src/network/netlink.rs
@@ -14,7 +14,7 @@ use netlink_packet_core::{
     NLM_F_REQUEST,
 };
 use netlink_packet_route::{
-    address::AddressMessage,
+    address::{self, AddressMessage, AddressScope},
     link::{
         AfSpecBridge, BridgeVlanInfo, BridgeVlanInfoFlags, InfoBridge, InfoData, InfoKind,
         LinkAttribute, LinkFlags, LinkInfo, LinkMessage,
@@ -414,19 +414,20 @@ impl Socket {
     // If interface's LinkID is supplied, then only the ip addresses of that specific interface is returned. Otherwise all ip addresses of all interfaces are returned
     pub fn dump_addresses(
         &mut self,
-        interface: Option<LinkID>,
+        interface_id_filter: Option<u32>,
+        address_filter: Option<AddressFamily>,
+        scope_filter: Option<AddressScope>,
     ) -> NetavarkResult<Vec<AddressMessage>> {
         let mut msg = AddressMessage::default();
 
-        match interface {
-            Some(LinkID::ID(id)) => {
-                msg.header.index = id;
-            }
-            Some(LinkID::Name(name)) => {
-                let link_message = self.get_link(LinkID::Name(name))?;
-                msg.header.index = link_message.header.index;
-            }
-            None => {}
+        if let Some(id) = interface_id_filter {
+            msg.header.index = id;
+        }
+        if let Some(addr_family) = address_filter {
+            msg.header.family = addr_family;
+        }
+        if let Some(scope) = scope_filter {
+            msg.header.scope = scope;
         }
 
         let results =
diff --git a/src/test/netlink.rs b/src/test/netlink.rs
@@ -175,7 +175,9 @@ mod tests {
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());
         assert!(out.status.success(), "failed to set up lo via ip");
 
-        let addresses = sock.dump_addresses(None).expect("dump_addresses failed");
+        let addresses = sock
+            .dump_addresses(None, None, None)
+            .expect("dump_addresses failed");
         for nla in addresses[0].attributes.iter() {
             if let address::AddressAttribute::Address(ip) = nla {
                 assert_eq!(ip, &IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)))
@@ -206,8 +208,18 @@ mod tests {
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());
         assert!(out.status.success(), "failed to set up lo via ip");
 
+        let bridge_id: u32 = sock
+            .get_link(LinkID::Name("test1".to_string()))
+            .expect("get_link failed")
+            .header
+            .index;
+
         let addresses = sock
-            .dump_addresses(Some(LinkID::Name("test1".to_string())))
+            .dump_addresses(
+                Some(bridge_id),
+                Some(netlink_packet_route::AddressFamily::Inet),
+                Some(address::AddressScope::Universe),
+            )
             .expect("dump_address_filter failed");
         for nla in addresses[0].attributes.iter() {
             if let address::AddressAttribute::Address(ip) = nla {

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ impl Plugin for Exec {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`- let addresses = host.netlink.dump_addresses(None)?;`
	`53`	`+ let addresses = host.netlink.dump_addresses(None, None, None)?;`
`54`	`54`	`let mut subnets = Vec::new();`
`55`	`55`	`for address in addresses {`
`56`	`56`	`if address.header.index == link.header.index {`