[libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter
- From: David L Stevens <dlstevens us ibm com>
- To: libvir-list redhat com
- Subject: [libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter
- Date: Mon, 09 May 2011 13:02:51 -0700
The ARP protocol requires processing of packets that may not be
explicitly addressed to a host and only defines request and reply. This patch
removes the filtering of gratuitous ARPs and ARP requests, which must update
a VM's patch for correct function, and removes the unnecessary check for arpop
of request or reply.
Signed-off-by: David L Stevens <dlstevens us ibm com>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index c6c858d..fdd4e60 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,21 +12,6 @@
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
- <!-- drop if ipaddr or macaddr odes not belong to guest -->
- <rule action='drop' direction='in' priority='450' >
- <arp match='no' arpdstmacaddr='$MAC'/>
- <arp opcode='reply'/>
- </rule>
- <rule action='drop' direction='in' priority='500' >
- <arp match='no' arpdstipaddr='$IP' />
- </rule>
- <!-- accept only request or reply packets -->
- <rule action='accept' direction='inout' priority='600' >
- <arp opcode='request'/>
- </rule>
- <rule action='accept' direction='inout' priority='650' >
- <arp opcode='reply'/>
- </rule>
<!-- drop everything else -->
- <rule action='drop' direction='inout' priority='1000' />
+ <rule action='drop' direction='out' priority='1000' />
</filter>
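Review bot: the "drop everything else" comment above the final rule is now inaccurate, since that rule changes from direction='inout' to direction='out' and every direction='in' rule (priorities 450 and 500) is deleted, so this filter no longer restricts inbound ARP at all. Please update the comment to say "drop everything else outbound" and add a comment (and a sentence in the commit message) stating that inbound ARP is intentionally left unfiltered so gratuitous ARPs and requests not addressed to the guest's MAC can reach it; otherwise a reader of the example will assume inbound ARP is still being dropped. The removal of the opcode accept rules at priorities 600 and 650 also means opcode is no longer checked anywhere in the visible part of the file, which matches the commit message, but the example's filename (no-arp-spoofing.xml) is now carrying only the outbound arpsrcipaddr check at priority 400 as its spoofing protection, which is worth saying explicitly in the file header comment.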