[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

Stefan Berger stefanb at linux.vnet.ibm.com
Wed May 11 23:41:41 UTC 2011


On 05/10/2011 05:28 AM, Daniel P. Berrange wrote:
> On Mon, May 09, 2011 at 01:12:10PM -0700, David L Stevens wrote:
>> This patch removes remaining pieces of IP address learning.
> Do we actually want to do this?  This is effectively causing a
> regression in functionality for anyone who's relying on the
> current IP learning support, but who does not use DHCP.
>
> I'm inclined to say that we should have a configuration
> parameter in /etc/libvirt/qemu.conf  (or /etc/libvirt/nwfilter.conf)
> to specify the learning method, and perhaps to also specify
> a particular DHCP server address (otherwise one guest could
> run a malicious DHCP server and hand out addrs to other
> guests). So perhaps:
>
>     ip_learning="none|arp|dhcp"
>     dhcp_server="192.2.2.43"
You'd need a trusted dhcp_server for every possible VLAN (802.1Q)...

   Stefan



