[libvirt] [PATCH V10 0/7] Add DHCP snooping support to nwfilter

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Apr 18 22:48:46 UTC 2012


On 04/18/2012 04:54 PM, dennis jenkins wrote:
> On Tue, Apr 17, 2012 at 6:57 PM, Stefan Berger 
> <stefanb at linux.vnet.ibm.com> wrote:
>
>
>     Let me know when you tested it. I have pretty high confidence in
>     the correctness of the code now :-)
>
>     Regards,
>      Stefan
>
>
>
> Short version:
>
>     I got an error "internal error IP parameter must be provided since 
> snooping the IP address does not work possibly due to missing tools".  
> Off the top of my head, I don't know what I'm missing, but I'm 
> probably at fault for it.
>
> Gory details:
>
> First, I had a devil of a time getting libvirt to install on my Gentoo 
> system from the git repository.  I don't know if my method is causing 
> the error message that I will outline below.
>
> I installed libvirt (0.9.11?) from your git sources (checked out less than 
> one hour ago) directly on top of my existing Gentoo libvirt install 
> (0.9.10-r4).  I wanted to keep the Gentoo init scripts.  Some of the 
> older "0.9.10" ".so" files are lying around, but they are not in use 
> and can (hopefully) be ignored.
>
> This was my procedure:
> 1) emerge =libvirt-0.9.10-r4
> 2) cd /usr/src
> 3) git clone git://libvirt.org/libvirt.git libvirt
> 4) cd ./libvirt
> 5) ./autogen.sh
> 6) ./configure --prefix=/usr
> 7) make -j4
> 8)  ## Error about "libnl" not using a symbol (-Werror tripped me up).
> 9) ## (TL;DR - I forced Gentoo to update libnl to-1.1-r3)
> 10) make -j4
> 11) ## make backup of "/etc/libvirt", as "make install" will clobber 
> my config files.
> 12) make install
> 13) ## restore my "/etc/libvirt" on top of whatever "make install" 
> dropped there.
> 14) /etc/init.d/libvirt restart
> 15) virsh --version
>    0.9.11
> 16) virsh edit dwj-xp-msdev98
>    Added XML to enable DHCP snooping.  Result:
>
> <interface type='bridge'>
> <mac address='82:00:00:00:00:09'/>
> <source bridge='br0'/>
> <filterref filter='clean-traffic'>
> <parameter name='ip_learning' value='dhcp'/>
> </filterref>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' 
> function='0x0'/>
> </interface>
>
> 17) virsh start dwj-xp-msdev98
>
> ostara libvirt # virsh start dwj-xp-msdev98
> error: Failed to start domain dwj-xp-msdev98
> error: internal error IP parameter must be provided since snooping the 
> IP address does not work possibly due to missing tools
>
> ostara libvirt # virsh start dwj-xp-vs10
> Domain dwj-xp-vs10 started
>
> So libvirt is still working for VMs that I've not reconfigured for 
> DHCP snooping yet.
>
> Please advise on what I'm missing.


The support for DHCP snooping has not been checked into the repository yet. 
You would have to apply the patches from the ml.

Otherwise what seems to be missing is the package providing the ebtables 
tool.



>
> ps- I've reached out to the maintainer for the Gentoo "libvirt" 
> ebuilds with a bug report on building a proper libvirt from git 
> ("=app-emulation/libvirt-9999" in Gentoo speak).
>
> Additional info:
>
> My system has 2 physical NICs and one bridge.
>
>    1. eth0 = internal LAN, default gateway for LAN.
>    2. eth1 = my public IP (off of residential DSL)
>    3. br0 = totally internal to my server.  Not connected to either
>       eth0 or eth1.  Used by QEMU to create "vnetNNN" interfaces off of.
>
> I run a custom iptables ruleset to (very high level):
>
>    1. NAT traffic from eth0, br0 out eth1
>    2. block br0 from initiating a connection into eth0
>    3. permit traffic from eth0 to go into systems on br0
>
> I have a DHCP server running on the host, answering on eth0 and br0.
>
> I'm _not_ using QEMU's built-in "nat" method for assigning a NIC to a 
> VM ("virbr0" or whatever).
>
> Is my setup compatible with DHCP snooping by libvirt?
>

It should be.


Regards,
    Stefan
