[libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter

Stefan Berger stefanb at linux.vnet.ibm.com
Mon May 23 20:09:51 UTC 2011


On 05/09/2011 04:02 PM, David L Stevens wrote:
> 	The ARP protocol requires processing of packets that may not be
> explicitly addressed to a host and only defines request and reply. This patch
> removes the filtering of gratuitous ARPs and ARP requests which must update
> a VM's patch for correct function and removes the unnecessary check for arpop
> of request or reply.
As for the gratuitous ARPs I believe what's missing is the usage of 
'ebtables ... -p ARP --arp-gratuitous' which presumably then lets the VM 
see the gratuitous ARP packets. This would then add

<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>

to the list below. I have a patch for that now, which is needed in any case.

For the other ARP requests I am not sure whether the VM needs to see all 
of them. If a VM sees an ARP request on an interface not directed for 
any of its IP addresses, why deliver the request at all? The VM cannot 
respond to it. Since we are filtering on ARP we may just as well drop it 
which likely saves a few processing cycles in the whole system. So I 
wouldn't remove the filtering.

    Stefan

> Signed-off-by: David L Stevens<dlstevens at us.ibm.com>
>
> diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
> index c6c858d..fdd4e60 100644
> --- a/examples/xml/nwfilter/no-arp-spoofing.xml
> +++ b/examples/xml/nwfilter/no-arp-spoofing.xml
> @@ -12,21 +12,6 @@
>      <rule action='drop' direction='out' priority='400'>
>          <arp match='no' arpsrcipaddr='$IP' />
>      </rule>
> -<!-- drop if ipaddr or macaddr odes not belong to guest -->
> -<rule action='drop' direction='in' priority='450'>
> -<arp match='no' arpdstmacaddr='$MAC'/>
> -<arp opcode='reply'/>
> -</rule>
> -<rule action='drop' direction='in' priority='500'>
> -<arp match='no' arpdstipaddr='$IP' />
> -</rule>
> -<!-- accept only request or reply packets -->
> -<rule action='accept' direction='inout' priority='600'>
> -<arp opcode='request'/>
> -</rule>
> -<rule action='accept' direction='inout' priority='650'>
> -<arp opcode='reply'/>
> -</rule>
>      <!-- drop everything else -->
> -<rule action='drop' direction='inout' priority='1000' />
> +<rule action='drop' direction='out' priority='1000' />
>   </filter>
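Review bot: after this hunk the chain has no rule left that looks at incoming ARP at all: both `direction='in'` drops (priorities 450 and 500) and both `direction='inout'` opcode accepts (600 and 650) are deleted, and the catch-all at priority 1000 is narrowed from `direction='inout'` to `direction='out'`, so every inbound ARP packet is admitted regardless of opcode or target address, which is wider than the commit message's stated aim of letting gratuitous ARPs and requests through. If only gratuitous ARP needs to get past the `arpdstipaddr` check, an explicit accept placed ahead of the priority-500 rule, e.g. `<rule action='accept' direction='in' priority='425'><arp gratuitous='true'/></rule>`, would admit it while still dropping requests aimed at other hosts' addresses; if dropping all opcode filtering is intended, the commit message should say so, since the removed 600/650 rules were the only ones distinguishing ARP opcodes.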
>
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
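As an added illustration of the disagreement above (my own example, not libvirt's nwfilter implementation and not part of the patch or the reply): a small Python evaluator that applies the incoming/outgoing ARP rules the patch removes, together with the priority-425 gratuitous-ARP accept rule from the reply, to a few constructed ARP packets, and reports which rule decides each one. It assumes nwfilter semantics as follows: rules are tried in ascending priority value and the first match wins, attributes inside one `<arp>` element are ANDed, `match='no'` inverts that element's result, several `<arp>` elements in one rule are ANDed, a gratuitous ARP is a packet whose sender and target IP are equal, and a rule with no `<arp>` child matches every ARP packet. The `$IP`/`$MAC` values and the sample packets are made up.

```python
# Added example (not libvirt code): a small evaluator for nwfilter-style
# ARP rules, used to see which rule decides the fate of each packet.
import xml.etree.ElementTree as ET

# Constructed filter: the incoming/outgoing ARP rules the patch removes,
# plus the priority-425 gratuitous-ARP accept rule proposed in the reply.
FILTER_XML = """\
<filter name='no-arp-spoofing' chain='arp'>
  <rule action='drop' direction='out' priority='400'>
    <arp match='no' arpsrcipaddr='$IP'/>
  </rule>
  <rule action='accept' direction='in' priority='425'>
    <arp gratuitous='true'/>
  </rule>
  <rule action='drop' direction='in' priority='450'>
    <arp match='no' arpdstmacaddr='$MAC'/>
    <arp opcode='reply'/>
  </rule>
  <rule action='drop' direction='in' priority='500'>
    <arp match='no' arpdstipaddr='$IP'/>
  </rule>
  <rule action='accept' direction='inout' priority='600'>
    <arp opcode='request'/>
  </rule>
  <rule action='accept' direction='inout' priority='650'>
    <arp opcode='reply'/>
  </rule>
  <rule action='drop' direction='inout' priority='1000'/>
</filter>
"""

# Constructed guest addresses standing in for the $IP / $MAC variables.
VARS = {"$IP": "192.0.2.10", "$MAC": "52:54:00:aa:bb:cc"}

# Rule attribute -> field of the packet dict it is compared against.
FIELDS = {
    "arpsrcipaddr": "src_ip", "arpdstipaddr": "dst_ip",
    "arpsrcmacaddr": "src_mac", "arpdstmacaddr": "dst_mac",
    "opcode": "opcode",
}

def arp_element_matches(elem, pkt):
    """True if one <arp .../> element matches pkt (assumptions: attributes
    are ANDed, match='no' inverts the result, gratuitous='true' matches when
    sender and target protocol address are equal)."""
    conds = []
    for attr, field in FIELDS.items():
        if attr in elem.attrib:
            want = VARS.get(elem.get(attr), elem.get(attr))
            conds.append(pkt[field] == want)
    if "gratuitous" in elem.attrib:
        is_grat = pkt["src_ip"] == pkt["dst_ip"]
        conds.append(is_grat == (elem.get("gratuitous") in ("true", "yes", "1")))
    hit = all(conds)  # an element with no attributes matches everything
    return not hit if elem.get("match", "yes") == "no" else hit

def evaluate(filter_xml, pkt):
    """Return (action, priority) of the first rule matching pkt: lower
    priority value is tried first, the rule's direction must cover the
    packet's, and all <arp> children must match (assumption: ANDed)."""
    root = ET.fromstring(filter_xml)
    rules = sorted(root.findall("rule"), key=lambda r: int(r.get("priority", "500")))
    for rule in rules:
        if rule.get("direction", "inout") not in ("inout", pkt["direction"]):
            continue
        if all(arp_element_matches(e, pkt) for e in rule.findall("arp")):
            return rule.get("action"), int(rule.get("priority"))
    return "accept", None  # assumption: no rule matched, packet left alone

def without_rule(filter_xml, priority):
    """Copy of the filter with the rule of the given priority removed."""
    root = ET.fromstring(filter_xml)
    for rule in root.findall("rule"):
        if int(rule.get("priority", "500")) == priority:
            root.remove(rule)
    return ET.tostring(root, encoding="unicode")

def arp(direction, opcode, src_ip, dst_ip, dst_mac="00:00:00:00:00:00",
        src_mac="52:54:00:11:22:33"):
    return dict(direction=direction, opcode=opcode, src_ip=src_ip,
                dst_ip=dst_ip, src_mac=src_mac, dst_mac=dst_mac)

# Constructed sample traffic as seen at the guest's interface.
PACKETS = {
    "request_for_guest": arp("in", "request", "192.0.2.20", VARS["$IP"]),
    "request_for_other_host": arp("in", "request", "192.0.2.20", "192.0.2.30"),
    "gratuitous_from_peer": arp("in", "request", "192.0.2.20", "192.0.2.20"),
    "reply_to_guest": arp("in", "reply", "192.0.2.20", VARS["$IP"], dst_mac=VARS["$MAC"]),
    "spoofed_outgoing": arp("out", "request", "192.0.2.99", "192.0.2.20", src_mac=VARS["$MAC"]),
    "legit_outgoing": arp("out", "request", VARS["$IP"], "192.0.2.20", src_mac=VARS["$MAC"]),
}

if __name__ == "__main__":
    no_grat = without_rule(FILTER_XML, 425)  # rule set as it stood before the reply
    for name, pkt in PACKETS.items():
        print(f"{name:24s} with 425: {evaluate(FILTER_XML, pkt)}  "
              f"without 425: {evaluate(no_grat, pkt)}")
```

Running it shows the two outcomes under discussion side by side: a request for some other host's address is dropped by the priority-500 `arpdstipaddr` rule whether or not the 425 rule exists (the point that the guest could not answer it anyway), while a gratuitous ARP from a peer is only admitted once the 425 rule sits ahead of that drop; outgoing spoofed source addresses are still caught by the priority-400 rule in both cases.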



