[Date Prev][Date Next] [Thread Prev][Thread Next]
Re: [libvirt] [libvirt PATCHv3 03/10] reverse sense of address matching
- From: Stefan Berger <stefanb linux vnet ibm com>
- To: David Stevens <dlstevens us ibm com>
- Cc: libvir-list redhat com
- Subject: Re: [libvirt] [libvirt PATCHv3 03/10] reverse sense of address matching
- Date: Tue, 25 Oct 2011 19:08:28 -0400
On 10/25/2011 03:41 PM, David Stevens wrote:
The current (proposed) iterator does this, it produces every combination
of IP and MAC list items. The question is whether this is the correct
way of producing the filtering rules. On the one side one could say that
the VM (or nested VMs) owns all the given MAC and IP addresses and can
produce any combination of them. So we'll have m*n combinations ->
Another possibility would be to walk the lists of MAC and IP addresses
parallel, i.e. produce a rule for $MAC and $IP, another one for
$MAC[n] and $IP[n], thus enforcing the association of IP and MAC
addresses. We'd have O(n) evaluations, though the number of rules to
evaluate should not drive how this works, but obviously 'correctness'.
If we split the evaluation into two chains (one for IP , the other for
MAC checking) we allow all combinations. Complexity is O(2*n) -> O(n).
Stefan Berger<stefanb linux vnet ibm com> wrote on 10/25/2011 12:01:05
So the intention here was to remove the 'arp' chain. With it staying now
I suppose this patch and the allow-arpmac and allow-arpip aren't needed.
diff --git a/examples/xml/nwfilter/allow-arpip.xml b/examples/xml/
The intention was to separate MAC and IP address matching to be their
own chains to make adding and removing addresses dynamically easy. If you
do this in one chain with "IP=X and MAC=Y -j ACCEPT", then you need
every combination of IP and MAC address as a rule. If you separate them
So what should be correct?Fixed IP - MAC association or allow any
combination of them? Maybe we leave it as proposed (two chains) for now
and modify the iterator to process multiple lists' elements in parallel...
into MAC matching and protocol matching chains, you need one rule
per MAC and IP address. After doing that, the ARP chain was empty, since
that's all the standard chain had.
Yes, fine. For backwards compatibility purposes the 'arp' chain will remain.
With the arp chain remaining we can keep the existing filter 'allow-arp'
and don't need the one proposed in this patch.
new file mode 100644
@@ -0,0 +1,3 @@
+<filter name='allow-arpip' chain='arpip'>
+<rule direction='inout' action='accept'/>
Seems no necessary following above.
I don't understand this comment.
I didn't test with a well-known DHCP server, so I was not sure whether
the rule would actually be used. Following the DHCP protocol fields one
could broadcast and put the IP address of the server into the server
address field in the DHCP protocol and if the protocol was to support it
that way only that server could respond
This reshuffeling might make it more intuitive but isn't necessary.
I didn't say it was the only way to support multiple addresses. :-)
It uses nMAC + nIP rules, instead of nMAC X nIP rules to match every
combination of MAC and IP addresses in the original ARP chain.
+<rule action='return' direction='out' priority='410'>
+<arp match='yes' arpsrcipaddr='0.0.0.0' />
Under what circumstances is the stack allowed to send a 0.0.0.0 as a
response to an ARP request (presumably)? Form what I see 0.0.0.0 could
be any machine whose interface is not configured. At least when using
DHCP the VM would broadcast the request without prior sending of an ARP
request (of course) and from what I remember the DHCP server then sends
the response back to the MAC address it has received the request from
also without ARP request.
This isn't a requirement, but in general, the filters are placing
restrictions on packets that have nothing to do with spoofing and are
not part of the underlying protocols. A host without an IP address
can use source address "0.0.0.0" legally by the protocols in cases besides
sending a DHCP request, DHCP requests need not be MAC broadcast or sent
to the all-hosts broadcast address (e.g., if firmware configured a
preferred server (unicast MAC and/or IP), or knows the subnet and uses
a directed broadcast). ARP requests received from other machines need
not be addressed to this VM to be processed and update the cache.
By restricting these cases, the filters prevent VMs from doing
protocol-legal things that have nothing to do with spoofing. It simply
breaks unusual configurations unnecessarily.
I was planning to submit clean-up patches to remove all these
restrictions I found after my primary concern (DHCP snooping) is done.
I threw in some of them along with the multiple address support in
the version that did that, but they really are separate fixes that
have nothing to do with either multiple address support or DHCP
In the end, base anti-spoofing rules should prevent a VM from
masquerading as someone else, and allow everything else.
[Date Prev][Date Next] [Thread Prev][Thread Next]