[libvirt] [PATCHv3 0/9] Let libvirt manage a bridge's MAC table

Laine Stump laine at laine.org
Mon Dec 8 16:00:00 UTC 2014


The idea behind these patches is the following:

1) most virtual machines only have a single MAC address behind each
interface, and that MAC address is known by libvirt.

2) If we (i.e. libvirt) manually add an entry to the bridge's
forwarding database (fdb) for the MAC address associated with a port
on the bridge, we can turn off learning and unicast_flooding for that
port.

3) kernels starting with 3.15 (and actually working correctly starting
in kernel 3.17) will notice that all of a bridge's ports have flood
and learning turned off, and in that case will turn off promiscuous
mode on all ports. If all but one of the ports have flood/learning
turned off, then promiscuous will be turned off on that port (and left
on for all the other ports).

4) When (4) can be done, there is a measurable performance
advantage. It can also *kind of* help security, as it will prevent a
guest from doing anything useful if it changes its MAC address (but
won't prevent the guest from *sending* packets with a spoofed MAC
address).

NB: These only work with a fixed MAC address, and no vlan tags set in
the guest. Support for both of those will be coming.

This series is the same as V2, which was previously ACKed (pending final determination of attribute name):

  https://www.redhat.com/archives/libvir-list/2014-December/msg00173.html

but with the name of the attribute changed - in V2 it was:

   fdb="learnWithFlooding|managed"

and it is now:

   macTableManager="kernel|libvirt"

which more accurately reflects what is being controlled with the attribute.

Laine Stump (9):
  util: new functions for setting bridge and bridge port attributes
  util: functions to manage bridge fdb (forwarding database)
  conf: new network bridge device attribute macTableManager
  network: save bridge name in ActualNetDef when actualType==network too
  network: store network macTableManager setting in NetDef actual object
  network: setup bridge devices for macTableManager='libvirt'
  qemu: setup tap devices for macTableManager='libvirt'
  qemu: always use virDomainNetGetActualBridgeName to get interface's
    bridge
  lxc: always use virDomainNetGetActualBridgeName to get interface's
    bridge

 docs/formatnetwork.html.in                         |  50 ++-
 docs/schemas/network.rng                           |   9 +
 src/conf/domain_conf.c                             | 130 ++++---
 src/conf/domain_conf.h                             |   2 +
 src/conf/network_conf.c                            |  51 ++-
 src/conf/network_conf.h                            |  11 +
 src/libvirt_private.syms                           |  11 +
 src/lxc/lxc_driver.c                               |  26 +-
 src/lxc/lxc_process.c                              |  26 +-
 src/network/bridge_driver.c                        |  78 +++++
 src/qemu/qemu_command.c                            |  53 +--
 src/qemu/qemu_hotplug.c                            |  54 +--
 src/util/virnetdevbridge.c                         | 382 ++++++++++++++++++++-
 src/util/virnetdevbridge.h                         |  44 ++-
 tests/networkxml2xmlin/host-bridge-no-flood.xml    |   6 +
 .../nat-network-explicit-flood.xml                 |  21 ++
 tests/networkxml2xmlout/host-bridge-no-flood.xml   |   6 +
 .../nat-network-explicit-flood.xml                 |  23 ++
 tests/networkxml2xmltest.c                         |   2 +
 19 files changed, 796 insertions(+), 189 deletions(-)
 create mode 100644 tests/networkxml2xmlin/host-bridge-no-flood.xml
 create mode 100644 tests/networkxml2xmlin/nat-network-explicit-flood.xml
 create mode 100644 tests/networkxml2xmlout/host-bridge-no-flood.xml
 create mode 100644 tests/networkxml2xmlout/nat-network-explicit-flood.xml

-- 
1.9.3
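As an added illustration of the per-port state described in the cover letter (this is not code from the series or from libvirt), the following POSIX shell functions read a port's `learning` and `unicast_flood` attributes from sysfs and work out which ports the 3.17+ kernel rule leaves in promiscuous mode. `SYSFS_ROOT`, the `br0`/`vnet*` names and the static-only setter are assumptions made so the check can be run against a constructed sysfs tree; the fdb entry libvirt adds alongside these attributes is not created here.

```shell
#!/bin/sh
# Added example; not part of the libvirt series. SYSFS_ROOT is an assumption
# so the functions can be pointed at a constructed tree; on a live host it
# defaults to /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# port_attr BRIDGE PORT ATTR -> value of /sys/class/net/BRIDGE/brif/PORT/ATTR
port_attr() {
    cat "$SYSFS_ROOT/class/net/$1/brif/$2/$3" 2>/dev/null
}

# port_is_static BRIDGE PORT -> success when learning and unicast flooding are
# both disabled, i.e. the state the series sets for macTableManager='libvirt'
port_is_static() {
    [ "$(port_attr "$1" "$2" learning)" = 0 ] &&
    [ "$(port_attr "$1" "$2" unicast_flood)" = 0 ]
}

# set_port_static BRIDGE PORT -> disable learning and unicast flooding only.
# libvirt additionally installs a static fdb entry for the port's MAC
# (bridge fdb add <mac> dev <port> master static); that step is omitted here.
set_port_static() {
    echo 0 > "$SYSFS_ROOT/class/net/$1/brif/$2/learning"
    echo 0 > "$SYSFS_ROOT/class/net/$1/brif/$2/unicast_flood"
}

# promisc_ports BRIDGE -> prints, one per line, the ports the kernel keeps in
# promiscuous mode under the rule in the cover letter:
#   every port static          -> none
#   exactly one port learning  -> all ports except that one
#   two or more ports learning -> every port
promisc_ports() {
    br=$1; all=""; learning=""; n=0
    for d in "$SYSFS_ROOT/class/net/$br/brif"/*; do
        [ -d "$d" ] || continue
        p=${d##*/}
        all="$all $p"
        if ! port_is_static "$br" "$p"; then
            learning="$learning $p"; n=$((n + 1))
        fi
    done
    case $n in
        0) ;;
        1) for p in $all; do [ "$p" = "${learning# }" ] || echo "$p"; done ;;
        *) for p in $all; do echo "$p"; done ;;
    esac
}
```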
