[libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Oct 12 21:02:59 UTC 2011


David,

   I have unfortunately missed v2 of this and in the meantime (since 
after V1) I had been thinking about this a bit.

   The problem we're having at the moment is that it's not possible to 
evaluate fields of packets that may have more than one possible value. 
This is the general problem, the specific one being allowing multiple 
MAC or IP addresses. This problem requires us to enable more tables 
along with jumps to those tables. I think we should solve this in a more 
general way. What we seem to need for this are tables that are connected 
to the 'root table' of an interface and tables that are not connected to 
the 'root table'. So for now we handle arp, rarp, ipv4 and ipv6 from 
that 'root' table using '-p arp -j <table>' to jump to an 
ARP-specific table, for example, the protocol being the decision point 
here ('-p'). So now maybe what we should do is allow users to define 
tables with prefixes 'arp', 'ipv4' and 'ipv6' and have all of them 
connected to the root table and jump into them using '-p'. There could 
be an arp table, an 'arp-xyz' table and all of them would be connected 
to that root table -- the question is just in what order. Maybe 
alphabetical order, with arp and rarp still being always treated after 
ipv4 and ipv6. Then to realize the other 'loose tables' they could maybe 
all be required to have a prefix 'ud-' for 'user-defined'. Those would 
then just be created but not accessed from the 'root table' of an 
interface but from those connected to an interface's 'root table'. Does 
this sound reasonable?

    Stefan


On 10/12/2011 03:50 PM, David L Stevens wrote:
> This series of patches adds DHCP snooping support to libvirt. This version
> saves leases on disk for restoration after a libvirtd restart and allows
> selection of different ip_learning methods by setting filter parameter
> "ip_learning" to one of "any" (existing IP learning code) "none" (static only
> addresses) or "DHCP" (DHCP Snooping).
>
> This code does not (yet) support passing lease information across a migration.
> A migrated guest requires a DHCP ACK (e.g., via ifdown/ifup on the guest) to
> send/receive traffic for DHCP-learned addresses after a migration.
>
> Differences from v2: added support for multiple static IP addresses using
>                       a comma-separated list.
>
> David L Stevens (10):
>    support continue/return
>    allow required ARP packets
>    reverse sense of address matching
>    make default chain policy "DROP"
>    allow chain modification
>    support addRules
>    support variable value changing
>    add DHCP snooping
>    add leasefile support
>    support multiple static IP addresses
>
>   examples/xml/nwfilter/Makefile.am               |    5 +-
>   examples/xml/nwfilter/allow-arp.xml             |    5 +-
>   examples/xml/nwfilter/allow-arpip.xml           |    3 +
>   examples/xml/nwfilter/allow-arpmac.xml          |    3 +
>   examples/xml/nwfilter/clean-traffic.xml         |    6 +-
>   examples/xml/nwfilter/no-arp-spoofing.xml       |   38 +-
>   examples/xml/nwfilter/no-arpip-spoofing.xml     |   10 +
>   examples/xml/nwfilter/no-arpmac-spoofing.xml    |    5 +
>   examples/xml/nwfilter/no-ip-spoofing.xml        |    9 +-
>   examples/xml/nwfilter/no-mac-spoofing.xml       |   10 +-
>   examples/xml/nwfilter/no-other-l2-traffic.xml   |   13 +-
>   examples/xml/nwfilter/no-other-rarp-traffic.xml |    3 -
>   examples/xml/nwfilter/qemu-announce-self.xml    |    1 -
>   src/Makefile.am                                 |    2 +
>   src/conf/nwfilter_conf.c                        |   12 +-
>   src/conf/nwfilter_conf.h                        |   16 +-
>   src/nwfilter/nwfilter_dhcpsnoop.c               |  938 +++++++++++++++++++++++
>   src/nwfilter/nwfilter_dhcpsnoop.h               |   36 +
>   src/nwfilter/nwfilter_driver.c                  |    5 +
>   src/nwfilter/nwfilter_ebiptables_driver.c       |  225 +++++--
>   src/nwfilter/nwfilter_gentech_driver.c          |  225 +++++-
>   src/nwfilter/nwfilter_gentech_driver.h          |   11 +
>   22 files changed, 1445 insertions(+), 136 deletions(-)
>   create mode 100644 examples/xml/nwfilter/allow-arpip.xml
>   create mode 100644 examples/xml/nwfilter/allow-arpmac.xml
>   create mode 100644 examples/xml/nwfilter/no-arpip-spoofing.xml
>   create mode 100644 examples/xml/nwfilter/no-arpmac-spoofing.xml
>   delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
>   create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.c
>   create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.h
>
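Added example, not part of this thread and not libvirt's own code: a small Python model of the table layout Stefan proposes in his reply above. It classifies filter tables by their prefix ('ipv4', 'ipv6', 'arp', 'rarp' hang off an interface's root table and are dispatched with '-p'; 'ud-' tables are created but never jumped to from the root), orders the connected tables the way he suggests (alphabetical, with arp/rarp after ipv4/ipv6), and emits the ebtables commands that would realise it. The root chain name 'libvirt-<iface>', the use of the nat table, and the hex ethertypes used with '-p' are assumptions of this example; the default-DROP policy mirrors the "make default chain policy DROP" item in David's series summary. The check that rejects a table matching no known prefix is the one a practitioner wants here: such a table would be created but never reached, so its rules would silently not apply.

```python
# Model of the proposed root-table / connected-table / loose-table layout.
# Assumptions (not from the thread): root chain name, nat table, hex ethertypes.
import re
from typing import List

# Ethertype that '-p' selects on in the root chain for each connected prefix.
PROTO_ETHERTYPE = {
    "ipv4": "0x0800",
    "ipv6": "0x86DD",
    "arp":  "0x0806",
    "rarp": "0x8035",
}
# Ordering rule from the reply: IP tables first, ARP/RARP after,
# alphabetical inside each group.
GROUP_RANK = {"ipv4": 0, "ipv6": 0, "arp": 1, "rarp": 1}
LOOSE_PREFIX = "ud-"  # user-defined tables: created, never jumped to from root

_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def classify(table: str) -> str:
    """Return the protocol prefix of a connected table ('ipv4', 'arp', ...),
    'ud' for a loose user-defined table, and reject any name the scheme
    cannot place (it would exist but never be reached from the root)."""
    if not _NAME.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    if table.startswith(LOOSE_PREFIX):
        return "ud"
    for prefix in PROTO_ETHERTYPE:
        if table == prefix or table.startswith(prefix + "-"):
            return prefix
    raise ValueError(f"table {table!r} matches no known prefix; "
                     "it would never be reached from the root table")


def order_connected(tables: List[str]) -> List[str]:
    """Order the tables that hang off the root chain: ipv4/ipv6 before
    arp/rarp, alphabetical within each group."""
    connected = [t for t in tables if classify(t) != "ud"]
    return sorted(connected, key=lambda t: (GROUP_RANK[classify(t)], t))


def plan_chains(iface: str, tables: List[str]) -> List[str]:
    """Produce the ebtables commands that realise the layout for one interface.
    Root chain name 'libvirt-<iface>' and the nat table are assumptions."""
    root = f"libvirt-{iface}"
    cmds = [f"ebtables -t nat -N {root}"]
    # Every table is created, whether or not the root dispatches into it.
    for t in sorted(set(tables)):
        cmds.append(f"ebtables -t nat -N {t}")
    # Only connected tables get a '-p <ethertype> -j <table>' from the root,
    # in the agreed order; loose 'ud-' tables are reachable only from rules
    # inside a connected table (not modelled here).
    for t in order_connected(tables):
        proto = PROTO_ETHERTYPE[classify(t)]
        cmds.append(f"ebtables -t nat -A {root} -p {proto} -j {t}")
    # Anything the root does not dispatch is dropped (default DROP policy).
    cmds.append(f"ebtables -t nat -P {root} DROP")
    return cmds


if __name__ == "__main__":
    # Constructed sample: one plain and one suffixed arp table, both IP
    # tables, rarp, and a loose user-defined table.
    sample = ["arp-xyz", "ud-dhcp-leases", "ipv6", "arp", "ipv4", "rarp"]
    for cmd in plan_chains("vnet0", sample):
        print(cmd)
```

Running the block prints the chain creation commands followed by the root-chain jumps in the order ipv4, ipv6, arp, arp-xyz, rarp; the 'ud-dhcp-leases' table is created but no '-j' into it is emitted from the root.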