<tt><font size=2>David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011
04:04:47 PM:<br>
<br>
<br>
<br>
> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c<br>
> index c5705c1..df1a012 100644<br>
> --- a/src/conf/nwfilter_conf.c<br>
> +++ b/src/conf/nwfilter_conf.c<br>
> @@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, <br>
> VIR_NWFILTER_EBTABLES_TABLE_LAST,<br>
>  <br>
>  VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,<br>
>                "root",<br>
> -              "arp",<br>
> +              "mac",<br>
> +              "arpmac",<br>
> +              "arpip",<br>
>                "rarp",<br>
>                "ipv4",<br>
>                "ipv6");</font></tt>
<br>
<br>
<br><tt><font size=2>The mac chain is there for supporting multiple MAC
addresses per interface. What is the use case for having</font></tt>
<br><tt><font size=2>multiple MAC addresses on an interface and how do I
set this up in a Linux guest for example?</font></tt>
<br>
<br><tt><font size=2>I am not sure whether we should remove a chain, i.e.,
the 'arp' chain here. Adding is ok. Maybe the existing chain 'arp' could
be doing one part and 'arpmac' the other ?</font></tt>
<br>
<br><tt><font size=2><br>
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h<br>
> index ef60b6b..4d60751 100644<br>
> --- a/src/conf/nwfilter_conf.h<br>
> +++ b/src/conf/nwfilter_conf.h<br>
> @@ -425,7 +425,9 @@ struct _virNWFilterEntry {<br>
>  <br>
>  enum virNWFilterChainSuffixType {<br>
>      VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,<br>
> -    VIR_NWFILTER_CHAINSUFFIX_ARP,<br>
> +    VIR_NWFILTER_CHAINSUFFIX_MAC,<br>
> +    VIR_NWFILTER_CHAINSUFFIX_ARPMAC,<br>
> +    VIR_NWFILTER_CHAINSUFFIX_ARPIP,<br>
>      VIR_NWFILTER_CHAINSUFFIX_RARP,<br>
>      VIR_NWFILTER_CHAINSUFFIX_IPv4,<br>
>      VIR_NWFILTER_CHAINSUFFIX_IPv6,<br>
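Review bot: The three new enumerators are inserted in the middle of `virNWFilterChainSuffixType`, so `VIR_NWFILTER_CHAINSUFFIX_RARP`, `VIR_NWFILTER_CHAINSUFFIX_IPv4` and `VIR_NWFILTER_CHAINSUFFIX_IPv6` each move up by two, and nothing in the header says what depends on that order. The string list given to `VIR_ENUM_IMPL(virNWFilterChainSuffix, ...)` in nwfilter_conf.c is in the same order, and the reordered `l3_proto_idx` in the ebiptables driver appears to mirror it minus the root entry. A later edit to only one of the three could therefore attach rules to the wrong chain name without any compile error. I would add a comment above the enum such as `/* order must match the VIR_ENUM_IMPL(virNWFilterChainSuffix) string list in nwfilter_conf.c */`, and state there whether the driver's index enum relies on it too. The enum body continues past the end of this hunk.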
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/<br>
> nwfilter/nwfilter_ebiptables_driver.c<br>
> index 39bd4a5..fa6f719 100644<br>
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c<br>
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c<br>
> @@ -129,20 +129,24 @@ struct ushort_map {<br>
>  <br>
> <br>
>  enum l3_proto_idx {<br>
> -    L3_PROTO_IPV4_IDX = 0,<br>
> -    L3_PROTO_IPV6_IDX,<br>
> -    L3_PROTO_ARP_IDX,<br>
> +    L3_PROTO_MAC_IDX = 0,<br>
> +    L3_PROTO_ARPMAC_IDX,<br>
> +    L3_PROTO_ARPIP_IDX,<br>
>      L3_PROTO_RARP_IDX,<br>
> +    L3_PROTO_IPV4_IDX,<br>
> +    L3_PROTO_IPV6_IDX,<br>
>      L3_PROTO_LAST_IDX<br>
>  };<br>
>  </font></tt>
<br><tt><font size=2>>  #define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL)
[IDX] = { .attr = ATT, <br>
> .val = VAL }<br>
>  <br>
>  static const struct ushort_map l3_protocols[] = {<br>
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP
   , "ipv4"),<br>
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6
 , "ipv6"),<br>
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP
  , "arp"),<br>
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP,
"rarp"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX,   0  
            , "mac"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX,  ETHERTYPE_IP
   , "ipv4"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX,  ETHERTYPE_IPV6
 , "ipv6"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP
  , "arpmac"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP
  , "arpip"),<br>
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX,  ETHERTYPE_REVARP,
"rarp"),<br>
>      USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0  
            , NULL),<br>
>  };<br>
>  </font></tt>
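Review bot: `l3_protocols[]` no longer has unique keys: `L3_PROTO_ARPMAC_IDX` and `L3_PROTO_ARPIP_IDX` both carry `ETHERTYPE_ARP`, and `L3_PROTO_MAC_IDX` carries `0`, the same `attr` as the terminating `L3_PROTO_LAST_IDX` entry. The code that reads the table is outside this hunk, but any lookup by EtherType would only ever reach the first ARP entry, and any loop that stops at `attr == 0` would stop at index 0 because `L3_PROTO_MAC_IDX = 0`. Either case would leave a chain without its jump from the root chain, so in a filter such as 'clean-traffic' the corresponding ARP or MAC checks would silently not be applied. Please confirm every consumer walks by index up to `L3_PROTO_LAST_IDX` or stops on `val == NULL`, and record that on the table, e.g. `/* attr is not unique (ARP twice, 0 for "mac"); iterate by index, never look up by attr */`.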
<br>
<br><tt><font size=2>Can you run a VM and do a 'ebtables -t nat -L' and
post the output? I'd be curious what</font></tt>
<br><tt><font size=2>the chains look like now with the 'clean-traffic'
filter without having to apply the</font></tt>
<br><tt><font size=2>patches and test them.</font></tt>
<br>
<br><tt><font size=2>Regards,</font></tt>
<br><tt><font size=2>   Stefan</font></tt>
<br>