<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 04/13/2012 01:54 PM, dennis jenkins wrote:
<blockquote
cite="mid:CAAEzAp-HcBF36v3zAmmRbRM2KaEPHShAe6sQ-nrjc6WE4mHGRA@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Apr 13, 2012 at 10:09 AM, Stefan
Berger <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:stefanb@linux.vnet.ibm.com">stefanb@linux.vnet.ibm.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
This series of patches adds DHCP snooping support to libvirt's<br>
nwfilter subsystem.<br>
<br>
DHCP snooping detects DHCP leases obtained by a VM and
automatically<br>
adjusts the network traffic filters to reflect the IP
addresses<br>
with which a VM may send its traffic, thus for example
preventing<br>
IP address spoofing.<br>
Once leases on IP addresses expire or if a VM gives up on a<br>
lease on an IP address, the filters are also adjusted.<br>
All leases are persisted and automatically applied upon a VM's
restart.<br>
Leases are associated with the tuple of VM-UUID and interface
MAC<br>
address.<br>
<br>
The following interface XML activates and uses the DHCP
snooping:<br>
<br>
<interface type='bridge'><br>
<source bridge='virbr0'/><br>
<filterref filter='clean-traffic'><br>
<parameter name='ip_learning' value='dhcp'/><br>
</filterref><br>
</interface><br>
<br>
<br>
Regards,<br>
David and Stefan<br>
</blockquote>
</div>
<br>
<br>
Would libvirt (via the perl wrapper) be able to query the IP
address information?<br>
<br>
</blockquote>
<br>
Patch 7 is going to add this with DETECTED_IP in the parameter list
that then looks something like this:<br>
<br>
<interface type='bridge'><br>
<mac address='52:54:00:68:e3:90'/><br>
<source bridge='virbr0'/><br>
<target dev='vnet1'/><br>
<model type='virtio'/><br>
<filterref filter='clean-traffic'><br>
<parameter name='ip_learning' value='dhcp'/><br>
<parameter name='DETECTED_IP'
value='192.168.122.210'/><br>
</filterref><br>
<alias name='net0'/><br>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04'
function='0x0'/><br>
</interface><br>
<br>
Some other considerations:<br>
<br>
We should probably reserve some variables. This DETECTED_IP will be
read-only meaning no-one can set it by writing the XML. Then we have<br>
- IP: list of IP addresses use by an interface<br>
- MAC: MAC address of the interface<br>
- ip_learning: for choosing the IP detection mechanism (capital
letters??)<br>
- DHCPSERVER: for list of trusted DHCP servers<br>
<br>
Maybe the following should be also reserved<br>
<br>
- IPV6<br>
- DETECTED_IPV6<br>
- DHCPSERVER_IPV6<br>
<br>
independent of when they may be supported.<br>
<br>
Another idea may be whether this special variable DETECTED_IP could
be extended to include the lease and use it for migration, i.e.
DETECTED_IP=<ip addr>,<lease timeout> and then when
migrating we need to know that the XML is being parse due to
migration (rather than the XML coming from user input directly) and
that we can pick up its contents and feed it into the IP lease
mechanism. Just a thought for now. Maybe someone has a comment on
whether this is a good idea to begin with...<br>
<br>
Stefan<br>
<br>
</body>
</html>