[libvirt] [PATCH] nwfilter: let qemu's after-migration packet pass

Stefan Berger stefanb at us.ibm.com
Tue Apr 27 16:03:34 UTC 2010


Qemu currently sends an Ethernet packet with protocol id 0x835 once a VM
has been successfully migrated. The content of the packet looks like a
gratuitous RARP, just with the wrong protocol ID, which should be
0x8035. I wrote some filters to let either one of the packets pass and
am adapting the clean-traffic sample filter to use them. I am also
making some changes to the existing ARP filter, which was lacking a
test for the source MAC address.

Signed-off-by: Stefan Berger <stefanb at us.ibm.com>

---
 examples/xml/nwfilter/Makefile.am                 |    5 ++++-
 examples/xml/nwfilter/clean-traffic.xml           |    3 +++
 examples/xml/nwfilter/no-arp-spoofing.xml         |   13 ++++++++-----
 examples/xml/nwfilter/no-other-rarp-traffic.xml   |    4 ++++
 examples/xml/nwfilter/qemu-announce-self-rarp.xml |   14 ++++++++++++++
 examples/xml/nwfilter/qemu-announce-self.xml      |   13 +++++++++++++
 6 files changed, 46 insertions(+), 6 deletions(-)

Index: libvirt-acl/examples/xml/nwfilter/Makefile.am
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am
+++ libvirt-acl/examples/xml/nwfilter/Makefile.am
@@ -11,7 +11,10 @@ FILTERS = \
 	no-ip-spoofing.xml \
 	no-mac-broadcast.xml \
 	no-mac-spoofing.xml \
-	no-other-l2-traffic.xml
+	no-other-l2-traffic.xml \
+	no-other-rarp-traffic.xml \
+	qemu-announce-self.xml \
+	qemu-announce-self-rarp.xml
 
 EXTRA_DIST=$(FILTERS)
 
Index: libvirt-acl/examples/xml/nwfilter/qemu-announce-self-rarp.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/qemu-announce-self-rarp.xml
@@ -0,0 +1,14 @@
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+  <rule action='accept' direction='out' priority='500'>
+    <rarp opcode='Request_Reverse'
+          srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+          arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+          arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <rarp opcode='Request_Reverse'
+          dstmacaddr='ff:ff:ff:ff:ff:ff'
+          arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+          arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+  </rule>
+</filter>
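Review bot: The inbound rule (the `direction='in'` rule at the end of the file) accepts a RARP Request_Reverse whose payload sender and target MAC are the guest's own `$MAC`, but unlike the outbound rule it carries no `srcmacaddr` test on the Ethernet header, and nothing in the file says why a frame carrying the guest's own MAC is expected to arrive inbound at all. A one-line comment above that rule naming the case it covers (presumably the guest's own announce being reflected back after migration — confirm) would keep the next reader from "fixing" it by adding the Ethernet-level check or deleting the rule outright. Separately, this file is indented with two spaces while the other new files no-other-rarp-traffic.xml and qemu-announce-self.xml use four and the existing filters use three; one width across the example set would be better.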
Index: libvirt-acl/examples/xml/nwfilter/clean-traffic.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/clean-traffic.xml
+++ libvirt-acl/examples/xml/nwfilter/clean-traffic.xml
@@ -14,4 +14,7 @@
    <!-- preventing any other traffic than IPv4 and ARP -->
    <filterref filter='no-other-l2-traffic'/>
 
+   <!-- allow qemu to send a self-announce upon migration end -->
+   <filterref filter='qemu-announce-self'/>
+
 </filter>
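Review bot: The context comment two lines above the added filterref, `<!-- preventing any other traffic than IPv4 and ARP -->`, is no longer accurate once qemu-announce-self is referenced, because that filter accepts outbound frames with ethertype 0x835 and RARP. Update it, e.g. `<!-- preventing any other traffic than IPv4, ARP and qemu's post-migration announce (see below) -->`, or place the new filterref above it with its own comment so the two statements do not contradict each other. The enclosing `<filter>` element starts before this hunk.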
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-arp-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,27 +1,30 @@
 <filter name='no-arp-spoofing' chain='arp'>
    <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+   <rule action='drop' direction='out' priority='300' >
+       <mac match='no' srcmacaddr='$MAC'/>
+   </rule>
 
    <!-- no arp spoofing -->
    <!-- drop if ipaddr or macaddr does not belong to guest -->
-   <rule action='drop' direction='out' priority='400' >
+   <rule action='drop' direction='out' priority='350' >
        <arp match='no' arpsrcmacaddr='$MAC'/>
    </rule>
    <rule action='drop' direction='out' priority='400' >
        <arp match='no' arpsrcipaddr='$IP' />
    </rule>
    <!-- drop if ipaddr or macaddr odes not belong to guest -->
-   <rule action='drop' direction='in' priority='400' >
+   <rule action='drop' direction='in' priority='450' >
        <arp match='no' arpdstmacaddr='$MAC'/>
        <arp opcode='reply'/>
    </rule>
-   <rule action='drop' direction='in' priority='400' >
+   <rule action='drop' direction='in' priority='500' >
        <arp match='no' arpdstipaddr='$IP' />
    </rule>
    <!-- accept only request or reply packets -->
-   <rule action='accept' direction='inout' priority='500' >
+   <rule action='accept' direction='inout' priority='600' >
        <arp opcode='request'/>
    </rule>
-   <rule action='accept' direction='inout' priority='500' >
+   <rule action='accept' direction='inout' priority='650' >
        <arp opcode='reply'/>
    </rule>
    <!-- drop everything else -->
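Review bot: The new priority-300 rule that drops outbound frames whose Ethernet `srcmacaddr` is not `$MAC` is inserted above the `<!-- no arp spoofing -->` comment with no comment of its own, so it reads as unrelated to the spoofing checks it tightens. Suggest `<!-- drop if the ethernet source mac does not belong to the guest -->` directly above it, and widening the existing comment, which only mentions the ARP-level ipaddr/macaddr tests. The renumbering to 300/350/400/450/500/600/650 appears intended to make every drop strictly precede the inout accepts at 600/650; a short comment stating that ordering assumption would help, since a rule added later without an explicit priority could otherwise land among them. While here, `odes` in the unchanged context comment is a typo for `does`.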
Index: libvirt-acl/examples/xml/nwfilter/no-other-rarp-traffic.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-other-rarp-traffic.xml
@@ -0,0 +1,4 @@
+<filter name='no-other-rarp-traffic' chain='rarp'>
+    <rule action='drop' direction='inout' priority='1000'/>
+</filter>
+
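Review bot: The single rule has no protocol element, so it matches every packet in the rarp chain, yet the file does not say that it is the chain's catch-all and that it only does the right thing because the accept rules in qemu-announce-self-rarp.xml sit at priority 500, below its 1000. A comment such as `<!-- drop any RARP not accepted by an earlier (lower priority number) rule -->` above the rule would make that dependency visible to whoever adds the next RARP filter. The added empty line after `</filter>` also leaves a trailing blank line at the end of the new file.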
Index: libvirt-acl/examples/xml/nwfilter/qemu-announce-self.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/qemu-announce-self.xml
@@ -0,0 +1,13 @@
+<filter name='qemu-announce-self' chain='root'>
+    <!-- as of 4/26/2010 qemu sends out a bogus packet with
+         wrong rarp protocol ID -->
+    <!-- accept what is being sent now -->
+    <rule action='accept' direction='out'>
+        <mac protocolid='0x835'/>
+    </rule>
+
+    <!-- accept if it was changed to rarp -->
+    <filterref filter='qemu-announce-self-rarp'/>
+    <filterref filter='no-other-rarp-traffic'/>
+
+</filter>
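Review bot: The accept rule for ethertype 0x835 constrains nothing but the protocol id, so any outbound frame the guest emits with that ethertype is accepted regardless of its source MAC, whereas the RARP variant in qemu-announce-self-rarp.xml binds both the Ethernet and payload MACs to `$MAC`. Bind the Ethernet source the same way: `<mac protocolid='0x835' srcmacaddr='$MAC'/>`. Whether no-mac-spoofing would reject such a frame first depends on the relative priorities of that filter and of this rule, which states none here, so the explicit check is cheaper than reasoning about evaluation order. The comment date `4/26/2010` is ambiguous outside the US; `2010-04-26` would read unambiguously.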



