[libvirt] [PATCH 0/9] add DHCP snooping support to nwfilter

David L Stevens dlstevens at us.ibm.com
Mon May 9 20:00:05 UTC 2011


	The following series of patches replaces IP address learning in
network filtering with DHCP snooping. The existing address learning capability 
does not provide security since it relies on addresses used in initial packets
sent by the guest to determine an IP address. A spoofing guest can simply
arrange to send packets using the target address early on.
	With DHCP snooping, only addresses acknowledged by a DHCP server can
be used by the guest, and only for the given lease time if the address lease
is not renewed.
	The patches also add support for multiple IP addresses per interface.

The split:

p1 -add return & continue support
	Add support for "return" and "continue" in filters.
p2 -fix ARP input checks
	Fix a bug that breaks correct use of ARP by overfiltering.
p3 -add MAC check; split ARP into ARPMAC and ARPIP
	Support for multiple IP addresses in ARP checks, and allow for
	multiple MAC addresses in the future.
p4 -set default protocol policy to "DROP"; edit filters
	Change default protocol policy to "DROP", rather than adding explicit
	"DROP" rules at the end of all of them. This is for multiple address
	support.
p5 -optional "modify" (don't use temp, generate placeholder rules)
	Add support to dynamically add and remove filters without re-installing
	an entire chain.
p6 -addRules
	Add support for adding new rules to a chain incrementally. Remove
	support was already there.
p7 -ChangeVar support
	Add support to change chains that have a matching variable substitution
	to either add or delete rules with the given variable value (e.g., "IP").
p8 -add DHCP snooping
	The DHCP snooping code itself.
p9 -delete learnipaddr
	Clean up remaining learnipaddr infrastructure.
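
The DHCP snooping behaviour this cover letter describes, as an added illustration that is not part of the patch series or of libvirt's own code: a lease table learns (MAC, IP) bindings only from server-direction DHCPACKs, lets them expire at the end of the lease unless a renewal ACK arrives, and never learns anything from packets the guest itself sends. The packet builder, the `from_server` direction flag, and the sample addresses are assumptions made for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 option cookie after the BOOTP header
BOOTREPLY, DHCPACK = 2, 5
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255

def parse_dhcp(payload):
    """Return (op, chaddr, yiaddr, options) or None if this is not BOOTP/DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, hlen = payload[0], payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])          # address offered to the client
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)])
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != OPT_END:        # TLV options, bounds-checked
        if payload[i] == OPT_PAD:
            i += 1
            continue
        ln = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, chaddr, yiaddr, opts

class SnoopTable:
    """(mac, ip) -> lease expiry. Only ACKs seen in the server->guest direction add entries."""
    def __init__(self):
        self.leases = {}

    def observe(self, payload, from_server, now):
        p = parse_dhcp(payload)
        if p is None:
            return
        op, mac, yiaddr, opts = p
        mtype = (opts.get(OPT_MSG_TYPE) or b"\x00")[0]
        if from_server and op == BOOTREPLY and mtype == DHCPACK and OPT_LEASE_TIME in opts:
            lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
            self.leases[(mac, yiaddr)] = now + lease            # a renewal ACK simply extends this

    def allowed(self, mac, ip, now):
        expiry = self.leases.get((mac, ip))
        return expiry is not None and now < expiry

def build_dhcp(op, mac, ciaddr, yiaddr, mtype, lease=None):
    """Constructed sample packet (not a real capture): fixed header, cookie, type, lease, end."""
    fixed = struct.pack("!BBBBIHH4s4s8s16s192s", op, 1, 6, 0, 0x1234, 0, 0,
                        bytes(ciaddr), bytes(yiaddr), b"", bytes(mac), b"")
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    if lease is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])
```

A guest-crafted packet that looks like a DHCPACK but arrives from the guest side never populates the table, which is exactly the gap the old learning code left open.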
