[libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter

Stefan Berger stefanb at us.ibm.com
Wed May 11 19:20:50 UTC 2011


David Stevens/Beaverton/IBM at IBMUS wrote on 05/09/2011 04:04:47 PM:



> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index c5705c1..df1a012 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, 
> VIR_NWFILTER_EBTABLES_TABLE_LAST,
> 
>  VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
>                "root",
> -              "arp",
> +              "mac",
> +              "arpmac",
> +              "arpip",
>                "rarp",
>                "ipv4",
>                "ipv6");


The mac chain is there for supporting multiple MAC addresses per 
interface. What is the use case for having
multiple MAC addresses on an interface, and how do I set this up in a Linux 
guest, for example?

I am not sure whether we should remove a chain, i.e., the 'arp' chain 
here. Adding is ok. Maybe the existing chain 'arp' could be doing one part 
and 'arpmac' the other ?


> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index ef60b6b..4d60751 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -425,7 +425,9 @@ struct _virNWFilterEntry {
> 
>  enum virNWFilterChainSuffixType {
>      VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
> -    VIR_NWFILTER_CHAINSUFFIX_ARP,
> +    VIR_NWFILTER_CHAINSUFFIX_MAC,
> +    VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
> +    VIR_NWFILTER_CHAINSUFFIX_ARPIP,
>      VIR_NWFILTER_CHAINSUFFIX_RARP,
>      VIR_NWFILTER_CHAINSUFFIX_IPv4,
>      VIR_NWFILTER_CHAINSUFFIX_IPv6,
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
> nwfilter/nwfilter_ebiptables_driver.c
> index 39bd4a5..fa6f719 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -129,20 +129,24 @@ struct ushort_map {
> 
> 
>  enum l3_proto_idx {
> -    L3_PROTO_IPV4_IDX = 0,
> -    L3_PROTO_IPV6_IDX,
> -    L3_PROTO_ARP_IDX,
> +    L3_PROTO_MAC_IDX = 0,
> +    L3_PROTO_ARPMAC_IDX,
> +    L3_PROTO_ARPIP_IDX,
>      L3_PROTO_RARP_IDX,
> +    L3_PROTO_IPV4_IDX,
> +    L3_PROTO_IPV6_IDX,
>      L3_PROTO_LAST_IDX
>  };
> 
>  #define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, 
> .val = VAL }
> 
>  static const struct ushort_map l3_protocols[] = {
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP    , "ipv4"),
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6  , "ipv6"),
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP   , "arp"),
> -    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX,   0               , "mac"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX,  ETHERTYPE_IP    , "ipv4"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX,  ETHERTYPE_IPV6  , "ipv6"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP   , 
"arpmac"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP   , "arpip"),
> +    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX,  ETHERTYPE_REVARP, "rarp"),
>      USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0               , NULL),
>  };
> 
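Review bot: The new `mac` entry in l3_protocols carries 0 as its `.attr`, and `arpmac` and `arpip` both carry ETHERTYPE_ARP, so the table no longer maps one ethertype to one index; the hunk does not show the consumers of l3_protocols being adjusted for that. Any code that walks the table and emits an ethertype match per entry would now build a match on protocol 0 for the mac chain, and any reverse lookup by `.attr` would return L3_PROTO_ARPMAC_IDX for every ARP frame and never L3_PROTO_ARPIP_IDX — both hedged, since those callers are outside the hunk. A comment on the table would make the new contract explicit, e.g. `/* .attr is not unique: arpmac and arpip both use ETHERTYPE_ARP; 0 means no L3 protocol match (mac chain) */`. The missing space in `USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP` also breaks the column alignment the rest of the table keeps.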

Can you run a VM and do an 'ebtables -t nat -L' and post the output? I'd be 
curious what
the chains look like now with the 'clean-traffic' filter, without my having to 
apply the
patches and test them.

Regards,
   Stefan

