[libvirt] [PATCH 0/9] add DHCP snooping support to nwfilter

David Stevens dlstevens at us.ibm.com
Wed May 11 21:25:04 UTC 2011


Stefan Berger/Watson/IBM wrote on 05/11/2011 11:59:21 AM:

> Looking at patch 8 I would assume you need to store the IP leases you track
> into a file so you can handle the cases of libvirt restart while a VM is
> running. How does the DHCP snooping currently deal with libvirt restarts or
> a SIGHUP to libvirt? Both I believe are currently rebuilding all filters
> when libvirt restarts and on those interfaces where it is necessary the
> learning will again start up.

        But the problem with that is a guest can circumvent the whole point of
the filters by tricking it into allowing an address not officially assigned
to it. With this patch set, the guest would have to recycle the interface
to trigger another DHCP request/ACK, but saving in a lease file is a better
idea; I'll look into that.
> 
> >    With DHCP snooping, only addresses acknowledged by a DHCP server can
> > be used by the guest, and only for the given lease time if the address lease
> > is not renewed.
> 
> How do you treat VMs with statically configured interfaces? Are they
> permanently blocked from sending?

        Just as with your learning code, if the IP variable is set, it'll
use that as the static address in the filters (and not require DHCP).

                                                                +-DLS
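As an added illustration of the lease-tracking model discussed in this thread (example code, not part of the patch set or of libvirt): one lease table per guest interface that admits only DHCP-ACKed addresses for their lease time, uses the static IP variable instead of DHCP when it is set, and serialises its leases so a libvirt restart does not force the guest to re-DHCP. It assumes the snooper has already parsed the ACK into MAC, IP and lease seconds; all MACs, addresses and timestamps are constructed.

```python
import json
from dataclasses import dataclass, asdict


@dataclass
class Lease:
    mac: str
    ip: str
    expires: float  # absolute time (seconds) at which the ACKed lease ends


class LeaseTable:
    """Addresses one guest interface may source packets from: the DHCP-ACKed
    leases, or the statically configured IP variable when the filter sets one."""

    def __init__(self, static_ip=None):
        self.static_ip = static_ip
        self.leases = {}  # client MAC -> Lease

    def on_dhcp_ack(self, mac, ip, lease_secs, now):
        # Only a server ACK authorises an address; a renewal replaces the entry.
        self.leases[mac] = Lease(mac, ip, now + lease_secs)

    def allowed_ips(self, now):
        if self.static_ip is not None:  # static guest: no DHCP required
            return {self.static_ip}
        # Drop leases that ran out without being renewed.
        self.leases = {m: l for m, l in self.leases.items() if l.expires > now}
        return {l.ip for l in self.leases.values()}

    def permits(self, src_ip, now):
        # Filter decision for a packet the guest tries to send from src_ip.
        return src_ip in self.allowed_ips(now)

    # Serialised lease state (the "lease file") survives a libvirt restart or
    # SIGHUP, so filters are rebuilt from known leases, not a fresh learning phase.
    def to_json(self):
        return json.dumps([asdict(l) for l in self.leases.values()])

    @classmethod
    def from_json(cls, text, static_ip=None):
        table = cls(static_ip)
        for d in json.loads(text):
            table.leases[d["mac"]] = Lease(**d)
        return table


if __name__ == "__main__":
    # Constructed sample: ACK at t=1000 grants 10.0.0.5 to the guest for 3600s.
    t = LeaseTable()
    t.on_dhcp_ack("52:54:00:aa:bb:cc", "10.0.0.5", 3600, now=1000)
    print(t.permits("10.0.0.5", 2000), t.permits("10.0.0.9", 2000))  # True False
    print(LeaseTable.from_json(t.to_json()).permits("10.0.0.5", 4601))  # False
```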
