[libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter

David Stevens dlstevens at us.ibm.com
Wed May 11 21:53:33 UTC 2011



Stefan Berger/Watson/IBM wrote on 05/11/2011 12:20:49 PM:
>
> The mac chain is there for supporting multiple MAC addresses per
> interface. What is the use case for having
> multiple MAC address on an interface and how do I set this up in a
> Linux guest for example?

	I don't know if Linux guests support it now, but I wanted to
eliminate the unnecessary requirement from nwfilter. Most real NICs
support multiple MAC addresses; failover mechanisms can make use of
it (e.g., by moving a MAC address from one device to another one that
already has one).
	But the feature in nwfilter is more generally useful since it
allows a host administrator to assign a set of legal MAC addresses
to a VM and the VM user can choose/use any one of them at run time.
	Of course, VM users may have other reasons for wanting multiple
MAC addresses on the same interface; the real point is that there's
no technical reason to restrict it within nwfilter.

> I am not sure whether we should remove a chain, i.e., the 'arp'
> chain here. Adding is ok. Maybe the existing chain 'arp' could be
> doing one part and 'arpmac' the other ?

	I renamed it to make it clearer what fields specifically each is
checking for ARP. If you're concerned about compatibility with existing
filters, we could either leave "arp" as an empty stub, or put one or the
other of arpip or arpmac under that name. But this, as with the "drop"
policy change, I think comes down to my belief that administrators have
to revisit existing custom filters if we make any change whatsoever to
the set in examples. So, I made that set self-consistent, but any filters
that rely on changing any of them need to be reworked for any change.
Independent custom filters aren't affected, of course.

>
> Can you run a VM and do a 'ebtables -t nat -L' and post the output.
> I'd be curious how
> the chains look like now with the 'clean-traffic' filter without
> having to apply the
> patches and test them.

<two stages -- before DHCP ACK and after below>

Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p 0x8035 -j O-vnet0-rarp
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-ipv4, entries: 1, policy: DROP
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN

Bridge chain: O-vnet0-ipv4, entries: 1, policy: DROP
-j ACCEPT

Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-arpip, entries: 1, policy: DROP
-p ARP --arp-ip-src 0.0.0.0 -j RETURN

Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse
    --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
    --arp-mac-dst 54:0:0:0:0:1 -j ACCEPT

Bridge chain: O-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
   --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
   --arp-mac-dst 54:0:0:0:0:1 -j ACCEPT

[after DHCP ACK]
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p 0x8035 -j O-vnet0-rarp
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-ipv4, entries: 2, policy: DROP
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN
-p IPv4 --ip-src 10.0.0.1 -j RETURN

Bridge chain: O-vnet0-ipv4, entries: 1, policy: DROP
-j ACCEPT

Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-arpip, entries: 2, policy: DROP
-p ARP --arp-ip-src 0.0.0.0 -j RETURN
-p ARP --arp-ip-src 10.0.0.1 -j RETURN

Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse
   --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
   --arp-mac-dst 54:0:0:0:0:1 -j ACCEPT

Bridge chain: O-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
    --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
    --arp-mac-dst 54:0:0:0:0:1 -j ACCEPT

thanks,
	+-DLS
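The two listings above differ only in the rules the DHCP ACK adds to I-vnet0-ipv4 and I-vnet0-arpip. The following is an added example, not code from the original post or from libvirt: it parses the inbound chains of the "before DHCP ACK" listing (copied from the post, outbound chains omitted since PREROUTING never reaches them), walks them the way ebtables does, and then appends the two RETURN rules the "after" listing shows, so the effect on guest traffic can be checked offline. The frame field names, the option subset in OPTIONS, and the spoofed address 10.0.0.99 are assumptions of this example.

```python
"""Added example, not libvirt code or code from the original post: parse the
inbound chains copied from the post's "before DHCP ACK" ebtables listing,
evaluate constructed guest frames the way ebtables would, then append the two
RETURN rules the post's "after DHCP ACK" listing gained. Assumptions: only
the options used in the post are modelled; outbound chains are omitted."""
import re

GUEST_MAC = "54:0:0:0:0:1"
LISTING = """\
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0
Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP
Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN
Bridge chain: I-vnet0-ipv4, entries: 1, policy: DROP
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN
Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN
Bridge chain: I-vnet0-arpip, entries: 1, policy: DROP
-p ARP --arp-ip-src 0.0.0.0 -j RETURN
Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse
    --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
    --arp-mac-dst 54:0:0:0:0:1 -j ACCEPT
"""
# ebtables match option -> frame field (only the options the post's rules use)
OPTIONS = {"-i": "in_if", "-p": "proto", "-s": "src_mac", "-d": "dst_mac",
           "--ip-src": "ip_src", "--ip-proto": "ip_proto", "--ip-sport": "ip_sport",
           "--arp-op": "arp_op", "--arp-ip-src": "arp_ip_src",
           "--arp-ip-dst": "arp_ip_dst", "--arp-mac-src": "arp_mac_src",
           "--arp-mac-dst": "arp_mac_dst"}

def parse_listing(text):
    """{chain: {"policy", "rules": [tokens]}}; indented lines continue a rule."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Bridge chain: ([^,]+), entries: \d+, policy: (\w+)", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.startswith("-"):
            cur["rules"].append(line.split())
        elif line.strip():
            cur["rules"][-1].extend(line.split())
    return chains

def rule_matches(tokens, frame):
    """Every option before -j must equal the frame field; a missing field never matches."""
    opts = tokens[:tokens.index("-j")]
    for opt, val in zip(opts[::2], opts[1::2]):
        if opt not in OPTIONS:
            raise ValueError(f"option {opt} is not modelled")
        if frame.get(OPTIONS[opt]) != val:
            return False
    return True

def walk(chains, name, frame):
    """ebtables traversal: first ACCEPT/DROP wins, RETURN goes back to the
    caller, a chain name recurses, the chain policy applies if nothing matched."""
    for tokens in chains[name]["rules"]:
        if not rule_matches(tokens, frame):
            continue
        target = tokens[tokens.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        result = walk(chains, target, frame)
        if result != "RETURN":
            return result
    return chains[name]["policy"]

def add_lease(chains, ip):
    """Append the two rules the post's 'after DHCP ACK' listing shows."""
    chains["I-vnet0-ipv4"]["rules"].append(f"-p IPv4 --ip-src {ip} -j RETURN".split())
    chains["I-vnet0-arpip"]["rules"].append(f"-p ARP --arp-ip-src {ip} -j RETURN".split())

def frame(proto, **fields):
    """Constructed sample frame arriving from the guest on vnet0."""
    return {"in_if": "vnet0", "proto": proto, "src_mac": GUEST_MAC, **fields}

def check_guest_traffic(lease_ip="10.0.0.1", spoof_ip="10.0.0.99"):
    """Verdicts for guest frames before and after the lease is snooped."""
    chains = parse_listing(LISTING)
    def pre(f): return walk(chains, "PREROUTING", f)
    r = {"dhcp_discover": pre(frame("IPv4", ip_src="0.0.0.0", ip_proto="udp", ip_sport="68")),
         "leased_ip_before_ack": pre(frame("IPv4", ip_src=lease_ip))}
    add_lease(chains, lease_ip)
    r["leased_ip_after_ack"] = pre(frame("IPv4", ip_src=lease_ip))
    r["spoofed_ip"] = pre(frame("IPv4", ip_src=spoof_ip))
    r["spoofed_mac"] = pre(frame("IPv4", src_mac="54:0:0:0:0:2", ip_src=lease_ip))
    r["arp_leased_ip"] = pre(frame("ARP", arp_mac_src=GUEST_MAC, arp_ip_src=lease_ip))
    r["arp_spoofed_ip"] = pre(frame("ARP", arp_mac_src=GUEST_MAC, arp_ip_src=spoof_ip))
    return r
```

Before the ACK the guest can only emit the 0.0.0.0/udp/68 DHCP client traffic; afterwards IPv4 and ARP from the leased address pass, while a spoofed source IP or a MAC other than 54:0:0:0:0:1 falls through to the DROP policy of the relevant I-vnet0-* chain. Walking PREROUTING rather than libvirt-I-vnet0 directly keeps the `-i vnet0` dispatch in the model, so a frame with a different in_if would simply hit PREROUTING's ACCEPT policy.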