[libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter

David Stevens dlstevens at us.ibm.com
Mon May 23 20:45:55 UTC 2011


Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 05/23/2011 01:09:51 PM:
 
> For the other ARP requests I am not sure whether the VM needs to see all
> of them. If a VM sees an ARP request on an interface not directed for
> any of its IP addresses, why deliver the request at all? The VM cannot
> respond to it. Since we are filtering on ARP we may just as well drop it
> which likely saves a few processing cycles in the whole system. So I
> wouldn't remove the filtering.

        No, the point is to update cached entries. If some other
machine does an ARP request or reply (either) that updates an entry
in our ARP cache, we are supposed to do that. From RFC 826:

        ...
        If the pair <protocol type, sender protocol address> is
                already in my translation table, update the sender
                hardware address field of the entry with the new
                information in the packet and set Merge_flag to true.
        ?Am I the target protocol address?

See, it updates the cache before even checking if we are the target.

                                                        +-DLS
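
The RFC 826 reception steps quoted in this message, as an added example that is not part of the original post or of libvirt's code: it compares a guest that sees all ARP traffic with one behind a filter that delivers only ARP addressed to the guest's own IP. `Host`, `ArpPacket`, `target_only_filter`, `run_scenario` and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

REQUEST, REPLY = 1, 2  # ar$op values from RFC 826

@dataclass
class ArpPacket:
    op: int
    sha: str  # sender hardware address
    spa: str  # sender protocol address
    tha: str  # target hardware address
    tpa: str  # target protocol address

class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}  # translation table: protocol address -> hardware address

    def receive(self, pkt):
        """RFC 826 packet reception; returns the reply packet or None."""
        merge_flag = False
        if pkt.spa in self.cache:           # merge happens BEFORE the target check
            self.cache[pkt.spa] = pkt.sha
            merge_flag = True
        if pkt.tpa != self.ip:              # ?Am I the target protocol address?
            return None
        if not merge_flag:                  # only the target learns new senders
            self.cache[pkt.spa] = pkt.sha
        if pkt.op == REQUEST:               # the opcode is examined last
            return ArpPacket(REPLY, self.mac, self.ip, pkt.sha, pkt.spa)
        return None

def target_only_filter(pkt, guest_ip):
    """Hypothetical filter rule: deliver only ARP whose target is the guest's IP."""
    return pkt.tpa == guest_ip

def run_scenario(filtered):
    """Return the guest's cached MAC for a peer after the peer's MAC has changed."""
    guest = Host("52:54:00:00:00:01", "192.0.2.10")
    guest.cache["192.0.2.1"] = "52:54:00:aa:aa:aa"  # existing entry (constructed)
    # The peer now has a new MAC and broadcasts a request for a third host.
    pkt = ArpPacket(REQUEST, "52:54:00:bb:bb:bb", "192.0.2.1",
                    "00:00:00:00:00:00", "192.0.2.20")
    if not filtered or target_only_filter(pkt, guest.ip):
        guest.receive(pkt)
    return guest.cache["192.0.2.1"]

if __name__ == "__main__":
    print("unfiltered:", run_scenario(False))  # entry refreshed
    print("filtered:  ", run_scenario(True))   # entry left stale
```

With the filter in place the guest keeps the old hardware address for the peer until the entry ages out or the guest resolves it again.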

 



