[libvirt] [libvirt PATCHv4 0/2] DHCP Snooping support for libvirt

David Stevens dlstevens at us.ibm.com
Tue Oct 25 18:01:32 UTC 2011


Stefan,
        Thanks for reviewing.

Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 10/25/2011 04:59:16 AM:

> I hope that this code will be able to support multiple IP addresses once
> my patches have gone in.

        I labelled in the code with comments the places that need to be
revised (3, I believe) for multiple address support.  I added one check to
ignore an additional address when you already have one for an interface.
The other depends on the form of multiple address support. If it is a
mechanism that changes variable values (either add or remove) in place in
the filters, it'll be reverting to code similar to my first post. If it uses
something like virNWFilterInstantiateFilterLate(), my main concern is making
sure there isn't a window while deleting or adding an address that rebuilds
the entire filter where either no packets or spoofed packets would be
allowed. Both cases would need to remove the DHCP-only rule installation in
delete, since removing one of multiple addresses shouldn't remove the other
address(es)'s filters.
        The internal snooping code supports multiple addresses per interface
as before. It assumes 1-interface==1-network as before, so your comments
about VLANs and the leasefile also require a visit, but don't apply without
multiple address support in the rest of nwfilter. Tracking and saving the
VLAN ID or saving and matching the DHCP client ID should do that.
 
 +-DLS



