[libvirt] [libvirt PATCHv4 0/2] DHCP Snooping support for libvirt

Stefan Berger stefanb at linux.vnet.ibm.com
Tue Oct 25 18:44:23 UTC 2011


On 10/25/2011 02:01 PM, David Stevens wrote:
> Stefan,
>          Thanks for reviewing.
>
> Stefan Berger <stefanb at linux.vnet.ibm.com> wrote on 10/25/2011 04:59:16 AM:
>
>> I hope that this code will be able to support multiple IP addresses once
>> my patches have gone in.
>          I labelled in the code with comments the places that need to be
> revised (3, I believe) for multiple address support.  I added one check to
> ignore an additional address when you already have one for an interface.
> The other depends on the form of multiple address support. If it is a
> mechanism that changes variable values (either add or remove) in place in
> the filters, it'll be reverting to code similar to my first post. If it uses
> something like virNWFilterInstantiateFilterLate(), my main concern is making
> sure there isn't a window while deleting or adding an address that rebuilds
> the entire filter where either no packets or spoofed packets would be allowed.
This should not be possible to happen during this call. The new filter
is built while the old filter is still active. The new filter is
connected to the 'root' where all filters are connected to and only then
the old one is disconnected and deleted. So the switch-over is 'atomic'.
Though this *may* need re-visiting in case *all* leases expire and IP
= <empty> and one has to put in the DHCP-only filter now.
> Both cases would need to remove the DHCP-only rule installation in delete,
> since removing one of multiple addresses shouldn't remove the other
> address(es)'s filters.
>          The internal snooping code supports multiple addresses per
> interface as before. It assumes 1-interface==1-network as before, so your
> comments about VLANs and the leasefile also require a visit, but don't apply
> without multiple address support in the rest of nwfilter. Tracking and
> saving the VLAN ID or saving and matching the DHCP client ID should do that.
>
We'll get to that.

    Stefan
>   +-DLS
>
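
The ordering concern discussed in this message, as an added example that is not part of the original e-mail or of libvirt's code: a small C model that replays a filter rebuild in both orders and counts the intermediate states where a leased address is blocked or an unleased source passes. The `Chain` and `Root` types, the first-attached-chain-decides rule, the root default policy and the addresses are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

enum { DROP = 0, ACCEPT = 1 };

/* Constructed model, not libvirt code: a chain accepts only its listed source IPs. */
typedef struct { const char *ips[4]; int n; } Chain;
/* Root with two attach points; the first attached chain decides (assumption). */
typedef struct { const Chain *slot[2]; int default_policy; } Root;

static int verdict(const Root *r, const char *src) {
    for (int i = 0; i < 2; i++) {
        if (!r->slot[i]) continue;
        for (int j = 0; j < r->slot[i]->n; j++)
            if (strcmp(r->slot[i]->ips[j], src) == 0) return ACCEPT;
        return DROP;                 /* chain ends by dropping unknown sources */
    }
    return r->default_policy;        /* nothing attached: only the root policy applies */
}

/* Invariant for every intermediate state: the address that stays leased keeps
 * working and an unleased (spoofed) source stays blocked. */
static int state_ok(const Root *r) {
    return verdict(r, "10.0.0.5") == ACCEPT && verdict(r, "10.0.0.66") == DROP;
}

/* Replay a filter rebuild that adds lease 10.0.0.9; return the number of
 * intermediate states that break the invariant. */
int violations(int make_before_break, int default_policy) {
    Chain old = { { "10.0.0.5" }, 1 };
    Chain next = { { "10.0.0.5", "10.0.0.9" }, 2 };
    Root r = { { &old, NULL }, default_policy };
    int bad = 0;
    if (make_before_break) {
        r.slot[1] = &next; bad += !state_ok(&r);   /* new attached, old still active */
        r.slot[0] = NULL;  bad += !state_ok(&r);   /* old detached afterwards */
    } else {
        r.slot[0] = NULL;  bad += !state_ok(&r);   /* window: no filter attached */
        r.slot[0] = &next; bad += !state_ok(&r);
    }
    return bad;
}

int main(void) {
    printf("make-before-break: %d violations\n", violations(1, ACCEPT));
    printf("break-before-make, root ACCEPT: %d (spoofed source passes)\n", violations(0, ACCEPT));
    printf("break-before-make, root DROP: %d (leased source blocked)\n", violations(0, DROP));
    return 0;
}
```

In this model the detach-first order always has one bad intermediate state, whichever default policy the root uses, while the attach-first order has none.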



