[libvirt] [PATCH V9 0/6] Add DHCP snooping support to nwfilter

Stefan Berger stefanb at linux.vnet.ibm.com
Sat Apr 14 13:03:45 UTC 2012


On 04/13/2012 01:54 PM, dennis jenkins wrote:
>
>
> On Fri, Apr 13, 2012 at 10:09 AM, Stefan Berger 
> <stefanb at linux.vnet.ibm.com <mailto:stefanb at linux.vnet.ibm.com>> wrote:
>
>     This series of patches adds DHCP snooping support to libvirt's
>     nwfilter subsystem.
>
>     DHCP snooping detects DHCP leases obtained by a VM and automatically
>     adjusts the network traffic filters to reflect the IP addresses
>     with which a VM may send its traffic, thus for example preventing
>     IP address spoofing.
>     Once leases on IP addresses expire or if a VM gives up on a
>     lease on an IP address, the filters are also adjusted.
>     All leases are persisted and automatically applied upon a VM's
>     restart.
>     Leases are associated with the tuple of VM-UUID and interface MAC
>     address.
>
>     The following interface XML activates and uses the DHCP snooping:
>
>     <interface type='bridge'>
>       <source bridge='virbr0'/>
>       <filterref filter='clean-traffic'>
>         <parameter name='ip_learning' value='dhcp'/>
>       </filterref>
>     </interface>
>
>
>     Regards,
>       David and Stefan
>
>
>
> Would libvirt (via the perl wrapper) be able to query the IP address 
> information?
>

Patch 7 is going to add this with DETECTED_IP in the parameter list that 
then looks something like this:

<interface type='bridge'>
  <mac address='52:54:00:68:e3:90'/>
  <source bridge='virbr0'/>
  <target dev='vnet1'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <parameter name='ip_learning' value='dhcp'/>
    <parameter name='DETECTED_IP' value='192.168.122.210'/>
  </filterref>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>

Some other considerations:

We should probably reserve some variables. This DETECTED_IP will be 
read-only, meaning no-one can set it by writing the XML. Then we have
- IP: list of IP addresses used by an interface
- MAC: MAC address of the interface
- ip_learning: for choosing the IP detection mechanism  (capital letters??)
- DHCPSERVER: for list of trusted DHCP servers

Maybe the following should be also reserved

- IPV6
- DETECTED_IPV6
- DHCPSERVER_IPV6

independent of when they may be supported.

Another idea may be whether this special variable DETECTED_IP could be 
extended to include the lease and use it for migration, i.e. 
DETECTED_IP=<ip addr>,<lease timeout> and then when migrating we need to 
know that the XML is being parsed due to migration (rather than the XML 
coming from user input directly) and that we can pick up its contents 
and feed it into the IP lease mechanism. Just a thought for now. Maybe 
someone has a comment on whether this is a good idea to begin with...

    Stefan
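An added example, not code from the patch series or from libvirt itself: it takes domain XML of the shape shown in the reply (in practice obtained via virDomain.XMLDesc()), pulls out the snooped address for each filtered interface keyed by the VM UUID and MAC tuple the leases are stored under, parses the proposed "<ip addr>,<lease timeout>" encoding, and flags user-supplied filterref XML that tries to set the read-only DETECTED_IP. The reserved-name sets, the sample UUID and the second interface are assumptions taken from the proposals in this mail, not libvirt behaviour.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Names proposed for reservation in this thread. Which of them are
# read-only (set by the snooper, never by the user) is an assumption
# of this example based on the proposal above, not libvirt policy.
READ_ONLY_VARS = {"DETECTED_IP", "DETECTED_IPV6"}
RESERVED_VARS = READ_ONLY_VARS | {
    "IP", "MAC", "ip_learning", "DHCPSERVER", "IPV6", "DHCPSERVER_IPV6",
}

# Constructed domain XML modelled on the interface shown in the reply;
# the UUID and the second (statically addressed) interface are made up.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:68:e3:90'/>
      <source bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='ip_learning' value='dhcp'/>
        <parameter name='DETECTED_IP' value='192.168.122.210'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.168.122.50'/>
      </filterref>
    </interface>
  </devices>
</domain>"""

# Constructed user input that tries to pre-set the snooped address.
USER_FILTERREF_XML = """<filterref filter='clean-traffic'>
  <parameter name='ip_learning' value='dhcp'/>
  <parameter name='DETECTED_IP' value='10.0.0.1'/>
</filterref>"""


def parse_detected_ip(value):
    """Parse a DETECTED_IP value, either plain '<ip addr>' (as in the patch
    7 example) or the proposed '<ip addr>,<lease timeout>' form.
    Returns (address string, timeout or None); raises ValueError on junk."""
    addr, sep, lease = value.partition(",")
    ip = ipaddress.ip_address(addr.strip())
    if ip.version != 4:
        raise ValueError("DETECTED_IP is IPv4; v6 would use DETECTED_IPV6")
    timeout = None
    if sep:
        timeout = int(lease.strip())
        if timeout < 0:
            raise ValueError("negative lease timeout")
    return str(ip), timeout


def lease_records(domain_xml):
    """One record per <interface> with a <filterref>, keyed by the
    (VM UUID, MAC) tuple that the snooper associates leases with."""
    root = ET.fromstring(domain_xml)
    uuid = root.findtext("uuid")
    records = []
    for iface in root.iter("interface"):
        fref = iface.find("filterref")
        mac = iface.find("mac")
        if fref is None or mac is None:
            continue
        params = {}  # name -> list of values (a name may repeat, e.g. IP)
        for p in fref.findall("parameter"):
            params.setdefault(p.get("name"), []).append(p.get("value"))
        records.append({
            "uuid": uuid,
            "mac": mac.get("address"),
            "filter": fref.get("filter"),
            "ip_learning": params.get("ip_learning", [None])[0],
            "detected": [parse_detected_ip(v) for v in params.get("DETECTED_IP", [])],
            "static": params.get("IP", []),
        })
    return records


def read_only_violations(filterref_xml):
    """Names of read-only variables that user-supplied <filterref> XML
    attempts to set; a loader would reject the XML if this is non-empty."""
    fref = ET.fromstring(filterref_xml)
    names = {p.get("name") for p in fref.findall("parameter")}
    return sorted(names & READ_ONLY_VARS)


if __name__ == "__main__":
    for rec in lease_records(SAMPLE_DOMAIN_XML):
        print(rec["uuid"], rec["mac"], rec["ip_learning"], rec["detected"], rec["static"])
    print("rejected:", read_only_violations(USER_FILTERREF_XML))
```

The migration idea in the mail would hinge on the parser knowing the XML's origin: the same DETECTED_IP value must be accepted when it arrives via migration and rejected when it comes from user input, which is why the read-only check is kept as a separate function that the caller can skip on the migration path.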
