[libvirt] [PATCH V10 4/7] nwfilter: add DHCP snooping
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Apr 17 13:15:39 UTC 2012
On 04/16/2012 11:08 AM, Stefan Berger wrote:
> This patch adds DHCP snooping support to libvirt. The learning method for
> IP addresses is specified by setting the "ip_learning" variable to one of
> "any" [default] (existing IP learning code), "none" (static only addresses)
> or "dhcp" (DHCP snooping).
>
Unfortunately this patch needs yet another revision. Its usage of the
pcap library did not allow one to determine whether the captured packets
were sent by the VM or going towards the VM, which in turn would allow
the VM to send for example DHCPACK messages with bogus leases and with
that let it acquire spoofed addresses. Also, at the point of capture, the
packets were not filtered yet. So, the new revision uses two pcap
handles, one capturing packets in incoming direction and one in outgoing
direction which then in turn allows testing of MAC addresses in headers
and whether the different DHCP messages were sent in the appropriate
direction and with this enabling the filtering of for example (spoofed)
DHCPACKs sent by the VM. Testing this now...
Stefan
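The direction check described in the message, as an added illustration that is not libvirt's code: it assumes a hypothetical direction tag telling which of the two pcap handles saw the frame, uses a minimal option-53 parser, and all MACs and option bytes are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCP message types from option 53 (RFC 2132). */
enum { DHCPDISCOVER = 1, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE, DHCPINFORM };
enum { DIR_FROM_VM, DIR_TO_VM };   /* hypothetical tag: which of the two pcap handles saw the frame */

/* Return the option 53 value from a DHCP options field (the bytes after the magic
   cookie), or 0 if it is absent or the option area is malformed. */
static int dhcp_msg_type(const uint8_t *opts, size_t len) {
    for (size_t i = 0; i < len;) {
        uint8_t code = opts[i];
        if (code == 0) { i++; continue; }            /* pad */
        if (code == 255 || i + 1 >= len) break;      /* end, or truncated */
        uint8_t olen = opts[i + 1];
        if (i + 2 + olen > len) break;               /* length runs past buffer */
        if (code == 53 && olen == 1) return opts[i + 2];
        i += 2 + olen;
    }
    return 0;
}

/* Accept only if the message type fits the capture direction and the source MAC:
   client messages must leave the VM from the VM's own MAC, server messages must arrive
   towards the VM from some other MAC. A DHCPACK sent by the VM is thus dropped. */
static bool dhcp_snoop_accept(int dir, const uint8_t src_mac[6], const uint8_t vm_mac[6],
                              const uint8_t *opts, size_t len) {
    bool from_vm = memcmp(src_mac, vm_mac, 6) == 0;
    switch (dhcp_msg_type(opts, len)) {
    case DHCPDISCOVER: case DHCPREQUEST: case DHCPDECLINE: case DHCPRELEASE: case DHCPINFORM:
        return dir == DIR_FROM_VM && from_vm;
    case DHCPOFFER: case DHCPACK: case DHCPNAK:
        return dir == DIR_TO_VM && !from_vm;
    default:
        return false;                                /* unknown or missing type */
    }
}

/* Constructed sample values: a VM MAC, a DHCP server MAC and two option blobs. */
static const uint8_t sample_vm_mac[6]  = {0x52, 0x54, 0x00, 0x11, 0x22, 0x33};
static const uint8_t sample_srv_mac[6] = {0x00, 0x16, 0x3e, 0xaa, 0xbb, 0xcc};
static const uint8_t sample_ack_opts[] = {53, 1, DHCPACK, 255};
static const uint8_t sample_req_opts[] = {0, 53, 1, DHCPREQUEST, 12, 2, 'v', 'm', 255};
int main(void) {
    printf("spoofed DHCPACK from VM accepted: %d\n", dhcp_snoop_accept(DIR_FROM_VM,
           sample_vm_mac, sample_vm_mac, sample_ack_opts, sizeof sample_ack_opts));
    return 0;
}
```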