[libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter
The ARP protocol requires processing of packets that may not be
explicitly addressed to a host and only defines request and reply. This patch
removes the filtering of gratuitous ARPs and ARP requests which must update
a VMs patch for correct function and removes the unnecessary check for arpop
of request or reply.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml
b/examples/xml/nwfilter/no-arp-spoofing.xml
index c6c858d..fdd4e60 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,21 +12,6 @@
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
- <!-- drop if ipaddr or macaddr odes not belong to guest -->
- <rule action='drop' direction='in' priority='450' >
- <arp match='no' arpdstmacaddr='$MAC'/>
- <arp opcode='reply'/>
- </rule>
- <rule action='drop' direction='in' priority='500' >
- <arp match='no' arpdstipaddr='$IP' />
- </rule>
- <!-- accept only request or reply packets -->
- <rule action='accept' direction='inout' priority='600'
>
- <arp opcode='request'/>
- </rule>
- <rule action='accept' direction='inout' priority='650'
>
- <arp opcode='reply'/>
- </rule>
<!-- drop everything else -->
- <rule action='drop' direction='inout' priority='1000'
/>
+ <rule action='drop' direction='out' priority='1000' />
</filter>