David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011 04:00:05 PM:

> The following series of patches replaces IP address learning in
> network filtering with DHCP snooping. The existing address learning
> capability does not provide security since it relies on addresses used
> in initial packets sent by the guest to determine an IP address. A
> spoofing guest can simply arrange to send packets using the target
> address early on.

The current IP address learning algo. takes either the address given by
the DHCP server or the address a VM seems to be using, which can either
be from an ARP reply or the first packet a VM is sending out. It then
locks the VM's interface into that address. This works for static
configuration or DHCP, and if DHCP is used it also works when libvirt is
restarted while a VM is running -- then it will simply pick the address
from the ARP reply or first packet, treating the VM as if it was using
static configuration.

Looking at patch 8 I would assume you need to store the IP leases you
track into a file so you can handle the cases of libvirt restart while a
VM is running. How does the DHCP snooping currently deal with libvirt
restarts or a SIGHUP to libvirt? Both I believe are currently rebuilding
all filters when libvirt restarts, and on those interfaces where it is
necessary the learning will again start up.

> With DHCP snooping, only addresses acknowledged by a DHCP server can
> be used by the guest, and only for the given lease time if the address
> lease is not renewed.

How do you treat VMs with statically configured interfaces? Are they
permanently blocked from sending?

> The patches also add support for multiple IP addresses per
> interface.

This would be great!

   Stefan
> The split:
>
> p1 -add return & continue support
>         Add support for "return" and "continue" in filters.
> p2 -fix ARP input checks
>         Fix a bug that breaks correct use of ARP by overfiltering.
> p3 -add MAC check; split ARP into ARPMAC and ARPIP
>         Support for multiple IP addresses in ARP checks, and allow for
>         multiple MAC addresses in the future.
> p4 -set default protocol policy to "DROP"; edit filters
>         Change default protocol policy to "DROP", rather than adding
>         explicit "DROP" rules at the end of all of them. This is for
>         multiple address support.
> p5 -optional "modify" (don't use temp, generate placeholder rules)
>         Add support to dynamically add and remove filters without
>         re-installing an entire chain.
> p6 -addRules
>         Add support for adding new rules to a chain incrementally. Remove
>         support was already there.
> p7 -ChangeVar support
>         Add support to change chains that have a matching variable
>         substitution to either add or delete rules with the given
>         variable value (e.g., "IP")
> p8 -add DHCP snooping
>         The DHCP snooping code itself.
> p9 -delete learnipaddr
>         Clean up remaining learnipaddr infrastructure.
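The lease rule the series describes (a guest may use an address only once a DHCP server has ACKed it, and only until the lease runs out unless it is renewed), written out as an added example. This is not code from the thread, from the patch series or from libvirt's nwfilter. It assumes raw DHCP payloads in the RFC 2131 layout (BOOTP header, magic cookie, TLV options) and a flag saying whether a packet arrived from the guest's own port or from the network side; LeaseTable, snoop, is_allowed, build_dhcp and the sample packets are this example's own constructions. It goes a little beyond the thread's wording by also handling DHCPRELEASE and the infinite-lease value.

```python
"""DHCP-snooping lease tracker (added example, not libvirt or patch code):
a guest may use only an address a DHCP server ACKed, and only until that
lease expires unless renewed. Wire layout per RFC 2131 (BOOTP + options)."""
import struct
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
DHCPACK, DHCPRELEASE = 5, 7

def parse_dhcp(payload):
    """Return op, ciaddr, yiaddr, chaddr and the option TLVs of one message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    msg = {"op": payload[0], "ciaddr": bytes(payload[12:16]),
           "yiaddr": bytes(payload[16:20]),
           "chaddr": bytes(payload[28:28 + hlen]), "opts": {}}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        msg["opts"][payload[i]] = bytes(payload[i + 2:i + 2 + length])
        i += 2 + length
    return msg

def build_dhcp(op, mtype, mac, yiaddr=b"\0\0\0\0", ciaddr=b"\0\0\0\0", lease=None):
    """Constructed test input: a minimal DHCP message with the given fields."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = op, 1, 6            # op, htype=Ethernet, hlen=6
    hdr[12:16], hdr[16:20], hdr[28:34] = ciaddr, yiaddr, mac
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    if lease is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return bytes(hdr) + DHCP_MAGIC + opts + bytes([OPT_END])

class LeaseTable:
    """Per-MAC set of leased IPs (several per interface), each with an expiry."""

    def __init__(self):
        self.leases = {}   # mac -> {ip_bytes: absolute expiry time}

    def snoop(self, payload, from_guest, now=None):
        """Feed one DHCP message seen on the guest's port. Only ACKs arriving
        from the network side grant addresses; an ACK the guest itself emits
        (a forgery) is ignored. Returns 'lease', 'release' or 'ignored'."""
        now = time.time() if now is None else now
        msg = parse_dhcp(payload)
        mtype = msg["opts"].get(OPT_MSG_TYPE, b"\0")[0]
        per_mac = self.leases.setdefault(msg["chaddr"], {})
        if msg["op"] == BOOTREPLY and mtype == DHCPACK and not from_guest:
            raw = msg["opts"].get(OPT_LEASE_TIME)
            if msg["yiaddr"] == b"\0\0\0\0" or raw is None:
                return "ignored"        # e.g. a DHCPINFORM ack: no address
            secs = struct.unpack("!I", raw)[0]   # 0xFFFFFFFF = infinite lease
            per_mac[msg["yiaddr"]] = float("inf") if secs == 0xFFFFFFFF else now + secs
            return "lease"
        if msg["op"] == BOOTREQUEST and mtype == DHCPRELEASE and from_guest:
            return "release" if per_mac.pop(msg["ciaddr"], None) is not None else "ignored"
        return "ignored"

    def is_allowed(self, mac, ip, now=None):
        """Filter decision for a packet the guest sends with source address ip;
        leases that ran out without renewal are dropped on the way."""
        now = time.time() if now is None else now
        live = {a: e for a, e in self.leases.get(mac, {}).items() if e > now}
        self.leases[mac] = live
        return ip in live

def scenario():
    """Walk through the cases raised in the thread; returns filter decisions."""
    mac = bytes.fromhex("525400123456")
    ip, target = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
    tbl, out = LeaseTable(), {}
    # Guest sends from the target address before any DHCP exchange: denied.
    out["before_dhcp"] = tbl.is_allowed(mac, target, now=0)
    # Guest forges a DHCPACK for the target to itself: ignored, still denied.
    tbl.snoop(build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr=target, lease=3600),
              from_guest=True, now=0)
    out["forged_ack"] = tbl.is_allowed(mac, target, now=1)
    # Real ACK from the server side: allowed, but only for the lease time.
    ack = build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr=ip, lease=3600)
    tbl.snoop(ack, from_guest=False, now=0)
    out["leased"] = tbl.is_allowed(mac, ip, now=100)
    out["expired"] = tbl.is_allowed(mac, ip, now=3601)
    # A renewal ACK extends the lease; an explicit release ends it early.
    tbl.snoop(ack, from_guest=False, now=1000)
    out["renewed"] = tbl.is_allowed(mac, ip, now=4000)
    tbl.snoop(build_dhcp(BOOTREQUEST, DHCPRELEASE, mac, ciaddr=ip),
              from_guest=True, now=4001)
    out["released"] = tbl.is_allowed(mac, ip, now=4002)
    return out
```

The direction check in snoop is the part that carries the security: without it a guest could grant itself any address by emitting a forged DHCPACK on its own port, which is the same trick the old learning code fell for with early packets. The table here lives only in memory, which is exactly the restart question raised above: a daemon that rebuilds its filters on restart either has to persist the leases or accept that the guest is cut off until it renews.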