The ARP protocol requires processing of packets that may not be
explicitly addressed to a host, and it defines only the request and reply operations. This patch
removes the filtering of ARP requests not explicitly addressed to a VM, to allow
proper ARP cache updates for entries based on any traffic, and removes the
unnecessary check for an arpop of request or reply.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
---
examples/xml/nwfilter/no-arp-spoofing.xml | 23 ++---------------------
1 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml
b/examples/xml/nwfilter/no-arp-spoofing.xml
index 96c58c1..3c83acd 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,25 +12,6 @@
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
- <!-- allow gratuitous arp -->
- <rule action='accept' direction='in' priority='425'>
- <arp gratuitous='true'/>
- </rule>
- <!-- drop if ipaddr or macaddr does not belong to guest -->
- <rule action='drop' direction='in' priority='450' >
- <arp match='no' arpdstmacaddr='$MAC'/>
- <arp opcode='reply'/>
- </rule>
- <rule action='drop' direction='in' priority='500' >
- <arp match='no' arpdstipaddr='$IP' />
- </rule>
- <!-- accept only request or reply packets -->
- <rule action='accept' direction='inout' priority='600'
>
- <arp opcode='request'/>
- </rule>
- <rule action='accept' direction='inout' priority='650'
>
- <arp opcode='reply'/>
- </rule>
- <!-- drop everything else -->
- <rule action='drop' direction='inout' priority='1000'
/>
+ <!-- allow everything else -->
+ <rule action='accept' direction='in' priority='425' />
</filter>
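Review bot: The replacement comment `<!-- allow everything else -->` overstates the new rule, which is `direction='in'` only; the removed catch-all `drop direction='inout' priority='1000'` also covered outbound ARP, so after this hunk outbound ARP that passes the `arpsrcipaddr='$IP'` drop at priority 400 (and whatever rules precede line 12, outside the hunk) falls through to the filter's default handling instead of an explicit terminal rule. Suggest `<!-- accept all remaining inbound ARP; outbound is constrained only by the drop rules above -->` so the asymmetry is visible. It would also help a reader to state explicitly that inbound ARP not addressed to the guest — replies and gratuitous ARP from any peer included — is now accepted on purpose so the guest can refresh its cache, because the filter's name suggests protection in both directions and a later maintainer may otherwise re-add the removed `arpdstmacaddr`/`arpdstipaddr` checks. The `<filter>` element begins before the hunk.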
--
1.7.6.4