David,
I have unfortunately missed v2 of this and in the meantime (since
after V1) I had been thinking about this a bit.
The problem we're having at the moment is that it's not possible to
evaluate fields of packets that may have more than one possible value.
This is the general problem, the specific one being allowing multiple
MAC or IP addresses. This problem requires us to enable more tables
along with jumps to those tables. I think we should solve this in a more
general way. What we seem to need for this are tables that are connected
to the 'root table' of an interface and tables that are not connected to
the 'root table'. So for now we handle arp, rarp, ipv4 and ipv6 from
that 'root' table using '-p arp -j <table>' for example to jump to an
ARP-specific table, the protocol being the decision point
here ('-p'). So now maybe what we should do is allow user to define
tables with prefixes 'arp', 'ipv4' and 'ipv6' and have all of them
connected to the root table and jump into them using '-p'. There could
be an arp table, an 'arp-xyz' table and all of them would be connected
to that root table -- the question is just in what order. Maybe
alphabetical order, with arp and rarp still being always treated after
ipv4 and ipv6. Then to realize the other 'loose tables' they could maybe
all be required to have a prefix 'ud-' for 'user-defined'. Those would
then just be created but not accessed from the 'root table' of an
interface but from those connected to an interface's 'root table'. Does
this sound reasonable?
Stefan
On 10/12/2011 03:50 PM, David L Stevens wrote:
This series of patches adds DHCP snooping support to libvirt. This version
saves leases on disk for restoration after a libvirtd restart and allows
selection of different ip_learning methods by setting filter parameter
"ip_learning" to one of "any" (existing IP learning code), "none" (static only
addresses) or "DHCP" (DHCP Snooping).
This code does not (yet) support passing lease information across a migration.
A migrated guest requires a DHCP ACK (e.g., via ifdown/ifup on the guest) to
send/receive traffic for DHCP-learned addresses after a migration.
Differences from v2: added support for multiple static IP addresses using
a comma-separated list.
David L Stevens (10):
support continue/return
allow required ARP packets
reverse sense of address matching
make default chain policy "DROP"
allow chain modification
support addRules
support variable value changing
add DHCP snooping
add leasefile support
support multiple static IP addresses
examples/xml/nwfilter/Makefile.am | 5 +-
examples/xml/nwfilter/allow-arp.xml | 5 +-
examples/xml/nwfilter/allow-arpip.xml | 3 +
examples/xml/nwfilter/allow-arpmac.xml | 3 +
examples/xml/nwfilter/clean-traffic.xml | 6 +-
examples/xml/nwfilter/no-arp-spoofing.xml | 38 +-
examples/xml/nwfilter/no-arpip-spoofing.xml | 10 +
examples/xml/nwfilter/no-arpmac-spoofing.xml | 5 +
examples/xml/nwfilter/no-ip-spoofing.xml | 9 +-
examples/xml/nwfilter/no-mac-spoofing.xml | 10 +-
examples/xml/nwfilter/no-other-l2-traffic.xml | 13 +-
examples/xml/nwfilter/no-other-rarp-traffic.xml | 3 -
examples/xml/nwfilter/qemu-announce-self.xml | 1 -
src/Makefile.am | 2 +
src/conf/nwfilter_conf.c | 12 +-
src/conf/nwfilter_conf.h | 16 +-
src/nwfilter/nwfilter_dhcpsnoop.c | 938 +++++++++++++++++++++++
src/nwfilter/nwfilter_dhcpsnoop.h | 36 +
src/nwfilter/nwfilter_driver.c | 5 +
src/nwfilter/nwfilter_ebiptables_driver.c | 225 +++++--
src/nwfilter/nwfilter_gentech_driver.c | 225 +++++-
src/nwfilter/nwfilter_gentech_driver.h | 11 +
22 files changed, 1445 insertions(+), 136 deletions(-)
create mode 100644 examples/xml/nwfilter/allow-arpip.xml
create mode 100644 examples/xml/nwfilter/allow-arpmac.xml
create mode 100644 examples/xml/nwfilter/no-arpip-spoofing.xml
create mode 100644 examples/xml/nwfilter/no-arpmac-spoofing.xml
delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.c
create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.h
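The following is an added example, not code from libvirt or from this patch series. It models the table layout Stefan proposes in his reply: tables prefixed 'ipv4', 'ipv6', 'arp' or 'rarp' are linked from an interface's root table through '-p <proto> -j <table>' jumps (IP family first, ARP/RARP after it, alphabetical within a group), while 'ud-' tables are created but only reachable through an explicit '-j' from another table. It also reports 'ud-' tables that nothing jumps into and rejects jumps to tables that do not exist. The chain-name format '<iface>-<table>', the prefix-to-'-p' mapping and the sample rules (which handle the multiple-MAC case from the thread with one rule per MAC in a 'ud-' table) are assumptions made for the example.

```python
"""Model of a root table plus protocol-prefixed and 'ud-' tables (added example)."""
from typing import Callable, Dict, List

# Assumed: table-name prefix -> (ebtables '-p' match, position of the group in
# the root table; 0 = IP family first, 1 = ARP/RARP after it).
PROTO_PREFIXES = {
    "ipv4": ("IPv4", 0),
    "ipv6": ("IPv6", 0),
    "arp": ("ARP", 1),
    "rarp": ("RARP", 1),
}
USER_PREFIX = "ud-"
BUILTIN_TARGETS = {"ACCEPT", "DROP", "CONTINUE", "RETURN"}


def classify(table: str) -> str:
    """Return 'ud' for a user-defined table, otherwise its protocol prefix.

    A name with no recognised prefix is rejected rather than silently created
    as a table that nothing would ever jump into."""
    if table.startswith(USER_PREFIX):
        return "ud"
    for prefix in PROTO_PREFIXES:
        if table == prefix or table.startswith(prefix + "-"):
            return prefix
    raise ValueError(f"table {table!r} has no recognised prefix")


def root_order(tables: Dict[str, List[str]]) -> List[str]:
    """Tables linked from the root, in the order their jumps are appended."""
    linked = [t for t in tables if classify(t) != "ud"]
    return sorted(linked, key=lambda t: (PROTO_PREFIXES[classify(t)][1], t))


def jump_targets(rule: str) -> List[str]:
    """User-chain names a rule fragment jumps to (built-in targets excluded)."""
    toks = rule.split()
    return [toks[i + 1] for i, tok in enumerate(toks[:-1])
            if tok == "-j" and toks[i + 1] not in BUILTIN_TARGETS]


def unreachable(tables: Dict[str, List[str]]) -> List[str]:
    """Tables that no chain of jumps from the root reaches (dead 'ud-' tables)."""
    seen = set(root_order(tables))
    todo = list(seen)
    while todo:
        for rule in tables[todo.pop()]:
            for target in jump_targets(rule):
                if target in tables and target not in seen:
                    seen.add(target)
                    todo.append(target)
    return sorted(set(tables) - seen)


def build_commands(iface: str, tables: Dict[str, List[str]]) -> List[str]:
    """ebtables command lines: create every chain, fill them, then link the root."""
    chain: Callable[[str], str] = lambda t: f"{iface}-{t}"  # assumed naming
    root = f"{iface}-root"
    cmds = [f"ebtables -N {root}"] + [f"ebtables -N {chain(t)}" for t in sorted(tables)]
    for table in sorted(tables):
        for rule in tables[table]:
            toks = rule.split()
            for i, tok in enumerate(toks[:-1]):
                if tok == "-j" and toks[i + 1] not in BUILTIN_TARGETS:
                    if toks[i + 1] not in tables:
                        raise ValueError(f"{table}: jump to unknown table {toks[i + 1]!r}")
                    toks[i + 1] = chain(toks[i + 1])  # qualify with the interface name
            cmds.append(f"ebtables -A {chain(table)} {' '.join(toks)}")
    for table in root_order(tables):
        proto = PROTO_PREFIXES[classify(table)][0]
        cmds.append(f"ebtables -A {root} -p {proto} -j {chain(table)}")
    return cmds


# Constructed sample filter: several allowed source MACs live in one 'ud-'
# table that the IPv4 and ARP tables jump into; 'ud-orphan' is never referenced.
SAMPLE_TABLES = {
    "ipv4": ["-p IPv4 --ip-src 192.168.122.10 -j ud-allowed-macs", "-j DROP"],
    "ipv6": ["-j DROP"],
    "arp": ["-p ARP --arp-ip-src 192.168.122.10 -j ud-allowed-macs", "-j DROP"],
    "arp-reply": ["-p ARP --arp-opcode Reply -j ACCEPT"],
    "rarp": ["-j DROP"],
    "ud-allowed-macs": ["-s 52:54:00:12:34:56 -j ACCEPT",
                        "-s 52:54:00:12:34:57 -j ACCEPT", "-j DROP"],
    "ud-orphan": ["-j ACCEPT"],
}

if __name__ == "__main__":
    for dead in unreachable(SAMPLE_TABLES):
        print(f"warning: table {dead} is not reachable from the root table")
    print("\n".join(build_commands("vnet0", SAMPLE_TABLES)))
```

Running the module prints the ebtables command list for 'vnet0' (chains created before any rule references them, root jumps appended last in the order ipv4, ipv6, arp, arp-reply, rarp) and warns that 'ud-orphan' is dead.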