Re: [libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter

Wednesday, 11 May 2011

David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011 04:04:47 PM:

...
 diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
 index c5705c1..df1a012 100644
 --- a/src/conf/nwfilter_conf.c
 +++ b/src/conf/nwfilter_conf.c
 @@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, 
 VIR_NWFILTER_EBTABLES_TABLE_LAST,

  VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
                "root",
 -              "arp",
 +              "mac",
 +              "arpmac",
 +              "arpip",
                "rarp",
                "ipv4",
                "ipv6"); 

The mac chain is there for supporting multiple MAC addresses per 
interface. What is the use case for having
multiple MAC address on an interface and how do I set this up in a Linux 
guest for example?

I am not sure whether we should remove a chain, i.e., the 'arp' chain 
here. Adding is ok. Maybe the existing chain 'arp' could be doing one part 
and 'arpmac' the other ?

...
 diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
 index ef60b6b..4d60751 100644
 --- a/src/conf/nwfilter_conf.h
 +++ b/src/conf/nwfilter_conf.h
 @@ -425,7 +425,9 @@ struct _virNWFilterEntry {

  enum virNWFilterChainSuffixType {
      VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
 -    VIR_NWFILTER_CHAINSUFFIX_ARP,
 +    VIR_NWFILTER_CHAINSUFFIX_MAC,
 +    VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
 +    VIR_NWFILTER_CHAINSUFFIX_ARPIP,
      VIR_NWFILTER_CHAINSUFFIX_RARP,
      VIR_NWFILTER_CHAINSUFFIX_IPv4,
      VIR_NWFILTER_CHAINSUFFIX_IPv6,
 diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
 nwfilter/nwfilter_ebiptables_driver.c
 index 39bd4a5..fa6f719 100644
 --- a/src/nwfilter/nwfilter_ebiptables_driver.c
 +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
 @@ -129,20 +129,24 @@ struct ushort_map {

  enum l3_proto_idx {
 -    L3_PROTO_IPV4_IDX = 0,
 -    L3_PROTO_IPV6_IDX,
 -    L3_PROTO_ARP_IDX,
 +    L3_PROTO_MAC_IDX = 0,
 +    L3_PROTO_ARPMAC_IDX,
 +    L3_PROTO_ARPIP_IDX,
      L3_PROTO_RARP_IDX,
 +    L3_PROTO_IPV4_IDX,
 +    L3_PROTO_IPV6_IDX,
      L3_PROTO_LAST_IDX
  };

  #define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, 
 .val = VAL }

  static const struct ushort_map l3_protocols[] = {
 -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP    , "ipv4"),
 -    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6  , "ipv6"),
 -    USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP   , "arp"),
 -    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX,   0               , "mac"),
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX,  ETHERTYPE_IP    , "ipv4"),
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX,  ETHERTYPE_IPV6  , "ipv6"),
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP   , 
"arpmac"),
...
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP   ,
"arpip"),
 +    USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX,  ETHERTYPE_REVARP, "rarp"),
      USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0               , NULL),
  };

Can you run a VM and do a 'ebtables -t nat -L' and post the output. I'd be 
curious how
the chains look like now with the 'clean-traffic' filter without having to 
apply the
patches and test them.

Regards,
   Stefan

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter