David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011 04:04:47 PM:
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index c5705c1..df1a012 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable,
VIR_NWFILTER_EBTABLES_TABLE_LAST,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
"root",
- "arp",
+ "mac",
+ "arpmac",
+ "arpip",
"rarp",
"ipv4",
"ipv6");
The mac chain is there to support multiple MAC addresses per
interface. What is the use case for having
multiple MAC addresses on an interface, and how do I set this up in a Linux
guest, for example?
I am not sure whether we should remove a chain, i.e., the 'arp' chain
here. Adding is ok. Maybe the existing chain 'arp' could be doing one part
and 'arpmac' the other ?
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index ef60b6b..4d60751 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -425,7 +425,9 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
- VIR_NWFILTER_CHAINSUFFIX_ARP,
+ VIR_NWFILTER_CHAINSUFFIX_MAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPIP,
VIR_NWFILTER_CHAINSUFFIX_RARP,
VIR_NWFILTER_CHAINSUFFIX_IPv4,
VIR_NWFILTER_CHAINSUFFIX_IPv6,
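Review bot: The new enumerators `VIR_NWFILTER_CHAINSUFFIX_MAC`, `VIR_NWFILTER_CHAINSUFFIX_ARPMAC` and `VIR_NWFILTER_CHAINSUFFIX_ARPIP` have no comment saying which frames each chain is meant to filter. Nothing records that their order has to match the string list passed to `VIR_ENUM_IMPL(virNWFilterChainSuffix, ...)` in nwfilter_conf.c. Because only `ROOT` has an explicit value, inserting entries mid-list also renumbers `RARP`, `IPv4` and `IPv6`, so any use of the old numeric values outside this hunk would shift. I would add a line above the enum such as `/* order must match VIR_ENUM_IMPL(virNWFilterChainSuffix) in nwfilter_conf.c */`, plus a short trailing comment per new chain. The enum body continues outside the hunk.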
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
nwfilter/nwfilter_ebiptables_driver.c
index 39bd4a5..fa6f719 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -129,20 +129,24 @@ struct ushort_map {
enum l3_proto_idx {
- L3_PROTO_IPV4_IDX = 0,
- L3_PROTO_IPV6_IDX,
- L3_PROTO_ARP_IDX,
+ L3_PROTO_MAC_IDX = 0,
+ L3_PROTO_ARPMAC_IDX,
+ L3_PROTO_ARPIP_IDX,
L3_PROTO_RARP_IDX,
+ L3_PROTO_IPV4_IDX,
+ L3_PROTO_IPV6_IDX,
L3_PROTO_LAST_IDX
};
#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT,
.val = VAL }
static const struct ushort_map l3_protocols[] = {
- USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX, 0 , "mac"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP ,
"arpmac"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP ,
"arpip"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL),
};
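Review bot: In the new `l3_protocols` table `.attr` is no longer unique: `arpmac` and `arpip` both carry `ETHERTYPE_ARP`, and the `mac` row uses `0`, the same value as the `L3_PROTO_LAST_IDX` terminator. The code that walks this table is outside the hunk, so this matters only if something selects a row by ethertype or stops on `attr == 0` instead of `val == NULL`. In that case the `mac` or `arpip` chain could be silently skipped, which would presumably weaken filters that rely on them. I would add a comment above the table, e.g. `/* attr is not unique: look rows up by index, terminate on val == NULL */`. I would also list the rows in the same order as `enum l3_proto_idx` so the two are easy to compare.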
Can you run a VM, do an 'ebtables -t nat -L' and post the output? I'd be
curious to see what the chains look like now with the 'clean-traffic' filter,
without having to apply the patches and test them.
Regards,
Stefan