David Stevens/Beaverton/IBM@IBMUS wrote on 05/09/2011
04:04:47 PM:
> diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
> index c5705c1..df1a012 100644
> --- a/src/conf/nwfilter_conf.c
> +++ b/src/conf/nwfilter_conf.c
> @@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable,
> VIR_NWFILTER_EBTABLES_TABLE_LAST,
>
> VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
> "root",
> - "arp",
> + "mac",
> + "arpmac",
> + "arpip",
> "rarp",
> "ipv4",
> "ipv6");
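Review bot: The string list passed to `VIR_ENUM_IMPL(virNWFilterChainSuffix, ...)` is positional, so the three new names only map to the right chains while `enum virNWFilterChainSuffixType` in nwfilter_conf.h keeps exactly the same order. The two hunks do agree as posted (root, mac, arpmac, arpip, rarp, ipv4, ipv6), but neither side says so. I would add `/* order must match enum virNWFilterChainSuffixType in nwfilter_conf.h */` above the macro and a mirror comment on the enum. Inserting in the middle also renumbers RARP, IPv4 and IPv6, so any code outside these hunks that stores the numeric value or indexes an array by it should be checked.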
The mac chain is there for supporting multiple MAC
addresses per interface. What is the use case for having
multiple MAC addresses on an interface, and how do I
set this up in a Linux guest, for example?
I am not sure whether we should remove a chain, i.e.,
the 'arp' chain here. Adding is ok. Maybe the existing chain 'arp' could
be doing one part and 'arpmac' the other?
> diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
> index ef60b6b..4d60751 100644
> --- a/src/conf/nwfilter_conf.h
> +++ b/src/conf/nwfilter_conf.h
> @@ -425,7 +425,9 @@ struct _virNWFilterEntry {
>
> enum virNWFilterChainSuffixType {
> VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
> - VIR_NWFILTER_CHAINSUFFIX_ARP,
> + VIR_NWFILTER_CHAINSUFFIX_MAC,
> + VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
> + VIR_NWFILTER_CHAINSUFFIX_ARPIP,
> VIR_NWFILTER_CHAINSUFFIX_RARP,
> VIR_NWFILTER_CHAINSUFFIX_IPv4,
> VIR_NWFILTER_CHAINSUFFIX_IPv6,
> diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/
> nwfilter/nwfilter_ebiptables_driver.c
> index 39bd4a5..fa6f719 100644
> --- a/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ b/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -129,20 +129,24 @@ struct ushort_map {
>
>
> enum l3_proto_idx {
> - L3_PROTO_IPV4_IDX = 0,
> - L3_PROTO_IPV6_IDX,
> - L3_PROTO_ARP_IDX,
> + L3_PROTO_MAC_IDX = 0,
> + L3_PROTO_ARPMAC_IDX,
> + L3_PROTO_ARPIP_IDX,
> L3_PROTO_RARP_IDX,
> + L3_PROTO_IPV4_IDX,
> + L3_PROTO_IPV6_IDX,
> L3_PROTO_LAST_IDX
> };
>
> #define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL)
[IDX] = { .attr = ATT,
> .val = VAL }
>
> static const struct ushort_map l3_protocols[] = {
> - USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP
, "ipv4"),
> - USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6
, "ipv6"),
> - USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP
, "arp"),
> - USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP,
"rarp"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX, 0
, "mac"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP
, "ipv4"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6
, "ipv6"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP
, "arpmac"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP
, "arpip"),
> + USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP,
"rarp"),
> USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0
, NULL),
> };
>
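Review bot: The new `L3_PROTO_MAC_IDX` entry in `l3_protocols[]` uses `0` as its EtherType, the same `.attr` value as the `L3_PROTO_LAST_IDX` terminator, and the `arpmac` and `arpip` entries both carry `ETHERTYPE_ARP`. The code that consumes this table is outside the hunk, so I cannot tell whether anything scans by `.attr`, emits it as the ebtables protocol match, or assumes one chain per EtherType. If something does, the mac chain could be skipped or one of the two ARP chains never reached, which would quietly weaken an anti-spoofing filter. Please state the intent next to the entry, e.g. `/* attr 0: chain is not tied to a single EtherType */`, and add a comment on `enum l3_proto_idx` saying whether the index order is the order in which the sub-chains are evaluated. As a style point, the initialisers would be easier to audit if listed in the same order as the enum.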
Can you run a VM, do an 'ebtables -t nat -L', and
post the output? I'd be curious what
the chains look like now with the 'clean-traffic'
filter, without having to apply the
patches and test them.
Regards,
Stefan