On 04/13/2012 01:54 PM, dennis jenkins wrote:


On Fri, Apr 13, 2012 at 10:09 AM, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
This series of patches adds DHCP snooping support to libvirt's
nwfilter subsystem.

DHCP snooping detects DHCP leases obtained by a VM and automatically
adjusts the network traffic filters to reflect the IP addresses
with which a VM may send its traffic, thus for example preventing
IP address spoofing.
Once leases on IP addresses expire or if a VM gives up on a
lease on an IP address, the filters are also adjusted.
All leases are persisted and automatically applied upon a VM's restart.
Leases are associated with the tuple of VM-UUID and interface MAC
address.

The following interface XML activates and uses the DHCP snooping:

   <interface type='bridge'>
     <source bridge='virbr0'/>
     <filterref filter='clean-traffic'>
       <parameter name='ip_learning' value='dhcp'/>
     </filterref>
   </interface>


Regards,
  David and Stefan


Would libvirt (via the perl wrapper) be able to query the IP address information?


Patch 7 is going to add this with DETECTED_IP in the parameter list that then looks something like this:

    <interface type='bridge'>
      <mac address='52:54:00:68:e3:90'/>
      <source bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='ip_learning' value='dhcp'/>
        <parameter name='DETECTED_IP' value='192.168.122.210'/>
      </filterref>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </interface>

Some other considerations:

We should probably reserve some variables. This DETECTED_IP will be read-only meaning no-one can set it by writing the XML. Then we have
- IP: list of IP addresses use by an interface
- MAC: MAC address of the interface
- ip_learning: for choosing the IP detection mechanism  (capital letters??)
- DHCPSERVER: for list of trusted DHCP servers

Maybe the following should be also reserved

- IPV6
- DETECTED_IPV6
- DHCPSERVER_IPV6

independent of when they may be supported.

Another idea may be whether this special variable DETECTED_IP could be extended to include the lease and use it for migration, i.e. DETECTED_IP=<ip addr>,<lease timeout> and then when migrating we need to know that the XML is being parse due to migration (rather than the XML coming from user input directly) and that we can pick up its contents and feed it into the IP lease mechanism. Just a thought for now. Maybe someone has a comment on whether this is a good idea to begin with...

   Stefan