Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt
Stefan Berger <stefanb(a)linux.vnet.ibm.com> wrote on 10/12/2011 02:02:59
PM:
The problem we're having at the moment is that it's not
possible to
evaluate fields of packets that may have more than one possible value.
This is the general problem, the specific one being allowing multiple
MAC or IP addresses.
Stefan,
Yes, this is why for this patchset I've added "RETURN" and made
the address checks be "if match return" and a default drop at the
end. This code already supports multiple IP addresses for DHCP snooping,
static IP addresses (new to this version) and a combination of the
two (if both "IP" is set and "ip_learning=dhcp". Sample output using
multiple static addresses below.
The same model can be applied to user-generated filters with:
<do a series of checks using RETURN for acceptable packets>
-j DROP
If the user filter does "RETURN", it'll apply other tests as
well. If it does "ACCEPT"/"DROP", it'll accept or drop despite
any other conditions. I'm not sure I see any need for other
tables here, though-- can you elaborate?
+-DLS
lab1.dls 226 # ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0
Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP
Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p 0x8035 -j O-vnet0-rarp
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP
Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN
Bridge chain: I-vnet0-ipv4, entries: 5, policy: DROP
-p IPv4 --ip-src 10.0.0.1 -j RETURN
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN
-p IPv4 --ip-src 11.0.0.0/24 -j RETURN
-p IPv4 --ip-src 10.0.0.3 -j RETURN
-p IPv4 --ip-src 10.0.0.4 -j RETURN
Bridge chain: O-vnet0-ipv4, entries: 1, policy: DROP
-j ACCEPT
Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN
Bridge chain: I-vnet0-arpip, entries: 5, policy: DROP
-p ARP --arp-ip-src 10.0.0.1 -j RETURN
-p ARP --arp-ip-src 0.0.0.0 -j RETURN
-p ARP --arp-ip-src 11.0.0.0/24 -j RETURN
-p ARP --arp-ip-src 10.0.0.3 -j RETURN
-p ARP --arp-ip-src 10.0.0.4 -j RETURN
Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
--arp-mac-dst 54:0:0:0:0:1 -j ACCEPT
Bridge chain: O-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
--arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1 --arp-mac-dst 54:0:0:0:0:1
-j ACCEPT