[libvirt] [PATCH] util: fail attempts to use same mac address for guest and tap

This patch is in response to: https://bugzilla.redhat.com/show_bug.cgi?id=798467 If a guest's tap device is created using the same MAC address the guest uses for its own network card (which connects to the tap device), the Linux kernel will log the following message and traffic will not pass: kernel: vnet9: received packet with own address as source address This patch disallows MAC addresses with a first byte of 0xFE, but only in the case that the MAC address is used for a guest interface that's connected by way of a standard tap device. (In other words, the validation is done at runtime at the same place the MAC address is modified for the tap device, rather than when mac address is parsed, the idea being that it is then we know for sure the address will be problematic.) --- src/util/virnetdevtap.c | 22 ++++++++++++++++++++-- 1 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/util/virnetdevtap.c b/src/util/virnetdevtap.c index fb0a8d2..b19c006 100644 --- a/src/util/virnetdevtap.c +++ b/src/util/virnetdevtap.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Red Hat, Inc. + * Copyright (C) 2007-2012 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -45,6 +45,10 @@ #define VIR_FROM_THIS VIR_FROM_NONE +#define virNetDevTapError(code, ...) \ + virReportErrorHelper(VIR_FROM_NONE, code, __FILE__, \ + __FUNCTION__, __LINE__, __VA_ARGS__) + /** * virNetDevProbeVnetHdr: * @tapfd: a tun/tap file descriptor 
@@ -293,8 +297,22 @@ int virNetDevTapCreateInBridgePort(const char *brname, * device before we set our static MAC. */ memcpy(tapmac, macaddr, VIR_MAC_BUFLEN); - if (!(flags & VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE)) + if (!(flags & VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE)) { + if (macaddr[0] == 0xFE) { + /* For normal use, the tap device's MAC address cannot + * match the MAC address used by the guest. This results + * in "received packet on vnetX with own address as source + * address" error logs from the kernel. + */ + virNetDevTapError(VIR_ERR_CONFIG_UNSUPPORTED, + "Unable to use MAC address starting with " + "reserved value 0xFE - '%02X:%02X:%02X:%02X:%02X:%02X' - ", + macaddr[0], macaddr[1], macaddr[2], + macaddr[3], macaddr[4], macaddr[5]); + goto error; + } tapmac[0] = 0xFE; /* Discourage bridge from using TAP dev MAC */ + } if (virNetDevSetMAC(*ifname, tapmac) < 0) goto error; -- 1.7.7.6
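Review bot: in the second hunk, the new virNetDevTapError macro hard-codes VIR_FROM_NONE even though the line immediately above it already defines VIR_FROM_THIS as VIR_FROM_NONE; passing VIR_FROM_THIS to virReportErrorHelper instead keeps the two in step if the error domain for this file ever changes.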
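Review bot: in the virNetDevTapCreateInBridgePort hunk, the error format string ends with a dangling " - " after the formatted MAC ("... - '%02X:%02X:%02X:%02X:%02X:%02X' - "), so the reported message trails off with a bare hyphen; either drop the trailing separator or finish the sentence by saying why the address is refused (the tap device would otherwise share the guest's address). A smaller point: the new comment quotes the kernel message as "received packet on vnetX with own address as source address", while the commit message shows the actual wording "vnet9: received packet with own address as source address"; quoting it exactly helps anyone searching logs for the symptom. The placement of the check itself looks right: it sits inside the !VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE branch, so only the path that rewrites tapmac[0] to 0xFE rejects guest MACs that already start with 0xFE, which matches what the commit message says about validating at runtime rather than at parse time.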

On 03/05/2012 09:05 AM, Laine Stump wrote:
This patch is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=798467
If a guest's tap device is created using the same MAC address the guest uses for its own network card (which connects to the tap device), the Linux kernel will log the following message and traffic will not pass:
kernel: vnet9: received packet with own address as source address
This patch disallows MAC addresses with a first byte of 0xFE, but only in the case that the MAC address is used for a guest interface that's connected by way of a standard tap device. (In other words, the validation is done at runtime at the same place the MAC address is modified for the tap device, rather than when mac address is parsed, the idea being that it is then we know for sure the address will be problematic.) --- src/util/virnetdevtap.c | 22 ++++++++++++++++++++-- 1 files changed, 20 insertions(+), 2 deletions(-)
ACK. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
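The check the patch introduces, and the kernel symptom it prevents, as an added C example that is not libvirt's own code: it parses a MAC string, derives the tap MAC the way the patched virNetDevTapCreateInBridgePort path does (copy the guest MAC and force the first byte to 0xFE) while refusing a guest MAC that already starts with 0xFE, and, from the operator's side, counts occurrences of the kernel's "received packet with own address as source address" message in a log sample. The function names, the return-code convention and the sample log lines are all constructed for this example and are not taken from libvirt or from a real system.

```c
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* Parse "aa:bb:cc:dd:ee:ff" (either case) into 6 bytes.
 * Returns 0 on success, -1 if the string is not a MAC address. */
static int parse_mac(const char *s, unsigned char out[MAC_LEN])
{
    unsigned int b[MAC_LEN];
    char trailing;
    int n = sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c",
                   &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &trailing);
    if (n != MAC_LEN)   /* fewer than 6 fields, or trailing junk (n == 7) */
        return -1;
    for (int i = 0; i < MAC_LEN; i++)
        out[i] = (unsigned char)b[i];
    return 0;
}

/* Mirror of the patched logic: the tap gets the guest MAC with its first byte
 * forced to 0xFE so the bridge will not adopt it. A guest MAC that already
 * starts with 0xFE is refused, because tap and guest would then share one
 * address and the kernel drops the guest's frames. */
static int derive_tap_mac(const unsigned char guest[MAC_LEN], unsigned char tap[MAC_LEN])
{
    if (guest[0] == 0xFE)
        return -1;
    memcpy(tap, guest, MAC_LEN);
    tap[0] = 0xFE;
    return 0;
}

/* Status of a guest MAC string: 0 = usable, -1 = malformed, -2 = rejected (0xFE). */
int guest_mac_status(const char *guest_str)
{
    unsigned char guest[MAC_LEN], tap[MAC_LEN];
    if (parse_mac(guest_str, guest) < 0)
        return -1;
    return derive_tap_mac(guest, tap) < 0 ? -2 : 0;
}

/* Tap MAC as "fe:..." text in a static buffer, or NULL if the guest MAC is
 * malformed or rejected. */
const char *tap_mac_string(const char *guest_str)
{
    static char buf[18];
    unsigned char guest[MAC_LEN], tap[MAC_LEN];
    if (parse_mac(guest_str, guest) < 0 || derive_tap_mac(guest, tap) < 0)
        return NULL;
    snprintf(buf, sizeof buf, "%02x:%02x:%02x:%02x:%02x:%02x",
             tap[0], tap[1], tap[2], tap[3], tap[4], tap[5]);
    return buf;
}

/* Operator-side check: scan kernel log lines for the collision symptom.
 * Returns the number of matching lines; if ifname is non-NULL, the interface
 * named in the first match ("vnet9" in "kernel: vnet9: received ...") is copied there. */
int count_own_address_warnings(const char *const *lines, size_t n, char *ifname, size_t ifname_len)
{
    static const char needle[] = "received packet with own address as source address";
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = strstr(lines[i], needle);
        if (!p)
            continue;
        if (hits == 0 && ifname && ifname_len > 0) {
            const char *end = p;                  /* step back over ": " */
            while (end > lines[i] && (end[-1] == ' ' || end[-1] == ':'))
                end--;
            const char *start = end;              /* then back to the token start */
            while (start > lines[i] && start[-1] != ' ' && start[-1] != ':')
                start--;
            size_t len = (size_t)(end - start);
            if (len >= ifname_len)
                len = ifname_len - 1;
            memcpy(ifname, start, len);
            ifname[len] = '\0';
        }
        hits++;
    }
    return hits;
}

/* Constructed sample log (not real output): two collision warnings on vnet9
 * plus one unrelated bridge line. */
static const char *const sample_log[] = {
    "Mar  5 09:05:01 host kernel: vnet9: received packet with own address as source address",
    "Mar  5 09:05:01 host kernel: br0: port 3(vnet9) entered forwarding state",
    "Mar  5 09:05:02 host kernel: vnet9: received packet with own address as source address",
};
#define SAMPLE_LOG_LINES (sizeof sample_log / sizeof sample_log[0])

int sample_log_hits(void)
{
    return count_own_address_warnings(sample_log, SAMPLE_LOG_LINES, NULL, 0);
}

int sample_log_ifname_is(const char *expected)
{
    char name[32];
    count_own_address_warnings(sample_log, SAMPLE_LOG_LINES, name, sizeof name);
    return strcmp(name, expected) == 0;
}

int main(void)
{
    const char *macs[] = { "52:54:00:12:34:56", "fe:54:00:12:34:56", "not-a-mac" };
    for (size_t i = 0; i < 3; i++) {
        int st = guest_mac_status(macs[i]);
        printf("%-18s -> %s\n", macs[i],
               st == 0 ? tap_mac_string(macs[i])
                       : st == -1 ? "malformed" : "rejected: starts with 0xFE");
    }
    char name[32];
    int hits = count_own_address_warnings(sample_log, SAMPLE_LOG_LINES, name, sizeof name);
    printf("collision warnings in sample log: %d (first on %s)\n", hits, name);
    return 0;
}
```

The rejection is deliberately applied at the point where the tap MAC is derived rather than when the address is parsed, for the same reason the commit message gives: only there is it certain that the 0xFE prefix will collide. The log scan is the cheap way to confirm that an existing guest is already affected before the address is changed.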

On 03/05/2012 11:14 AM, Eric Blake wrote:
On 03/05/2012 09:05 AM, Laine Stump wrote:
This patch is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=798467
If a guest's tap device is created using the same MAC address the guest uses for its own network card (which connects to the tap device), the Linux kernel will log the following message and traffic will not pass:
kernel: vnet9: received packet with own address as source address
This patch disallows MAC addresses with a first byte of 0xFE, but only in the case that the MAC address is used for a guest interface that's connected by way of a standard tap device. (In other words, the validation is done at runtime at the same place the MAC address is modified for the tap device, rather than when mac address is parsed, the idea being that it is then we know for sure the address will be problematic.) --- src/util/virnetdevtap.c | 22 ++++++++++++++++++++-- 1 files changed, 20 insertions(+), 2 deletions(-) ACK.
Thanks. I received the additional info that this was discovered not by someone manually setting the mac address to fe:xx:xx:xx:xx:xx in some ill-informed attempt to match what they saw in the tap device's ifconfig output, but because a management application automatically chose an address that started with 0xFE. I'm waiting to push until I hear back whether or not that management application can be configured to *not* do that.