Re: [libvirt] [PATCH 0/9] add DHCP snooping support to nwfilter

Wednesday, 11 May 2011

Stefan Berger/Watson/IBM wrote on 05/11/2011 11:59:21 AM:

...
 Looking at patch 8 I would assume you need to store the IP leases 
 you track into
 a file so you can handle the cases of libvirt restart while a VM is 
 running. How
 does the DHCP snooping currently deal with libvirt restarts or a 
 SIGHUP to libvirt.
 Both I believe are currently rebuilding all filters when libvirt 
 restarts and on
 those interfaces where it is necessary the learning will again start up. 
        But the problem with that is a guest can circumvent the whole 
point of
the filters by tricking it into allowing an address not officially 
assigned
to it. With this patch set, the guest would have to recycle the interface
to trigger another DHCP request/ACK, but saving in a lease file is a 
better
idea; I'll look into that.
...

 >    With DHCP snooping, only addresses acknowledged by a DHCP server  can
...
 > be used by the guest, and only for the given lease time if the
address  lease
...
 > is not renewed.

 How do you treat VMs with statically configured interfaces? Are they
 permanently blocked
 from sending? 
        Just as with your learning code, if the IP variable is set, it'll
use that as the static address in the filters (and not require DHCP).

                                                                +-DLS

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005