Stefan Berger/Watson/IBM wrote on 05/11/2011 11:59:21 AM:
> Looking at patch 8 I would assume you need to store the IP leases you track into
> a file so you can handle the cases of libvirt restart while a VM is running. How
> does the DHCP snooping currently deal with libvirt restarts or a SIGHUP to libvirt?
> Both I believe are currently rebuilding all filters when libvirt restarts, and on
> those interfaces where it is necessary the learning will again start up.
But the problem with that is a guest can circumvent the whole point of
the filters by tricking it into allowing an address not officially assigned
to it. With this patch set, the guest would have to recycle the interface
to trigger another DHCP request/ACK, but saving in a lease file is a better
idea; I'll look into that.
> > With DHCP snooping, only addresses acknowledged by a DHCP server can
> > be used by the guest, and only for the given lease time if the address lease
> > is not renewed.

> How do you treat VMs with statically configured interfaces? Are they
> permanently blocked from sending?
Just as with your learning code, if the IP variable is set, it'll use that
as the static address in the filters (and not require DHCP).
+-DLS
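As an added example (not code from the patch set or from libvirt), a minimal lease table that persists DHCP-acknowledged addresses to a file and drops expired entries when reloaded after a restart, with the static-IP override discussed above; the MAC addresses, IPs and timestamps are constructed sample values.

```python
import json, os, tempfile

class LeaseTable:
    """Per-interface DHCP lease store keyed by guest MAC (constructed example, not libvirt code)."""

    def __init__(self, path, static_ips=None):
        self.path = path                      # persistent lease file
        self.static_ips = static_ips or {}    # MAC -> IP set via the nwfilter IP variable
        self.leases = {}                      # MAC -> [ip, expiry timestamp]

    def on_dhcp_ack(self, mac, ip, lease_time, now):
        """Record an address the DHCP server acknowledged, valid for lease_time seconds."""
        self.leases[mac] = [ip, now + lease_time]
        self.save()

    def save(self):
        """Write the table atomically so a crash mid-write never leaves a truncated file."""
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.leases, f)
        os.replace(tmp, self.path)

    @classmethod
    def load(cls, path, static_ips, now):
        """Rebuild the table after a restart, dropping leases that expired meanwhile."""
        table = cls(path, static_ips)
        if os.path.exists(path):
            with open(path) as f:
                table.leases = {m: v for m, v in json.load(f).items() if v[1] > now}
        return table

    def allowed_ips(self, mac, now):
        """Source IPs the filter should permit for this interface right now."""
        if mac in self.static_ips:            # static config bypasses DHCP snooping
            return {self.static_ips[mac]}
        lease = self.leases.get(mac)
        if lease and lease[1] > now:
            return {lease[0]}
        return set()                          # nothing learned or lease expired: block


def demo():
    """Learn a lease, then reload at t=2000 (still valid) and at t=5000 (expired)."""
    path = os.path.join(tempfile.mkdtemp(), "leases.json")
    static = {"52:54:00:00:00:02": "192.168.122.50"}   # constructed sample values
    LeaseTable(path, static).on_dhcp_ack("52:54:00:00:00:01", "192.168.122.10", 3600, now=1000)
    valid = LeaseTable.load(path, static, now=2000).allowed_ips("52:54:00:00:00:01", now=2000)
    expired_tbl = LeaseTable.load(path, static, now=5000)
    return (valid, expired_tbl.allowed_ips("52:54:00:00:00:01", 5000),
            expired_tbl.allowed_ips("52:54:00:00:00:02", 5000))
```

Without the reload step, a restart would reopen the learning window and a guest could present any address until the next DHCP exchange; with it, only the still-valid lease or the statically configured IP passes the filter.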