This series of patches adds DHCP snooping support to libvirt's nwfilter subsystem.
DHCP snooping detects DHCP leases obtained by a VM and automatically adjusts the network traffic filters to reflect the IP addresses with which a VM may send its traffic, thus for example preventing IP address spoofing. Once leases on IP addresses expire or if a VM gives up on a lease on an IP address, the filters are also adjusted. All leases are persisted and automatically applied upon a VM's restart. Leases are associated with the tuple of VM-UUID and interface MAC address.

The following interface XML activates and uses the DHCP snooping:

  <interface type='bridge'>
    <source bridge='virbr0'/>
    <filterref filter='clean-traffic'>
      <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
    </filterref>
  </interface>

Once an IP address has been detected on an interface, 'virsh dumpxml <vm>' would show the IP address lease in the format <IP address>,<lease timeout in seconds>:

  <interface type='bridge'>
    <source bridge='virbr0'/>
    <filterref filter='clean-traffic'>
      <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      <parameter name='IP_LEASE' value='192.168.122.210,180'/>
    </filterref>
  </interface>

Regards,
   David and Stefan

v14:
 - addressed Eric Blake's concerns
 - introducing a typedef for MAC addresses

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
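As an added illustration (not part of this patch series or of libvirt itself), the following script reads the domain XML shown above and reports, per interface, which nwfilter is referenced, whether CTRL_IP_LEARNING is set to dhcp, and which addresses the filter currently admits, parsing the IP_LEASE '<IP address>,<lease timeout in seconds>' format. The MAC addresses and the second, statically configured interface in the sample XML are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <devices> part of 'virsh dumpxml <vm>' for a guest
# with one DHCP-snooped interface and one interface given a static IP parameter.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
        <parameter name='IP_LEASE' value='192.168.122.210,180'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:dd:ee:ff'/>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.168.122.50'/>
      </filterref>
    </interface>
  </devices>
</domain>"""

def parse_lease(value):
    """Parse an IP_LEASE value: '<IP address>,<lease timeout in seconds>'."""
    ip, sep, timeout = value.partition(",")
    if not sep or not ip or not timeout.isdigit():
        raise ValueError("malformed IP_LEASE value: %r" % value)
    return ip, int(timeout)

def snooping_report(domain_xml):
    """Per interface: filter, learning mode, snooped leases and static IPs."""
    report = []
    for iface in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        mac_el, fref = iface.find("mac"), iface.find("filterref")
        entry = {"mac": mac_el.get("address") if mac_el is not None else None,
                 "filter": fref.get("filter") if fref is not None else None,
                 "learning": None, "leases": [], "static_ips": []}
        params = [] if fref is None else fref.iterfind("parameter")
        for param in params:
            name, value = param.get("name"), param.get("value")
            if name == "CTRL_IP_LEARNING":
                entry["learning"] = value
            elif name == "IP_LEASE":      # one parameter per learned lease
                entry["leases"].append(parse_lease(value))
            elif name == "IP":            # statically configured address
                entry["static_ips"].append(value)
        report.append(entry)
    return report
```

An interface with learning set to dhcp but no IP_LEASE entry has not yet obtained a lease, so its filter admits no IP traffic until the snooper records one.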