Hi,

This is mostly a cut/paste from a bugzilla I just filed,
https://bugzilla.redhat.com/show_bug.cgi?id=862887 - Dave Allan mentioned I
should post it on the mailing list for comments.

I was trying to program up a libvirt nwfilter rule to restrict the ARP
destination IP address (in the request) to be a subnet.  I can specify one using
ebtables directly, but not via a filter.  Looking on libvirt.org seems to show
it must be an IP address, don't know if anyone's thought about changing that to
support a subnet?

$ libvirtd --version
libvirtd (libvirt) 0.9.8

I created a file that looks something like this:

<filter name='only-arp-dstip-net' chain='arp'>
 <rule action='drop' direction='out' priority='550'>
     <arp match='no' arpdstipaddr='10.1.2.0/24' />
 </rule>
</filter>

But when it's defined, it loses the arpdstipaddr part:

<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
  <uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
  <rule action='drop' direction='out' priority='550'>
    <arp/>
  </rule>
</filter>

And the corresponding ebtables rule is:

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP -j DROP , pcnt = 0 -- bcnt = 0

Using ebtables works:

$ sudo ebtables -t nat -A I-vnet0-arp -p ARP --arp-ip-dst 10.1.2.0/24 -j DROP

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP --arp-ip-dst 10.1.2.0/24 -j DROP , pcnt = 0 -- bcnt = 0

The use case I have is that I have a bridge with proxy_arp=1, but I don't want
to respond for all IP addresses, just a certain range.  Right now a VM can use
'ping -r -I eth0 $any_ip' and the stack will respond.

Thanks,

-Brian

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
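The report above shows libvirt accepting the filter definition but silently discarding the arpdstipaddr criterion, so the rule that actually reaches ebtables (plain "-p ARP -j DROP") is far broader than the one written. A cheap check is to diff the XML you submitted against what libvirt reports back and flag any match attribute that did not survive. The following script is an added example, not code from the original post or from the libvirt project; the two XML documents are copied from the report, and the helper names are my own.

```python
import xml.etree.ElementTree as ET

# The filter XML from the report above (what was submitted to
# 'virsh nwfilter-define').
SUBMITTED_XML = """<filter name='only-arp-dstip-net' chain='arp'>
 <rule action='drop' direction='out' priority='550'>
     <arp match='no' arpdstipaddr='10.1.2.0/24' />
 </rule>
</filter>"""

# What 'virsh nwfilter-dumpxml' returned afterwards, also from the report.
DEFINED_XML = """<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
  <uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
  <rule action='drop' direction='out' priority='550'>
    <arp/>
  </rule>
</filter>"""


def rule_key(rule):
    """Identify a <rule> by the attributes libvirt keeps on it."""
    return (rule.get('action'), rule.get('direction'), rule.get('priority'))


def find_dropped_attributes(submitted_xml, defined_xml):
    """Return (rule priority, protocol tag, attribute, submitted value) for
    every match attribute that is missing or changed in the defined copy.

    A <rule> or protocol element that is absent from the defined copy is
    reported too, attribute by attribute, since all of its criteria are lost.
    """
    submitted = ET.fromstring(submitted_xml)
    defined = ET.fromstring(defined_xml)
    defined_rules = {rule_key(r): r for r in defined.findall('rule')}
    dropped = []
    for rule in submitted.findall('rule'):
        counterpart = defined_rules.get(rule_key(rule))
        # Each child of <rule> is a protocol element (<arp/>, <ip/>, ...);
        # its attributes are the match criteria.
        for proto in rule:
            # 'is not None' matters: an Element with no children is falsy.
            defined_proto = (counterpart.find(proto.tag)
                             if counterpart is not None else None)
            for name, value in proto.attrib.items():
                kept = (defined_proto.get(name)
                        if defined_proto is not None else None)
                if kept != value:
                    dropped.append((rule.get('priority'), proto.tag, name, value))
    return sorted(dropped)


def check_report_example():
    """Run the comparison on the XML pair from the report."""
    return find_dropped_attributes(SUBMITTED_XML, DEFINED_XML)


if __name__ == '__main__':
    for priority, proto, name, value in check_report_example():
        print(f"rule priority={priority}: <{proto}> lost {name}='{value}'")
```

For a live check, replace the two embedded strings with the file you passed to `virsh nwfilter-define` and the output of `virsh nwfilter-dumpxml <name>`; any line printed means the filter in force is weaker than the one you wrote. On the report's XML it flags both arpdstipaddr='10.1.2.0/24' and match='no', which is exactly what the empty `<arp/>` in the defined copy implies.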
