Re: [libvirt] [libvirt PATCHv5 1/2] add DHCP snooping
On 11/10/2011 03:28 PM, David L Stevens wrote: This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevensdlstev...@us.ibm.com --- docs/formatnwfilter.html.in | 17 + examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 745 ++ src/nwfilter/nwfilter_dhcpsnoop.h| 38 ++ src/nwfilter/nwfilter_driver.c |6 + src/nwfilter/nwfilter_gentech_driver.c | 53 ++- 7 files changed, 853 insertions(+), 13 deletions(-) create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.c create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.h diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 8df4a93..8003320 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in 
@@ -1775,6 +1775,23 @@ br/br/ In case a VM is resumed after suspension or migrated, IP address detection will be restarted. +br/br/ + Variableiip_learning/i may be used to specify + the IP address learning method. Valid values areiany/i,idhcp/i, + orinone/i. The default value isiany/i, meaning that libvirt + may use any packet to determine the address in use by a VM. A value of +idhcp/i specifies that libvirt should only honor DHCP server-assigned + addresses with valid leases. Ifiip_learning/i is set toinone/i, + libvirt does not do address learning and referencingiIP/i without + assigning it an explicit value is an error. +br/br/ + Use ofiip_learning=dhcp/i (DHCP snooping) provides additional + anti-spoofing security, especially when combined with a filter allowing + only trusted DHCP servers to assign addresses. If the DHCP lease expires, + the VM will no longer be able to use the IP address until it acquires a + new, valid lease from a DHCP server. If the VM is migrated, it must get + a new valid DHCP lease to use an IP address (e.g., by + bringing the VM interface down and up again). /p Can you add a sentence that it must be used in combination with a filter that allows DHCP traffic to pass? h3a name=nwflimitsmigrVM Migration/a/h3 diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml index b8c94c8..7c7fd46 100644 --- a/examples/xml/nwfilter/no-ip-spoofing.xml +++ b/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,5 +1,10 @@ filter name='no-ip-spoofing' chain='ipv4' +!-- allow DHCP requests -- +rule action='accept' direction='out' +ip match='yes' srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' + srcportend='68' / +/rule !-- drop if srcipaddr is not the IP address of the guest -- rule action='drop' direction='out' ip match='no' srcipaddr='$IP' / diff --git a/src/Makefile.am b/src/Makefile.am index 87d91ed..c948cbf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
@@ -481,6 +481,8 @@ NWFILTER_DRIVER_SOURCES = \ nwfilter/nwfilter_driver.h nwfilter/nwfilter_driver.c \ nwfilter/nwfilter_gentech_driver.c \ nwfilter/nwfilter_gentech_driver.h \ + nwfilter/nwfilter_dhcpsnoop.c \ + nwfilter/nwfilter_dhcpsnoop.h \ nwfilter/nwfilter_ebiptables_driver.c \ nwfilter/nwfilter_ebiptables_driver.h \ nwfilter/nwfilter_learnipaddr.c \ diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c new file mode 100644 index 000..8a37a6f --- /dev/null +++ b/src/nwfilter/nwfilter_dhcpsnoop.c @@ -0,0 +1,745 @@ +/* + * nwfilter_dhcpsnoop.c: support for DHCP snooping used by a VM + * on an interface + * + * Copyright (C) 2011 IBM Corp. + * Copyright (C) 2011 David L Stevens + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: David L Stevensdlstev...@us.ibm.com + * Based in part on work by Stefan Bergerstef...@us.ibm.com + */ + +#includeconfig.h + +#ifdef HAVE_LIBPCAP
[libvirt] [libvirt PATCHv5 1/2] add DHCP snooping
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens dlstev...@us.ibm.com --- docs/formatnwfilter.html.in | 17 + examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 745 ++ src/nwfilter/nwfilter_dhcpsnoop.h| 38 ++ src/nwfilter/nwfilter_driver.c |6 + src/nwfilter/nwfilter_gentech_driver.c | 53 ++- 7 files changed, 853 insertions(+), 13 deletions(-) create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.c create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.h diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 8df4a93..8003320 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -1775,6 +1775,23 @@ br/br/ In case a VM is resumed after suspension or migrated, IP address detection will be restarted. + br/br/ + Variable iip_learning/i may be used to specify + the IP address learning method. Valid values are iany/i, idhcp/i, + or inone/i. The default value is iany/i, meaning that libvirt + may use any packet to determine the address in use by a VM. A value of + idhcp/i specifies that libvirt should only honor DHCP server-assigned + addresses with valid leases. If iip_learning/i is set to inone/i, + libvirt does not do address learning and referencing iIP/i without + assigning it an explicit value is an error. + br/br/ + Use of iip_learning=dhcp/i (DHCP snooping) provides additional + anti-spoofing security, especially when combined with a filter allowing + only trusted DHCP servers to assign addresses. If the DHCP lease expires, + the VM will no longer be able to use the IP address until it acquires a + new, valid lease from a DHCP server. If the VM is migrated, it must get + a new valid DHCP lease to use an IP address (e.g., by + bringing the VM interface down and up again). /p h3a name=nwflimitsmigrVM Migration/a/h3 diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml index b8c94c8..7c7fd46 100644 
--- a/examples/xml/nwfilter/no-ip-spoofing.xml +++ b/examples/xml/nwfilter/no-ip-spoofing.xml @@ -1,5 +1,10 @@ filter name='no-ip-spoofing' chain='ipv4' +!-- allow DHCP requests -- +rule action='accept' direction='out' +ip match='yes' srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' + srcportend='68' / +/rule !-- drop if srcipaddr is not the IP address of the guest -- rule action='drop' direction='out' ip match='no' srcipaddr='$IP' / diff --git a/src/Makefile.am b/src/Makefile.am index 87d91ed..c948cbf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -481,6 +481,8 @@ NWFILTER_DRIVER_SOURCES = \ nwfilter/nwfilter_driver.h nwfilter/nwfilter_driver.c \ nwfilter/nwfilter_gentech_driver.c \ nwfilter/nwfilter_gentech_driver.h \ + nwfilter/nwfilter_dhcpsnoop.c \ + nwfilter/nwfilter_dhcpsnoop.h \ nwfilter/nwfilter_ebiptables_driver.c \ nwfilter/nwfilter_ebiptables_driver.h \ nwfilter/nwfilter_learnipaddr.c \ diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c new file mode 100644 index 000..8a37a6f --- /dev/null +++ b/src/nwfilter/nwfilter_dhcpsnoop.c 
@@ -0,0 +1,745 @@ +/* + * nwfilter_dhcpsnoop.c: support for DHCP snooping used by a VM + * on an interface + * + * Copyright (C) 2011 IBM Corp. + * Copyright (C) 2011 David L Stevens + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: David L Stevens dlstev...@us.ibm.com + * Based in part on work by Stefan Berger stef...@us.ibm.com + */ + +#include config.h + +#ifdef HAVE_LIBPCAP +#include pcap.h +#endif + +#include fcntl.h +#include sys/ioctl.h +#include signal.h + +#include arpa/inet.h +#include net/ethernet.h
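Review bot: the ip_learning paragraph added to docs/formatnwfilter.html.in does not state that ip_learning=dhcp only works together with a filter that lets the DHCP exchange through (the point raised in the reply); without such a rule the outbound DISCOVER/REQUEST from 0.0.0.0 is dropped and no lease is ever snooped. The text covers lease expiry ("the VM will no longer be able to use the IP address until it acquires a new, valid lease") but not renewal, so please add whether a snooped ACK for a renewal, which a client sends from its current address rather than 0.0.0.0, extends the lease without interrupting traffic, and spell out that the default iany/i offers no protection against a guest that picks its own address, since any packet may set iIP/i in that mode.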
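Review bot: the accept rule added to examples/xml/nwfilter/no-ip-spoofing.xml matches every outbound UDP datagram with srcipaddr 0.0.0.0 and source port 68 and places no constraint on the destination, so it admits more than the client-to-server DHCP traffic its comment ("allow DHCP requests") describes; adding dstportstart='67' keeps the 0.0.0.0 exception to the actual DHCP case. It is also worth noting in the comment that renewals and releases from an already-leased guest pass only because their source is $IP, so this rule and the drop rule below it cover the two halves of the client state machine together.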
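Review bot: in src/nwfilter/nwfilter_dhcpsnoop.c the #ifdef HAVE_LIBPCAP guards only the #include pcap.h, while src/Makefile.am adds the file to NWFILTER_DRIVER_SOURCES unconditionally; unless the remainder of the implementation is wrapped in the same guard with no-op stubs for the entry points declared in nwfilter_dhcpsnoop.h, a build without libpcap will fail to compile or to link the gentech driver. Either guard the whole implementation and provide stubs that report DHCP snooping as unavailable (so ip_learning=dhcp fails loudly rather than silently learning nothing), or make the Makefile entry conditional on the same configure check.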