subject:"Re\: \[libvirt\] \[libvirt PATCHv3 00\/10\] DHCP snooping support for libvirt"

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

2011-10-14 Thread Stefan Berger


On 10/12/2011 05:25 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/12/2011 02:02:59
PM:


The problem we're having at the moment is that it's not possible to
evaluate fields of packets that may have more than one possible value.
This is the general problem, the specific one being allowing multiple
MAC or IP addresses.

Stefan,
 Yes, this is why for this patchset I've added RETURN and made
the address checks  be if match return and a default drop at the
end. This code already supports multiple IP addresses for DHCP snooping,
static IP addresses (new to this version) and a combination of the
two (if both IP is set and ip_learning=dhcp. Sample output using
multiple static addresses below.
 The same model can be applied to user-generated filters with:

do a series of checks using RETURN for acceptable packets
-j DROP

If the user filter does RETURN, it'll apply other tests as
well. If it does ACCEPT/DROP, it'll accept or drop despite
any other conditions. I'm not sure I see any need for other
tables here, though-- can you elaborate?
 +-DLS


Basically I would like to get away from having a hardcoded 
representation of the names of filters inside the code. We now have 4 
such filters, arp, rarp, ipv4 and ipv6 and you are adding 2 more arpmac 
and arpip. For ipv6 we would again need to add more. I think the names 
of the filters should be picked up from the XML and then in some way 
sorted and have them generate the rules


-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp


in the right order. i.e., ipv4 before ipv6 before arpmac before arpip 
before rapr and 'arp' somewhere in between. This and later on an 
introduction of an action 'jump' or 'goto' with a target would then 
provide more flexibility for the user to build even more complex 
filters. I'll look into getting rid of the bit fields that I have been 
using so far and try to collect the names of filters. I guess they would 
have to be given an implicit 'priority' so they are ordered in that way 
above -- so maybe some of the filters are known to the system and have 
an implicit priority while others will have to be given a priority. 
Comments?


   Stefan


lab1.dls 226 # ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p 0x8035 -j O-vnet0-rarp
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-ipv4, entries: 5, policy: DROP
-p IPv4 --ip-src 10.0.0.1 -j RETURN
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN
-p IPv4 --ip-src 11.0.0.0/24 -j RETURN
-p IPv4 --ip-src 10.0.0.3 -j RETURN
-p IPv4 --ip-src 10.0.0.4 -j RETURN

Bridge chain: O-vnet0-ipv4, entries: 1, policy: DROP
-j ACCEPT

Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN

Bridge chain: I-vnet0-arpip, entries: 5, policy: DROP
-p ARP --arp-ip-src 10.0.0.1 -j RETURN
-p ARP --arp-ip-src 0.0.0.0 -j RETURN
-p ARP --arp-ip-src 11.0.0.0/24 -j RETURN
-p ARP --arp-ip-src 10.0.0.3 -j RETURN
-p ARP --arp-ip-src 10.0.0.4 -j RETURN

Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1
--arp-mac-dst 54:0:0:0:0:1 -j ACCEPT

Bridge chain: O-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
--arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1 --arp-mac-dst 54:0:0:0:0:1
-j ACCEPT




--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

2011-10-12 Thread Stefan Berger


David,

  I have unfortunately missed v2 of this and in the meantime (since 
after V1) I had been thinking about this a bit.


  The problem we're having at the moment is that it's not possible to 
evaluate fields of packets that may have more than one possible value. 
This is the general problem, the specific one being allowing multiple 
MAC or IP addresses. This problem requires us to enable more tables 
along with jumps to those tables. I think we should solve this in a more 
general way. What we seem to need for this are tables that are connected 
to the 'root table' of an interface and tables that are not connected to 
the 'root table'. So for now we handle arp, rarp, ipv4 and ipv6 from 
that 'root' table using '-p arp -j table' for example to jump to an 
ARP-specific table for example, the protocol being the decision point 
here ('-p'). So now maybe what we should do is allow user to define 
tables with prefixes 'arp', 'ipv4' and 'ipv6' and have all of them 
connected to the root table and jump into them using '-p'. There could 
be an arp table, an 'arp-xyz' table and all of them would be connected 
to that root table -- the question is just in what order. Maybe 
alphabetical order, with arp and rarp still being always treated after 
ipv4 and ipv6. Then to realize the other 'loose tables' they could maybe 
all be required to have a prefix 'ud-' for 'user-defined'. Those would 
then just be created but not accessed from the 'root table' of an 
interface but from those connected to an interface's 'root table'. Does 
this sound reasonable ?


   Stefan


On 10/12/2011 03:50 PM, David L Stevens wrote:

This series of patches adds DHCP snooping support to libvirt. This version
saves leases on disk for restoration after a libvirtd restart and allows
selection of different ip_learning methods by setting filter parameter
ip_learning to one of any (existing IP learning code) none (static only
addresses) or DHCP (DHCP Snooping).

This code does not (yet) support passing lease information across a migration.
A migrated guest requires a DHCP ACK (e.g., via ifdown/ifup on the guest) to
send/receive traffic for DHCP-learned addresses after a migration.

Differences from v2: added support for multiple static IP addresses using
  a comma-separated list.

David L Stevens (10):
   support continue/return
   allow required ARP packets
   reverse sense of address matching
   make default chain policy DROP
   allow chain modification
   support addRules
   support variable value changing
   add DHCP snooping
   add leasefile support
   support multiple static IP addresses

  examples/xml/nwfilter/Makefile.am   |5 +-
  examples/xml/nwfilter/allow-arp.xml |5 +-
  examples/xml/nwfilter/allow-arpip.xml   |3 +
  examples/xml/nwfilter/allow-arpmac.xml  |3 +
  examples/xml/nwfilter/clean-traffic.xml |6 +-
  examples/xml/nwfilter/no-arp-spoofing.xml   |   38 +-
  examples/xml/nwfilter/no-arpip-spoofing.xml |   10 +
  examples/xml/nwfilter/no-arpmac-spoofing.xml|5 +
  examples/xml/nwfilter/no-ip-spoofing.xml|9 +-
  examples/xml/nwfilter/no-mac-spoofing.xml   |   10 +-
  examples/xml/nwfilter/no-other-l2-traffic.xml   |   13 +-
  examples/xml/nwfilter/no-other-rarp-traffic.xml |3 -
  examples/xml/nwfilter/qemu-announce-self.xml|1 -
  src/Makefile.am |2 +
  src/conf/nwfilter_conf.c|   12 +-
  src/conf/nwfilter_conf.h|   16 +-
  src/nwfilter/nwfilter_dhcpsnoop.c   |  938 +++
  src/nwfilter/nwfilter_dhcpsnoop.h   |   36 +
  src/nwfilter/nwfilter_driver.c  |5 +
  src/nwfilter/nwfilter_ebiptables_driver.c   |  225 +--
  src/nwfilter/nwfilter_gentech_driver.c  |  225 +-
  src/nwfilter/nwfilter_gentech_driver.h  |   11 +
  22 files changed, 1445 insertions(+), 136 deletions(-)
  create mode 100644 examples/xml/nwfilter/allow-arpip.xml
  create mode 100644 examples/xml/nwfilter/allow-arpmac.xml
  create mode 100644 examples/xml/nwfilter/no-arpip-spoofing.xml
  create mode 100644 examples/xml/nwfilter/no-arpmac-spoofing.xml
  delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
  create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.c
  create mode 100644 src/nwfilter/nwfilter_dhcpsnoop.h



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

2011-10-12 Thread David Stevens

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/12/2011 02:02:59 
PM:

The problem we're having at the moment is that it's not possible to 
 evaluate fields of packets that may have more than one possible value. 
 This is the general problem, the specific one being allowing multiple 
 MAC or IP addresses.

Stefan,
Yes, this is why for this patchset I've added RETURN and made
the address checks  be if match return and a default drop at the
end. This code already supports multiple IP addresses for DHCP snooping,
static IP addresses (new to this version) and a combination of the
two (if both IP is set and ip_learning=dhcp. Sample output using
multiple static addresses below.
The same model can be applied to user-generated filters with:

do a series of checks using RETURN for acceptable packets
-j DROP

If the user filter does RETURN, it'll apply other tests as
well. If it does ACCEPT/DROP, it'll accept or drop despite
any other conditions. I'm not sure I see any need for other
tables here, though-- can you elaborate?
+-DLS


lab1.dls 226 # ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arpmac
-p ARP -j I-vnet0-arpip
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT 
-p IPv4 -j ACCEPT 
-p ARP -j ACCEPT 
-j DROP 

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p 0x8035 -j O-vnet0-rarp
-p IPv4 -j ACCEPT 
-p ARP -j ACCEPT 
-j DROP 

Bridge chain: I-vnet0-mac, entries: 1, policy: DROP
-s 54:0:0:0:0:1 -j RETURN 

Bridge chain: I-vnet0-ipv4, entries: 5, policy: DROP
-p IPv4 --ip-src 10.0.0.1 -j RETURN 
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-sport 68 -j RETURN 
-p IPv4 --ip-src 11.0.0.0/24 -j RETURN 
-p IPv4 --ip-src 10.0.0.3 -j RETURN 
-p IPv4 --ip-src 10.0.0.4 -j RETURN 

Bridge chain: O-vnet0-ipv4, entries: 1, policy: DROP
-j ACCEPT 

Bridge chain: I-vnet0-arpmac, entries: 1, policy: DROP
-p ARP --arp-mac-src 54:0:0:0:0:1 -j RETURN 

Bridge chain: I-vnet0-arpip, entries: 5, policy: DROP
-p ARP --arp-ip-src 10.0.0.1 -j RETURN 
-p ARP --arp-ip-src 0.0.0.0 -j RETURN 
-p ARP --arp-ip-src 11.0.0.0/24 -j RETURN 
-p ARP --arp-ip-src 10.0.0.3 -j RETURN 
-p ARP --arp-ip-src 10.0.0.4 -j RETURN 

Bridge chain: I-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -s 54:0:0:0:0:1 -d Broadcast --arp-op Request_Reverse 
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1 
--arp-mac-dst 54:0:0:0:0:1 -j ACCEPT 

Bridge chain: O-vnet0-rarp, entries: 1, policy: DROP
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 
--arp-ip-dst 0.0.0.0 --arp-mac-src 54:0:0:0:0:1 --arp-mac-dst 54:0:0:0:0:1 
-j ACCEPT 


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

Re: [libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

3 matches

Site Navigation

Mail list logo

Footer information