[libvirt] [libvirt PATCHv8 1/1] add DHCP snooping

2012-03-30 Thread David L Stevens
ive leases are saved in a lease file and reloaded on restart or HUP. Changes since v7: - renamed functions as suggested - collected local state into "virNWFilterSnoopState" struct - cleaned up include file list - misc code cleanups per review comments Signed-off-by: David L Stevens --- d

[libvirt] [libvirt PATCHv7 1/1] add DHCP snooping

2012-03-26 Thread David L Stevens
ive leases are saved in a lease file and reloaded on restart or HUP. Changes since v6: - replace pthread_cancel() with synchronous cancelation method Signed-off-by: David L Stevens --- docs/formatnwfilter.html.in| 17 + src/Makefile.am|2 + src/n

[libvirt] [libvirt PATCHv6 1/1] add DHCP snooping

2012-03-22 Thread David L Stevens
ive leases are saved in a lease file and reloaded on restart or HUP. Changes since v5: - use VMUUID+MAC to identify interfaces for leases - use direct pthread_cancel to kill snooper threads to avoid races with re-used host interfaces Signed-off-by: David L Stevens --- docs/formatnwfilter.html

[libvirt] [libvirt PATCHv5 2/2] add leasefile support

2011-11-10 Thread David L Stevens
This patch adds support for saving DHCP snooping leases to an on-disk file and restoring saved leases that are still active on restart. Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_dhcpsnoop.c | 270 + 1 files changed, 243 insertions

[libvirt] [libvirt PATCHv5 0/2] add DHCP Snooping support for libvirt

2011-11-10 Thread David L Stevens
). Differences from v4: - added documentation of "ip_learning" - added support for kill -HUP reloading - simplified lease file handling David L Stevens (2): add DHCP snooping add leasefile support docs/formatnwfilter.html.in | 17 + examples/xml/nwf

[libvirt] [libvirt PATCHv5 1/2] add DHCP snooping

2011-11-10 Thread David L Stevens
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens --- docs/formatnwfilter.html.in | 17 + examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 745

[libvirt] [libvirt PATCHv4 0/2] DHCP Snooping support for libvirt

2011-10-24 Thread David L Stevens
Differences from v3: removed support for multiple IP addresses. This version, like this existing code, allows only one IP address per interface. David L Stevens (2): add DHCP snooping add leasefile support examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am

[libvirt] [libvirt PATCHv4 1/2] add DHCP snooping

2011-10-24 Thread David L Stevens
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens --- examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 705 ++ src/nwfilter

[libvirt] [libvirt PATCHv4 2/2] add leasefile support

2011-10-24 Thread David L Stevens
This patch adds support for saving DHCP snooping leases to an on-disk file and restoring saved leases that are still active on restart. Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_dhcpsnoop.c | 312 - 1 files changed, 306 insertions

[libvirt] [libvirt PATCH] support continue/return targets in nwfilter

2011-10-18 Thread David L Stevens
This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 04bfa22..3e28806 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_con

[libvirt] [libvirt PATCHv3 02/10] allow required ARP packets

2011-10-12 Thread David L Stevens
removes the unnecessary check for arpop of request or reply. Signed-off-by: David L Stevens --- examples/xml/nwfilter/no-arp-spoofing.xml | 23 ++- 1 files changed, 2 insertions(+), 21 deletions(-) diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml

[libvirt] [libvirt PATCHv3 03/10] reverse sense of address matching

2011-10-12 Thread David L Stevens
chains that can check multiple MAC or IP addresses in any combination. This patch itself does not support multiple addresses via the MAC and IP variables, but only changes the form of the rules to allow multiple addresses in the future. Signed-off-by: David L Stevens --- examples/xml/nwfilter/Makefil

[libvirt] [libvirt PATCHv3 09/10] add leasefile support

2011-10-12 Thread David L Stevens
This patch adds support for saving DHCP snooping leases to an on-disk file and restoring saved leases that are still active on restart. Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_dhcpsnoop.c | 370 +++-- 1 files changed, 353 insertions

[libvirt] [libvirt PATCHv3 00/10] DHCP snooping support for libvirt

2011-10-12 Thread David L Stevens
Differences from v2: added support for multiple static IP addresses using a comma-separated list. David L Stevens (10): support continue/return allow required ARP packets reverse sense of address matching make default chain policy "DROP" allow chain modifi

[libvirt] [libvirt PATCHv3 06/10] support addRules

2011-10-12 Thread David L Stevens
This patch adds the capability of adding individual rules to existing chains. Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.h |6 ++ src/nwfilter/nwfilter_ebiptables_driver.c | 73 + 2 files changed, 79 insertions(+), 0 deletions

[libvirt] [libvirt PATCHv3 10/10] support multiple static IP addresses

2011-10-12 Thread David L Stevens
This patch adds support for multiple static IP addresses in a comma-separated list. For example: ... Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_gentech_driver.c | 26 ++ 1 files changed, 26 insertions

[libvirt] [libvirt PATCHv3 05/10] allow chain modification

2011-10-12 Thread David L Stevens
., instantiate only when a given variable is present in a filter, or only when it is not). Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.h |4 +- src/nwfilter/nwfilter_ebiptables_driver.c | 93 + src/nwfilter/nwfilter_gentech_driver.c

[libvirt] [libvirt PATCHv3 04/10] make default chain policy "DROP"

2011-10-12 Thread David L Stevens
This patch simplifies the table rules by setting the protocol chains policy to be "DROP" and removes the explicit "-j DROP" entries that the protocol rules had previously. It also makes "no-other-rarp-traffic.xml" obsolete. Signed-off-by: David L Steve

[libvirt] [libvirt PATCHv3 07/10] support variable value changing

2011-10-12 Thread David L Stevens
ach of the different values. These rules can later be removed by calling this function with the same variable and value and "delete" argument set to "1". Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_gentech_driver.c | 86 src/nwfi

[libvirt] [libvirt PATCHv3 01/10] support continue/return

2011-10-12 Thread David L Stevens
This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.c |8 ++-- src/conf/nwfilter_conf.h |2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/conf/n

[libvirt] [libvirt PATCHv3 08/10] add DHCP snooping

2011-10-12 Thread David L Stevens
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens --- examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 602 ++ src/nwfilter

[libvirt] [RFC PATCHv2 9/9] add leasefile support

2011-10-05 Thread David L Stevens
This patch adds support for saving DHCP snooping leases to an on-disk file and restoring saved leases that are still active on restart. Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_dhcpsnoop.c | 370 +++-- 1 files changed, 353 insertions

[libvirt] [RFC PATCHv2 6/9] support addRules

2011-10-05 Thread David L Stevens
This patch adds the capability of adding individual rules to existing chains. Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.h |6 ++ src/nwfilter/nwfilter_ebiptables_driver.c | 73 + 2 files changed, 79 insertions(+), 0 deletions

[libvirt] [RFC PATCHv2 5/9] allow chain modification

2011-10-05 Thread David L Stevens
., instantiate only when a given variable is present in a filter, or only when it is not). Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.h |4 +- src/nwfilter/nwfilter_ebiptables_driver.c | 93 + src/nwfilter/nwfilter_gentech_driver.c

[libvirt] [RFC PATCHv2 1/9] support continue/return

2011-10-05 Thread David L Stevens
This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens --- src/conf/nwfilter_conf.c |8 ++-- src/conf/nwfilter_conf.h |2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/conf/n

[libvirt] [RFC PATCHv2 7/9] support variable value changing

2011-10-05 Thread David L Stevens
ach of the different values. These rules can later be removed by calling this function with the same variable and value and "delete" argument set to "1". Signed-off-by: David L Stevens --- src/nwfilter/nwfilter_gentech_driver.c | 86 src/nwfi

[libvirt] [RFC PATCHv2 8/9] add DHCP snooping

2011-10-05 Thread David L Stevens
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens --- examples/xml/nwfilter/no-ip-spoofing.xml |5 + src/Makefile.am |2 + src/nwfilter/nwfilter_dhcpsnoop.c| 602 ++ src/nwfilter

[libvirt] [RFC PATCHv2 2/9] allow required ARP packets

2011-10-05 Thread David L Stevens
removes the unnecessary check for arpop of request or reply. Signed-off-by: David L Stevens --- examples/xml/nwfilter/no-arp-spoofing.xml | 23 ++- 1 files changed, 2 insertions(+), 21 deletions(-) diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml

[libvirt] [RFC PATCHv2 4/9] make default chain policy "DROP"

2011-10-05 Thread David L Stevens
This patch simplifies the table rules by setting the protocol chains policy to be "DROP" and removes the explicit "-j DROP" entries that the protocol rules had previously. It also makes "no-other-rarp-traffic.xml" obsolete. Signed-off-by: David L Steve

[libvirt] [RFC PATCHv2 3/9] reverse sense of address matching

2011-10-05 Thread David L Stevens
chains that can check multiple MAC or IP addresses in any combination. This patch itself does not support multiple addresses via the MAC and IP variables, but only changes the form of the rules to allow multiple addresses in the future. Signed-off-by: David L Stevens --- examples/xml/nwfilter/Makefil

[libvirt] [RFC PATCHv2 0/9] DHCP snooping support for libvirt.

2011-10-05 Thread David L Stevens
"none" (static only addresses) or "DHCP" (DHCP Snooping). This code does not (yet) support passing lease information across a migration. A migrated guest requires a DHCP ACK (e.g., via ifdown/ifup on the guest) to send/receive traffic for DHCP-learned addresses after a mi

[libvirt] [PATCH 8/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
This patch adds DHCP Snooping support to libvirt. Signed-off-by: David L Stevens diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml index 2fccd12..2ae9500 100644 --- a/examples/xml/nwfilter/no-ip-spoofing.xml +++ b/examples/xml/nwfilter/no-ip

[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH 7/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
ach of the different values. These rules can later be removed by calling this function with the same variable and value and "delete" argument set to "1". Signed-off-by: David L Stevens diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c

[libvirt] [PATCH 9/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
This patch removes remaining pieces of IP address learning. diff --git a/src/Makefile.am b/src/Makefile.am index 3da0797..53cdc00 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -389,9 +389,7 @@ NWFILTER_DRIVER_SOURCES = \ nwfilter/nwfilter_

[libvirt] [PATCH 6/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
This patch adds the capability of adding individual rules to existing chains. Signed-off-by: David L Stevens diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 25f7b60..4b6759a 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -532,6 +532,11 @@ typedef

[libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
This patch simplifies the table rules by setting the protocol chains policy to be "DROP" and removes the explicit "-j DROP" entries that the protocol rules had previously. It also makes "no-other-rarp-traffic.xml" obsolete. Signed-off-by: David L Stevens diff

[libvirt] [PATCH 5/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
only when a given variable is present in a filter, or only when it is not). Signed-off-by: David L Stevens diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 72bdade..25f7b60 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -517,7 +517,9 @@ typedef int

[libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
chains that can check multiple MAC or IP addresses in any combination. This patch itself does not support multiple addresses via the MAC and IP variables, but only changes the form of the rules to allow multiple addresses in the future. Signed-off-by: David L Stevens diff --git a/examples/xml/nwfil

[libvirt] [PATCH 2/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
arpop of request or reply. Signed-off-by: David L Stevens diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml index c6c858d..fdd4e60 100644 --- a/examples/xml/nwfilter/no-arp-spoofing.xml +++ b/examples/xml/nwfilter/no-arp-spoofing.xml @@ -12,21

[libvirt] [PATCH 0/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
The following series of patches replaces IP address learning in network filtering with DHCP snooping. The existing address learning capability does not provide security since it relies on addresses used in initial packets sent by the guest to determine an IP address. A spoofing guest can s

[libvirt] [PATCH 1/9] add DHCP snooping support to nwfilter

2011-05-09 Thread David L Stevens
This patch adds support for "continue" and "return" actions in filter rules. Signed-off-by: David L Stevens diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 13b5b38..6a15f04 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_con