authorStefan Berger <stefanb@us.ibm.com>2010-04-27 14:50:35 -0400
committerStefan Berger <stefanb@us.ibm.com>2010-04-27 14:50:35 -0400
commited7813d28d45c8bf591d1567a8c7ea678b627958 (patch)
tree1b9d7c65036a690ddf88429cefd7848bf479568f
parentFix up the error message if we can't parse the snapshot XML. (diff)
nwfilter: let qemu's after-migration packet pass
Qemu currently sends an Ethernet packet with protocol ID 0x835 once a VM has been successfully migrated. The content of the packet looks like a gratuitous RARP, just with the wrong protocol ID, which should be 0x8035. I wrote some filters to let either one of the packets pass and am adapting the clean-traffic sample filter to use them. I am also making some changes to the existing ARP filter, which was lacking a test of the Ethernet source MAC address.
-rw-r--r--examples/xml/nwfilter/Makefile.am5
-rw-r--r--examples/xml/nwfilter/clean-traffic.xml3
-rw-r--r--examples/xml/nwfilter/no-arp-spoofing.xml13
-rw-r--r--examples/xml/nwfilter/no-other-rarp-traffic.xml3
-rw-r--r--examples/xml/nwfilter/qemu-announce-self-rarp.xml14
-rw-r--r--examples/xml/nwfilter/qemu-announce-self.xml13
6 files changed, 45 insertions, 6 deletions
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 54a7aae65..439e7b885 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -11,7 +11,10 @@ FILTERS = \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
- no-other-l2-traffic.xml
+ no-other-l2-traffic.xml \
+ no-other-rarp-traffic.xml \
+ qemu-announce-self.xml \
+ qemu-announce-self-rarp.xml
EXTRA_DIST=$(FILTERS)
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
index 2cc7df983..40f0ecbfa 100644
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -14,4 +14,7 @@
<!-- preventing any other traffic than IPv4 and ARP -->
<filterref filter='no-other-l2-traffic'/>
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
</filter>
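Review bot: The comment on the new filterref reads as if placing it after no-other-l2-traffic is what lets the announce through, but as far as I understand the nwfilter model, rules from referenced filters are merged into the root chain and sequenced by their priority attribute, not by the position of the filterref. The accept rule in qemu-announce-self carries no priority, so it presumably takes the default and sorts before a priority-1000 catch-all drop; I would state that dependency explicitly, e.g. `<!-- allow qemu's post-migration self-announce; relies on its rule priority sorting before the catch-all drop in no-other-l2-traffic -->`. Since that accept rule matches on ethertype alone, it is also worth confirming that any no-mac-spoofing drop referenced above this hunk (not visible here) sorts before it, or the spoofing check is bypassed for 0x835 frames.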
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index b49e781be..c6c858dad 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,27 +1,30 @@
<filter name='no-arp-spoofing' chain='arp'>
<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+ <rule action='drop' direction='out' priority='300' >
+ <mac match='no' srcmacaddr='$MAC'/>
+ </rule>
<!-- no arp spoofing -->
<!-- drop if ipaddr or macaddr does not belong to guest -->
- <rule action='drop' direction='out' priority='400' >
+ <rule action='drop' direction='out' priority='350' >
<arp match='no' arpsrcmacaddr='$MAC'/>
</rule>
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
<!-- drop if ipaddr or macaddr odes not belong to guest -->
- <rule action='drop' direction='in' priority='400' >
+ <rule action='drop' direction='in' priority='450' >
<arp match='no' arpdstmacaddr='$MAC'/>
<arp opcode='reply'/>
</rule>
- <rule action='drop' direction='in' priority='400' >
+ <rule action='drop' direction='in' priority='500' >
<arp match='no' arpdstipaddr='$IP' />
</rule>
<!-- accept only request or reply packets -->
- <rule action='accept' direction='inout' priority='500' >
+ <rule action='accept' direction='inout' priority='600' >
<arp opcode='request'/>
</rule>
- <rule action='accept' direction='inout' priority='500' >
+ <rule action='accept' direction='inout' priority='650' >
<arp opcode='reply'/>
</rule>
<!-- drop everything else -->
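Review bot: The new priority-300 rule drops outbound ARP frames whose Ethernet source MAC is not the guest's, but it sits directly above a comment that describes the two rules after it, so a reader can take "drop if ipaddr or macaddr does not belong to guest" as covering all three; give it its own comment, e.g. `<!-- drop outbound ARP frames whose Ethernet source MAC is not the guest's (the next rule checks the ARP sender hardware address) -->`. The check is direction='out' only, so inbound ARP is still accepted from any Ethernet source; that is unavoidable for broadcast requests but could be stated so nobody later "tightens" it. The renumbering of the existing priorities (350/450/500/600/650) keeps the previous relative order as far as I can see, so it introduces no behavioural change beyond the new rule. The unchanged comment in this hunk still reads "odes" for "does".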
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
new file mode 100644
index 000000000..7729996ec
--- /dev/null
+++ b/examples/xml/nwfilter/no-other-rarp-traffic.xml
@@ -0,0 +1,3 @@
+<filter name='no-other-rarp-traffic' chain='rarp'>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
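Review bot: The catch-all drop at priority 1000 carries no comment, unlike the equivalent rule in no-arp-spoofing, so nothing tells the reader it is meant to run after the priority-500 accept rules of qemu-announce-self-rarp; add a one-liner such as `<!-- drop any RARP traffic not accepted by a lower-numbered rule in the rarp chain -->`. It would also help to say that this filter is intended to be paired with qemu-announce-self-rarp (as qemu-announce-self does) rather than used alone, if that is the intent.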
diff --git a/examples/xml/nwfilter/qemu-announce-self-rarp.xml b/examples/xml/nwfilter/qemu-announce-self-rarp.xml
new file mode 100644
index 000000000..b7a848ad0
--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self-rarp.xml
@@ -0,0 +1,14 @@
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp opcode='Request_Reverse'
+ srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp opcode='Request_Reverse'
+ dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
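Review bot: The inbound rule constrains the ARP sender and target hardware addresses to $MAC but, unlike the outbound rule, leaves the Ethernet srcmacaddr unconstrained, so any station on the segment can deliver a RARP Request_Reverse naming the guest's MAC to the guest. If the purpose is only to let the guest's own announce come back (e.g. reflected by the bridge), adding `srcmacaddr='$MAC'` to the inbound rule closes that gap; if inbound RARP about the guest's MAC is genuinely needed from other sources, a comment should say why. Either way the file lacks any comment stating what the two rules admit; I would add `<!-- accept only the gratuitous RARP qemu emits after migration: sender and target hw address are the guest's, both IPs 0.0.0.0 -->`.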
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
new file mode 100644
index 000000000..352db500d
--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -0,0 +1,13 @@
+<filter name='qemu-announce-self' chain='root'>
+ <!-- as of 4/26/2010 qemu sends out a bogus packet with
+ wrong rarp protocol ID -->
+ <!-- accept what is being sent now -->
+ <rule action='accept' direction='out'>
+ <mac protocolid='0x835'/>
+ </rule>
+
+ <!-- accept if it was changed to rarp -->
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+
+</filter>
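Review bot: The accept rule for ethertype 0x835 matches on the protocol ID alone, with no srcmacaddr='$MAC', whereas the RARP twin pins the source MAC; on its own this filter lets the guest emit 0x835 frames with any source address and any payload. Since the frame cannot be parsed as RARP under that ethertype there is nothing more in the payload to match on, but the source MAC can be pinned: `<mac protocolid='0x835' srcmacaddr='$MAC'/>`. Whether a no-mac-spoofing rule would catch it when both are referenced from clean-traffic depends on relative priorities I cannot see, so constraining it here is the safer choice. I would also replace the "4/26/2010" date with an ISO form and say the rule is temporary, e.g. `<!-- as of 2010-04-26 qemu sends its post-migration announce with ethertype 0x835 instead of RARP's 0x8035; remove this rule once qemu is fixed -->`.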