nwfilter: let qemu's after-migration packet pass
Qemu currently sends an Ethernet packet with protocol ID 0x835 once a VM has been successfully migrated. The content of the packet looks like a gratuitous RARP, just with the wrong protocol ID, which should be 0x8035. I wrote some filters to let either one of the packets pass and am adapting the clean-traffic sample filter to use them. I am also making some changes to the existing ARP filter, which was lacking a test for the source MAC address.
This commit is contained in:
parent
71f99af5a4
commit
ed7813d28d
@ -11,7 +11,10 @@ FILTERS = \
|
||||
no-ip-spoofing.xml \
|
||||
no-mac-broadcast.xml \
|
||||
no-mac-spoofing.xml \
|
||||
no-other-l2-traffic.xml
|
||||
no-other-l2-traffic.xml \
|
||||
no-other-rarp-traffic.xml \
|
||||
qemu-announce-self.xml \
|
||||
qemu-announce-self-rarp.xml
|
||||
|
||||
EXTRA_DIST=$(FILTERS)
|
||||
|
||||
|
@ -14,4 +14,7 @@
|
||||
<!-- preventing any other traffic than IPv4 and ARP -->
|
||||
<filterref filter='no-other-l2-traffic'/>
|
||||
|
||||
<!-- allow qemu to send a self-announce upon migration end -->
|
||||
<filterref filter='qemu-announce-self'/>
|
||||
|
||||
</filter>
|
||||
|
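Review bot: The context comment "preventing any other traffic than IPv4 and ARP" directly above the new filterref is no longer accurate once qemu-announce-self is referenced, since that filter lets outbound ethertype 0x835 and the RARP announce through. Whether the new accept rule actually takes effect before the drop in no-other-l2-traffic depends on the rules' priorities (both filters are in the root chain), not on the order of the two filterref lines; no-other-l2-traffic is not in this diff, so that ordering cannot be confirmed here. Suggest expanding the new comment to `<!-- allow qemu's self-announce (RARP, currently ethertype 0x835) after migration; it must be ordered before the no-other-l2-traffic drop by rule priority, not by filterref order -->`. The enclosing `<filter>` element starts outside this hunk.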
@ -1,27 +1,30 @@
|
||||
<filter name='no-arp-spoofing' chain='arp'>
|
||||
<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
|
||||
<rule action='drop' direction='out' priority='300' >
|
||||
<mac match='no' srcmacaddr='$MAC'/>
|
||||
</rule>
|
||||
|
||||
<!-- no arp spoofing -->
|
||||
<!-- drop if ipaddr or macaddr does not belong to guest -->
|
||||
<rule action='drop' direction='out' priority='400' >
|
||||
<rule action='drop' direction='out' priority='350' >
|
||||
<arp match='no' arpsrcmacaddr='$MAC'/>
|
||||
</rule>
|
||||
<rule action='drop' direction='out' priority='400' >
|
||||
<arp match='no' arpsrcipaddr='$IP' />
|
||||
</rule>
|
||||
<!-- drop if ipaddr or macaddr odes not belong to guest -->
|
||||
<rule action='drop' direction='in' priority='400' >
|
||||
<rule action='drop' direction='in' priority='450' >
|
||||
<arp match='no' arpdstmacaddr='$MAC'/>
|
||||
<arp opcode='reply'/>
|
||||
</rule>
|
||||
<rule action='drop' direction='in' priority='400' >
|
||||
<rule action='drop' direction='in' priority='500' >
|
||||
<arp match='no' arpdstipaddr='$IP' />
|
||||
</rule>
|
||||
<!-- accept only request or reply packets -->
|
||||
<rule action='accept' direction='inout' priority='500' >
|
||||
<rule action='accept' direction='inout' priority='600' >
|
||||
<arp opcode='request'/>
|
||||
</rule>
|
||||
<rule action='accept' direction='inout' priority='500' >
|
||||
<rule action='accept' direction='inout' priority='650' >
|
||||
<arp opcode='reply'/>
|
||||
</rule>
|
||||
<!-- drop everything else -->
|
||||
|
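Review bot: The new rule at priority 300, `<mac match='no' srcmacaddr='$MAC'/>`, is the only rule in this filter without a comment, and it re-checks the Ethernet source MAC inside the arp chain, which no-mac-spoofing presumably already enforces in the root chain (that file is not in this diff). If the duplication is deliberate so that no-arp-spoofing stays safe when used on its own, say so: `<!-- drop ARP frames whose Ethernet source MAC is not the guest's, independent of no-mac-spoofing -->`. The priority renumbering (350/400/450/500/600/650) keeps the outbound source checks ahead of the inbound target checks and the accepts, which reads correctly. The filter's final drop-everything-else rule lies outside this hunk.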
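--- /dev/null
+++ b/examples/xml/nwfilter/no-other-rarp-traffic.xml
@@ -0,0 +1,3 @@
+<filter name='no-other-rarp-traffic' chain='rarp'>
+<rule action='drop' direction='inout' priority='1000'/>
+</filter>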
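Review bot: This drop-all filter in the rarp chain works only because its priority 1000 sorts it after the priority 500 accepts in qemu-announce-self-rarp, and nothing in the file says so. A reader who reuses it with a filter whose accept rules carry a higher priority gets a silent drop of the announce. Suggest a comment above the rule: `<!-- drop any RARP traffic not explicitly accepted by an earlier (lower-priority-number) rule in the rarp chain -->`.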
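--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self-rarp.xml
@@ -0,0 +1,14 @@
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+<rule action='accept' direction='out' priority='500'>
+<rarp opcode='Request_Reverse'
+srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+</rule>
+<rule action='accept' direction='in' priority='500'>
+<rarp opcode='Request_Reverse'
+dstmacaddr='ff:ff:ff:ff:ff:ff'
+arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+</rule>
+</filter>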
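Review bot: The inbound rule has no comment explaining why a RARP frame carrying the guest's own MAC as both sender and target hardware address should be accepted from the network, and unlike the outbound rule it does not pin `srcmacaddr='$MAC'` on the Ethernet header, so any source MAC may deliver it. If the intent is only to pass the guest's own broadcast announce back to it, adding `srcmacaddr='$MAC'` to the inbound `<rarp>` makes the two rules symmetric and narrows what another endpoint on the bridge can inject; if the intent is to accept such an announce from a different source, that should be stated. Suggested comment above the second rule: `<!-- inbound: the guest's own self-announce as seen from the network; sender and target HW address must still be $MAC -->`. The outbound rule itself is tight (source MAC, broadcast destination, both hardware addresses and both 0.0.0.0 protocol addresses pinned), which is the right shape.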
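--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -0,0 +1,13 @@
+<filter name='qemu-announce-self' chain='root'>
+<!-- as of 4/26/2010 qemu sends out a bogus packet with
+wrong rarp protocol ID -->
+<!-- accept what is being sent now -->
+<rule action='accept' direction='out'>
+<mac protocolid='0x835'/>
+</rule>
+
+<!-- accept if it was changed to rarp -->
+<filterref filter='qemu-announce-self-rarp'/>
+<filterref filter='no-other-rarp-traffic'/>
+
+</filter>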
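Review bot: The accept rule `<mac protocolid='0x835'/>` matches on nothing but the ethertype, so every outbound frame the guest tags with 0x835 passes regardless of its source MAC or payload, whereas the RARP variant in qemu-announce-self-rarp pins the source MAC, the broadcast destination and all four ARP fields. At minimum the Ethernet source should be constrained the same way, `<mac protocolid='0x835' srcmacaddr='$MAC'/>`, so a guest cannot use this ethertype to emit frames with a forged source address that the other clean-traffic filters would otherwise drop; the payload cannot be inspected for a non-standard ethertype, so the comment should say this is a deliberately loose, temporary rule to be removed once qemu emits a proper 0x8035 RARP. The rule also carries no explicit priority while every other rule in this commit does; since this filter lives in the root chain next to no-other-l2-traffic's drop, the default priority it relies on is worth spelling out.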