Stefan Berger/Watson/IBM wrote on 05/11/2011 11:59:21 AM:

> Looking at patch 8 I would assume you need to store the IP leases you track
> into a file so you can handle the cases of libvirt restart while a VM is
> running. How does the DHCP snooping currently deal with libvirt restarts or a
> SIGHUP to libvirt?
> Both I believe are currently rebuilding all filters when libvirt restarts and
> on those interfaces where it is necessary the learning will again start up.

But the problem with that is a guest can circumvent the whole point of the filters by tricking it into allowing an address not officially assigned to it. With this patch set, the guest would have to recycle the interface to trigger another DHCP request/ACK, but saving in a lease file is a better idea; I'll look into that.

> > With DHCP snooping, only addresses acknowledged by a DHCP server can
> > be used by the guest, and only for the given lease time if the address lease
> > is not renewed.
>
> How do you treat VMs with statically configured interfaces? Are they
> permanently blocked from sending?

Just as with your learning code, if the IP variable is set, it'll use that as the static address in the filters (and not require DHCP).

+-DLS
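An added sketch, not code from this thread or from libvirt, of the lease-file idea discussed above: snooped DHCP ACKs are persisted with their expiry so that a daemon restart rebuilds filters from acknowledged leases instead of re-learning, and a static address bypasses DHCP tracking. The JSON file layout, the `LeaseStore` class and its method names, the interface name and the addresses are all assumptions made for illustration.

```python
import json
import os
import tempfile


class LeaseStore:
    """Snooped DHCP leases per interface: {ifname: {ip: expiry_epoch}} (hypothetical layout)."""

    def __init__(self, path):
        self.path = path
        self.leases = {}

    def ack(self, ifname, ip, lease_secs, now):
        # Record a DHCPACK seen from the server; a renewal overwrites the expiry.
        self.leases.setdefault(ifname, {})[ip] = now + lease_secs
        self.save()

    def save(self):
        # Write to a temp file, then rename, so a crash never leaves a torn lease file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(self.leases, f)
        os.replace(tmp, self.path)

    def load(self, now):
        # On restart: restore leases, dropping any that expired while the daemon was down.
        if not os.path.exists(self.path):
            return
        with open(self.path) as f:
            stored = json.load(f)
        self.leases = {
            ifname: {ip: exp for ip, exp in ips.items() if exp > now}
            for ifname, ips in stored.items()
        }

    def allowed(self, ifname, ip, now, static_ip=None):
        # A statically configured address replaces DHCP tracking for the interface.
        if static_ip is not None:
            return ip == static_ip
        return self.leases.get(ifname, {}).get(ip, 0) > now


def demo():
    # Constructed scenario: two ACKs at t=1000, then a simulated restart at t=1100.
    path = os.path.join(tempfile.mkdtemp(), "leases.json")
    before = LeaseStore(path)
    before.ack("vnet0", "192.0.2.10", lease_secs=600, now=1000)
    before.ack("vnet0", "192.0.2.11", lease_secs=60, now=1000)
    after = LeaseStore(path)
    after.load(now=1100)
    return after
```

After the simulated restart only the still-valid lease is honoured, so the guest gets no window in which an unacknowledged address could be learned.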