This patch enables filtering of gratuitous ARP packets using the
following XML:
<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
docs/formatnwfilter.html.in | 6 ++++++
docs/schemas/nwfilter.rng | 16 ++++++++++++++++
examples/xml/nwfilter/no-arp-spoofing.xml | 6 +++++-
src/conf/nwfilter_conf.c | 23 +++++++++++++++++++++++
src/conf/nwfilter_conf.h | 5 ++++-
src/nwfilter/nwfilter_ebiptables_driver.c | 7 +++++++
tests/nwfilterxml2xmlin/arp-test.xml | 4 ++++
tests/nwfilterxml2xmlout/arp-test.xml | 3 +++
8 files changed, 68 insertions(+), 2 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -970,6 +970,10 @@ static const virXMLAttr2Struct arpAttrib
.name = ARPDSTIPADDR,
.datatype = DATATYPE_IPADDR,
.dataIdx = offsetof(virNWFilterRuleDef,
p.arpHdrFilter.dataARPDstIPAddr),
+ }, {
+ .name = "gratuitous",
+ .datatype = DATATYPE_BOOLEAN,
+ .dataIdx = offsetof(virNWFilterRuleDef,
p.arpHdrFilter.dataGratuitousARP),
},
COMMENT_PROP(arpHdrFilter),
{
@@ -1611,6 +1615,18 @@ virNWFilterRuleDetailsParse(xmlNodePtr n
found = 1;
break;
+ case DATATYPE_BOOLEAN:
+ if (STREQ(prop, "true") ||
+ STREQ(prop, "1") ||
+ STREQ(prop, "yes"))
+ item->u.boolean = true;
+ else
+ item->u.boolean = false;
+
+ data.ui = item->u.boolean;
+ found = 1;
+ break;
+
case DATATYPE_LAST:
default:
break;
@@ -2744,6 +2760,13 @@ virNWFilterRuleDefDetailsFormat(virBuffe
virBufferEscapeString(buf, "%s", item->u.string);
break;
+ case DATATYPE_BOOLEAN:
+ if (item->u.boolean == true)
+ virBufferAddLit(buf, "true");
+ else
+ virBufferAddLit(buf, "false");
+ break;
+
case DATATYPE_STRING:
default:
virBufferAsprintf(buf,
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -97,8 +97,9 @@ enum attrDatatype {
DATATYPE_IPV6ADDR = (1 << 9),
DATATYPE_IPV6MASK = (1 << 10),
DATATYPE_STRINGCOPY = (1 << 11),
+ DATATYPE_BOOLEAN = (1 << 12),
- DATATYPE_LAST = (1 << 12),
+ DATATYPE_LAST = (1 << 13),
};
@@ -118,6 +119,7 @@ struct _nwItemDesc {
union {
nwMACAddress macaddr;
virSocketAddr ipaddr;
+ bool boolean;
uint8_t u8;
uint16_t u16;
char protocolID[10];
@@ -160,6 +162,7 @@ struct _arpHdrFilterDef {
nwItemDesc dataARPSrcIPAddr;
nwItemDesc dataARPDstMACAddr;
nwItemDesc dataARPDstIPAddr;
+ nwItemDesc dataGratuitousARP;
nwItemDesc dataComment;
};
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -581,6 +581,11 @@
<ref name="uint16range"/>
</attribute>
</optional>
+ <optional>
+ <attribute name="gratuitous">
+ <ref name="boolean"/>
+ </attribute>
+ </optional>
</interleave>
</define>
@@ -784,6 +789,17 @@
</choice>
</define>
+ <define name="boolean">
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ <value>true</value>
+ <value>false</value>
+ <value>1</value>
+ <value>0</value>
+ </choice>
+ </define>
+
<define name="arpOpcodeType">
<choice>
<!-- variable -->
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2033,6 +2033,13 @@ ebtablesCreateRuleInstance(char chainPre
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr),
macaddr);
}
+
+ if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
+ rule->p.arpHdrFilter.dataGratuitousARP.u.boolean == true) {
+ virBufferAsprintf(&buf,
+ " %s --arp-gratuitous",
+
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP));
+ }
break;
case VIR_NWFILTER_RULE_PROTOCOL_IP:
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/no-arp-spoofing.xml
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,7 +12,11 @@
<rule action='drop' direction='out' priority='400' >
<arp match='no' arpsrcipaddr='$IP' />
</rule>
- <!-- drop if ipaddr or macaddr odes not belong to guest -->
+ <!-- allow gratuitous arp -->
+ <rule action='accept' direction='in' priority='425'>
+ <arp gratuitous='true'/>
+ </rule>
+ <!-- drop if ipaddr or macaddr does not belong to guest -->
<rule action='drop' direction='in' priority='450' >
<arp match='no' arpdstmacaddr='$MAC'/>
<arp opcode='reply'/>
Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -321,6 +321,7 @@
<li>IPV6_ADDR: IPv6 address in numbers format, i.e., FFFF::1</li>
<li>IPV6_MASK: IPv6 mask in numbers format (FFFF:FFFF:FC00::) or CIDR
mask (0-128)</li>
<li>STRING: A string</li>
+ <li>BOOLEAN: 'true', 'yes', '1' or 'false', 'no', '0'</li>
</ul>
<p>
<br/><br/>
@@ -476,6 +477,11 @@
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
+ <tr>
+ <td>gratuitous <span class="since">(Since 0.9.2)</span></td>
+ <td>BOOLEAN</td>
+ <td>boolean indicating whether to check for gratuitous ARP packet</td>
+ </tr>
</table>
<p>
Valid strings for the <code>Opcode</code> field are:
Index: libvirt-acl/tests/nwfilterxml2xmlin/arp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlin/arp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlin/arp-test.xml
@@ -30,4 +30,8 @@
<arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
opcode='65536' hwtype='65536' protocoltype='65536' />
</rule>
+
+ <rule action='accept' direction='in'>
+ <arp gratuitous='true'/>
+ </rule>
</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/arp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlout/arp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlout/arp-test.xml
@@ -15,4 +15,7 @@
<rule action='accept' direction='out' priority='500'>
<arp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff'/>
</rule>
+ <rule action='accept' direction='in' priority='500'>
+ <arp gratuitous='true'/>
+ </rule>
</filter>
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list