The ARP protocol requires processing of packets that may not be explicitly addressed to a host and only defines request and reply. This patch removes the filtering of ARP requests not explicitly addressed to a VM to allow for proper ARP cache updates for entries based on any traffic and removes the unnecessary check for arpop of request or reply.

Signed-off-by: David L Stevens <dlstevens@xxxxxxxxxx>
---
 examples/xml/nwfilter/no-arp-spoofing.xml | 23 ++---------------------
 1 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index 96c58c1..3c83acd 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,25 +12,6 @@
 <rule action='drop' direction='out' priority='400' >
 <arp match='no' arpsrcipaddr='$IP' />
 </rule>
-<!-- allow gratuitous arp -->
-<rule action='accept' direction='in' priority='425'>
-<arp gratuitous='true'/>
-</rule>
-<!-- drop if ipaddr or macaddr does not belong to guest -->
-<rule action='drop' direction='in' priority='450' >
-<arp match='no' arpdstmacaddr='$MAC'/>
-<arp opcode='reply'/>
-</rule>
-<rule action='drop' direction='in' priority='500' >
-<arp match='no' arpdstipaddr='$IP' />
-</rule>
-<!-- accept only request or reply packets -->
-<rule action='accept' direction='inout' priority='600' >
-<arp opcode='request'/>
-</rule>
-<rule action='accept' direction='inout' priority='650' >
-<arp opcode='reply'/>
-</rule>
-<!-- drop everything else -->
-<rule action='drop' direction='inout' priority='1000' />
+<!-- allow everything else -->
+<rule action='accept' direction='in' priority='425' />
 </filter>
-- 
1.7.6.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
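Review bot: The replacement rule `<rule action='accept' direction='in' priority='425' />` is inbound-only, while the catch-all it replaces was `direction='inout'`, so outbound ARP that passes the `arpsrcipaddr='$IP'` drop at priority 400 (and any outbound drop rules above the hunk, which are not visible here) no longer hits an explicit terminal rule in this filter and its fate depends on the chain's default handling, which the hunk does not show. If the intent is that all remaining traffic in both directions is accepted, `<rule action='accept' direction='inout' priority='425' />` says so explicitly and also makes the comment `<!-- allow everything else -->` accurate, since as written the comment overstates what an inbound-only rule does. The commit message names the removal of the inbound destination-address filtering and the opcode check, but the hunk also drops the priority-450 rule that discarded inbound replies whose `arpdstmacaddr` is not `$MAC`; since this example is the file people copy as their anti-spoofing baseline, it is worth stating that removal in the description so readers know which protections remain (the outbound source-MAC/IP drops) and which were intentionally given up.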