[libvirt PATCHv3 02/10] allow required ARP packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



	The ARP protocol requires processing of packets that may not be
explicitly addressed to a host and only defines request and reply. This patch
removes the filtering of ARP requests not explicitly addressed to a VM to allow
for proper ARP cache updates for entries based on any traffic and removes the
unnecessary check for arpop of request or reply.

Signed-off-by: David L Stevens <dlstevens@xxxxxxxxxx>
---
 examples/xml/nwfilter/no-arp-spoofing.xml |   23 ++---------------------
 1 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index 96c58c1..3c83acd 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -12,25 +12,6 @@
    <rule action='drop' direction='out' priority='400' >
        <arp match='no' arpsrcipaddr='$IP' />
    </rule>
-   <!-- allow gratuitous arp -->
-   <rule action='accept' direction='in' priority='425'>
-       <arp gratuitous='true'/>
-   </rule>
-   <!-- drop if ipaddr or macaddr does not belong to guest -->
-   <rule action='drop' direction='in' priority='450' >
-       <arp match='no' arpdstmacaddr='$MAC'/>
-       <arp opcode='reply'/>
-   </rule>
-   <rule action='drop' direction='in' priority='500' >
-       <arp match='no' arpdstipaddr='$IP' />
-   </rule>
-   <!-- accept only request or reply packets -->
-   <rule action='accept' direction='inout' priority='600' >
-       <arp opcode='request'/>
-   </rule>
-   <rule action='accept' direction='inout' priority='650' >
-       <arp opcode='reply'/>
-   </rule>
-   <!-- drop everything else -->
-   <rule action='drop' direction='inout' priority='1000' />
+   <!-- allow everything else -->
+   <rule action='accept' direction='in' priority='425' />
 </filter>
-- 
1.7.6.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]