On 04/16/2012 11:08 AM, Stefan Berger wrote:
This patch adds DHCP snooping support to libvirt. The learning method for IP addresses is specified by setting the "ip_learning" variable to one of "any" [default] (existing IP learning code), "none" (static only addresses) or "dhcp" (DHCP snooping).
Unfortunately this patch needs yet another revision. Its usage of the pcap library did not allow one to determine whether the captured packets were sent by the VM or going towards the VM, which in turn would allow the VM to send for example DHCPACK messages with bogus leases and with that let it acquire spoofed addresses. Also at the point of capture, the packets were not filtered, yet. So, the new revision uses two pcap handles, one capturing packets in incoming direction and one in outgoing direction which then in turn allows testing of MAC addresses in headers and whether the different DHCP messages were sent in the appropriate direction and with this enabling the filtering of for example (spoofed) DHCPACKs sent by the VM. Testing this now...
Stefan -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list