[PATCH V11 0/7] Add DHCP snooping support to nwfilter

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This series of patches adds DHCP snooping support to libvirt's
nwfilter subsystem.

DHCP snooping detects DHCP leases obtained by a VM and automatically
adjusts the network traffic filters to reflect the IP addresses
with which a VM may send its traffic, thus for example preventing
IP address spoofing.
Once leases on IP addresses expire or if a VM gives up on a
lease on an IP address, the filters are also adjusted.
All leases are persisted and automatically applied upon a VM's restart.
Leases are associated with the tuple of VM-UUID and interface MAC
address.

The following interface XML activates and uses the DHCP snooping:

    <interface type='bridge'>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='ip_learning' value='dhcp'/>
      </filterref>
    </interface>

Once an IP address has been detected on an interface, 'virsh dumpxml <vm>'
would show the IP address lease in the format <IP address>,<lease timeout
in seconds>:

    <interface type='bridge'>
      <source bridge='virbr0'/>
      <filterref filter='clean-traffic'>
        <parameter name='ip_learning' value='dhcp'/>
        <parameter name='IP_LEASE' value='192.168.122.210,180'/>
      </filterref>
    </interface>

Regards,
   David and Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]