]> git.ipfire.org Git - thirdparty/libvirt.git/commit
projects / thirdparty / libvirt.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 46b2caf) | patch
nwfilter: accept broadcasted DHCP replies in DHCP snooping code
authorStefan Berger <stefanb@linux.vnet.ibm.com>
Thu, 30 Aug 2012 18:29:50 +0000 (14:29 -0400)
committerDaniel Veillard <veillard@redhat.com>
Fri, 31 Aug 2012 03:41:26 +0000 (11:41 +0800)
commitc828a746fae02095ae54162d235c8e7396c45bf9
tree76417f2637ebaa49fbf3fdf69f146806fa3fe0batree
parent46b2cafb25e5241e0bbe0a802ae6b98ea9e6ab14commit | diff
nwfilter: accept broadcasted DHCP replies in DHCP snooping code

Some DHCP servers send their DHCP replies to the broadcast MAC address
rather than to the MAC address of the VM. The existing DHCP snooping
code assumes that the reply always goes to the MAC address of the VM
thus filtering the traffic of some DHCP servers' replies.

The below patch adapts the code to

1) filter DHCP replies by comparing the MAC address in the reply against
   the MAC address of the VM (held in the snoop request)

2) adapts the pcap filter for traffic towards the VM to accept DHCP replies
   sent to any MAC address; for further filtering we rely on 1)

3) creates initial rules that are active while waiting for DHCP replies;
   these rules now accept DHCP replies to the VM's MAC address or to the
   MAC broadcast address
src/nwfilter/nwfilter_dhcpsnoop.c diff | blob | blame | history
src/nwfilter/nwfilter_ebiptables_driver.c diff | blob | blame | history
Mirror of https://github.com/libvirt/libvirt.git