nwfilter: enable filtering of gratuitous ARP packets

This patch enables filtering of gratuitous ARP packets using the following XML:

<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>

docs/formatnwfilter.html.in

@@ -321,6 +321,7 @@
      <li>IPV6_ADDR: IPv6 address in numbers format, i.e., FFFF::1</li>
      <li>IPV6_MASK: IPv6 mask in numbers format (FFFF:FFFF:FC00::) or CIDR mask (0-128)</li>
      <li>STRING: A string</li>
+     <li>BOOLEAN: 'true', 'yes', '1' or 'false', 'no', '0'</li>
     </ul>
     <p>
      <br/><br/>
@@ -476,6 +477,11 @@
          <td>STRING</td>
          <td>text with max. 256 characters</td>
        </tr>
+       <tr>
+         <td>gratuitous <span class="since">(Since 0.9.2)</span></td>
+         <td>BOOLEAN</td>
+         <td>boolean indicating whether to check for gratuitous ARP packet</td>
+       </tr>
       </table>
     <p>
       Valid strings for the <code>Opcode</code> field are:

docs/schemas/nwfilter.rng

@@ -581,6 +581,11 @@
           <ref name="uint16range"/>
         </attribute>
       </optional>
+      <optional>
+        <attribute name="gratuitous">
+          <ref name="boolean"/>
+        </attribute>
+      </optional>
    </interleave>
   </define>
 
@@ -784,6 +789,17 @@
     </choice>
   </define>
 
+  <define name="boolean">
+    <choice>
+      <value>yes</value>
+      <value>no</value>
+      <value>true</value>
+      <value>false</value>
+      <value>1</value>
+      <value>0</value>
+    </choice>
+  </define>
+
   <define name="arpOpcodeType">
     <choice>
       <!-- variable -->

examples/xml/nwfilter/no-arp-spoofing.xml

@@ -12,7 +12,11 @@
    <rule action='drop' direction='out' priority='400' >
        <arp match='no' arpsrcipaddr='$IP' />
    </rule>
-   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <!-- allow gratuitous arp -->
+   <rule action='accept' direction='in' priority='425'>
+       <arp gratuitous='true'/>
+   </rule>
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
    <rule action='drop' direction='in' priority='450' >
        <arp match='no' arpdstmacaddr='$MAC'/>
        <arp opcode='reply'/>

src/conf/nwfilter_conf.c

@@ -970,6 +970,10 @@ static const virXMLAttr2Struct arpAttributes[] = {
         .name = ARPDSTIPADDR,
         .datatype = DATATYPE_IPADDR,
         .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataARPDstIPAddr),
+    }, {
+        .name = "gratuitous",
+        .datatype = DATATYPE_BOOLEAN,
+        .dataIdx = offsetof(virNWFilterRuleDef, p.arpHdrFilter.dataGratuitousARP),
     },
     COMMENT_PROP(arpHdrFilter),
     {
@@ -1611,6 +1615,18 @@ virNWFilterRuleDetailsParse(xmlNodePtr node,
                             found = 1;
                         break;
 
+                        case DATATYPE_BOOLEAN:
+                            if (STREQ(prop, "true") ||
+                                STREQ(prop, "1") ||
+                                STREQ(prop, "yes"))
+                                item->u.boolean = true;
+                            else
+                                item->u.boolean = false;
+
+                            data.ui = item->u.boolean;
+                            found = 1;
+                        break;
+
                         case DATATYPE_LAST:
                         default:
                         break;
@@ -2744,6 +2760,13 @@ virNWFilterRuleDefDetailsFormat(virBufferPtr buf,
                    virBufferEscapeString(buf, "%s", item->u.string);
                break;
 
+               case DATATYPE_BOOLEAN:
+                   if (item->u.boolean == true)
+                       virBufferAddLit(buf, "true");
+                   else
+                       virBufferAddLit(buf, "false");
+               break;
+
                case DATATYPE_STRING:
                default:
                    virBufferAsprintf(buf,

src/conf/nwfilter_conf.h

@@ -97,8 +97,9 @@ enum attrDatatype {
     DATATYPE_IPV6ADDR         = (1 << 9),
     DATATYPE_IPV6MASK         = (1 << 10),
     DATATYPE_STRINGCOPY       = (1 << 11),
+    DATATYPE_BOOLEAN          = (1 << 12),
 
-    DATATYPE_LAST             = (1 << 12),
+    DATATYPE_LAST             = (1 << 13),
 };
 
 
@@ -118,6 +119,7 @@ struct _nwItemDesc {
     union {
         nwMACAddress macaddr;
         virSocketAddr ipaddr;
+        bool         boolean;
         uint8_t      u8;
         uint16_t     u16;
         char         protocolID[10];
@@ -160,6 +162,7 @@ struct _arpHdrFilterDef {
     nwItemDesc dataARPSrcIPAddr;
     nwItemDesc dataARPDstMACAddr;
     nwItemDesc dataARPDstIPAddr;
+    nwItemDesc dataGratuitousARP;
     nwItemDesc dataComment;
 };
 

src/nwfilter/nwfilter_ebiptables_driver.c

@@ -2033,6 +2033,13 @@ ebtablesCreateRuleInstance(char chainPrefix,
                           ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr),
                           macaddr);
         }
+
+        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
+            rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) {
+            virBufferAsprintf(&buf,
+                          " %s --arp-gratuitous",
+                          ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP));
+        }
     break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_IP:

tests/nwfilterxml2xmlin/arp-test.xml

@@ -30,4 +30,8 @@
      <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
           opcode='65536' hwtype='65536' protocoltype='65536' />
   </rule>
+
+  <rule action='accept' direction='in'>
+     <arp gratuitous='true'/>
+  </rule>
 </filter>

tests/nwfilterxml2xmlout/arp-test.xml

@@ -15,4 +15,7 @@
   <rule action='accept' direction='out' priority='500'>
     <arp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff'/>
   </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <arp gratuitous='true'/>
+  </rule>
 </filter>