ed7813d28d
Qemu currently sends an Ethernet packet with protocol id 0x835 once a VM was successfully migrated. The content of the packet looks like a gratuitous RARP, just with the wrong protocol ID, which should be 0x8035. I wrote some filters to let either one of the packets pass and am adapting the clean-traffic sample filter to use it. I am also doing some changes on the existing ARP filter which was lacking a test for source MAC address.
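<filter name='no-arp-spoofing' chain='arp'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>

  <!--
    Anti-ARP-spoofing rules for one guest interface, placed in the 'arp' chain.

    $MAC and $IP are filter variables resolved when the filter is bound to the
    interface: $MAC is the interface's own MAC address, $IP the guest's IP
    address (supplied by the caller or via IP-address detection; confirm for
    the deployment). Rules are evaluated in ascending 'priority' order, so the
    accepts at 600/650 only see traffic that survived the drops above them.
    Several <mac>/<arp> elements inside one <rule> are read as a conjunction;
    the rule at priority 450 relies on that.
  -->

  <!-- drop outgoing ARP whose Ethernet source MAC is not the guest's own -->
  <rule action='drop' direction='out' priority='300'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>

  <!-- no arp spoofing -->
  <!-- drop outgoing ARP whose sender MAC or sender IP does not belong to the guest -->
  <rule action='drop' direction='out' priority='350'>
    <arp match='no' arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='400'>
    <arp match='no' arpsrcipaddr='$IP'/>
  </rule>

  <!-- drop incoming ARP replies whose target MAC is not the guest's; requests
       are broadcast and carry no meaningful target MAC, so only replies are
       checked here -->
  <rule action='drop' direction='in' priority='450'>
    <arp match='no' arpdstmacaddr='$MAC'/>
    <arp opcode='reply'/>
  </rule>
  <!-- drop incoming ARP whose target IP does not belong to the guest -->
  <rule action='drop' direction='in' priority='500'>
    <arp match='no' arpdstipaddr='$IP'/>
  </rule>

  <!-- accept only request or reply packets -->
  <rule action='accept' direction='inout' priority='600'>
    <arp opcode='request'/>
  </rule>
  <rule action='accept' direction='inout' priority='650'>
    <arp opcode='reply'/>
  </rule>

  <!-- drop everything else -->
  <rule action='drop' direction='inout' priority='1000'/>
</filter>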