Bug 862887 - Libvirt arpdstipaddr doesn't work with a subnet
Status: CLOSED NEXTRELEASE
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Assigned To: Stefan Berger
Reported: 2012-10-03 16:14 EDT by Brian Haley
Modified: 2014-03-20 02:10 EDT

Doc Type: Bug Fix
Last Closed: 2014-03-20 02:10:37 EDT
Type: Bug
Description Brian Haley 2012-10-03 16:14:25 EDT
Description of problem:

I was trying to program up a libvirt nwfilter rule to restrict the ARP destination IP address (in the request) to be a subnet.  I can specify one using ebtables directly, but not via a filter.  Looking on libvirt.org seems to show it must be an IP address.

So this is really more of a feature request.


Version-Release number of selected component (if applicable):

$ libvirtd --version
libvirtd (libvirt) 0.9.8

How reproducible:

Very


Steps to Reproduce:

I created a file that looks something like this:

<filter name='only-arp-dstip-net' chain='arp'>
  <rule action='drop' direction='out' priority='550'>
    <arp match='no' arpdstipaddr='10.1.2.0/24' />
  </rule>
</filter>


Actual results:

But when it's defined, it loses the arpdstipaddr part:

<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
  <uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
  <rule action='drop' direction='out' priority='550'>
    <arp/>
  </rule>
</filter>

And the corresponding ebtables rule is:

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP -j DROP , pcnt = 0 -- bcnt = 0


Expected results:

$ sudo ebtables -t nat -A I-vnet0-arp -p ARP --arp-ip-dst 10.1.2.0/24 -j DROP

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP --arp-ip-dst 10.1.2.0/24 -j DROP , pcnt = 0 -- bcnt = 0


Additional info:

The use case I have is that I have a bridge with proxy_arp=1, but I don't want to respond for all IP addresses, just a certain range.  Right now a VM can use 'ping -r -I eth0 $any_ip' and the stack will respond.
Comment 1 Dave Allan 2012-10-03 17:36:17 EDT
You should mention this on the libvirt mailing list as well, as not everybody on the list monitors bugzilla.
Comment 2 Stefan Berger 2014-03-13 18:46:43 EDT
This feature has now been implemented and pushed to the upstream repo:

commit a81756f1ff174c2603f1a392658741f4678bf3ed
Author: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date:   Thu Mar 13 18:30:09 2014 -0400

    nwfilter: Add ARP src/dst IP mask for ebtables ARP

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887

    Add a netmask for the source and destination IP address for the
    ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
    parser with support for XML attributes for these netmasks similar
    to already supported netmasks. Extend the documentation.

    Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

We can close this bz now.
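An added, stand-alone example (not code from the bug report or from libvirt) that shows the rule requested above and what it actually tests on the wire. It renders the filter XML with the arpdstipaddr/arpdstipmask attribute pair that the commit above introduced (that arpdstipmask takes a prefix length, like the existing srcipmask/dstipmask attributes on the <ip> element, is an assumption here), parses constructed ARP requests, and applies the decision the rule expresses: with match='no' the drop fires unless the ARP target protocol address is inside 10.1.2.0/24. The ebtables_rule helper writes the negated form of the rule using the `--arp-ip-dst [!] address[/mask]` syntax from the ebtables man page; all MAC addresses, IPs and frames are constructed for this example.

```python
import ipaddress
import struct
import xml.etree.ElementTree as ET

# Subnet from the bug report: the VM may only send ARP requests for targets in this range.
ALLOWED_NET = ipaddress.IPv4Network("10.1.2.0/24")

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_filter_xml(name: str, net: ipaddress.IPv4Network) -> str:
    """Render the nwfilter XML with the netmask attribute added by the commit.

    Assumption: arpdstipmask takes a prefix length, like the existing
    srcipmask/dstipmask attributes on the <ip> element.
    """
    filt = ET.Element("filter", name=name, chain="arp")
    rule = ET.SubElement(filt, "rule", action="drop", direction="out",
                         priority="550")
    # match='no' inverts the test: drop unless the ARP target IP is in net.
    ET.SubElement(rule, "arp", match="no",
                  arpdstipaddr=str(net.network_address),
                  arpdstipmask=str(net.prefixlen))
    return ET.tostring(filt, encoding="unicode")


def ebtables_rule(net: ipaddress.IPv4Network) -> str:
    """Equivalent ebtables match (man page syntax: --arp-ip-dst [!] address[/mask])."""
    return f"-p ARP --arp-ip-dst ! {net.with_prefixlen} -j DROP"


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct an Ethernet II frame carrying an IPv4 ARP request (sample input)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # htype, ptype, hlen, plen, oper
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed  # sha, spa
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed  # tha, tpa
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    spa = ipaddress.IPv4Address(frame[28:32])
    tpa = ipaddress.IPv4Address(frame[38:42])
    return oper, spa, tpa


def filter_verdict(frame: bytes, net: ipaddress.IPv4Network) -> str:
    """Verdict of the 'drop unless arp-ip-dst is in net' rule; chain policy is ACCEPT."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "accept"  # not a frame the ARP rule can match, so the chain policy applies
    _, _, tpa = parsed
    return "accept" if tpa in net else "drop"


if __name__ == "__main__":
    print(build_filter_xml("only-arp-dstip-net", ALLOWED_NET))
    print(ebtables_rule(ALLOWED_NET))
    vm_mac = bytes.fromhex("525400123456")  # constructed guest MAC
    for target in ("10.1.2.7", "10.1.3.7", "192.0.2.1"):
        frame = build_arp_request(vm_mac, "10.1.2.50", target)
        print(target, "->", filter_verdict(frame, ALLOWED_NET))
```

The verdict function mirrors the intent of the use case in the report: a guest running `ping -r` against an arbitrary address still emits the ARP request, but the filter drops it before the proxy_arp bridge can answer, while requests for the permitted range pass under the chain's ACCEPT policy.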
