Bug 862887 - Libvirt arpdstipaddr doesn't work with a subnet
Summary: Libvirt arpdstipaddr doesn't work with a subnet
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Stefan Berger
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-10-03 20:14 UTC by Brian Haley
Modified: 2014-03-20 06:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-03-20 06:10:37 UTC
Embargoed:



Description Brian Haley 2012-10-03 20:14:25 UTC
Description of problem:

I was trying to program up a libvirt nwfilter rule to restrict the ARP destination IP address (in the request) to be a subnet.  I can specify one using ebtables directly, but not via a filter.  Looking on libvirt.org seems to show it must be an IP address.

So this is really more of a feature request.


Version-Release number of selected component (if applicable):

$ libvirtd --version
libvirtd (libvirt) 0.9.8

How reproducible:

Very


Steps to Reproduce:

I created a file that looks something like this:

<filter name='only-arp-dstip-net' chain='arp'>
 <rule action='drop' direction='out' priority='550'>
     <arp match='no' arpdstipaddr='10.1.2.0/24' />
 </rule>
</filter>


Actual results:

But when it's defined, it loses the arpdstipaddr part:

<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
  <uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
  <rule action='drop' direction='out' priority='550'>
    <arp/>
  </rule>
</filter>

And the corresponding ebtables rule is:

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP -j DROP , pcnt = 0 -- bcnt = 0


Expected results:

$ sudo ebtables -t nat -A I-vnet0-arp -p ARP --arp-ip-dst 10.1.2.0/24 -j DROP

Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP --arp-ip-dst 10.1.2.0/24 -j DROP , pcnt = 0 -- bcnt = 0


Additional info:

The use case I have is that I have a bridge with proxy_arp=1, but I don't want to respond for all IP addresses, just a certain range.  Right now a VM can use 'ping -r -I eth0 $any_ip' and the stack will respond.

Comment 1 Dave Allan 2012-10-03 21:36:17 UTC
You should mention this on the libvirt mailing list as well, as not everybody on the list monitors bugzilla.

Comment 2 Stefan Berger 2014-03-13 22:46:43 UTC
This feature has now been implemented and pushed to the upstream repo:

commit a81756f1ff174c2603f1a392658741f4678bf3ed
Author: Stefan Berger <stefanb.ibm.com>
Date:   Thu Mar 13 18:30:09 2014 -0400

    nwfilter: Add ARP src/dst IP mask for ebtables ARP

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=862887

    Add a netmask for the source and destination IP address for the
    ebtables --arp-ip-src and --arp-ip-dst options. Extend the XML
    parser with support for XML attributes for these netmasks similar
    to already supported netmasks. Extend the documentation.

    Signed-off-by: Stefan Berger <stefanb.ibm.com>

We can close this bz now.
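The failure mode in this bug is worth checking for mechanically: a filter whose <arp> element silently loses its attributes on define does not fail, it becomes a broader rule (here, "drop all outbound ARP" instead of "drop ARP for addresses outside the subnet"). The following Python script is an added example, not libvirt's code or anything from this bug's commit. It parses the reporter's intended filter and the stored copy libvirt 0.9.8 returned (both reproduced from the report above), reports which <arp> attributes were dropped, and renders the ebtables match each rule corresponds to, accepting either a CIDR inside arpdstipaddr (as the reporter wrote it) or a separate netmask attribute. The attribute names arpsrcipmask and arpdstipmask are an assumption about the fix's XML; the commit message only says the masks follow the already supported netmask attributes.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the filter as the reporter intended it, with a CIDR subnet.
INTENDED_XML = """<filter name='only-arp-dstip-net' chain='arp'>
 <rule action='drop' direction='out' priority='550'>
     <arp match='no' arpdstipaddr='10.1.2.0/24' />
 </rule>
</filter>"""

# Constructed sample: the same filter as libvirt 0.9.8 stored it; the <arp>
# element has lost both match='no' and arpdstipaddr, so it now matches all ARP.
DEFINED_XML = """<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
  <uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
  <rule action='drop' direction='out' priority='550'>
    <arp/>
  </rule>
</filter>"""

# libvirt <arp> attributes and the ebtables options they map to.
ARP_OPTIONS = {
    "arpsrcipaddr": "--arp-ip-src",
    "arpdstipaddr": "--arp-ip-dst",
    "arpsrcmacaddr": "--arp-mac-src",
    "arpdstmacaddr": "--arp-mac-dst",
}
# Assumed names of the netmask attributes added by the fix (not quoted on the page).
MASK_OF = {"arpsrcipaddr": "arpsrcipmask", "arpdstipaddr": "arpdstipmask"}


def arp_rules(xml_text):
    """Return one (rule_attrs, arp_attrs) pair per <rule> that carries an <arp> element."""
    root = ET.fromstring(xml_text)
    found = []
    for rule in root.iter("rule"):
        arp = rule.find("arp")
        if arp is not None:
            found.append((dict(rule.attrib), dict(arp.attrib)))
    return found


def dropped_attributes(intended_xml, defined_xml):
    """Names of <arp> attributes present in the intended filter but absent from the
    stored one. A non-empty result means the rule handed to ebtables is broader
    than the rule that was written, which is exactly what this bug produced."""
    dropped = set()
    for (_, want), (_, got) in zip(arp_rules(intended_xml), arp_rules(defined_xml)):
        dropped |= set(want) - set(got)
    return dropped


def _ip_with_mask(addr, mask):
    """Normalise an address plus optional mask to ebtables' address/prefix form.
    Accepts a CIDR inside the address itself or a separate mask given either as
    a prefix length ('24') or a dotted netmask ('255.255.255.0')."""
    if "/" in addr:
        net = ipaddress.ip_network(addr, strict=False)
    elif mask is not None:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    else:
        return addr  # single host, no mask
    return f"{net.network_address}/{net.prefixlen}"


def ebtables_rule(rule_attrs, arp_attrs):
    """Render the ebtables match that a libvirt ARP rule corresponds to.
    match='no' on the <arp> element negates every ARP match in the rule."""
    parts = ["-p", "ARP"]
    negate = arp_attrs.get("match", "yes") == "no"
    for attr, option in ARP_OPTIONS.items():
        if attr not in arp_attrs:
            continue
        value = arp_attrs[attr]
        if attr in MASK_OF:
            value = _ip_with_mask(value, arp_attrs.get(MASK_OF[attr]))
        if negate:
            parts.append("!")
        parts += [option, value]
    parts += ["-j", rule_attrs.get("action", "accept").upper()]
    return " ".join(parts)


if __name__ == "__main__":
    lost = dropped_attributes(INTENDED_XML, DEFINED_XML)
    print("attributes dropped on define:", sorted(lost) or "none")
    for label, xml_text in (("intended", INTENDED_XML), ("stored", DEFINED_XML)):
        for rule_attrs, arp_attrs in arp_rules(xml_text):
            print(f"{label:9s} ->", ebtables_rule(rule_attrs, arp_attrs))
```

Run against a live host, the two inputs would be the filter file you wrote and the output of virsh nwfilter-dumpxml for the same name; any name in the dropped set is a constraint that never reached the bridge. The second rendering also shows why the report's "actual results" line read simply "-p ARP -j DROP".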

