From ed7813d28d45c8bf591d1567a8c7ea678b627958 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@us.ibm.com>
Date: Tue, 27 Apr 2010 14:50:35 -0400
Subject: [PATCH] nwfilter: let qemu's after-migration packet pass

Qemu currently sends an Ethernet packet with protocol id 0x835 once a VM
was successfully migrated. The content of the packet looks like a
gratuitous RARP, just with the wrong protocol ID, which should be
0x8035. I wrote some filters to let either one of the packets pass and
am adapting the clean-traffic sample filter to use it. I am also
doing some changes on the existing ARP filter which was lacking a
test for source MAC address.
---
 examples/xml/nwfilter/Makefile.am                 |  5 ++++-
 examples/xml/nwfilter/clean-traffic.xml           |  3 +++
 examples/xml/nwfilter/no-arp-spoofing.xml         | 13 ++++++++-----
 examples/xml/nwfilter/no-other-rarp-traffic.xml   |  3 +++
 examples/xml/nwfilter/qemu-announce-self-rarp.xml | 14 ++++++++++++++
 examples/xml/nwfilter/qemu-announce-self.xml      | 13 +++++++++++++
 6 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml
 create mode 100644 examples/xml/nwfilter/qemu-announce-self-rarp.xml
 create mode 100644 examples/xml/nwfilter/qemu-announce-self.xml

diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 54a7aae651..439e7b885b 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -11,7 +11,10 @@ FILTERS = \
 	no-ip-spoofing.xml \
 	no-mac-broadcast.xml \
 	no-mac-spoofing.xml \
-	no-other-l2-traffic.xml
+	no-other-l2-traffic.xml \
+	no-other-rarp-traffic.xml \
+	qemu-announce-self.xml \
+	qemu-announce-self-rarp.xml
 
 EXTRA_DIST=$(FILTERS)
 
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
index 2cc7df983e..40f0ecbfa5 100644
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -14,4 +14,7 @@
    <!-- preventing any other traffic than IPv4 and ARP -->
    <filterref filter='no-other-l2-traffic'/>
 
+   <!-- allow qemu to send a self-announce upon migration end -->
+   <filterref filter='qemu-announce-self'/>
+
 </filter>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index b49e781be4..c6c858dad0 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,27 +1,30 @@
 <filter name='no-arp-spoofing' chain='arp'>
    <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+   <rule action='drop' direction='out' priority='300' >
+       <mac match='no' srcmacaddr='$MAC'/>
+   </rule>
 
    <!-- no arp spoofing -->
    <!-- drop if ipaddr or macaddr does not belong to guest -->
-   <rule action='drop' direction='out' priority='400' >
+   <rule action='drop' direction='out' priority='350' >
        <arp match='no' arpsrcmacaddr='$MAC'/>
    </rule>
    <rule action='drop' direction='out' priority='400' >
        <arp match='no' arpsrcipaddr='$IP' />
    </rule>
    <!-- drop if ipaddr or macaddr odes not belong to guest -->
-   <rule action='drop' direction='in' priority='400' >
+   <rule action='drop' direction='in' priority='450' >
        <arp match='no' arpdstmacaddr='$MAC'/>
        <arp opcode='reply'/>
    </rule>
-   <rule action='drop' direction='in' priority='400' >
+   <rule action='drop' direction='in' priority='500' >
        <arp match='no' arpdstipaddr='$IP' />
    </rule>
    <!-- accept only request or reply packets -->
-   <rule action='accept' direction='inout' priority='500' >
+   <rule action='accept' direction='inout' priority='600' >
        <arp opcode='request'/>
    </rule>
-   <rule action='accept' direction='inout' priority='500' >
+   <rule action='accept' direction='inout' priority='650' >
        <arp opcode='reply'/>
    </rule>
    <!-- drop everything else -->
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
new file mode 100644
index 0000000000..7729996ece
--- /dev/null
+++ b/examples/xml/nwfilter/no-other-rarp-traffic.xml
@@ -0,0 +1,3 @@
+<filter name='no-other-rarp-traffic' chain='rarp'>
+    <rule action='drop' direction='inout' priority='1000'/>
+</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self-rarp.xml b/examples/xml/nwfilter/qemu-announce-self-rarp.xml
new file mode 100644
index 0000000000..b7a848ad0f
--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self-rarp.xml
@@ -0,0 +1,14 @@
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+  <rule action='accept' direction='out' priority='500'>
+    <rarp opcode='Request_Reverse'
+          srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+          arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+          arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+  </rule>
+  <rule action='accept' direction='in' priority='500'>
+    <rarp opcode='Request_Reverse'
+          dstmacaddr='ff:ff:ff:ff:ff:ff'
+          arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+          arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+  </rule>
+</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
new file mode 100644
index 0000000000..352db500de
--- /dev/null
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -0,0 +1,13 @@
+<filter name='qemu-announce-self' chain='root'>
+    <!-- as of 4/26/2010 qemu sends out a bogus packet with
+         wrong rarp protocol ID -->
+    <!-- accept what is being sent now -->
+    <rule action='accept' direction='out'>
+        <mac protocolid='0x835'/>
+    </rule>
+
+    <!-- accept if it was changed to rarp -->
+    <filterref filter='qemu-announce-self-rarp'/>
+    <filterref filter='no-other-rarp-traffic'/>
+
+</filter>
-- 
GitLab