author | Stefan Berger <stefanb@us.ibm.com> | 2011-05-23 19:41:18 -0400 |
---|---|---|
committer | Stefan Berger <stefanb@us.ibm.com> | 2011-05-23 19:41:18 -0400 |
commit | fcb0e8c2275f108b595f37defbe3c6de5bfc849e (patch) | |
tree | e308a580d2e632c992401043e485b215cf4dbfb1 /examples | |
parent | qemu: don't require is_kvm for vhost-net support (diff) | |
nwfilter: enable filtering of gratuitous ARP packets
This patch enables filtering of gratuitous ARP packets using the following XML:
<rule action='accept' direction='in' priority='425'>
<arp gratuitous='true'/>
</rule>
Diffstat (limited to 'examples')
-rw-r--r-- | examples/xml/nwfilter/no-arp-spoofing.xml | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml index c6c858dad..96c58c153 100644 --- a/examples/xml/nwfilter/no-arp-spoofing.xml +++ b/examples/xml/nwfilter/no-arp-spoofing.xml @@ -12,7 +12,11 @@ <rule action='drop' direction='out' priority='400' > <arp match='no' arpsrcipaddr='$IP' /> </rule> - <!-- drop if ipaddr or macaddr odes not belong to guest --> + <!-- allow gratuitous arp --> + <rule action='accept' direction='in' priority='425'> + <arp gratuitous='true'/> + </rule> + <!-- drop if ipaddr or macaddr does not belong to guest --> <rule action='drop' direction='in' priority='450' > <arp match='no' arpdstmacaddr='$MAC'/> <arp opcode='reply'/> |
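Review bot: The new accept rule at priority 425 matches on gratuitous='true' alone, so every inbound gratuitous ARP is accepted before the priority-450 drop rules that follow it (the arpdstmacaddr='$MAC' check and the reply check) can evaluate it. In a filter named no-arp-spoofing, that ordering should be explained in the file: please expand the comment "allow gratuitous arp" to say that the rule is placed ahead of the 450 checks on purpose and why inbound announcements are exempt from them. If the exemption can be narrower, add further match attributes to the arp element rather than accepting on the gratuitous flag only. The correction of "odes" to "does" in the existing comment is fine, but it is an unrelated change and the commit message does not mention it.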