vmd: VMs with auto-configured L3 interfaces (call for testing)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

vmd: VMs with auto-configured L3 interfaces (call for testing)

Reyk Floeter-2
Hi,

we want to make it easier to run NAT'ed and auto-configured VMs that
don't need switches, L2, manual scripts, or any additional servers on
the host.  I wrote a new mode that just needs vmd, pf, and forwarding.

I'm looking for feedback, testing, and responses on this list.

vmd currently supports two modes to configure network interfaces:
-i/interface: unconfigured tap(4) interfaces for static configuration.
-n/switch: automatically adds tap(4) interfaces to bridge/switch interfaces.

The attached diff adds a new mode for dynamic "NAT" interfaces:
-L/local interface: auto-configure an L3 interface and run built-in DHCP.

Setting it up is easy:

1. Enable forwarding:

    # sysctl net.inet.ip.forwarding=1

2. Add a NAT rule to pf.conf(5) and a redirection for DNS (or run unbound):

    pass out on egress received-on tap nat-to (egress:0)
    pass in on tap proto { tcp udp } to 100.64.0.0/10 port domain rdr-to 8.8.8.8

3. Now start a new VM with the -L option to add a "local" interface:

    # vmctl start foo -d foo.img -L -c

vmd configures a /31 address on the tap(4) interface of the host and
provides another IP in the same subnet via DHCP (BOOTP) to the VM.
vmd runs an internal DHCP server that replies with IP, gateway, and
DNS addresses to the VM - there is no need to run dhcpd!  The built-in
server only ever responds to the VM on the inside and cannot leak its
DHCP responses to the outside.

DHCPDISCOVER on vio0 - interval 1
BOOTREPLY from 100.64.3.2 (fe:e1:bb:d1:b7:5e)
bound to 100.64.3.3 -- renewal in 8000 seconds.

Done.

This also replaces the "dhcpd on vether0 on switch" approach for
NAT'ed VMs on laptops that I recommended before.  The switch concept
itself will still be provided and improved for other use cases.

The addresses are currently allocated from the RFC6598 100.64.0.0/10
"IPv4 Prefix for Shared Address Space" to avoid collisions with
RFC1918 addresses on the host.  I will add a configuration option to
change the default prefix later.

The current algorithm to generate the IPs and /31 subnets from the
prefix can be found in the vm_priv_addr() function below.  The
packet.c and dhcp.h code is copied from dhcrelay which got improved
recently.

Thoughts? OKs?

Reyk

Index: usr.sbin/vmd/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/Makefile,v
retrieving revision 1.13
diff -u -p -u -p -r1.13 Makefile
--- usr.sbin/vmd/Makefile 1 Mar 2017 18:00:50 -0000 1.13
+++ usr.sbin/vmd/Makefile 12 Apr 2017 11:16:50 -0000
@@ -5,7 +5,7 @@
 PROG= vmd
 SRCS= vmd.c control.c log.c priv.c proc.c config.c vmm.c
 SRCS+= vm.c loadfile_elf.c pci.c virtio.c i8259.c mc146818.c
-SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c
+SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c dhcp.c packet.c
 SRCS+= parse.y
 
 CFLAGS+= -Wall -I${.CURDIR}
Index: usr.sbin/vmd/dhcp.c
===================================================================
RCS file: usr.sbin/vmd/dhcp.c
diff -N usr.sbin/vmd/dhcp.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.sbin/vmd/dhcp.c 12 Apr 2017 11:16:50 -0000
@@ -0,0 +1,163 @@
+/* $OpenBSD$ */
+
+/*
+ * Copyright (c) 2017 Reyk Floeter <[hidden email]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <stddef.h>
+
+#include "proc.h"
+#include "vmd.h"
+#include "dhcp.h"
+#include "virtio.h"
+
+static const uint8_t broadcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+
+ssize_t
+dhcp_request(struct vionet_dev *dev, char *buf, size_t buflen, char **obuf)
+{
+ unsigned char *respbuf = NULL;
+ ssize_t offset, respbuflen = 0;
+ struct packet_ctx pc;
+ struct dhcp_packet req, resp;
+ struct in_addr in, mask;
+ size_t resplen, o;
+
+ if (buflen < (ssize_t)(BOOTP_MIN_LEN + sizeof(struct ether_header)))
+ return (-1);
+
+ memset(&pc, 0, sizeof(pc));
+ if ((offset = decode_hw_header(buf, buflen, 0, &pc, HTYPE_ETHER)) < 0)
+ return (-1);
+
+ if (memcmp(pc.pc_smac, dev->mac, ETHER_ADDR_LEN) != 0 ||
+    memcmp(pc.pc_dmac, broadcast, ETHER_ADDR_LEN) != 0)
+ return (-1);
+
+ if ((offset = decode_udp_ip_header(buf, buflen, offset, &pc)) < 0)
+ return (-1);
+
+ if (ntohs(ss2sin(&pc.pc_src)->sin_port) != CLIENT_PORT ||
+    ntohs(ss2sin(&pc.pc_dst)->sin_port) != SERVER_PORT)
+ return (-1);
+
+ memset(&req, 0, sizeof(req));
+ memcpy(&req, buf + offset, buflen - offset);
+
+ if (req.op != BOOTREQUEST ||
+    req.htype != pc.pc_htype ||
+    req.hlen != ETHER_ADDR_LEN ||
+    memcmp(dev->mac, req.chaddr, req.hlen) != 0)
+ return (-1);
+
+ /* Ignore unsupported requests for now */
+ if (req.ciaddr.s_addr != 0 || req.file[0] != '\0' || req.hops != 0)
+ return (-1);
+
+ memset(&resp, 0, sizeof(resp));
+ resp.op = BOOTREPLY;
+ resp.htype = req.htype;
+ resp.hlen = req.hlen;
+ resp.xid = req.xid;
+
+ if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 1)) == 0)
+ return (-1);
+ memcpy(&resp.yiaddr, &in, sizeof(in));
+ memcpy(&ss2sin(&pc.pc_dst)->sin_addr, &in, sizeof(in));
+ ss2sin(&pc.pc_dst)->sin_port = htons(CLIENT_PORT);
+
+ if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 0)) == 0)
+ return (-1);
+ memcpy(&resp.siaddr, &in, sizeof(in));
+ memcpy(&ss2sin(&pc.pc_src)->sin_addr, &in, sizeof(in));
+ ss2sin(&pc.pc_src)->sin_port = htons(SERVER_PORT);
+
+ /* Packet is already allocated */
+ if (*obuf != NULL)
+ goto fail;
+
+ buflen = 0;
+ respbuflen = DHCP_MTU_MAX;
+ if ((respbuf = calloc(1, respbuflen)) == NULL)
+ goto fail;
+
+ memcpy(&pc.pc_dmac, dev->mac, sizeof(pc.pc_dmac));
+ memcpy(&resp.chaddr, dev->mac, resp.hlen);
+ memcpy(&pc.pc_smac, dev->mac, sizeof(pc.pc_smac));
+ pc.pc_smac[5]++;
+ if ((offset = assemble_hw_header(respbuf, respbuflen, 0,
+    &pc, HTYPE_ETHER)) < 0) {
+ log_debug("%s: assemble_hw_header failed", __func__);
+ goto fail;
+ }
+
+ /* BOOTP uses a 64byte vendor field instead of the DHCP options */
+ resplen = BOOTP_MIN_LEN;
+
+ /* Add BOOTP Vendor Extensions (DHCP options) */
+ o = 0;
+ memcpy(&resp.options,
+    DHCP_OPTIONS_COOKIE, DHCP_OPTIONS_COOKIE_LEN);
+ o+= DHCP_OPTIONS_COOKIE_LEN;
+
+ resp.options[o++] = DHO_SUBNET_MASK;
+ resp.options[o++] = sizeof(mask);
+ mask.s_addr = htonl(0xfffffffe);
+ memcpy(&resp.options[o], &mask, sizeof(mask));
+ o += sizeof(mask);
+
+ resp.options[o++] = DHO_ROUTERS;
+ resp.options[o++] = sizeof(in);
+ memcpy(&resp.options[o], &in, sizeof(in));
+ o += sizeof(in);
+
+ resp.options[o++] = DHO_DOMAIN_NAME_SERVERS;
+ resp.options[o++] = sizeof(in);
+ memcpy(&resp.options[o], &in, sizeof(in));
+ o += sizeof(in);
+
+ resp.options[o++] = DHO_END;
+
+ resplen = offsetof(struct dhcp_packet, options) + o;
+
+ /* Minimum packet size */
+ if (resplen < BOOTP_MIN_LEN)
+ resplen = BOOTP_MIN_LEN;
+
+ if ((offset = assemble_udp_ip_header(respbuf, respbuflen, offset, &pc,
+    (unsigned char *)&resp, resplen)) < 0) {
+ log_debug("%s: assemble_udp_ip_header failed", __func__);
+ goto fail;
+ }
+
+ memcpy(respbuf + offset, &resp, sizeof(resp));
+ respbuflen = offset + resplen;
+
+ *obuf = respbuf;
+ return (respbuflen);
+ fail:
+ free(respbuf);
+ return (0);
+}
+
Index: usr.sbin/vmd/dhcp.h
===================================================================
RCS file: usr.sbin/vmd/dhcp.h
diff -N usr.sbin/vmd/dhcp.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.sbin/vmd/dhcp.h 12 Apr 2017 11:16:50 -0000
@@ -0,0 +1,181 @@
+/* $OpenBSD: dhcp.h,v 1.6 2016/12/12 15:41:05 rzalamena Exp $ */
+
+/* Protocol structures... */
+
+/*
+ * Copyright (c) 1995, 1996 The Internet Software Consortium.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of The Internet Software Consortium nor the names
+ *    of its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This software has been written for the Internet Software Consortium
+ * by Ted Lemon <[hidden email]> in cooperation with Vixie
+ * Enterprises.  To learn more about the Internet Software Consortium,
+ * see ``http://www.vix.com/isc''.  To learn more about Vixie
+ * Enterprises, see ``http://www.vix.com''.
+ */
+
+#define DHCP_UDP_OVERHEAD (20 + /* IP header */ \
+ 8)   /* UDP header */
+#define DHCP_SNAME_LEN 64
+#define DHCP_FILE_LEN 128
+#define DHCP_FIXED_NON_UDP 236
+#define DHCP_FIXED_LEN (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD)
+ /* Everything but options. */
+#define DHCP_MTU_MAX 1500
+#define DHCP_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN)
+/* The option/sub-option maximum length. */
+#define DHCP_OPTION_MAXLEN 255
+/* The option/sub-option header length. */
+#define DHCP_OPTION_HDR_LEN 2
+
+#define BOOTP_MIN_LEN 300
+
+#define SERVER_PORT 67
+#define CLIENT_PORT 68
+
+struct dhcp_packet {
+ u_int8_t  op; /* Message opcode/type */
+ u_int8_t  htype; /* Hardware addr type (see net/if_types.h) */
+ u_int8_t  hlen; /* Hardware addr length */
+ u_int8_t  hops; /* Number of relay agent hops from client */
+ u_int32_t xid; /* Transaction ID */
+ u_int16_t secs; /* Seconds since client started looking */
+ u_int16_t flags; /* Flag bits */
+ struct in_addr ciaddr; /* Client IP address (if already in use) */
+ struct in_addr yiaddr; /* Client IP address */
+ struct in_addr siaddr; /* IP address of next server to talk to */
+ struct in_addr giaddr; /* DHCP relay agent IP address */
+ unsigned char chaddr[16]; /* Client hardware address */
+ char sname[DHCP_SNAME_LEN]; /* Server name */
+ char file[DHCP_FILE_LEN]; /* Boot filename */
+ unsigned char options[DHCP_OPTION_LEN];
+ /* Optional parameters
+   (actual length dependent on MTU). */
+};
+
+/* BOOTP (rfc951) message types */
+#define BOOTREQUEST 1
+#define BOOTREPLY 2
+
+/* Possible values for flags field... */
+#define BOOTP_BROADCAST 32768L
+
+/* Possible values for hardware type (htype) field... */
+#define HTYPE_ETHER 1 /* Ethernet */
+#define HTYPE_IEEE802 6 /* IEEE 802.2 Token Ring... */
+#define HTYPE_FDDI 8 /* FDDI... */
+#define HTYPE_IPSEC_TUNNEL 31 /* IPsec Tunnel (RFC3456) */
+
+/* Magic cookie validating dhcp options field (and bootp vendor
+   extensions field). */
+#define DHCP_OPTIONS_COOKIE "\143\202\123\143"
+#define DHCP_OPTIONS_COOKIE_LEN 4
+
+/* DHCP Option codes: */
+
+#define DHO_PAD 0
+#define DHO_SUBNET_MASK 1
+#define DHO_TIME_OFFSET 2
+#define DHO_ROUTERS 3
+#define DHO_TIME_SERVERS 4
+#define DHO_NAME_SERVERS 5
+#define DHO_DOMAIN_NAME_SERVERS 6
+#define DHO_LOG_SERVERS 7
+#define DHO_COOKIE_SERVERS 8
+#define DHO_LPR_SERVERS 9
+#define DHO_IMPRESS_SERVERS 10
+#define DHO_RESOURCE_LOCATION_SERVERS 11
+#define DHO_HOST_NAME 12
+#define DHO_BOOT_SIZE 13
+#define DHO_MERIT_DUMP 14
+#define DHO_DOMAIN_NAME 15
+#define DHO_SWAP_SERVER 16
+#define DHO_ROOT_PATH 17
+#define DHO_EXTENSIONS_PATH 18
+#define DHO_IP_FORWARDING 19
+#define DHO_NON_LOCAL_SOURCE_ROUTING 20
+#define DHO_POLICY_FILTER 21
+#define DHO_MAX_DGRAM_REASSEMBLY 22
+#define DHO_DEFAULT_IP_TTL 23
+#define DHO_PATH_MTU_AGING_TIMEOUT 24
+#define DHO_PATH_MTU_PLATEAU_TABLE 25
+#define DHO_INTERFACE_MTU 26
+#define DHO_ALL_SUBNETS_LOCAL 27
+#define DHO_BROADCAST_ADDRESS 28
+#define DHO_PERFORM_MASK_DISCOVERY 29
+#define DHO_MASK_SUPPLIER 30
+#define DHO_ROUTER_DISCOVERY 31
+#define DHO_ROUTER_SOLICITATION_ADDRESS 32
+#define DHO_STATIC_ROUTES 33
+#define DHO_TRAILER_ENCAPSULATION 34
+#define DHO_ARP_CACHE_TIMEOUT 35
+#define DHO_IEEE802_3_ENCAPSULATION 36
+#define DHO_DEFAULT_TCP_TTL 37
+#define DHO_TCP_KEEPALIVE_INTERVAL 38
+#define DHO_TCP_KEEPALIVE_GARBAGE 39
+#define DHO_NIS_DOMAIN 40
+#define DHO_NIS_SERVERS 41
+#define DHO_NTP_SERVERS 42
+#define DHO_VENDOR_ENCAPSULATED_OPTIONS 43
+#define DHO_NETBIOS_NAME_SERVERS 44
+#define DHO_NETBIOS_DD_SERVER 45
+#define DHO_NETBIOS_NODE_TYPE 46
+#define DHO_NETBIOS_SCOPE 47
+#define DHO_FONT_SERVERS 48
+#define DHO_X_DISPLAY_MANAGER 49
+#define DHO_DHCP_REQUESTED_ADDRESS 50
+#define DHO_DHCP_LEASE_TIME 51
+#define DHO_DHCP_OPTION_OVERLOAD 52
+#define DHO_DHCP_MESSAGE_TYPE 53
+#define DHO_DHCP_SERVER_IDENTIFIER 54
+#define DHO_DHCP_PARAMETER_REQUEST_LIST 55
+#define DHO_DHCP_MESSAGE 56
+#define DHO_DHCP_MAX_MESSAGE_SIZE 57
+#define DHO_DHCP_RENEWAL_TIME 58
+#define DHO_DHCP_REBINDING_TIME 59
+#define DHO_DHCP_CLASS_IDENTIFIER 60
+#define DHO_DHCP_CLIENT_IDENTIFIER 61
+#define DHO_DHCP_USER_CLASS_ID 77
+#define DHO_RELAY_AGENT_INFORMATION 82
+#define DHO_END 255
+
+/* DHCP message types. */
+#define DHCPDISCOVER 1
+#define DHCPOFFER 2
+#define DHCPREQUEST 3
+#define DHCPDECLINE 4
+#define DHCPACK 5
+#define DHCPNAK 6
+#define DHCPRELEASE 7
+#define DHCPINFORM 8
+
+/* Relay Agent Information sub-options */
+#define RAI_CIRCUIT_ID 1
+#define RAI_REMOTE_ID 2
+#define RAI_AGENT_ID 3
Index: usr.sbin/vmd/packet.c
===================================================================
RCS file: usr.sbin/vmd/packet.c
diff -N usr.sbin/vmd/packet.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ usr.sbin/vmd/packet.c 12 Apr 2017 11:16:50 -0000
@@ -0,0 +1,332 @@
+/* $OpenBSD: packet.c,v 1.13 2017/02/13 19:15:39 krw Exp $ */
+
+/* Packet assembly code, originally contributed by Archie Cobbs. */
+
+/*
+ * Copyright (c) 1995, 1996, 1999 The Internet Software Consortium.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of The Internet Software Consortium nor the names
+ *    of its contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
+ * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * This software has been written for the Internet Software Consortium
+ * by Ted Lemon <[hidden email]> in cooperation with Vixie
+ * Enterprises.  To learn more about the Internet Software Consortium,
+ * see ``http://www.vix.com/isc''.  To learn more about Vixie
+ * Enterprises, see ``http://www.vix.com''.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <arpa/inet.h>
+
+#include <net/if.h>
+#include <net/if_enc.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <netinet/if_ether.h>
+
+#include <string.h>
+
+#include "dhcp.h"
+#include "vmd.h"
+#include "proc.h"
+
+u_int32_t checksum(unsigned char *, u_int32_t, u_int32_t);
+u_int32_t wrapsum(u_int32_t);
+
+u_int32_t
+checksum(unsigned char *buf, u_int32_t nbytes, u_int32_t sum)
+{
+ u_int32_t i;
+
+ /* Checksum all the pairs of bytes first... */
+ for (i = 0; i < (nbytes & ~1U); i += 2) {
+ sum += (u_int16_t)ntohs(*((u_int16_t *)(buf + i)));
+ if (sum > 0xFFFF)
+ sum -= 0xFFFF;
+ }
+
+ /*
+ * If there's a single byte left over, checksum it, too.
+ * Network byte order is big-endian, so the remaining byte is
+ * the high byte.
+ */
+ if (i < nbytes) {
+ sum += buf[i] << 8;
+ if (sum > 0xFFFF)
+ sum -= 0xFFFF;
+ }
+
+ return (sum);
+}
+
+u_int32_t
+wrapsum(u_int32_t sum)
+{
+ sum = ~sum & 0xFFFF;
+ return (htons(sum));
+}
+
+ssize_t
+assemble_hw_header(unsigned char *buf, size_t buflen,
+    size_t offset, struct packet_ctx *pc, unsigned int intfhtype)
+{
+ struct ether_header eh;
+
+ switch (intfhtype) {
+ case HTYPE_ETHER:
+ if (buflen < offset + ETHER_HDR_LEN)
+ return (-1);
+
+ /* Use the supplied address or let the kernel fill it. */
+ memcpy(eh.ether_shost, pc->pc_smac, ETHER_ADDR_LEN);
+ memcpy(eh.ether_dhost, pc->pc_dmac, ETHER_ADDR_LEN);
+
+ eh.ether_type = htons(ETHERTYPE_IP);
+
+ memcpy(&buf[offset], &eh, ETHER_HDR_LEN);
+ offset += ETHER_HDR_LEN;
+ break;
+ default:
+ return (-1);
+ }
+
+ return (offset);
+}
+
+ssize_t
+assemble_udp_ip_header(unsigned char *buf, size_t buflen, size_t offset,
+    struct packet_ctx *pc, unsigned char *data, size_t datalen)
+{
+ struct ip ip;
+ struct udphdr udp;
+
+ if (buflen < offset + sizeof(ip) + sizeof(udp))
+ return (-1);
+
+ ip.ip_v = 4;
+ ip.ip_hl = 5;
+ ip.ip_tos = IPTOS_LOWDELAY;
+ ip.ip_len = htons(sizeof(ip) + sizeof(udp) + datalen);
+ ip.ip_id = 0;
+ ip.ip_off = 0;
+ ip.ip_ttl = 16;
+ ip.ip_p = IPPROTO_UDP;
+ ip.ip_sum = 0;
+ ip.ip_src.s_addr = ss2sin(&pc->pc_src)->sin_addr.s_addr;
+ ip.ip_dst.s_addr = ss2sin(&pc->pc_dst)->sin_addr.s_addr;
+
+ ip.ip_sum = wrapsum(checksum((unsigned char *)&ip, sizeof(ip), 0));
+ memcpy(&buf[offset], &ip, sizeof(ip));
+ offset += sizeof(ip);
+
+ udp.uh_sport = ss2sin(&pc->pc_src)->sin_port;
+ udp.uh_dport = ss2sin(&pc->pc_dst)->sin_port;
+ udp.uh_ulen = htons(sizeof(udp) + datalen);
+ memset(&udp.uh_sum, 0, sizeof(udp.uh_sum));
+
+ udp.uh_sum = wrapsum(checksum((unsigned char *)&udp, sizeof(udp),
+    checksum(data, datalen, checksum((unsigned char *)&ip.ip_src,
+    2 * sizeof(ip.ip_src),
+    IPPROTO_UDP + (u_int32_t)ntohs(udp.uh_ulen)))));
+
+ memcpy(&buf[offset], &udp, sizeof(udp));
+ offset += sizeof(udp);
+
+ return (offset);
+}
+
+ssize_t
+decode_hw_header(unsigned char *buf, size_t buflen,
+    size_t offset, struct packet_ctx *pc, unsigned int intfhtype)
+{
+ u_int32_t ip_len;
+ struct ip *ip;
+
+ switch (intfhtype) {
+ case HTYPE_IPSEC_TUNNEL:
+ if (buflen < offset + ENC_HDRLEN + sizeof(*ip))
+ return (-1);
+ offset += ENC_HDRLEN;
+ ip_len = (buf[offset] & 0xf) << 2;
+ if (buflen < offset + ip_len)
+ return (-1);
+
+ ip = (struct ip *)(buf + offset);
+
+ /* Encapsulated IP */
+ if (ip->ip_p != IPPROTO_IPIP)
+ return (-1);
+
+ memset(pc->pc_dmac, 0xff, ETHER_ADDR_LEN);
+ offset += ip_len;
+
+ pc->pc_htype = ARPHRD_ETHER;
+ pc->pc_hlen = ETHER_ADDR_LEN;
+ break;
+ case HTYPE_ETHER:
+ if (buflen < offset + ETHER_HDR_LEN)
+ return (-1);
+
+ memcpy(pc->pc_dmac, buf + offset, ETHER_ADDR_LEN);
+ memcpy(pc->pc_smac, buf + offset + ETHER_ADDR_LEN,
+    ETHER_ADDR_LEN);
+ offset += ETHER_HDR_LEN;
+
+ pc->pc_htype = ARPHRD_ETHER;
+ pc->pc_hlen = ETHER_ADDR_LEN;
+ break;
+ default:
+ return (-1);
+ }
+
+ return (offset);
+}
+
+ssize_t
+decode_udp_ip_header(unsigned char *buf, size_t buflen,
+    size_t offset, struct packet_ctx *pc)
+{
+ struct ip *ip;
+ struct udphdr *udp;
+ unsigned char *data;
+ u_int32_t ip_len;
+ u_int32_t sum, usum;
+ static unsigned int ip_packets_seen;
+ static unsigned int ip_packets_bad_checksum;
+ static unsigned int udp_packets_seen;
+ static unsigned int udp_packets_bad_checksum;
+ static unsigned int udp_packets_length_checked;
+ static unsigned int udp_packets_length_overflow;
+ int len;
+
+ /* Assure that an entire IP header is within the buffer. */
+ if (buflen < offset + sizeof(*ip))
+ return (-1);
+ ip_len = (buf[offset] & 0xf) << 2;
+ if (buflen < offset + ip_len)
+ return (-1);
+
+ ip = (struct ip *)(buf + offset);
+ ip_packets_seen++;
+
+ /* Check the IP header checksum - it should be zero. */
+ if (wrapsum(checksum(buf + offset, ip_len, 0)) != 0) {
+ ip_packets_bad_checksum++;
+ if (ip_packets_seen > 4 && ip_packets_bad_checksum != 0 &&
+    (ip_packets_seen / ip_packets_bad_checksum) < 2) {
+ log_info("%u bad IP checksums seen in %u packets",
+    ip_packets_bad_checksum, ip_packets_seen);
+ ip_packets_seen = ip_packets_bad_checksum = 0;
+ }
+ return (-1);
+ }
+
+ pc->pc_src.ss_len = sizeof(struct sockaddr_in);
+ pc->pc_src.ss_family = AF_INET;
+ memcpy(&ss2sin(&pc->pc_src)->sin_addr, &ip->ip_src,
+    sizeof(ss2sin(&pc->pc_src)->sin_addr));
+
+ pc->pc_dst.ss_len = sizeof(struct sockaddr_in);
+ pc->pc_dst.ss_family = AF_INET;
+ memcpy(&ss2sin(&pc->pc_dst)->sin_addr, &ip->ip_dst,
+    sizeof(ss2sin(&pc->pc_dst)->sin_addr));
+
+#ifdef DEBUG
+ if (buflen != offset + ntohs(ip->ip_len))
+ log_debug("ip length %d disagrees with bytes received %zd.",
+    ntohs(ip->ip_len), buflen - offset);
+#endif
+
+ /* Assure that the entire IP packet is within the buffer. */
+ if (buflen < offset + ntohs(ip->ip_len))
+ return (-1);
+
+ /* Assure that the UDP header is within the buffer. */
+ if (buflen < offset + ip_len + sizeof(*udp))
+ return (-1);
+ udp = (struct udphdr *)(buf + offset + ip_len);
+ udp_packets_seen++;
+
+ /* Assure that the entire UDP packet is within the buffer. */
+ if (buflen < offset + ip_len + ntohs(udp->uh_ulen))
+ return (-1);
+ data = buf + offset + ip_len + sizeof(*udp);
+
+ /*
+ * Compute UDP checksums, including the ``pseudo-header'', the
+ * UDP header and the data. If the UDP checksum field is zero,
+ * we're not supposed to do a checksum.
+ */
+ udp_packets_length_checked++;
+ len = ntohs(udp->uh_ulen) - sizeof(*udp);
+ if ((len < 0) || (len + data > buf + buflen)) {
+ udp_packets_length_overflow++;
+ if (udp_packets_length_checked > 4 &&
+    udp_packets_length_overflow != 0 &&
+    (udp_packets_length_checked /
+    udp_packets_length_overflow) < 2) {
+ log_info("%u udp packets in %u too long - dropped",
+    udp_packets_length_overflow,
+    udp_packets_length_checked);
+ udp_packets_length_overflow =
+    udp_packets_length_checked = 0;
+ }
+ return (-1);
+ }
+ if (len + data != buf + buflen)
+ log_debug("accepting packet with data after udp payload.");
+
+ usum = udp->uh_sum;
+ udp->uh_sum = 0;
+
+ sum = wrapsum(checksum((unsigned char *)udp, sizeof(*udp),
+    checksum(data, len, checksum((unsigned char *)&ip->ip_src,
+    2 * sizeof(ip->ip_src),
+    IPPROTO_UDP + (u_int32_t)ntohs(udp->uh_ulen)))));
+
+ udp_packets_seen++;
+ if (usum && usum != sum) {
+ udp_packets_bad_checksum++;
+ if (udp_packets_seen > 4 && udp_packets_bad_checksum != 0 &&
+    (udp_packets_seen / udp_packets_bad_checksum) < 2) {
+ log_info("%u bad udp checksums in %u packets",
+    udp_packets_bad_checksum, udp_packets_seen);
+ udp_packets_seen = udp_packets_bad_checksum = 0;
+ }
+ return (-1);
+ }
+
+ ss2sin(&pc->pc_src)->sin_port = udp->uh_sport;
+ ss2sin(&pc->pc_dst)->sin_port = udp->uh_dport;
+
+ return (offset + ip_len + sizeof(*udp));
+}
Index: usr.sbin/vmd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/parse.y,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 parse.y
--- usr.sbin/vmd/parse.y 6 Apr 2017 21:35:22 -0000 1.24
+++ usr.sbin/vmd/parse.y 12 Apr 2017 11:16:50 -0000
@@ -116,10 +116,11 @@ typedef struct {
 
 %token INCLUDE ERROR
 %token ADD DISK DOWN GROUP INTERFACE NIFS PATH SIZE SWITCH UP VMID
-%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED
+%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED LOCAL
 %token <v.string> STRING
 %token  <v.number> NUMBER
 %type <v.number> disable
+%type <v.number> local
 %type <v.number> locked
 %type <v.number> updown
 %type <v.lladdr> lladdr
@@ -325,36 +326,38 @@ vm_opts : disable {
  free($2);
  vmc.vmc_flags |= VMOP_CREATE_DISK;
  }
- | INTERFACE optstring iface_opts_o {
+ | local INTERFACE optstring iface_opts_o {
  unsigned int i;
  char type[IF_NAMESIZE];
 
  i = vcp_nnics;
  if (++vcp_nnics > VMM_MAX_NICS_PER_VM) {
  yyerror("too many interfaces: %zu", vcp_nnics);
- free($2);
+ free($3);
  YYERROR;
  }
 
- if ($2 != NULL) {
- if (strcmp($2, "tap") != 0 &&
-    (priv_getiftype($2, type, NULL) == -1 ||
+ if ($1)
+ vmc.vmc_ifflags[i] |= VMIFF_LOCAL;
+ if ($3 != NULL) {
+ if (strcmp($3, "tap") != 0 &&
+    (priv_getiftype($3, type, NULL) == -1 ||
     strcmp(type, "tap") != 0)) {
- yyerror("invalid interface: %s", $2);
- free($2);
+ yyerror("invalid interface: %s", $3);
+ free($3);
  YYERROR;
  }
 
- if (strlcpy(vmc.vmc_ifnames[i], $2,
+ if (strlcpy(vmc.vmc_ifnames[i], $3,
     sizeof(vmc.vmc_ifnames[i])) >=
     sizeof(vmc.vmc_ifnames[i])) {
  yyerror("interface name too long: %s",
-    $2);
- free($2);
+    $3);
+ free($3);
  YYERROR;
  }
  }
- free($2);
+ free($3);
  vmc.vmc_flags |= VMOP_CREATE_NETWORK;
  }
  | BOOT string {
@@ -547,6 +550,10 @@ lladdr : STRING {
  }
  ;
 
+local : /* empty */ { $$ = 0; }
+ | LOCAL { $$ = 1; }
+ ;
+
 locked : /* empty */ { $$ = 0; }
  | LOCKED { $$ = 1; }
  ;
@@ -616,6 +623,7 @@ lookup(char *s)
  { "interface", INTERFACE },
  { "interfaces", NIFS },
  { "lladdr", LLADDR },
+ { "local", LOCAL },
  { "locked", LOCKED },
  { "memory", MEMORY },
  { "owner", OWNER },
Index: usr.sbin/vmd/priv.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/priv.c,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 priv.c
--- usr.sbin/vmd/priv.c 2 Mar 2017 07:33:37 -0000 1.6
+++ usr.sbin/vmd/priv.c 12 Apr 2017 11:16:50 -0000
@@ -29,6 +29,8 @@
 #include <netinet/if_ether.h>
 #include <net/if_bridge.h>
 
+#include <arpa/inet.h>
+
 #include <errno.h>
 #include <event.h>
 #include <fcntl.h>
@@ -80,6 +82,7 @@ priv_dispatch_parent(int fd, struct priv
  struct ifreq ifr;
  struct ifbreq ifbr;
  struct ifgroupreq ifgr;
+ struct ifaliasreq ifra;
  char type[IF_NAMESIZE];
 
  switch (imsg->hdr.type) {
@@ -89,6 +92,7 @@ priv_dispatch_parent(int fd, struct priv
  case IMSG_VMDOP_PRIV_IFUP:
  case IMSG_VMDOP_PRIV_IFDOWN:
  case IMSG_VMDOP_PRIV_IFGROUP:
+ case IMSG_VMDOP_PRIV_IFADDR:
  IMSG_SIZE_CHECK(imsg, &vfr);
  memcpy(&vfr, imsg->data, sizeof(vfr));
 
@@ -160,6 +164,25 @@ priv_dispatch_parent(int fd, struct priv
     errno != EEXIST)
  log_warn("SIOCAIFGROUP");
  break;
+ case IMSG_VMDOP_PRIV_IFADDR:
+ memset(&ifra, 0, sizeof(ifra));
+
+ /* Set the interface address */
+ strlcpy(ifra.ifra_name, vfr.vfr_name, sizeof(ifra.ifra_name));
+
+ memcpy(&ifra.ifra_addr, &vfr.vfr_ifra.ifra_addr,
+    sizeof(ifra.ifra_addr));
+ ifra.ifra_addr.sa_family = AF_INET;
+ ifra.ifra_addr.sa_len = sizeof(struct sockaddr_in);
+
+ memcpy(&ifra.ifra_mask, &vfr.vfr_ifra.ifra_mask,
+    sizeof(ifra.ifra_mask));
+ ifra.ifra_mask.sa_family = AF_INET;
+ ifra.ifra_mask.sa_len = sizeof(struct sockaddr_in);
+
+ if (ioctl(env->vmd_fd, SIOCAIFADDR, &ifra) < 0)
+ log_warn("SIOCAIFADDR");
+ break;
  default:
  return (-1);
  }
@@ -227,6 +250,7 @@ vm_priv_ifconfig(struct privsep *ps, str
  struct vmd_switch *vsw;
  unsigned int i;
  struct vmop_ifreq vfr, vfbr;
+ struct sockaddr_in *sin4;
 
  for (i = 0; i < VMM_MAX_NICS_PER_VM; i++) {
  vif = &vm->vm_ifs[i];
@@ -298,6 +322,27 @@ vm_priv_ifconfig(struct privsep *ps, str
  proc_compose(ps, PROC_PRIV, (vif->vif_flags & VMIFF_UP) ?
     IMSG_VMDOP_PRIV_IFUP : IMSG_VMDOP_PRIV_IFDOWN,
     &vfr, sizeof(vfr));
+
+ if (vm->vm_params.vmc_ifflags[i] & VMIFF_LOCAL) {
+ sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_mask;
+ sin4->sin_family = AF_INET;
+ sin4->sin_len = sizeof(*sin4);
+ sin4->sin_addr.s_addr = htonl(0xfffffffe);
+
+ sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_addr;
+ sin4->sin_family = AF_INET;
+ sin4->sin_len = sizeof(*sin4);
+ if ((sin4->sin_addr.s_addr =
+    vm_priv_addr(vm->vm_vmid, i, 0)) == 0)
+ return (-1);
+
+ log_debug("%s: interface %s address %s/31",
+    __func__, vfr.vfr_name,
+    inet_ntoa(sin4->sin_addr));
+
+ proc_compose(ps, PROC_PRIV, IMSG_VMDOP_PRIV_IFADDR,
+    &vfr, sizeof(vfr));
+ }
  }
 
  return (0);
@@ -345,4 +390,47 @@ vm_priv_brconfig(struct privsep *ps, str
 
  vsw->sw_running = 1;
  return (0);
+}
+
+uint32_t
+vm_priv_addr(uint32_t vmid, int idx, int isvm)
+{
+ in_addr_t prefix, mask, addr;
+
+ /*
+ * 1. Set the address prefix and mask, 100.64.0.0/10 by default.
+ * XXX make the global prefix configurable.
+ */
+ prefix = inet_addr(VMD_DHCP_PREFIX);
+ mask = prefixlen2mask(VMD_DHCP_PREFIXLEN);
+
+ /* 2. Encode the VM ID as a per-VM subnet range N, 10.64.N.0/24. */
+ addr = vmid << 8;
+
+ /*
+ * 3. Assign a /31 subnet M per VM interface, 10.64.N.M/31.
+ * Each subnet contains exactly two IP addresses; skip the
+ * first subnet to avoid a gateway address ending with .0.
+ */
+ addr |= (idx + 1) * 2;
+
+ /* 4. Use the first address for the gateway, the second for the VM. */
+ if (isvm)
+ addr++;
+
+ /* 5. Convert to network byte order and add the prefix. */
+ addr = htonl(addr) | prefix;
+
+ /*
+ * Validate the results:
+ * - the address should not exceed the prefix (eg. VM ID to high).
+ * - up to 126 interfaces can be encoded per VM.
+ */
+ if (prefix != (addr & mask) || idx >= 0x7f) {
+ log_warnx("%s: dhcp address range exceeded,"
+    " vm id %u interface %d", __func__, vmid, idx);
+ return (0);
+ }
+
+ return (addr);
 }
Index: usr.sbin/vmd/virtio.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/virtio.c,v
retrieving revision 1.41
diff -u -p -u -p -r1.41 virtio.c
--- usr.sbin/vmd/virtio.c 8 Apr 2017 19:08:18 -0000 1.41
+++ usr.sbin/vmd/virtio.c 12 Apr 2017 11:16:51 -0000
@@ -1251,15 +1251,17 @@ vionet_notifyq(struct vionet_dev *dev)
  uint32_t vr_sz;
  uint16_t idx, pkt_desc_idx, hdr_desc_idx, dxx;
  size_t pktsz;
- int ret, num_enq, ofs;
- char *vr, *pkt;
+ ssize_t dhcpsz;
+ int ret, num_enq, ofs, spc;
+ char *vr, *pkt, *dhcppkt;
  struct vring_desc *desc, *pkt_desc, *hdr_desc;
  struct vring_avail *avail;
  struct vring_used *used;
  struct ether_header *eh;
 
- vr = pkt = NULL;
- ret = 0;
+ vr = pkt = dhcppkt = NULL;
+ ret = spc = 0;
+ dhcpsz = 0;
 
  /* Invalid queue? */
  if (dev->cfg.queue_notify != 1) {
@@ -1373,8 +1375,13 @@ vionet_notifyq(struct vionet_dev *dev)
  log_debug("vionet: wrong source address %s for vm %d",
     ether_ntoa((struct ether_addr *)
     eh->ether_shost), dev->vm_id);
+ else if (dev->local && dhcpsz == 0 &&
+    (dhcpsz = dhcp_request(dev, pkt, pktsz, &dhcppkt)) != -1) {
+ log_debug("vionet: dhcp request,"
+    " local response size %zd", dhcpsz);
+
  /* XXX signed vs unsigned here, funky cast */
- else if (write(dev->fd, pkt, pktsz) != (int)pktsz) {
+ } else if (write(dev->fd, pkt, pktsz) != (int)pktsz) {
  log_warnx("vionet: tx failed writing to tap: "
     "%d", errno);
  goto out;
@@ -1398,9 +1405,15 @@ vionet_notifyq(struct vionet_dev *dev)
  log_warnx("vionet: tx error writing vio ring");
  }
 
+ if (dhcpsz > 0) {
+ if (vionet_enq_rx(dev, dhcppkt, dhcpsz, &spc))
+ ret = 1;
+ }
+
 out:
  free(vr);
  free(pkt);
+ free(dhcppkt);
 
  return (ret);
 }
@@ -1582,8 +1595,9 @@ vmmci_io(int dir, uint16_t reg, uint32_t
 }
 
 void
-virtio_init(struct vmop_create_params *vmc, int *child_disks, int *child_taps)
+virtio_init(struct vmd_vm *vm, int *child_disks, int *child_taps)
 {
+ struct vmop_create_params *vmc = &vm->vm_params;
  struct vm_create_params *vcp = &vmc->vmc_params;
  static const uint8_t zero_mac[6];
  uint8_t id;
@@ -1713,6 +1727,7 @@ virtio_init(struct vmop_create_params *v
  vionet[i].fd = child_taps[i];
  vionet[i].rx_pending = 0;
  vionet[i].vm_id = vcp->vcp_id;
+ vionet[i].vm_vmid = vm->vm_vmid;
  vionet[i].irq = pci_get_dev_irq(id);
 
  event_set(&vionet[i].event, vionet[i].fd,
@@ -1747,11 +1762,15 @@ virtio_init(struct vmop_create_params *v
  }
  vionet[i].lockedmac =
     vmc->vmc_ifflags[i] & VMIFF_LOCKED ? 1 : 0;
+ vionet[i].local =
+    vmc->vmc_ifflags[i] & VMIFF_LOCAL ? 1 : 0;
+ vionet[i].idx = i;
 
- log_debug("%s: vm \"%s\" vio%u lladdr %s%s",
+ log_debug("%s: vm \"%s\" vio%u lladdr %s%s%s",
     __func__, vcp->vcp_name, i,
     ether_ntoa((void *)vionet[i].mac),
-    vionet[i].lockedmac ? " (locked)" : "");
+    vionet[i].lockedmac ? ", locked" : "",
+    vionet[i].local ? ", local" : "");
  }
  }
 
Index: usr.sbin/vmd/virtio.h
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/virtio.h,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 virtio.h
--- usr.sbin/vmd/virtio.h 27 Mar 2017 00:28:04 -0000 1.14
+++ usr.sbin/vmd/virtio.h 12 Apr 2017 11:16:51 -0000
@@ -118,9 +118,13 @@ struct vionet_dev {
  int fd, rx_added;
  int rx_pending;
  uint32_t vm_id;
+ uint32_t vm_vmid;
  int irq;
  uint8_t mac[6];
+
+ int idx;
  int lockedmac;
+ int local;
 };
 
 struct virtio_net_hdr {
@@ -154,7 +158,8 @@ struct vmmci_dev {
  int irq;
 };
 
-void virtio_init(struct vmop_create_params *, int *, int *);
+/* virtio.c */
+void virtio_init(struct vmd_vm *, int *, int *);
 uint32_t vring_size(uint32_t);
 
 int virtio_rnd_io(int, uint16_t, uint32_t *, uint8_t *, void *, uint8_t);
@@ -181,3 +186,6 @@ void vmmci_ack(unsigned int);
 void vmmci_timeout(int, short, void *);
 
 const char *vioblk_cmd_name(uint32_t);
+
+/* dhcp.c */
+ssize_t dhcp_request(struct vionet_dev *, char *, size_t, char **);
Index: usr.sbin/vmd/vm.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/vm.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 vm.c
--- usr.sbin/vmd/vm.c 27 Mar 2017 00:28:04 -0000 1.11
+++ usr.sbin/vmd/vm.c 12 Apr 2017 11:16:51 -0000
@@ -656,7 +656,7 @@ init_emulated_hw(struct vmop_create_para
  pci_init();
 
  /* Initialize virtio devices */
- virtio_init(vmc, child_disks, child_taps);
+ virtio_init(current_vm, child_disks, child_taps);
 }
 
 /*
Index: usr.sbin/vmd/vm.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/vm.conf.5,v
retrieving revision 1.17
diff -u -p -u -p -r1.17 vm.conf.5
--- usr.sbin/vmd/vm.conf.5 25 Mar 2017 16:28:25 -0000 1.17
+++ usr.sbin/vmd/vm.conf.5 12 Apr 2017 11:16:51 -0000
@@ -112,7 +112,7 @@ is specified.
 Do not start this VM.
 .It Cm disk Ar path
 Disk image file (may be specified multiple times to add multiple disk images).
-.It Cm interface Oo name Oc Op Brq ...
+.It Oo Cm local Oc Cm interface Oo name Oc Op Brq ...
 Network interface to add to the VM.
 The optional
 .Ar name
@@ -123,6 +123,7 @@ to select the next available
 interface on the VM host side (the default) or
 .Ar tapN
 to select a specific one.
+.Pp
 Valid options are:
 .Bl -tag -width Ds
 .It Cm group Ar group-name
@@ -158,6 +159,13 @@ This is the default.
 .It Cm down
 Stop the interface from forwarding packets.
 .El
+.Pp
+A
+.Cm local
+interface will auto-generate an IPv4 subnet for the interface,
+configure a gateway address on the VM host side,
+and run a simple DHCP (BOOTP) server for the VM.
+This option can be used for layer 3 mode without configuring a switch.
 .It Cm interfaces Ar count
 Optional minimum number of network interfaces to add to the VM.
 If the
Index: usr.sbin/vmd/vmd.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v
retrieving revision 1.56
diff -u -p -u -p -r1.56 vmd.c
--- usr.sbin/vmd/vmd.c 6 Apr 2017 18:07:13 -0000 1.56
+++ usr.sbin/vmd/vmd.c 12 Apr 2017 11:16:51 -0000
@@ -1045,3 +1045,15 @@ get_string(uint8_t *ptr, size_t len)
 
  return strndup(ptr, i);
 }
+
+uint32_t
+prefixlen2mask(uint8_t prefixlen)
+{
+ if (prefixlen == 0)
+ return (0);
+
+ if (prefixlen > 32)
+ prefixlen = 32;
+
+ return (htonl(0xffffffff << (32 - prefixlen)));
+}
Index: usr.sbin/vmd/vmd.h
===================================================================
RCS file: /cvs/src/usr.sbin/vmd/vmd.h,v
retrieving revision 1.50
diff -u -p -u -p -r1.50 vmd.h
--- usr.sbin/vmd/vmd.h 6 Apr 2017 18:07:13 -0000 1.50
+++ usr.sbin/vmd/vmd.h 12 Apr 2017 11:16:51 -0000
@@ -23,6 +23,8 @@
 #include <machine/vmmvar.h>
 
 #include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
 
 #include <limits.h>
 #include <stdio.h>
@@ -48,6 +50,10 @@
 #define VMD_SWITCH_TYPE "bridge"
 #define VM_DEFAULT_MEMORY 512
 
+/* 100.64.0.0/10 from rfc6598 (IPv4 Prefix for Shared Address Space) */
+#define VMD_DHCP_PREFIX "100.64.0.0"
+#define VMD_DHCP_PREFIXLEN 10
+
 #ifdef VMD_DEBUG
 #define dprintf(x...)   do { log_debug(x); } while(0)
 #else
@@ -74,6 +80,7 @@ enum imsg_type {
  IMSG_VMDOP_PRIV_IFUP,
  IMSG_VMDOP_PRIV_IFDOWN,
  IMSG_VMDOP_PRIV_IFGROUP,
+ IMSG_VMDOP_PRIV_IFADDR,
  IMSG_VMDOP_VM_SHUTDOWN,
  IMSG_VMDOP_VM_REBOOT
 };
@@ -102,6 +109,7 @@ struct vmop_ifreq {
  uint32_t vfr_id;
  char vfr_name[IF_NAMESIZE];
  char vfr_value[VM_NAME_MAX];
+ struct ifaliasreq vfr_ifra;
 };
 
 struct vmop_create_params {
@@ -116,7 +124,8 @@ struct vmop_create_params {
  unsigned int vmc_ifflags[VMM_MAX_NICS_PER_VM];
 #define VMIFF_UP 0x01
 #define VMIFF_LOCKED 0x02
-#define VMIFF_OPTMASK VMIFF_LOCKED
+#define VMIFF_LOCAL 0x04
+#define VMIFF_OPTMASK (VMIFF_LOCKED|VMIFF_LOCAL)
  char vmc_ifnames[VMM_MAX_NICS_PER_VM][IF_NAMESIZE];
  char vmc_ifswitch[VMM_MAX_NICS_PER_VM][VM_NAME_MAX];
  char vmc_ifgroup[VMM_MAX_NICS_PER_VM][IF_NAMESIZE];
@@ -198,6 +207,38 @@ struct vmd {
  int vmd_ptmfd;
 };
 
+static inline struct sockaddr_in *
+ss2sin(struct sockaddr_storage *ss)
+{
+ return ((struct sockaddr_in *)ss);
+}
+
+static inline struct sockaddr_in6 *
+ss2sin6(struct sockaddr_storage *ss)
+{
+ return ((struct sockaddr_in6 *)ss);
+}
+
+struct packet_ctx {
+ uint8_t pc_htype;
+ uint8_t pc_hlen;
+ uint8_t pc_smac[ETHER_ADDR_LEN];
+ uint8_t pc_dmac[ETHER_ADDR_LEN];
+
+ struct sockaddr_storage pc_src;
+ struct sockaddr_storage pc_dst;
+};
+
+/* packet.c */
+ssize_t assemble_hw_header(unsigned char *, size_t, size_t,
+    struct packet_ctx *, unsigned int);
+ssize_t assemble_udp_ip_header(unsigned char *, size_t, size_t,
+    struct packet_ctx *pc, unsigned char *, size_t);
+ssize_t decode_hw_header(unsigned char *, size_t, size_t, struct packet_ctx *,
+    unsigned int);
+ssize_t decode_udp_ip_header(unsigned char *, size_t, size_t,
+    struct packet_ctx *);
+
 /* vmd.c */
 void vmd_reload(unsigned int, const char *);
 struct vmd_vm *vm_getbyid(uint32_t);
@@ -216,6 +257,7 @@ void vm_closetty(struct vmd_vm *);
 void switch_remove(struct vmd_switch *);
 struct vmd_switch *switch_getbyname(const char *);
 char *get_string(uint8_t *, size_t);
+uint32_t prefixlen2mask(uint8_t);
 
 /* priv.c */
 void priv(struct privsep *, struct privsep_proc *);
@@ -224,6 +266,7 @@ int priv_findname(const char *, const c
 int priv_validgroup(const char *);
 int vm_priv_ifconfig(struct privsep *, struct vmd_vm *);
 int vm_priv_brconfig(struct privsep *, struct vmd_switch *);
+uint32_t vm_priv_addr(uint32_t, int, int);
 
 /* vmm.c */
 void vmm(struct privsep *, struct privsep_proc *);
Index: usr.sbin/vmctl/main.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmctl/main.c,v
retrieving revision 1.25
diff -u -p -u -p -r1.25 main.c
--- usr.sbin/vmctl/main.c 6 Apr 2017 18:07:13 -0000 1.25
+++ usr.sbin/vmctl/main.c 12 Apr 2017 11:16:51 -0000
@@ -65,7 +65,7 @@ struct ctl_command ctl_commands[] = {
  { "reload", CMD_RELOAD, ctl_reload, "" },
  { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" },
  { "start", CMD_START, ctl_start, "\"name\""
-    " [-c] [-b image] [-m size]\n"
+    " [-Lc] [-b image] [-m size]\n"
     "\t\t[-n switch] [-i count] [-d disk]*" },
  { "status", CMD_STATUS, ctl_status, "[id]" },
  { "stop", CMD_STOP, ctl_stop, "id" },
@@ -539,7 +539,7 @@ ctl_start(struct parse_result *res, int
  argc--;
  argv++;
 
- while ((ch = getopt(argc, argv, "b:cm:n:d:i:")) != -1) {
+ while ((ch = getopt(argc, argv, "b:cLm:n:d:i:")) != -1) {
  switch (ch) {
  case 'b':
  if (res->path)
@@ -551,6 +551,10 @@ ctl_start(struct parse_result *res, int
  break;
  case 'c':
  tty_autoconnect = 1;
+ break;
+ case 'L':
+ if (parse_network(res, ".") != 0)
+ errx(1, "invalid network: %s", optarg);
  break;
  case 'm':
  if (res->size)
Index: usr.sbin/vmctl/vmctl.8
===================================================================
RCS file: /cvs/src/usr.sbin/vmctl/vmctl.8,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 vmctl.8
--- usr.sbin/vmctl/vmctl.8 25 Mar 2017 16:28:25 -0000 1.27
+++ usr.sbin/vmctl/vmctl.8 12 Apr 2017 11:16:51 -0000
@@ -72,8 +72,8 @@ Reset the configured switches.
 .It Cm reset vms
 Reset and terminate all VMs.
 .It Xo Cm start Ar name
+.Op Fl Lc
 .Op Fl b Ar path
-.Op Fl c
 .Op Fl d Ar path
 .Op Fl i Ar count
 .Op Fl m Ar size
@@ -91,6 +91,12 @@ Automatically connect to the VM console.
 Disk image file (may be specified multiple times to add multiple disk images).
 .It Fl i Ar count
 Number of network interfaces to add to the VM.
+.It Fl L
+Add a local network interface.
+.Xr vmd 8
+will auto-generate an IPv4 subnet for the interface,
+configure a gateway address on the VM host side,
+and run a simple DHCP (BOOTP) server for the VM.
 .It Fl m Ar size
 Memory
 .Ar size
Index: usr.sbin/vmctl/vmctl.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmctl/vmctl.c,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 vmctl.c
--- usr.sbin/vmctl/vmctl.c 6 Apr 2017 18:07:13 -0000 1.29
+++ usr.sbin/vmctl/vmctl.c 12 Apr 2017 11:16:51 -0000
@@ -123,8 +123,16 @@ vm_start(uint32_t start_id, const char *
  for (i = 0 ; i < ndisks; i++)
  strlcpy(vcp->vcp_disks[i], disks[i], VMM_MAX_PATH_DISK);
  for (i = 0 ; i < nnics; i++) {
- strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE);
  vmc->vmc_ifflags[i] = VMIFF_UP;
+
+ if (strcmp(".", nics[i]) == 0) {
+ /* Add a "local" interface */
+ strlcpy(vmc->vmc_ifswitch[i], "", IF_NAMESIZE);
+ vmc->vmc_ifflags[i] |= VMIFF_LOCAL;
+ } else {
+ /* Add a interface to a switch */
+ strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE);
+ }
  }
  if (name != NULL)
  strlcpy(vcp->vcp_name, name, VMM_MAX_NAME_LEN);

Reply | Threaded
Open this post in threaded view
|

Re: vmd: VMs with auto-configured L3 interfaces (call for testing)

Uwe Werler
Thanks Reyk for Your great work!

Tested and works like a charm. Made some tcpbench tests too and got ~180 MBit
between host and vm.

Regards Uwe


On 12 Apr 13:44, Reyk Floeter wrote:

> Hi,
>
> we want to make it easier to run NAT'ed and auto-configured VMs that
> don't need switches, L2, manual scripts, or any additional servers on
> the host.  I wrote a new mode that just needs vmd, pf, and forwarding.
>
> I'm looking for feedback, testing, and responses on this list.
>
> vmd currently supports two modes to configure network interfaces:
> -i/interface: unconfigured tap(4) interfaces for static configuration.
> -n/switch: automatically adds tap(4) interfaces to bridge/switch interfaces.
>
> The attached diff adds a new mode for dynamic "NAT" interfaces:
> -L/local interface: auto-configure an L3 interface and run built-in DHCP.
>
> Setting it up is easy:
>
> 1. Enable forwarding:
>
>     # sysctl net.inet.ip.forwarding=1
>
> 2. Add a NAT rule to pf.conf(5) and a redirection for DNS (or run unbound):
>
>     pass out on egress received-on tap nat-to (egress:0)
>     pass in on tap proto { tcp udp } to 100.64.0.0/10 port domain rdr-to 8.8.8.8
>
> 3. Now start a new VM with the -L option to add a "local" interface:
>
>     # vmctl start foo -d foo.img -L -c
>
> vmd configures a /31 address on the tap(4) interface of the host and
> provides another IP in the same subnet via DHCP (BOOTP) to the VM.
> vmd runs an internal DHCP server that replies with IP, gateway, and
> DNS addresses to the VM - there is no need to run dhcpd!  The built-in
> server only ever responds to the VM on the inside and cannot leak its
> DHCP responses to the outside.
>
> DHCPDISCOVER on vio0 - interval 1
> BOOTREPLY from 100.64.3.2 (fe:e1:bb:d1:b7:5e)
> bound to 100.64.3.3 -- renewal in 8000 seconds.
>
> Done.
>
> This also replaces the "dhcpd on vether0 on switch" approach for
> NAT'ed VMs on laptops that I recommended before.  The switch concept
> itself will still be provided and improved for other use cases.
>
> The addresses are currently allocated from the RFC6598 100.64.0.0/10
> "IPv4 Prefix for Shared Address Space" to avoid collisions with
> RFC1918 addresses on the host.  I will add a configuration option to
> change the default prefix later.
>
> The current algorithm to generate the IPs and /31 subnets from the
> prefix can be found in the vm_priv_addr() function below.  The
> packet.c and dhcp.h code is copied from dhcrelay which got improved
> recently.
>
> Thoughts? OKs?
>
> Reyk
>
> Index: usr.sbin/vmd/Makefile
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/Makefile,v
> retrieving revision 1.13
> diff -u -p -u -p -r1.13 Makefile
> --- usr.sbin/vmd/Makefile 1 Mar 2017 18:00:50 -0000 1.13
> +++ usr.sbin/vmd/Makefile 12 Apr 2017 11:16:50 -0000
> @@ -5,7 +5,7 @@
>  PROG= vmd
>  SRCS= vmd.c control.c log.c priv.c proc.c config.c vmm.c
>  SRCS+= vm.c loadfile_elf.c pci.c virtio.c i8259.c mc146818.c
> -SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c
> +SRCS+= ns8250.c i8253.c vmboot.c ufs.c disklabel.c dhcp.c packet.c
>  SRCS+= parse.y
>  
>  CFLAGS+= -Wall -I${.CURDIR}
> Index: usr.sbin/vmd/dhcp.c
> ===================================================================
> RCS file: usr.sbin/vmd/dhcp.c
> diff -N usr.sbin/vmd/dhcp.c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ usr.sbin/vmd/dhcp.c 12 Apr 2017 11:16:50 -0000
> @@ -0,0 +1,163 @@
> +/* $OpenBSD$ */
> +
> +/*
> + * Copyright (c) 2017 Reyk Floeter <[hidden email]>
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +
> +#include <net/if.h>
> +#include <netinet/in.h>
> +#include <netinet/if_ether.h>
> +
> +#include <stdlib.h>
> +#include <string.h>
> +#include <stddef.h>
> +
> +#include "proc.h"
> +#include "vmd.h"
> +#include "dhcp.h"
> +#include "virtio.h"
> +
> +static const uint8_t broadcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
> +
> +ssize_t
> +dhcp_request(struct vionet_dev *dev, char *buf, size_t buflen, char **obuf)
> +{
> + unsigned char *respbuf = NULL;
> + ssize_t offset, respbuflen = 0;
> + struct packet_ctx pc;
> + struct dhcp_packet req, resp;
> + struct in_addr in, mask;
> + size_t resplen, o;
> +
> + if (buflen < (ssize_t)(BOOTP_MIN_LEN + sizeof(struct ether_header)))
> + return (-1);
> +
> + memset(&pc, 0, sizeof(pc));
> + if ((offset = decode_hw_header(buf, buflen, 0, &pc, HTYPE_ETHER)) < 0)
> + return (-1);
> +
> + if (memcmp(pc.pc_smac, dev->mac, ETHER_ADDR_LEN) != 0 ||
> +    memcmp(pc.pc_dmac, broadcast, ETHER_ADDR_LEN) != 0)
> + return (-1);
> +
> + if ((offset = decode_udp_ip_header(buf, buflen, offset, &pc)) < 0)
> + return (-1);
> +
> + if (ntohs(ss2sin(&pc.pc_src)->sin_port) != CLIENT_PORT ||
> +    ntohs(ss2sin(&pc.pc_dst)->sin_port) != SERVER_PORT)
> + return (-1);
> +
> + memset(&req, 0, sizeof(req));
> + memcpy(&req, buf + offset, buflen - offset);
> +
> + if (req.op != BOOTREQUEST ||
> +    req.htype != pc.pc_htype ||
> +    req.hlen != ETHER_ADDR_LEN ||
> +    memcmp(dev->mac, req.chaddr, req.hlen) != 0)
> + return (-1);
> +
> + /* Ignore unsupported requests for now */
> + if (req.ciaddr.s_addr != 0 || req.file[0] != '\0' || req.hops != 0)
> + return (-1);
> +
> + memset(&resp, 0, sizeof(resp));
> + resp.op = BOOTREPLY;
> + resp.htype = req.htype;
> + resp.hlen = req.hlen;
> + resp.xid = req.xid;
> +
> + if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 1)) == 0)
> + return (-1);
> + memcpy(&resp.yiaddr, &in, sizeof(in));
> + memcpy(&ss2sin(&pc.pc_dst)->sin_addr, &in, sizeof(in));
> + ss2sin(&pc.pc_dst)->sin_port = htons(CLIENT_PORT);
> +
> + if ((in.s_addr = vm_priv_addr(dev->vm_vmid, dev->idx, 0)) == 0)
> + return (-1);
> + memcpy(&resp.siaddr, &in, sizeof(in));
> + memcpy(&ss2sin(&pc.pc_src)->sin_addr, &in, sizeof(in));
> + ss2sin(&pc.pc_src)->sin_port = htons(SERVER_PORT);
> +
> + /* Packet is already allocated */
> + if (*obuf != NULL)
> + goto fail;
> +
> + buflen = 0;
> + respbuflen = DHCP_MTU_MAX;
> + if ((respbuf = calloc(1, respbuflen)) == NULL)
> + goto fail;
> +
> + memcpy(&pc.pc_dmac, dev->mac, sizeof(pc.pc_dmac));
> + memcpy(&resp.chaddr, dev->mac, resp.hlen);
> + memcpy(&pc.pc_smac, dev->mac, sizeof(pc.pc_smac));
> + pc.pc_smac[5]++;
> + if ((offset = assemble_hw_header(respbuf, respbuflen, 0,
> +    &pc, HTYPE_ETHER)) < 0) {
> + log_debug("%s: assemble_hw_header failed", __func__);
> + goto fail;
> + }
> +
> + /* BOOTP uses a 64byte vendor field instead of the DHCP options */
> + resplen = BOOTP_MIN_LEN;
> +
> + /* Add BOOTP Vendor Extensions (DHCP options) */
> + o = 0;
> + memcpy(&resp.options,
> +    DHCP_OPTIONS_COOKIE, DHCP_OPTIONS_COOKIE_LEN);
> + o+= DHCP_OPTIONS_COOKIE_LEN;
> +
> + resp.options[o++] = DHO_SUBNET_MASK;
> + resp.options[o++] = sizeof(mask);
> + mask.s_addr = htonl(0xfffffffe);
> + memcpy(&resp.options[o], &mask, sizeof(mask));
> + o += sizeof(mask);
> +
> + resp.options[o++] = DHO_ROUTERS;
> + resp.options[o++] = sizeof(in);
> + memcpy(&resp.options[o], &in, sizeof(in));
> + o += sizeof(in);
> +
> + resp.options[o++] = DHO_DOMAIN_NAME_SERVERS;
> + resp.options[o++] = sizeof(in);
> + memcpy(&resp.options[o], &in, sizeof(in));
> + o += sizeof(in);
> +
> + resp.options[o++] = DHO_END;
> +
> + resplen = offsetof(struct dhcp_packet, options) + o;
> +
> + /* Minimum packet size */
> + if (resplen < BOOTP_MIN_LEN)
> + resplen = BOOTP_MIN_LEN;
> +
> + if ((offset = assemble_udp_ip_header(respbuf, respbuflen, offset, &pc,
> +    (unsigned char *)&resp, resplen)) < 0) {
> + log_debug("%s: assemble_udp_ip_header failed", __func__);
> + goto fail;
> + }
> +
> + memcpy(respbuf + offset, &resp, sizeof(resp));
> + respbuflen = offset + resplen;
> +
> + *obuf = respbuf;
> + return (respbuflen);
> + fail:
> + free(respbuf);
> + return (0);
> +}
> +
> Index: usr.sbin/vmd/dhcp.h
> ===================================================================
> RCS file: usr.sbin/vmd/dhcp.h
> diff -N usr.sbin/vmd/dhcp.h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ usr.sbin/vmd/dhcp.h 12 Apr 2017 11:16:50 -0000
> @@ -0,0 +1,181 @@
> +/* $OpenBSD: dhcp.h,v 1.6 2016/12/12 15:41:05 rzalamena Exp $ */
> +
> +/* Protocol structures... */
> +
> +/*
> + * Copyright (c) 1995, 1996 The Internet Software Consortium.
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + * 3. Neither the name of The Internet Software Consortium nor the names
> + *    of its contributors may be used to endorse or promote products derived
> + *    from this software without specific prior written permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
> + * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
> + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> + * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
> + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
> + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
> + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
> + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * This software has been written for the Internet Software Consortium
> + * by Ted Lemon <[hidden email]> in cooperation with Vixie
> + * Enterprises.  To learn more about the Internet Software Consortium,
> + * see ``http://www.vix.com/isc''.  To learn more about Vixie
> + * Enterprises, see ``http://www.vix.com''.
> + */
> +
> +#define DHCP_UDP_OVERHEAD (20 + /* IP header */ \
> + 8)   /* UDP header */
> +#define DHCP_SNAME_LEN 64
> +#define DHCP_FILE_LEN 128
> +#define DHCP_FIXED_NON_UDP 236
> +#define DHCP_FIXED_LEN (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD)
> + /* Everything but options. */
> +#define DHCP_MTU_MAX 1500
> +#define DHCP_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN)
> +/* The option/sub-option maximum length. */
> +#define DHCP_OPTION_MAXLEN 255
> +/* The option/sub-option header length. */
> +#define DHCP_OPTION_HDR_LEN 2
> +
> +#define BOOTP_MIN_LEN 300
> +
> +#define SERVER_PORT 67
> +#define CLIENT_PORT 68
> +
> +struct dhcp_packet {
> + u_int8_t  op; /* Message opcode/type */
> + u_int8_t  htype; /* Hardware addr type (see net/if_types.h) */
> + u_int8_t  hlen; /* Hardware addr length */
> + u_int8_t  hops; /* Number of relay agent hops from client */
> + u_int32_t xid; /* Transaction ID */
> + u_int16_t secs; /* Seconds since client started looking */
> + u_int16_t flags; /* Flag bits */
> + struct in_addr ciaddr; /* Client IP address (if already in use) */
> + struct in_addr yiaddr; /* Client IP address */
> + struct in_addr siaddr; /* IP address of next server to talk to */
> + struct in_addr giaddr; /* DHCP relay agent IP address */
> + unsigned char chaddr[16]; /* Client hardware address */
> + char sname[DHCP_SNAME_LEN]; /* Server name */
> + char file[DHCP_FILE_LEN]; /* Boot filename */
> + unsigned char options[DHCP_OPTION_LEN];
> + /* Optional parameters
> +   (actual length dependent on MTU). */
> +};
> +
> +/* BOOTP (rfc951) message types */
> +#define BOOTREQUEST 1
> +#define BOOTREPLY 2
> +
> +/* Possible values for flags field... */
> +#define BOOTP_BROADCAST 32768L
> +
> +/* Possible values for hardware type (htype) field... */
> +#define HTYPE_ETHER 1 /* Ethernet */
> +#define HTYPE_IEEE802 6 /* IEEE 802.2 Token Ring... */
> +#define HTYPE_FDDI 8 /* FDDI... */
> +#define HTYPE_IPSEC_TUNNEL 31 /* IPsec Tunnel (RFC3456) */
> +
> +/* Magic cookie validating dhcp options field (and bootp vendor
> +   extensions field). */
> +#define DHCP_OPTIONS_COOKIE "\143\202\123\143"
> +#define DHCP_OPTIONS_COOKIE_LEN 4
> +
> +/* DHCP Option codes: */
> +
> +#define DHO_PAD 0
> +#define DHO_SUBNET_MASK 1
> +#define DHO_TIME_OFFSET 2
> +#define DHO_ROUTERS 3
> +#define DHO_TIME_SERVERS 4
> +#define DHO_NAME_SERVERS 5
> +#define DHO_DOMAIN_NAME_SERVERS 6
> +#define DHO_LOG_SERVERS 7
> +#define DHO_COOKIE_SERVERS 8
> +#define DHO_LPR_SERVERS 9
> +#define DHO_IMPRESS_SERVERS 10
> +#define DHO_RESOURCE_LOCATION_SERVERS 11
> +#define DHO_HOST_NAME 12
> +#define DHO_BOOT_SIZE 13
> +#define DHO_MERIT_DUMP 14
> +#define DHO_DOMAIN_NAME 15
> +#define DHO_SWAP_SERVER 16
> +#define DHO_ROOT_PATH 17
> +#define DHO_EXTENSIONS_PATH 18
> +#define DHO_IP_FORWARDING 19
> +#define DHO_NON_LOCAL_SOURCE_ROUTING 20
> +#define DHO_POLICY_FILTER 21
> +#define DHO_MAX_DGRAM_REASSEMBLY 22
> +#define DHO_DEFAULT_IP_TTL 23
> +#define DHO_PATH_MTU_AGING_TIMEOUT 24
> +#define DHO_PATH_MTU_PLATEAU_TABLE 25
> +#define DHO_INTERFACE_MTU 26
> +#define DHO_ALL_SUBNETS_LOCAL 27
> +#define DHO_BROADCAST_ADDRESS 28
> +#define DHO_PERFORM_MASK_DISCOVERY 29
> +#define DHO_MASK_SUPPLIER 30
> +#define DHO_ROUTER_DISCOVERY 31
> +#define DHO_ROUTER_SOLICITATION_ADDRESS 32
> +#define DHO_STATIC_ROUTES 33
> +#define DHO_TRAILER_ENCAPSULATION 34
> +#define DHO_ARP_CACHE_TIMEOUT 35
> +#define DHO_IEEE802_3_ENCAPSULATION 36
> +#define DHO_DEFAULT_TCP_TTL 37
> +#define DHO_TCP_KEEPALIVE_INTERVAL 38
> +#define DHO_TCP_KEEPALIVE_GARBAGE 39
> +#define DHO_NIS_DOMAIN 40
> +#define DHO_NIS_SERVERS 41
> +#define DHO_NTP_SERVERS 42
> +#define DHO_VENDOR_ENCAPSULATED_OPTIONS 43
> +#define DHO_NETBIOS_NAME_SERVERS 44
> +#define DHO_NETBIOS_DD_SERVER 45
> +#define DHO_NETBIOS_NODE_TYPE 46
> +#define DHO_NETBIOS_SCOPE 47
> +#define DHO_FONT_SERVERS 48
> +#define DHO_X_DISPLAY_MANAGER 49
> +#define DHO_DHCP_REQUESTED_ADDRESS 50
> +#define DHO_DHCP_LEASE_TIME 51
> +#define DHO_DHCP_OPTION_OVERLOAD 52
> +#define DHO_DHCP_MESSAGE_TYPE 53
> +#define DHO_DHCP_SERVER_IDENTIFIER 54
> +#define DHO_DHCP_PARAMETER_REQUEST_LIST 55
> +#define DHO_DHCP_MESSAGE 56
> +#define DHO_DHCP_MAX_MESSAGE_SIZE 57
> +#define DHO_DHCP_RENEWAL_TIME 58
> +#define DHO_DHCP_REBINDING_TIME 59
> +#define DHO_DHCP_CLASS_IDENTIFIER 60
> +#define DHO_DHCP_CLIENT_IDENTIFIER 61
> +#define DHO_DHCP_USER_CLASS_ID 77
> +#define DHO_RELAY_AGENT_INFORMATION 82
> +#define DHO_END 255
> +
> +/* DHCP message types. */
> +#define DHCPDISCOVER 1
> +#define DHCPOFFER 2
> +#define DHCPREQUEST 3
> +#define DHCPDECLINE 4
> +#define DHCPACK 5
> +#define DHCPNAK 6
> +#define DHCPRELEASE 7
> +#define DHCPINFORM 8
> +
> +/* Relay Agent Information sub-options */
> +#define RAI_CIRCUIT_ID 1
> +#define RAI_REMOTE_ID 2
> +#define RAI_AGENT_ID 3
> Index: usr.sbin/vmd/packet.c
> ===================================================================
> RCS file: usr.sbin/vmd/packet.c
> diff -N usr.sbin/vmd/packet.c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ usr.sbin/vmd/packet.c 12 Apr 2017 11:16:50 -0000
> @@ -0,0 +1,332 @@
> +/* $OpenBSD: packet.c,v 1.13 2017/02/13 19:15:39 krw Exp $ */
> +
> +/* Packet assembly code, originally contributed by Archie Cobbs. */
> +
> +/*
> + * Copyright (c) 1995, 1996, 1999 The Internet Software Consortium.
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + * 3. Neither the name of The Internet Software Consortium nor the names
> + *    of its contributors may be used to endorse or promote products derived
> + *    from this software without specific prior written permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
> + * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
> + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> + * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
> + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
> + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
> + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
> + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * This software has been written for the Internet Software Consortium
> + * by Ted Lemon <[hidden email]> in cooperation with Vixie
> + * Enterprises.  To learn more about the Internet Software Consortium,
> + * see ``http://www.vix.com/isc''.  To learn more about Vixie
> + * Enterprises, see ``http://www.vix.com''.
> + */
> +
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +
> +#include <arpa/inet.h>
> +
> +#include <net/if.h>
> +#include <net/if_enc.h>
> +
> +#include <netinet/in.h>
> +#include <netinet/ip.h>
> +#include <netinet/udp.h>
> +#include <netinet/if_ether.h>
> +
> +#include <string.h>
> +
> +#include "dhcp.h"
> +#include "vmd.h"
> +#include "proc.h"
> +
> +u_int32_t checksum(unsigned char *, u_int32_t, u_int32_t);
> +u_int32_t wrapsum(u_int32_t);
> +
> +u_int32_t
> +checksum(unsigned char *buf, u_int32_t nbytes, u_int32_t sum)
> +{
> + u_int32_t i;
> +
> + /* Checksum all the pairs of bytes first... */
> + for (i = 0; i < (nbytes & ~1U); i += 2) {
> + sum += (u_int16_t)ntohs(*((u_int16_t *)(buf + i)));
> + if (sum > 0xFFFF)
> + sum -= 0xFFFF;
> + }
> +
> + /*
> + * If there's a single byte left over, checksum it, too.
> + * Network byte order is big-endian, so the remaining byte is
> + * the high byte.
> + */
> + if (i < nbytes) {
> + sum += buf[i] << 8;
> + if (sum > 0xFFFF)
> + sum -= 0xFFFF;
> + }
> +
> + return (sum);
> +}
> +
> +u_int32_t
> +wrapsum(u_int32_t sum)
> +{
> + sum = ~sum & 0xFFFF;
> + return (htons(sum));
> +}
> +
> +ssize_t
> +assemble_hw_header(unsigned char *buf, size_t buflen,
> +    size_t offset, struct packet_ctx *pc, unsigned int intfhtype)
> +{
> + struct ether_header eh;
> +
> + switch (intfhtype) {
> + case HTYPE_ETHER:
> + if (buflen < offset + ETHER_HDR_LEN)
> + return (-1);
> +
> + /* Use the supplied address or let the kernel fill it. */
> + memcpy(eh.ether_shost, pc->pc_smac, ETHER_ADDR_LEN);
> + memcpy(eh.ether_dhost, pc->pc_dmac, ETHER_ADDR_LEN);
> +
> + eh.ether_type = htons(ETHERTYPE_IP);
> +
> + memcpy(&buf[offset], &eh, ETHER_HDR_LEN);
> + offset += ETHER_HDR_LEN;
> + break;
> + default:
> + return (-1);
> + }
> +
> + return (offset);
> +}
> +
> +ssize_t
> +assemble_udp_ip_header(unsigned char *buf, size_t buflen, size_t offset,
> +    struct packet_ctx *pc, unsigned char *data, size_t datalen)
> +{
> + struct ip ip;
> + struct udphdr udp;
> +
> + if (buflen < offset + sizeof(ip) + sizeof(udp))
> + return (-1);
> +
> + ip.ip_v = 4;
> + ip.ip_hl = 5;
> + ip.ip_tos = IPTOS_LOWDELAY;
> + ip.ip_len = htons(sizeof(ip) + sizeof(udp) + datalen);
> + ip.ip_id = 0;
> + ip.ip_off = 0;
> + ip.ip_ttl = 16;
> + ip.ip_p = IPPROTO_UDP;
> + ip.ip_sum = 0;
> + ip.ip_src.s_addr = ss2sin(&pc->pc_src)->sin_addr.s_addr;
> + ip.ip_dst.s_addr = ss2sin(&pc->pc_dst)->sin_addr.s_addr;
> +
> + ip.ip_sum = wrapsum(checksum((unsigned char *)&ip, sizeof(ip), 0));
> + memcpy(&buf[offset], &ip, sizeof(ip));
> + offset += sizeof(ip);
> +
> + udp.uh_sport = ss2sin(&pc->pc_src)->sin_port;
> + udp.uh_dport = ss2sin(&pc->pc_dst)->sin_port;
> + udp.uh_ulen = htons(sizeof(udp) + datalen);
> + memset(&udp.uh_sum, 0, sizeof(udp.uh_sum));
> +
> + udp.uh_sum = wrapsum(checksum((unsigned char *)&udp, sizeof(udp),
> +    checksum(data, datalen, checksum((unsigned char *)&ip.ip_src,
> +    2 * sizeof(ip.ip_src),
> +    IPPROTO_UDP + (u_int32_t)ntohs(udp.uh_ulen)))));
> +
> + memcpy(&buf[offset], &udp, sizeof(udp));
> + offset += sizeof(udp);
> +
> + return (offset);
> +}
> +
> +ssize_t
> +decode_hw_header(unsigned char *buf, size_t buflen,
> +    size_t offset, struct packet_ctx *pc, unsigned int intfhtype)
> +{
> + u_int32_t ip_len;
> + struct ip *ip;
> +
> + switch (intfhtype) {
> + case HTYPE_IPSEC_TUNNEL:
> + if (buflen < offset + ENC_HDRLEN + sizeof(*ip))
> + return (-1);
> + offset += ENC_HDRLEN;
> + ip_len = (buf[offset] & 0xf) << 2;
> + if (buflen < offset + ip_len)
> + return (-1);
> +
> + ip = (struct ip *)(buf + offset);
> +
> + /* Encapsulated IP */
> + if (ip->ip_p != IPPROTO_IPIP)
> + return (-1);
> +
> + memset(pc->pc_dmac, 0xff, ETHER_ADDR_LEN);
> + offset += ip_len;
> +
> + pc->pc_htype = ARPHRD_ETHER;
> + pc->pc_hlen = ETHER_ADDR_LEN;
> + break;
> + case HTYPE_ETHER:
> + if (buflen < offset + ETHER_HDR_LEN)
> + return (-1);
> +
> + memcpy(pc->pc_dmac, buf + offset, ETHER_ADDR_LEN);
> + memcpy(pc->pc_smac, buf + offset + ETHER_ADDR_LEN,
> +    ETHER_ADDR_LEN);
> + offset += ETHER_HDR_LEN;
> +
> + pc->pc_htype = ARPHRD_ETHER;
> + pc->pc_hlen = ETHER_ADDR_LEN;
> + break;
> + default:
> + return (-1);
> + }
> +
> + return (offset);
> +}
> +
> +ssize_t
> +decode_udp_ip_header(unsigned char *buf, size_t buflen,
> +    size_t offset, struct packet_ctx *pc)
> +{
> + struct ip *ip;
> + struct udphdr *udp;
> + unsigned char *data;
> + u_int32_t ip_len;
> + u_int32_t sum, usum;
> + static unsigned int ip_packets_seen;
> + static unsigned int ip_packets_bad_checksum;
> + static unsigned int udp_packets_seen;
> + static unsigned int udp_packets_bad_checksum;
> + static unsigned int udp_packets_length_checked;
> + static unsigned int udp_packets_length_overflow;
> + int len;
> +
> + /* Assure that an entire IP header is within the buffer. */
> + if (buflen < offset + sizeof(*ip))
> + return (-1);
> + ip_len = (buf[offset] & 0xf) << 2;
> + if (buflen < offset + ip_len)
> + return (-1);
> +
> + ip = (struct ip *)(buf + offset);
> + ip_packets_seen++;
> +
> + /* Check the IP header checksum - it should be zero. */
> + if (wrapsum(checksum(buf + offset, ip_len, 0)) != 0) {
> + ip_packets_bad_checksum++;
> + if (ip_packets_seen > 4 && ip_packets_bad_checksum != 0 &&
> +    (ip_packets_seen / ip_packets_bad_checksum) < 2) {
> + log_info("%u bad IP checksums seen in %u packets",
> +    ip_packets_bad_checksum, ip_packets_seen);
> + ip_packets_seen = ip_packets_bad_checksum = 0;
> + }
> + return (-1);
> + }
> +
> + pc->pc_src.ss_len = sizeof(struct sockaddr_in);
> + pc->pc_src.ss_family = AF_INET;
> + memcpy(&ss2sin(&pc->pc_src)->sin_addr, &ip->ip_src,
> +    sizeof(ss2sin(&pc->pc_src)->sin_addr));
> +
> + pc->pc_dst.ss_len = sizeof(struct sockaddr_in);
> + pc->pc_dst.ss_family = AF_INET;
> + memcpy(&ss2sin(&pc->pc_dst)->sin_addr, &ip->ip_dst,
> +    sizeof(ss2sin(&pc->pc_dst)->sin_addr));
> +
> +#ifdef DEBUG
> + if (buflen != offset + ntohs(ip->ip_len))
> + log_debug("ip length %d disagrees with bytes received %zd.",
> +    ntohs(ip->ip_len), buflen - offset);
> +#endif
> +
> + /* Assure that the entire IP packet is within the buffer. */
> + if (buflen < offset + ntohs(ip->ip_len))
> + return (-1);
> +
> + /* Assure that the UDP header is within the buffer. */
> + if (buflen < offset + ip_len + sizeof(*udp))
> + return (-1);
> + udp = (struct udphdr *)(buf + offset + ip_len);
> + udp_packets_seen++;
> +
> + /* Assure that the entire UDP packet is within the buffer. */
> + if (buflen < offset + ip_len + ntohs(udp->uh_ulen))
> + return (-1);
> + data = buf + offset + ip_len + sizeof(*udp);
> +
> + /*
> + * Compute UDP checksums, including the ``pseudo-header'', the
> + * UDP header and the data. If the UDP checksum field is zero,
> + * we're not supposed to do a checksum.
> + */
> + udp_packets_length_checked++;
> + len = ntohs(udp->uh_ulen) - sizeof(*udp);
> + if ((len < 0) || (len + data > buf + buflen)) {
> + udp_packets_length_overflow++;
> + if (udp_packets_length_checked > 4 &&
> +    udp_packets_length_overflow != 0 &&
> +    (udp_packets_length_checked /
> +    udp_packets_length_overflow) < 2) {
> + log_info("%u udp packets in %u too long - dropped",
> +    udp_packets_length_overflow,
> +    udp_packets_length_checked);
> + udp_packets_length_overflow =
> +    udp_packets_length_checked = 0;
> + }
> + return (-1);
> + }
> + if (len + data != buf + buflen)
> + log_debug("accepting packet with data after udp payload.");
> +
> + usum = udp->uh_sum;
> + udp->uh_sum = 0;
> +
> + sum = wrapsum(checksum((unsigned char *)udp, sizeof(*udp),
> +    checksum(data, len, checksum((unsigned char *)&ip->ip_src,
> +    2 * sizeof(ip->ip_src),
> +    IPPROTO_UDP + (u_int32_t)ntohs(udp->uh_ulen)))));
> +
> + udp_packets_seen++;
> + if (usum && usum != sum) {
> + udp_packets_bad_checksum++;
> + if (udp_packets_seen > 4 && udp_packets_bad_checksum != 0 &&
> +    (udp_packets_seen / udp_packets_bad_checksum) < 2) {
> + log_info("%u bad udp checksums in %u packets",
> +    udp_packets_bad_checksum, udp_packets_seen);
> + udp_packets_seen = udp_packets_bad_checksum = 0;
> + }
> + return (-1);
> + }
> +
> + ss2sin(&pc->pc_src)->sin_port = udp->uh_sport;
> + ss2sin(&pc->pc_dst)->sin_port = udp->uh_dport;
> +
> + return (offset + ip_len + sizeof(*udp));
> +}
> Index: usr.sbin/vmd/parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/parse.y,v
> retrieving revision 1.24
> diff -u -p -u -p -r1.24 parse.y
> --- usr.sbin/vmd/parse.y 6 Apr 2017 21:35:22 -0000 1.24
> +++ usr.sbin/vmd/parse.y 12 Apr 2017 11:16:50 -0000
> @@ -116,10 +116,11 @@ typedef struct {
>  
>  %token INCLUDE ERROR
>  %token ADD DISK DOWN GROUP INTERFACE NIFS PATH SIZE SWITCH UP VMID
> -%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED
> +%token ENABLE DISABLE VM BOOT LLADDR MEMORY OWNER LOCKED LOCAL
>  %token <v.string> STRING
>  %token  <v.number> NUMBER
>  %type <v.number> disable
> +%type <v.number> local
>  %type <v.number> locked
>  %type <v.number> updown
>  %type <v.lladdr> lladdr
> @@ -325,36 +326,38 @@ vm_opts : disable {
>   free($2);
>   vmc.vmc_flags |= VMOP_CREATE_DISK;
>   }
> - | INTERFACE optstring iface_opts_o {
> + | local INTERFACE optstring iface_opts_o {
>   unsigned int i;
>   char type[IF_NAMESIZE];
>  
>   i = vcp_nnics;
>   if (++vcp_nnics > VMM_MAX_NICS_PER_VM) {
>   yyerror("too many interfaces: %zu", vcp_nnics);
> - free($2);
> + free($3);
>   YYERROR;
>   }
>  
> - if ($2 != NULL) {
> - if (strcmp($2, "tap") != 0 &&
> -    (priv_getiftype($2, type, NULL) == -1 ||
> + if ($1)
> + vmc.vmc_ifflags[i] |= VMIFF_LOCAL;
> + if ($3 != NULL) {
> + if (strcmp($3, "tap") != 0 &&
> +    (priv_getiftype($3, type, NULL) == -1 ||
>      strcmp(type, "tap") != 0)) {
> - yyerror("invalid interface: %s", $2);
> - free($2);
> + yyerror("invalid interface: %s", $3);
> + free($3);
>   YYERROR;
>   }
>  
> - if (strlcpy(vmc.vmc_ifnames[i], $2,
> + if (strlcpy(vmc.vmc_ifnames[i], $3,
>      sizeof(vmc.vmc_ifnames[i])) >=
>      sizeof(vmc.vmc_ifnames[i])) {
>   yyerror("interface name too long: %s",
> -    $2);
> - free($2);
> +    $3);
> + free($3);
>   YYERROR;
>   }
>   }
> - free($2);
> + free($3);
>   vmc.vmc_flags |= VMOP_CREATE_NETWORK;
>   }
>   | BOOT string {
> @@ -547,6 +550,10 @@ lladdr : STRING {
>   }
>   ;
>  
> +local : /* empty */ { $$ = 0; }
> + | LOCAL { $$ = 1; }
> + ;
> +
>  locked : /* empty */ { $$ = 0; }
>   | LOCKED { $$ = 1; }
>   ;
> @@ -616,6 +623,7 @@ lookup(char *s)
>   { "interface", INTERFACE },
>   { "interfaces", NIFS },
>   { "lladdr", LLADDR },
> + { "local", LOCAL },
>   { "locked", LOCKED },
>   { "memory", MEMORY },
>   { "owner", OWNER },
> Index: usr.sbin/vmd/priv.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/priv.c,v
> retrieving revision 1.6
> diff -u -p -u -p -r1.6 priv.c
> --- usr.sbin/vmd/priv.c 2 Mar 2017 07:33:37 -0000 1.6
> +++ usr.sbin/vmd/priv.c 12 Apr 2017 11:16:50 -0000
> @@ -29,6 +29,8 @@
>  #include <netinet/if_ether.h>
>  #include <net/if_bridge.h>
>  
> +#include <arpa/inet.h>
> +
>  #include <errno.h>
>  #include <event.h>
>  #include <fcntl.h>
> @@ -80,6 +82,7 @@ priv_dispatch_parent(int fd, struct priv
>   struct ifreq ifr;
>   struct ifbreq ifbr;
>   struct ifgroupreq ifgr;
> + struct ifaliasreq ifra;
>   char type[IF_NAMESIZE];
>  
>   switch (imsg->hdr.type) {
> @@ -89,6 +92,7 @@ priv_dispatch_parent(int fd, struct priv
>   case IMSG_VMDOP_PRIV_IFUP:
>   case IMSG_VMDOP_PRIV_IFDOWN:
>   case IMSG_VMDOP_PRIV_IFGROUP:
> + case IMSG_VMDOP_PRIV_IFADDR:
>   IMSG_SIZE_CHECK(imsg, &vfr);
>   memcpy(&vfr, imsg->data, sizeof(vfr));
>  
> @@ -160,6 +164,25 @@ priv_dispatch_parent(int fd, struct priv
>      errno != EEXIST)
>   log_warn("SIOCAIFGROUP");
>   break;
> + case IMSG_VMDOP_PRIV_IFADDR:
> + memset(&ifra, 0, sizeof(ifra));
> +
> + /* Set the interface address */
> + strlcpy(ifra.ifra_name, vfr.vfr_name, sizeof(ifra.ifra_name));
> +
> + memcpy(&ifra.ifra_addr, &vfr.vfr_ifra.ifra_addr,
> +    sizeof(ifra.ifra_addr));
> + ifra.ifra_addr.sa_family = AF_INET;
> + ifra.ifra_addr.sa_len = sizeof(struct sockaddr_in);
> +
> + memcpy(&ifra.ifra_mask, &vfr.vfr_ifra.ifra_mask,
> +    sizeof(ifra.ifra_mask));
> + ifra.ifra_mask.sa_family = AF_INET;
> + ifra.ifra_mask.sa_len = sizeof(struct sockaddr_in);
> +
> + if (ioctl(env->vmd_fd, SIOCAIFADDR, &ifra) < 0)
> + log_warn("SIOCAIFADDR");
> + break;
>   default:
>   return (-1);
>   }
> @@ -227,6 +250,7 @@ vm_priv_ifconfig(struct privsep *ps, str
>   struct vmd_switch *vsw;
>   unsigned int i;
>   struct vmop_ifreq vfr, vfbr;
> + struct sockaddr_in *sin4;
>  
>   for (i = 0; i < VMM_MAX_NICS_PER_VM; i++) {
>   vif = &vm->vm_ifs[i];
> @@ -298,6 +322,27 @@ vm_priv_ifconfig(struct privsep *ps, str
>   proc_compose(ps, PROC_PRIV, (vif->vif_flags & VMIFF_UP) ?
>      IMSG_VMDOP_PRIV_IFUP : IMSG_VMDOP_PRIV_IFDOWN,
>      &vfr, sizeof(vfr));
> +
> + if (vm->vm_params.vmc_ifflags[i] & VMIFF_LOCAL) {
> + sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_mask;
> + sin4->sin_family = AF_INET;
> + sin4->sin_len = sizeof(*sin4);
> + sin4->sin_addr.s_addr = htonl(0xfffffffe);
> +
> + sin4 = (struct sockaddr_in *)&vfr.vfr_ifra.ifra_addr;
> + sin4->sin_family = AF_INET;
> + sin4->sin_len = sizeof(*sin4);
> + if ((sin4->sin_addr.s_addr =
> +    vm_priv_addr(vm->vm_vmid, i, 0)) == 0)
> + return (-1);
> +
> + log_debug("%s: interface %s address %s/31",
> +    __func__, vfr.vfr_name,
> +    inet_ntoa(sin4->sin_addr));
> +
> + proc_compose(ps, PROC_PRIV, IMSG_VMDOP_PRIV_IFADDR,
> +    &vfr, sizeof(vfr));
> + }
>   }
>  
>   return (0);
> @@ -345,4 +390,47 @@ vm_priv_brconfig(struct privsep *ps, str
>  
>   vsw->sw_running = 1;
>   return (0);
> +}
> +
> +uint32_t
> +vm_priv_addr(uint32_t vmid, int idx, int isvm)
> +{
> + in_addr_t prefix, mask, addr;
> +
> + /*
> + * 1. Set the address prefix and mask, 100.64.0.0/10 by default.
> + * XXX make the global prefix configurable.
> + */
> + prefix = inet_addr(VMD_DHCP_PREFIX);
> + mask = prefixlen2mask(VMD_DHCP_PREFIXLEN);
> +
> + /* 2. Encode the VM ID as a per-VM subnet range N, 10.64.N.0/24. */
> + addr = vmid << 8;
> +
> + /*
> + * 3. Assign a /31 subnet M per VM interface, 10.64.N.M/31.
> + * Each subnet contains exactly two IP addresses; skip the
> + * first subnet to avoid a gateway address ending with .0.
> + */
> + addr |= (idx + 1) * 2;
> +
> + /* 4. Use the first address for the gateway, the second for the VM. */
> + if (isvm)
> + addr++;
> +
> + /* 5. Convert to network byte order and add the prefix. */
> + addr = htonl(addr) | prefix;
> +
> + /*
> + * Validate the results:
> + * - the address should not exceed the prefix (eg. VM ID to high).
> + * - up to 126 interfaces can be encoded per VM.
> + */
> + if (prefix != (addr & mask) || idx >= 0x7f) {
> + log_warnx("%s: dhcp address range exceeded,"
> +    " vm id %u interface %d", __func__, vmid, idx);
> + return (0);
> + }
> +
> + return (addr);
>  }
> Index: usr.sbin/vmd/virtio.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/virtio.c,v
> retrieving revision 1.41
> diff -u -p -u -p -r1.41 virtio.c
> --- usr.sbin/vmd/virtio.c 8 Apr 2017 19:08:18 -0000 1.41
> +++ usr.sbin/vmd/virtio.c 12 Apr 2017 11:16:51 -0000
> @@ -1251,15 +1251,17 @@ vionet_notifyq(struct vionet_dev *dev)
>   uint32_t vr_sz;
>   uint16_t idx, pkt_desc_idx, hdr_desc_idx, dxx;
>   size_t pktsz;
> - int ret, num_enq, ofs;
> - char *vr, *pkt;
> + ssize_t dhcpsz;
> + int ret, num_enq, ofs, spc;
> + char *vr, *pkt, *dhcppkt;
>   struct vring_desc *desc, *pkt_desc, *hdr_desc;
>   struct vring_avail *avail;
>   struct vring_used *used;
>   struct ether_header *eh;
>  
> - vr = pkt = NULL;
> - ret = 0;
> + vr = pkt = dhcppkt = NULL;
> + ret = spc = 0;
> + dhcpsz = 0;
>  
>   /* Invalid queue? */
>   if (dev->cfg.queue_notify != 1) {
> @@ -1373,8 +1375,13 @@ vionet_notifyq(struct vionet_dev *dev)
>   log_debug("vionet: wrong source address %s for vm %d",
>      ether_ntoa((struct ether_addr *)
>      eh->ether_shost), dev->vm_id);
> + else if (dev->local && dhcpsz == 0 &&
> +    (dhcpsz = dhcp_request(dev, pkt, pktsz, &dhcppkt)) != -1) {
> + log_debug("vionet: dhcp request,"
> +    " local response size %zd", dhcpsz);
> +
>   /* XXX signed vs unsigned here, funky cast */
> - else if (write(dev->fd, pkt, pktsz) != (int)pktsz) {
> + } else if (write(dev->fd, pkt, pktsz) != (int)pktsz) {
>   log_warnx("vionet: tx failed writing to tap: "
>      "%d", errno);
>   goto out;
> @@ -1398,9 +1405,15 @@ vionet_notifyq(struct vionet_dev *dev)
>   log_warnx("vionet: tx error writing vio ring");
>   }
>  
> + if (dhcpsz > 0) {
> + if (vionet_enq_rx(dev, dhcppkt, dhcpsz, &spc))
> + ret = 1;
> + }
> +
>  out:
>   free(vr);
>   free(pkt);
> + free(dhcppkt);
>  
>   return (ret);
>  }
> @@ -1582,8 +1595,9 @@ vmmci_io(int dir, uint16_t reg, uint32_t
>  }
>  
>  void
> -virtio_init(struct vmop_create_params *vmc, int *child_disks, int *child_taps)
> +virtio_init(struct vmd_vm *vm, int *child_disks, int *child_taps)
>  {
> + struct vmop_create_params *vmc = &vm->vm_params;
>   struct vm_create_params *vcp = &vmc->vmc_params;
>   static const uint8_t zero_mac[6];
>   uint8_t id;
> @@ -1713,6 +1727,7 @@ virtio_init(struct vmop_create_params *v
>   vionet[i].fd = child_taps[i];
>   vionet[i].rx_pending = 0;
>   vionet[i].vm_id = vcp->vcp_id;
> + vionet[i].vm_vmid = vm->vm_vmid;
>   vionet[i].irq = pci_get_dev_irq(id);
>  
>   event_set(&vionet[i].event, vionet[i].fd,
> @@ -1747,11 +1762,15 @@ virtio_init(struct vmop_create_params *v
>   }
>   vionet[i].lockedmac =
>      vmc->vmc_ifflags[i] & VMIFF_LOCKED ? 1 : 0;
> + vionet[i].local =
> +    vmc->vmc_ifflags[i] & VMIFF_LOCAL ? 1 : 0;
> + vionet[i].idx = i;
>  
> - log_debug("%s: vm \"%s\" vio%u lladdr %s%s",
> + log_debug("%s: vm \"%s\" vio%u lladdr %s%s%s",
>      __func__, vcp->vcp_name, i,
>      ether_ntoa((void *)vionet[i].mac),
> -    vionet[i].lockedmac ? " (locked)" : "");
> +    vionet[i].lockedmac ? ", locked" : "",
> +    vionet[i].local ? ", local" : "");
>   }
>   }
>  
> Index: usr.sbin/vmd/virtio.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/virtio.h,v
> retrieving revision 1.14
> diff -u -p -u -p -r1.14 virtio.h
> --- usr.sbin/vmd/virtio.h 27 Mar 2017 00:28:04 -0000 1.14
> +++ usr.sbin/vmd/virtio.h 12 Apr 2017 11:16:51 -0000
> @@ -118,9 +118,13 @@ struct vionet_dev {
>   int fd, rx_added;
>   int rx_pending;
>   uint32_t vm_id;
> + uint32_t vm_vmid;
>   int irq;
>   uint8_t mac[6];
> +
> + int idx;
>   int lockedmac;
> + int local;
>  };
>  
>  struct virtio_net_hdr {
> @@ -154,7 +158,8 @@ struct vmmci_dev {
>   int irq;
>  };
>  
> -void virtio_init(struct vmop_create_params *, int *, int *);
> +/* virtio.c */
> +void virtio_init(struct vmd_vm *, int *, int *);
>  uint32_t vring_size(uint32_t);
>  
>  int virtio_rnd_io(int, uint16_t, uint32_t *, uint8_t *, void *, uint8_t);
> @@ -181,3 +186,6 @@ void vmmci_ack(unsigned int);
>  void vmmci_timeout(int, short, void *);
>  
>  const char *vioblk_cmd_name(uint32_t);
> +
> +/* dhcp.c */
> +ssize_t dhcp_request(struct vionet_dev *, char *, size_t, char **);
> Index: usr.sbin/vmd/vm.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/vm.c,v
> retrieving revision 1.11
> diff -u -p -u -p -r1.11 vm.c
> --- usr.sbin/vmd/vm.c 27 Mar 2017 00:28:04 -0000 1.11
> +++ usr.sbin/vmd/vm.c 12 Apr 2017 11:16:51 -0000
> @@ -656,7 +656,7 @@ init_emulated_hw(struct vmop_create_para
>   pci_init();
>  
>   /* Initialize virtio devices */
> - virtio_init(vmc, child_disks, child_taps);
> + virtio_init(current_vm, child_disks, child_taps);
>  }
>  
>  /*
> Index: usr.sbin/vmd/vm.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/vm.conf.5,v
> retrieving revision 1.17
> diff -u -p -u -p -r1.17 vm.conf.5
> --- usr.sbin/vmd/vm.conf.5 25 Mar 2017 16:28:25 -0000 1.17
> +++ usr.sbin/vmd/vm.conf.5 12 Apr 2017 11:16:51 -0000
> @@ -112,7 +112,7 @@ is specified.
>  Do not start this VM.
>  .It Cm disk Ar path
>  Disk image file (may be specified multiple times to add multiple disk images).
> -.It Cm interface Oo name Oc Op Brq ...
> +.It Oo Cm local Oc Cm interface Oo name Oc Op Brq ...
>  Network interface to add to the VM.
>  The optional
>  .Ar name
> @@ -123,6 +123,7 @@ to select the next available
>  interface on the VM host side (the default) or
>  .Ar tapN
>  to select a specific one.
> +.Pp
>  Valid options are:
>  .Bl -tag -width Ds
>  .It Cm group Ar group-name
> @@ -158,6 +159,13 @@ This is the default.
>  .It Cm down
>  Stop the interface from forwarding packets.
>  .El
> +.Pp
> +A
> +.Cm local
> +interface will auto-generate an IPv4 subnet for the interface,
> +configure a gateway address on the VM host side,
> +and run a simple DHCP (BOOTP) server for the VM.
> +This option can be used for layer 3 mode without configuring a switch.
>  .It Cm interfaces Ar count
>  Optional minimum number of network interfaces to add to the VM.
>  If the
> Index: usr.sbin/vmd/vmd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v
> retrieving revision 1.56
> diff -u -p -u -p -r1.56 vmd.c
> --- usr.sbin/vmd/vmd.c 6 Apr 2017 18:07:13 -0000 1.56
> +++ usr.sbin/vmd/vmd.c 12 Apr 2017 11:16:51 -0000
> @@ -1045,3 +1045,15 @@ get_string(uint8_t *ptr, size_t len)
>  
>   return strndup(ptr, i);
>  }
> +
> +uint32_t
> +prefixlen2mask(uint8_t prefixlen)
> +{
> + if (prefixlen == 0)
> + return (0);
> +
> + if (prefixlen > 32)
> + prefixlen = 32;
> +
> + return (htonl(0xffffffff << (32 - prefixlen)));
> +}
> Index: usr.sbin/vmd/vmd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmd/vmd.h,v
> retrieving revision 1.50
> diff -u -p -u -p -r1.50 vmd.h
> --- usr.sbin/vmd/vmd.h 6 Apr 2017 18:07:13 -0000 1.50
> +++ usr.sbin/vmd/vmd.h 12 Apr 2017 11:16:51 -0000
> @@ -23,6 +23,8 @@
>  #include <machine/vmmvar.h>
>  
>  #include <net/if.h>
> +#include <netinet/in.h>
> +#include <netinet/if_ether.h>
>  
>  #include <limits.h>
>  #include <stdio.h>
> @@ -48,6 +50,10 @@
>  #define VMD_SWITCH_TYPE "bridge"
>  #define VM_DEFAULT_MEMORY 512
>  
> +/* 100.64.0.0/10 from rfc6598 (IPv4 Prefix for Shared Address Space) */
> +#define VMD_DHCP_PREFIX "100.64.0.0"
> +#define VMD_DHCP_PREFIXLEN 10
> +
>  #ifdef VMD_DEBUG
>  #define dprintf(x...)   do { log_debug(x); } while(0)
>  #else
> @@ -74,6 +80,7 @@ enum imsg_type {
>   IMSG_VMDOP_PRIV_IFUP,
>   IMSG_VMDOP_PRIV_IFDOWN,
>   IMSG_VMDOP_PRIV_IFGROUP,
> + IMSG_VMDOP_PRIV_IFADDR,
>   IMSG_VMDOP_VM_SHUTDOWN,
>   IMSG_VMDOP_VM_REBOOT
>  };
> @@ -102,6 +109,7 @@ struct vmop_ifreq {
>   uint32_t vfr_id;
>   char vfr_name[IF_NAMESIZE];
>   char vfr_value[VM_NAME_MAX];
> + struct ifaliasreq vfr_ifra;
>  };
>  
>  struct vmop_create_params {
> @@ -116,7 +124,8 @@ struct vmop_create_params {
>   unsigned int vmc_ifflags[VMM_MAX_NICS_PER_VM];
>  #define VMIFF_UP 0x01
>  #define VMIFF_LOCKED 0x02
> -#define VMIFF_OPTMASK VMIFF_LOCKED
> +#define VMIFF_LOCAL 0x04
> +#define VMIFF_OPTMASK (VMIFF_LOCKED|VMIFF_LOCAL)
>   char vmc_ifnames[VMM_MAX_NICS_PER_VM][IF_NAMESIZE];
>   char vmc_ifswitch[VMM_MAX_NICS_PER_VM][VM_NAME_MAX];
>   char vmc_ifgroup[VMM_MAX_NICS_PER_VM][IF_NAMESIZE];
> @@ -198,6 +207,38 @@ struct vmd {
>   int vmd_ptmfd;
>  };
>  
> +static inline struct sockaddr_in *
> +ss2sin(struct sockaddr_storage *ss)
> +{
> + return ((struct sockaddr_in *)ss);
> +}
> +
> +static inline struct sockaddr_in6 *
> +ss2sin6(struct sockaddr_storage *ss)
> +{
> + return ((struct sockaddr_in6 *)ss);
> +}
> +
> +struct packet_ctx {
> + uint8_t pc_htype;
> + uint8_t pc_hlen;
> + uint8_t pc_smac[ETHER_ADDR_LEN];
> + uint8_t pc_dmac[ETHER_ADDR_LEN];
> +
> + struct sockaddr_storage pc_src;
> + struct sockaddr_storage pc_dst;
> +};
> +
> +/* packet.c */
> +ssize_t assemble_hw_header(unsigned char *, size_t, size_t,
> +    struct packet_ctx *, unsigned int);
> +ssize_t assemble_udp_ip_header(unsigned char *, size_t, size_t,
> +    struct packet_ctx *pc, unsigned char *, size_t);
> +ssize_t decode_hw_header(unsigned char *, size_t, size_t, struct packet_ctx *,
> +    unsigned int);
> +ssize_t decode_udp_ip_header(unsigned char *, size_t, size_t,
> +    struct packet_ctx *);
> +
>  /* vmd.c */
>  void vmd_reload(unsigned int, const char *);
>  struct vmd_vm *vm_getbyid(uint32_t);
> @@ -216,6 +257,7 @@ void vm_closetty(struct vmd_vm *);
>  void switch_remove(struct vmd_switch *);
>  struct vmd_switch *switch_getbyname(const char *);
>  char *get_string(uint8_t *, size_t);
> +uint32_t prefixlen2mask(uint8_t);
>  
>  /* priv.c */
>  void priv(struct privsep *, struct privsep_proc *);
> @@ -224,6 +266,7 @@ int priv_findname(const char *, const c
>  int priv_validgroup(const char *);
>  int vm_priv_ifconfig(struct privsep *, struct vmd_vm *);
>  int vm_priv_brconfig(struct privsep *, struct vmd_switch *);
> +uint32_t vm_priv_addr(uint32_t, int, int);
>  
>  /* vmm.c */
>  void vmm(struct privsep *, struct privsep_proc *);
> Index: usr.sbin/vmctl/main.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmctl/main.c,v
> retrieving revision 1.25
> diff -u -p -u -p -r1.25 main.c
> --- usr.sbin/vmctl/main.c 6 Apr 2017 18:07:13 -0000 1.25
> +++ usr.sbin/vmctl/main.c 12 Apr 2017 11:16:51 -0000
> @@ -65,7 +65,7 @@ struct ctl_command ctl_commands[] = {
>   { "reload", CMD_RELOAD, ctl_reload, "" },
>   { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" },
>   { "start", CMD_START, ctl_start, "\"name\""
> -    " [-c] [-b image] [-m size]\n"
> +    " [-Lc] [-b image] [-m size]\n"
>      "\t\t[-n switch] [-i count] [-d disk]*" },
>   { "status", CMD_STATUS, ctl_status, "[id]" },
>   { "stop", CMD_STOP, ctl_stop, "id" },
> @@ -539,7 +539,7 @@ ctl_start(struct parse_result *res, int
>   argc--;
>   argv++;
>  
> - while ((ch = getopt(argc, argv, "b:cm:n:d:i:")) != -1) {
> + while ((ch = getopt(argc, argv, "b:cLm:n:d:i:")) != -1) {
>   switch (ch) {
>   case 'b':
>   if (res->path)
> @@ -551,6 +551,10 @@ ctl_start(struct parse_result *res, int
>   break;
>   case 'c':
>   tty_autoconnect = 1;
> + break;
> + case 'L':
> + if (parse_network(res, ".") != 0)
> + errx(1, "invalid network: %s", optarg);
>   break;
>   case 'm':
>   if (res->size)
> Index: usr.sbin/vmctl/vmctl.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmctl/vmctl.8,v
> retrieving revision 1.27
> diff -u -p -u -p -r1.27 vmctl.8
> --- usr.sbin/vmctl/vmctl.8 25 Mar 2017 16:28:25 -0000 1.27
> +++ usr.sbin/vmctl/vmctl.8 12 Apr 2017 11:16:51 -0000
> @@ -72,8 +72,8 @@ Reset the configured switches.
>  .It Cm reset vms
>  Reset and terminate all VMs.
>  .It Xo Cm start Ar name
> +.Op Fl Lc
>  .Op Fl b Ar path
> -.Op Fl c
>  .Op Fl d Ar path
>  .Op Fl i Ar count
>  .Op Fl m Ar size
> @@ -91,6 +91,12 @@ Automatically connect to the VM console.
>  Disk image file (may be specified multiple times to add multiple disk images).
>  .It Fl i Ar count
>  Number of network interfaces to add to the VM.
> +.It Fl L
> +Add a local network interface.
> +.Xr vmd 8
> +will auto-generate an IPv4 subnet for the interface,
> +configure a gateway address on the VM host side,
> +and run a simple DHCP (BOOTP) server for the VM.
>  .It Fl m Ar size
>  Memory
>  .Ar size
> Index: usr.sbin/vmctl/vmctl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/vmctl/vmctl.c,v
> retrieving revision 1.29
> diff -u -p -u -p -r1.29 vmctl.c
> --- usr.sbin/vmctl/vmctl.c 6 Apr 2017 18:07:13 -0000 1.29
> +++ usr.sbin/vmctl/vmctl.c 12 Apr 2017 11:16:51 -0000
> @@ -123,8 +123,16 @@ vm_start(uint32_t start_id, const char *
>   for (i = 0 ; i < ndisks; i++)
>   strlcpy(vcp->vcp_disks[i], disks[i], VMM_MAX_PATH_DISK);
>   for (i = 0 ; i < nnics; i++) {
> - strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE);
>   vmc->vmc_ifflags[i] = VMIFF_UP;
> +
> + if (strcmp(".", nics[i]) == 0) {
> + /* Add a "local" interface */
> + strlcpy(vmc->vmc_ifswitch[i], "", IF_NAMESIZE);
> + vmc->vmc_ifflags[i] |= VMIFF_LOCAL;
> + } else {
> + /* Add a interface to a switch */
> + strlcpy(vmc->vmc_ifswitch[i], nics[i], IF_NAMESIZE);
> + }
>   }
>   if (name != NULL)
>   strlcpy(vcp->vcp_name, name, VMM_MAX_NAME_LEN);
>

--

Reply | Threaded
Open this post in threaded view
|

Re: vmd: VMs with auto-configured L3 interfaces (call for testing)

Josh Grosse-3
In reply to this post by Reyk Floeter-2
On Wed, Apr 12, 2017 at 01:44:48PM +0200, Reyk Floeter wrote:
> Hi,
>
> we want to make it easier to run NAT'ed and auto-configured VMs that
> don't need switches, L2, manual scripts, or any additional servers on
> the host.  I wrote a new mode that just needs vmd, pf, and forwarding.

Tested on an amd64 host with both amd64 and i386 guests.  Works fine
with both.

I especially enjoy the fixed IP address 100.64.<vm number>.3, which makes
it a snap to ssh into.

Thanks, Reyk!

Reply | Threaded
Open this post in threaded view
|

Re: vmd: VMs with auto-configured L3 interfaces (call for testing)

Josh Grosse-3
On Fri, Apr 14, 2017 at 12:29:53PM -0400, Josh Grosse wrote:
> Tested on an amd64 host...

Following up on my own post to state this was tested both
with "local" in vm.conf as well as with vmctl -L.