Re: [libvirt] [RFC] Allowing promiscuous mode for domains network interfaces
On Monday 02 July 2012 19:14:04 Eric Blake wrote:
> On 07/02/2012 09:28 AM, Jean-Baptiste Rouault wrote:
> > Hi all,
> >
> > By default, OpenVZ and VirtualBox (> 4.0.x) filter network packets by MAC
> > addresses: only broadcast, multicast and packets directly targeted to
> > VMs are transmitted.
> > This behaviour prevents from using promiscuous mode inside domains.
> >
> > I'd like to write some patches to disable these filters from libvirt.
> > Would it be ok to modify OpenVZ and VirtualBox drivers so that they
> > disable the filters by default?
> >
> > If this is not acceptable, what about making it configurable through
> > domains' XML?
>
> It sounds like exposing this through the domain XML would be useful to
> other hypervisors, and certainly something that I would rather have
> configurable per-guest instead of hard-coded to one default or another.
> We might declare that if the XML element is not present then it is up
> to hypervisor defaults whether the interface is promiscuous, to allow
> for back-compat, while still allowing the user to explicitly select
> narrow or promiscuous with new libvirt.

Ok, so what about adding a "promiscuouspolicy" attribute to the
"interface" tag?
There are currently 3 possible values with VirtualBox:
- Deny
- AllowNetwork: allow promiscuous mode but restrict its scope to the
  internal network
- AllowAll

So we could create a virDomainNetPromiscuousPolicy enum with these
3 values for a start.

Regards

--
Jean-Baptiste ROUAULT
R&D Engineer - diateam: Information Architects
Phone: +33 (0)2 98 050 050 Fax: +33 (0)2 98 050 051

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
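
Added example (not part of the thread and not libvirt code): a small Python audit of domain XML under the proposal in the message above. It assumes the `promiscuouspolicy` attribute on `<interface>` with the three proposed values, treats a missing attribute as hypervisor default as suggested in the quoted reply, and reports any other spelling as invalid; the function name, finding labels and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three values proposed in the thread, mapped to an audit finding.
FINDINGS = {
    "Deny": "filtered",
    "AllowNetwork": "promiscuous-internal",
    "AllowAll": "promiscuous-all",
}

# Constructed sample domain XML. "promiscuouspolicy" is the attribute
# proposed in the thread (an assumption, not a released libvirt attribute).
SAMPLE = """
<domain type='vbox'>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:01'/>
    </interface>
    <interface type='bridge' promiscuouspolicy='AllowNetwork'>
      <mac address='52:54:00:00:00:02'/>
    </interface>
    <interface type='bridge' promiscuouspolicy='AllowAll'>
      <mac address='52:54:00:00:00:03'/>
    </interface>
    <interface type='bridge' promiscuouspolicy='allowall'>
      <mac address='52:54:00:00:00:04'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return [(mac, policy, finding)] for every <interface> in the domain."""
    results = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "(no mac)"
        policy = iface.get("promiscuouspolicy")
        if policy is None:
            # Absent attribute: behaviour is left to the hypervisor default.
            finding = "hypervisor-default"
        else:
            # Exact match only: an unknown spelling is reported, not guessed.
            finding = FINDINGS.get(policy, "invalid")
        results.append((mac, policy, finding))
    return results

if __name__ == "__main__":
    for mac, policy, finding in audit_interfaces(SAMPLE):
        print(f"{mac}  policy={policy!r:16} {finding}")
```
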
Re: [libvirt] [RFC] Allowing promiscuous mode for domains network interfaces
On 07/02/2012 09:28 AM, Jean-Baptiste Rouault wrote:
> Hi all,
>
> By default, OpenVZ and VirtualBox (> 4.0.x) filter network packets by MAC
> addresses: only broadcast, multicast and packets directly targeted to VMs
> are transmitted.
> This behaviour prevents from using promiscuous mode inside domains.
>
> I'd like to write some patches to disable these filters from libvirt.
> Would it be ok to modify OpenVZ and VirtualBox drivers so that they disable
> the filters by default?
>
> If this is not acceptable, what about making it configurable through domains'
> XML?

It sounds like exposing this through the domain XML would be useful to
other hypervisors, and certainly something that I would rather have
configurable per-guest instead of hard-coded to one default or another.
We might declare that if the XML element is not present then it is up
to hypervisor defaults whether the interface is promiscuous, to allow
for back-compat, while still allowing the user to explicitly select
narrow or promiscuous with new libvirt.

--
Eric Blake   ebl...@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[libvirt] [RFC] Allowing promiscuous mode for domains network interfaces
Hi all,

By default, OpenVZ and VirtualBox (> 4.0.x) filter network packets by MAC
addresses: only broadcast, multicast and packets directly targeted to VMs
are transmitted.
This behaviour prevents from using promiscuous mode inside domains.

I'd like to write some patches to disable these filters from libvirt.
Would it be ok to modify OpenVZ and VirtualBox drivers so that they disable
the filters by default?

If this is not acceptable, what about making it configurable through domains'
XML?

Regards,
Jean-Baptiste

--
Jean-Baptiste ROUAULT
R&D Engineer - diateam: Information Architects
Phone: +33 (0)2 98 050 050 Fax: +33 (0)2 98 050 051