Re: [ovirt-users] Problem with Mac Spoof Filter

2015-07-17 Thread Jiri Belka
 From: InterNetX - Juergen Gotteswinter j...@internetx.com
 To: users@ovirt.org
 Sent: Thursday, July 16, 2015 3:21:15 PM
 Subject: [ovirt-users] Problem with Mac Spoof Filter
 
 Hi,
 
 seems like the Setting EnableMACAntiSpoofingFilterRules only applies to
 the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x)
 are not included in the generated ebtables ruleset.
 
 Is there any Workaround / Setting / whatever to allow more than one IP
 without completely disabling this Filter?
 
 Thanks,
 
 Juergen

IIUC this works with hwaddr only:

virsh # nwfilter-dumpxml vdsm-no-mac-spoofing
<filter name='vdsm-no-mac-spoofing' chain='root'>
  <uuid>cd70b235-b0f7-461e-9080-7e6d750e2c70</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>

virsh # nwfilter-dumpxml no-mac-spoofing
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <uuid>b7bbb2e5-2208-47cb-a0e6-1d0a81b5e515</uuid>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

virsh # nwfilter-dumpxml no-arp-mac-spoofing
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <uuid>454abfeb-259c-4868-bf64-de1315a97aa6</uuid>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

j.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
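
The inspection done by hand in the reply above can be scripted. This is an added example, not part of the original thread: it parses the three dumped filters (UUIDs left out), follows the filterref links and reports which match attributes and variables the filter tree uses. The function names are made up for this illustration.

```python
import xml.etree.ElementTree as ET

# Filter definitions as dumped in the thread (UUIDs omitted; they do not affect matching).
FILTERS = {
    "vdsm-no-mac-spoofing": """
<filter name='vdsm-no-mac-spoofing' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>""",
    "no-mac-spoofing": """
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>""",
    "no-arp-mac-spoofing": """
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>""",
}

def match_fields(name, filters, seen=None):
    """Return {(protocol, attribute, value)} for every match reachable from `name`."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against filterref cycles
        return set()
    seen.add(name)
    root = ET.fromstring(filters[name])
    found = set()
    for ref in root.findall("filterref"):
        found |= match_fields(ref.get("filter"), filters, seen)
    for rule in root.findall("rule"):
        for proto in rule:      # protocol elements such as <mac> or <arp>
            for attr, value in proto.attrib.items():
                found.add((proto.tag, attr, value))
    return found

def variables_used(name, filters):
    """Names of the $VARIABLES the filter tree depends on."""
    return {v[1:] for _, _, v in match_fields(name, filters) if v.startswith("$")}

if __name__ == "__main__":
    print(sorted(match_fields("vdsm-no-mac-spoofing", FILTERS)))
    print("variables:", sorted(variables_used("vdsm-no-mac-spoofing", FILTERS)))
```

For the filters dumped above it reports the srcmacaddr and arpsrcmacaddr matches, with MAC as the only variable.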


[ovirt-users] Problem with Mac Spoof Filter

2015-07-16 Thread InterNetX - Juergen Gotteswinter
Hi,

seems like the Setting EnableMACAntiSpoofingFilterRules only applies to
the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x)
are not included in the generated ebtables ruleset.

Is there any Workaround / Setting / whatever to allow more than one IP
without completely disabling this Filter?

Thanks,

Juergen