I've created the below filter. The intention is that it will allow incoming traffic
only from the SRCIP parameter and within the port range.
However, I'm still able to access the VM from other IPs as well. We are running oVirt
4.3 and the networks are VLAN-tagged.
virsh -r nwfilter-dumpxml clean-ip-port-filter
<filter name='clean-ip-port-filter' chain='root'>
  <uuid>f9d2ff6b-db31-41a0-8f1b-97dc0166c10a</uuid>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$SRCIP' dstportstart='$PORTSTART' dstportend='$PORTEND'/>
  </rule>
</filter>
Could it be because of the statement "VLAN (802.1Q) packets, if sent by a virtual
machine, cannot be filtered with rules for protocol IDs arp, rarp, ipv4 and ipv6 but only
with protocol IDs mac and vlan." in
https://libvirt.org/formatnwfilter.html?
If netfilters do not work with VLAN packets, is there any other way I can implement such
filtering?
Regards,
Ravi
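An added check, not part of the post above and not libvirt or oVirt code. Whether the VLAN caveat applies depends on whether the guest itself emits 802.1Q-tagged frames or the host strips the tag before the vNIC; independent of that, the posted filter has a structural gap worth ruling out first: it contains only an accept rule, and libvirt accepts traffic that matches no rule in a filter, so a filter with no drop rule never denies anything. The script below parses the posted filter and a corrected one that adds a catch-all inbound drop, reports what happens to unmatched inbound traffic, and builds the `<filterref>` fragment that binds `$SRCIP`, `$PORTSTART` and `$PORTEND` (oVirt exposes these through the vNIC profile). It assumes libvirt's documented rule semantics (lowest priority number evaluated first, default priority 500); the 10.0.0.5 address and port range are constructed for illustration.

```python
"""Audit a libvirt nwfilter for the accept-only pitfall.

Added example; it is not code from the original post, libvirt or oVirt.
It assumes libvirt's documented nwfilter semantics: rules are evaluated
from the lowest priority number upwards, a rule with no priority gets
500, and a packet that matches no rule is accepted. The 10.0.0.5 sample
address and the 8000-8010 port range are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# The filter as posted: one accept rule, so nothing is ever dropped.
POSTED_FILTER = """\
<filter name='clean-ip-port-filter' chain='root'>
  <uuid>f9d2ff6b-db31-41a0-8f1b-97dc0166c10a</uuid>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$SRCIP' dstportstart='$PORTSTART' dstportend='$PORTEND'/>
  </rule>
</filter>
"""

# Corrected filter: the same accept rule, then a catch-all drop for every
# other inbound IPv4 packet. The drop has the higher priority number, so
# it is evaluated only after the accept rule has failed to match. No
# <uuid> is given; libvirt assigns one on nwfilter-define.
CORRECTED_FILTER = """\
<filter name='clean-ip-port-filter' chain='root'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$SRCIP' dstportstart='$PORTSTART' dstportend='$PORTEND'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'>
    <all/>
  </rule>
</filter>
"""

DEFAULT_PRIORITY = 500
DENY_ACTIONS = ('drop', 'reject')


def parse_rules(xml_text):
    """Return the filter's <rule> elements as dicts, sorted in evaluation
    order (lowest priority number first). A rule without a direction is
    treated as 'inout' here."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall('rule'):
        rules.append({
            'action': rule.get('action'),
            'direction': rule.get('direction', 'inout'),
            'priority': int(rule.get('priority', DEFAULT_PRIORITY)),
            'protocols': [child.tag for child in rule],
        })
    return sorted(rules, key=lambda r: r['priority'])


def audit_inbound(xml_text):
    """Classify what happens to inbound traffic that matches no accept rule.

    Nested <filterref> elements are not followed; only the rules written
    directly in the given filter are examined.
    """
    rules = parse_rules(xml_text)
    inbound = [r for r in rules if r['direction'] in ('in', 'inout')]
    accepts = [r for r in inbound if r['action'] == 'accept']
    denies = [r for r in inbound
              if r['action'] in DENY_ACTIONS and 'all' in r['protocols']]
    last_accept = max((r['priority'] for r in accepts), default=None)

    if not denies:
        # No catch-all deny: libvirt accepts whatever the accept rule misses.
        verdict, unmatched = 'accept-only', 'accept'
    elif last_accept is not None and denies[0]['priority'] <= last_accept:
        # The deny runs before (or alongside) the accept and shadows it.
        verdict, unmatched = 'deny-shadows-accept', denies[0]['action']
    else:
        verdict, unmatched = 'allow-list', denies[0]['action']
    return {
        'accept_rules': len(accepts),
        'catch_all_denies': len(denies),
        'unmatched_inbound': unmatched,
        'verdict': verdict,
    }


def filterref_xml(filter_name, params):
    """Build the <filterref> fragment for a domain's <interface>; this is
    where $SRCIP, $PORTSTART and $PORTEND receive their values."""
    ref = ET.Element('filterref', filter=filter_name)
    for name, value in params.items():
        ET.SubElement(ref, 'parameter', name=name, value=value)
    return ET.tostring(ref, encoding='unicode')


if __name__ == '__main__':
    for label, text in (('posted', POSTED_FILTER), ('corrected', CORRECTED_FILTER)):
        print(label, audit_inbound(text))
    # Constructed sample binding; the real values come from the vNIC profile.
    print(filterref_xml('clean-ip-port-filter',
                        {'SRCIP': '10.0.0.5', 'PORTSTART': '8000', 'PORTEND': '8010'}))
```

Two caveats before relying on the corrected filter: the catch-all `<all/>` drop covers inbound IPv4 only (ARP is handled at the ebtables layer and is unaffected), so if the guest must also receive DHCP replies or the return traffic of connections it initiates, add matching accept rules ahead of the drop and test with the real traffic; and confirm with `virsh dumpxml <vm>` that the interface actually carries the `<filterref>` with all three parameters, since an unset `$SRCIP` leaves nothing for the accept rule to match.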