On Tue, Aug 18, 2015 at 12:32:47PM +0200, Felix Pepinghege wrote:
Sorry for flooding the mailing list, but I have some new insights into why
these things I described happen. So just in case someone stumbles over it in
the future, I'd like to elaborate.
The problem is my specific use case, that is, the VM being an OpenVPN
server. By default, oVirt expects exactly one MAC address per VM. As one
vnet device is created for every VM, that implies only one MAC address per
vnet device. The ebtables rules that I ran into enforce that. They prevent
the VM from spoofing other MAC addresses, for obvious security reasons.
This led to the filtering of all packets of my VPN clients, as their MAC
addresses differed from the VM's.
So much for the reasons; now some additional words on the solution. Just
flushing the ebtables table is not a persistent solution, as oVirt creates
the rules every time a new vnet device is created. This happens on every
reboot and every migration of the VM. Interestingly, the filters are
resistant to turning off the ebtables service with
'# systemctl stop ebtables'.
Although the service claims to be inactive, filtering takes place
nevertheless.
I currently fail to find the website that pointed me to it, but the
persistent solution is to disable the MAC anti-spoofing filter. Here's how
it goes. On the engine, do:
# engine-config -s EnableMACAntiSpoofingFilterRules=false
# systemctl restart ovirt-engine
After that, the ebtables rules are no longer applied to newly created vnets.
(Filters for existing vnets are not removed, though.)
This disables MAC spoofing protection for all VMs, even those which are
less trustworthy. A finer-grained approach is to install vdsm-hook-macspoof, run
# engine-config -s "UserDefinedVMProperties=macspoof=(true|false);another_property=regexp"
define a vnic profile with macspoof=true, and assign it to your VPN VM.
http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook
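To make the "finer-grained approach" concrete, here is an added illustration (written for this page, not the vdsm-hook-macspoof code itself and not from the post above) of what a per-VM exemption has to do at the host: oVirt attaches a libvirt nwfilter reference to each vNIC in the domain XML, and a before_vm_start hook that honours a macspoof=true custom property strips that reference so the anti-spoofing ebtables rules are never generated for that VM, while every other VM keeps them. The filter name vdsm-no-mac-spoofing, the sample domain XML and the MAC addresses are assumptions constructed for the example; the real hook reads the property from its environment rather than taking it as a parameter.

```python
import xml.etree.ElementTree as ET

# Assumed name of the libvirt nwfilter that vdsm attaches to every vNIC when
# EnableMACAntiSpoofingFilterRules is on. This is an assumption of the example,
# not something stated in the mailing-list post.
NO_MAC_SPOOFING_FILTER = "vdsm-no-mac-spoofing"

# Constructed sample domain XML for a VPN gateway VM with two vNICs. Both carry
# the anti-spoofing filter reference, as the host would receive them from the
# engine before the VM starts. MAC addresses and bridge names are made up.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>vpn-gateway</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
      <target dev='vnet0'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='vpn-clients'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>
"""


def parse_macspoof(value):
    """Interpret the macspoof custom property the way a hook would.

    The engine validates the property against (true|false), so anything other
    than a true-ish string leaves the protection in place (fail closed).
    """
    return str(value).strip().lower() in ("true", "1", "yes")


def strip_mac_spoofing_filter(domxml, macspoof):
    """Remove the anti-spoofing filterref from every vNIC if macspoof is set.

    Returns (new_domxml, number_of_filterrefs_removed). Other filterrefs
    (e.g. a custom nwfilter an admin attached) are left untouched, so the
    exemption is limited to exactly the MAC anti-spoofing rule set.
    """
    root = ET.fromstring(domxml)
    removed = 0
    if parse_macspoof(macspoof):
        for iface in root.iter("interface"):
            for ref in list(iface.findall("filterref")):
                if ref.get("filter") == NO_MAC_SPOOFING_FILTER:
                    iface.remove(ref)
                    removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def remaining_filters(domxml):
    """List the nwfilter names still referenced by any vNIC, in document order."""
    root = ET.fromstring(domxml)
    return [ref.get("filter") for ref in root.iter("filterref")]


if __name__ == "__main__":
    # The VPN VM is started with macspoof=true: no anti-spoofing rules for it.
    vpn_xml, n = strip_mac_spoofing_filter(SAMPLE_DOMXML, "true")
    print("vpn-gateway: removed", n, "filterrefs; remaining:", remaining_filters(vpn_xml))
    # Any other VM (property unset or false) keeps the protection.
    other_xml, n = strip_mac_spoofing_filter(SAMPLE_DOMXML, "false")
    print("other VM: removed", n, "filterrefs; remaining:", remaining_filters(other_xml))
```

The contrast with the engine-wide EnableMACAntiSpoofingFilterRules=false setting is the scope: that switch stops the engine from emitting the filterref for every VM in the data center, whereas the hook path only strips it for VMs whose custom property asks for it, so a less trusted guest on the same host still cannot source frames with a MAC other than its own.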