Problem with Mac Spoof Filter

Hi, seems like the Setting EnableMACAntiSpoofingFilterRules only applies to the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x) are not included in the generated ebtables ruleset. Is there any Workaround / Setting / whatever to allow more than one IP without completely disabling this Filter? Thanks, Juergen

From: "InterNetX - Juergen Gotteswinter" <jg@internetx.com>
To: users@ovirt.org
Sent: Thursday, July 16, 2015 3:21:15 PM
Subject: [ovirt-users] Problem with Mac Spoof Filter

Hi,
seems like the Setting EnableMACAntiSpoofingFilterRules only applies to the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x) are not included in the generated ebtables ruleset.
Is there any Workaround / Setting / whatever to allow more than one IP without completely disabling this Filter?
Thanks,
Juergen

IIUC this works with hwaddr only:

virsh # nwfilter-dumpxml vdsm-no-mac-spoofing
<filter name='vdsm-no-mac-spoofing' chain='root'>
  <uuid>cd70b235-b0f7-461e-9080-7e6d750e2c70</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>

virsh # nwfilter-dumpxml no-mac-spoofing
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <uuid>b7bbb2e5-2208-47cb-a0e6-1d0a81b5e515</uuid>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

virsh # nwfilter-dumpxml no-arp-mac-spoofing
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <uuid>454abfeb-259c-4868-bf64-de1315a97aa6</uuid>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

j.
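
To check what the filter chain dumped in the reply above actually matches on, this added example (not part of the original thread and not oVirt/VDSM code) parses the three definitions, follows the <filterref> links and reports which address kinds the rules constrain. The function names and the attribute-name heuristic (`macaddr` / `ipaddr` substrings) are assumptions of this example; the <uuid> elements are omitted from the embedded copies.

```python
import xml.etree.ElementTree as ET

# nwfilter definitions copied from the virsh dumps in the reply (uuid omitted).
FILTERS_XML = {
    "vdsm-no-mac-spoofing": """<filter name='vdsm-no-mac-spoofing' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>""",
    "no-mac-spoofing": """<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <rule action='return' direction='out' priority='500'><mac srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out' priority='500'><mac/></rule>
</filter>""",
    "no-arp-mac-spoofing": """<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <rule action='return' direction='out' priority='350'><arp arpsrcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>""",
}


def collect_rules(name, filters, seen=None):
    """Flatten a filter and everything it references via <filterref>."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against reference loops
        return []
    seen.add(name)
    root = ET.fromstring(filters[name])
    rules = []
    for child in root:
        if child.tag == "filterref":
            rules += collect_rules(child.get("filter"), filters, seen)
        elif child.tag == "rule":
            matches = [(p.tag, dict(p.attrib)) for p in child]
            rules.append((name, child.get("action", ""), child.get("direction", ""), matches))
    return rules


def matched_address_kinds(rules):
    """Return which address kinds ('mac', 'ip') the rule attributes constrain."""
    attrs = [a for _, _, _, matches in rules for _, d in matches for a in d]
    return {k for k in ("mac", "ip") if any(k + "addr" in a for a in attrs)}


if __name__ == "__main__":
    rules = collect_rules("vdsm-no-mac-spoofing", FILTERS_XML)
    for owner, action, direction, matches in rules:
        print(f"{owner:22} {action:7} {direction:4} {matches}")
    print("address kinds constrained:", sorted(matched_address_kinds(rules)))
```

For the definitions dumped above the result contains only `mac`: none of the four rules carries an IP address attribute.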

participants (2)
- InterNetX - Juergen Gotteswinter
- Jiri Belka