[Users] disable EnableMACAntiSpoofingFilterRules per VM

Assaf Muller amuller at redhat.com
Thu Dec 26 09:34:07 EST 2013


Thank you for your feedback. I sent a patch to fix all mentioned issues:
http://gerrit.ovirt.org/#/c/22760/

It will be available for oVirt 3.4.


Assaf Muller, Cloud Networking Engineer 
Red Hat 

----- Original Message -----
From: "Kapetanakis Giannis" <bilias at edu.physics.uoc.gr>
To: "users at oVirt.org" <users at ovirt.org>
Cc: "Assaf Muller" <amuller at redhat.com>, danken at redhat.com
Sent: Thursday, December 26, 2013 3:23:07 PM
Subject: Re: [Users] disable EnableMACAntiSpoofingFilterRules per VM

Resending cause somehow the format got screwed up.

On 26/12/13 11:06, Assaf Muller wrote:
>> what will be the default action for my VMs? Filter or not filter?
>> So I have to alter EnableMACAntiSpoofingFilterRules as well?
> The default is to filter. You'll have to add a VM or VNIC custom property
> and set the value to False whenever you want to disable the filtering.
>
>> What about conflicting values between VM and VNIC. Which has precedence
>> over the other?
> You would think that anything VNIC specific would take precedence, but with
> how the code is implemented at this time, before_device_create is called
> for all devices, and before_vm_create is called after that. That means
> that whatever is defined at the VM level will take precedence.

ok, this worked like a charm but I did some changes.

Maybe you want to update the README on
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README

engine-config -s UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$' --cver=3.3

failed with an error:

Cannot set value previousProperties;macspoof=^(true|false)$ to key 
UserDefinedVMProperties. Invalid syntax, user defined VM properties 
specification should conform to 
(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?

I changed that to
engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
like it is defined in http://www.ovirt.org/Engine_config_examples
which was inserted with no error.

CustomDeviceProperties also inserted like
engine-config -s CustomDeviceProperties='{type=interface;prop={ifacemacspoof=(true|false)}}'

so both true/false options could be available.

VM option indeed takes precedence over VNIC option.

You should also take notice that setting macspoof=false or 
ifacemacspoof=false does the opposite of at least what I expected.
It filters.

I had to apply with either macspoof=true or ifacemacspoof=true to 
disable filtering.

The README also has that the other way.
Either the README has to be changed or the options could be renamed to 
something like disable_macspoof_filter and disable_ifacemacspoof_filter

best regards and thanks for all the replies,

G
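
Added example (not part of the original thread and not oVirt code): a Python check of a UserDefinedVMProperties value against the grammar quoted in the error message above, showing why the literal previousProperties placeholder is rejected while name=regex entries pass. It assumes the engine matches the whole value against that grammar and each property value against its whole regex; parse_spec, value_allowed and the existingprop entry are hypothetical names.

```python
import re

# Grammar copied from the engine-config error message quoted in this thread.
SPEC_GRAMMAR = re.compile(
    r"(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?"
)


def parse_spec(spec):
    """Return {property_name: compiled_value_regex} for a property spec.

    Raises ValueError when the spec does not conform to the grammar,
    e.g. when an entry has no '=' (assumption: whole-string match).
    """
    if not SPEC_GRAMMAR.fullmatch(spec):
        raise ValueError("invalid syntax: each ';'-separated entry must be name=regex")
    entries = {}
    for item in spec.rstrip(";").split(";"):
        # Split on the first '=' only: the regex part may itself contain '='.
        name, _, pattern = item.partition("=")
        entries[name] = re.compile(pattern)
    return entries


def value_allowed(spec, name, value):
    """True if 'value' is acceptable for property 'name' under 'spec'."""
    pattern = parse_spec(spec).get(name)
    return pattern is not None and pattern.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed inputs: the two values from the thread plus one where the
    # placeholder is replaced by a made-up existing definition.
    for spec in (
        "previousProperties;macspoof=^(true|false)$",
        "macspoof=(true|false)",
        "existingprop=^[0-9]+$;macspoof=^(true|false)$",
    ):
        try:
            print(spec, "->", sorted(parse_spec(spec)))
        except ValueError as err:
            print(spec, "->", err)
    print(value_allowed("macspoof=(true|false)", "macspoof", "true"))
```

The first spec fails because previousProperties is followed by ';' without a name=regex pair; it stands for the definitions already configured and has to be replaced by them.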


