[ovirt-users] Problem with Mac Spoof Filter

Jiri Belka jbelka at redhat.com
Fri Jul 17 11:04:28 UTC 2015


> From: "InterNetX - Juergen Gotteswinter" <jg at internetx.com>
> To: users at ovirt.org
> Sent: Thursday, July 16, 2015 3:21:15 PM
> Subject: [ovirt-users] Problem with Mac Spoof Filter
> 
> Hi,
> 
> seems like the Setting EnableMACAntiSpoofingFilterRules only applies to
> the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x)
> are not included in the generated ebtables ruleset.
> 
> Is there any Workaround / Setting / whatever to allow more than one IP
> without completely disabling this Filter?
> 
> Thanks,
> 
> Juergen

IIUC this works with hwaddr only:

virsh # nwfilter-dumpxml vdsm-no-mac-spoofing
<filter name='vdsm-no-mac-spoofing' chain='root'>
  <uuid>cd70b235-b0f7-461e-9080-7e6d750e2c70</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>

virsh # nwfilter-dumpxml no-mac-spoofing
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <uuid>b7bbb2e5-2208-47cb-a0e6-1d0a81b5e515</uuid>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

virsh # nwfilter-dumpxml no-arp-mac-spoofing
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <uuid>454abfeb-259c-4868-bf64-de1315a97aa6</uuid>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

j.
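
One way to check this from the dumped XML, as an added example that is not part of the original message: the Python below parses the three filters shown above (uuid elements omitted), follows each filterref, and lists the match attributes and variables the rules use. The function names and the `constructed-ip-check` filter are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Filters as dumped in the message above (uuid elements omitted for brevity).
FILTERS = {
    "vdsm-no-mac-spoofing": """<filter name='vdsm-no-mac-spoofing' chain='root'>
  <filterref filter='no-mac-spoofing'/><filterref filter='no-arp-mac-spoofing'/>
</filter>""",
    "no-mac-spoofing": """<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <rule action='return' direction='out' priority='500'><mac srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out' priority='500'><mac/></rule>
</filter>""",
    "no-arp-mac-spoofing": """<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <rule action='return' direction='out' priority='350'><arp arpsrcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>""",
    # Constructed for contrast only, not from the message: a rule that matches on $IP.
    "constructed-ip-check": """<filter name='constructed-ip-check' chain='ipv4'>
  <rule action='return' direction='out' priority='500'><ip srcipaddr='$IP'/></rule>
</filter>""",
}

def constraints(name, filters=FILTERS, seen=None):
    """Return (filter, protocol, attribute, value) for every match attribute in
    `name` and in the filters it pulls in through <filterref>."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against reference loops
        return []
    seen.add(name)
    found = []
    for child in ET.fromstring(filters[name]):  # KeyError if a referenced filter is missing
        if child.tag == "filterref":
            found += constraints(child.get("filter"), filters, seen)
        elif child.tag == "rule":
            for proto in child:  # e.g. <mac>, <arp>, <ip>
                found += [(name, proto.tag, a, v) for a, v in proto.attrib.items()]
    return found

def variables_used(name, filters=FILTERS):
    """Set of $VARIABLES the filter tree matches on."""
    return {v for _, _, _, v in constraints(name, filters) if v.startswith("$")}

def checks_ip(name, filters=FILTERS):
    """True if any rule in the filter tree matches on the $IP variable."""
    return "$IP" in variables_used(name, filters)

if __name__ == "__main__":
    for row in constraints("vdsm-no-mac-spoofing"):
        print(row)
    print("matches on IP:", checks_ip("vdsm-no-mac-spoofing"))
```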


