On Mon, Dec 08, 2014 at 11:00:03AM -0500, Laine Stump wrote:
> The macTableManager attribute of a network's bridge subelement tells
> libvirt how the bridge's MAC address table (used to determine the
> egress port for packets) is managed. In the default mode, "kernel",
> management is left to the kernel, which usually determines entries in
> part by turning on promiscuous mode on all ports of the bridge,
> flooding packets to all ports when the correct destination is unknown,
> and adding/removing entries to the fdb as it sees incoming traffic
> from particular MAC addresses. In "libvirt" mode, libvirt turns off
> learning and flooding on all the bridge ports connected to guest
> domain interfaces, and adds/removes entries according to the MAC
> addresses in the domain interface configurations. A side effect of
> turning off learning and unicast_flood on the ports of a bridge is
> that (with Linux kernel 3.17 and newer), the kernel can automatically
> turn off promiscuous mode on one or more of the bridge's ports
> (usually only the one interface that is used to connect the bridge to
> the physical network). The result is better performance (because
> packets aren't being flooded to all ports, and can be dropped earlier
> when they are of no interest) and slightly better security (a guest
> can still send out packets with a spoofed source MAC address, but will
> only receive traffic intended for the guest interface's configured MAC
> address).
>
> The attribute looks like this in the configuration:
>
> <network>
>   <name>test</name>
>   <bridge name='br0' macTableManager='libvirt'/>
>   ...
>
> This patch only adds the config knob, documentation, and test
> cases. The functionality behind this knob is added in later patches.

ACK, design looks good now.
Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
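The following is an added example, not part of the thread above and not libvirt's own code. It audits a set of libvirt `<network>` definitions for the `macTableManager` setting described in the quoted patch, treating an absent attribute as the documented default `"kernel"`, and reports which networks still leave learning and unicast flooding enabled on guest ports (so guests receive flooded traffic). The sample XML documents are constructed for the example, and the `PORT_BEHAVIOUR` table is this example's own summary of the behaviour the patch text describes, not a libvirt data structure.

```python
"""Audit libvirt <network> definitions for the macTableManager attribute.

Added example, not libvirt's own code. It assumes the XML shape shown in
the quoted patch description: <network><bridge name=... macTableManager=.../>.
The sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample definitions: one explicit 'libvirt', one explicit
# 'kernel', and one with the attribute omitted (the default is 'kernel').
SAMPLE_NETWORKS = [
    """<network>
         <name>test</name>
         <bridge name='br0' macTableManager='libvirt'/>
       </network>""",
    """<network>
         <name>legacy</name>
         <bridge name='br1' macTableManager='kernel'/>
       </network>""",
    """<network>
         <name>default</name>
         <bridge name='virbr0'/>
       </network>""",
]

VALID_MODES = {"kernel", "libvirt"}

# What each mode implies for the bridge ports attached to guest interfaces,
# as described in the patch text (this table is the example's own summary):
# in 'libvirt' mode learning and unicast flooding are turned off and fdb
# entries come from the domain interface configuration instead.
PORT_BEHAVIOUR = {
    "kernel":  {"learning": True,  "unicast_flood": True,
                "fdb_source": "kernel learning"},
    "libvirt": {"learning": False, "unicast_flood": False,
                "fdb_source": "domain interface config"},
}


def describe_network(xml_text):
    """Return a dict summarising one <network> document's MAC table mode."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("expected <network> root, got <%s>" % root.tag)
    name = root.findtext("name", default="")
    bridge = root.find("bridge")
    if bridge is None:
        # A network without a <bridge> element has no bridge MAC table to
        # manage; report it and move on rather than failing the audit.
        return {"name": name, "bridge": None, "mode": None, "explicit": False}
    mode = bridge.get("macTableManager")
    explicit = mode is not None
    if mode is None:
        mode = "kernel"          # libvirt's documented default
    if mode not in VALID_MODES:
        raise ValueError("network %r: unknown macTableManager %r" % (name, mode))
    return {
        "name": name,
        "bridge": bridge.get("name"),
        "mode": mode,
        "explicit": explicit,
        "ports": PORT_BEHAVIOUR[mode],
    }


def audit_networks(xml_docs):
    """Summarise each document and list the networks still in kernel mode."""
    summaries = [describe_network(doc) for doc in xml_docs]
    kernel_mode = [s["name"] for s in summaries if s["mode"] == "kernel"]
    return summaries, kernel_mode


if __name__ == "__main__":
    summaries, kernel_mode = audit_networks(SAMPLE_NETWORKS)
    for s in summaries:
        print("%-8s bridge=%-7s mode=%-7s (explicit=%s)"
              % (s["name"], s["bridge"], s["mode"], s["explicit"]))
    print("networks where guest ports still learn and flood:", kernel_mode)
```

Running the script against the three constructed definitions reports `test` in `libvirt` mode and both `legacy` and `default` in `kernel` mode; in a real deployment the documents would come from `virsh net-dumpxml` for each defined network, and a non-empty `kernel_mode` list is the set of bridges on which guests still receive flooded unicast traffic.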