Daniel P. Berrange wrote:

> Actually I believe Karl's use case is that the host explicitly *does*
> know the IP the guest is /supposed/ to be using, and wants to prevent
> it spoofing someone else's IP.

Yes. This is what I was thinking.

> I agree with your general point though, that when trying this in a general
> purpose OS deployment I don't think you can provide sufficient guarantees
> from a libvirt POV. There are simply too many other things that may break
> or otherwise badly interact with the iptables rules we're adding. At the
> very simplest level, 'service iptables restart' messes things up.
>
> In the context of a controlled host image, like the oVirt managed node,
> the mgmt app is in control of the host OS, and in such a scenario it
> may be practical for libvirt to add iptables rules for guests.

I was thinking of a fully managed node.

Thanks for this feedback.

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list