On Wed, 2009-08-19 at 13:35 +0100, Daniel P. Berrange wrote:
> On Wed, Aug 19, 2009 at 02:11:14PM +0200, Gerhard Stenzel wrote:
...
> I think this extra XML element is probably redundant - we should always do
> MAC filtering at all times, on all bridges. Not simply those used in a
> virtual network, but also those connected to a real physical device too.
>
I used the extra XML element as a means to switch filtering on and off, I am not passionate about it.

> I could see having a QEMU driver level configuration option in
> /etc/libvirt/qemu.conf though, to turn filtering on/off for the
> host as a whole though.
>
Fine with me, if that is the preferred way.

> > The current prototype implementation is based on the existing iptables
> > wrapper in libvirt. I basically cloned the iptables wrapper to an
> > ebtables wrapper and did some ebtables specific adjustments. There are
> > currently four occasions when the ebtables wrapper is called:
> > - when creating the network
>
> What do you do to ebtables at this point ?
>
The "filter" element is evaluated at startup of libvirtd and a generic ebtables rule is generated to drop all frames. This could be changed to use the config option.

> > - when adding a guest to the network
> > - when removing a guest from the network
>
> Isn't it sufficient to only use ebtables in these two places ?
>
I think some generic settings should be done at libvirtd startup ...

> > - when destroying the network (currently not implemented)
>
... and some reasonable state should be restored at libvirtd shutdown, but that might be unnecessary.

> > These calls can be augmented to also do for example tagged vlan and
> > protocol filtering.
>
> We probably also want to be able to do IP address filtering too.
>
IP address filtering, VLAN tag filtering and similar are further down on my list.
> ie, if the guest XML has an <ip address> element inside the <interface>
> then we should add rules to ensure only IP traffic matching that
> source/target address is allowed to pass out/in
>
> Daniel

-- 
Best regards,
Gerhard Stenzel,
IBM Deutschland Research & Development GmbH
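The rule set discussed in this thread (a generic drop-all rule at libvirtd startup, per-guest rules when a guest joins or leaves the network, and Daniel's proposed `<ip address>` restriction), as an added POSIX shell example that is not libvirt's ebtables wrapper; the tap device names, MAC and IP addresses are constructed, and the commands are only printed unless EBTABLES_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not libvirt's ebtables wrapper: emits the ebtables rules the
# thread describes. Tap names, MACs and IPs used below are constructed.
# Commands are only printed unless EBTABLES_APPLY=1 is set in the environment.

run() {
    if [ "${EBTABLES_APPLY:-0}" = "1" ]; then
        ebtables "$@"
    else
        echo "ebtables $*"
    fi
}

# Generic rule at libvirtd startup: drop every bridged frame by default,
# so only guests with explicit rules can pass traffic through the bridge.
network_start_rules() {
    run -P FORWARD DROP
}

# Per-guest rules (ACTION is -A when the guest joins, -D when it leaves).
# Frames entering the bridge from the guest's tap must carry the guest's
# own source MAC; with a known <ip address>, IPv4 and ARP must use it too.
# Frames leaving towards the tap must be addressed to the guest or be
# multicast/broadcast (ebtables' Multicast name covers both).
guest_rules() {
    action=$1; tap=$2; mac=$3; ip=${4:-}
    if [ -n "$ip" ]; then
        run "$action" FORWARD -i "$tap" -s "$mac" -p IPv4 --ip-src "$ip" -j ACCEPT
        run "$action" FORWARD -i "$tap" -s "$mac" -p ARP --arp-ip-src "$ip" -j ACCEPT
    else
        run "$action" FORWARD -i "$tap" -s "$mac" -j ACCEPT
    fi
    run "$action" FORWARD -o "$tap" -d "$mac" -j ACCEPT
    run "$action" FORWARD -o "$tap" -d Multicast -j ACCEPT
}

guest_add_rules() { guest_rules -A "$@"; }
guest_del_rules() { guest_rules -D "$@"; }

# Demo with constructed values: two guests, one with a known IP address.
network_start_rules
guest_add_rules vnet0 52:54:00:aa:bb:01 192.168.122.10
guest_add_rules vnet1 52:54:00:aa:bb:02
guest_del_rules vnet1 52:54:00:aa:bb:02
```

With an `<ip address>` configured, the guest can only source IPv4 and ARP from that address, so DHCP discovery sent from 0.0.0.0 is dropped as well and the guest has to use the static address.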