On Wed, Nov 18, 2009 at 05:10:38PM +0100, Gerhard Stenzel wrote:
> On Wed, 2009-11-04 at 12:55 +0000, Daniel P. Berrange wrote:
> ...
> >
> > Mark pointed out to me offlist, that this filtering is a little too
> > restrictive because it also blocks multicast + broadcast packets. We
> > can fix that easily enough with an extra patch though, and a single
> > catch-all rule for multi/broad-cast packets.
> >
> > Daniel
>
> Hi,
> I have revisited this subject and was trying to find a scenario where
> multi/broad-cast packets would be affected by this patch, and failed so
> far.
> Since only the source MAC address of a guest is filtered, I don't see
> how a multicast or broadcast destination MAC address could be a problem.

That is sufficient, I misread how the rules were being added.

That said, I believe there is an issue here with guests that have a NIC
configured with type=network instead of type=bridge. With the former,
no traffic seems to go over the FORWARD chain - only the INPUT chain -
so our rules are not matched.

Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list