On Wed, Nov 06, 2013 at 02:44:57PM +0100, Jan De Landtsheer wrote:
> Hello,
> I _was_ trying to set up an nwfilter for our networking set-up with VXLAN
> and openvswitch, where we use VXLAN as carrier for separate networks
> (unlike OpenStack gre-tunnels).
>
> But with OVS, ebtables do not work, and the basic setup of nwfilter rules
> are based on this premise... or so I understand...
>
> Now..
> Is there a way to define nwfilter rules _without_ ebtables?
>
> What I would like to do is quite simple (block out dhcp{4,6} services from
> VMs, and ipv6 router advertisements)

There's no support for nwfilter at all when using openvswitch, due to
the kernel limitations you mention.

The (disgusting) way OpenStack deals with this is to create a traditional
bridge per vm so you have

   phys nic <-> openvswitch
                    \---> vm bridge <-> vm tap dev
                    \---> vm bridge <-> vm tap dev
                    \---> vm bridge <-> vm tap dev

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list