On 11/19/2013 11:00 AM, vlad halilov wrote:
> Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged
> over macvtap, and found no filtration applied except mac. 'virsh' is just
> silently ignoring the attributes 'filterref' and 'ip address' in different
> formats. No error at the validate stage. Config examples:
>
> ...
> <interface type='direct'>
>   <mac address='52:54:00:31:ae:1a'/>
>   <source dev='em1' mode='private'/>
>
>   <filterref filter='clean-traffic'>
>     <parameter name='IP' value='10.1.101.44'/>
>   </filterref>
>
>   <model type='virtio'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
>            function='0x0'/>
> </interface>
> ...
>
> or like this:
>
> ...
> <interface type='direct'>
>   <mac address='52:54:00:31:ae:1a'/>
>   <source dev='em1' mode='private'/>
>   <ip address='10.1.101.44'/>
>   <filterref filter='clean-traffic'/>
>   <model type='virtio'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
>            function='0x0'/>
> </interface>
> ...
>
> With 'virsh create domain.xml' the vm is created, but dumpxml shows that
> the filterref has disappeared.
> I have not found any success stories with filtering rules and 'direct'
> interface types.
> Is it supported with this type? Or maybe there are other tricks to protect
> the network from vm spoofing with the direct type?
>

The kernel macvtap packet processing bypasses both iptables and ebtables,
so libvirt's filters are ineffective for guest interfaces using a macvtap
connection.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
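As an added illustration of the reply's point (not code from the thread or from libvirt), the following Python script audits a domain definition, such as the output of `virsh dumpxml --inactive <domain>`, and flags `type='direct'` interfaces that carry a `<filterref>` or `<ip>` child, i.e. filter rules that macvtap will never enforce. The sample XML is constructed from the snippets quoted above, with a second bridge-type interface added to show the check leaves enforceable filters alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample, assembled from the interface snippets quoted in the thread.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>sample</name>
  <devices>
    <interface type='direct'>
      <mac address='52:54:00:31:ae:1a'/>
      <source dev='em1' mode='private'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.1.101.44'/>
      </filterref>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:31:ae:1b'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""


def find_unenforced_filters(domain_xml):
    """Return (mac, filter_name, ip) for each type='direct' interface with a
    <filterref> or <ip> child.  Such rules are never enforced: macvtap traffic
    bypasses iptables/ebtables, which nwfilter relies on.  Other types are skipped."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iterfind("./devices/interface"):
        if iface.get("type") != "direct":
            continue
        filterref = iface.find("filterref")
        ip = iface.find("ip")
        if filterref is None and ip is None:
            continue  # plain macvtap interface, nothing to flag
        mac = iface.find("mac")
        findings.append((
            mac.get("address") if mac is not None else None,
            filterref.get("filter") if filterref is not None else None,
            ip.get("address") if ip is not None else None,
        ))
    return findings


if __name__ == "__main__":
    for mac, flt, ip in find_unenforced_filters(SAMPLE_DOMAIN_XML):
        print(f"WARNING: {mac}: filter {flt!r} (ip={ip}) on a type='direct' "
              "interface is not enforced by macvtap")
```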