On Wed, Nov 18, 2009 at 05:10:38PM +0100, Gerhard Stenzel wrote:
> On Wed, 2009-11-04 at 12:55 +0000, Daniel P. Berrange wrote:
> ...
> >
> > Mark pointed out to me offlist, that this filtering is a little too
> > restrictive because it also blocks multicast + broadcast packets. We
> > can fix that easily enough with an extra patch though, and a single
> > catch-all rule for multi/broad-cast packets.
> >
> > Daniel
> Hi,
> I have revisited this subject and was trying to find a scenario where
> multi/broad-cast packets would be affected by this patch and failed so
> far.
> Since only the source MAC address of a guest is filtered, I don't see
> how a multicast or broadcast destination MAC address could be a problem.
That is sufficient, I misread how the rules were being added.

That said, I believe this is an issue in here with guests with a NIC
configured with type=network instead of type=bridge. With the former,
no traffic seems to go over the FORWARD chain - only the INPUT
chain, so our rules are not matched.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
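The gap Daniel describes (source-MAC rules only on the FORWARD chain, so a guest on a type=network NIC whose frames are delivered to the host through INPUT is never matched) can be illustrated with a small rule generator. This is an added example, not code from the thread or from libvirt; it assumes the rules are ebtables rules (the thread does not name the tool) and uses a constructed tap interface name and guest MAC. It prints the rules rather than applying them, so it can be inspected before being piped to a shell on a host.

```shell
#!/bin/sh
# Added example (not libvirt's code): emit source-MAC filter rules for one
# guest interface on both the INPUT and FORWARD chains, so that guests on a
# type=network NIC (frames to the host traverse INPUT) are covered as well
# as type=bridge guests (frames crossing the bridge traverse FORWARD).
# Assumes ebtables syntax; interface and MAC values are constructed.

# Accept only a MAC of the form aa:bb:cc:dd:ee:ff.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print one rule per chain that drops frames arriving on interface $1
# whose source MAC is not $2. Only prints; pipe the output to sh to apply.
mac_filter_rules() {
    iface=$1
    mac=$2
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    for chain in INPUT FORWARD; do
        printf 'ebtables -A %s -i %s -s ! %s -j DROP\n' "$chain" "$iface" "$mac"
    done
}

# Weak variant for comparison: FORWARD only, which is what the thread says
# misses guests attached with type=network.
mac_filter_rules_forward_only() {
    printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$1" "$2"
}

# Count the distinct chains a generated rule set touches (field 3 of each
# "ebtables -A <chain> ..." line), to make the coverage gap visible.
chains_covered() {
    "$@" | awk '{print $3}' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: show both variants for a constructed guest.
mac_filter_rules tap0 52:54:00:12:34:56
echo "--- forward-only variant ---"
mac_filter_rules_forward_only tap0 52:54:00:12:34:56
```

Running the script prints two rules for the corrected variant and one for the FORWARD-only variant; `chains_covered mac_filter_rules tap0 <mac>` returns 2 while the FORWARD-only variant returns 1.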