[libvirt] Re: Libvirt, nwfilter, openvswitch

There's no support for nwfilter at all when using openvswitch, due to the kernel limitations you mention. The (disgusting) way openstack deals with this is to create a traditional bridge per vm so you have phys nic <-> openvswitch \---> vm bridge <-> vm tap dev \---> vm bridge <-> vm tap dev \---> vm bridge <-> vm tap dev