
Daniel P. Berrange wrote:
> Actually I believe Karl's use case is that the host explicitly *does* know the IP the guest is /supposed/ to be using, and wants to prevent it spoofing someone else's IP.

Yes. This is what I was thinking.

> I agree with your general point though, that when trying this in a general purpose OS deployment I don't think you can provide sufficient guarantees from a libvirt POV. There are simply too many other things that may break or otherwise badly interact with the iptables rules we're adding. At the very simplest level, 'service iptables restart' messes things up.
>
> In the context of a controlled host image, like the oVirt managed node, the mgmt app is in control of the host OS, and in such a scenario it may be practical for libvirt to add iptables rules for guests.

I was thinking of a fully managed node. Thanks for this feedback.