On 04/30/2015 10:26 AM, Lars Kellogg-Stedman wrote:
I am running OpenStack inside a libvirt guest that is connected to
the
local network via a macvtap interface. My experience so far suggests
that a macvtap interface will not pass traffic with a source MAC
address other than the MAC address of the interface itself...for
example, if inside the guest eth0 is attached to a bridge.
Is that correct, or is there some setting that will make that work?
Outbound traffic doesn't seem to be a problem (I can see, for example,
dhcp requests on the local network), but replies get dropped before
they reach the guest.
My understanding is that macvtap doesn't work with multiple MAC
addresses behind the macvtap device. There might be some way to make it
work, but if there is libvirt doesn't have a knob for it. (I Cc'ed Vlad
in case he wants to give a more informed statement).
Recent versions of libvirt have the ability to change the MAC address
(and multicast table) of the macvtap device based on events from the
virtual guest, which allows the guest to change the interface's MAC
address and have traffic still pass, but that is different from allowing
multiple MAC addresses at the same time. (this functionality is enabled
by adding "trustGuestRxFilters='yes'" as an attribute to the
guest's
<interface> element)
If you need to do support multiple MAC addresses coming from the guest,
you should probably use a standard tap-to-bridge connection on the host
instead (and make sure your openstack config isn't adding "<filterref
name='clean-traffic'/>" to the guest's interface, as that filter
enforces a strict single MAC address policy on traffic from the guest).