[libvirt-users] Lack of ebtables rules when using nwfilters

Hi I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs: VM definition: <domain type='xen'> <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid> <name>instance-00000168</name> <memory>2097152</memory> <os> <type>linux</type> <root>/dev/xvda</root> <kernel>/var/lib/nova/instances/instance-00000168/kernel</kernel> <cmdline>ro</cmdline> <initrd>/var/lib/nova/instances/instance-00000168/ramdisk</initrd> </os> <features> <acpi/> </features> <vcpu>2</vcpu> <devices> <disk type='file' device='disk'> <driver type='raw' cache='none'/> <source file='/var/lib/nova/instances/instance-00000168/disk'/> <target dev='sda' bus='scsi'/> </disk> <disk type='file'> <driver type='raw' cache='none'/> <source file='/var/lib/nova/instances/instance-00000168/disk.swap'/> <target dev='sdb' bus='scsi'/> </disk> <interface type='bridge'> <source bridge='br0'/> <mac address='fa:16:3e:1e:70:87'/> <filterref filter="nova-instance-instance-00000168-fa163e1e7087"> <parameter name="IP" value="10.255.0.114" /> <parameter name="DHCPSERVER" value="10.255.0.3" /> </filterref> </interface> <console type='pty'/> <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' listen='127.0.0.1'/> </devices> </domain> # virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087 <filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'> <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid> <filterref filter='nova-base'/> </filter> # virsh nwfilter-dumpxml nova-base <filter name='nova-base' chain='root'> <uuid>197b7f7a-389c-bd6d-6b77-07b88d3d9138</uuid> <filterref filter='no-mac-spoofing'/> <filterref filter='no-ip-spoofing'/> <filterref filter='no-arp-spoofing'/> </filter> # ebtables -t nat -L Bridge table: nat Bridge chain: PREROUTING, entries: 0, policy: ACCEPT Bridge chain: OUTPUT, entries: 0, policy: ACCEPT Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT # ebtables -L Bridge table: filter Bridge chain: INPUT, entries: 0, policy: ACCEPT Bridge chain: FORWARD, entries: 0, policy: ACCEPT Bridge chain: OUTPUT, entries: 0, policy: ACCEPT logs: 2013-04-23 10:47:37.438+0000: 30155: debug : virNWFilterDefineXML:16099 : conn=0x1331ff0, xmlDesc=<filter name='nova-instance-instance-00000167-fa163e4faae5' chain='roo t'><filterref filter='nova-base'/></filter> 2013-04-23 10:47:37.544+0000: 30155: debug : virNWFilterFree:15971 : nwfilter=0x7f18400bc2b0 2013-04-23 10:47:37.544+0000: 30155: debug : virUnrefNWFilter:1262 : unref nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 1 2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1222 : release nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 875ff1e5-fc4d-2fca-9 da2-f163f273ad6a 2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1229 : unref connection 0x1331ff0 2 regards Maciej Gałkiewicz