<div dir="ltr">Hi<div><br></div><div>I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs:</div><div><div><br></div><div style>
VM definition:</div><div><domain type='xen'></div><div> <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid></div></div><div> <name>instance-00000168</name></div><div> <memory>2097152</memory></div>
<div> <os></div><div> <type>linux</type></div><div> <root>/dev/xvda</root></div><div> <kernel>/var/lib/nova/instances/instance-00000168/kernel</kernel></div>
<div> <cmdline>ro</cmdline></div><div> <initrd>/var/lib/nova/instances/instance-00000168/ramdisk</initrd></div><div> </os></div><div> <features></div>
<div> <acpi/></div><div> </features></div><div> <vcpu>2</vcpu></div><div> <devices></div><div> <disk type='file' device='disk'></div><div> <driver type='raw' cache='none'/></div>
<div> <source file='/var/lib/nova/instances/instance-00000168/disk'/></div><div> <target dev='sda' bus='scsi'/></div><div> </disk></div><div> <disk type='file'></div>
<div> <driver type='raw' cache='none'/></div><div> <source file='/var/lib/nova/instances/instance-00000168/disk.swap'/></div><div> <target dev='sdb' bus='scsi'/></div>
<div> </disk></div><div><br></div><div> <interface type='bridge'></div><div> <source bridge='br0'/></div><div> <mac address='fa:16:3e:1e:70:87'/></div>
<div> <filterref filter="nova-instance-instance-00000168-fa163e1e7087"></div><div> <parameter name="IP" value="10.255.0.114" /></div><div> <parameter name="DHCPSERVER" value="10.255.0.3" /></div>
<div> </filterref></div><div> </interface></div><div><br></div><div><br></div><div> <console type='pty'/></div><div><br></div><div><br></div><div> <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' listen='127.0.0.1'/></div>
<div> </devices></div><div></domain> </div><div><br></div><div><div># virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087</div><div><filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'></div>
<div> <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid></div><div> <filterref filter='nova-base'/></div><div></filter></div><div><br></div><div># virsh nwfilter-dumpxml nova-base</div><div>
<filter name='nova-base' chain='root'></div><div> <uuid>197b7f7a-389c-bd6d-6b77-07b88d3d9138</uuid></div><div> <filterref filter='no-mac-spoofing'/></div><div> <filterref filter='no-ip-spoofing'/></div>
<div> <filterref filter='no-arp-spoofing'/></div><div></filter></div><div><br></div><div style><div># ebtables -t nat -L</div><div>Bridge table: nat</div><div><br></div><div>Bridge chain: PREROUTING, entries: 0, policy: ACCEPT</div>
<div><br></div><div>Bridge chain: OUTPUT, entries: 0, policy: ACCEPT</div><div><br></div><div>Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT</div><div># ebtables -L</div><div>Bridge table: filter</div><div><br></div>
<div>Bridge chain: INPUT, entries: 0, policy: ACCEPT</div><div><br></div><div>Bridge chain: FORWARD, entries: 0, policy: ACCEPT</div><div><br></div><div>Bridge chain: OUTPUT, entries: 0, policy: ACCEPT</div></div><div><br>
</div><div style>logs:</div><div style><div>2013-04-23 10:47:37.438+0000: 30155: debug : virNWFilterDefineXML:16099 : conn=0x1331ff0, xmlDesc=<filter name='nova-instance-instance-00000167-fa163e4faae5' chain='roo</div>
<div>t'><filterref filter='nova-base'/></filter></div><div>2013-04-23 10:47:37.544+0000: 30155: debug : virNWFilterFree:15971 : nwfilter=0x7f18400bc2b0</div><div>2013-04-23 10:47:37.544+0000: 30155: debug : virUnrefNWFilter:1262 : unref nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 1</div>
<div>2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1222 : release nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 875ff1e5-fc4d-2fca-9</div><div>da2-f163f273ad6a</div><div>2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1229 : unref connection 0x1331ff0 2</div>
</div><div><br></div><div style>regards</div>Maciej Gałkiewicz<br></div></div>