[libvirt] [PATCH 2/2] add MAC address based port filtering to qemu

Daniel P. Berrange berrange at redhat.com
Thu Nov 19 16:31:56 UTC 2009

On Wed, Nov 18, 2009 at 05:10:38PM +0100, Gerhard Stenzel wrote:
> On Wed, 2009-11-04 at 12:55 +0000, Daniel P. Berrange wrote:
> ...
> > 
> > Mark  pointed  out to me offlist, that this filtering is a little too
> > restrictive because it also blocks multicast + broadcast packets. We
> > can fix that easily enough with an extra patch though, and a single
> > catch-all rule for multi/broad-cast packets.
> > 
> > Daniel
> Hi,
> I have revisited this subject and was trying to find a scenario where
> multi/broad-cast packets would be affected by this patch, and have failed so
> far.
> Since only the source MAC address of a guest is filtered, I don't see
> how a multicast or broadcast destination MAC address could be a problem.

That is sufficient; I misread how the rules were being added.

That said, I believe there is an issue here with guests with a NIC
configured with type=network instead of type=bridge. With the former,
no traffic seems to go over the FORWARD chain, only the INPUT
chain, so our rules are not matched.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
