[libvirt] [RFC] Allowing promiscuous mode for domains network interfaces
Jean-Baptiste Rouault
jean-baptiste.rouault at diateam.net
Thu Jul 5 07:40:15 UTC 2012
On Monday 02 July 2012 19:14:04 Eric Blake wrote:
> On 07/02/2012 09:28 AM, Jean-Baptiste Rouault wrote:
> > Hi all,
> >
> > By default, OpenVZ and VirtualBox (> 4.0.x) filter network packets by MAC
> > addresses: only broadcast, multicast and packets directly targeted to
> > VMs are transmitted.
> > This behaviour prevents using promiscuous mode inside domains.
> >
> > I'd like to write some patches to disable these filters from libvirt.
> > Would it be ok to modify OpenVZ and VirtualBox drivers so that they
> > disable the filters by default?
> >
> > If this is not acceptable, what about making it configurable through
> > domains' XML?
>
> It sounds like exposing this through the domain XML would be useful to
> other hypervisors, and certainly something that I would rather have
> configurable per-guest instead of hard-coded to one default or another.
> We might declare that if the XML element is not present then it is up
> to hypervisor defaults whether the interface is promiscuous, to allow
> for back-compat, while still allowing the user to explicitly select
> narrow or promiscuous with new libvirt.

Ok, so what about adding a "promiscuouspolicy" attribute to the "interface"
tag?

There are currently 3 possible values with VirtualBox:
- Deny
- AllowNetwork: allow promiscuous mode but restrict its scope to the internal
  network
- AllowAll

So we could create a virDomainNetPromiscuousPolicy enum with these 3 values
for a start.

Regards
--
Jean-Baptiste ROUAULT
Ingénieur R&D - diateam : Architectes de l'information
Phone : +33 (0)2 98 050 050 Fax : +33 (0)2 98 050 051
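
An added example, not part of the original message and not libvirt code: a small audit of a domain definition under the proposal above, where the three VirtualBox values are accepted and a missing attribute means "left to the hypervisor default", as suggested in the quoted reply. The "promiscuouspolicy" attribute is the one proposed in this thread; the sample XML, the function names and the "hypervisor-default" label are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The three policy names listed in the message, matched case-insensitively.
POLICIES = {"deny": "Deny", "allownetwork": "AllowNetwork", "allowall": "AllowAll"}
HYPERVISOR_DEFAULT = "hypervisor-default"  # assumed label for "attribute absent"

# Constructed sample; "promiscuouspolicy" is the attribute proposed in the
# thread, not an existing libvirt attribute.
SAMPLE_DOMAIN_XML = """
<domain type='vbox'>
  <name>constructed-guest</name>
  <devices>
    <interface type='bridge' promiscuouspolicy='AllowAll'>
      <mac address='52:54:00:00:00:01'/>
    </interface>
    <interface type='internal' promiscuouspolicy='AllowNetwork'>
      <mac address='52:54:00:00:00:02'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:03'/>
    </interface>
  </devices>
</domain>
"""

def interface_policies(domain_xml):
    """Return [(mac, policy)] for every <interface> in a domain definition."""
    result = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else None
        raw = iface.get("promiscuouspolicy")
        if raw is None:
            policy = HYPERVISOR_DEFAULT  # back-compat: no element, no opinion
        else:
            key = raw.strip().lower()
            if key not in POLICIES:
                raise ValueError(f"unknown promiscuouspolicy {raw!r} on {mac}")
            policy = POLICIES[key]
        result.append((mac, policy))
    return result

def audit(domain_xml):
    """Group interface MACs by effective policy so AllowAll stands out."""
    groups = {}
    for mac, policy in interface_policies(domain_xml):
        groups.setdefault(policy, []).append(mac)
    return groups
```

Interfaces reported under "hypervisor-default" are the ones whose exposure depends on the driver, so an operator reviewing which guests can see other guests' traffic would check those together with the "AllowAll" group.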