[libvirt] [PATCHv3 3/9] conf: new network bridge device attribute macTableManager

Daniel P. Berrange berrange at redhat.com
Mon Dec 8 16:33:35 UTC 2014 

On Mon, Dec 08, 2014 at 11:00:03AM -0500, Laine Stump wrote:
> The macTableManager attribute of a network's bridge subelement tells
> libvirt how the bridge's MAC address table (used to determine the
> egress port for packets) is managed. In the default mode, "kernel",
> management is left to the kernel, which usually determines entries in
> part by turning on promiscuous mode on all ports of the bridge,
> flooding packets to all ports when the correct destination is unknown,
> and adding/removing entries to the fdb as it sees incoming traffic
> from particular MAC addresses.  In "libvirt" mode, libvirt turns off
> learning and flooding on all the bridge ports connected to guest
> domain interfaces, and adds/removes entries according to the MAC
> addresses in the domain interface configurations. A side effect of
> turning off learning and unicast_flood on the ports of a bridge is
> that (with Linux kernel 3.17 and newer), the kernel can automatically
> turn off promiscuous mode on one or more of the bridge's ports
> (usually only the one interface that is used to connect the bridge to
> the physical network). The result is better performance (because
> packets aren't being flooded to all ports, and can be dropped earlier
> when they are of no interest) and slightly better security (a guest
> can still send out packets with a spoofed source MAC address, but will
> only receive traffic intended for the guest interface's configured MAC
> address).
> 
> The attribute looks like this in the configuration:
> 
>   <network>
>     <name>test</name>
>     <bridge name='br0' macTableManager='libvirt'/>
>     ...
> 
> This patch only adds the config knob, documentation, and test
> cases. The functionality behind this knob is added in later patches.

ACK, design looks good now.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list