wido commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2070862069
> > > > My suggestion:
> > > > ```
> > > > * Enable this in Libvirt
> > > >
> > > > * Remove functionality from security_group.py
> > > > ```
> > >
> > > meaning, @wido, this is good but we need to add a removal of some of the " -j DROP/ACCEPT" lines from the script? sounds like some precision surgery. Do you know which ones to drop? cc @weizhouapache.
> >
> > It would, I think if you take a look it starts here:
> > https://github.com/apache/cloudstack/blob/8ff2c018cc5b3fc69bcd8756695d04b384e46ab8/scripts/vm/network/security_group.py#L280
> >
> > * default_ebtables_rules()
> > * destroy_ebtables_rules()
> >
> > Those would no longer be needed
>
> @wido actually I am thinking of disabling this change for VMs with security groups. The script `security_group.py` programs iptables/ebtables rules including the mac/ip/arp anti-spoofing; it has been proved to be working well with both ipv4/ipv6 addresses and one/multiple network nics. This PR only contains `no-mac-spoofing`, which is not good enough to replace the `security_group.py`. It looks like a precise surgery to remove the ebtables rules, as @DaanHoogland said. We could drop the methods in `security_group.py` if all mac/ip/arp anti-spoofing are supported (see the PR description).
>
> Other than that, the upgrade could be an issue as the VMs started in old versions (before upgrade) do not have the configuration in their VM XML definition.

Sounds good. I would only add this to VMs without any SG. That would get my approval.