> From: "InterNetX - Juergen Gotteswinter" <j...@internetx.com>
> To: users@ovirt.org
> Sent: Thursday, July 16, 2015 3:21:15 PM
> Subject: [ovirt-users] Problem with Mac Spoof Filter
>
> Hi,
>
> seems like the Setting EnableMACAntiSpoofingFilterRules only applies to
> the main IP of a VM, additional IP Addresses on Alias Interfaces (eth0:x)
> are not included in the generated ebtables ruleset.
>
> Is there any Workaround / Setting / whatever to allow more than one IP
> without completely disabling this Filter?
>
> Thanks,
>
> Juergen

IIUC this works with hwaddr only:

virsh # nwfilter-dumpxml vdsm-no-mac-spoofing
<filter name='vdsm-no-mac-spoofing' chain='root'>
  <uuid>cd70b235-b0f7-461e-9080-7e6d750e2c70</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-mac-spoofing'/>
</filter>

virsh # nwfilter-dumpxml no-mac-spoofing
<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <uuid>b7bbb2e5-2208-47cb-a0e6-1d0a81b5e515</uuid>
  <rule action='return' direction='out' priority='500'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

virsh # nwfilter-dumpxml no-arp-mac-spoofing
<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
  <uuid>454abfeb-259c-4868-bf64-de1315a97aa6</uuid>
  <rule action='return' direction='out' priority='350'>
    <arp arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

j.
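
Added example, not part of the original thread or of oVirt/libvirt code: a small Python check that walks the three filter dumps quoted in the reply, follows the filterref links, and lists which protocol fields the rules actually compare. The "example-ip-check" filter is constructed here for contrast, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Filter bodies copied from the nwfilter-dumpxml output above (uuid elements omitted).
FILTERS = {
    "vdsm-no-mac-spoofing": """<filter name='vdsm-no-mac-spoofing' chain='root'>
        <filterref filter='no-mac-spoofing'/>
        <filterref filter='no-arp-mac-spoofing'/></filter>""",
    "no-mac-spoofing": """<filter name='no-mac-spoofing' chain='mac' priority='-800'>
        <rule action='return' direction='out' priority='500'><mac srcmacaddr='$MAC'/></rule>
        <rule action='drop' direction='out' priority='500'><mac/></rule></filter>""",
    "no-arp-mac-spoofing": """<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
        <rule action='return' direction='out' priority='350'><arp arpsrcmacaddr='$MAC'/></rule>
        <rule action='drop' direction='out' priority='1000'/></filter>""",
    # Constructed for contrast, not from the thread: a rule that does compare an IP.
    "example-ip-check": """<filter name='example-ip-check' chain='arp'>
        <rule action='return' direction='out'><arp arpsrcipaddr='$IP'/></rule></filter>""",
}
# libvirt nwfilter attributes that match on an IPv4 address (ip and arp elements).
IP_FIELDS = {"srcipaddr", "dstipaddr", "arpsrcipaddr", "arpdstipaddr"}


def collect_rules(name, filters=FILTERS, seen=None):
    """Flatten a filter into (filter, action, protocol, attrs) tuples, following filterrefs."""
    seen = set() if seen is None else seen
    if name in seen or name not in filters:  # guard against reference loops / missing defs
        return []
    seen.add(name)
    rules = []
    for node in ET.fromstring(filters[name]):
        if node.tag == "filterref":
            rules += collect_rules(node.get("filter"), filters, seen)
        elif node.tag == "rule":
            # A rule with no protocol child (the final ARP drop) matches everything.
            for proto in list(node) or [None]:
                rules.append((name, node.get("action"),
                              None if proto is None else proto.tag,
                              {} if proto is None else dict(proto.attrib)))
    return rules


def matched_fields(name, filters=FILTERS):
    """Every protocol attribute the filter tree compares against a value."""
    return {attr for *_, attrs in collect_rules(name, filters) for attr in attrs}


def constrains_ip(name, filters=FILTERS):
    return bool(matched_fields(name, filters) & IP_FIELDS)


if __name__ == "__main__":
    for f in ("vdsm-no-mac-spoofing", "example-ip-check"):
        print(f, sorted(matched_fields(f)), "IP-aware:", constrains_ip(f))
```

The result covers only the filters dumped in the reply; any other filter bound to the same vNIC would have to be dumped and added to FILTERS before drawing a conclusion about the whole ruleset.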