Description of problem:
oVirt filters mac addresses not registered by the guest nic

Version-Release number of selected component (if applicable):
all

How reproducible:
Create a virtual nic within a guest and use vlans in the vnic. The vlan traffic will be stopped by ebtables

Steps to Reproduce:
1. Install a tap adapter
2. Create tagged vlan traffic from the tap adapter
3. The tagged traffic won't go through the bridge due to an ebtable rule.

Actual results:
No tagged traffic goes out to the network

Expected results:
Traffic can flow normally

Additional info:
I'm not reporting from my personal experience but by a post in the list. This is the second time I see someone with this problem and using a lot of time to get to the root of the problem.

no-mac-spoofing is a security measure which most of our users want. I think that disabling it by default is wrong. Have you tried following http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook to install vdsm-hook-macspoof? Setting http://www.ovirt.org/Vdsm_Hooks#Device-level_hooks makes the option of allowing mac-spoofing much more accessible.
Dear Dan, I'm not questioning the use of no-mac-spoofing. I question that this is enabled by default. In the time I've been on the list, I have seen people having trouble with this more than once. I think that having it disabled by default will give the people that do understand and want this security measure running the option of enabling it, and not the other way around, as more inexperienced people may fall for this without knowing it exists. These people may not find out that this is their problem and that they have to install a hook to customize it until they actually have a problem and spend at least a couple of days until they reach a solution or a helping hand pointing in the right direction. Regards,
I believe that installing and configuring vdsm-hook-macspoof by default would make this feature more accessible and easier to consume. Don't you think?
That seems to be a better solution. I agree that by doing that we can get the best of both worlds. It should be also documented so everybody knows how to use this. Regards
Come to think of it, we already have an rfe bug 1193224 about this. We may want to give an indication how many packets have been filtered out as a warning on each vnic.
Moving to DWH as we would like to get this via the metrics store.
Dan, is this still relevant? Can you please sync with Shirly on exact requirements?
It is still relevant, but I am afraid we don't have the capacity to handle this anytime soon.