Back to bug 1009608

Who When What Removed Added
Allie DeVolder 2013-09-18 17:15:21 UTC Priority unspecified high
Hardware Unspecified All
OS Unspecified Linux
Severity unspecified high
Einav Cohen 2013-09-19 21:55:45 UTC CC ecohen
Whiteboard network
Itamar Heim 2013-09-22 07:16:40 UTC Keywords FutureFeature
Red Hat Bugzilla 2013-09-22 07:16:40 UTC Doc Type Bug Fix Enhancement
Nir Yechiel 2013-12-15 12:35:18 UTC CC nyechiel
Nir Yechiel 2013-12-15 12:46:51 UTC Flags needinfo?(lpeer)
Ayal Baron 2014-01-01 08:08:51 UTC CC abaron
lpeer 2014-01-01 15:17:52 UTC CC avoss
Flags needinfo?(lpeer) needinfo?(avoss)
Nir Yechiel 2014-05-05 08:09:54 UTC Priority high low
John Skeoch 2014-09-07 23:10:55 UTC CC acathrow rbalakri
John Skeoch 2014-09-07 23:50:28 UTC Assignee acathrow rbalakri
Scott Herold 2014-09-09 15:57:15 UTC Assignee rbalakri sherold
Bryan Yount 2014-09-26 15:36:43 UTC Link ID Red Hat Knowledge Base (Solution) 640003
Marina Kalinin 2014-09-26 16:19:03 UTC Priority low medium
CC mkalinin
Marina Kalinin 2014-09-26 16:31:29 UTC Flags needinfo?(nyechiel)
Nir Yechiel 2014-09-29 12:16:53 UTC Flags needinfo?(avoss) needinfo?(nyechiel)
Rafael Dini 2015-11-09 15:03:06 UTC CC rdini
Yaniv Kaul 2015-11-11 16:00:25 UTC Flags needinfo?(mkalinin)
Marina Kalinin 2015-11-11 16:15:58 UTC Status NEW CLOSED
Resolution --- WONTFIX
Flags needinfo?(mkalinin)
Last Closed 2015-11-11 11:15:58 UTC
Yaniv Lavi 2016-02-10 19:58:34 UTC oVirt Team --- Network
John Skeoch 2016-04-18 06:58:58 UTC CC srevivo
Koutuk Shukla 2016-11-28 15:10:21 UTC Status CLOSED NEW
CC kshukla
Version 3.2.0 3.6.9
Resolution WONTFIX ---
Keywords Reopened
Yaniv Lavi 2016-11-30 09:50:16 UTC CC ydary
Itamar Heim 2016-12-04 20:33:17 UTC CC iheim
Pawan kumar Vilayatkar 2017-01-18 17:41:25 UTC CC pvilayat
Shivraj 2017-04-12 09:15:08 UTC CC sherold, shipatil
Flags needinfo?(sherold)
Yaniv Lavi 2017-04-23 07:54:29 UTC CC mgoldboi
Assignee sherold mgoldboi
Flags needinfo?(sherold) needinfo?(mgoldboi)
Yaniv Lavi 2017-04-23 07:55:22 UTC Assignee mgoldboi ydary
Flags needinfo?(mgoldboi) needinfo?(ydary)
Yaniv Lavi 2017-04-23 07:57:50 UTC Flags needinfo?(ydary)
Shivraj 2017-05-18 03:26:12 UTC Flags needinfo?(ydary)
Yaniv Lavi 2017-05-21 07:27:57 UTC Flags needinfo?(ydary)
Cory Bannister 2017-07-07 16:17:13 UTC CC cory.bannister
Robert McSwain 2017-08-17 01:42:32 UTC CC rmcswain
Yaniv Lavi 2017-08-30 13:19:07 UTC Flags needinfo?(rmcswain)
Scott Herold 2017-09-12 15:02:33 UTC CC sherold
Justin 2017-10-11 19:02:09 UTC CC stmariejw
Dan Kenigsberg 2018-04-01 13:20:55 UTC CC fnanushr
CC danken
Yaniv Lavi 2018-04-01 14:42:28 UTC Flags needinfo?(fnanushr)
Yaniv Kaul 2018-05-21 06:37:46 UTC Summary [RFE] support for PVLANs in RHEV [RFE] support for PVLANs in RHV
Yaniv Lavi 2018-06-10 11:39:10 UTC Target Milestone --- ovirt-4.2.5
Summary [RFE] support for PVLANs in RHV [RFE] Limit east-west traffic of VMs with network filter
Dan Kenigsberg 2018-07-05 19:44:27 UTC CC gklein, lsurette, Rhev-m-bugs, spower
Component RFEs ovirt-engine
Assignee ylavi nobody
QA Contact yeylon mavital
Assignee nobody amusil
PnT Account Manager 2018-07-18 14:21:03 UTC CC rbalakri
Ales Musil 2018-07-19 08:22:46 UTC Depends On 1603115
Meni Yakove 2018-07-19 10:20:29 UTC CC myakove
Yaniv Lavi 2018-07-19 11:53:43 UTC Flags needinfo?(rmcswain) needinfo?(fnanushr)
Dan Kenigsberg 2018-07-19 12:13:16 UTC Target Milestone ovirt-4.2.5 ovirt-4.2.6
Dan Kenigsberg 2018-07-22 08:18:10 UTC Status NEW ASSIGNED
Michael Burman 2018-07-22 08:49:47 UTC CC mburman
Dan Kenigsberg 2018-07-22 08:52:57 UTC Status ASSIGNED POST
Link ID oVirt gerrit 93109
Dan Kenigsberg 2018-08-01 19:26:49 UTC Status POST MODIFIED
Dan Kenigsberg 2018-08-01 19:28:36 UTC Target Milestone ovirt-4.2.6 ovirt-4.2.7
RHV bug bot 2018-08-01 19:32:47 UTC Blocks 1610979
RHV bug bot 2018-08-01 19:33:07 UTC Keywords ZStream
Target Milestone ovirt-4.2.7 ovirt-4.3.0
Michael Burman 2018-08-02 07:52:41 UTC QA Contact mavital mburman
Francisco Garcia 2018-08-06 16:52:01 UTC CC fgarciad
Dan Kenigsberg 2018-08-20 06:43:26 UTC Status MODIFIED ASSIGNED
Ales Musil 2018-09-04 06:56:49 UTC Status ASSIGNED MODIFIED
Michael Burman 2018-09-05 05:57:18 UTC Status MODIFIED VERIFIED
PnT Account Manager 2018-11-05 22:37:08 UTC CC ylavi
Ales Musil 2018-11-20 12:15:14 UTC Doc Text Feature:

Limit east-west traffic of VMs.

Reason:

To enable traffic only between VM and gateway.

Result:

The new filter 'clean-traffic-gateway' has been added to libvirt. With parameter called 'GATEWAY_MAC' user can specify MAC address of gateway that is allowed to communicate with the VM and vice versa. Please note that user can specify multiple 'GATEWAY_MAC'.

There are two possible configurations of VM:

1) VM with static IP

This is recommended setup. It is also recommended setting of parameter 'CTRL_IP_LEARNING' to 'none', any other value will result in leak of initial traffic. This is caused by libvirt learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details).

2) VM with DHCP

DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).


The filter has general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
Sandro Bonazzola 2018-11-26 16:36:13 UTC Target Release --- 4.3.0
Fixed In Version ovirt-engine-4.3.0_alpha
Michael Burman 2019-01-22 13:59:19 UTC Flags testing_plan_complete+
PnT Account Manager 2019-02-13 23:07:04 UTC CC nyechiel
Tahlia Richardson 2019-02-28 12:01:13 UTC CC trichard
Doc Text Feature:

Limit east-west traffic of VMs.

Reason:

To enable traffic only between VM and gateway.

Result:

The new filter 'clean-traffic-gateway' has been added to libvirt. With parameter called 'GATEWAY_MAC' user can specify MAC address of gateway that is allowed to communicate with the VM and vice versa. Please note that user can specify multiple 'GATEWAY_MAC'.

There are two possible configurations of VM:

1) VM with static IP

This is recommended setup. It is also recommended setting of parameter 'CTRL_IP_LEARNING' to 'none', any other value will result in leak of initial traffic. This is caused by libvirt learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details).

2) VM with DHCP

DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).


The filter has general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
This realease allows you to limit east-west traffic of VMs, to enable traffic only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. With a parameter called GATEWAY_MAC, a user can specify the MAC address of the gateway that is allowed to communicate with the VM and vice versa. Note that users can specify multiple GATEWAY_MACs. There are two possible configurations of VM:

1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'. Any other value will result in a leak of initial traffic. This is caused by libvirt's learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details).

2) A VM with DHCP. DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).

The filter has a general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
Rolfe Dlugy-Hegwer 2019-03-01 17:12:56 UTC CC rdlugyhe
Doc Text This realease allows you to limit east-west traffic of VMs, to enable traffic only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. With a parameter called GATEWAY_MAC, a user can specify the MAC address of the gateway that is allowed to communicate with the VM and vice versa. Note that users can specify multiple GATEWAY_MACs. There are two possible configurations of VM:

1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'. Any other value will result in a leak of initial traffic. This is caused by libvirt's learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details).

2) A VM with DHCP. DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).

The filter has a general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
This release allows you to limit east-west traffic of VMs, to enable traffic only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. With a parameter called GATEWAY_MAC, a user can specify the MAC address of the gateway that is allowed to communicate with the VM and vice versa. Note that users can specify multiple GATEWAY_MACs. There are two possible configurations of VM:

1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'. Any other value will result in a leak of initial traffic. This is caused by libvirt's learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details).

2) A VM with DHCP. DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).

The filter has a general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.
Gil Klein 2019-04-14 12:51:13 UTC CC gklein
errata-xmlrpc 2019-04-30 00:05:35 UTC Status VERIFIED RELEASE_PENDING
errata-xmlrpc 2019-05-08 12:36:47 UTC Status RELEASE_PENDING CLOSED
Resolution --- ERRATA
Last Closed 2015-11-11 16:15:58 UTC 2019-05-08 12:36:47 UTC
errata-xmlrpc 2019-05-08 12:37:29 UTC Link ID Red Hat Product Errata RHEA-2019:1085
Peter Lauterbach 2020-05-11 12:56:20 UTC CC pelauter
Red Hat One Jira (issues.redhat.com) 2021-05-01 16:12:20 UTC Link ID Red Hat Issue Tracker RHV-40216
