Bug 1009608

Summary:	[RFE] Limit east-west traffic of VMs with network filter
Product:	Red Hat Enterprise Virtualization Manager	Reporter:	Allie DeVolder <adevolder>
Component:	ovirt-engine	Assignee:	Ales Musil <amusil>
Status:	CLOSED ERRATA	QA Contact:	Michael Burman <mburman>
Severity:	high	Docs Contact:
Priority:	medium
Version:	3.6.9	CC:	adevolder, cory.bannister, danken, ecohen, fgarciad, fnanushr, kshukla, lpeer, lsurette, mburman, mgoldboi, mkalinin, myakove, pelauter, pvilayat, rdini, rdlugyhe, Rhev-m-bugs, rmcswain, shipatil, spower, srevivo, stmariejw, trichard, yeylon
Target Milestone:	ovirt-4.3.0	Keywords:	FutureFeature, Reopened, ZStream
Target Release:	4.3.0	Flags:	nyechiel: Triaged+ mburman: testing_plan_complete+
Hardware:	All
OS:	Linux
Whiteboard:	network
Fixed In Version:	ovirt-engine-4.3.0_alpha	Doc Type:	Enhancement
Doc Text:	This release allows you to limit east-west traffic of VMs, to enable traffic only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. With a parameter called GATEWAY_MAC, a user can specify the MAC address of the gateway that is allowed to communicate with the VM and vice versa. Note that users can specify multiple GATEWAY_MACs. There are two possible configurations of VM: 1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'. Any other value will result in a leak of initial traffic. This is caused by libvirt's learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for more details). 2) A VM with DHCP. DHCP is working partially. It is not usable in production currently (https://bugzilla.redhat.com/show_bug.cgi?id=1651499). The filter has a general issue with ARP leak (https://bugzilla.redhat.com/show_bug.cgi?id=1651467). Peer VMs are able to see that the VM using this feature exists (in their arp table), but are not able to contact the VM, as the traffic from peers is still blocked by the filter.	Story Points:	---
Clone Of:
Clones:	1610979 (view as bug list)		Environment:
Last Closed:	2019-05-08 12:36:47 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	Network	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1603115
Bug Blocks:	1610979

Description Allie DeVolder 2013-09-18 17:14:53 UTC

Description of problem:

Support for private virtual local area networks (PVLAN) allowing to 'sub-partition' a VLAN by restricting switch ports to only communicate with a given 'uplink' - avoiding 'per-to per' communication (extension to the VLAN standard).

Private VLAN works when assigning IP to interface directly on RHEL KVM hypervisor server...but when creating a bridge using same interface and assign network to VM..it does not work.

Comment 18 fnanushr 2018-03-28 22:24:46 UTC

RFE:

Red Hat Virtualization Manager Administration portal
Existing:
Navigate to any network N under a datacenter. Open the associated vNIC profile. The 'Network Filter' shows a drop down list of only the built-in network filters.

Requirement:
A way to create a new network filter and associate it with a vNIC profile from the administration portal.

Comment 19 Dan Kenigsberg 2018-04-01 13:20:55 UTC

(In reply to fnanushr from comment #18)
> RFE:
>
> A way to create a new network filter and associate it with a vNIC profile
> from the administration portal.

bug 1544666 is all about letting Engine select a non-built-in nwfilter, that is already deployed to all hosts. Here you request a way to deploy nwfilter to all hosts, which I believe is better done by Ansible, possibly triggered by ovirt-host-deploy. If you think differently, please file an independent RFE.

Comment 20 Yaniv Lavi 2018-06-10 11:39:10 UTC

We will look to add the network filter into libvirt and gateway option in RHV to enable this use case.

Comment 21 spower 2018-07-03 10:53:26 UTC

We agreed to remove RFEs component from Bugzilla, if you feel the component has been renamed incorrectly please reach out.

Comment 22 Yaniv Lavi 2018-07-19 11:53:43 UTC

Upstream patch is going well and we will ask to add the filter to a coming RHEL release.

Comment 24 Dan Kenigsberg 2018-08-20 06:43:26 UTC

Please add to cluster level 4.2, too.

We can add a release note that only folks with el7.6 can actually opt in and choose this new filter.

Comment 25 Michael Burman 2018-09-05 05:57:18 UTC

Verified on - 4.3.0-0.0.master.20180902070649.gita860c9c.el7
vdsm-4.30.0-554.git4594d97.el7.x86_64
kernel 3.10.0-940.el7.x86_64
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
libvirt-4.5.0-7.el7.x86_64
libvirt-daemon-4.5.0-7.el7.x86_64
rhel 7.5 guests(VMs)

For test flow see BZ 1610979#26

Comment 27 errata-xmlrpc 2019-05-08 12:36:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085