Summary: [RFE] Limit east-west traffic of VMs with network filter
Product: Red Hat Enterprise Virtualization Manager
Reporter: Allie DeVolder <adevolder>
Component: ovirt-engine
Assignee: Ales Musil <amusil>
Status: CLOSED ERRATA
QA Contact: Michael Burman <mburman>
Version: 3.6.9
CC: adevolder, cory.bannister, danken, ecohen, fgarciad, fnanushr, kshukla, lpeer, lsurette, mburman, mgoldboi, mkalinin, myakove, pelauter, pvilayat, rdini, rdlugyhe, Rhev-m-bugs, rmcswain, shipatil, spower, srevivo, stmariejw, trichard, yeylon
Target Milestone: ovirt-4.3.0
Keywords: FutureFeature, Reopened, ZStream
Fixed In Version: ovirt-engine-4.3.0_alpha
Doc Type: Enhancement
Doc Text:
This release allows you to limit east-west traffic of VMs so that traffic is permitted only between the VM and a gateway. The new filter 'clean-traffic-gateway' has been added to libvirt. Through the parameter GATEWAY_MAC, a user specifies the MAC address of the gateway that is allowed to communicate with the VM, and vice versa; multiple GATEWAY_MAC values can be given.

There are two possible VM configurations:

1) A VM with a static IP. This is the recommended setup. It is also recommended to set the parameter CTRL_IP_LEARNING to 'none'; any other value results in a leak of the VM's initial traffic, caused by libvirt's IP address learning mechanism (see https://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection and https://bugzilla.redhat.com/show_bug.cgi?id=1647944 for details).

2) A VM with DHCP. DHCP works only partially and is currently not usable in production (https://bugzilla.redhat.com/show_bug.cgi?id=1651499).

The filter has a general issue with ARP leakage (https://bugzilla.redhat.com/show_bug.cgi?id=1651467): peer VMs can see that a VM using this feature exists (it appears in their ARP table), but cannot contact it, because traffic from peers is still blocked by the filter.
[unlabelled field]: 1610979
Environment:
Last Closed: 2019-05-08 12:36:47 UTC
Type: Bug
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1603115
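The Doc Text above names the filter and its parameters but shows no configuration. The following libvirt domain <interface> fragment is an added example, not taken from this bug report, oVirt or libvirt; it applies clean-traffic-gateway in the recommended static-IP setup. The bridge name, MAC addresses and IP address are constructed placeholders, and the requirement to pass the VM's IP as the IP parameter when CTRL_IP_LEARNING is 'none' is assumed here from libvirt's documentation of the clean-traffic filter family.

```xml
<!-- Added example (not from the bug report): libvirt domain <interface>
     using the clean-traffic-gateway filter in the recommended static-IP
     setup. All MAC/IP values and the bridge name are constructed placeholders. -->
<interface type='bridge'>
  <mac address='52:54:00:aa:bb:01'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic-gateway'>
    <!-- Gateway(s) the VM may exchange frames with.
         Repeat the element once per gateway MAC. -->
    <parameter name='GATEWAY_MAC' value='52:54:00:00:00:fe'/>
    <parameter name='GATEWAY_MAC' value='52:54:00:00:00:ff'/>
    <!-- Disable libvirt's IP address learning. With any other value the
         anti-spoofing rules are not in place until the address has been
         learned, so the VM's initial traffic leaks past the filter. -->
    <parameter name='CTRL_IP_LEARNING' value='none'/>
    <!-- With learning disabled the VM's own IP must be supplied explicitly
         (assumption: taken from libvirt's clean-traffic documentation). -->
    <parameter name='IP' value='192.0.2.10'/>
  </filterref>
</interface>
```

The filter has to be present on every host the VM can be scheduled to: `virsh nwfilter-list` on the host shows whether it is installed, and `virsh nwfilter-dumpxml clean-traffic-gateway` shows the rules it expands to. In RHV the same parameters are entered as network filter parameters on the vNIC profile rather than written into domain XML by hand; the fragment above is what the engine's choice ultimately produces on the host.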
Description Allie DeVolder 2013-09-18 17:14:53 UTC
Description of problem: Support for private virtual local area networks (PVLAN), allowing to 'sub-partition' a VLAN by restricting switch ports to only communicate with a given 'uplink', avoiding 'peer-to-peer' communication (extension to the VLAN standard). Private VLAN works when assigning an IP to the interface directly on the RHEL KVM hypervisor server, but when creating a bridge using the same interface and assigning the network to a VM, it does not work.
Comment 18 fnanushr 2018-03-28 22:24:46 UTC
RFE: Red Hat Virtualization Manager Administration portal

Existing: Navigate to any network N under a datacenter. Open the associated vNIC profile. The 'Network Filter' shows a drop-down list of only the built-in network filters.

Requirement: A way to create a new network filter and associate it with a vNIC profile from the administration portal.
Comment 19 Dan Kenigsberg 2018-04-01 13:20:55 UTC
(In reply to fnanushr from comment #18)
> RFE:
>
> A way to create a new network filter and associate it with a vNIC profile
> from the administration portal.

bug 1544666 is all about letting Engine select a non-built-in nwfilter, that is already deployed to all hosts. Here you request a way to deploy nwfilter to all hosts, which I believe is better done by Ansible, possibly triggered by ovirt-host-deploy. If you think differently, please file an independent RFE.
Comment 20 Yaniv Lavi 2018-06-10 11:39:10 UTC
We will look to add the network filter into libvirt and gateway option in RHV to enable this use case.
Comment 21 spower 2018-07-03 10:53:26 UTC
We agreed to remove RFEs component from Bugzilla, if you feel the component has been renamed incorrectly please reach out.
Comment 22 Yaniv Lavi 2018-07-19 11:53:43 UTC
Upstream patch is going well and we will ask to add the filter to a coming RHEL release.
Comment 24 Dan Kenigsberg 2018-08-20 06:43:26 UTC
Please add to cluster level 4.2, too. We can add a release note that only folks with el7.6 can actually opt in and choose this new filter.
Comment 25 Michael Burman 2018-09-05 05:57:18 UTC
Verified on:
- 4.3.0-0.0.master.20180902070649.gita860c9c.el7
- vdsm-4.30.0-554.git4594d97.el7.x86_64
- kernel 3.10.0-940.el7.x86_64
- Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
- libvirt-4.5.0-7.el7.x86_64
- libvirt-daemon-4.5.0-7.el7.x86_64
- RHEL 7.5 guests (VMs)

For test flow see BZ 1610979#26
Comment 27 errata-xmlrpc 2019-05-08 12:36:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085