Bug 1254972

Summary: [RFE] indicate how many packets are filtered out per vnic
Product: [oVirt] ovirt-engine
Reporter: Juan Pablo Lorier <jplorier>
Component: RFEs
Assignee: bugs <bugs>
Status: CLOSED DEFERRED
QA Contact: Lukas Svaty <lsvaty>
Severity: medium
Docs Contact:
Priority: unspecified
Version: ---
CC: bugs, danken, jplorier, lsurette, mburman, srevivo
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Flags: ylavi: ovirt-future?, ylavi: planning_ack?, ylavi: devel_ack?, ylavi: testing_ack?
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-13 11:12:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Metrics
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1193224, 1317441
Bug Blocks:

Description Juan Pablo Lorier 2015-08-19 11:15:54 UTC
Description of problem: oVirt filters MAC addresses not registered by the guest NIC.


Version-Release number of selected component (if applicable): all


How reproducible:

Create a virtual NIC within a guest and use VLANs in the vNIC. The VLAN traffic will be stopped by ebtables.


Steps to Reproduce:
1. Install a tap adapter
2. Create tagged VLAN traffic from the tap adapter
3. The tagged traffic won't go through the bridge due to an ebtables rule.

Actual results:

No tagged traffic goes out to the network

Expected results:

Traffic can flow normally

Additional info:

I'm not reporting from my personal experience but from a post on the list. This is the second time I have seen someone with this problem spending a lot of time to get to the root of it.

Comment 1 Dan Kenigsberg 2015-08-26 14:08:56 UTC
no-mac-spoofing is a security measure which most of our users want. I think that disabling it by default is wrong.

Have you tried following http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook to install vdsm-hook-macspoof? Setting http://www.ovirt.org/Vdsm_Hooks#Device-level_hooks makes the option of allowing mac-spoofing much more accessible.

Comment 2 Juan Pablo Lorier 2015-08-26 14:24:03 UTC
Dear Dan,

I'm not questioning the use of no-mac-spoofing. I question that this is enabled by default. In the time I've been on the list, I have more than once seen people having trouble with this.
I think that having it disabled by default will give the people who do understand and want this security measure running the option of enabling it, and not the other way around, as more inexperienced people may fall for this without knowing it exists.
These people may not find out that this is their problem and that they have to install a hook to customize it until they actually have a problem and spend at least a couple of days until they reach a solution or a helping hand pointing in the right direction.
Regards,

Comment 3 Dan Kenigsberg 2015-08-26 15:08:51 UTC
I believe that installing and configuring vdsm-hook-macspoof by default would make this feature more accessible and easier to consume. Don't you think?

Comment 4 Juan Pablo Lorier 2015-08-26 15:33:46 UTC
That seems to be a better solution. I agree that by doing that we can get the best of both worlds. It should also be documented so everybody knows how to use this.
Regards

Comment 5 Dan Kenigsberg 2015-09-08 09:33:39 UTC
Come to think of it, we already have an rfe bug 1193224 about this.

We may want to give an indication of how many packets have been filtered out as a warning on each vnic.
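
One way to derive the per-vnic count suggested in comment 5 is to sum the counters of the DROP rules in the listing printed by `ebtables -t nat -L --Lc`. This is an added example, not part of the bug thread and not oVirt or VDSM code. The listing is constructed, and the chain naming (`I-<vnic>-mac`, `libvirt-I-<vnic>`) and hyphen-free vnic names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `ebtables -t nat -L --Lc` output.
# Chain names follow a per-interface "I-<vnic>-mac" pattern (assumption).
SAMPLE = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0, pcnt = 5210 -- bcnt = 612004
-i vnet1 -j libvirt-I-vnet1, pcnt = 940 -- bcnt = 88120

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 00:1a:4a:16:01:51 -j RETURN , pcnt = 5173 -- bcnt = 609100
-j DROP , pcnt = 37 -- bcnt = 2904

Bridge chain: I-vnet1-mac, entries: 2, policy: ACCEPT
-s 00:1a:4a:16:01:52 -j RETURN , pcnt = 940 -- bcnt = 88120
-j DROP , pcnt = 0 -- bcnt = 0
"""

CHAIN_RE = re.compile(r"^Bridge chain: ([^,]+), entries:")
VNIC_RE = re.compile(r"^(?:libvirt-)?[IO]-([^-]+)")  # assumes no '-' in vnic name
DROP_RE = re.compile(r"-j\s+DROP\b.*?pcnt\s*=\s*(\d+)\s*--\s*bcnt\s*=\s*(\d+)")


def dropped_per_vnic(listing):
    """Sum packet/byte counters of DROP rules, grouped by owning vnic."""
    totals = defaultdict(lambda: [0, 0])
    vnic = None
    for line in listing.splitlines():
        chain = CHAIN_RE.match(line)
        if chain:
            owner = VNIC_RE.match(chain.group(1))
            vnic = owner.group(1) if owner else None  # built-in chains: no vnic
            continue
        drop = DROP_RE.search(line)
        if vnic and drop:
            totals[vnic][0] += int(drop.group(1))
            totals[vnic][1] += int(drop.group(2))
    return {name: tuple(counts) for name, counts in totals.items()}


def vnics_to_warn(listing, min_packets=1):
    """Return the vnics whose filter dropped at least min_packets packets."""
    counts = dropped_per_vnic(listing)
    return sorted(n for n, (pkts, _) in counts.items() if pkts >= min_packets)
```

The counters are cumulative since the rules were installed, so a periodic collector would report the difference between two readings.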

Comment 6 Yaniv Lavi 2016-11-23 10:36:10 UTC
Moving to DWH as we would like to get this via the metrics store.

Comment 7 Sandro Bonazzola 2019-09-26 13:41:44 UTC
Dan, is this still relevant? Can you please sync with Shirly on exact requirements?

Comment 8 Dan Kenigsberg 2019-10-13 11:12:52 UTC
It is still relevant, but I am afraid we don't have the capacity to handle this anytime soon.