Bug 1377181
Summary: | [Docs][Admin][RFE] Document the Network Filter option for vNIC profiles | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Lucy Bopf <lbopf> |
Component: | Documentation | Assignee: | Tahlia Richardson <trichard> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Byron Gravenorst <bgraveno> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.0.0 | CC: | alkaplan, danken, gklein, lgoldber, lsurette, mkalinin, mmirecki, rbalakri, srevivo, trichard, ykaul |
Target Milestone: | ovirt-4.0.5 | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | https://www.ovirt.org/feature/networkfilter/ | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: |
Libvirt provides configurable network filters which can be applied to guest NICs.
The filters allow unwanted traffic to be filtered out; the main motivation for this is security.
This feature allows the user to apply these filters from oVirt.
The user can specify a network filter to be used as a vNIC profile property.
All vNICs using this vNIC profile will then be configured with the network filter by libvirt.
The list of predefined libvirt network filters:
- vdsm-no-mac-spoofing
- allow-arp
- allow-dhcp
- allow-dhcp-server
- allow-incoming-ipv4
- allow-ipv4
- clean-traffic
- no-arp-ip-spoofing
- no-arp-mac-spoofing
- no-arp-spoofing
- no-ip-multicast
- no-ip-spoofing
- no-mac-broadcast
- no-mac-spoofing
- no-other-l2-traffic
- no-other-rarp-traffic
- qemu-announce-self
- qemu-announce-self-rarp
The feature page:
https://www.ovirt.org/feature/networkfilter/
Libvirt documentation:
https://libvirt.org/firewall.html
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-12-06 02:50:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Docs | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1317441 | ||
Bug Blocks: |
Description
Lucy Bopf
2016-09-19 06:04:47 UTC
Assigning to Tahlia for review.

Hi Tahlia, the procedure looks good. Maybe we could enumerate the default available filters? I added the list in the doc text, but I'm also fine with this without it.

Hi Marcin, thanks for reviewing. If you can provide a description of what each filter does, I'd be more than happy to add that to the docs. Otherwise, I don't think just a list of the filters adds much value, since you can see the same list from the drop-down in the UI anyway. Let me know what you think.

Marcin, please do. I think it will be very beneficial for all.

From the email thread, how the vdsm-macspoofing-hook can be implemented in 4.0 using vNIC profiles:
> @Dan,
> I am trying to figure out how this feature should work, but it is not really clear either from the ovirt page or from the docs bug.
> Where can I define the MAC addresses or whatever is needed to enable mac-spoofing?
> Can someone please elaborate more on how this is supposed to work?
> With some real life example?
I'm not sure what feature you are referring to, since the network filter feature does not require you to "define mac addresses". All you need to do is define a new network profile; in it, in 4.0 you can select a specific filter, which can be the simple "None".
Then, when you attach this profile to a vnic, the vnic would have no filtering, and the guest can spoof whatever address it wants.
The filters are defined by libvirt and are documented by it: https://libvirt.org/formatnwfilter.html#nwfexamples

The documentation at https://libvirt.org/formatnwfilter.html#nwfexamples (and in the RHEL Virt docs) only includes:
- no-arp-spoofing
- allow-dhcp
- allow-dhcp-server
- no-ip-spoofing
- no-ip-multicast
- clean-traffic

But the filters available through the UI are:
- vdsm-no-mac-spoofing
- allow-arp
- allow-dhcp
- allow-incoming-ipv4
- allow-ipv4
- clean-traffic
- no-arp-ip-spoofing
- no-arp-mac-spoofing
- no-arp-spoofing
- no-ip-multicast
- no-ip-spoofing
- no-mac-broadcast
- no-mac-spoofing
- no-other-l2-traffic
- no-other-rarp-traffic
- qemu-announce-self
- qemu-announce-self-rarp
- <No Network Filter>

So some filters would still be lacking a description.

I see. These filters are libvirt's; RHV only exposes them. I suggest that libvirt documents them somewhere like https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Virtual_Networking-Applying_network_filtering.html
I think that we should refer to their doc, possibly copying what they currently have upstream. To that we should add:
* vdsm-no-mac-spoofing is the default filter in RHV
* <No Network Filter> is self-explanatory, but mention that it should be used for in-guest VLANs and bonds, as well as for a (slight) performance boost when the guest is trusted.
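As an added example (not part of this bug, oVirt or vdsm), the Python below audits a libvirt domain XML of the shape `virsh dumpxml` prints on a host and reports, per vNIC, which network filter libvirt applied: it flags vNICs whose profile had no filter (the case described above, where the guest can spoof whatever address it wants) and filter names outside the list of predefined filters given in this bug. The domain XML, MAC addresses and bridge names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Predefined filters this bug lists as selectable in the vNIC profile drop-down.
KNOWN_FILTERS = frozenset({
    "vdsm-no-mac-spoofing", "allow-arp", "allow-dhcp", "allow-dhcp-server",
    "allow-incoming-ipv4", "allow-ipv4", "clean-traffic", "no-arp-ip-spoofing",
    "no-arp-mac-spoofing", "no-arp-spoofing", "no-ip-multicast", "no-ip-spoofing",
    "no-mac-broadcast", "no-mac-spoofing", "no-other-l2-traffic",
    "no-other-rarp-traffic", "qemu-announce-self", "qemu-announce-self-rarp",
})

# Constructed domain XML in the shape 'virsh dumpxml' prints (MACs and bridges
# made up): NIC 1 came from a profile with the RHV default filter, NIC 2 from a
# profile set to <No Network Filter>, so libvirt emitted no <filterref> for it.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='guest_vlans'/>
    </interface>
  </devices>
</domain>
"""


def audit_nic_filters(domain_xml):
    """Per <interface>: MAC, applied filter name (None when no <filterref>
    is present) and a finding string, or None when nothing is wrong."""
    records = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        mac = iface.find("mac")  # Element truthiness is unreliable: test 'is None'
        ref = iface.find("filterref")
        name = ref.get("filter") if ref is not None else None
        if name is None:
            finding = "no network filter: guest may spoof MAC/IP addresses"
        elif name not in KNOWN_FILTERS:
            finding = "filter not among those RHV exposes: " + name
        else:
            finding = None
        records.append({"mac": mac.get("address") if mac is not None else None,
                        "filter": name, "finding": finding})
    return records
```

On a host, feed `audit_nic_filters` the output of `virsh dumpxml <vm>` for each running guest; a non-None `finding` marks a vNIC whose profile should be reviewed.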