Bug 1651467

Summary: [clean-traffic-gateway filter] ARP packet is leaking between blocked VMs
Product: [oVirt] ovirt-engine
Reporter: Roni <reliezer>
Component: BLL.Network
Assignee: Ales Musil <amusil>
Status: CLOSED WONTFIX
QA Contact: Michael Burman <mburman>
Severity: high
Priority: medium
Version: 4.3.0
CC: bugs, dagur, danken, fgarciad
Flags: sbonazzo: ovirt-4.3-
Hardware: x86_64
OS: Linux
Last Closed: 2018-12-11 12:04:46 UTC
Type: Bug
oVirt Team: Network
Bug Depends On: 1725166, 1848971

Description Roni 2018-11-20 07:32:08 UTC
Description of problem:
The clean-traffic-gateway filter is expected to block any traffic between two VMs.
Although unicast traffic is blocked, ARP traffic is not!
After a ping attempt between two blocked VMs, their ARP tables will include each other's MAC.

Version-Release number of selected component (if applicable):
4.3.0-0.0.master.20181116185756.gite19db6e.el7

How reproducible:
100%

Steps to Reproduce:
1. Start two VMs
2. Run 'route -n' and then 'arp -an' to see their gateway MAC address
3. Add new vNIC profile
4. Choose: Network='ovirtmgmt', Network Filter='clean-traffic-gateway'
5. At both VMs: 
   Go to Compute | Virtual Machines | Click the VM name | 
   Network Interfaces tab | edit the NIC
   Change their profile to the newly created profile from section #3 above
   Add Network Filter Parameter GATEWAY_MAC=[GW MAC from section #2 above]
6. Run ping from VM-1 to VM-2
7. Run 'arp -an' at both VMs

Actual results:
1. Ping is not replying
2. ARP table includes the other VM's MAC address

Expected results:
1. Ping is not replying
2. ARP table at both VMs should include only the Gateway MAC address


Additional info:
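
A check for the expected result in step 7, as an added example that is not part of the original report: the function reads `arp -an` output and lists every resolved neighbour whose MAC is not the gateway's. The function name and the sample addresses and MACs are constructed for illustration, and the net-tools `arp -an` line format is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report). Constructed sample data below.
# On a VM: arp -an | unexpected_arp_entries "$GATEWAY_MAC"

# Reads `arp -an` output on stdin. Prints "IP MAC" for every resolved
# neighbour whose MAC differs from the gateway MAC given as $1.
# Exit status: 0 if only the gateway was learned, 1 if anything else was.
unexpected_arp_entries() {
    awk -v gw="$1" '
        BEGIN { gw = tolower(gw); found = 0 }
        # Assumed net-tools format: ? (IP) at MAC [ether] on IFACE
        $3 == "at" {
            mac = tolower($4)
            # "<incomplete>" means no ARP reply arrived: nothing was learned.
            if (mac == "<incomplete>") next
            # Ignore anything that is not a 17-character colon-separated MAC.
            if (length(mac) != 17 || mac !~ /^[0-9a-f:]+$/) next
            if (mac != gw) {
                ip = $2
                gsub(/[()]/, "", ip)
                print ip, mac
                found = 1
            }
        }
        END { exit found }
    '
}

# Constructed sample: the state the report describes (peer VM MAC learned).
SAMPLE_LEAK='? (192.0.2.1) at 52:54:00:aa:bb:01 [ether] on eth0
? (192.0.2.12) at 56:6f:00:00:00:02 [ether] on eth0'

# Constructed sample: the expected state (only the gateway resolved).
SAMPLE_CLEAN='? (192.0.2.1) at 52:54:00:AA:BB:01 [ether] on eth0
? (192.0.2.12) at <incomplete> on eth0'

SAMPLE_GW='52:54:00:aa:bb:01'

for name in LEAK CLEAN; do
    eval "data=\$SAMPLE_$name"
    if printf '%s\n' "$data" | unexpected_arp_entries "$SAMPLE_GW"; then
        echo "$name: only the gateway MAC is in the ARP table"
    else
        echo "$name: non-gateway MAC learned, ARP is not filtered"
    fi
done
```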

Comment 1 Dan Kenigsberg 2018-12-11 12:04:46 UTC
Thanks for filing this bug, but it is unlikely we are going to address it.