Bug 1691352
| Summary: | Network filters are not honouring explicitly listed parameters for MAC | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | Daniel Berrangé <berrange> | |
| Component: | libvirt | Assignee: | Daniel Berrangé <berrange> | |
| Status: | CLOSED ERRATA | QA Contact: | yalzhang <yalzhang> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.0 | CC: | jdenemar, jsuchane, knoel, xuzhang, yalzhang | |
| Target Milestone: | rc | Keywords: | Regression, Upstream | |
| Target Release: | 8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | libvirt-5.0.0-10.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1691356 1691358 (view as bug list) | Environment: | ||
| Last Closed: | 2019-08-07 10:41:10 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1691356, 1691358 | |||
Upstream fix
commit 01e11ebcb6e8f24662b7c67b70134c192785691c
Author: Nikolay Shirokovskiy <nshirokovskiy>
Date: Wed Mar 20 16:05:59 2019 +0300
nwfilter: fix adding std MAC and IP values to filter binding
test on libvirt-5.0.0-11.module+el8.0.1+3459+e357ef2f.x86_64, all the result is as expected:
# rpm -q libvirt
libvirt-5.0.0-11.module+el8.0.1+3459+e357ef2f.x86_64
1. Start a guest with interface as below:
# virsh dumpxml rhel8_q35 | grep /interface -B13
<interface type='network'>
<mac address='52:54:00:1c:1b:a7'/>
<source network='default' bridge='virbr0'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='104.207.129.11'/>
<parameter name='IP' value='104.207.129.12'/>
<parameter name='MAC' value='52:54:00:7b:35:94'/>
<parameter name='MAC' value='52:54:00:7b:35:96'/>
</filterref>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
2. Check the nwfilter binding on host:
# virsh nwfilter-binding-list
Port Dev Filter
---------------------------
vnet0 clean-traffic
# virsh nwfilter-binding-dumpxml vnet0
<filterbinding>
<owner>
<name>rhel8_q35</name>
<uuid>04a6e599-42b4-40db-804b-0c4361979f6d</uuid>
</owner>
<portdev name='vnet0'/>
<mac address='52:54:00:1c:1b:a7'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='104.207.129.11'/>
<parameter name='IP' value='104.207.129.12'/>
<parameter name='MAC' value='52:54:00:7b:35:94'/>
<parameter name='MAC' value='52:54:00:7b:35:96'/>
</filterref>
</filterbinding>
3. Check the ebtables rules, all parameters are listed:
# ebtables -t nat -L
...
Bridge chain: I-vnet0-mac, entries: 3, policy: ACCEPT
-s 52:54:00:7b:35:94 -j RETURN
-s 52:54:00:7b:35:96 -j RETURN
-j DROP
Bridge chain: I-vnet0-ipv4-ip, entries: 4, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 104.207.129.11 -j RETURN
-p IPv4 --ip-src 104.207.129.12 -j RETURN
-j DROP
...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2395 |
Description of problem: When using a network filter, libvirt will automatically set a MAC parameter, and sometimes a IP parameter too. These defaults are not always correct, so the user is supposed to be able to override them, for example to list multiple values: <interface type='network'> <mac address='52:54:00:7b:35:93'/> <source network='default' bridge='virbr0'/> <target dev='vnet0'/> <model type='rtl8139'/> <filterref filter='clean-traffic'> <parameter name='IP' value='104.207.129.11'/> <parameter name='IP' value='104.207.129.12'/> <parameter name='MAC' value='52:54:00:7b:35:93'/> <parameter name='MAC' value='52:54:00:7b:35:94'/> </filterref> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> Unfortunately a bug in refactoring of nwfilter led to the overrides no longer being honoured for MAC, and sometimes not honoured for IP This is due to upstream commit d1a7c08eb in 4.5.0 Version-Release number of selected component (if applicable): libvirt-5.0.0-7.el8 How reproducible: Steps to Reproduce: 1. Create a guest with nwfilter referencing 'clean-traffic' and add 2 IP and 2 MAC address parameters in the XML 2. Start the guest 3. Look at the 'virsh nwfilter-binding-dumpxml $TAPDEVNAME' output to validate the parameters are still present Actual results: The parameters are sometimes missing Expected results: The parameters from domain XML are copied to nwfilter binding XML