Bug 809814 (rhev_nwfilter)
Summary: | PRD31 - BETA3 - Add nwfilter rules to all VMs | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Andrew Cathrow <acathrow> |
Component: | ovirt-engine | Assignee: | Moti Asayag <masayag> |
Status: | CLOSED ERRATA | QA Contact: | Meni Yakove <myakove> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 3.1.0 | CC: | aburden, acathrow, danken, dougsland, dyasny, iheim, jeder, lpeer, mavital, myakove, pmatouse, rbalakri, Rhev-m-bugs, sgrinber, sputhenp, thildred, yeylon, ykaul |
Target Milestone: | --- | Keywords: | FutureFeature, Triaged |
Target Release: | 3.1.0 | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering | ||
Whiteboard: | network | ||
Fixed In Version: | SI18 | Doc Type: | Enhancement |
Doc Text: |
Previously, Red Hat Enterprise Virtualization did not prevent MAC spoofing. A virtual machine could impersonate other virtual machines, causing traffic meant for a specific virtual machine to reach an unexpected destination.
Now, the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled, a filter that prevents spoofing gets added to a virtual machine network interface's XML definition.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2012-12-04 19:23:54 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 811807 | ||
Bug Blocks: |
Description
Andrew Cathrow
2012-04-04 12:53:37 UTC
Agreed in today's meeting that this will be a global config option to enable or disable. The default will be enabled. We'll extend in 3.2/4.0 to allow per VM and per logical network settings.

2 notes:

1. support for setting the filters on hot-plug NIC is also needed.
2. we should avoid setting the filter on port-mirroring NICs.

(In reply to comment #7)
> 2 notes:
>
> 1. support for setting the filters on hot-plug NIC is also needed.
> 2. we should avoid setting the filter on port-mirroring NICs.

After reviewing the filter carefully it looks like there is no need for a special treatment for port mirroring as the filters are only for the VM egress traffic.

The feature page for Network Filtering: http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering

Suggested patch: http://gerrit.ovirt.org/#/c/7356/

Verified on rhevm-3.1.0-16.el6ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1506.html
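The Doc Text above says the filter is added to each virtual machine network interface's XML definition, and the comments note that hot-plugged NICs need it too. The following check is an added example, not code from this bug or from oVirt/VDSM: it audits a libvirt domain XML (as printed by `virsh dumpxml`) for NICs without the filter reference. The filter name `vdsm-no-mac-spoofing` is an assumption not stated on this page, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: name of the anti-spoofing filter defined on the host.
# It is not given on this page; pass the name your hosts actually use.
DEFAULT_FILTER = "vdsm-no-mac-spoofing"

# Constructed sample: a domain with two NICs, the second one lacking
# a <filterref> (for example a NIC that was hot-plugged without it).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>example-vm</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='net1'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1A:4A:00:00:02'/>
      <source bridge='net1'/>
    </interface>
  </devices>
</domain>
"""


def audit_interfaces(domain_xml, expected_filter=DEFAULT_FILTER):
    """Return one finding per NIC: its MAC, its filter, and whether it matches."""
    root = ET.fromstring(domain_xml.strip())
    findings = []
    for iface in root.findall("./devices/interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address", "").lower() if mac_el is not None else None
        ref = iface.find("filterref")
        name = ref.get("filter") if ref is not None else None
        findings.append(
            {"mac": mac, "filter": name, "protected": name == expected_filter}
        )
    return findings


def unprotected_macs(domain_xml, expected_filter=DEFAULT_FILTER):
    """MAC addresses of NICs that do not reference the expected filter."""
    return [f["mac"] for f in audit_interfaces(domain_xml, expected_filter)
            if not f["protected"]]


if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(finding)
```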