Bug 809814 (rhev_nwfilter)

Summary: PRD31 - BETA3 - Add nwfilter rules to all VMs
Product: Red Hat Enterprise Virtualization Manager
Reporter: Andrew Cathrow <acathrow>
Component: ovirt-engine
Assignee: Moti Asayag <masayag>
Status: CLOSED ERRATA
QA Contact: Meni Yakove <myakove>
Severity: high
Priority: high
Docs Contact:
Version: 3.1.0
CC: aburden, acathrow, danken, dougsland, dyasny, iheim, jeder, lpeer, mavital, myakove, pmatouse, rbalakri, Rhev-m-bugs, sgrinber, sputhenp, thildred, yeylon, ykaul
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: 3.1.0
Hardware: All
OS: Linux
URL: http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering
Whiteboard: network
Fixed In Version: SI18
Doc Type: Enhancement
Doc Text:
Previously, Red Hat Enterprise Virtualization did not prevent MAC spoofing. A virtual machine could impersonate other virtual machines, causing traffic meant for a specific virtual machine to reach an unexpected destination. Now, the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled, a filter that prevents spoofing is added to the XML definition of each virtual machine network interface.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-04 19:23:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 811807
Bug Blocks:

Description Andrew Cathrow 2012-04-04 12:53:37 UTC
All virtual machines should be started with no-arp-spoofing and no-mac-spoofing nwfilter 

Note: portmirror VMs are excluded from this.
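The two filters named above, together with the EnableMACAntiSpoofingFilterRules switch described in the Doc Text, as an added example (this is not oVirt or VDSM code): audit a libvirt domain XML for NICs that lack the anti-spoofing filterref elements and add them when the switch is on. The domain XML and MAC addresses are constructed for the example.

```python
"""Audit a libvirt domain XML for the no-mac-spoofing / no-arp-spoofing
nwfilter references and add the missing ones. Added example, not oVirt or
VDSM code; the sample domain XML below is constructed."""
import xml.etree.ElementTree as ET

REQUIRED_FILTERS = ("no-mac-spoofing", "no-arp-spoofing")

# Constructed sample: first NIC carries one of the two filters, second NIC none.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vm1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='rhevm'/>
      <filterref filter='no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='rhevm'/>
    </interface>
  </devices>
</domain>"""


def _present_filters(nic):
    """Names of the nwfilters already referenced by one <interface>."""
    return {ref.get("filter") for ref in nic.findall("filterref")}


def missing_filters(domain_xml):
    """Return {mac: [missing filter names]} for every NIC lacking a filter."""
    root = ET.fromstring(domain_xml)
    gaps = {}
    for nic in root.iter("interface"):
        mac_el = nic.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac>"
        missing = [f for f in REQUIRED_FILTERS if f not in _present_filters(nic)]
        if missing:
            gaps[mac] = missing
    return gaps


def enforce_filters(domain_xml, enabled=True):
    """Mimic EnableMACAntiSpoofingFilterRules: when enabled, append a
    <filterref> for each required filter to every NIC that lacks it.
    Returns the (possibly unchanged) domain XML as a string."""
    root = ET.fromstring(domain_xml)
    if enabled:
        for nic in root.iter("interface"):
            for name in REQUIRED_FILTERS:
                if name not in _present_filters(nic):
                    ET.SubElement(nic, "filterref", filter=name)
    return ET.tostring(root, encoding="unicode")
```

Running `missing_filters` over the XML of every defined domain is a quick way to confirm the global property actually took effect on existing virtual machines.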

Comment 6 Andrew Cathrow 2012-07-08 09:47:03 UTC
Agreed in today's meeting that this will be a global config option to enable or disable. The default will be enabled.

We'll extend in 3.2/4.0 to allow per VM and per logical network settings

Comment 7 lpeer 2012-07-15 10:56:33 UTC
2 notes:

1. support for setting the filters on hot-plug NIC is also needed.
2. we should avoid setting the filter on port-mirroring NICs.

Comment 8 lpeer 2012-07-31 08:42:20 UTC
(In reply to comment #7)
> 2 notes:
> 
> 1. support for setting the filters on hot-plug NIC is also needed.
> 2. we should avoid setting the filter on port-mirroring NICs.

After reviewing the filter carefully, it looks like there is no need for special treatment for port mirroring, as the filters only apply to the VM's egress traffic.

Comment 20 Moti Asayag 2012-08-13 15:04:53 UTC
The feature page for Network Filtering:

http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering

Comment 23 Moti Asayag 2012-08-20 18:45:40 UTC
Suggested patch:

http://gerrit.ovirt.org/#/c/7356/

Comment 30 Meni Yakove 2012-09-24 08:03:23 UTC
Verified on rhevm-3.1.0-16.el6ev.noarch

Comment 33 errata-xmlrpc 2012-12-04 19:23:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1506.html