Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1164397

Summary: [RFE] Block incoming DHCP server traffic and outgoing IPv6 through vnic, allow these kinds of traffic in each vnic configuration
Product: [oVirt] ovirt-engine Reporter: David Jaša <djasa>
Component: RFEsAssignee: Nir Yechiel <nyechiel>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: low    
Version: 3.5.0CC: bugs, danken, lpeer, lsurette, nyechiel, pmatouse, rbalakri, srevivo, ykaul, ylavi
Target Milestone: ---Keywords: FutureFeature, Improvement
Target Release: ---Flags: ylavi: ovirt-future?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-06 07:35:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1193224, 1317441    
Bug Blocks:    

Description David Jaša 2014-11-14 23:35:36 UTC 
Description of problem:
Currently, vdsm only adds rules preventing MAC and ARP spoofing. These aren't however the only attack vectors available to rogue VMs. I dare say that the other similarly dangerous are at least:
  * rogue DHCP server
  * rogue IPv6 routers
so RHEV should IMO add nwfilter rules disallowing these kinds of traffic by default and only allow them when they are explicitly allowed in vnic configuration.

The various part of RHEV affected would be:

1. Permissions: Not everybody should be able to run dhcpd or IPv6 router
2. UI/API: in vnic properties, allow setting up these properties in vnic settings
3. backend: save settings for each VM/vnic, pass the settings to vdsm
4. vdsm: set up libvirt nwfilter filters, assign them to all vnics but those that have respective kinds of traffic allowed

Version-Release number of selected component (if applicable):
all up to 3.5

How reproducible:
always

Steps to Reproduce:
1. try to set up rogue dhcp server or IPv6 router (e.g. Windows 7 with teredo tunnels)
2.
3.

Actual results:
rogue dhcpd can operate by default

Expected results:
dhcpd can operate only when explicitly allowed in dhcp settings

Additional info:
Comment 1 Dan Kenigsberg 2016-11-10 10:10:46 UTC 
All that is now left is to define a vdsm-even-cleaner-traffic nwfilter and expose add it on Engine.
Comment 2 Yaniv Lavi 2018-06-06 07:35:24 UTC 
This is possible with clean traffic filter + network filters parameters.