Description of problem:
Currently, vdsm only adds rules preventing MAC and ARP spoofing. These aren't, however, the only attack vectors available to rogue VMs. I dare say that the other similarly dangerous ones are at least:
* rogue DHCP server
* rogue IPv6 routers
so RHEV should IMO add nwfilter rules disallowing these kinds of traffic by default and only allow them when they are explicitly allowed in vnic configuration.

The various parts of RHEV affected would be:
1. Permissions: Not everybody should be able to run dhcpd or IPv6 router
2. UI/API: in vnic properties, allow setting up these properties in vnic settings
3. backend: save settings for each VM/vnic, pass the settings to vdsm
4. vdsm: set up libvirt nwfilter filters, assign them to all vnics but those that have respective kinds of traffic allowed

Version-Release number of selected component (if applicable):
all up to 3.5

How reproducible:
always

Steps to Reproduce:
1. try to set up rogue dhcp server or IPv6 router (e.g. Windows 7 with teredo tunnels)
2.
3.

Actual results:
rogue dhcpd can operate by default

Expected results:
dhcpd can operate only when explicitly allowed in dhcp settings

Additional info:

All that is now left is to define a vdsm-even-cleaner-traffic nwfilter and expose it on Engine.
This is possible with the clean traffic filter + network filter parameters.
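
The default-deny behaviour requested in the description, modelled in Python as an added example (not code from vdsm, libvirt or this report) that can serve as a reference when testing a filter against captured VM egress traffic. The flag names `allow_dhcp_server` and `allow_ipv6_router`, the helper names and the sample frames are hypothetical and constructed here; frames are assumed to be untagged Ethernet.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_ICMPV6 = 17, 58

def classify(frame: bytes) -> str:
    """Label a frame sent by a VM: 'dhcp-server', 'ipv6-ra' or 'other'."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETH_IPV4 and len(l3) >= 20:
        ihl = (l3[0] & 0x0F) * 4  # IPv4 header length; options shift the UDP header
        first_fragment = (struct.unpack("!H", l3[6:8])[0] & 0x1FFF) == 0
        if l3[9] == PROTO_UDP and first_fragment and ihl >= 20 and len(l3) >= ihl + 4:
            sport, _dport = struct.unpack("!HH", l3[ihl:ihl + 4])
            if sport == 67:  # BOOTP/DHCP server (or relay) source port
                return "dhcp-server"
    elif ethertype == ETH_IPV6 and len(l3) > 40:
        # Only a Router Advertisement directly after the fixed header is matched;
        # an RA behind extension headers falls through to 'other' in this model.
        if l3[6] == PROTO_ICMPV6 and l3[40] == 134:
            return "ipv6-ra"
    return "other"

def verdict(frame: bytes, allow_dhcp_server=False, allow_ipv6_router=False) -> str:
    """Drop server-side DHCP and RAs unless the vnic flag (hypothetical) allows them."""
    kind = classify(frame)
    if kind == "dhcp-server" and not allow_dhcp_server:
        return "drop"
    if kind == "ipv6-ra" and not allow_ipv6_router:
        return "drop"
    return "accept"

# Constructed sample frames (zero checksums, documentation addresses).
def make_eth(ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + b"\x52\x54\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload

def make_ipv4_udp(sport: int, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_UDP, 0,
                     bytes([192, 0, 2, 10]), bytes([255] * 4))
    return make_eth(ETH_IPV4, ip + struct.pack("!HHHH", sport, dport, 8, 0))

def make_ipv6_icmp(icmp_type: int) -> bytes:
    ip6 = struct.pack("!IHBB", 0x60000000, 4, PROTO_ICMPV6, 255) + bytes(32)
    return make_eth(ETH_IPV6, ip6 + bytes([icmp_type, 0, 0, 0]))

if __name__ == "__main__":
    for name, f in (("DHCP offer", make_ipv4_udp(67, 68)), ("RA", make_ipv6_icmp(134))):
        print(name, classify(f), verdict(f))
```
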