Bug 1193224 – [RFE] Allow MAC Anti-Spoofing per interface instead of globally

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1193224 - [RFE] Allow MAC Anti-Spoofing per interface instead of globally

Summary:	[RFE] Allow MAC Anti-Spoofing per interface instead of globally

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	RFEs (Show other bugs)
Sub Component:
Version:	3.4.0
Hardware:	Unspecified Unspecified

Priority	high Severity medium
Target Milestone:	ovirt-4.0.0-beta
Target Release:	4.0.0
Assigned To:	Alona Kaplan
QA Contact:	Michael Burman
Docs Contact:

URL:	https://www.ovirt.org/Features/Networ...
Whiteboard:
Keywords:	FutureFeature, Reopened

Duplicates:	1255568 (view as bug list)
Depends On:	1317441
Blocks:	1254972 1255558 1164397
	Show dependency tree / graph

Reported:	2015-02-16 17:12 EST by Robert McSwain
Modified:	2016-08-23 16:22 EDT (History)
CC List:	23 users (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	With this update, the network filter has been enhanced to allow the administrator the ability to manage the network packet traffic to and from virtual machines. The required filter can now be specified on the vNIC profile via the web interface or the REST API. If no filter is specified and the 'EnableMACAntiSpoofingFilterRules' is enabled via engine-config tool the vNIC profile will use 'Enable MAC Anti Spoofing' as the default filter
Story Points:	---
Clone Of:
Clones:	1317441 (view as bug list)
Environment:
Last Closed:	2016-08-23 16:22:49 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Flags:	sherold: Triaged+ mburman: testing_plan_complete+

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	51184	None	None	None	2016-05-09 08:41 EDT
oVirt gerrit	51450	None	None	None	2016-05-09 08:40 EDT
oVirt gerrit	52768	None	None	None	2016-05-09 08:39 EDT
oVirt gerrit	52770	None	None	None	2016-05-09 08:38 EDT
oVirt gerrit	52832	None	None	None	2016-05-09 08:39 EDT
oVirt gerrit	52906	None	None	None	2016-05-09 08:35 EDT
oVirt gerrit	56937	None	None	None	2016-05-09 08:42 EDT
oVirt gerrit	57041	None	None	None	2016-05-09 08:37 EDT
oVirt gerrit	57042	None	None	None	2016-05-09 08:37 EDT
oVirt gerrit	57087	None	None	None	2016-05-09 08:36 EDT
Red Hat Product Errata	RHEA-2016:1743	normal	SHIPPED_LIVE	Red Hat Virtualization Manager 4.0 GA Enhancement (ovirt-engine)	2016-09-02 17:54:01 EDT

Groups: None (edit)

Description Robert McSwain 2015-02-16 17:12:35 EST

1. Proposed title of this feature request
[RFE] EnableMACAntiSpoofingFilterRules for virtual interfaces

3. What is the nature and description of the request?
We use several pfsense boxes on RHEV to as Firewalls between our VLANs. It would be nice to use CARP. I know it is possible to use CARP with EnableMACAntiSpoofingFilterRules = True but I only would like to activate it for the interfaces of the virtual Firewalls, not globally.

4. Why does the customer need this? (List the business requirements here)
The pfsense machines are virtual machines on RHEV. Their purpose is to separate/manage the access between machines in different vlans (all on RHEV). The idea behind all this is to separate lab-machines from production and so on. I don't want to enable MacSpoofing for all the Machines nor any physical Interface on the Hypervisors but only for the virtual interface CARP should work over (lets say vm:pfsense0[1|2] interface:vlan1000_pfsync for example).
5. How would the customer like to achieve this? (List the functional requirements here)
For example a checkbox in the "Edit Network Interfaces" mask of a virtual machine
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
when checked --> EnableMACAntiSpoofingFilterRules = True
else EnableMACAntiSpoofingFilterRules = False
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

9. Is the sales team involved in this request and do they have any additional input?
No
10. List any affected packages or components.
rhevm, vdsm
11. Would the customer be able to assist in testing this functionality if implemented?
yes

Comment 2 Fabian Deutsch 2015-02-17 00:38:40 EST

Moving this to vdsm, as it takes over network configuration after registration.

Comment 3 Dan Kenigsberg 2015-03-27 09:54:37 EDT

It seems that the customer asks to allow mac spoofing on particular VMs/devices. Is that correct? If not, please explain the request better.

This can be implemented today by:
- install vdsm-hook-macspoof on all hosts
- sudo engine-config -s "CustomDeviceProperties={type=interface;prop={$PREVIOUS_PROPERTIES;ifacemacspoof=^(true|false)$}}"
   to enable the ifacemacspoof custom property
- restart engine to make configuration effective
- there's a network you want to connect to, with mac spoofing. Define a vNIC profile on top of it, and set ifacemacspoof=true
- attach the vNIC profile to a vNIC. This vNIC is now allow to carry spoofed traffic


It would be a bit nicer to solve this request natively, with no hooks involved. This could be done by allowing the user to choose a filter name per vNIC profile.

Comment 4 Lior Vernia 2015-04-01 10:43:06 EDT

MAC spoofing can already be turned on/off on a per-profile basis, by following Dan's instructions and setting the ifacemacspoof property via the custom properties widget in the vNIC profile dialog.

Please re-open if it turns out I misunderstood your needs and this doesn't satisfy them...

Comment 10 Robert McSwain 2015-12-31 09:34:04 EST

Dan,

While this bug is open for 3.4, my customer got a chance to try your suggestion and it worked until 3.5 came out. Since the he's said this

[In RHEV 3.5] the Syntax seems to be wrong:

[root@engine ~]# engine-config -s "CustomDeviceProperties={type=interface;prop={$PREVIOUS_PROPERTIES;ifacemacspoof=^(true|false)$}}"
Please select a version:
1. 3.0
2. 3.1
3. 3.2
4. 3.3
5. 3.5
6. 3.4
5
Cannot set value {type=interface;prop={;ifacemacspoof=^(true|false)$}} to key CustomDeviceProperties. Invalid syntax, custom device properties specification should conform to \{type=(disk|interface|video|sound|controller|balloon|channel|redir|console|rng|smartcard|watchdog);prop=\{((([a-z_A-Z0-9])+)=(([^;])*)(;(([a-z_A-Z0-9])+)=(([^;])*))*;?)?\}\}[;]?

We updated to RHEV 3.5 now... did the Syntax change?

Comment 11 Dan Kenigsberg 2015-12-31 11:04:47 EST

You should set the value of the PREVIOUS_PROPERTIES shell variable prior to using it

PREVIOUS_PROPERTIES=`engine-config -g CustomDeviceProperties --cver=3.5`

if it ends up empty (as it seems from you comment) you should drop the semicolon following it.

Does this help?

Comment 12 Robert McSwain 2016-01-04 17:58:02 EST

Dan,

Is this the proper way to do this?


[root@engine ~]# PREVIOUS_PROPERTIES=`engine-config -g CustomDeviceProperties --cver=3.5`
[root@engine ~]# engine-config -s "CustomDeviceProperties={type=interface prop={$PREVIOUS_PROPERTIES;ifacemacspoof=^(true|false)$}}"
Please select a version:
1. 3.0
2. 3.1
3. 3.2
4. 3.3
5. 3.5
6. 3.4
5
Cannot set value {type=interface prop={{type=interface;prop={SecurityGroups=^(?:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}, *)*[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|)$}};ifacemacspoof=^(true|false)$}} to key CustomDeviceProperties. Invalid syntax, custom device properties specification should conform to \{type=(disk|interface|video|sound|controller|balloon|channel|redir|console|rng|smartcard|watchdog);prop=\{((([a-z_A-Z0-9])+)=(([^;])*)(;(([a-z_A-Z0-9])+)=(([^;])*))*;?)?\}\}[;]?
[root@engine ~]# engine-config -s "CustomDeviceProperties={type=interface prop={$PREVIOUS_PROPERTIES ifacemacspoof=^(true|false)$}}"
Please select a version:
1. 3.0
2. 3.1
3. 3.2
4. 3.3
5. 3.5
6. 3.4
5
Cannot set value {type=interface prop={{type=interface;prop={SecurityGroups=^(?:(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}, *)*[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|)$}} ifacemacspoof=^(true|false)$}} to key CustomDeviceProperties. Invalid syntax, custom device properties specification should conform to \{type=(disk|interface|video|sound|controller|balloon|channel|redir|console|rng|smartcard|watchdog);prop=\{((([a-z_A-Z0-9])+)=(([^;])*)(;(([a-z_A-Z0-9])+)=(([^;])*))*;?)?\}\}[;]?

Comment 13 Yaniv Lavi 2016-01-06 08:43:28 EST

*** Bug 1255568 has been marked as a duplicate of this bug. ***

Comment 15 Mike McCune 2016-03-28 19:08:19 EDT

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 16 Michael Burman 2016-06-27 04:51:26 EDT

Verified on 4.0.0.6-0.1.el7ev

Comment 18 errata-xmlrpc 2016-08-23 16:22:49 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html

Note You need to log in before you can comment on or make changes to this bug.

alkaplan
bazulay
danken
fdeutsch
gklein
iheim
jbainbri
lpeer
lsurette
lvernia
mburman
melewis
myakove
pstehlik
rbalakri
Rhev-m-bugs
rmcswain
sraje
srevivo
ybronhei
ycui
ykaul
ylavi