Red Hat Bugzilla – Bug 1254972
[RFE] indicate how many packets are filtered out per vnic
Last modified: 2018-05-10 17:38:11 EDT
Description of problem: Ovirt filters mac addresses not registered by the guest nic
Version-Release number of selected component (if applicable): all
Create a virtual nic within a guest and use vlans in the vnic. The vlan traffic will be stopped by ebtables.
Steps to Reproduce:
1. Install a tap adapter
2. Create tagged vlan traffic from the tap adapter
3. The tagged traffic won't go through the bridge due to an ebtables rule.
Actual results:
No tagged traffic goes out to the network

Expected results:
Traffic can flow normally
I'm not reporting from my personal experience but from a post on the list. This is the second time I've seen someone with this problem, spending a lot of time to get to the root of it.
no-mac-spoofing is a security measure which most of our users want. I think that disabling it by default is wrong.
Have you tried following http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook to install vdsm-hook-macspoof? Setting http://www.ovirt.org/Vdsm_Hooks#Device-level_hooks makes the option of allowing mac-spoofing much more accessible.
I'm not questioning the use of no-mac-spoofing. I question that this is enabled by default. In the time I've been on the list, I have seen more than once people having trouble with this.
I think that having it disabled by default would give the people who do understand and want this security measure the option of enabling it, and not the other way around, as more inexperienced people may fall for this without knowing it exists.
These people may not find out that this is their problem and that they have to install a hook to customize it until they actually have a problem and spend at least a couple of days until they reach a solution or a helping hand pointing in the right direction.
I believe that installing and configuring vdsm-hook-macspoof by default would make this feature more accessible and easier to consume. Don't you think?
That seems to be a better solution. I agree that by doing that we can get the best of both worlds. It should be also documented so everybody knows how to use this.
Come to think of it, we already have an rfe bug 1193224 about this.
We may want to give an indication of how many packets have been filtered out as a warning on each vnic.
Moving to DWH as we would like to get this via the metrics store.
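One way to produce the per-vnic "packets filtered out" figure that the RFE above asks for, as an added example that is not part of this bug, oVirt or VDSM: it parses the counter output of `ebtables -t nat -L --Lc` and sums the packets that hit DROP rules in each per-vnic chain. The sample output is constructed, and the `libvirt-I-<vnic>` chain naming is an assumption taken from libvirt's nwfilter convention.

```python
import re
from collections import defaultdict

# Constructed sample of `ebtables -t nat -L --Lc` output (not captured from a
# real host). Chain names follow libvirt's nwfilter convention of
# libvirt-I-<vnic> (assumption); the DROP rule models no-mac-spoofing.
SAMPLE_EBTABLES = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0 , pcnt = 1540 -- bcnt = 131250
-i vnet1 -j libvirt-I-vnet1 , pcnt = 12 -- bcnt = 840

Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-s 52:54:0:aa:bb:cc -j RETURN , pcnt = 1320 -- bcnt = 112000
-j DROP , pcnt = 220 -- bcnt = 19250

Bridge chain: libvirt-I-vnet1, entries: 2, policy: ACCEPT
-s 52:54:0:dd:ee:ff -j RETURN , pcnt = 12 -- bcnt = 840
-j DROP , pcnt = 0 -- bcnt = 0
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries")
RULE_RE = re.compile(r"-j (\S+) , pcnt = (\d+) -- bcnt = (\d+)")
VNIC_RE = re.compile(r"^libvirt-[IO]-(.+)$")  # assumed libvirt chain naming


def dropped_per_vnic(text):
    """Return {vnic: (packets, bytes)} dropped by the per-vnic libvirt chains."""
    drops = defaultdict(lambda: [0, 0])
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                      # a new chain header: remember which chain we are in
            chain = m.group(1)
            continue
        m = RULE_RE.search(line)
        vnic = VNIC_RE.match(chain) if (m and chain) else None
        if vnic and m.group(1) == "DROP":   # only count the DROP rules of vnic chains
            drops[vnic.group(1)][0] += int(m.group(2))
            drops[vnic.group(1)][1] += int(m.group(3))
    return {k: tuple(v) for k, v in drops.items()}


def vnics_to_warn(text, threshold=1):
    """Vnics whose dropped-packet count reaches the threshold (the RFE's warning)."""
    return sorted(v for v, (pkts, _) in dropped_per_vnic(text).items() if pkts >= threshold)


if __name__ == "__main__":
    for vnic, (pkts, nbytes) in sorted(dropped_per_vnic(SAMPLE_EBTABLES).items()):
        print(f"{vnic}: {pkts} packets / {nbytes} bytes filtered out")
```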