Bug 1254972 - [RFE] indicate how many packets are filtered out per vnic
Status: NEW
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Priority: unspecified
Severity: medium
Assigned To: bugs@ovirt.org
QA Contact: Pavel Stehlik
Keywords: FutureFeature
Depends On: 1193224 1317441
Reported: 2015-08-19 07:15 EDT by Juan Pablo Lorier
Modified: 2018-05-10 17:38 EDT

Doc Type: Enhancement
Type: Bug
oVirt Team: Metrics
ylavi: ovirt‑future?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?

Description Juan Pablo Lorier 2015-08-19 07:15:54 EDT
Description of problem: oVirt filters MAC addresses not registered by the guest NIC

Version-Release number of selected component (if applicable): all

How reproducible:

Create a virtual NIC within a guest and use VLANs in the vNIC. The VLAN traffic will be stopped by ebtables.

Steps to Reproduce:
1. Install a tap adapter
2. Create tagged VLAN traffic from the tap adapter
3. The tagged traffic won't go through the bridge due to an ebtables rule.

Actual results:

No tagged traffic goes out to the network

Expected results:

Traffic can flow normally

Additional info:

I'm not reporting from my personal experience but from a post on the list. This is the second time I have seen someone with this problem spending a lot of time to get to the root of it.
Comment 1 Dan Kenigsberg 2015-08-26 10:08:56 EDT
no-mac-spoofing is a security measure which most of our users want. I think that disabling it by default is wrong.

Have you tried following http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook to install vdsm-hook-macspoof? Setting http://www.ovirt.org/Vdsm_Hooks#Device-level_hooks makes the option of allowing mac-spoofing much more accessible.
Comment 2 Juan Pablo Lorier 2015-08-26 10:24:03 EDT
Dear Dan,

I'm not questioning the use of no-mac-spoofing. I question that this is enabled by default. In the time I've been on the list, I have seen people having trouble with this more than once.
I think that having it disabled by default will give the people who do understand and want this security measure running the option of enabling it, and not the other way around, as more inexperienced people may fall for this without knowing it exists.
These people may not find out that this is their problem and that they have to install a hook to customize it until they actually have a problem and spend at least a couple of days until they reach a solution or a helping hand pointing in the right direction.
Comment 3 Dan Kenigsberg 2015-08-26 11:08:51 EDT
I believe that installing and configuring vdsm-hook-macspoof by default would make this feature more accessible and easier to consume. Don't you think?
Comment 4 Juan Pablo Lorier 2015-08-26 11:33:46 EDT
That seems to be a better solution. I agree that by doing that we can get the best of both worlds. It should be also documented so everybody knows how to use this.
Comment 5 Dan Kenigsberg 2015-09-08 05:33:39 EDT
Come to think of it, we already have an rfe bug 1193224 about this.

We may want to give an indication how many packets have been filtered out as a warning on each vnic.
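
The per-vNIC count proposed in comment 5 can be derived on a host from ebtables rule counters. The following is an added example, not part of this bug report and not oVirt or VDSM code: it assumes the counters are read with `ebtables -t nat -L --Lc`, that each filter chain name contains the tap device name (`vnetN`), and it runs on a constructed listing.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `ebtables -t nat -L --Lc`.
# Chain names carrying the vNIC name (vnet0, vnet1) are an assumption here.
SAMPLE = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0 , pcnt = 1520 -- bcnt = 143200
-i vnet1 -j libvirt-I-vnet1 , pcnt = 88 -- bcnt = 7100

Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-s 0:1a:4a:16:1:51 -j RETURN , pcnt = 1500 -- bcnt = 141000
-j DROP , pcnt = 20 -- bcnt = 2200

Bridge chain: libvirt-I-vnet1, entries: 2, policy: ACCEPT
-s 0:1a:4a:16:1:52 -j RETURN , pcnt = 88 -- bcnt = 7100
-j DROP , pcnt = 0 -- bcnt = 0
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: \d+, policy: \w+")
RULE_RE = re.compile(r"-j (\S+?)\s*,\s*pcnt = (\d+) -- bcnt = (\d+)\s*$")
VNIC_RE = re.compile(r"(vnet\d+)")

def dropped_per_vnic(listing):
    """Sum the DROP rule counters of every chain whose name contains a vNIC."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    vnic = None  # vNIC owning the chain currently being read, if any
    for line in listing.splitlines():
        chain = CHAIN_RE.match(line)
        if chain:
            dev = VNIC_RE.search(chain.group(1))
            vnic = dev.group(1) if dev else None
            continue
        rule = RULE_RE.search(line)
        if rule and vnic and rule.group(1) == "DROP":
            totals[vnic]["packets"] += int(rule.group(2))
            totals[vnic]["bytes"] += int(rule.group(3))
    return dict(totals)

def vnics_to_warn(totals, threshold=0):
    """vNICs whose cumulative dropped-packet count exceeds the threshold."""
    return sorted(v for v, c in totals.items() if c["packets"] > threshold)

if __name__ == "__main__":
    for name, counts in sorted(dropped_per_vnic(SAMPLE).items()):
        print(name, counts["packets"], "packets dropped,", counts["bytes"], "bytes")
```

The counters are cumulative since the rule was installed, so a monitoring job would compare successive readings rather than alert on the absolute value.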
Comment 6 Yaniv Lavi 2016-11-23 05:36:10 EST
Moving to DWH as we would like to get this via the metrics store.