Bug 1366905 - [RFE] Allow multiple IP's / text fields for network filters, specifically clean-traffic
Summary: [RFE] Allow multiple IP's / text fields for network filters, specifically cle...
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: future
Hardware: All
OS: Linux
medium vote
Target Milestone: ovirt-4.2.0
: 4.2.0
Assignee: Dominik Holler
QA Contact: Michael Burman
: 1342784 (view as bug list)
Depends On:
Blocks: 1502496
TreeView+ depends on / blocked
Reported: 2016-08-14 15:46 UTC by jax2568
Modified: 2019-04-28 13:41 UTC (History)
8 users (show)

Fixed In Version: ovirt-engine-4.2.0-0.0.master.20170901193740.git7900511.el7.centos.noarch.rpm
Doc Type: Enhancement
Doc Text:
The engine already supports filtering the network communication of VMs. Now it is possible to configure the filter parameters using the REST-API. See http://www.ovirt.org/develop/release-management/features/network/networkfilterparameters/#current-implementation-status for details.
Clone Of:
Last Closed: 2017-12-20 11:23:06 UTC
oVirt Team: Network
danken: ovirt-4.2?
gklein: testing_plan_complete-
rule-engine: planning_ack?
danken: devel_ack+
mburman: testing_ack+

Attachments (Terms of Use)
network filter ip space (75.35 KB, image/jpeg)
2016-08-14 15:46 UTC, jax2568
no flags Details
untested /usr/libexec/vdsm/hooks/before_vm_start/multiips hook (1.81 KB, text/plain)
2016-12-15 14:53 UTC, Dan Kenigsberg
no flags Details
/usr/libexec/vdsm/hooks/before_vm_start/multiips hook with debug output (2.03 KB, text/x-python)
2016-12-19 10:20 UTC, Dominik Holler
no flags Details

System ID Private Priority Status Summary Last Updated
oVirt gerrit 66782 0 master MERGED net virt: Network Filter Parameters 2020-12-13 20:27:46 UTC
oVirt gerrit 67319 0 master ABANDONED engine: Adding new table for network filter parameters 2020-12-13 20:27:17 UTC
oVirt gerrit 67328 0 master MERGED engine: Adding new entity for network filter parameters 2020-12-13 20:27:46 UTC
oVirt gerrit 67330 0 master MERGED engine: Sending network filter parameters to hosts 2020-12-13 20:27:46 UTC
oVirt gerrit 68397 0 master MERGED Adding NetworkFilterParameter. 2020-12-13 20:27:17 UTC
oVirt gerrit 68447 0 master MERGED engine: Adding queries for network filter parameters 2020-12-13 20:27:15 UTC
oVirt gerrit 68448 0 master MERGED engine: Adding commands for network filter parameters 2020-12-13 20:27:18 UTC
oVirt gerrit 70160 0 master MERGED restapi: Update to model 4.2.2 2020-12-13 20:27:16 UTC
oVirt gerrit 73720 0 master MERGED restapi: Adding network filter parameters 2020-12-13 20:27:18 UTC
oVirt gerrit 73858 0 master MERGED Changing NetworkFilterParameterService to NicNetworkFilterParameterService 2020-12-13 20:27:18 UTC
oVirt gerrit 79608 0 master MERGED backend: Added saving/updating of Network Filter Parameter into backend 2020-12-13 20:27:18 UTC
oVirt gerrit 79610 0 master MERGED frontend: Add new editor for setting network filter parameters 2020-12-13 20:27:47 UTC

Description jax2568 2016-08-14 15:46:15 UTC
Created attachment 1190771 [details]
network filter ip space


It was requested to create a Bug Tracker item for this via the users list:

As a service provider, we utilize oVirt for a range of tasks. One issue with oVirt keeping from being able to place into production where users have root access to VM's is the ability to steal IP's. It's understood subnetting would be ideal, but it's a huge waste of IP space. Most other software such as OnApp, SolusVM, Virtualizor etc utilize ebtables along with an internal IP pool to the software. When an IP from the pool is assigned to a VM, the ebtables rules are automatically added. when it's removed, those rules are also removed. oVirt current lacks any functionality for IP address management, but the network filters are a good start.


Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space other than the IP’s entered into the text fields, which then edit/work with the netfilter rules. The idea would be to click “click to add more” would add another text field.


Manually editing the VM's XML file will work however, only if the VM is then restarted from Virsh. If it's restarted via oVirt, the XML file appears to be overwritted again with the default values.


I have a VM with network filtering enabled, specifically the clean-traffic filter.

Through virsh, I modify the configuration to reflect changes like this:

     <filterref filter='clean-traffic'>
        <parameter name='IP' value=''/>
        <parameter name='IP' value=''/>

This only allows those two specified IP’s to communicate on the VM. I’ve defined the xml through virsh.

Now, if I start the VM directly through virsh, those rules apply and work correctly. I can add any other random IP from the same subnet and it does not work, as expected. Only the two Ip’s specified above will respond.

This unfortunately, makes the VM appear to be down from with the ovirt dashboard if it’s started manually through virsh.

If I edit the machine through virsh but do not start it and then go onto oVirt to start the VM, it seems the configuration is not loaded – does oVirt load a different configuration file other than /etc/libvirt/qemu/machine.xml?

Comment 1 jax2568 2016-08-25 01:19:49 UTC
Hello - is there anything else needed for this? Or is it a possibility? Not sure how this Bugzilla/feature request should work or if it's in the right place or not.

Comment 2 Yaniv Lavi 2016-08-25 01:33:44 UTC
(In reply to jax2568 from comment #1)
> Hello - is there anything else needed for this? Or is it a possibility? Not
> sure how this Bugzilla/feature request should work or if it's in the right
> place or not.

We are currently reviewing this for oVirt 4.1. No other needs from you at this point.

Comment 3 Sandro Bonazzola 2016-12-12 13:59:36 UTC
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.

Comment 4 Michael Burman 2016-12-13 13:19:29 UTC
This RFE is not in 4.1.0-0.2.master.20161210231201.git26a385e.el7.centos

Comment 5 jax2568 2016-12-14 15:57:56 UTC

I see this was updated with the line below:

Flags: ovirt-4.1? → ovirt-4.2?

Is this not included anymore in 4.1? If not, how long until 4.2?

Comment 6 Dan Kenigsberg 2016-12-14 22:41:37 UTC
ovirt-4.2 schedule has not been decided yet. But we do know that we've missed 4.1's feature freeze.

Maybe we can help you write a vdsm hook to enable the functionality on the mean while?

Comment 7 jax2568 2016-12-14 22:55:28 UTC
Ok, thanks for the update.

>>Maybe we can help you write a vdsm hook to enable the functionality on the mean while?

Sure however, I don't have any experience with writing hooks for vdsm.

Basically, the clean traffic filter works as expected but it the VM has multiple IP's, only one of them would work.

What would be involved with a vdsm hook to accomplish what we need to do?

Comment 8 Dan Kenigsberg 2016-12-15 14:53:19 UTC
Created attachment 1232201 [details]
untested /usr/libexec/vdsm/hooks/before_vm_start/multiips hook

place this in the hook directory, and define a vm custom property named multiips. Set this property to a comma-separated list of ip addresses. The hook script would allow the VM to use these ips on all of its clean-traffic filters.

Comment 9 jax2568 2016-12-15 16:36:18 UTC

Thanks for that hook - I will get this tested!

>place this in the hook directory, and define a vm custom property named multiips.

Sorry, I'm not exactly sure how I would create a custom property. Is there an article or guide on how to do this?

Comment 11 jax2568 2016-12-15 20:07:49 UTC
@Dan Kenigsberg,

Thanks for that link. I took a look at that earlier actually, but wasn't 100% sure what I was supposed to put for the values. Would it be like this?

engine-config -s CustomDeviceProperties="{multiips}" --cver=3.3

Comment 12 Dan Kenigsberg 2016-12-15 20:16:47 UTC
This discussion about the hack does not really belong to this RFE. Let's continue it on users@ovirt.org. A good start would be

engine-config -s UserDefinedVMProperties='multiips=.*' --cver=4.0

and then restart ovirt-engine.

Comment 13 Dominik Holler 2016-12-19 10:20:32 UTC
Created attachment 1233353 [details]
/usr/libexec/vdsm/hooks/before_vm_start/multiips hook with debug output

Comment 14 Dan Kenigsberg 2016-12-25 10:17:18 UTC
*** Bug 1342784 has been marked as a duplicate of this bug. ***

Comment 15 Meni Yakove 2017-06-05 08:07:39 UTC
Please fill in the DOC TEXT and link to the feature page. The feature page http://www.ovirt.org/develop/release-management/features/network/networkfilterparameters/ should refer to the API doc http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/nic_network_filter_parameters and mention that it is the only thing currently implemented.

Comment 16 Dan Kenigsberg 2017-06-11 16:02:08 UTC
A rudimentary implementation of this (REST only) already exists in master (future 4.2), https://gerrit.ovirt.org/#/c/78045/ would give a test and an example for usage. UX may follow later.

Comment 17 Michael Burman 2017-09-03 08:35:16 UTC
User can manage network filter parameters via REST-API and via UI.

Tested clean-traffic network filter scenario - 
name - IP
value - x.x.x.z 

Values passed as expected to the Libvirt XML -

<interface type='bridge'>
      <mac address='00:00:00:00:00:23'/>
      <source bridge='m3'/>
      <target dev='vnet2'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='x.x.x.x'/>
      <boot order='2'/>
      <alias name='net0'/>

Network filter parameters working as expected.

Verified on - 4.2.0-0.0.master.20170901193740.git7900511.el7.centos

Comment 18 Sandro Bonazzola 2017-12-20 11:23:06 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.