RHV 4.0 includes a setting for vNIC profiles that allows users to set a libvirt network filter using the 'Network Filter' drop-down list in the 'VM Interface Profile' window. This list, and its options, must be documented. The default value is 'vdsm-no-mac-spoofing'. Explanations for the other options should be covered by a link to a place where these options are already documented (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Virtualization_Administration_Guide/index.html#sect-applying-network-filtering and/or https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Virtualization_Deployment_and_Administration_Guide/index.html#sect-Virtual_Networking-Applying_network_filtering).
Assigning to Tahlia for review.
Hi Tahlia, The procedure looks good. Maybe we could enumerate the default available filters? I added the list in the doc text. But I'm also fine with this without it.
Hi Marcin, Thanks for reviewing. If you can provide a description of what each filter does, I'd be more than happy to add that to the docs. Otherwise, I don't think just a list of the filters adds much value, since you can see the same list from the drop-down in the UI anyway. Let me know what you think.
Marcin, please do. I think it will be very beneficial for all.
From the email thread, how vdsm-macspoofing-hook can be implemented in 4.0 using vNic profiles:

> @Dan,
> I am trying to figure out how this feature should work, but it is not really clear from either the ovirt page or the docs bug.
> Where can I define the mac addresses or whatever is needed to enable mac-spoofing?
> Can someone please elaborate more on how this is supposed to work?
> With some real life example?

I'm not sure what feature you are referring to, since the network filter feature does not require you to "define mac addresses". All you need to do is define a new network profile; in it, in 4.0 you can select a specific filter, which can be the simple "None". Then, when you attach this profile to a vnic, the vnic would have no filtering, and the guest can spoof whatever address it wants.
The filters are defined by libvirt and are documented by it https://libvirt.org/formatnwfilter.html#nwfexamples
The documentation at https://libvirt.org/formatnwfilter.html#nwfexamples (and in the RHEL Virt docs) only includes:
- no-arp-spoofing
- allow-dhcp
- allow-dhcp-server
- no-ip-spoofing
- no-ip-multicast
- clean-traffic

But the filters available through the UI are:
- vdsm-no-mac-spoofing
- allow-arp
- allow-dhcp
- allow-incoming-ipv4
- allow-ipv4
- clean-traffic
- no-arp-ip-spoofing
- no-arp-mac-spoofing
- no-arp-spoofing
- no-ip-multicast
- no-ip-spoofing
- no-mac-broadcast
- no-mac-spoofing
- no-other-l2-traffic
- no-other-rarp-traffic
- qemu-announce-self
- qemu-announce-self-rarp
- <No Network Filter>

So some filters would still be lacking a description.
I see. These filters are libvirt's; RHV only exposes them. I suggest that libvirt documents them somewhere like https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Virtual_Networking-Applying_network_filtering.html

I think that we should refer to their doc, possibly copying what they currently have upstream. To that we should add:
* vdsm-no-mac-spoofing is the default filter in RHV
* <No Network Filter> is self-explanatory, but mention that it should be used for in-guest vlan and bonds, as well as for a (slight) performance boost when the guest is trusted.
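An added example, not part of the original thread and not RHV or VDSM code: a host-side audit that reads libvirt domain XML (the `virsh dumpxml` format) and reports which network filter each vNIC carries, flagging those with none. It assumes a vNIC profile set to <No Network Filter> produces an `<interface>` without a `<filterref>` element; the sample XML, MAC addresses, bridge names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of libvirt domain XML; VM name, MACs and bridges are made up.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>example-vm</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='trunk'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:53'/>
      <source bridge='dmz'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
</domain>
"""

def vnic_filters(domain_xml):
    """Return [(mac, source, filter_name_or_None)] for every interface."""
    rows = []
    for nic in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac, src, ref = nic.find("mac"), nic.find("source"), nic.find("filterref")
        rows.append((
            mac.get("address") if mac is not None else None,
            (src.get("bridge") or src.get("network")) if src is not None else None,
            ref.get("filter") if ref is not None else None,
        ))
    return rows

def unfiltered_vnics(domain_xml, trusted_macs=()):
    """MACs of vNICs with no filterref that are not on a reviewed allow-list."""
    trusted = {m.lower() for m in trusted_macs}
    return [mac for mac, _, flt in vnic_filters(domain_xml)
            if flt is None and (mac or "").lower() not in trusted]

if __name__ == "__main__":
    for mac, src, flt in vnic_filters(SAMPLE_DOMAIN_XML):
        print(f"{mac}  {str(src):<10} {flt or '<No Network Filter>'}")
    print("needs review:", unfiltered_vnics(SAMPLE_DOMAIN_XML))
```

The `trusted_macs` allow-list is where vNICs that intentionally run unfiltered (in-guest VLANs or bonds on a trusted guest) would be recorded so they stop being reported.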
Now published at https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide/#sect-Virtual_Network_Interface_Cards