Bug 1610979 - [downstream clone - 4.2.7] [RHEL-7.6] Limit east-west traffic of VMs with network filter
Summary: [downstream clone - 4.2.7] [RHEL-7.6] Limit east-west traffic of VMs with net...
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.9
Hardware: All
OS: Linux
Target Milestone: ovirt-4.2.7
: ---
Assignee: Ales Musil
QA Contact: Michael Burman
Whiteboard: network
Depends On: 1009608
Reported: 2018-08-01 19:29 UTC by RHV bug bot
Modified: 2021-09-09 15:15 UTC (History)

Fixed In Version: ovirt-engine-4.2.7
Doc Type: Enhancement
Doc Text:
In the current release, a filter for VNIC profiles, `clean-traffic-gateway`, supports private VLAN connections.
Clone Of: 1009608
Last Closed: 2018-11-05 15:02:41 UTC
oVirt Team: Network
Target Upstream Version:
mburman: testing_plan_complete+

Attachments

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 640003 0 None None None 2018-08-01 19:32:54 UTC
Red Hat Knowledge Base (Solution) 5693301 0 None None None 2021-01-08 18:08:30 UTC
Red Hat Product Errata RHBA-2018:3480 0 None None None 2018-11-05 15:03:40 UTC
oVirt gerrit 93109 0 'None' MERGED db: Add clean-traffic-gateway into network filters 2021-01-12 07:37:40 UTC
oVirt gerrit 93807 0 'None' MERGED db: Add clean-traffic-gateway into network filters 2021-01-12 07:37:40 UTC
oVirt gerrit 93836 0 'None' MERGED db: Update clean-traffic-gateway network filter 2021-01-12 07:38:18 UTC

Description RHV bug bot 2018-08-01 19:29:51 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1009608 +++

Description of problem:

Support for private virtual local area networks (PVLAN), allowing a VLAN to be 'sub-partitioned' by restricting switch ports to only communicate with a given 'uplink', avoiding peer-to-peer communication (an extension to the VLAN standard).

A private VLAN works when assigning an IP to the interface directly on the RHEL KVM hypervisor server, but when creating a bridge using the same interface and assigning the network to a VM, it does not work.

(Originally by Allan Voss)

Comment 19 RHV bug bot 2018-08-01 19:32:04 UTC

Red Hat Virtualization Manager Administration portal
Navigate to any network N under a datacenter. Open the associated vNIC profile. The 'Network Filter' field shows a drop-down list of only the built-in network filters.

A way to create a new network filter and associate it with a vNIC profile from the administration portal.

(Originally by fnanushr)

Comment 20 RHV bug bot 2018-08-01 19:32:12 UTC
(In reply to fnanushr from comment #18)
> RFE:
> A way to create a new network filter and associate it with a vNIC profile
> from the administration portal.

bug 1544666 is all about letting Engine select a non-built-in nwfilter, that is already deployed to all hosts. Here you request a way to deploy nwfilter to all hosts, which I believe is better done by Ansible, possibly triggered by ovirt-host-deploy. If you think differently, please file an independent RFE.

(Originally by danken)

Comment 21 RHV bug bot 2018-08-01 19:32:20 UTC
We will look into adding the network filter to libvirt and a gateway option to RHV to enable this use case.

(Originally by ylavi)

Comment 22 RHV bug bot 2018-08-01 19:32:29 UTC
We agreed to remove the RFEs component from Bugzilla; if you feel the component has been renamed incorrectly, please reach out.

(Originally by Sarah Power)

Comment 23 RHV bug bot 2018-08-01 19:32:38 UTC
Upstream patch is going well and we will ask to add the filter to a coming RHEL release.

(Originally by ylavi)

Comment 24 Dan Kenigsberg 2018-08-20 06:42:07 UTC
In my opinion it is safe enough to introduce this to 4.2.7, which is going to support el7.6, which is going to have this filter.

Comment 25 Ales Musil 2018-09-04 07:06:00 UTC
The new filter is called "clean-traffic-gateway" and can be chosen in vNIC profiles. Then, for every VM NIC using this vNIC profile, the "GATEWAY_MAC" network filter parameter should be specified for the filter to work properly.

Comment 26 Michael Burman 2018-09-04 08:58:48 UTC
Verified upstream with:
kernel 3.10.0-940.el7.x86_64
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
RHEL 7.5 guests (VMs)

Test flow:

1. Create 3 VMs with 1 vNIC each

2. Create logical network 'net1'

3. Edit net1's vNIC profile and choose 'clean-traffic-gateway' network filter

4. VM1 - assign net1's vNIC profile and, in 'Network Filter Parameters', set
name=GATEWAY_MAC , value=MAC address of VM2
name=GATEWAY_MAC , value=ff:ff:ff:ff:ff:ff - for DHCP to work correctly

5. VM2 - assign net1's vNIC profile and, in 'Network Filter Parameters', set
name=GATEWAY_MAC , value=MAC address of VM1
name=GATEWAY_MAC , value=ff:ff:ff:ff:ff:ff - for DHCP to work correctly

6. VM3 - create a new vNIC profile for the 'net1' network without the clean-traffic-gateway network filter, assign that new net1 vNIC profile, and don't set any 'Network Filter Parameters'

7. Ping between VM1 and VM2 - PASS
8. Try to ping from VM3 to VM1/VM2 - FAIL as expected
9. Try to ping from VM1/VM2 to VM3 - FAIL as expected
10. Try to ping from VM1/VM2 to the default gateway - FAIL as expected
11. Try to ssh to VM1/VM2 from outside (a MAC address that isn't specified in the network filter parameters) - FAIL as expected

12. XML passed correctly:

<filterref filter='clean-traffic-gateway'>
        <parameter name='GATEWAY_MAC' value='ff:ff:ff:ff:ff:ff'/>
        <parameter name='GATEWAY_MAC' value='00:xx:xx:xx:xx:00'/>
</filterref>

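The two comments above describe the configuration contract (comment 25: every vNIC using the profile must carry a GATEWAY_MAC parameter, or the filter does not work) and the verification flow (comment 26: a correctly filtered vNIC and an unfiltered vNIC on the same network). The following Python script is an added example, not code from this bug, from oVirt or from libvirt. It assumes only the <interface> layout shown in comment 26 (a <filterref> inside the interface carrying one or more GATEWAY_MAC <parameter> entries) and uses the standard library. The function names `build_filterref` and `audit_domain` and the sample domain XML are constructed for this example; the audit reports vNICs on a given bridge that are not actually isolated: no filter, a different filter, or the right filter with no GATEWAY_MAC set.

```python
"""Audit libvirt domain XML for the clean-traffic-gateway network filter.

Added example (not code from this bug, oVirt or libvirt). It assumes the
<interface> layout shown in comment 26: a <filterref> carrying one or more
GATEWAY_MAC <parameter> entries. Uses only the Python standard library.
"""
import re
import xml.etree.ElementTree as ET

FILTER_NAME = "clean-traffic-gateway"   # filter name from the bug
PARAM_NAME = "GATEWAY_MAC"              # parameter name from the bug
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"     # needed so DHCP broadcasts still pass
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def build_filterref(gateway_macs, allow_broadcast=True):
    """Build the <filterref> element for a vNIC.

    One GATEWAY_MAC parameter is emitted per permitted gateway; the broadcast
    MAC is appended (as in the verification flow) so DHCP keeps working.
    """
    ref = ET.Element("filterref", filter=FILTER_NAME)
    macs = [m.lower() for m in gateway_macs]
    if allow_broadcast and BROADCAST_MAC not in macs:
        macs.append(BROADCAST_MAC)
    for mac in macs:
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        ET.SubElement(ref, "parameter", name=PARAM_NAME, value=mac)
    return ref


def audit_domain(domain_xml, bridge):
    """Return (interface MAC, problem) pairs for every interface on `bridge`
    that would not actually be isolated by clean-traffic-gateway."""
    findings = []
    root = ET.fromstring(domain_xml)
    for iface in root.iterfind("./devices/interface"):
        src = iface.find("source")
        if src is None or src.get("bridge") != bridge:
            continue  # other networks are out of scope for this check
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac>"
        ref = iface.find("filterref")
        if ref is None:
            findings.append((mac, "no network filter"))
            continue
        if ref.get("filter") != FILTER_NAME:
            findings.append((mac, f"filter is {ref.get('filter')!r}, not {FILTER_NAME!r}"))
            continue
        gateways = [p.get("value", "") for p in ref.iterfind("parameter")
                    if p.get("name") == PARAM_NAME]
        if not gateways:
            # comment 25: without GATEWAY_MAC the filter does not work
            findings.append((mac, f"{PARAM_NAME} not set"))
        for gw in gateways:
            if not MAC_RE.match(gw.lower()):
                findings.append((mac, f"malformed {PARAM_NAME} value {gw!r}"))
    return findings


# Constructed sample domain (not from the bug): one correct vNIC on net1, one
# with no filter, one with the filter but no GATEWAY_MAC, one on another bridge.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>sample-vm</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:00:01'/>
      <source bridge='net1'/>
      <filterref filter='clean-traffic-gateway'>
        <parameter name='GATEWAY_MAC' value='52:54:00:aa:00:02'/>
        <parameter name='GATEWAY_MAC' value='ff:ff:ff:ff:ff:ff'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:00:03'/>
      <source bridge='net1'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:00:04'/>
      <source bridge='net1'/>
      <filterref filter='clean-traffic-gateway'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:00:05'/>
      <source bridge='ovirtmgmt'/>
    </interface>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for mac, problem in audit_domain(SAMPLE_DOMAIN_XML, "net1"):
        print(f"{mac}: {problem}")
    print(ET.tostring(build_filterref(["52:54:00:AA:00:02"]), encoding="unicode"))
```

Run against a real host, the same audit would take the output of `virsh dumpxml <domain>` for each running VM on the network. The check is deliberately per-interface rather than per-profile: the engine-side vNIC profile only selects the filter, and comment 25 makes the GATEWAY_MAC parameter a per-NIC setting, so a NIC can carry the right profile and still be unfiltered in practice.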
Comment 28 Raz Tamir 2018-09-19 12:30:14 UTC
QE verification bot: the bug was verified upstream

Comment 30 errata-xmlrpc 2018-11-05 15:02:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 31 Roni 2018-11-20 09:54:30 UTC
The requirement is to enable traffic from VMs to the default gateway only.
As a result, we expected that any type of traffic between VMs would be blocked, including broadcast, e.g. ARP, DHCP requests, etc.

The following 3 leaking issues break that requirement:

