Bug 1651467 - [clean-traffic-gateway filter] ARP packet is leaking between blocked VMs
Summary: [clean-traffic-gateway filter] ARP packet is leaking between blocked VMs
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Network
Version: 4.3.0
Hardware: x86_64
OS: Linux
high vote
Target Milestone: ---
Assignee: Ales Musil
QA Contact: Michael Burman
Depends On: 1725166 1848971
Reported: 2018-11-20 07:32 UTC by Roni
Modified: 2022-03-22 13:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-12-11 12:04:46 UTC
oVirt Team: Network
sbonazzo: ovirt-4.3-

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHV-45404 0 None None None 2022-03-22 13:27:00 UTC

Description Roni 2018-11-20 07:32:08 UTC
Description of problem:
The clean-traffic-gateway filter is expected to block any traffic between two VMs.
Although unicast traffic is blocked, ARP traffic is not!
After a ping attempt between two blocked VMs, their ARP tables will include each other's MAC.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start two VMs
2. Run 'route -n' and then 'arp -an' to see their gateway MAC address
3. Add new vNIC profile
4. Choose: Network='ovirtmgmt', Network Filter='clean-traffic-gateway'
5. At both VMs: 
   Go to Compute | Virtual Machines | Click the VM name | 
   Network Interfaces tab | edit the NIC
   Change their profile to the newly created profile from section #3 above
   Add Network Filter Parameter GATEWAY_MAC=[GW MAC from section #2 above]
6. Run ping from VM-1 to VM-2
7. Run 'arp -an' at both VMs

Actual results:
1. Ping is not replying
2. ARP table includes the other VM's MAC address

Expected results:
1. Ping is not replying
2. ARP table at both VMs should include only the Gateway MAC address

Additional info:

Comment 1 Dan Kenigsberg 2018-12-11 12:04:46 UTC
Thanks for filing this bug, but we are unlikely to address it.
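
Added example (not part of the original report or of oVirt): a small POSIX shell check for step 7 and the expected results in the description, which reads 'arp -an' output inside a guest and lists every resolved neighbour whose MAC is not the configured GATEWAY_MAC. The function name arp_leaks and all addresses in the sample are constructed for illustration; the net-tools line format "? (IP) at MAC [ether] on IFACE" is assumed.

```shell
#!/bin/sh
# arp_leaks GATEWAY_MAC   (hypothetical helper name)
# Reads `arp -an` output on stdin and prints "IP MAC" for every resolved
# neighbour whose MAC differs from the gateway's.
# Exit status: 0 = only the gateway is known, 1 = other MACs learned,
#              2 = GATEWAY_MAC is not a valid MAC address.
arp_leaks() {
    gw=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$gw" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || {
        echo "usage: arp_leaks GATEWAY_MAC < arp-output" >&2
        return 2
    }
    awk -v gw="$gw" '
        # Assumed net-tools format: ? (IP) at MAC [ether] on IFACE
        $3 == "at" {
            mac = tolower($4)
            # Skip unresolved entries such as <incomplete>
            if (mac !~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/) next
            if (mac != gw) {
                ip = $2
                gsub(/[()]/, "", ip)
                print ip, mac
                leaked = 1
            }
        }
        END { exit leaked ? 1 : 0 }
    '
}

# Constructed sample: gateway, one peer VM that should have been filtered,
# and one unresolved entry.
SAMPLE_ARP='? (192.168.122.1) at 52:54:00:aa:bb:01 [ether] on eth0
? (192.168.122.57) at 52:54:00:aa:bb:02 [ether] on eth0
? (192.168.122.99) at <incomplete> on eth0'

# Demo on the constructed sample; in a guest, run instead:
#   arp -an | arp_leaks "$GATEWAY_MAC"
printf '%s\n' "$SAMPLE_ARP" | arp_leaks 52:54:00:aa:bb:01 \
    || echo "ARP leak: the entries above are not the gateway"
```

Run it in both VMs after the ping in step 6; a non-zero exit status with a listed peer address corresponds to the "Actual results" in the description.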