Bug 1651467 - [clean-traffic-gateway filter] ARP packet is leaking between blocked VMs
Summary: [clean-traffic-gateway filter] ARP packet is leaking between blocked VMs
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Network
Version: 4.3.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ovirt-4.3.0
Assignee: Ales Musil
QA Contact: Michael Burman
URL:
Whiteboard:
Depends On: 1725166 1848971
Blocks:
Reported: 2018-11-20 07:32 UTC by Roni
Modified: 2020-06-19 12:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-11 12:04:46 UTC
oVirt Team: Network
rule-engine: ovirt-4.3+


Description Roni 2018-11-20 07:32:08 UTC
Description of problem:
The clean-traffic-gateway filter is expected to block any traffic between two VMs.
Although unicast traffic is blocked, ARP traffic is not!
After a ping is tried between two blocked VMs, their ARP tables will include each other's MAC.

Version-Release number of selected component (if applicable):
4.3.0-0.0.master.20181116185756.gite19db6e.el7

How reproducible:
100%

Steps to Reproduce:
1. Start two VMs
2. Run 'route -n' and then 'arp -an' to see their gateway MAC address
3. Add new vNIC profile
4. Choose: Network='ovirtmgmt', Network Filter='clean-traffic-gateway'
5. At both VMs: 
   Go to Compute | Virtual Machines | Click the VM name | 
   Network Interfaces tab | edit the NIC
   Change their profile to the newly created profile from section #3 above
   Add Network Filter Parameter GATEWAY_MAC=[GW MAC from section #2 above]
6. Run ping from VM-1 to VM-2
7. Run 'arp -an' at both VMs

Actual results:
1. Ping is not replying
2. ARP table includes each other VM's MAC address

Expected results:
1. Ping is not replying
2. ARP table at both VMs should include only the Gateway MAC address


Additional info:

Comment 1 Dan Kenigsberg 2018-12-11 12:04:46 UTC
Thanks for filing this bug, but it is unlikely that we are going to address it.
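
The check in step 7 of the report (does the ARP table hold anything other than the gateway MAC?) can be automated. The following is an added example, not part of the original report or of oVirt: the function name `arp_leaks` and the sample tables are constructed here, and it assumes the net-tools `arp -an` line format `? (IP) at MAC [ether] on IFACE`.

```shell
#!/bin/sh
# Added example (not from the bug report): list neighbours learned by a VM
# whose MAC is not the configured GATEWAY_MAC.
# Reads `arp -an` output on stdin; prints "IP MAC" for each unexpected entry
# and returns 1 if any were found, 0 if only the gateway (or nothing) is known.
# Usage on a VM:  arp -an | arp_leaks "$GATEWAY_MAC"
arp_leaks() {
    # Normalise the expected MAC to lower case for comparison.
    gw=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v gw="$gw" '
        # Assumed net-tools format: ? (IP) at MAC [ether] on IFACE
        $3 == "at" {
            mac = tolower($4)
            # Unresolved entries read "<incomplete>": no MAC was learned,
            # so they are not evidence of ARP crossing the filter.
            if (length(mac) != 17 || mac !~ /^[0-9a-f:]+$/) next
            if (mac != gw) {
                ip = $2
                gsub(/[()]/, "", ip)
                print ip, mac
                leaked = 1
            }
        }
        END { exit (leaked + 0) }
    '
}

# Constructed sample tables (documentation addresses, made-up MACs).
# SAMPLE_LEAK: gateway plus a second VM's MAC, as in "Actual results".
SAMPLE_LEAK='? (192.0.2.1) at 00:1A:4A:16:01:01 [ether] on eth0
? (192.0.2.12) at 00:1a:4a:16:01:52 [ether] on eth0
? (192.0.2.13) at <incomplete> on eth0'

# SAMPLE_CLEAN: only the gateway resolved, as in "Expected results".
SAMPLE_CLEAN='? (192.0.2.1) at 00:1a:4a:16:01:01 [ether] on eth0
? (192.0.2.12) at <incomplete> on eth0'
```

Run it on both VMs after the ping attempt; a non-zero exit status means the table contains a MAC other than the gateway's.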

