Bug 809814 (rhev_nwfilter) - PRD31 - BETA3 - Add nwfilter rules to all VMs
Summary: PRD31 - BETA3 - Add nwfilter rules to all VMs
Keywords:
Status: CLOSED ERRATA
Alias: rhev_nwfilter
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.1.0
Assignee: Moti Asayag
QA Contact: Meni Yakove
URL: http://wiki.ovirt.org/wiki/Features/D...
Whiteboard: network
Depends On: 811807
Blocks:
Reported: 2012-04-04 12:53 UTC by Andrew Cathrow
Modified: 2018-11-28 20:00 UTC (History)
18 users

Fixed In Version: SI18
Doc Type: Enhancement
Doc Text:
Previously, Red Hat Enterprise Virtualization did not prevent MAC spoofing. A virtual machine could impersonate other virtual machines, causing traffic meant for a specific virtual machine to reach an unexpected destination. Now, the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled, a filter that prevents spoofing is added to each virtual machine network interface's XML definition.
Clone Of:
Environment:
Last Closed: 2012-12-04 19:23:54 UTC
oVirt Team: Network
Target Upstream Version:
Embargoed:


Attachments


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 833542 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHSA-2012:1506 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.1 2012-12-04 23:58:40 UTC

Internal Links: 833542

Description Andrew Cathrow 2012-04-04 12:53:37 UTC
All virtual machines should be started with the no-arp-spoofing and no-mac-spoofing nwfilters.

Note: portmirror VMs are excluded from this.
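The description asks for libvirt's no-arp-spoofing and no-mac-spoofing nwfilters on every VM NIC, and the Doc Text says the manager attaches the filter through the interface's XML definition when EnableMACAntiSpoofingFilterRules is on. The Python below is an added example (not oVirt's, RHEV-M's or libvirt's own code) that audits a domain XML for those two filters and attaches them to NICs that have none. The two built-in filter names come from the description; the combined filter `example-no-spoofing`, the unrelated `example-allow-dhcp` filter and the sample domain XML are constructed for the example. The combined filter exists because libvirt accepts a single `<filterref>` per `<interface>`, so the two built-ins have to be bundled through a filter of their own, and the audit therefore resolves filter references transitively rather than matching names on the interface alone.

```python
"""Audit libvirt domain XML for the anti-spoofing nwfilters and attach them to
unfiltered NICs. Added example; not oVirt, RHEV-M or libvirt code."""
import xml.etree.ElementTree as ET

# Built-in libvirt nwfilters named in the bug description.
REQUIRED_FILTERS = frozenset({"no-mac-spoofing", "no-arp-spoofing"})

# Hypothetical name: libvirt allows one <filterref> per <interface>, so the
# two built-ins are bundled into a single filter of our own.
COMBINED_FILTER = "example-no-spoofing"

# Constructed nwfilter definitions (name -> XML). Built-ins have no entry and
# are treated as leaves when references are resolved.
FILTER_DEFINITIONS = {
    COMBINED_FILTER: f"""<filter name='{COMBINED_FILTER}' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
</filter>""",
    # A filter that does something else entirely; it must not count as compliant.
    "example-allow-dhcp": """<filter name='example-allow-dhcp' chain='root'>
  <rule action='accept' direction='out' priority='100'>
    <udp dstportstart='67'/>
  </rule>
</filter>""",
}

# Constructed domain XML: NIC 01 carries the combined filter, NIC 02 has no
# filter at all, NIC 03 carries an unrelated filter.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vm-constructed</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <source bridge='rhevm'/>
      <filterref filter='example-no-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <source bridge='rhevm'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:03'/>
      <source bridge='rhevm'/>
      <filterref filter='example-allow-dhcp'/>
    </interface>
  </devices>
</domain>
"""


def filter_closure(name, definitions, seen=None):
    """Return every filter name reachable from `name` by following <filterref>
    elements in `definitions`, including `name` itself. Undefined names
    (the libvirt built-ins here) are leaves; reference cycles are tolerated."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    definition = definitions.get(name)
    if definition is not None:
        for ref in ET.fromstring(definition).iter("filterref"):
            filter_closure(ref.get("filter"), definitions, seen)
    return seen


def audit_interfaces(domain_xml, definitions):
    """Map each NIC's MAC address to the required filters it lacks; an empty
    list means both anti-spoofing filters cover that NIC."""
    report = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        mac = iface.find("mac").get("address")
        ref = iface.find("filterref")
        present = set()
        if ref is not None:
            present = filter_closure(ref.get("filter"), definitions)
        report[mac] = sorted(REQUIRED_FILTERS - present)
    return report


def enforce_filters(domain_xml, enabled=True):
    """Mirror the global EnableMACAntiSpoofingFilterRules switch: when enabled,
    attach the combined filter to every NIC that has no <filterref> yet. A NIC
    that already references another filter is left for the audit to flag,
    since replacing its filter silently could drop rules the operator wanted."""
    root = ET.fromstring(domain_xml)
    if enabled:
        for iface in root.iter("interface"):
            if iface.find("filterref") is None:
                ET.SubElement(iface, "filterref", {"filter": COMBINED_FILTER})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_interfaces(SAMPLE_DOMAIN_XML, FILTER_DEFINITIONS))
    hardened = enforce_filters(SAMPLE_DOMAIN_XML)
    print("after: ", audit_interfaces(hardened, FILTER_DEFINITIONS))
```

Running the script reports NIC 02 and NIC 03 as lacking both filters, and after `enforce_filters` only NIC 03 remains flagged, because its existing `<filterref>` is deliberately not overwritten. As comment 8 below notes, these filters act on the VM's egress traffic only, so the audit is a check of what the VM is allowed to send, not of what reaches it.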

Comment 6 Andrew Cathrow 2012-07-08 09:47:03 UTC
Agreed in today's meeting that this will be a global config option to enable or disable. The default will be enabled.

We'll extend in 3.2/4.0 to allow per VM and per logical network settings

Comment 7 lpeer 2012-07-15 10:56:33 UTC
2 notes:

1. Support for setting the filters on hot-plug NICs is also needed.
2. We should avoid setting the filter on port-mirroring NICs.

Comment 8 lpeer 2012-07-31 08:42:20 UTC
(In reply to comment #7)
> 2 notes:
> 
> 1. support for setting the filters on hot-plug NIC is also needed.
> 2. we should avoid setting the filter on port-mirroring NICS.

After reviewing the filter carefully, it looks like there is no need for special treatment of port mirroring, as the filters apply only to the VM's egress traffic.

Comment 20 Moti Asayag 2012-08-13 15:04:53 UTC
The feature page for Network Filtering:

http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering

Comment 23 Moti Asayag 2012-08-20 18:45:40 UTC
Suggested patch:

http://gerrit.ovirt.org/#/c/7356/

Comment 30 Meni Yakove 2012-09-24 08:03:23 UTC
Verified on rhevm-3.1.0-16.el6ev.noarch

Comment 33 errata-xmlrpc 2012-12-04 19:23:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1506.html

