Bug 809814 - (rhev_nwfilter) PRD31 - BETA3 - Add nwfilter rules to all VMs
PRD31 - BETA3 - Add nwfilter rules to all VMs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
3.1.0
All Linux
high Severity high
: ---
: 3.1.0
Assigned To: Moti Asayag
Meni Yakove
http://wiki.ovirt.org/wiki/Features/D...
network
: FutureFeature, Triaged
Depends On: 811807
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-04 08:53 EDT by Andrew Cathrow
Modified: 2016-02-10 14:50 EST (History)
18 users (show)

See Also:
Fixed In Version: SI18
Doc Type: Enhancement
Doc Text:
Previously, Red Hat Enterprise Virtualization did not prevent MAC-spoofing. A virtual machine could impersonate other virtual machines, causing a traffic meant for a specific virtual machine to reach an unexpected destination. Now, the Red Hat Enterprise Virtualization Manager exposes a global configuration property named EnableMACAntiSpoofingFilterRules, which is set to "True" by default. With the EnableMACAntiSpoofingFilterRules property enabled, a filter that prevents spoofing gets added to a virtual machine network interface's XML definition.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-04 14:23:54 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrew Cathrow 2012-04-04 08:53:37 EDT
All virtual machines should be started with no-arp-spoofing and no-mac-spoofing nwfilter 

Note: portmirror VMs are excluded from this.
Comment 6 Andrew Cathrow 2012-07-08 05:47:03 EDT
Agreed in today's meeting that we this will be a global config option to enable or disable. The default will be enabled.

We'll extend in 3.2/4.0 to allow per VM and per logical network settings
Comment 7 lpeer 2012-07-15 06:56:33 EDT
2 notes:

1. support for setting the filters on hot-plug NIC is also needed.
2. we should avoid setting the filter on port-mirroring NICS.
Comment 8 lpeer 2012-07-31 04:42:20 EDT
(In reply to comment #7)
> 2 notes:
> 
> 1. support for setting the filters on hot-plug NIC is also needed.
> 2. we should avoid setting the filter on port-mirroring NICS.

After reviewing the filter carefully it looks like there is no need for a special treatment for port mirroring as the filters are only for the vm egress traffic.
Comment 20 Moti Asayag 2012-08-13 11:04:53 EDT
The feature page for Network Filtering:

http://wiki.ovirt.org/wiki/Features/Design/Network/NetworkFiltering
Comment 23 Moti Asayag 2012-08-20 14:45:40 EDT
Suggested patch:

http://gerrit.ovirt.org/#/c/7356/
Comment 30 Meni Yakove 2012-09-24 04:03:23 EDT
Verified on rhevm-3.1.0-16.el6ev.noarch
Comment 33 errata-xmlrpc 2012-12-04 14:23:54 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1506.html

Note You need to log in before you can comment on or make changes to this bug.