[Users] disable EnableMACAntiSpoofingFilterRules per VM

Hi,

Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
http://www.ovirt.org/Features/Design/Network/NetworkFiltering
http://lists.ovirt.org/pipermail/users/2013-October/017217.html

Is there a way to disable mac filtering only for a specific VM and not for the entire cluster?

I've tried giving MAC addresses in the form of 00-00-5E-00-01-XX but it didn't work.

Best regards,
G

Yep!

Here you go: 'yum install vdsm-hook-macspoof' on all hosts, then following the instructions here:
https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README

You can disable the filter on a VM or VNIC level.

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Kapetanakis Giannis" <bilias@edu.physics.uoc.gr>
To: "users@oVirt.org" <users@ovirt.org>
Sent: Wednesday, December 25, 2013 1:19:23 PM
Subject: [Users] disable EnableMACAntiSpoofingFilterRules per VM

> Hi,
> Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
> http://www.ovirt.org/Features/Design/Network/NetworkFiltering
> http://lists.ovirt.org/pipermail/users/2013-October/017217.html
> Is there a way to disable mac filtering only for a specific VM and not for the entire cluster?
> I've tried giving MAC addresses in the form of 00-00-5E-00-01-XX but it didn't work.
> Best regards,
> G

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

On 25/12/13 17:26, Assaf Muller wrote:
> Yep!
> Here you go: 'yum install vdsm-hook-macspoof' on all hosts, then following the instructions here: https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README
> You can disable the filter on a VM or VNIC level.
> Assaf Muller, Cloud Networking Engineer Red Hat

Thanks for the quick reply. That looks very cool :)

Just to understand better because the instructions are not clear on that.

Suppose I install the package and add
    engine-config -s UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$' --cver=3.3
what will be the default action for my VMs? Filter or not filter?
So I have to alter EnableMACAntiSpoofingFilterRules as well?

I mean do I have to explicitly define macspoof=true on all the VMs except the VMs I don't need filtering
or the opposite -> filter by default and set macspoof=false in the VM I don't need filtering?

I guess the same applies for VNIC.

What about conflicting values between VM and VNIC. Which has precedence over the other?

Thanks
G

> what will be the default action for my VMs? Filter or not filter?
> So I have to alter EnableMACAntiSpoofingFilterRules as well?

The default is to filter. You'll have to add a VM or VNIC custom property and set the value to False whenever you want to disable the filtering.

> What about conflicting values between VM and VNIC. Which has precedence over the other?

You would think that anything VNIC specific would take precedence, but with how the code is implemented at this time, before_device_create is called for all devices, and before_vm_create is called after that. That means that whatever is defined at the VM level will take precedence.

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Kapetanakis Giannis" <bilias@edu.physics.uoc.gr>
To: "users@oVirt.org" <users@ovirt.org>
Sent: Wednesday, December 25, 2013 5:44:47 PM
Subject: Re: [Users] disable EnableMACAntiSpoofingFilterRules per VM
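
An added example, not part of the thread and not vdsm code: since the VM and VNIC properties interact, this Python check reads a VM's libvirt domain XML and reports which vNICs still carry the MAC anti-spoofing filter, so the effective state can be confirmed on the host. The filter name `vdsm-no-mac-spoofing`, the function names and the sample XML are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: name of the libvirt nwfilter that VDSM attaches for MAC anti-spoofing.
ANTI_SPOOF_FILTER = "vdsm-no-mac-spoofing"

# Constructed sample of libvirt domain XML, trimmed to the relevant elements.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>carp-fw1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:02'/>
      <source bridge='lan'/>
    </interface>
  </devices>
</domain>
"""

def audit_mac_filtering(domain_xml, filter_name=ANTI_SPOOF_FILTER):
    """Return (vm_name, [(mac, bridge, filtered), ...]) for every vNIC."""
    root = ET.fromstring(domain_xml)
    vm_name = root.findtext("name", default="?")
    report = []
    for iface in root.iterfind("./devices/interface"):
        mac = iface.find("mac")
        source = iface.find("source")
        # An interface may reference a filter other than the anti-spoofing one.
        filters = {f.get("filter") for f in iface.iterfind("filterref")}
        report.append((
            mac.get("address") if mac is not None else "?",
            source.get("bridge") if source is not None else "?",
            filter_name in filters,
        ))
    return vm_name, report

def unfiltered_macs(domain_xml):
    """MAC addresses of vNICs that no longer have the anti-spoofing filter."""
    _, report = audit_mac_filtering(domain_xml)
    return [mac for mac, _, filtered in report if not filtered]

if __name__ == "__main__":
    name, rows = audit_mac_filtering(SAMPLE_DOMAIN_XML)
    for mac, bridge, filtered in rows:
        print(f"{name} {mac} on {bridge}: {'filtered' if filtered else 'NOT filtered'}")
```

On a host, the input would be the output of `virsh -r dumpxml <vm>` for the running VM.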

On 26/12/13 11:06, Assaf Muller wrote:
>> what will be the default action for my VMs? Filter or not filter?
>> So I have to alter EnableMACAntiSpoofingFilterRules as well?
> The default is to filter. You'll have to add a VM or VNIC custom property and set the value to False whenever you want to disable the filtering.
>> What about conflicting values between VM and VNIC. Which has precedence over the other?
> You would think that anything VNIC specific would take precedence, but with how the code is implemented at this time, before_device_create is called for all devices, and before_vm_create is called after that. That means that whatever is defined at the VM level will take precedence.

ok, this worked like a charm but I did some changes.
Maybe you want to update the README on https://github.com/oVirt/vdsm/blob/master/vdsm_hooks/macspoof/README

    engine-config -s UserDefinedVMProperties='previousProperties;macspoof=^(true|false)$' --cver=3.3
failed with an error:
    Cannot set value previousProperties;macspoof=^(true|false)$ to key UserDefinedVMProperties.
    Invalid syntax, user defined VM properties specification should conform to
    (([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?

I changed that to
    engine-config -s "UserDefinedVMProperties=macspoof=(true|false)"
like it is defined in http://www.ovirt.org/Engine_config_examples
which was inserted with no error.

CustomDeviceProperties also inserted like
    engine-config -s CustomDeviceProperties='{type=interface;prop={ifacemacspoof=(true|false)}}'
so both options could be available.

VM option indeed takes precedence over VNIC option.

You should also take notice that setting macspoof=false or ifacemacspoof=false does the opposite of at least what I expected. It filters.
I had to apply with either macspoof=true or ifacemacspoof=true to disable filtering.
The README also has that the other way.

Either the README has to be changed or the options could be renamed to something like disable_macspoof_filter and disable_ifacemacspoof_filter

best regards and thanks for all the replies,
G
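
An added example, not part of the thread and not oVirt code: a Python check of candidate UserDefinedVMProperties values against the pattern quoted in the error message above, which shows which entry of the rejected value fails to conform. It tests only that quoted pattern (the engine may apply further checks); the helper names and the `sap_agent` entry are constructed for the example, and treating `previousProperties` as a stand-in for an already configured value is an assumption.

```python
import re

# Pattern quoted verbatim from the engine-config error message in this thread.
SPEC_RE = re.compile(
    r"(([a-z_A-Z0-9])+)=(([^;])+)(;(([a-z_A-Z0-9])+)=(([^;])+))*;?"
)

def is_valid_spec(spec):
    """True if the whole value conforms to the quoted specification pattern."""
    return SPEC_RE.fullmatch(spec) is not None

def first_bad_entry(spec):
    """Return the first ';'-separated entry that is not name=regex, else None."""
    for entry in spec.rstrip(";").split(";"):
        name, sep, value = entry.partition("=")
        if not (sep and value and re.fullmatch(r"[a-z_A-Z0-9]+", name)):
            return entry
    return None

def add_property(existing, name, value_regex):
    """Append name=value_regex to an existing value, replacing an older entry
    with the same name, and refuse to return a value the pattern rejects."""
    kept = [e for e in existing.split(";")
            if e and e.partition("=")[0] != name]
    merged = ";".join(kept + [f"{name}={value_regex}"])
    if not is_valid_spec(merged):
        raise ValueError(f"invalid entry: {first_bad_entry(merged)!r}")
    return merged

README_LITERAL = "previousProperties;macspoof=^(true|false)$"  # rejected value from the thread
WORKING = "macspoof=(true|false)"                              # accepted value from the thread
EXISTING = "sap_agent=^(true|false)$"                          # constructed existing value

if __name__ == "__main__":
    print(is_valid_spec(README_LITERAL), first_bad_entry(README_LITERAL))
    print(is_valid_spec(WORKING))
    print(add_property(EXISTING, "macspoof", "^(true|false)$"))
```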

Thank you for your feedback. I sent a patch to fix all mentioned issues:
http://gerrit.ovirt.org/#/c/22760/

It will be available for oVirt 3.4.

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Kapetanakis Giannis" <bilias@edu.physics.uoc.gr>
To: "users@oVirt.org" <users@ovirt.org>
Cc: "Assaf Muller" <amuller@redhat.com>, danken@redhat.com
Sent: Thursday, December 26, 2013 3:23:07 PM
Subject: Re: [Users] disable EnableMACAntiSpoofingFilterRules per VM

----- Original Message -----
From: "Kapetanakis Giannis" <bilias@edu.physics.uoc.gr>
To: "users@oVirt.org" <users@ovirt.org>
Sent: Wednesday, December 25, 2013 1:19:23 PM
Subject: [Users] disable EnableMACAntiSpoofingFilterRules per VM

> Hi,
> Trying to move a VM with CARP/VRRP on oVirt 3.3.2 I got bitten by this.
> http://www.ovirt.org/Features/Design/Network/NetworkFiltering
> http://lists.ovirt.org/pipermail/users/2013-October/017217.html
> Is there a way to disable mac filtering only for a specific VM and not for the entire cluster?

The EnableMACAntiSpoofingFilterRules config value is defined on cluster level, therefore there isn't a way from engine side to disable it for a specific vm/nic.
Perhaps using the "custom properties" and a vdsm hook which omits the filter rule from the vm configuration it will be achievable.
Adding Dan to see if it is feasible or if there is a better alternative.

> I've tried giving MAC addresses in the form of 00-00-5E-00-01-XX but it didn't work.
> Best regards,
> G

participants (3)
- Assaf Muller
- Kapetanakis Giannis
- Moti Asayag