[ovirt-users] vlan-tagging on non-tagged network
Dan Kenigsberg
danken at redhat.com
Wed Aug 19 08:03:48 UTC 2015
On Tue, Aug 18, 2015 at 12:32:47PM +0200, Felix Pepinghege wrote:
> Sorry for flooding the mailing list, but I have some new insights in why
> these things I described happen. So just in case someone stumbles over it in
> the future, I like to elaborate.
>
> The problem is my specific use-case, that is, the VM being an openVPN
> server. By default, ovirt expects exactly one mac address per VM. As one
> vnet device is created for every VM that implies only one mac address per
> vnet device. The ebtables rules that I ran into enforce that. They prevent
> the VM from spoofing other mac addresses, for obvious security reasons.
> This lead to the filtering of all packages of my VPN clients, as their mac
> addresses differed from the VM's.
>
> That much for the reasons, now some additional words to the solution. Just
> flushing the ebtables table is not a persistent solution, as ovirt creates
> the rules every time a new vnet device is created. This happens on every
> reboot and every migration of the VM. Interesstingly, the filters are
> resistant to turning off the ebtables service with
> '# systemctl stop ebtables'.
> Although the service claims to be inactive, filtering takes place,
> nevertheless.
> I currently fail to find the website that pointed me to it, but the
> persistent solution is to disable the MAC anti spoofing filter. Here's how
> it goes:
> On the engine, do
> # engine-config -s EnableMACAntiSpoofingFilterRules=false
> # systemctl restart ovirt-engine
> After that, the ebtables rules are no longer applied to newly created vnets.
> (Filters for existing vnets are not removed, though)
This disable mac spoofing protection for all VMs; even those which are
less trust-worthy. A finer grained approach is to install
vdsm-hook-macspoof
engine-config -s "UserDefinedVMProperties=macspoof=(true|false);another_property=regexp"
define a vnic profile with macspoof=true, and assign it to your VPN VM.
http://www.ovirt.org/Vdsm_Hooks#Installing_a_hook
More information about the Users
mailing list