Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
NuxRo commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2088282206

@weizhouapache Good effort. Like @wido says, the problems this would solve are not an issue in SG zones usually, so indeed we should not apply any of this there. Otherwise it'd be a nice "win" for operators of regular Advanced Zones to apply anti-spoofing measures. We already have something somewhat similar for VMWare.

I'd be happy to use all reasonable libvirt nwfilter features, make them options in Network Offering:

- IP anti-spoofing (with or without auto-detect)
- ARP anti-spoofing
- MAC anti-spoofing

Would it even be reasonable to allow the operator to specify more nwfilter? I.e. load whatever xml file from /usr/share/libvirt/nwfilter/ that they want?

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2079052378

[SF] Trillian test result (tid-10030)
Environment: kvm-ubuntu22 (x2), Advanced Networking with Mgmt server u22
Total time taken: 70862 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr8951-t10030-kvm-ubuntu22.zip
Smoke tests completed. 126 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_01_events_resource | `Error` | 338.24 | test_events_resource.py
test_01_events_resource | `Error` | 338.26 | test_events_resource.py
test_list_system_vms_metrics_history | `Failure` | 0.48 | test_metrics_api.py
test_04_deploy_vm_for_other_user_and_test_vm_operations | `Failure` | 102.16 | test_network_permissions.py
ContextSuite context=TestNetworkPermissions>:teardown | `Error` | 1.57 | test_network_permissions.py
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2077107548

[SF] Trillian Build Failed (tid-10024)
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
wido commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2070862069

> > > > My suggestion:
> > > > ```
> > > > * Enable this in Libvirt
> > > >
> > > > * Remove functionality from security_group.py
> > > > ```
> > >
> > > meaning, @wido , this is good but we need to add a removal of some of the " -j DROP/ACCEPT" lines from the script? sounds like some precision surgery. Do you know which ones to drop? cc @weizhouapache .
> >
> > It would, I think if you take a look it starts here:
> > https://github.com/apache/cloudstack/blob/8ff2c018cc5b3fc69bcd8756695d04b384e46ab8/scripts/vm/network/security_group.py#L280
> >
> > * default_ebtables_rules()
> > * destroy_ebtables_rules()
> >
> > Those would no longer be needed
>
> @wido actually I am thinking of disabling this change for vms with security groups
>
> the script `security_group.py` programs iptables/ebtables rules including the mac/ip/arp anti-spoofing, it has been proved to be working well with both ipv4/ipv6 addresses and one/multiple network nics. this PR only contains `no-mac-spoofing` which is not good enough to replace the `security_group.py`. it looks like a precise surgery to remove the ebtables rules, as @DaanHoogland said. we could drop the methods in `security_group.py` if all mac/ip/arp anti-spoofing are supported (see the PR description).
>
> other than that, the upgrade could be an issue as the VMs started in old versions (before upgrade) do not have the configuration in their VM XML definition.

Sounds good. I would only add this to VMs without any SG. That would get my approval.
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
DaanHoogland commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2069129882

> actually I am thinking of disabling this change for vms with security groups

I second that. It will be simpler and will not cripple the security groups implementation much.
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2069055435

> > > My suggestion:
> > > ```
> > > * Enable this in Libvirt
> > >
> > > * Remove functionality from security_group.py
> > > ```
> >
> > meaning, @wido , this is good but we need to add a removal of some of the " -j DROP/ACCEPT" lines from the script? sounds like some precision surgery. Do you know which ones to drop? cc @weizhouapache .
>
> It would, I think if you take a look it starts here:
> https://github.com/apache/cloudstack/blob/8ff2c018cc5b3fc69bcd8756695d04b384e46ab8/scripts/vm/network/security_group.py#L280
>
> * default_ebtables_rules()
> * destroy_ebtables_rules()
>
> Those would no longer be needed

@wido actually I am thinking of disabling this change for vms with security groups

the script `security_group.py` programs iptables/ebtables rules including the mac/ip/arp anti-spoofing, it has been proved to be working well with both ipv4/ipv6 addresses and one/multiple network nics. this PR only contains `no-mac-spoofing` which is not good enough to replace the `security_group.py`. it looks like a precise surgery to remove the ebtables rules, as @DaanHoogland said. we could drop the methods in `security_group.py` if all mac/ip/arp anti-spoofing are supported (see the PR description).

other than that, the upgrade could be an issue as the VMs started in old versions (before upgrade) do not have the configuration in their VM XML definition.
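An added audit helper, not part of this PR or of CloudStack's own code, for two points raised in the thread: the upgrade concern above (VMs defined before the upgrade carry no filterref in their domain XML) and the per-NIC MAC/ARP/IP anti-spoofing options NuxRo lists. It parses a domain definition in the shape `virsh dumpxml` returns and reports which interfaces reference none of libvirt's stock anti-spoofing filters; the domain XML, MAC addresses and bridge names are constructed sample data.

```python
import xml.etree.ElementTree as ET

# libvirt's bundled nwfilters that provide anti-spoofing (the stock
# definitions shipped under /usr/share/libvirt/nwfilter/).
ANTI_SPOOF_FILTERS = {"no-mac-spoofing", "no-arp-spoofing",
                      "no-ip-spoofing", "clean-traffic"}

# Constructed sample in the shape `virsh dumpxml <domain>` returns.
# vnet0 was defined with the filterref this PR adds; vnet1 stands for
# a VM started before the upgrade and carries no filterref at all.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>i-2-10-VM</name>
  <devices>
    <interface type='bridge'>
      <mac address='02:00:5e:01:02:03'/>
      <source bridge='breth0-100'/>
      <target dev='vnet0'/>
      <filterref filter='no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='02:00:5e:0a:0b:0c'/>
      <source bridge='breth0-200'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>
"""

def audit_nic_filters(domain_xml):
    """One record per <interface>: MAC, target dev, referenced nwfilters,
    and whether none of those filters is an anti-spoofing one."""
    report = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        mac = iface.find("mac")
        target = iface.find("target")
        filters = {ref.get("filter") for ref in iface.findall("filterref")}
        report.append({
            "mac": mac.get("address") if mac is not None else None,
            "dev": target.get("dev") if target is not None else None,
            "filters": sorted(filters),
            "unfiltered": not (filters & ANTI_SPOOF_FILTERS),
        })
    return report

def unprotected_nics(domain_xml):
    """Target devs of NICs with no anti-spoofing filterref: on a host
    without security groups these get no anti-spoofing from libvirt."""
    return [n["dev"] for n in audit_nic_filters(domain_xml) if n["unfiltered"]]
```

Running it against every domain on a host after the upgrade lists the NICs that still need a redefinition (or a VM restart) before the new filterref applies.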
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
wido commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2068983414

> > My suggestion:
> > ```
> > * Enable this in Libvirt
> >
> > * Remove functionality from security_group.py
> > ```
>
> meaning, @wido , this is good but we need to add a removal of some of the " -j DROP/ACCEPT" lines from the script? sounds like some precision surgery. Do you know which ones to drop? cc @weizhouapache .

It would, I think if you take a look it starts here:
https://github.com/apache/cloudstack/blob/8ff2c018cc5b3fc69bcd8756695d04b384e46ab8/scripts/vm/network/security_group.py#L280

- default_ebtables_rules()
- destroy_ebtables_rules()

Those would no longer be needed
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
DaanHoogland commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2068917569

> My suggestion:
>
> * Enable this in Libvirt
>
> * Remove functionality from security_group.py

meaning, @wido , this is good but we need to add a removal of some of the " -j DROP/ACCEPT" lines from the script? sounds like some precision surgery. Do you know which ones to drop? cc @weizhouapache .
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067665100

[SF] Trillian test result (tid-9937)
Environment: kvm-rocky8 (x2), Advanced Networking with Mgmt server r8
Total time taken: 52334 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr8951-t9937-kvm-rocky8.zip
Smoke tests completed. 127 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_01_events_resource | `Error` | 314.34 | test_events_resource.py
test_01_events_resource | `Error` | 314.35 | test_events_resource.py
test_04_deploy_vm_for_other_user_and_test_vm_operations | `Failure` | 100.58 | test_network_permissions.py
ContextSuite context=TestNetworkPermissions>:teardown | `Error` | 1.52 | test_network_permissions.py
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067593614

> Hey @weizhouapache, can you provide more context to the issue fixed by this PR? Should we add a no arp spoofing as well?

@BryanMLima Updated the PR description
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
BryanMLima commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067292978

Hey @weizhouapache, can you provide more context to the issue fixed by this PR? Should we add a no arp spoofing as well?
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067167694

@weizhouapache a [SL] Trillian-Jenkins test job (rocky8 mgmt + kvm-rocky8) has been kicked to run smoke tests
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067167093

@blueorangutan test rocky8 kvm-rocky8
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067163760

Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9339
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
blueorangutan commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067066946

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067064795

@blueorangutan package
Re: [PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache commented on PR #8951: URL: https://github.com/apache/cloudstack/pull/8951#issuecomment-2067060156

@NuxRo this is probably what you want to have. I am not sure if there are downsides. @DaanHoogland and me have tested it. mac anti-spoofing works, but ip anti-spoofing does not work.
[PR] KVM: enable no-mac-spoofing on virtual nics [cloudstack]
weizhouapache opened a new pull request, #8951: URL: https://github.com/apache/cloudstack/pull/8951

Refer to
https://libvirt.org/firewall.html#the-network-filter-driver
https://libvirt.org/formatnwfilter.html#concepts

### Description

This PR...

### Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
- [ ] build/CI

### Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

- [ ] Major
- [ ] Minor

Bug Severity

- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [ ] Minor
- [ ] Trivial

### Screenshots (if appropriate):

### How Has This Been Tested?

How did you try to break this feature and the system with this change?