802.1q MAC Spoofing blocks Network Aliases #3079

Closed
TinoatTSI opened this issue Mar 14, 2019 · 6 comments

Comments

@TinoatTSI

We are running the latest version 5.8.0 of OpenNebula and Ubuntu 18.04. If you add an alias (Attach NIC) to an existing virtual NIC, the communication is dropped if a MAC other than that of the initial interface is used.
If you e.g. want to run a virtual machine on the VM or something using macvlan, the VM is unable to communicate with the network, since the MAC spoofing protection set up by OpenNebula on the host interface will drop the packets.

```
Chain one-21-0-o (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            MAC ! 03:11:0A:0C:00:04
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
```

Manually removing rule 1 will work, but is more a dirty quick fix that does not last.

Can you please also add additional MACs to the filter?

@rsmontero
Member

Totally! Thanks for the feedback.

As you said, the driver needs to be updated to respond to these filters for the ALIAS. In the meantime you would need to disable MAC spoofing.

@rsmontero
Member

Sorry, I was reading the issue again. We are aware of the IP spoofing (i.e. some of the functionalities of the drivers are bypassed for NIC alias).

However, NIC ALIAS is not attaching a new interface, so it will not add a new MAC filter rule. In your case you need to disable MAC spoofing either way.

@rsmontero
Member

Sorry, on second thought we can add the IP/MAC pair to the MAC spoofing rules. So a NIC ALIAS includes an IP/MAC pair and we can add that to the rules.

So for example, a VM template with:

```
NIC_ALIAS = [ NETWORK = "Public", PARENT = "private_net" ]
```

will result in:

```
NIC_ALIAS =   [ ALIAS_ID = 0, AR_ID=1, BRIDGE=virbr0, IP=1.1.1.1, MAC= 02:00:01:01:01:01...
```

So it may make sense to add that MAC to the rules. Is that your proposal?

@TinoatTSI
Author

Yes, I think that would do it. This also needs to be performed when a NIC is hot-attached.
So in both cases you would need to add the alias IP/MAC pair to the spoofing protection "whitelist".
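
Added example (not OpenNebula's driver code) of the allowlist the thread converges on: it renders the MAC anti-spoofing rules for a NIC plus its alias MAC and simulates them, so the listing's single negated match (which drops the alias) can be compared with a per-MAC RETURN sub-chain (which passes the alias and still drops any other source). The chain name and both MACs come from this thread; the sub-chain name and the `-m mac --mac-source` rule form are assumptions of this example.

```python
"""Added example (not OpenNebula code): render the MAC anti-spoofing rules for
a VM NIC and simulate them, showing why one negated match drops alias MACs."""

CHAIN = "one-21-0-o"             # chain name from the issue's listing
NIC_MAC = "03:11:0A:0C:00:04"    # NIC MAC from the listing
ALIAS_MAC = "02:00:01:01:01:01"  # MAC from the NIC_ALIAS example above

def mac_rules_single(chain, mac):
    """Rule 1 of the listing: anything not sent from `mac` is dropped."""
    return [["iptables", "-A", chain, "-m", "mac", "!", "--mac-source", mac, "-j", "DROP"]]

def mac_rules_allowlist(chain, macs):
    """A negated match cannot express 'not in set', so use a sub-chain:
    RETURN for each permitted MAC (NIC plus aliases), then DROP the rest."""
    sub = f"{chain}-mac"  # sub-chain name is this example's choice
    rules = [["iptables", "-N", sub], ["iptables", "-A", chain, "-j", sub]]
    for mac in macs:
        rules.append(["iptables", "-A", sub, "-m", "mac", "--mac-source", mac, "-j", "RETURN"])
    rules.append(["iptables", "-A", sub, "-j", "DROP"])
    return rules

def verdict(rules, chain, src_mac):
    """Evaluate the MAC stage as iptables would: the first matching rule decides.
    'PASS' means the frame reached the end of `chain`; the state/RETURN/DROP
    rules that follow in the listing are outside this model."""
    for r in rules:
        if r[1] != "-A" or r[2] != chain:
            continue
        if "--mac-source" in r:
            want = r[r.index("--mac-source") + 1]
            if (src_mac.lower() == want.lower()) == ("!" in r):
                continue  # rule does not match this frame
        target = r[r.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        sub = verdict(rules, target, src_mac)  # jump into a user-defined chain
        if sub not in ("RETURN", "PASS"):
            return sub
    return "PASS"

def demo():
    old = mac_rules_single(CHAIN, NIC_MAC)
    new = mac_rules_allowlist(CHAIN, [NIC_MAC, ALIAS_MAC])
    return {
        "old_alias": verdict(old, CHAIN, ALIAS_MAC),            # DROP: the bug
        "new_alias": verdict(new, CHAIN, ALIAS_MAC),            # PASS
        "new_other": verdict(new, CHAIN, "02:00:ff:ff:ff:ff"),  # still DROP
    }
```

The same allowlist rendering applies on hot-attach: re-render the sub-chain with the new alias MAC appended, since the parent chain's jump rule does not change.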

@rsmontero
Member

Perfect, thanks! We'll address this issue as discussed.

@rdiaz-on
Contributor

This issue has been fixed.

rsmontero pushed a commit that referenced this issue May 28, 2024
Switch to OpenNebula fork of the discontinued augeas gem.