VM's Secondary IP address isn't working (solved in general)

Hello, my new research:)
I have tried to use the network with and without setting the IP spoofing and MAC spoofing checkboxes. The result was the same:

Mon Oct 10 08:22:46 2016 [Z0][VMM][I]: post: Executed "sudo ovs-vsctl set Port one-167-0 tag=4043".
Mon Oct 10 08:22:46 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=12,arp,dl_src=02:00:c0:a8:9a:0e,priority=45000,actions=drop".
Mon Oct 10 08:22:46 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=12,arp,dl_src=02:00:c0:a8:9a:0e,nw_src=192.168.154.14,priority=46000,actions=normal".
Mon Oct 10 08:22:46 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=12,dl_src=02:00:c0:a8:9a:0e,priority=40000,actions=normal".
Mon Oct 10 08:22:46 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=12,priority=39000,actions=drop".

I have specially created a new VM after changing the network properties:

Mon Oct 10 08:19:19 2016 [Z0][VMM][I]: post: Executed "sudo ovs-vsctl set Port one-166-0 tag=4043".
Mon Oct 10 08:19:19 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=11,arp,dl_src=02:00:c0:a8:9a:0d,priority=45000,actions=drop".
Mon Oct 10 08:19:19 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=11,arp,dl_src=02:00:c0:a8:9a:0d,nw_src=192.168.154.13,priority=46000,actions=normal".
Mon Oct 10 08:19:19 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=11,dl_src=02:00:c0:a8:9a:0d,priority=40000,actions=normal".
Mon Oct 10 08:19:19 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=11,priority=39000,actions=drop".

So, I thought about a problem with the vnm driver.
I have found:
file: /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb (line 59)

arp_cache_poisoning if CONF[:arp_cache_poisoning] && @nic[:ip]

file: /var/lib/one/remotes/vnm/vnmmad.rb

begin
  # Load the driver settings from the file next to this script
  CONF = YAML.load_file(
    File.join(File.dirname(__FILE__), "OpenNebulaNetwork.conf")
  )
rescue
  # Default configuration values
  CONF = {
    :arp_cache_poisoning => true,
    :vxlan_mc => "239.0.0.0",
    :vxlan_ttl => "16"
  }
end

Thereby, arp_cache_poisoning depends on the default value (true) and on the value in the file ./OpenNebulaNetwork.conf.

And now, file: /var/lib/one/remotes/vnm/OpenNebulaNetwork.conf

:arp_cache_poisoning: true

I have changed this option to false, ran onehost sync --force (mandatory operation!!!), and the secondary IPs have started working.
In the VM's log file:

Mon Oct 10 09:10:39 2016 [Z0][VMM][I]: post: Executed "sudo ovs-vsctl set Port one-166-0 tag=4043".
Mon Oct 10 09:10:39 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=14,dl_src=02:00:c0:a8:9a:0d,priority=40000,actions=normal".
Mon Oct 10 09:10:39 2016 [Z0][VMM][I]: post: Executed "sudo ovs-ofctl add-flow ovsbr0 in_port=14,priority=39000,actions=drop".

So the checkboxes “IP spoofing” and “MAC spoofing” do not matter. You can permit secondary IPs only for all networks!
It’s not useful.
It would be good if the developers fixed the influence of the IP/MAC spoofing checkboxes for each network, because the global setting in OpenNebulaNetwork.conf reduces network security in general.

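Added example, not part of the original post and not OpenNebula code: a small Ruby evaluator for the flow specs in the logs above, showing why ARP from a secondary address is dropped while the filter is on, what the global switch lets through, and how a per-address flow would behave. The secondary address 192.168.154.50, the per-address rule and the simplified exact-match model are assumptions made for illustration.

```ruby
# Minimal evaluator for the ovs-ofctl flow specs shown in the VMM log.
# Only the fields that appear in those flows are modelled (exact match).
Flow = Struct.new(:match, :priority, :action)
MAC = '02:00:c0:a8:9a:0e'

def parse_flow(spec)
  match, priority, action = {}, 32768, nil # 32768 is the OVS default priority
  spec.split(',').each do |tok|
    key, val = tok.split('=', 2)
    case key
    when 'priority' then priority = val.to_i
    when 'actions'  then action = val
    when 'arp'      then match['proto'] = 'arp'
    else match[key] = val
    end
  end
  Flow.new(match, priority, action)
end

# The highest-priority flow whose every match field equals the packet's wins.
def verdict(flows, pkt)
  hit = flows.sort_by { |f| -f.priority }
             .find { |f| f.match.all? { |k, v| pkt[k] == v } }
  hit ? hit.action : 'no-match'
end

def arp_from(ip)
  { 'in_port' => '12', 'proto' => 'arp', 'dl_src' => MAC, 'nw_src' => ip }
end

# Flows copied from the 08:22:46 log (arp_cache_poisoning: true).
FILTERED = [
  "in_port=12,arp,dl_src=#{MAC},priority=45000,actions=drop",
  "in_port=12,arp,dl_src=#{MAC},nw_src=192.168.154.14,priority=46000,actions=normal",
  "in_port=12,dl_src=#{MAC},priority=40000,actions=normal",
  'in_port=12,priority=39000,actions=drop'
].map { |s| parse_flow(s) }
# With the option false only the 40000 and 39000 flows remain (09:10:39 log).
UNFILTERED = FILTERED.select { |f| f.priority <= 40000 }
# Hypothetical per-address rule; the driver shown on the page does not add it.
SECONDARY = '192.168.154.50' # constructed sample address
PER_IP = FILTERED + [parse_flow(
  "in_port=12,arp,dl_src=#{MAC},nw_src=#{SECONDARY},priority=46000,actions=normal")]

puts "filter on, secondary ARP:   #{verdict(FILTERED, arp_from(SECONDARY))}"
puts "filter off, secondary ARP:  #{verdict(UNFILTERED, arp_from(SECONDARY))}"
puts "per-IP rule, secondary ARP: #{verdict(PER_IP, arp_from(SECONDARY))}"
puts "per-IP rule, unlisted ARP:  #{verdict(PER_IP, arp_from('192.168.154.1'))}"
```

With the global switch off, the verdict for ARP no longer depends on the sender address at all, which is the loss of protection the post describes.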