On 07/17/15 03:17, Yan Xing'an wrote:
> For example, in the use case where the VM is an LVS (Linux Virtual Server),
> to make any client's IP outgoing, we need to configure allowed_address_pairs
> to 0.0.0.0/0, or disable security-group on the port by setting
> "port-security-enable" to false.
> After that, MAC-level rules are needed to protect other VMs.
>
> Does anyone else have other use cases?

It sounds like what you want is anti-spoofing capability for the VM so that it can't pretend to have a link with the MAC address of some other VM (that is hosted on the same system), is that correct?

If so then that sounds like something the VM should provide and it shouldn't need that much configuration. In fact Solaris Zones already have such anti-spoof capabilities and they are automatically enabled when Solaris Zones are deployed in OpenStack. Solaris Zones have both IP, DHCP (CID) and MAC layer nospoof protections that can be enabled.

mac-nospoof:

MAC address anti-spoof. An outbound packet's source MAC address
must match the link's configured MAC address. Non-matching
packets will be dropped. If the link belongs to a zone, turning
mac-nospoof on will prevent the zone's owner from modifying the
link's MAC address.


--
Darren J Moffat

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
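
As an added illustration (not part of the original message, and not Solaris or Neutron code), the Python sketch below models an egress filter in which the IP source check is opened to 0.0.0.0/0, as in the LVS case above, while the MAC source check from the mac-nospoof description is still enforced. The function names, drop labels and all addresses are constructed for the example; VLAN tags and IPv6 are not handled.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def egress_verdict(frame, link_mac, allowed_sources):
    """Return 'pass' or a drop reason for one outbound Ethernet frame."""
    if len(frame) < 14:
        return "drop: runt frame"
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    # MAC layer: the source MAC must equal the link's configured MAC.
    if src_mac != mac_bytes(link_mac):
        return "drop: source MAC mismatch"
    # IP layer: the source address must fall inside an allowed prefix.
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 34:
            return "drop: truncated IPv4 header"
        src_ip = ipaddress.IPv4Address(frame[26:30])
        if not any(src_ip in net for net in allowed_sources):
            return "drop: source IP not allowed"
    return "pass"

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a constructed Ethernet + minimal IPv4 header (no payload)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

# Constructed sample values: the LVS VM's link, a neighbouring VM, a gateway.
LVS_MAC, NEIGHBOUR_MAC, GW_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
STRICT = [ipaddress.ip_network("10.0.0.10/32")]   # only the VM's own address
OPEN = [ipaddress.ip_network("0.0.0.0/0")]        # allowed_address_pairs = 0.0.0.0/0

# The LVS VM forwards a reply carrying a client's source IP.
FORWARDED = build_frame(GW_MAC, LVS_MAC, "198.51.100.7", "203.0.113.5")
# Same packet, but claiming the neighbouring VM's MAC as its source.
SPOOFED = build_frame(GW_MAC, NEIGHBOUR_MAC, "198.51.100.7", "203.0.113.5")

if __name__ == "__main__":
    print("strict IP filter :", egress_verdict(FORWARDED, LVS_MAC, STRICT))
    print("0.0.0.0/0 allowed:", egress_verdict(FORWARDED, LVS_MAC, OPEN))
    print("spoofed src MAC  :", egress_verdict(SPOOFED, LVS_MAC, OPEN))
```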