Re: [ovirt-users] IP Address Stealing
On Fri, Aug 12, 2016 at 8:17 PM, Bill Bill wrote:

> Cool. It looks like that works. Perhaps it would be good for oVirt to have
> a few text fields in the nic properties to enter IP addresses into which
> can match the rules being used. For example, when enabling the
> clean-traffic filter it appears the VM can only have 1 IP address, even if
> another IP is added legitimately, it still only works with the original IP
> address.
>
> Something like this: http://i.imgur.com/9BUZRCN.jpg
>
> So essentially, traffic would be blocked on that VM for any other IP space
> other than the IPs entered into the text fields, which then edit/work with
> the netfilter rules. The idea would be that clicking “click to add more”
> would add another text field.

That could have been a nice option indeed.
Could you please open an RFE on bugzilla so we can consider and manage this?

Thanks,
Edy.

> From: Edward Haas
> Sent: Thursday, August 4, 2016 3:47 AM
> To: Subhendu Ghosh
> Cc: Bill Bill; users
> Subject: Re: [ovirt-users] IP Address Stealing
>
> On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh wrote:
>
>> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
>> out mac+ip combinations
>>
>> Look at the anti-spoofing rules on ebtables.netfilter.org
>>
>> It doesn't prevent the user adding it in the vm, but the infrastructure
>> blocks its usage.
>>
>> From: Bill Bill
>> Sent: Aug 3, 2016 22:40
>> To: users@ovirt.org
>> Subject: [ovirt-users] IP Address Stealing
>>
>> Hello,
>>
>> Is it possible to prevent a VM from adding an IP? For example, if we
>> provision a VM with one IP, if the user has root access they can simply add
>> random IPs from within the same range as sub interfaces: eth0:0 eth0:1
>> eth0:2 so on and so forth.
>>
>> Subnetting is not ideal in this situation because it’s a huge waste of IP
>> space.
>
> In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the
> vnic profile settings).
> You can check the clean-traffic filter which uses multiple other more
> specific filters.
> Ref: https://libvirt.org/formatnwfilter.html
>
> Thanks,
> Edy.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] IP Address Stealing
Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking “click to add more” would add another text field.

From: Edward Haas <eh...@redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sgh...@redhat.com>
Cc: Bill Bill <jax2...@outlook.com>; users <users@ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing

On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sgh...@redhat.com> wrote:

Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations

Look at the anti-spoofing rules on ebtables.netfilter.org

It doesn't prevent the user adding it in the vm, but the infrastructure blocks its usage.

From: Bill Bill <jax2...@outlook.com>
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing

Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so forth.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).
You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.
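Added example, not code from the thread or from oVirt: the libvirt nwfilter format referenced above lets a filterref element carry the IP parameter more than once, so a vNIC can be limited to a list of addresses. The sketch below builds that element and models the MAC plus source-IP check on constructed sample frames; the function names, MAC and addresses are assumptions, and how the element reaches the VM's interface definition is outside what the thread covers.

```python
# Added example, not code from the thread. Sample MAC/IP values are constructed.
import ipaddress
import xml.etree.ElementTree as ET


def build_filterref(allowed_ips, filter_name="clean-traffic"):
    """Return a libvirt <filterref> element with one IP parameter per address."""
    ref = ET.Element("filterref", {"filter": filter_name})
    seen = []
    for raw in allowed_ips:
        ip = ipaddress.IPv4Address(raw)  # raises ValueError on malformed input
        if ip.is_unspecified or ip.is_multicast:
            raise ValueError(f"not a usable host address: {ip}")
        if ip not in seen:  # drop duplicates, keep the given order
            seen.append(ip)
            ET.SubElement(ref, "parameter", {"name": "IP", "value": str(ip)})
    if not seen:
        raise ValueError("at least one allowed IP is required")
    return ET.tostring(ref, encoding="unicode")


def frame_allowed(vnic_mac, allowed_ips, src_mac, src_ip):
    """Simplified model of the MAC + source-IP check on traffic leaving the VM."""
    if src_mac.lower() != vnic_mac.lower():
        return False  # source MAC is not the vNIC's MAC
    allowed = {ipaddress.IPv4Address(a) for a in allowed_ips}
    return ipaddress.IPv4Address(src_ip) in allowed


def audit(vnic_mac, allowed_ips, frames):
    """Return the (mac, ip) pairs that the model would drop."""
    return [f for f in frames if not frame_allowed(vnic_mac, allowed_ips, *f)]


VNIC_MAC = "52:54:00:aa:bb:cc"           # constructed
ALLOWED = ["192.0.2.10", "192.0.2.11"]   # constructed (TEST-NET-1 range)
FRAMES = [                               # constructed egress samples
    ("52:54:00:aa:bb:cc", "192.0.2.10"),  # provisioned address
    ("52:54:00:aa:bb:cc", "192.0.2.11"),  # second legitimately assigned address
    ("52:54:00:aa:bb:cc", "192.0.2.50"),  # alias such as eth0:1, never assigned
    ("52:54:00:de:ad:01", "192.0.2.10"),  # assigned IP, but a different MAC
]

if __name__ == "__main__":
    print(build_filterref(ALLOWED))
    for mac, ip in audit(VNIC_MAC, ALLOWED, FRAMES):
        print("would drop:", mac, ip)
```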
Re: [ovirt-users] IP Address Stealing
On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh wrote:

> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
> out mac+ip combinations
>
> Look at the anti-spoofing rules on ebtables.netfilter.org
>
> It doesn't prevent the user adding it in the vm, but the infrastructure
> blocks its usage.
>
> From: Bill Bill
> Sent: Aug 3, 2016 22:40
> To: users@ovirt.org
> Subject: [ovirt-users] IP Address Stealing
>
> Hello,
>
> Is it possible to prevent a VM from adding an IP? For example, if we
> provision a VM with one IP, if the user has root access they can simply add
> random IPs from within the same range as sub interfaces: eth0:0 eth0:1
> eth0:2 so on and so forth.
>
> Subnetting is not ideal in this situation because it’s a huge waste of IP
> space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).
You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.
Re: [ovirt-users] IP Address Stealing
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations

Look at the anti-spoofing rules on ebtables.netfilter.org

It doesn't prevent the user adding it in the vm, but the infrastructure blocks its usage.

From: Bill Bill
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing

Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so forth.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.
[ovirt-users] IP Address Stealing
Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so forth.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.