Hello Ricardo, That's a very nifty feature to have. The core idea of the networking scripts is that they are easily extensible and features like this are easy to have.
We have created a ticket [1] to provide this feature out of the box with the next OpenNebula release. However you can apply the patch [2] we've already submitted to this file : /var/tmp/one/vnm/Firewall.rb and do "onehost sync" so it gets copied to all your hosts. Take into account that this is an unfinished feature and not yet ready for production. To test it simply add this to your NIC section in the VM template: NO_IP_SPOOFING = "YES" [1] http://dev.opennebula.org/issues/1372 [2] http://dev.opennebula.org/projects/opennebula/repository/revisions/2b940821bd630010318996da1ada98cc26d78a4b/diff/src/vnm_mad/remotes/Firewall.rb?format=diff cheers, Jaime On Sat, Jul 14, 2012 at 10:18 PM, Ricardo Duarte <[email protected]> wrote: > Hi there, > > I want/need to enforce instances to use the IPs allocated by OpenNebula. > I do have them configured on boot, but nothing currently prevents my users > to change them. > This can lead to problems as they can DoS other user instances, or even my > router, proxy or infrastructure services. > I currently use ebtables, but it only prevents mac spoof (by the way, > what's the use case for that?). Iptables, as far as I can see, will only > set rules for Layer 7. > I previously tested CloudStack, and they used iptables to enforce the IP. > Also, as far as I know, libvirt now supports ip antispoof. > I though about adding the iptables rules to ebtables, but then I they > would be overriden by OpenNebula firewall. Also, I'm unsure how it would > behave when machines are live migrated. > My question is if there is a way, out of the box, to prevent spoof. If > not, maybe somebody can give me some guidance on what files or hooks to > change. > > Thanks. > > _______________________________________________ > Users mailing list > [email protected] > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org > > -- Jaime Melis Project Engineer OpenNebula - The Open Source Toolkit for Cloud Computing www.OpenNebula.org | [email protected]
_______________________________________________ Users mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
