Quoting Maxim Terletskiy (terlets...@emu.ru):
> Hi!
>
> No we're using vlans with simple bridging. I've used ovswitch in
> past and do not remember anything about "ip hijacking" prevention in
> it. How can ovswitch know what ip/mac must be on vm interface? Will
> it be useful if VMs living on different virtualization hosts?

"openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
"ip hijacking". That's done by ONE based on OpenFlow rules. From the docs [1]:

Mac-spoofing

These rules prevent any traffic to come out of the port if the MAC address
has changed.

    in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
    in_port=<PORT>,priority=39000,actions=drop

IP hijacking

These rules prevent any traffic to come out of the port for IPv4 IPs not
configured for a VM

    in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
    in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal

See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.

Using openvswitch gives you exactly what you asked for, without the need
for hacking ebtables/iptables script. In a much cleaner way IMHO.

Gr. Stefan

-- 
| BIT BV  http://www.bit.nl/        Kamer van Koophandel 09090351
| GPG: 0xD14839C6                   +31 318 648 688 / i...@bit.nl
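
Added example, not part of the message above and not OpenNebula's code: a small Python model of how the four per-port flows interact, using the OpenFlow behaviour that the highest-priority matching flow decides the action. The port number, MAC and IP addresses are constructed, and the priority-39000 catch-all is assumed to drop, as the MAC-spoofing description requires.

```python
# Added illustration: evaluate the per-port flows the way an OpenFlow table
# does (highest-priority matching flow wins). All values are constructed.
PORT, MAC, IP = 5, "02:00:c0:a8:00:05", "192.168.0.5"

def vm_flows(port, mac, ip):
    """The four flows quoted in the post as (priority, match, action)."""
    return [
        (46000, {"in_port": port, "arp": True, "dl_src": mac, "nw_src": ip}, "normal"),
        (45000, {"in_port": port, "arp": True, "dl_src": mac}, "drop"),
        (40000, {"in_port": port, "dl_src": mac}, "normal"),
        (39000, {"in_port": port}, "drop"),  # assumption: catch-all drops
    ]

def render(prio, match, action):
    """Format one flow in the field order used in the post."""
    parts = [f"in_port={match['in_port']}"]
    if match.get("arp"):
        parts.append("arp")
    parts += [f"{k}={match[k]}" for k in ("dl_src", "nw_src") if k in match]
    return ",".join(parts + [f"priority={prio}", f"actions={action}"])

def decide(flows, pkt):
    """Return (priority, action) of the highest-priority flow matching pkt."""
    for prio, match, action in sorted(flows, key=lambda f: -f[0]):
        if all(pkt.get(k) == v for k, v in match.items()):
            return prio, action
    return None, "no-match"

# Constructed frames as seen on the VM's switch port; for ARP, nw_src is the
# sender protocol address carried in the ARP payload.
PACKETS = {
    "ipv4 from the VM's MAC": dict(in_port=PORT, arp=False, dl_src=MAC, nw_src=IP),
    "frame with changed MAC": dict(in_port=PORT, arp=False,
                                   dl_src="02:00:de:ad:be:ef", nw_src=IP),
    "arp with VM's MAC and IP": dict(in_port=PORT, arp=True, dl_src=MAC, nw_src=IP),
    "arp claiming another IP": dict(in_port=PORT, arp=True, dl_src=MAC,
                                    nw_src="192.168.0.1"),
}

if __name__ == "__main__":
    flows = vm_flows(PORT, MAC, IP)
    for flow in flows:
        print(render(*flow))
    for name, pkt in PACKETS.items():
        prio, action = decide(flows, pkt)
        print(f"{name:26} -> priority {prio}: {action}")
```

Because the rules are keyed on the switch port of each VM, they are enforced on whichever host the VM's port lives on.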