On 5/1/2014 1:17 PM, Maxim Terletskiy wrote:
As you wrote, this is exactly what we were looking for. Thank you very much,
Stefan! :)
On 01.05.2014 12:39, Stefan Kooman wrote:
Quoting Maxim Terletskiy (terlets...@emu.ru):
Hi!
No, we're using VLANs with simple bridging. I've used ovswitch in the
past and do not remember anything about "ip hijacking" prevention in
it. How can ovswitch know what IP/MAC must be on a VM interface? Will
it be useful if VMs are living on different virtualization hosts?
"openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
"ip hijacking". That's done by ONE based on OpenFlow rules. From the
docs [1]:
Mac-spoofing
These rules prevent any traffic from coming out of the port if the MAC
address has changed.
in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
in_port=<PORT>,priority=39000,actions=drop
IP hijacking
These rules prevent any traffic from coming out of the port for IPv4 IPs
not configured for a VM.
in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
Using openvswitch gives you exactly what you asked for, without the need
for hacking ebtables/iptables scripts. In a much cleaner way IMHO.
Gr. Stefan
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
I gave in an earlier email how to check via iptables the source MAC address
for an IP ...
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
or you can expand it to
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -s YOUR-IP-ADDRESS-HERE -j ACCEPT
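As an added example (not code from this thread or from OpenNebula's OpenvSwitch.rb), the following Python renders the per-port rules Stefan quoted above and simulates OVS flow-table matching, where the highest-priority matching flow wins, so you can see why the 45000 ARP drop is needed next to the 40000 MAC allow. Port, MAC and IP values are constructed.

```python
# Added example: render ONE's per-port OpenFlow rules and evaluate constructed
# packets against them the way an OVS flow table would (highest priority wins).
# Port, MAC and IP values are made up for the demo.

def one_port_rules(port, mac, ip):
    """Render the MAC-spoofing and IP-hijacking rules for one VM port."""
    return [
        f"in_port={port},dl_src={mac},priority=40000,actions=normal",
        f"in_port={port},priority=39000,actions=drop",  # catch-all for other MACs
        f"in_port={port},arp,dl_src={mac},priority=45000,actions=drop",
        f"in_port={port},arp,dl_src={mac},nw_src={ip},priority=46000,actions=normal",
    ]

def parse_rule(rule):
    """Split 'k=v,flag,...' into (match dict, priority, action)."""
    match, prio, action = {}, 0, None
    for field in rule.split(","):
        key, _, val = field.partition("=")
        if key == "priority":
            prio = int(val)
        elif key == "actions":
            action = val
        else:
            match[key] = val or True  # bare keyword such as 'arp' is a flag
    return match, prio, action

def action_for(rules, pkt):
    """Return the action of the highest-priority rule matching pkt."""
    hits = [(prio, act) for m, prio, act in map(parse_rule, rules)
            if all(pkt.get(k) == v for k, v in m.items())]
    return max(hits)[1] if hits else "drop"  # table miss: treat as drop

def demo():
    """Constructed packets leaving VM port 3; MAC/IP are made-up values."""
    port, mac, ip = "3", "02:00:0a:00:00:05", "10.0.0.5"
    rules = one_port_rules(port, mac, ip)
    def arp(spa):  # ARP from the VM's own MAC claiming sender address spa
        return {"in_port": port, "dl_src": mac, "arp": True, "nw_src": spa}
    return {
        "own_mac": action_for(rules, {"in_port": port, "dl_src": mac}),
        "spoofed_mac": action_for(rules, {"in_port": port, "dl_src": "02:00:0a:00:00:99"}),
        "arp_own_ip": action_for(rules, arp(ip)),
        "arp_wrong_ip": action_for(rules, arp("10.0.0.20")),
        # without the 45000 rule the 40000 allow would let the bogus ARP out
        "arp_wrong_ip_no_45000": action_for(rules[:2] + rules[3:], arp("10.0.0.20")),
    }
```

Note that the quoted rules match ARP only: a non-ARP IPv4 frame with a forged source address sent from the VM's own MAC still takes the 40000 "normal" path, which is the layer-3 gap a source-IP check such as the iptables `-s` match above is meant to cover.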