Am 24.06.2014 11:52, schrieb Punit Dambiwal: > Hi Den, > > Thanks for the updates...but still the user can spoof the another ip > address by manually edit the ifcfg-eth0:0 file.... > > Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once > the VM bootup user can login to VM and create another virtual ethernet > device and add another ip address 10.0.0.6 to this VM.... > > I want in anyhow the user can not spoof the ip address....either they can > edit but the new ip address can not boot up(should not active)... > > Thanks, > Punit >
Imho you can't force the vm to not spin it's inside network interface up with a certain IP. What you _can_ (and should) prevent is to allow packets from this spoofed ip to access your network. this is, what the filter no-ip-spoofing does, see the docs here: http://libvirt.org/formatnwfilter.html#nwfexamples it prevents sending spoofed packages from inside the vm by not allowing them on the virtual integrated libvirt switch on your host (which runs the vm). this might look a little different, depending on your network setup (bonding, bridges, vlans). HTH -- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users