Here's a workaround:

define one logical network per VM
assign IPs to these networks from a central instance
assign one broadcast domain per logical network.

So in other words: do correct subnetting.
If you've got a router that can't get spoofed you should be fine.

HTH

On 25.06.2014 04:16, Punit Dambiwal wrote:
> Hi Dan,
>
> I tried the following way:
>
> 1. I placed your script in the following locations:
>    /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
>    /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
>
> 2. Then run this command on the ovirt-engine server (engine-config -s
>    "UserDefinedVMProperties=noipspoof=^[0-9.]*$")
> 3. After that stop the VM and set a custom property named "noipspoof" with
>    IP 10.10.10.6.
> 4. Run the VM and log in via ssh, configure another ethernet with eth0:0 with
>    the IP address 10.10.10.9
> 5. From another VM with IP 10.10.10.5 I am able to ping 10.10.10.9....
>
> One strange thing is that in the VM XML the filter is still "vdsm-no-mac-spoofing"
> instead of "noipspoof"
>
> ----------------
>     <interface type='bridge'>
>       <mac address='00:1a:4a:81:80:09'/>
>       <source bridge='private'/>
>       <target dev='vnet0'/>
>       <model type='virtio'/>
>       <filterref filter='vdsm-no-mac-spoofing'/>
>       <link state='up'/>
>       <alias name='net0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
> ----------------
>
> Please let me know if I am wrong here....
>
> On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <[email protected]> wrote:
>
>> On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
>>> Hi Dan,
>>>
>>> Thanks for the updates...but still the user can spoof another IP
>>> address by manually editing the ifcfg-eth0:0 file....
>>>
>>> Like if I assign the 10.0.0.5 IP address to one VM through cloud-init...once
>>> the VM boots up the user can log in to the VM and create another virtual ethernet
>>> device and add another IP address 10.0.0.6 to this VM....
>>>
>>> In any case, I want that the user cannot spoof the IP address....either they can
>>> edit but the new IP address cannot boot up (should not be active)...
>>>
>>> Thanks,
>>> Punit
>>
>> Have you placed my script properly? Could you share your domxml as
>> visible to libvirt?
>>
>>   virsh -r dumpxml <name-of-your-vm>
>>
>> And as alluded by Sven - could you try to use the spoofed IP address?
>> Configuring is not blocked by the filter, only using it (try pinging
>> outside of the VM).
>>
>> Regards,
>> Dan.
>>
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users
>

--
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen District Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen District Court
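
Added example (not part of the thread, and not Dan's hook script): a check over `virsh -r dumpxml` output for the symptom reported above, an interface that still carries only `vdsm-no-mac-spoofing`. It assumes the hook is meant to attach one of libvirt's built-in IP filters (`clean-traffic` or `no-ip-spoofing`) with an `IP` parameter; the function name, status strings and the second sample interface are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the hook attaches one of these libvirt built-in nwfilters and
# pins the address through an "IP" parameter. Adjust to what your hook sets.
IP_FILTERS = {"clean-traffic", "no-ip-spoofing"}

def audit_interfaces(domxml, expected_ip, ip_filters=IP_FILTERS):
    """Return one finding per <interface> in a libvirt domain XML string."""
    findings = []
    for nic in ET.fromstring(domxml).iter("interface"):
        mac = nic.find("mac")
        ref = nic.find("filterref")
        name = ref.get("filter") if ref is not None else None
        ips = [] if ref is None else [
            p.get("value") for p in ref.findall("parameter")
            if p.get("name") == "IP"]
        if name is None:
            status = "no-filter"
        elif name not in ip_filters:
            status = "not-ip-filter"      # e.g. MAC-only protection
        elif expected_ip not in ips:
            status = "ip-not-pinned"      # IP filter present, expected address absent
        elif ips != [expected_ip]:
            status = "extra-ips-allowed"  # more addresses permitted than expected
        else:
            status = "ok"
        findings.append({"mac": mac.get("address") if mac is not None else None,
                         "filter": name, "ips": ips, "status": status})
    return findings

# Constructed sample: the first NIC mirrors the XML posted in the thread,
# the second is a hypothetical NIC with an IP-pinning filter applied.
SAMPLE = """<domain type='kvm'><devices>
  <interface type='bridge'>
    <mac address='00:1a:4a:81:80:09'/>
    <source bridge='private'/>
    <filterref filter='vdsm-no-mac-spoofing'/>
  </interface>
  <interface type='bridge'>
    <mac address='00:1a:4a:81:80:0a'/>
    <source bridge='private'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.10.10.6'/>
    </filterref>
  </interface>
</devices></domain>"""

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE, "10.10.10.6"):
        print(finding)
```

A `not-ip-filter` result on a NIC that has the custom property set means the hook did not rewrite the device XML for that VM start.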

