Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.
Something like this: http://i.imgur.com/9BUZRCN.jpg So essentially, traffic would be blocked on that VM for any other IP space other than the IP’s entered into the text fields, which then edit/work with the netfilter rules. The idea would be to click “click to add more” would add another text field. From: Edward Haas<mailto:[email protected]> Sent: Thursday, August 4, 2016 3:47 AM To: Subhendu Ghosh<mailto:[email protected]> Cc: Bill Bill<mailto:[email protected]>; users<mailto:[email protected]> Subject: Re: [ovirt-users] IP Address Stealing On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <[email protected]<mailto:[email protected]>> wrote: Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations Look at the anti-spoofing rules on ebtables.netfilter.org<http://ebtables.netfilter.org> It doesn't prevent the user adding it in the vm, but the infrastructure blocks it's usage. ________________________________ From: Bill Bill <[email protected]<mailto:[email protected]>> Sent: Aug 3, 2016 22:40 To: [email protected]<mailto:[email protected]> Subject: [ovirt-users] IP Address Stealing Hello, It is possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IP’s from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so forth. Subnetting is not ideal in this situation because it’s a huge waste of IP space. In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings). You can check the clean-traffic filter which uses multiple other more specific filters. Ref: https://libvirt.org/formatnwfilter.html Thanks, Edy. _______________________________________________ Users mailing list [email protected]<mailto:[email protected]> http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
