Cool. It looks like that works. Perhaps it would be good for oVirt to have a 
few text fields in the NIC properties to enter IP addresses into which can 
match the rules being used. For example, when enabling the clean-traffic filter 
it appears the VM can only have 1 IP address; even if another IP is added 
legitimately, it still only works with the original IP address.

Something like this:

So essentially, traffic would be blocked on that VM for any IP space other 
than the IPs entered into the text fields, which then edit/work with the 
netfilter rules. The idea would be that clicking “click to add more” adds 
another text field.

From: Edward Haas<>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh<>
Cc: Bill Bill<>; users<>
Subject: Re: [ovirt-users] IP Address Stealing

On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh 
<<>> wrote:
Not built into oVirt AFAIK, but an ebtables rule can allow you to filter out 
MAC+IP combinations

Look at the anti-spoofing rules on <>

It doesn't prevent the user adding it in the VM, but the infrastructure blocks 
its usage.

From: Bill Bill <<>>
Sent: Aug 3, 2016 22:40
Subject: [ovirt-users] IP Address Stealing


Is it possible to prevent a VM from adding an IP? For example, if we provision 
a VM with one IP, if the user has root access they can simply add random IPs 
from within the same range as sub-interfaces: eth0:0 eth0:1 eth0:2 so on and so 

Subnetting is not ideal in this situation because it’s a huge waste of IP space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic 
profile settings).
You can check the clean-traffic filter which uses multiple other more specific 
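For reference, this is what the mechanism discussed in the thread looks like at the libvirt level, as an added example that is not from the thread, from oVirt, or from libvirt's own documentation: a libvirt domain <interface> element that references the clean-traffic nwfilter and pins its IP variable to fixed addresses instead of relying on libvirt's IP-address learning (which is what settles on a single address when no IP is given). The bridge name, MAC and addresses are made-up sample values; CTRL_IP_LEARNING is the libvirt filter variable that controls learning, and setting it to none makes the explicit list the only source of allowed addresses.

```xml
<!-- Added example (not from the thread or from oVirt). Fragment of a libvirt
     domain XML; bridge name, MAC address and IP addresses are constructed
     sample values. -->
<interface type='bridge'>
  <source bridge='ovirtmgmt'/>
  <mac address='52:54:00:12:34:56'/>
  <!-- clean-traffic is a stock libvirt filter that pulls in no-mac-spoofing,
       no-ip-spoofing, no-arp-spoofing, allow-dhcp and related filters. -->
  <filterref filter='clean-traffic'>
    <!-- Each IP value becomes an allowed source address for this vNIC's MAC;
         traffic from any other address (e.g. an eth0:1 alias added inside
         the guest) is dropped on the host. -->
    <parameter name='IP' value='192.0.2.10'/>
    <parameter name='IP' value='192.0.2.11'/>
    <!-- Turn off address learning so the filter never picks up a single
         address from the first packet or DHCP and stops there. -->
    <parameter name='CTRL_IP_LEARNING' value='none'/>
  </filterref>
</interface>
```

Adding another address later means adding another IP parameter line (the "click to add more" field suggested above maps to exactly this), and the ebtables chains libvirt generates from it can be inspected on the host with `ebtables -t nat -L`.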


