I found an explanation here: https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html

"If *no <ip address>* is included, the network filter driver will activate its '*learning mode*'. This uses libpcap to snoop on network traffic the guest sends and attempts to identify the first IP address it uses. It then locks traffic to this address. *Obviously this isn't entirely secure*, but it does offer some protection against the guest being trojaned once up & running."

According to what he says, it is created with ebtables rules, as I was doing directly with ebtables, but "All active guests *immediately* have their iptables/ebtables rules rebuilt."

I applied the filter and checked on the host, but nothing appears:

[root@host02 ~]# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

This post is old (2010), I do not know if there was any change. But I'll do some tests and see if it works.

Thanks

2016-09-15 18:17 GMT-03:00 Edward Haas <[email protected]>:

> On Thu, Sep 15, 2016 at 8:49 PM, Marcin Mirecki <[email protected]> wrote:
>
>> Andre,
>>
>> The clean-traffic is meant to prevent MAC/IP/ARP spoofing.
>> I am afraid this is the best we can offer out of the box at the moment.
>>
>> If you are willing to give some additional effort you can try and look at the OVS based
>> networking (added recently). You could use the vdsm hooks to create some additional
>> openflow rules on the ovs-switch that would put some constraints on where the traffic is going.
>>
>> One more item which is still in a very early development stage is an
>> OVN-provider (http://openvswitch.org/support/dist-docs/ovn-architecture.7.html).
>> OVN itself is also still not a ripe project, but is actively being developed.
>> If you are interested I could update you once we have something working.
>>
>> Thanks,
>> Marcin
>>
>> ----- Original Message -----
>> > From: "André Gustavo" <[email protected]>
>> > To: "Marcin Mirecki" <[email protected]>
>> > Cc: [email protected]
>> > Sent: Tuesday, September 13, 2016 11:53:30 PM
>> > Subject: Re: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)
>> >
>> > I forgot to comment
>> >
>> > It is a public network (Public IP)
>> >
>> > I have 2 servers and 1 router
>> > I hired an "IP block" that can be accessed through the router
>> >
>> > For example:
>> >
>> > Network: 165.112.12.112/28
>> > IPs: 165.112.12.113 - 167.114.12.125
>> > Gateway: 165.112.12.126 (router)
>> >
>> > I provide to my client a public IP directly in the VM
>> >
>> > I want to prevent a customer from responding as another customer,
>> > or taking another available IP for himself
>> >
>> > ----
>> >
>> > Since my client has access to the "User Portal":
>> > Will the "clean-traffic" filter prevent him from changing the IP when he shuts down
>> > and restarts the VM?
>
> This is a security mechanism provided by libvirt to restrict the VM from communicating
> with more than one MAC, one IP (and some more restrictions).
> If I'm not mistaken, the heuristic (when not set manually in the domxml) is to lock on the first
> source address it detects.
>
>> > Thanks,
>> > André
>> >
>> > 2016-09-13 5:57 GMT-03:00 Marcin Mirecki <[email protected]>:
>> >
>> > > Hi André,
>> > >
>> > > The best separation would be providing a separate network for each customer.
>> > > This way you could protect them from other malicious users on your internal networks.
>> > > Please describe your env in some more detail.
>> > >
>> > > Thanks,
>> > > Marcin
>> > >
>> > > ----- Original Message -----
>> > > > From: "André Gustavo" <[email protected]>
>> > > > To: [email protected]
>> > > > Sent: Monday, September 12, 2016 8:33:40 PM
>> > > > Subject: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)
>> > > >
>> > > > Aloha,
>> > > >
>> > > > I'm using oVirt 4 in my hosting.
>> > > >
>> > > > However, a customer can easily change the IP to another client's (IP spoofing)
>> > > >
>> > > > In vNIC profiles, I altered the Network Filter
>> > > > from "vdsm-no-mac-spoofing" to "no-ip-spoofing"
>> > > >
>> > > > It worked partially, but if the client powers off the VM and turns the VM on again,
>> > > > he can perform the change in IP
>> > > >
>> > > > I tried to use ebtables, but also had problems
>> > > > http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof
>> > > >
>> > > > What is the best option?
>> > > >
>> > > > --
>> > > > ---
>> > > > André Gustavo Timermann
>> > > > Curitiba/PR - Brasil
>> > > >
>> > > > _______________________________________________
>> > > > Users mailing list
>> > > > [email protected]
>> > > > http://lists.ovirt.org/mailman/listinfo/users
>> >
>> > --
>> > ---
>> > André Gustavo Timermann

--
---
André Gustavo Timermann
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
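Added example, not code from this thread or from oVirt/vdsm: the learning-mode fallback Edward describes only happens when the vNIC carries no IP. libvirt's clean-traffic filter takes an IP parameter in the domain XML (`<filterref filter='clean-traffic'><parameter name='IP' value='...'/></filterref>`), and a vNIC that carries it is locked to that address from the first packet, whether or not the customer reboots the VM. The script below applies that to every vNIC of a domain from a MAC-to-IP map, refuses to start a VM whose vNIC has no assigned address (so it can never fall back to learning), and checks that the assigned address lies inside the hosted /28 (it would catch the 167.114.x.x slip in the range quoted above). It is shaped like the body of a vdsm before_vm_start hook, the kind Marcin mentions; the hooking glue, the MAC map, the block and the sample domain XML are all constructed assumptions, and the thread does not show whether the oVirt 4.0 vNIC profile can set the parameter without a hook.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed example data: the provider's public block and the single
# address each customer vNIC (keyed by MAC) is entitled to use. In a real
# hook this would be looked up from the provider's IPAM, not hard-coded.
PUBLIC_BLOCK = ipaddress.ip_network("165.112.12.112/28")
ALLOWED_IP_BY_MAC = {
    "00:1a:4a:16:01:51": "165.112.12.113",
    "00:1a:4a:16:01:52": "165.112.12.114",
}

# Constructed domain XML, shaped like what a vdsm before_vm_start hook sees:
# one vNIC still carrying oVirt's default vdsm-no-mac-spoofing filter, one
# with no filter at all (and a MAC that is not in the map).
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>customer-a</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1A:4A:16:01:99'/>
      <source bridge='ovirtmgmt'/>
    </interface>
  </devices>
</domain>
"""


def pin_interface(iface, ip):
    """Replace any existing <filterref> on this vNIC with clean-traffic plus
    an explicit IP parameter, so libvirt never enters learning mode for it."""
    for old in iface.findall("filterref"):
        iface.remove(old)
    ref = ET.SubElement(iface, "filterref", {"filter": "clean-traffic"})
    ET.SubElement(ref, "parameter", {"name": "IP", "value": ip})
    return ref


def pin_domain(domxml, allowed=ALLOWED_IP_BY_MAC, block=PUBLIC_BLOCK,
               refuse_unknown=True):
    """Return (new_domxml, list_of_pinned_macs).

    A vNIC whose MAC has no allowed IP is refused by default: letting it
    fall back to learning mode would reopen the hole the thread describes.
    An allowed IP outside the provider's block is always refused, because
    that is an IPAM mistake on the provider's side."""
    root = ET.fromstring(domxml)
    pinned = []
    for iface in root.iter("interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address").lower() if mac_el is not None else None
        ip = allowed.get(mac)
        if ip is None:
            if refuse_unknown:
                raise ValueError("no allowed IP for MAC %s; refusing to start" % mac)
            continue
        if ipaddress.ip_address(ip) not in block:
            raise ValueError("%s for MAC %s is outside %s" % (ip, mac, block))
        pin_interface(iface, ip)
        pinned.append(mac)
    return ET.tostring(root, encoding="unicode"), pinned


def pinned_ips(domxml):
    """Inspect a domain XML: MAC -> IP value of its clean-traffic filterref,
    only for vNICs that actually carry such a filterref."""
    result = {}
    for iface in ET.fromstring(domxml).iter("interface"):
        mac_el = iface.find("mac")
        ref = iface.find("filterref")
        if mac_el is None or ref is None or ref.get("filter") != "clean-traffic":
            continue
        for param in ref.findall("parameter"):
            if param.get("name") == "IP":
                result[mac_el.get("address").lower()] = param.get("value")
    return result


if __name__ == "__main__":
    # In a real vdsm hook the XML comes from hooking.read_domxml() and goes
    # back via hooking.write_domxml(); here it just runs on the sample, with
    # the unknown vNIC skipped instead of refused so the output is visible.
    new_xml, macs = pin_domain(SAMPLE_DOMXML, refuse_unknown=False)
    print("pinned:", macs)
    print(new_xml)
```

After the VM starts, check on the host with `ebtables -t nat -L` rather than `ebtables -L`: libvirt's nwfilter driver installs its ebtables rules as per-interface chains (libvirt-I-vnetN and libvirt-O-vnetN) in the nat table, which is why the filter-table listing in the message above is empty even with a filter applied. `virsh nwfilter-dumpxml clean-traffic` shows where the $IP variable is used.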

