[ovirt-users] IP Address Stealing

Bill Bill jax2568 at outlook.com
Fri Aug 12 13:17:20 EDT 2016


Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the NIC properties to enter IP addresses into, which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address; even if another IP is added legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking “click to add more” would add another text field.



From: Edward Haas <ehaas at redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sghosh at redhat.com>
Cc: Bill Bill <jax2568 at outlook.com>; users <users at ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing



On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh at redhat.com> wrote:
Not built into oVirt AFAIK, but an ebtables rule can allow you to filter out MAC+IP combinations.

Look at the anti-spoofing rules on ebtables.netfilter.org (http://ebtables.netfilter.org).

It doesn't prevent the user adding it in the VM, but the infrastructure blocks its usage.

________________________________
From: Bill Bill <jax2568 at outlook.com>
Sent: Aug 3, 2016 22:40
To: users at ovirt.org
Subject: [ovirt-users] IP Address Stealing

Hello,

Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub-interfaces: eth0:0, eth0:1, eth0:2 and so on.

Subnetting is not ideal in this situation because it’s a huge waste of IP space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).
You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.
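For readers following this thread: the "only one IP works" behaviour Bill describes comes from clean-traffic learning the guest's address when no IP value is supplied to the filter. At the libvirt level the address list can be pinned explicitly by passing the IP variable more than once on the filterref; the anti-spoofing rules then match any of the listed values, and learning is not used. The fragment below is an added example written for this page, not code from the thread or from the oVirt project, and it assumes you are editing the domain's libvirt XML directly (the MAC address, bridge name, vnet interface name and the 10.0.0.0/24 addresses are made-up values). Whether a given oVirt release exposes these parameters in the vNIC profile UI is not covered by this thread.

```xml
<!-- Added example, not from the original post. Interface stanza from a
     libvirt domain definition (e.g. as edited with `virsh edit <vm>`).
     Values below are constructed for illustration. -->
<interface type='bridge'>
  <!-- clean-traffic's no-mac-spoofing rules take the MAC from this element -->
  <mac address='52:54:00:12:34:56'/>
  <source bridge='ovirtmgmt'/>
  <target dev='vnet0'/>
  <model type='virtio'/>

  <!-- clean-traffic pulls in no-mac-spoofing, no-ip-spoofing, no-arp-spoofing,
       allow-incoming-ipv4 and friends (see `virsh nwfilter-dumpxml clean-traffic`).
       Supplying IP explicitly, once per address, disables address learning and
       makes the filter accept exactly this set of source IPs from the guest:
       anything the tenant adds as eth0:0, eth0:1 ... that is not listed here
       is dropped at the host, even though it is configured inside the VM. -->
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.0.0.10'/>
    <parameter name='IP' value='10.0.0.11'/>
    <parameter name='IP' value='10.0.0.12'/>
  </filterref>
</interface>
```

A quick way to confirm the filter took effect is to inspect the host-side tables after the VM starts: `ebtables -t nat -L` (and `iptables -L`, since clean-traffic installs both layer-2 and layer-3 rules) should show per-vnet0 chains referencing the listed addresses, and a ping sourced from an unlisted address inside the guest should never leave the bridge. Note that clean-traffic enforces the source address on outbound traffic; it does not stop the guest's administrator from configuring extra addresses, as Subhendu points out above, it only makes them unusable.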






