<div dir="ltr"><div><div><div><div><div>Hi Den,<br><br></div>Thanks for the updates...but still the user can spoof the another ip address by manually edit the ifcfg-eth0:0 file....<br><br></div>Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once the VM bootup user can login to VM and create another virtual ethernet device and add another ip address 10.0.0.6 to this VM....<br>
<br></div>I want in anyhow the user can not spoof the ip address....either they can edit but the new ip address can not boot up(should not active)...<br><br></div>Thanks,<br></div>Punit<br><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Jun 24, 2014 at 4:44 PM, Dan Kenigsberg <span dir="ltr"><<a href="mailto:danken@redhat.com" target="_blank">danken@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:<br>
> On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:<br>
> > Hi,<br>
> ><br>
> > I have setup Ovirt with glusterfs...I have some concern about the network<br>
> > part....<br>
> ><br>
> > 1. Is there any way to restrict the Guest VM...so that it can be assign<br>
> > with single ip address...and in anyhow the user can not manipulate the IP<br>
> > address from inside the VM (that means user can not change the ip address<br>
> > inside the VM).<br>
><br>
> I am afraid that oVirt does not let you do that out-of-the-box. By<br>
> default, the vdsm-no-mac-spoofing filter is applied to vNICs, which<br>
> indeed allows IP spoofing.<br>
><br>
> This behavior can be changed by writing a vdsm hook that changes the<br>
> default filterref to<br>
><br>
> <filterref filter='clean-traffic'><br>
> <parameter name='CTRL_IP_LEARNING' value='dhcp'/><br>
> </filterref><br>
><br>
> If your VM is assigned with its address not via dhcp, life is more<br>
> complicated, since the hook needs to have access to this address before<br>
> boot.<br>
><br>
> I would love to assist you in writing such a hook; please take the<br>
> vmfex_dev hook as a reference. To read more about vdsm hooks, please see<br>
> <a href="http://www.ovirt.org/Vdsm_Hooks" target="_blank">http://www.ovirt.org/Vdsm_Hooks</a> .<br>
<br>
</div></div>I've posted a hook like that to <a href="http://gerrit.ovirt.org/#/c/29093/1" target="_blank">http://gerrit.ovirt.org/#/c/29093/1</a><br>
Maybe you can try it out, by placing<br>
<a href="http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py" target="_blank">http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py</a> on<br>
your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,<br>
and setting a custom property named "noipspoof" to a list of valid IP<br>
addresses.<br>
<br>
Please report if it does what it should.<br>
<br>
It would obviously be nicer if we integrate this with cloud-init,<br>
so that each VM would have its list of valid addresses defined once.<br>
Care to open an RFE?<br>
<br>
Regards,<br>
Dan.<br>
</blockquote></div><br></div></div></div></div>