<div dir="ltr">Hi Dan,<div><br></div><div>I tried it the following way:</div><div><br></div><div>1. I placed your script in the following locations: /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof and /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof</div>
<div><br></div><div>2. Then I ran this command on the ovirt-engine server (engine-config -s "UserDefinedVMProperties=noipspoof=^[0-9.]*$")</div><div>3. After that I stopped the VM and set<span style="font-family:arial,sans-serif;font-size:13px"> a custom property named "noipspoof" with IP 10.10.10.6.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">4. Ran the VM and logged in via ssh, then configured another ethernet, eth0:0, with the IP address 10.10.10.9</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">5. From another VM with IP 10.10.10.5 I am able to ping 10.10.10.9....</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><font face="arial, sans-serif">One strange thing is that in the VM XML the filter is still "v</font><span style="font-family:arial,sans-serif">dsm-no-mac-spoofing</span><span style="font-family:arial,sans-serif">" instead of "noipspoof"</span></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">----------------</font></div><div><font face="arial, sans-serif"><div> &lt;interface type='bridge'&gt;</div><div> &lt;mac address='00:1a:4a:81:80:09'/&gt;</div>
<div> &lt;source bridge='private'/&gt;</div><div> &lt;target dev='vnet0'/&gt;</div><div> &lt;model type='virtio'/&gt;</div><div> &lt;filterref filter='vdsm-no-mac-spoofing'/&gt;</div>
<div> &lt;link state='up'/&gt;</div><div> &lt;alias name='net0'/&gt;</div><div> &lt;address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/&gt;</div>
<div>----------------</div><div><br></div><div>Please let me know if I am wrong here....</div></font></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <span dir="ltr">&lt;<a href="mailto:danken@redhat.com" target="_blank">danken@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:<br>
> Hi Dan,<br>
><br>
> Thanks for the updates...but the user can still spoof another IP<br>
> address by manually editing the ifcfg-eth0:0 file....<br>
><br>
> Like if I assign the 10.0.0.5 IP address to one VM through cloud-init...once<br>
> the VM boots up, the user can log in to the VM and create another virtual ethernet<br>
> device and add another IP address 10.0.0.6 to this VM....<br>
><br>
> I want that the user cannot spoof the IP address in any way....either they can<br>
> edit, but the new IP address cannot boot up (should not be active)...<br>
><br>
> Thanks,<br>
> Punit<br>
<br>
</div>Have you placed my script properly? Could you share your domxml as<br>
visible to libvirt?<br>
<br>
virsh -r dumpxml &lt;name-of-your-vm&gt;<br>
<br>
And as alluded by Sven - could you try to use the spoofed IP address?<br>
Configuring is not blocked by the filter, only using it (try pinging<br>
outside of the VM).<br>
<br>
Regards,<br>
Dan.<br>
</blockquote></div><br></div>
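<div>Added example (not part of the original thread and not the hook script discussed in it): a check over <code>virsh -r dumpxml</code> output that reports, per vNIC, which nwfilter is attached and whether it pins an IP address. The function name, the second sample interface with its MAC address, and the use of libvirt's built-in clean-traffic filter with an IP parameter are assumptions for illustration.</div>

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first <interface> is the excerpt from the message, wrapped
# in <domain><devices>; the second (MAC and filter choice are assumptions) carries
# libvirt's built-in clean-traffic filter with an IP parameter.
SAMPLE_DOMXML = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:81:80:09'/>
      <source bridge='private'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
      <link state='up'/>
      <alias name='net0'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:00:00:01'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.10.10.6'/>
      </filterref>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domxml, expected_ip):
    """Return one (mac, filter, pinned_ips, verdict) tuple per vNIC."""
    findings = []
    for nic in ET.fromstring(domxml).iterfind("./devices/interface"):
        mac = nic.find("mac").get("address") if nic.find("mac") is not None else None
        ref = nic.find("filterref")
        if ref is None:
            findings.append((mac, None, [], "no filter attached"))
            continue
        # Only <parameter name='IP'> entries pin an address on the filter reference.
        ips = [p.get("value") for p in ref.iterfind("parameter")
               if p.get("name") == "IP"]
        if not ips:
            verdict = "filter has no IP parameter"
        elif ips == [expected_ip]:
            verdict = "pinned to expected IP"
        else:
            verdict = "pinned to unexpected IP(s)"
        findings.append((mac, ref.get("filter"), ips, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_interfaces(SAMPLE_DOMXML, "10.10.10.6"), sep="\n")
```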