<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <span dir="ltr"><<a href="mailto:sghosh@redhat.com" target="_blank">sghosh@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(31,73,125)"><div>Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations </div><div><br></div><div>Look at the anti-spoofing rules on <a href="http://ebtables.netfilter.org" target="_blank">ebtables.netfilter.org</a></div><div><br></div><div>It doesn't prevent the user adding it in the vm, but the infrastructure blocks it's usage.</div>
<div><br></div>
</div><div><div style="clear:both"><hr style="border:medium none;min-height:1px;color:rgb(225,225,225);background-color:rgb(225,225,225)"><div style="border:medium none;padding:3pt 0cm 0cm"><span style="font-size:11pt;font-family:Calibri,Arial,Helvetica,sans-serif"><b>From:</b> Bill Bill <<a href="mailto:jax2568@outlook.com" target="_blank">jax2568@outlook.com</a>><br><b>Sent:</b> Aug 3, 2016 22:40<br><b>To:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br><b>Subject:</b> [ovirt-users] IP Address Stealing<br></span></div></div><span class=""><br type="attribution"><div>
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">It is possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IP’s from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so
forth.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Subnetting is not ideal in this situation because it’s a huge waste of IP space.</p></div></div></span></div></blockquote><div><br></div>In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).<br></div><div class="gmail_quote">You can check the clean-traffic filter which uses multiple other more specific filters.<br>Ref: <a href="https://libvirt.org/formatnwfilter.html">https://libvirt.org/formatnwfilter.html</a><br></div><div class="gmail_quote"><div><br></div><div>Thanks,<br></div><div>Edy.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><span class=""><div><div>
<p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p>
</div>
</div></span></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div>