<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta content="text/html; charset=utf-8">
</head>
<body>
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:#954F72;
text-decoration:underline}
.MsoChpDefault
{}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.WordSection1
{}
-->
</style>
<div class="WordSection1">
<p class="MsoNormal">Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears
the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Something like this: <a href="http://i.imgur.com/9BUZRCN.jpg">
http://i.imgur.com/9BUZRCN.jpg</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So essentially, traffic would be blocked on that VM for any other IP space other than the IP’s entered into the text fields, which then edit/work with the netfilter rules. The idea would be to click “click to add more” would add another
text field. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:12.0pt; font-family:"Times New Roman",serif"> </span></p>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none; padding:0in"><b>From: </b><a href="mailto:ehaas@redhat.com">Edward Haas</a><br>
<b>Sent: </b>Thursday, August 4, 2016 3:47 AM<br>
<b>To: </b><a href="mailto:sghosh@redhat.com">Subhendu Ghosh</a><br>
<b>Cc: </b><a href="mailto:jax2568@outlook.com">Bill Bill</a>; <a href="mailto:users@ovirt.org">
users</a><br>
<b>Subject: </b>Re: [ovirt-users] IP Address Stealing</p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt; font-family:"Times New Roman",serif"> </span></p>
</div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <span dir="ltr">
<<a href="mailto:sghosh@redhat.com" target="_blank">sghosh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(31,73,125)">
<div>Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations </div>
<div><br>
</div>
<div>Look at the anti-spoofing rules on <a href="http://ebtables.netfilter.org" target="_blank">
ebtables.netfilter.org</a></div>
<div><br>
</div>
<div>It doesn't prevent the user adding it in the vm, but the infrastructure blocks it's usage.</div>
<div><br>
</div>
</div>
<div>
<div style="clear:both">
<hr style="border:medium none; min-height:1px; color:rgb(225,225,225); background-color:rgb(225,225,225)">
<div style="border:medium none; padding:3pt 0cm 0cm"><span style="font-size:11pt; font-family:Calibri,Arial,Helvetica,sans-serif"><b>From:</b> Bill Bill <<a href="mailto:jax2568@outlook.com" target="_blank">jax2568@outlook.com</a>><br>
<b>Sent:</b> Aug 3, 2016 22:40<br>
<b>To:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
<b>Subject:</b> [ovirt-users] IP Address Stealing<br>
</span></div>
</div>
<span class=""><br type="attribution">
<div>
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">It is possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IP’s from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so
forth.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Subnetting is not ideal in this situation because it’s a huge waste of IP space.</p>
</div>
</div>
</span></div>
</blockquote>
<div><br>
</div>
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).<br>
</div>
<div class="gmail_quote">You can check the clean-traffic filter which uses multiple other more specific filters.<br>
Ref: <a href="https://libvirt.org/formatnwfilter.html">https://libvirt.org/formatnwfilter.html</a><br>
</div>
<div class="gmail_quote">
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Edy.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div><span class="">
<div>
<div>
<p class="MsoNormal"><span style="font-size:12pt; font-family:"Times New Roman",serif"><u></u> <u></u></span></p>
</div>
</div>
</span></div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</body>
</html>