<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 15, 2016 at 8:49 PM, Marcin Mirecki <span dir="ltr"><<a href="mailto:mmirecki@redhat.com" target="_blank">mmirecki@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Andre,<br>
<br>
The clean-traffic filter is meant to prevent MAC/IP/ARP spoofing.<br>
I am afraid this is the best we can offer out of the box at the moment.<br>
<br>
If you are willing to give some additional effort you can try and look at the OVS based<br>
networking (added recently). You could use the vdsm hooks to create some additional<br>
openflow rules on the ovs-switch that would put some constraints on where the traffic is going.<br>
<br>
One more item which is still in a very early development stage is an OVN-provider (<a href="http://openvswitch.org/support/dist-docs/ovn-architecture.7.html" rel="noreferrer" target="_blank">http://openvswitch.org/support/dist-docs/ovn-architecture.7.html</a>).<br>
OVN itself is also still not a mature project, but is actively being developed.<br>
If you are interested I could update you once we have something working.<br>
<span class="im HOEnZb"><br>
Thanks,<br>
Marcin<br>
<br>
<br>
----- Original Message -----<br>
> From: "André Gustavo" <<a href="mailto:andre@andregustavo.org">andre@andregustavo.org</a>><br>
</span><span class="im HOEnZb">> To: "Marcin Mirecki" <<a href="mailto:mmirecki@redhat.com">mmirecki@redhat.com</a>><br>
> Cc: <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
</span><div class="HOEnZb"><div class="h5">> Sent: Tuesday, September 13, 2016 11:53:30 PM<br>
> Subject: Re: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)<br>
><br>
> I forgot to comment<br>
><br>
> It is a public network (Public IP)<br>
><br>
> I have 2 servers and 1 router<br>
> I hired an "IP block" that can be accessed through the router<br>
><br>
> For example:<br>
><br>
> Network: <a href="http://165.112.12.112/28" rel="noreferrer" target="_blank">165.112.12.112/28</a><br>
> IPs: 165.112.12.113 - 167.114.12.125<br>
> Gateway: 165.112.12.126 (router)<br>
><br>
> I provide to my client a public IP directly in VM<br>
><br>
> I want to prevent a customer from responding as another customer<br>
> or taking another available IP for himself<br>
><br>
> ----<br>
><br>
> Since that my client has access to the "User Portal"<br>
> Will the "clean-traffic" filter prevent them from changing the IP when they shut down<br>
> and restart the VM?<br></div></div></blockquote><div>This is a security mechanism provided by libvirt to restrict the VM from communicating<br>with more than one MAC, one IP (and some more restrictions).<br></div><div>If I'm not mistaken, the heuristic (when not set manually in the domxml) is to lock on the first<br></div><div>source address it detects.<br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
><br>
> Thanks,<br>
> André<br>
><br>
> 2016-09-13 5:57 GMT-03:00 Marcin Mirecki <<a href="mailto:mmirecki@redhat.com">mmirecki@redhat.com</a>>:<br>
><br>
> > Hi André,<br>
> ><br>
> > The best separation would be providing a separate network for each<br>
> > customer.<br>
> > This way you could protect them from other malicious users on your<br>
> > internal networks.<br>
> > Please describe your env in some more detail.<br>
> ><br>
> > Thanks,<br>
> > Marcin<br>
> ><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "André Gustavo" <<a href="mailto:andre@andregustavo.org">andre@andregustavo.org</a>><br>
> > > To: <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> > > Sent: Monday, September 12, 2016 8:33:40 PM<br>
> > > Subject: [ovirt-users] Associate IP addresses to MAC addresses<br>
> > (anti-spoofing rules)<br>
> > ><br>
> > > Aloha,<br>
> > ><br>
> > > I'm using oVirt 4 in my hosting.<br>
> > ><br>
> > > However, a customer can easily change the IP to another client's (IP<br>
> > > spoofing)<br>
> > ><br>
> > > In vNIC profiles, I altered the Network Filter<br>
> > > from "vdsm-no-mac-spoofing" to "no-ip-spoofing"<br>
> > ><br>
> > > It worked partially, but if the client powers off the VM and turns the<br>
> > > VM back on,<br>
> > > he can change the IP<br>
> > ><br>
> > > I tried to use ebtables, but also had problems<br>
> > > <a href="http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof" rel="noreferrer" target="_blank">http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof</a><br>
> > ><br>
> > ><br>
> > > What is the best option?<br>
> > ><br>
> > ><br>
> > > --<br>
> > > ---<br>
> > > André Gustavo Timermann<br>
> > > Curitiba/PR - Brasil<br>
> > ><br>
> > > _______________________________________________<br>
> > > Users mailing list<br>
> > > <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> > > <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
> > ><br>
> ><br>
><br>
><br>
><br>
> --<br>
> ---<br>
> André Gustavo Timermann<br>
><br>
</div></div></blockquote></div><br></div></div>
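<p>Added example (not code from the thread, oVirt or libvirt): the reply above notes that clean-traffic, when the IP is not set in the domain XML, locks on the first source address it sees, which is exactly the window a customer exploits by rebooting and claiming a neighbour's address. The usual fix is to pin the filter reference to the one IP the VM was allocated and turn learning off. The script below validates a hypothetical allocation table for the /28 described in the thread (all addresses constructed here; no gateway, duplicate IP or duplicate MAC may slip through) and emits a libvirt <code>&lt;interface&gt;</code> fragment whose <code>clean-traffic</code> reference carries the <code>IP</code> parameter and <code>CTRL_IP_LEARNING=none</code>. The bridge name <code>ovirtmgmt</code> and the MAC prefixes are assumptions; injecting the fragment into a running oVirt setup (for example from a vdsm hook, as Marcin suggests) is outside the example.</p>

```python
import ipaddress
from xml.etree import ElementTree as ET

# Constructed sample data modelled on the block described in the thread
# (not taken from the original post): a /28 whose last usable address is the router.
BLOCK = ipaddress.ip_network("165.112.12.112/28")
GATEWAY = ipaddress.ip_address("165.112.12.126")

# Hypothetical per-VM allocations: VM name -> (vNIC MAC, the single public IP it may use).
ALLOCATIONS = {
    "vm-customer-a": ("56:6f:12:34:00:01", "165.112.12.113"),
    "vm-customer-b": ("56:6f:12:34:00:02", "165.112.12.114"),
}


def validate_allocations(block, gateway, allocations):
    """Return a list of problems with the allocation table (empty list = usable).

    Catches the mistakes that would silently weaken the per-VM filter: an address
    outside the block, the gateway or network/broadcast address handed to a
    customer, or the same IP or MAC pinned on two different VMs.
    """
    problems = []
    usable = set(block.hosts()) - {gateway}   # .113 - .125 for the sample block
    ip_owner, mac_owner = {}, {}
    for vm, (mac, ip_text) in allocations.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in usable:
            problems.append(f"{vm}: {ip} is not a usable customer address in {block}")
        if ip in ip_owner:
            problems.append(f"{vm}: {ip} already assigned to {ip_owner[ip]}")
        ip_owner.setdefault(ip, vm)
        mac = mac.lower()                      # compare MACs case-insensitively
        if mac in mac_owner:
            problems.append(f"{vm}: MAC {mac} already assigned to {mac_owner[mac]}")
        mac_owner.setdefault(mac, vm)
    return problems


def pinned_interface_xml(mac, ip, bridge="ovirtmgmt"):
    """Build a libvirt <interface> element whose clean-traffic reference is pinned.

    Passing the IP parameter and CTRL_IP_LEARNING=none makes libvirt install the
    anti-spoofing rules for exactly this address instead of learning whatever
    source address the guest happens to send first after it boots.
    """
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "source", bridge=bridge)   # bridge name is an assumption
    ET.SubElement(iface, "model", type="virtio")
    fref = ET.SubElement(iface, "filterref", filter="clean-traffic")
    ET.SubElement(fref, "parameter", name="IP", value=ip)
    ET.SubElement(fref, "parameter", name="CTRL_IP_LEARNING", value="none")
    return ET.tostring(iface, encoding="unicode")


def pinned_parameters(xml_text):
    """Parse an <interface> fragment back into (filter name, {parameter: value})."""
    fref = ET.fromstring(xml_text).find("filterref")
    return fref.get("filter"), {p.get("name"): p.get("value") for p in fref.iter("parameter")}


def build_all(block, gateway, allocations):
    """Validate the table and return {vm: interface_xml}; refuse an unsafe table."""
    problems = validate_allocations(block, gateway, allocations)
    if problems:
        raise ValueError("; ".join(problems))
    return {vm: pinned_interface_xml(mac, ip) for vm, (mac, ip) in allocations.items()}


if __name__ == "__main__":
    for vm, xml in build_all(BLOCK, GATEWAY, ALLOCATIONS).items():
        print(f"# {vm}\n{xml}\n")
```

<p>The validation step matters as much as the XML: a pinned filter only protects neighbours if every VM on the segment is pinned and no two tables overlap, so a duplicate IP or an address outside the rented block is treated as a hard error rather than something to emit and fix later.</p>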