<div dir="ltr"><div><br></div><div>I found an explanation here:<br></div><div><a href="https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html">https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html</a></div><div><br></div><div><pre style="color:rgb(0,0,0)">"If <b>no &lt;ip address&gt; </b>is included, the network filter driver will
activate its '<b>learning mode</b>'. This uses libpcap to snoop on
network traffic the guest sends and attempts to identify the
first IP address it uses. It then locks traffic to this address.
<b>Obviously this isn't entirely secure</b>, but it does offer some
protection against the guest being trojaned once up &amp; running."</pre><pre style="color:rgb(0,0,0)"><br></pre><pre><font color="#000000">According to what he says, it is created with ebtables rules,
as I was doing directly with ebtables.<br></font></pre></div><div class="gmail_extra"><br></div><div class="gmail_extra">but</div><div class="gmail_extra"><br></div><div class="gmail_extra"><pre style="color:rgb(0,0,0)"><span style="font-family:arial,sans-serif">"All active guests </span><b style="font-family:arial,sans-serif">immediately</b><span style="font-family:arial,sans-serif"> have their iptables/ebtables rules</span><br></pre></div><div class="gmail_extra"><pre style="color:rgb(0,0,0)">rebuilt."</pre></div><div class="gmail_extra"><br></div><div class="gmail_extra">I applied the filter and checked on the host, but nothing appears:<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra"><i>[root@host02 ~]# ebtables -L</i></div><div class="gmail_extra"><i>Bridge table: filter</i></div><div class="gmail_extra"><i><br></i></div><div class="gmail_extra"><i>Bridge chain: INPUT, entries: 0, policy: ACCEPT</i></div><div class="gmail_extra"><i><br></i></div><div class="gmail_extra"><i>Bridge chain: FORWARD, entries: 0, policy: ACCEPT</i></div><div class="gmail_extra"><i><br></i></div><div class="gmail_extra"><i>Bridge chain: OUTPUT, entries: 0, policy: ACCEPT</i></div><div class="gmail_extra"><br></div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra"><div class="gmail_extra">This post is old (2010); I do not know if there was any change.</div><div class="gmail_extra"><br></div><div class="gmail_extra">But I'll do some tests and see if it works.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks</div></div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-15 18:17 GMT-03:00 Edward Haas <span dir="ltr"><<a href="mailto:ehaas@redhat.com" target="_blank">ehaas@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="gmail-h5">On Thu, Sep 15, 2016 at 8:49 PM, Marcin Mirecki <span dir="ltr"><<a href="mailto:mmirecki@redhat.com" target="_blank">mmirecki@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Andre,<br>
<br>
The clean-traffic is meant to prevent mac/IP/ARP spoofing.<br>
I am afraid this is the best we can offer out of the box at the moment.<br>
<br>
If you are willing to give some additional effort you can try and look at the OVS based<br>
networking (added recently). You could use the vdsm hooks to create some additional<br>
openflow rules on the ovs-switch that would put some constraints on where the traffic is going.<br>
<br>
One more item which is still in a very early development stage is an OVN-provider (<a href="http://openvswitch.org/support/dist-docs/ovn-architecture.7.html" rel="noreferrer" target="_blank">http://openvswitch.org/suppor<wbr>t/dist-docs/ovn-architecture.<wbr>7.html</a>).<br>
OVN itself is also still not a ripe project, but is actively being developed.<br>
If you are interested I could update you once we have something working.<br>
<span><br>
Thanks,<br>
Marcin<br>
<br>
<br>
----- Original Message -----<br>
> From: "André Gustavo" <<a href="mailto:andre@andregustavo.org" target="_blank">andre@andregustavo.org</a>><br>
</span><span>> To: "Marcin Mirecki" <<a href="mailto:mmirecki@redhat.com" target="_blank">mmirecki@redhat.com</a>><br>
> Cc: <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
</span><div><div>> Sent: Tuesday, September 13, 2016 11:53:30 PM<br>
> Subject: Re: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)<br>
><br>
> I forgot to comment<br>
><br>
> It is a public network (Public IP)<br>
><br>
> I have 2 servers and 1 router<br>
> I hired an "IP block" that can be accessed through the router<br>
><br>
> For example:<br>
><br>
> Network: <a href="http://165.112.12.112/28" rel="noreferrer" target="_blank">165.112.12.112/28</a><br>
> IPs: 165.112.12.113 - 167.114.12.125<br>
> Gateway: 165.112.12.126 (router)<br>
><br>
> I provide to my client a public IP directly in VM<br>
><br>
> I want to prevent a customer from answering for another customer<br>
> or taking another available IP for himself<br>
><br>
> ----<br>
><br>
> Since that my client has access to the "User Portal"<br>
> The "clean-traffic" filter will prevent it from changing the IP when it shuts down<br>
> and restarts the VM?<br></div></div></blockquote></div></div><div>This is a security mechanism provided by libvirt to restrict the VM from communicating<br>with more than one mac, one IP (and some more restrictions).<br></div><div>If I'm not mistaken, the heuristic (when not set manually in the domxml) is to lock on the first<br></div><div>source address it detects.<br><br></div><div><div class="gmail-h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>
><br>
> Thanks,<br>
> André<br>
><br>
> 2016-09-13 5:57 GMT-03:00 Marcin Mirecki <<a href="mailto:mmirecki@redhat.com" target="_blank">mmirecki@redhat.com</a>>:<br>
><br>
> > Hi André,<br>
> ><br>
> > The best separation would be providing a separate network for each<br>
> > customer.<br>
> > This way you could protect them from other malicious users on your<br>
> > internal networks.<br>
> > Please describe your env in some more detail.<br>
> ><br>
> > Thanks,<br>
> > Marcin<br>
> ><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "André Gustavo" <<a href="mailto:andre@andregustavo.org" target="_blank">andre@andregustavo.org</a>><br>
> > > To: <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> > > Sent: Monday, September 12, 2016 8:33:40 PM<br>
> > > Subject: [ovirt-users] Associate IP addresses to MAC addresses<br>
> > (anti-spoofing rules)<br>
> > ><br>
> > > Aloha,<br>
> > ><br>
> > > I'm using oVirt 4 in my hosting.<br>
> > ><br>
> > > However, a customer can easily change the IP to another client (IP<br>
> > spoofing)<br>
> > ><br>
> > > In vNIC profiles, altered Network Filter<br>
> > > from "VDSM-on-mac-spoofing" to "no-ip-spoofing"<br>
> > ><br>
> > > It worked partially, but if the client powers off the 'vm' and turns on the<br>
> > 'vm',<br>
> > > he can perform the change in IP<br>
> > ><br>
> > > I tried to use ebtables, but also had problems<br>
> > > <a href="http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof" rel="noreferrer" target="_blank">http://ebtables.netfilter.org/<wbr>examples/basic.html#ex_anti-sp<wbr>oof</a><br>
> > ><br>
> > ><br>
> > > What is the best option?<br>
> > ><br>
> > ><br>
> > > --<br>
> > > ---<br>
> > > André Gustavo Timermann<br>
> > > Curitiba/PR - Brasil<br>
> > ><br>
> > > ______________________________<wbr>_________________<br>
> > > Users mailing list<br>
> > > <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> > > <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
> > ><br>
> ><br>
><br>
><br>
><br>
> --<br>
> ---<br>
> André Gustavo Timermann<br>
><br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
</div></div></blockquote></div></div></div><br></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>---</div>André Gustavo Timermann</div>
</div></div>
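As an added example (not code from this thread, oVirt or libvirt), the Python below covers the two points raised above: it builds the libvirt interface XML that pins clean-traffic to an explicit IP from the hired /28, so the pcap learning mode described in the quoted post is never used, and it parses an ebtables nat-table listing to see which guest interfaces actually carry libvirt's chains. The bridge name, MAC address and the sample listing are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed from the thread: the hired /28 and its router (gateway).
PUBLIC_NET = ipaddress.ip_network("165.112.12.112/28")
GATEWAY = ipaddress.ip_address("165.112.12.126")


def pinned_interface_xml(bridge, mac, ip, net=PUBLIC_NET, gw=GATEWAY):
    """libvirt <interface> applying clean-traffic with an explicit IP
    parameter, so the filter never falls back to pcap learning mode.
    Refuses anything that is not a host address of the block or is the router."""
    addr = ipaddress.ip_address(ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is not a host address in {net}")
    if addr == gw:
        raise ValueError(f"{addr} is the gateway; refusing to assign it")
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=mac)
    fref = ET.SubElement(iface, "filterref", filter="clean-traffic")
    # $MAC is taken by libvirt from <mac>; $IP has to be supplied here.
    ET.SubElement(fref, "parameter", name="IP", value=str(addr))
    return ET.tostring(iface, encoding="unicode")


CHAIN_RE = re.compile(r"-j libvirt-([IO])-(\S+)")


def filtered_interfaces(ebtables_nat_listing):
    """Interfaces whose inbound (I) and outbound (O) libvirt chains are
    hooked from PREROUTING/POSTROUTING. libvirt installs its ebtables
    rules in the nat table, so a plain `ebtables -L` (filter table) is
    empty even while the filter is active; inspect `ebtables -t nat -L`."""
    seen = {}
    for m in CHAIN_RE.finditer(ebtables_nat_listing):
        seen.setdefault(m.group(2), set()).add(m.group(1))
    return {name for name, dirs in seen.items() if dirs == {"I", "O"}}


# Constructed listing in the shape of `ebtables -t nat -L` on a host with
# one filtered guest interface (vnet0); an unfiltered vnet1 leaves no trace.
SAMPLE_NAT_LISTING = """\
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0
Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0
"""
```

oVirt's vNIC profile only names the filter; getting the IP parameter into the domain XML is left to a VDSM hook, which is an assumption about deployment rather than something the thread states.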