Re: [ovirt-users] Ip spoofing
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
Hi,
I have setup Ovirt with glusterfs...I have some concern about the network
part....
1. Is there any way to restrict the Guest VM...so that it can be assign
with single ip address...and in anyhow the user can not manipulate the IP
address from inside the VM (that means user can not change the ip address
inside the VM).
I am afraid that oVirt does not let you do that out-of-the-box. By
default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
indeed allows IP spoofing.
This behavior can be changed by writing a vdsm hook that changes the
default filterref to
<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>
If your VM is assigned with its address not via dhcp, life is more
complicated, since the hook needs to have access to this address before
boot.
I would love to assist you in writing such a hook; please take the
vmfex_dev hook as a reference. To read more about vdsm hooks, please see
http://www.ovirt.org/Vdsm_Hooks .
Regards,
Dan.