
Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address; even if another IP is added legitimately, it still only works with the original IP address.

Something like this: http://i.imgur.com/9BUZRCN.jpg

So essentially, traffic would be blocked on that VM for any other IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking "click to add more" would add another text field.

________________________________
From: Edward Haas <ehaas@redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sghosh@redhat.com>
Cc: Bill Bill <jax2568@outlook.com>; users <users@ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing

On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh@redhat.com> wrote:
> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations.
>
> Look at the anti-spoofing rules on ebtables.netfilter.org
>
> It doesn't prevent the user adding it in the vm, but the infrastructure blocks its usage.
>
> ________________________________
> From: Bill Bill <jax2568@outlook.com>
> Sent: Aug 3, 2016 22:40
> To: users@ovirt.org
> Subject: [ovirt-users] IP Address Stealing
>
> Hello,
>
> Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IPs from within the same range as sub interfaces: eth0:0, eth0:1, eth0:2 and so on and so forth.
>
> Subnetting is not ideal in this situation because it's a huge waste of IP space.

In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).
You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html

Thanks,
Edy.

> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
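The "only the first IP works" behaviour described above comes from how clean-traffic obtains the VM's address: when no IP parameter is supplied, libvirt learns one address from the first IP packet the interface sends (the CTRL_IP_LEARNING mechanism in formatnwfilter.html) and the no-ip-spoofing / no-arp-spoofing sub-filters then only accept that one address. Supplying the IP parameter explicitly, once per allowed address, bypasses learning and turns the filter into the allow-list the thread is asking oVirt's UI for. The following libvirt domain XML fragment is an added example and not from the thread or the oVirt project; the bridge name, MAC address and the 192.0.2.x addresses are constructed for illustration, and it assumes the filter is applied at the libvirt level (oVirt 4.0 exposes the filter choice, not its parameters).

```xml
<!-- Added example (not from the thread): a vnic whose clean-traffic filter
     is pinned to an explicit list of source addresses. Everything below is
     constructed for illustration. -->
<interface type='bridge'>
  <source bridge='ovirtmgmt'/>            <!-- constructed bridge name -->
  <mac address='52:54:00:ab:cd:01'/>      <!-- constructed MAC; no-mac-spoofing ties traffic to it -->
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <!-- Repeating the IP parameter builds a list. no-ip-spoofing and
         no-arp-spoofing inside clean-traffic accept packets and ARP replies
         sourced from any listed address and drop all other sources, so an
         eth0:1 alias with an address outside this list is silently blocked
         on the host side. Setting IP explicitly also means libvirt does not
         lock onto whichever address the guest happened to use first. -->
    <parameter name='IP' value='192.0.2.10'/>
    <parameter name='IP' value='192.0.2.11'/>
  </filterref>
</interface>
```

To confirm what was actually instantiated on the host, `virsh dumpxml <domain>` shows the parameters libvirt applied, and `ebtables -t nat -L` on the hypervisor lists the per-interface chains libvirt generates from the filter, which is where the mac+ip anti-spoofing rules suggested earlier in the thread end up.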