On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh(a)redhat.com> wrote:
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
out mac+ip combinations.
Look at the anti-spoofing rules on ebtables.netfilter.org
It doesn't prevent the user adding it in the vm, but the infrastructure
blocks its usage.
------------------------------
*From:* Bill Bill <jax2568(a)outlook.com>
*Sent:* Aug 3, 2016 22:40
*To:* users(a)ovirt.org
*Subject:* [ovirt-users] IP Address Stealing
Hello,
Is it possible to prevent a VM from adding an IP? For example, if we
provision a VM with one IP, if the user has root access they can simply add
random IPs from within the same range as sub interfaces: eth0:0 eth0:1
eth0:2 so on and so forth.
Subnetting is not ideal in this situation because it’s a huge waste of IP
space.
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic
profile settings).
You can check the clean-traffic filter which uses multiple other more
specific filters.
Ref:
https://libvirt.org/formatnwfilter.html
Thanks,
Edy.
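
The MAC+IP pinning that the ebtables suggestion in this thread describes, as an added example that is not part of the original messages: a POSIX shell function that prints the rules for one guest interface. The tap name `vnet0`, the MAC, the addresses and the `AS_` chain prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) ebtables rules that pin one guest tap device
# to its assigned MAC and IPv4 addresses. Review, then pipe to sh as root.
# The tap name, MAC and addresses in the sample call are constructed values.

# Accept a value only if it has no whitespace or shell metacharacters and
# matches the given extended regex (a shape check, not full validation).
valid() {
    case $1 in ''|*[!0-9A-Za-z_.:-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}

# usage: antispoof_rules TAP MAC IP [IP...]
antispoof_rules() (
    iface=$1 mac=$2
    shift 2 || exit 1
    chain="AS_$iface"

    valid "$iface" '^[A-Za-z0-9_.-]{1,15}$' || { echo "bad iface" >&2; exit 1; }
    valid "$mac" '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || { echo "bad MAC" >&2; exit 1; }
    [ "$#" -gt 0 ] || { echo "need at least one allowed IP" >&2; exit 1; }
    for ip in "$@"; do
        valid "$ip" '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "bad IP: $ip" >&2; exit 1; }
    done

    # Per-guest chain, entered for frames arriving from the guest's tap whether
    # they are bridged onward (FORWARD) or addressed to the host (INPUT).
    echo "ebtables -N $chain"
    echo "ebtables -A FORWARD -i $iface -j $chain"
    echo "ebtables -A INPUT -i $iface -j $chain"

    for ip in "$@"; do
        # IPv4 passes only from the assigned MAC with an assigned source IP.
        echo "ebtables -A $chain -p IPv4 -s $mac --ip-src $ip -j RETURN"
        # ARP must claim the same MAC/IP pair, so an alias such as eth0:1
        # cannot announce an extra address.
        echo "ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j RETURN"
    done

    # Everything else from this guest is dropped, including DHCP requests
    # (source 0.0.0.0) and IPv6, so this form suits statically addressed guests.
    echo "ebtables -A $chain -j DROP"
)

# Sample call with constructed values.
antispoof_rules vnet0 00:1a:4a:16:01:51 192.0.2.10 192.0.2.11
```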