Hi,

I don't know if this is much help but here is our setup which works in a way that users cannot spoof public IP from inside VM.
We've set up a MAC pool range on engine and a DHCP server on one VM, this server assigns IPs according to VMs MACs.
We use CentOS6 nodes (and engine 3.3.5). The node always sees the VM's NIC by it's ovirt MAC, even if user changes it from inside VM.
Now the solution was ebtables (bridge tables). We've set rules on bridge to public network which drops packets if they don't come from legit MAC/IP combination. Example:

-A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j DROP

Any comments on the setup are appriceated.

JureKr

On 06/19/2014 10:23 AM, Punit Dambiwal wrote:

Hi,

I have setup Ovirt with glusterfs...I have some concern about the network part....

1. Is there any way to restrict the Guest VM...so that it can be assign with single ip address...and in anyhow the user can not manipulate the IP address from inside the VM (that means user can not change the ip address inside the VM).

Thanks,

Punit
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users