Hi Dan, I try the following way :- 1. I placed your script in the following location :- /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof & /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof 2. Then run this command on the ovirt-engine server (engine-config -s "UserDefinedVMProperties=noipspoof=^[0-9.]*$") 3. After that stop the VM and set a custom property named "noipspoof" with ip 10.10.10.6. 4. Run the VM and login via ssh,configure another ethernet with eth0:0 with the ip address 10.10.10.9 5. From another VM with ip 10.10.10.5 i can able to ping 10.10.10.9.... One strange thing is in VM xml still the filter is "vdsm-no-mac-spoofing" instead of "noipspoof" ---------------- <interface type='bridge'> <mac address='00:1a:4a:81:80:09'/> <source bridge='private'/> <target dev='vnet0'/> <model type='virtio'/> <filterref filter='vdsm-no-mac-spoofing'/> <link state='up'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/ > ---------------- Please let me know if i am wrong here.... [image: Inline image 1] On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <danken@redhat.com> wrote:
On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
Hi Den,
Thanks for the updates...but still the user can spoof the another ip address by manually edit the ifcfg-eth0:0 file....
Like if i assign the 10.0.0.5 ip address to one VM through cloud-int...once the VM bootup user can login to VM and create another virtual ethernet device and add another ip address 10.0.0.6 to this VM....
I want in anyhow the user can not spoof the ip address....either they can edit but the new ip address can not boot up(should not active)...
Thanks, Punit
Have you placed my script properly? Could you share your domxml as visible to libvirt?
virsh -r dumxml <name-of-your-vm>
And as alluded by Sven - could you try to use the spooded IP address? Configuring is not blocked by the filter, only using it (try pinging outside of the VM).
Regrads, Dan.
