"If no <ip address> is included, the network filter driver will activate its 'learning mode'. This uses libpcap to snoop on network traffic the guest sends and attempts to identify the first IP address it uses. It then locks traffic to this address. Obviously this isn't entirely secure, but it does offer some protection against the guest being trojaned once up & running."
According to what he says, it is created with ebtables rules, as I was doing directly with ebtables.

"All active guests immediately have their iptables/ebtables rules rebuilt."
On Thu, Sep 15, 2016 at 8:49 PM, Marcin Mirecki <mmirecki@redhat.com> wrote:

Andre,
The clean-traffic is meant to prevent mac/IP/ARP spoofing.
I am afraid this is the best we can offer out of the box at the moment.
If you are willing to give some additional effort you can try and look at the OVS based
networking (added recently). You could use the vdsm hooks to create some additional
openflow rules on the ovs-switch that would put some constraints on where the traffic is going.
One more item which is still in a very early development stage is an OVN-provider (http://openvswitch.org/support/dist-docs/ovn-architecture.7.html).
OVN itself is also still not a ripe project, but is actively being developed.
If you are interested I could update you once we have something working.
Thanks,
Marcin
----- Original Message -----
> From: "André Gustavo" <andre@andregustavo.org>
> To: "Marcin Mirecki" <mmirecki@redhat.com>
> Cc: Users@ovirt.org
> Sent: Tuesday, September 13, 2016 11:53:30 PM
> Subject: Re: [ovirt-users] Associate IP addresses to MAC addresses (anti-spoofing rules)
>
> I forgot to comment
>
> It is a public network (Public IP)
>
> I have 2 servers and 1 router
> I hired an "IP block" that can be accessed through the router
>
> For example:
>
> Network: 165.112.12.112/28
> IPs: 165.112.12.113 - 167.114.12.125
> Gateway: 165.112.12.126 (router)
>
> I provide to my client a public IP directly in VM
>
> I want to prevent a customer from responding as another customer
> or from taking another available IP for himself
>
> ----
>
> Since my client has access to the "User Portal",
> will the "clean-traffic" filter prevent him from changing the IP when he shuts down
> and restarts the VM?

This is a security mechanism provided by libvirt to restrict the VM from communicating
with more than one MAC, one IP (and some more restrictions).
If I'm not mistaken, the heuristic (when not set manually in the domxml) is to lock on the first
source address it detects.

>
> Thanks,
> André
>
> 2016-09-13 5:57 GMT-03:00 Marcin Mirecki <mmirecki@redhat.com>:
>
> > Hi André,
> >
> > The best separation would be providing a separate network for each
> > customer.
> > This way you could protect them from other malicious users on your
> > internal networks.
> > Please describe your env in some more detail.
> >
> > Thanks,
> > Marcin
> >
> >
> >
> > ----- Original Message -----
> > > From: "André Gustavo" <andre@andregustavo.org>
> > > To: Users@ovirt.org
> > > Sent: Monday, September 12, 2016 8:33:40 PM
> > > Subject: [ovirt-users] Associate IP addresses to MAC addresses
> > (anti-spoofing rules)
> > >
> > > Aloha,
> > >
> > > I'm using oVirt 4 in my hosting.
> > >
> > > However, a customer can easily change the IP to another client's (IP spoofing)
> > >
> > > In vNIC profiles, I altered the Network Filter
> > > from "vdsm-no-mac-spoofing" to "no-ip-spoofing"
> > >
> > > It worked partially, but if the client powers off the VM and turns it on again,
> > > he can change the IP
> > >
> > > I tried to use ebtables, but also had problems
> > > http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof
> > >
> > >
> > > What is the best option?
> > >
> > >
> > > --
> > > ---
> > > André Gustavo Timermann
> > > Curitiba/PR - Brasil
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
>
>
>
> --
> ---
> André Gustavo Timermann
>
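Worked example, added here as an illustration; it is not oVirt or vdsm project code and was not posted in the thread. The weakness the thread circles around is the libpcap "learning mode" quoted at the top: when clean-traffic is applied with no IP parameter, libvirt locks onto whatever source address the guest uses first, so a customer who power-cycles the VM from the User Portal simply gets a fresh lock on a different address. The vNIC profile in oVirt only selects the filter name; it does not pass the IP parameter. The hook below pins it. Assumptions not taken from the thread: a per-VM custom property called pinned_ip (hypothetical name) that vdsm exposes to hook scripts as an environment variable of the same name, vdsm's hooking helper with read_domxml()/write_domxml(), a vNIC profile that already selects clean-traffic, and exit code 2 aborting the VM start (vdsm's hook convention, verify against your version). The sample domain XML is constructed for the demo.

```python
#!/usr/bin/env python3
"""vdsm before_vm_start hook (added example, not vdsm/oVirt project code).

Pins libvirt's clean-traffic network filter to a fixed IPv4 address by
injecting <parameter name='IP' value='...'/> into every
<filterref filter='clean-traffic'> of the VM's domain XML, so libvirt never
falls back to its libpcap learning mode.

Assumptions (not taken from the thread):
  * the VM carries a custom property `pinned_ip` (hypothetical name), which
    vdsm exposes to hook scripts as an environment variable of that name;
  * the vNIC profile already selects the clean-traffic filter;
  * exit code 2 makes vdsm abort the VM start (vdsm hook convention, verify
    against your version).
"""
import ipaddress
import os
import sys
import xml.dom.minidom

FILTER_NAME = 'clean-traffic'

# Constructed sample of the relevant part of a domain XML, for the demo/test;
# the second NIC deliberately uses a different filter and must stay untouched.
SAMPLE_DOMXML = """<domain type="kvm"><name>cust-vm</name><devices>
<interface type="bridge"><mac address="00:1a:4a:16:01:51"/>
<source bridge="ovirtmgmt"/><filterref filter="clean-traffic"/></interface>
<interface type="bridge"><mac address="00:1a:4a:16:01:52"/>
<source bridge="ovirtmgmt"/><filterref filter="vdsm-no-mac-spoofing"/></interface>
</devices></domain>"""


def pin_clean_traffic_ip(domxml_str, ip, mac=None):
    """Return (new_xml, count): the domain XML with the clean-traffic
    filterref(s) pinned to `ip`, and how many filterrefs were pinned.

    If `mac` is given, only the interface with that MAC address is touched,
    which is what you want on a VM with more than one vNIC.
    A stale IP parameter from an earlier run is replaced, never duplicated.
    Raises ValueError if `ip` is not a valid IPv4 address, so garbage from a
    mistyped property is never written into the filter.
    """
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError('clean-traffic IP parameter must be IPv4: %r' % ip)
    dom = xml.dom.minidom.parseString(domxml_str)
    pinned = 0
    for iface in dom.getElementsByTagName('interface'):
        if mac is not None:
            macs = iface.getElementsByTagName('mac')
            if not macs or macs[0].getAttribute('address').lower() != mac.lower():
                continue
        for ref in iface.getElementsByTagName('filterref'):
            if ref.getAttribute('filter') != FILTER_NAME:
                continue
            # Drop any IP parameter left by a previous run before adding ours.
            for old in list(ref.getElementsByTagName('parameter')):
                if old.getAttribute('name') == 'IP':
                    ref.removeChild(old)
            param = dom.createElement('parameter')
            param.setAttribute('name', 'IP')
            param.setAttribute('value', ip)
            ref.appendChild(param)
            pinned += 1
    return dom.toxml(), pinned


def main(hooking):
    """Hook entry point; `hooking` is vdsm's helper module (assumed API:
    read_domxml() -> minidom Document, write_domxml(Document))."""
    ip = os.environ.get('pinned_ip')
    if not ip:
        return 0  # property not set: leave the VM alone
    domxml = hooking.read_domxml()
    try:
        new_xml, pinned = pin_clean_traffic_ip(domxml.toxml(), ip)
    except ValueError as err:
        sys.stderr.write('pinned_ip hook: %s\n' % err)
        return 2
    if pinned == 0:
        # Refuse to start an unpinned VM rather than silently fall back to learning mode.
        sys.stderr.write('pinned_ip hook: no clean-traffic filterref on any vNIC\n')
        return 2
    hooking.write_domxml(xml.dom.minidom.parseString(new_xml))
    return 0


if __name__ == '__main__':
    try:
        import hooking  # only present on an oVirt/vdsm host
    except ImportError:
        # Not on a host: show the transformation on the constructed sample instead.
        new_xml, n = pin_clean_traffic_ip(SAMPLE_DOMXML, '165.112.12.113')
        print('pinned %d filterref(s):\n%s' % (n, new_xml))
        sys.exit(0)
    sys.exit(main(hooking))
```

To use it you would install the script executable under the before_vm_start hook directory on every host, register the custom property on the engine (engine-config -s UserDefinedVMProperties with a regex for pinned_ip is the usual way; the exact regex is yours to pick), and set the property per VM from the admin side. The point of the "pinned == 0" branch is that the failure mode of this setup is silent: a VM whose vNIC profile lost the clean-traffic filter would otherwise start with no pinning at all, so the hook aborts the start instead. This only helps, of course, if the customer's User Portal role cannot edit the custom property or switch the vNIC profile.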