On Fri, Aug 12, 2016 at 8:17 PM, Bill Bill <jax2568(a)outlook.com> wrote:
Cool. It looks like that works. Perhaps it would be good for oVirt to have
a few text fields in the nic properties to enter IP addresses into, which
can match the rules being used. For example, when enabling the
clean-traffic filter it appears the VM can only have 1 IP address; even if
another IP is added legitimately, it still only works with the original IP
address.
Something like this:
http://i.imgur.com/9BUZRCN.jpg
So essentially, traffic would be blocked on that VM for any other IP space
other than the IP’s entered into the text fields, which then edit/work with
the netfilter rules. The idea would be that clicking “click to add more”
would add another text field.
That could have been a nice option indeed.
Could you please open an RFE on bugzilla so we can consider and manage this?
Thanks,
Edy.
*From: *Edward Haas <ehaas(a)redhat.com>
*Sent: *Thursday, August 4, 2016 3:47 AM
*To: *Subhendu Ghosh <sghosh(a)redhat.com>
*Cc: *Bill Bill <jax2568(a)outlook.com>; users <users(a)ovirt.org>
*Subject: *Re: [ovirt-users] IP Address Stealing
On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh(a)redhat.com> wrote:
> Not built into ovirt AFAIK, but an ebtables rule can allow you to filter
> out mac+ip combinations
>
> Look at the anti-spoofing rules on
> ebtables.netfilter.org
>
> It doesn't prevent the user adding it in the vm, but the infrastructure
> blocks it's usage.
>
> ------------------------------
> *From:* Bill Bill <jax2568(a)outlook.com>
> *Sent:* Aug 3, 2016 22:40
> *To:* users(a)ovirt.org
> *Subject:* [ovirt-users] IP Address Stealing
>
> Hello,
>
> It is possible to prevent a VM from adding an IP? For example, if we
> provision a VM with one IP, if the user has root access they can simply add
> random IP’s from within the same range as sub interfaces: eth0:0 eth0:1
> eth0:2 so on and so forth.
>
> Subnetting is not ideal in this situation because it’s a huge waste of IP
> space.
>
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the
vnic profile settings).
You can check the clean-traffic filter which uses multiple other more
specific filters.
Ref:
https://libvirt.org/formatnwfilter.html
Thanks,
Edy.
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
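As an added illustration of the "text fields per IP" idea discussed above (not code from oVirt, libvirt or anyone in the thread): the snippet below turns a list of operator-entered addresses into the `<filterref>` element that goes inside a VM's `<interface>` in the libvirt domain XML, validating each address first. It assumes, following the formatnwfilter reference Edy linked, that the `IP` variable used by `clean-traffic` may be given more than one value, one `<parameter>` element per address; the sample addresses are constructed.

```python
"""Build a libvirt <filterref> for clean-traffic with several permitted IPs.

Added example, not oVirt or libvirt code. Assumption (from the libvirt
formatnwfilter reference): the IP variable may carry several values, each
given as its own <parameter name='IP' value='...'/> element.
"""
import ipaddress
import xml.etree.ElementTree as ET


def normalize_ips(ips):
    """Validate operator-entered addresses; reject junk and duplicates.

    Returns canonical IPv4 strings in input order.
    """
    out = []
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())   # ValueError on junk input
        if addr.version != 4:
            # The IP variable holds IPv4 addresses; IPv6 uses a separate variable.
            raise ValueError(f"IP variable is IPv4 only: {raw}")
        if addr.is_unspecified or addr.is_multicast:
            raise ValueError(f"not a usable VM address: {raw}")
        if str(addr) not in out:
            out.append(str(addr))
    if not out:
        raise ValueError("at least one IP is required")
    return out


def filterref_xml(ips, filter_name="clean-traffic"):
    """Return the <filterref> XML to place inside the VM's <interface>."""
    ref = ET.Element("filterref", filter=filter_name)
    for ip in normalize_ips(ips):
        ET.SubElement(ref, "parameter", name="IP", value=ip)
    return ET.tostring(ref, encoding="unicode")


def permitted_ips(filterref):
    """Parse a <filterref> (e.g. from virsh dumpxml) back into its IP list."""
    root = ET.fromstring(filterref)
    return [p.get("value") for p in root.findall("parameter")
            if p.get("name") == "IP"]


if __name__ == "__main__":
    # Constructed sample: the provisioned address plus one added legitimately.
    print(filterref_xml(["192.0.2.10", "192.0.2.11 "]))
```

Any source address outside the listed values is then dropped by the filter's no-ip-spoofing rules, which is the behaviour the thread asks for; a `virsh dumpxml` of the domain can be fed to `permitted_ips` to audit what a running VM is actually bound to.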