Re: [ovirt-users] IP Address Stealing


On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh@redhat.com> wrote:
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations.
Look at the anti-spoofing rules on ebtables.netfilter.org
It doesn't prevent the user adding it in the vm, but the infrastructure blocks its usage.
------------------------------
From: Bill Bill <jax2568@outlook.com>
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing
Hello,
Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP and the user has root access, they can simply add random IPs from within the same range as sub-interfaces: eth0:0, eth0:1, eth0:2 and so on and so forth.
Subnetting is not ideal in this situation because it’s a huge waste of IP space.
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings). You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html
Thanks,
Edy.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


On Fri, Aug 12, 2016 at 8:17 PM, Bill Bill <jax2568@outlook.com> wrote:
Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into, which can match the rules being used. For example, when enabling the clean-traffic filter it appears the VM can only have 1 IP address; even if another IP is added legitimately, it still only works with the original IP address.
Something like this: http://i.imgur.com/9BUZRCN.jpg
So essentially, traffic would be blocked on that VM for any IP space other than the IPs entered into the text fields, which then edit/work with the netfilter rules. The idea would be that clicking “click to add more” adds another text field.
That could have been a nice option indeed. Could you please open an RFE on bugzilla so we can consider and manage this?
Thanks,
Edy.
From: Edward Haas <ehaas@redhat.com>
Sent: Thursday, August 4, 2016 3:47 AM
To: Subhendu Ghosh <sghosh@redhat.com>
Cc: Bill Bill <jax2568@outlook.com>; users <users@ovirt.org>
Subject: Re: [ovirt-users] IP Address Stealing
On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <sghosh@redhat.com> wrote:
Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations.
Look at the anti-spoofing rules on ebtables.netfilter.org
It doesn't prevent the user adding it in the vm, but the infrastructure blocks its usage.
------------------------------
From: Bill Bill <jax2568@outlook.com>
Sent: Aug 3, 2016 22:40
To: users@ovirt.org
Subject: [ovirt-users] IP Address Stealing
Hello,
Is it possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP and the user has root access, they can simply add random IPs from within the same range as sub-interfaces: eth0:0, eth0:1, eth0:2 and so on and so forth.
Subnetting is not ideal in this situation because it’s a huge waste of IP space.
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings). You can check the clean-traffic filter which uses multiple other more specific filters.
Ref: https://libvirt.org/formatnwfilter.html
Thanks, Edy.
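As an added illustration (not from the thread, and not XML that oVirt or libvirt ships), this is a libvirt domain XML interface fragment that applies the clean-traffic filter Edy points to while pinning several legitimate guest addresses, which is the case Bill found the filter did not cover when it learned only one IP. The bridge name, MAC address and IP addresses are constructed placeholders; the parameter name IP and the filter name clean-traffic are the ones documented at the formatnwfilter.html reference above.

```xml
<!-- Added example, not part of the mailing list thread. Bridge, MAC and
     addresses below are constructed placeholders. -->
<interface type='bridge'>
  <mac address='52:54:00:aa:bb:cc'/>
  <source bridge='br0'/>
  <!-- clean-traffic is a bundle of narrower filters (no-mac-spoofing,
       no-ip-spoofing, no-arp-spoofing, ...). Inspect the bundle with:
         virsh nwfilter-dumpxml clean-traffic -->
  <filterref filter='clean-traffic'>
    <!-- If no IP parameter is given, libvirt learns a single source address
         from the guest's own traffic; that is why only the first address kept
         working in the thread. Listing every legitimate address here lets the
         guest use all of them, and frames sourced from any other address on
         this vNIC are dropped on the host, regardless of what root inside the
         guest configures on eth0:0, eth0:1, ... -->
    <parameter name='IP' value='192.0.2.10'/>
    <parameter name='IP' value='192.0.2.11'/>
    <parameter name='IP' value='192.0.2.12'/>
  </filterref>
  <model type='virtio'/>
</interface>
```

In oVirt the domain XML is generated from the vNIC profile rather than edited by hand, so the per-address parameter lines are exactly what the RFE discussed in the thread would have to supply.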
participants (3)
- Bill Bill
- Edward Haas
- Subhendu Ghosh