[ovirt-users] Ip spoofing

Dan Kenigsberg danken at redhat.com
Thu Jun 19 11:34:51 UTC 2014


On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> Hi,
> 
> I have set up oVirt with glusterfs... I have some concerns about the network
> part...
> 
> 1. Is there any way to restrict the guest VM so that it can be assigned
> a single IP address, and the user cannot in any way manipulate the IP
> address from inside the VM (that means the user cannot change the IP address
> inside the VM)?

I am afraid that oVirt does not let you do that out-of-the-box. By
default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
indeed allows IP spoofing.

This behavior can be changed by writing a vdsm hook that changes the
default filterref to

      <filterref filter='clean-traffic'>
              <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      </filterref>

If your VM is assigned with its address not via dhcp, life is more
complicated, since the hook needs to have access to this address before
boot.

I would love to assist you in writing such a hook; please take the
vmfex_dev hook as a reference. To read more about vdsm hooks, please see
http://www.ovirt.org/Vdsm_Hooks .

Regards,
Dan.
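
A sketch of the kind of hook described in the message above, as an added example that is not part of the original message and is not vdsm's or the vmfex_dev hook's code. It assumes the script runs at vdsm's before_vm_start hook point and that every vNIC is bridge-backed; the sample domain XML, MAC addresses and bridge names are constructed.

```python
#!/usr/bin/python3
# Added example: sketch of a vdsm before_vm_start hook, not vdsm's own code.
from xml.dom import minidom

FILTER = "clean-traffic"
PARAMS = {"CTRL_IP_LEARNING": "dhcp"}  # values taken from the message above

def set_filterref(domxml):
    """Swap each vNIC's filterref for clean-traffic; return vNICs changed."""
    changed = 0
    for iface in domxml.getElementsByTagName("interface"):
        # Drop whatever filter vdsm put there (vdsm-no-mac-spoofing by default).
        for old in list(iface.getElementsByTagName("filterref")):
            old.parentNode.removeChild(old)
        ref = domxml.createElement("filterref")
        ref.setAttribute("filter", FILTER)
        for name, value in PARAMS.items():
            param = domxml.createElement("parameter")
            param.setAttribute("name", name)
            param.setAttribute("value", value)
            ref.appendChild(param)
        iface.appendChild(ref)
        changed += 1
    return changed

# Constructed sample domain XML (trimmed to the vNIC elements).
SAMPLE = """<domain type='kvm'><devices>
<interface type='bridge'><mac address='00:1a:4a:00:00:01'/>
<source bridge='ovirtmgmt'/><filterref filter='vdsm-no-mac-spoofing'/></interface>
<interface type='bridge'><mac address='00:1a:4a:00:00:02'/>
<source bridge='vmnet'/></interface>
</devices></domain>"""

def demo():
    dom = minidom.parseString(SAMPLE)
    set_filterref(dom)
    return dom.documentElement.toxml()

if __name__ == "__main__":
    try:
        import hooking  # helper module shipped with vdsm on the host
    except ImportError:
        print(demo())  # off-host: show the rewritten sample instead
    else:
        domxml = hooking.read_domxml()
        set_filterref(domxml)
        hooking.write_domxml(domxml)
```

After a VM starts with the hook in place, `virsh dumpxml` on the host should show the clean-traffic filterref on each interface.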


