[ovirt-users] Ip spoofing
Dan Kenigsberg
danken at redhat.com
Thu Jun 19 11:34:51 UTC 2014
On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> Hi,
>
> I have setup Ovirt with glusterfs...I have some concern about the network
> part....
>
> 1. Is there any way to restrict the Guest VM...so that it can be assign
> with single ip address...and in anyhow the user can not manipulate the IP
> address from inside the VM (that means user can not change the ip address
> inside the VM).
I am afraid that oVirt does not let you do that out-of-the-box. By
default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
indeed allows IP spoofing.
This behavior can be changed by writing a vdsm hook that changes the
default filterref to
<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>
If your VM is assigned with its address not via dhcp, life is more
complicated, since the hook needs to have access to this address before
boot.
I would love to assist you in writing such a hook; please take the
vmfex_dev hook as a reference. To read more about vdsm hooks, please see
http://www.ovirt.org/Vdsm_Hooks .
Regards,
Dan.
More information about the Users
mailing list