[ovirt-users] Ip spoofing

Dan Kenigsberg danken at redhat.com
Tue Jun 24 08:44:30 UTC 2014


On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
> On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> > Hi,
> > 
> > I have set up oVirt with glusterfs... I have some concerns about the network
> > part...
> > 
> > 1. Is there any way to restrict the guest VM so that it can be assigned
> > a single IP address, and so that the user cannot in any way manipulate the IP
> > address from inside the VM (that means the user cannot change the IP address
> > inside the VM)?
> 
> I am afraid that oVirt does not let you do that out-of-the-box. By
> default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
> indeed allows IP spoofing.
> 
> This behavior can be changed by writing a vdsm hook that changes the
> default filterref to
> 
>       <filterref filter='clean-traffic'>
>               <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
>       </filterref>
> 
> If your VM is assigned with its address not via dhcp, life is more
> complicated, since the hook needs to have access to this address before
> boot.
> 
> I would love to assist you in writing such a hook; please take the
> vmfex_dev hook as a reference. To read more about vdsm hooks, please see
> http://www.ovirt.org/Vdsm_Hooks .

I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1
Maybe you can try it out, by placing
http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on
your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,
and setting a custom property named "noipspoof" to a list of valid IP
addresses.

Please report if it does what it should.

It would obviously be nicer if we integrate this with cloud-init,
so that each VM would have its list of valid addresses defined once.
Care to open an RFE?

Regards,
Dan.
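
The filterref rewrite discussed in this thread, for the statically addressed case, as an added example: it is not the noipspoof.py from the Gerrit change and not vdsm code. It assumes the property value is a comma-separated list of IPv4 addresses; the function names and the sample device XML are constructed, and the vdsm hook plumbing for reading and writing the device XML is left out.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an <interface> device definition as a
# before_device_create hook would see it; MAC and bridge are made up.
SAMPLE_IFACE = """
<interface type='bridge'>
  <mac address='00:1a:4a:16:01:51'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
  <filterref filter='vdsm-no-mac-spoofing'/>
</interface>
"""


def parse_addresses(prop):
    """Validate the property value (assumed comma-separated) and fail closed."""
    addrs = [a.strip() for a in prop.split(',') if a.strip()]
    if not addrs:
        raise ValueError('noipspoof: no addresses given')
    # IPv4Address() raises a ValueError subclass on anything that is not a
    # literal IPv4 address, so junk never reaches the filter definition.
    # Restricting to IPv4 is an assumption of this example.
    return [str(ipaddress.IPv4Address(a)) for a in addrs]


def apply_noipspoof(iface_xml, prop):
    """Return iface_xml with its filterref replaced by clean-traffic + IPs."""
    iface = ET.fromstring(iface_xml)
    if iface.tag != 'interface':
        raise ValueError('not an <interface> device')
    addrs = parse_addresses(prop)
    # Drop the default vdsm-no-mac-spoofing reference; libvirt's
    # clean-traffic filter already includes MAC anti-spoofing rules.
    for old in iface.findall('filterref'):
        iface.remove(old)
    ref = ET.SubElement(iface, 'filterref', {'filter': 'clean-traffic'})
    # One IP parameter per permitted address; with explicit addresses no
    # CTRL_IP_LEARNING parameter is set.
    for addr in addrs:
        ET.SubElement(ref, 'parameter', {'name': 'IP', 'value': addr})
    return ET.tostring(iface, encoding='unicode')


if __name__ == '__main__':
    print(apply_noipspoof(SAMPLE_IFACE, '192.0.2.10, 192.0.2.11'))
```

An invalid or empty address list raises before the XML is touched, so a mistyped property fails visibly rather than silently leaving the vNIC on the default filter.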


