[ovirt-users] Ip spoofing

Punit Dambiwal hypunit at gmail.com
Tue Jun 24 09:52:51 UTC 2014


Hi Den,

Thanks for the updates... but the user can still spoof another IP
address by manually editing the ifcfg-eth0:0 file....

Like, if I assign the 10.0.0.5 IP address to one VM through cloud-init... once
the VM boots up, the user can log in to the VM, create another virtual ethernet
device and add another IP address, 10.0.0.6, to this VM....

I want that the user cannot spoof the IP address in any way... either they can
edit it, but the new IP address cannot boot up (should not be active)...

Thanks,
Punit


On Tue, Jun 24, 2014 at 4:44 PM, Dan Kenigsberg <danken at redhat.com> wrote:

> On Thu, Jun 19, 2014 at 12:34:51PM +0100, Dan Kenigsberg wrote:
> > On Thu, Jun 19, 2014 at 04:23:18PM +0800, Punit Dambiwal wrote:
> > > Hi,
> > >
> > > I have set up oVirt with glusterfs... I have some concerns about the
> > > network part....
> > >
> > > 1. Is there any way to restrict the guest VM... so that it can be assigned
> > > a single IP address... and the user cannot in any way manipulate the IP
> > > address from inside the VM (that means the user cannot change the IP
> > > address inside the VM).
> >
> > I am afraid that oVirt does not let you do that out-of-the-box. By
> > default, the vdsm-no-mac-spoofing filter is applied to vNICs, which
> > indeed allows IP spoofing.
> >
> > This behavior can be changed by writing a vdsm hook that changes the
> > default filterref to
> >
> >       <filterref filter='clean-traffic'>
> >               <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
> >       </filterref>
> >
> > If your VM is assigned with its address not via dhcp, life is more
> > complicated, since the hook needs to have access to this address before
> > boot.
> >
> > I would love to assist you in writing such a hook; please take the
> > vmfex_dev hook as a reference. To read more about vdsm hooks, please see
> > http://www.ovirt.org/Vdsm_Hooks .
>
> I've posted a hook like that to http://gerrit.ovirt.org/#/c/29093/1
> Maybe you can try it out, by placing
> http://gerrit.ovirt.org/#/c/29093/1/vdsm_hooks/noipspoof/noipspoof.py on
> your /usr/libexec/vdsm/hooks/before_device_create on each of your hosts,
> and setting a custom property named "noipspoof" to a list of valid IP
> addresses.
>
> Please report if it does what it should.
>
> It would obviously be nicer if we integrate this with cloud-init,
> so that each VM would have its list of valid addresses defined once.
> Care to open an RFE?
>
> Regards,
> Dan.
>
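
The filterref change discussed in this thread, as an added example that is not part of the original messages and is not the hook posted on gerrit: it swaps a vNIC's filter for `clean-traffic` pinned to an explicit list of IPv4 addresses, so host-side filtering drops traffic the guest sends from any other source address (such as the extra 10.0.0.6 alias). The function names, the comma-separated format of the `noipspoof` value and the sample vNIC XML are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a vNIC element carrying the default filter named in
# the thread. MAC address and bridge name are made up for the example.
SAMPLE_VNIC = """<interface type='bridge'>
  <mac address='00:1a:4a:16:01:51'/>
  <source bridge='ovirtmgmt'/>
  <model type='virtio'/>
  <filterref filter='vdsm-no-mac-spoofing'/>
</interface>"""


def parse_allowed_ips(prop_value):
    """Parse the custom property value (comma separation is an assumption)."""
    ips = []
    for item in prop_value.split(','):
        item = item.strip()
        if not item:
            continue
        # Raises ValueError unless the item is a literal IPv4 address, so a
        # malformed property never ends up in the domain XML.
        ips.append(str(ipaddress.IPv4Address(item)))
    if not ips:
        raise ValueError('no valid addresses listed')
    return ips


def pin_vnic_ips(interface_xml, prop_value):
    """Return the interface XML with clean-traffic pinned to the given IPs."""
    ips = parse_allowed_ips(prop_value)
    iface = ET.fromstring(interface_xml)
    # Drop whatever filter was attached before (e.g. vdsm-no-mac-spoofing).
    for old in iface.findall('filterref'):
        iface.remove(old)
    ref = ET.SubElement(iface, 'filterref', {'filter': 'clean-traffic'})
    # libvirt accepts one IP parameter per permitted source address.
    for ip in ips:
        ET.SubElement(ref, 'parameter', {'name': 'IP', 'value': ip})
    return ET.tostring(iface, encoding='unicode')


if __name__ == '__main__':
    print(pin_vnic_ips(SAMPLE_VNIC, '10.0.0.5'))
```

Because the addresses are fixed in the filter before boot, this covers the statically addressed case that `CTRL_IP_LEARNING=dhcp` does not.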