[ovirt-users] Ip spoofing

Sven Kieske S.Kieske at mittwald.de
Wed Jun 25 07:09:45 UTC 2014


Here's a workaround:

define one logical network per vm
assign IPs to these networks from a central instance
assign one broadcast domain per logical network.

so in other words: do correct subnetting.
if you have a router that can't get spoofed, you should be fine.

HTH

On 25.06.2014 04:16, Punit Dambiwal wrote:
> Hi Dan,
> 
> I tried the following way:
> 
> 1. I placed your script in the following locations:
> /usr/libexec/vdsm/hooks/before_device_create/50_noipspoof &
> /usr/libexec/vdsm/hooks/before_nic_hotplug/50_noipspoof
> 
> 2. Then run this command on the ovirt-engine server (engine-config -s
> "UserDefinedVMProperties=noipspoof=^[0-9.]*$")
> 3. After that stop the VM and set a custom property named "noipspoof" with
> IP 10.10.10.6.
> 4. Run the VM and log in via ssh, configure another ethernet interface, eth0:0, with
> the IP address 10.10.10.9
> 5. From another VM with IP 10.10.10.5 I am able to ping 10.10.10.9....
> 
> One strange thing is that in the VM XML the filter is still "vdsm-no-mac-spoofing"
> instead of "noipspoof"
> 
> ----------------
>  <interface type='bridge'>
>       <mac address='00:1a:4a:81:80:09'/>
>       <source bridge='private'/>
>       <target dev='vnet0'/>
>       <model type='virtio'/>
>       <filterref filter='vdsm-no-mac-spoofing'/>
>       <link state='up'/>
>       <alias name='net0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
>  </interface>
> ----------------
> 
> Please let me know if I am wrong here....
> 
> 
> 
> On Tue, Jun 24, 2014 at 8:06 PM, Dan Kenigsberg <danken at redhat.com> wrote:
> 
>> On Tue, Jun 24, 2014 at 05:52:51PM +0800, Punit Dambiwal wrote:
>>> Hi Den,
>>>
>>> Thanks for the updates... but still the user can spoof another IP
>>> address by manually editing the ifcfg-eth0:0 file....
>>>
>>> Like if I assign the 10.0.0.5 IP address to one VM through cloud-init... once
>>> the VM boots up, the user can log in to the VM and create another virtual ethernet
>>> device and add another IP address 10.0.0.6 to this VM....
>>>
>>> I want that in any case the user cannot spoof the IP address.... Either they can
>>> edit it, but the new IP address cannot boot up (should not be active)...
>>>
>>> Thanks,
>>> Punit
>>
>> Have you placed my script properly? Could you share your domxml as
>> visible to libvirt?
>>
>>   virsh -r dumpxml <name-of-your-vm>
>>
>> And as alluded to by Sven - could you try to use the spoofed IP address?
>> Configuring is not blocked by the filter, only using it (try pinging
>> outside of the VM).
>>
>> Regards,
>> Dan.
>>

-- 
Kind regards / Regards

Sven Kieske

Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
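As an added example (not Dan's script, which is not in the thread, and not part of this mail): a small Python check that parses the output of `virsh -r dumpxml` the way Dan asks for, lists interfaces whose filterref is not pinned to an IP, and shows the rewrite a before_device_create hook would make. It assumes libvirt's stock `no-ip-spoofing` filter with its `IP` parameter; the sample domxml is constructed from the interface quoted above, with the default vdsm-no-mac-spoofing filter still in place.

```python
import xml.etree.ElementTree as ET

# Constructed sample (from the interface in the thread): the filter is still
# vdsm-no-mac-spoofing, so the guest may use any IP it configures itself.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>vm1</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:81:80:09'/>
      <source bridge='private'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='vdsm-no-mac-spoofing'/>
    </interface>
  </devices>
</domain>"""

# libvirt's stock filter: drops IP traffic whose source is not the $IP parameter.
IP_FILTER = "no-ip-spoofing"

def audit_interfaces(domxml):
    """Return [(mac, filter_name, ip)] per interface; ip is None without an IP parameter."""
    rows = []
    for iface in ET.fromstring(domxml).iter("interface"):
        mac = iface.find("mac").get("address")
        fref = iface.find("filterref")
        name = fref.get("filter") if fref is not None else None
        params = {p.get("name"): p.get("value") for p in fref.findall("parameter")} if fref is not None else {}
        rows.append((mac, name, params.get("IP")))
    return rows

def unprotected(domxml):
    """MACs not pinned to an IP: what to check in 'virsh -r dumpxml' after the hook ran."""
    return [mac for mac, name, ip in audit_interfaces(domxml)
            if name != IP_FILTER or ip is None]

def pin_ip(domxml, ip):
    """Rewrite every interface's filterref to no-ip-spoofing pinned to `ip`,
    the edit a before_device_create hook would make (assumed, not Dan's script)."""
    root = ET.fromstring(domxml)
    for iface in root.iter("interface"):
        for old in iface.findall("filterref"):
            iface.remove(old)
        fref = ET.SubElement(iface, "filterref", filter=IP_FILTER)
        ET.SubElement(fref, "parameter", name="IP", value=ip)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("unprotected before:", unprotected(SAMPLE_DOMXML))
    print("unprotected after: ", unprotected(pin_ip(SAMPLE_DOMXML, "10.10.10.6")))
```

Because libvirt instantiates the filter only when the device is created, an interface that still shows vdsm-no-mac-spoofing in the live domxml is the first thing to check, as Dan suggests; pinging from the spoofed address is the second.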

