<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 12, 2016 at 8:17 PM, Bill Bill <span dir="ltr"><<a href="mailto:jax2568@outlook.com" target="_blank">jax2568@outlook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<p class="MsoNormal">Cool. It looks like that works. Perhaps it would be good for oVirt to have a few text fields in the nic properties to enter IP addresses into which can match the rules being used. For example, when enabling the clean-traffic filter it appears
the VM can only have 1 IP address, even if another IP is added legitimately, it still only works with the original IP address.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Something like this: <a href="http://i.imgur.com/9BUZRCN.jpg" target="_blank">
http://i.imgur.com/9BUZRCN.jpg</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So essentially, traffic would be blocked on that VM for any other IP space other than the IP’s entered into the text fields, which then edit/work with the netfilter rules. The idea would be to click “click to add more” would add another
text field. </p></div></div></blockquote><div><br></div><div>That could have been a nice option indeed.<br></div><div>Could you please open an RFE on bugzilla so we can consider and manage this?<br><br></div><div>Thanks,<br></div><div>Edy.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:ehaas@redhat.com" target="_blank">Edward Haas</a><br>
<b>Sent: </b>Thursday, August 4, 2016 3:47 AM<br>
<b>To: </b><a href="mailto:sghosh@redhat.com" target="_blank">Subhendu Ghosh</a><br>
<b>Cc: </b><a href="mailto:jax2568@outlook.com" target="_blank">Bill Bill</a>; <a href="mailto:users@ovirt.org" target="_blank">
users</a><br>
<b>Subject: </b>Re: [ovirt-users] IP Address Stealing</p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span></p>
</div><div><div class="h5">
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at 6:27 AM, Subhendu Ghosh <span dir="ltr">
<<a href="mailto:sghosh@redhat.com" target="_blank">sghosh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(31,73,125)">
<div>Not built into ovirt AFAIK, but an ebtables rule can allow you to filter out mac+ip combinations </div>
<div><br>
</div>
<div>Look at the anti-spoofing rules on <a href="http://ebtables.netfilter.org" target="_blank">
ebtables.netfilter.org</a></div>
<div><br>
</div>
<div>It doesn't prevent the user adding it in the vm, but the infrastructure blocks it's usage.</div>
<div><br>
</div>
</div>
<div>
<div style="clear:both">
<hr style="border:medium none;min-height:1px;color:rgb(225,225,225);background-color:rgb(225,225,225)">
<div style="border:medium none;padding:3pt 0cm 0cm"><span style="font-size:11pt;font-family:Calibri,Arial,Helvetica,sans-serif"><b>From:</b> Bill Bill <<a href="mailto:jax2568@outlook.com" target="_blank">jax2568@outlook.com</a>><br>
<b>Sent:</b> Aug 3, 2016 22:40<br>
<b>To:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
<b>Subject:</b> [ovirt-users] IP Address Stealing<br>
</span></div>
</div>
<span><br type="attribution">
<div>
<div>
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">It is possible to prevent a VM from adding an IP? For example, if we provision a VM with one IP, if the user has root access they can simply add random IP’s from within the same range as sub interfaces: eth0:0 eth0:1 eth0:2 so on and so
forth.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Subnetting is not ideal in this situation because it’s a huge waste of IP space.</p>
</div>
</div>
</span></div>
</blockquote>
<div><br>
</div>
In oVirt 4.0, you can choose a vnic libvirt filter from a list (at the vnic profile settings).<br>
</div>
<div class="gmail_quote">You can check the clean-traffic filter which uses multiple other more specific filters.<br>
Ref: <a href="https://libvirt.org/formatnwfilter.html" target="_blank">https://libvirt.org/<wbr>formatnwfilter.html</a><br>
</div>
<div class="gmail_quote">
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Edy.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><span>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p>
</div>
</div>
</span></div>
<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></div>
</blockquote></div><br></div></div>