On 04.06.2014 12:10, Dietmar Maurer wrote:
>> I'm starting to deploy the pve-firewall code on a test cluster.
>>
>> Something I really would like to have is dhcp snooping on the linux bridge
>> so that
>> VMs controlled by somebody else can't use fake / wrong IP addresses.
>>
>> Is something like this possible with the current firewall code?
>
> Not implemented, because we do not have/store a list of IPs.
>
> One option would be to store the list of allowed IPs in the VM network config:
>
> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>
> It is then easy to implement such a filter.
>
For snooping there is no IP list needed. You just monitor DHCP ACK packets
from specific MAC and IP and then generate the entries.

Stefan
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
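
The snooping approach described in the reply, as an added example that is not part of the original thread or of the pve-firewall code: it parses a DHCP reply, records a MAC to IP binding from each DHCPACK together with the lease expiry, and checks later traffic against that table. The function names are hypothetical, the packet is constructed from the MAC and IP in the quoted `net0` line, and the caller is assumed to pass in only UDP payloads received from the trusted DHCP server side of the bridge.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at offset 236 (RFC 2131)

def parse_options(buf):
    """Walk the TLV option area and return {code: value}."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != 255:      # 255 = end option
        if buf[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            break                              # truncated option: stop parsing
        opts[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return opts

def snoop_ack(payload, bindings, now):
    """Record MAC -> (IP, expiry) from a DHCPACK; return (mac, ip) or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    if payload[0] != 2 or payload[1] != 1 or payload[2] != 6:
        return None                            # need BOOTREPLY, Ethernet, 6-byte MAC
    opts = parse_options(payload[240:])
    # Option 53 = message type (5 is DHCPACK), option 51 = lease time.
    # An ACK answering DHCPINFORM carries no lease and is ignored.
    if opts.get(53) != b"\x05" or len(opts.get(51, b"")) != 4:
        return None
    mac = payload[28:34].hex(":")              # chaddr
    ip = socket.inet_ntoa(payload[16:20])      # yiaddr
    bindings[mac] = (ip, now + struct.unpack("!I", opts[51])[0])
    return mac, ip

def is_allowed(mac, ip, bindings, now):
    """True if this MAC currently holds an unexpired lease for this IP."""
    entry = bindings.get(mac.lower())
    return entry is not None and entry[0] == ip and now < entry[1]

def build_sample_ack(mac, ip, lease):
    """Constructed test packet, not a capture."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)
    pkt += bytes(4) + socket.inet_aton(ip) + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    pkt += bytes.fromhex(mac.replace(":", "")) + bytes(10 + 192)  # chaddr, sname, file
    return pkt + MAGIC + b"\x35\x01\x05\x33\x04" + struct.pack("!I", lease) + b"\xff"
```

A filter built on this table would drop frames for which `is_allowed` returns false and expire entries once the lease time has passed.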