>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 >> It is then easy to implement such filter.
also a good idea. Alexandre - any suggestions? Am 04.06.2014 12:19, schrieb Stefan Priebe - Profihost AG: > Am 04.06.2014 12:10, schrieb Dietmar Maurer: >>> i'm starting to deploy the pve-firewall code on a test cluster. >>> >>> Something i really would like to have is dhcp snooping on the linux bridge >>> so that >>> VMs controlled by somebody else can't use fake / wrong ip adresses. >>> >>> Is something like this possible with the current firewall code? >> >> Not implemented, because we do not have/store a list of IPs. >> >> One option would be to store the list of allowed IP in the VM network config: >> >> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3 >> >> It is then easy to implement such filter. >> > > For snooping there is no ip list neeeded. You just monitor DHCP ACK > packets from specific MAC and IP and then generate the entries. > > Stefan > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
