>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>> It is then easy to implement such filter.
>
>also a good idea.
>
>Alexandre - any suggestions?

I like this one ;)

also, could be used when we'll implement dhcp server inside proxmox.

----- Original message -----
From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
To: "Dietmar Maurer" <diet...@proxmox.com>, pve-devel@pve.proxmox.com
Sent: Wednesday, 4 June 2014 12:43:51
Subject: Re: [pve-devel] pve-firewall: dhcp snooping

>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>> It is then easy to implement such filter.

also a good idea.

Alexandre - any suggestions?

On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
> On 04.06.2014 12:10, Dietmar Maurer wrote:
>>> I'm starting to deploy the pve-firewall code on a test cluster.
>>>
>>> Something I really would like to have is dhcp snooping on the linux bridge
>>> so that VMs controlled by somebody else can't use fake / wrong ip addresses.
>>>
>>> Is something like this possible with the current firewall code?
>>
>> Not implemented, because we do not have/store a list of IPs.
>>
>> One option would be to store the list of allowed IP in the VM network
>> config:
>>
>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>
>> It is then easy to implement such filter.
>>
>
> For snooping there is no ip list needed. You just monitor DHCP ACK
> packets from specific MAC and IP and then generate the entries.
>
> Stefan
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
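
The snooping approach from the thread (learn MAC/IP entries from DHCP ACK packets, then filter on them), as an added example that is not part of the thread or of the pve-firewall code. `parse_dhcp`, `BindingTable` and `build_reply` are hypothetical names, the sample packet is constructed, and the caller is assumed to pass in only replies seen from the trusted DHCP server side.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPACK = 5

def parse_dhcp(payload):
    """Return (msg_type, mac, yiaddr, lease_seconds) for a BOOTP reply, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[0] != 2 or payload[1] != 1 or payload[2] != 6:  # BOOTREPLY, Ethernet
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])   # address handed to the client
    mac = payload[28:34].hex(":")               # chaddr, first 6 bytes
    msg_type = lease = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                             # truncated option: reject
        value = payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and len(value) == 1:          # DHCP message type
            msg_type = value[0]
        elif code == 51 and len(value) == 4:        # lease time in seconds
            lease = struct.unpack("!I", value)[0]
        i += 2 + len(value)
    return msg_type, mac, yiaddr, lease

class BindingTable:
    def __init__(self):
        self.bindings = {}                          # mac -> (ip, expires_at)
    def learn(self, payload, now):
        """Record a binding only from a DHCPACK that carries an address and a lease."""
        p = parse_dhcp(payload)
        if not p or p[0] != DHCPACK or not p[3] or p[2] == "0.0.0.0":
            return False
        self.bindings[p[1]] = (p[2], now + p[3])
        return True
    def allowed(self, mac, src_ip, now):
        """True if this MAC currently holds an unexpired lease for src_ip."""
        entry = self.bindings.get(mac.lower())
        return entry is not None and entry[0] == src_ip and now < entry[1]

def build_reply(msg_type, mac, yiaddr, lease):
    """Constructed sample: a minimal BOOTP reply with options 53 and 51."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      socket.inet_aton(yiaddr), bytes(4), bytes(4),
                      bytes.fromhex(mac.replace(":", "")))
    return (hdr + bytes(192) + MAGIC_COOKIE + bytes([53, 1, msg_type, 51, 4])
            + struct.pack("!I", lease) + b"\xff")
```
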