Hi there,

I want/need to enforce instances to use the IPs allocated by OpenNebula.
I do have them configured on boot, but nothing currently prevents my users from 
changing them.
This can lead to problems as they can DoS other user instances, or even my 
router, proxy or infrastructure services.
I currently use ebtables, but it only prevents MAC spoofing (by the way, what's 
the use case for that?). Iptables, as far as I can see, will only set rules for 
Layer 7.
I previously tested CloudStack, and they used iptables to enforce the IP. Also, 
as far as I know, libvirt now supports IP anti-spoofing.
I thought about adding the iptables rules to ebtables, but then they would be 
overridden by the OpenNebula firewall. Also, I'm unsure how it would behave when 
machines are live migrated.
My question is if there is a way, out of the box, to prevent spoofing. If not, 
maybe somebody can give me some guidance on what files or hooks to change.

Thanks.
                                          
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
