Hi,
I don't know if this is much help, but here is our setup, which works in a way that users cannot spoof public IP from inside VM. We've set up a MAC pool range on engine and a DHCP server on one VM; this server assigns IPs according to VMs' MACs. We use CentOS6 nodes (and engine 3.3.5). The node always sees the VM's NIC by its ovirt MAC, even if user changes it from inside VM.

Now the solution was ebtables (bridge tables). We've set rules on bridge to public network which drop packets if they don't come from legit MAC/IP combination. Example:

-A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j DROP

Any comments on the setup are appreciated.

JureKr

On 06/19/2014 10:23 AM, Punit Dambiwal wrote:
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
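
Added example, not part of the original post or of oVirt: a shell sketch that turns a MAC-to-IP list (as the DHCP server would assign it) into one rule per VM in the form shown in the message. The function names, the MAC/IP pairs and the extra ARP rule are assumptions made for illustration; the script only prints commands for review.

```shell
#!/bin/sh
# Input on stdin: one "MAC IP" pair per line; blank lines and '#' comments ignored.
# Output: ebtables commands, printed only. Review them before running on the node.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_rules() {
    while read -r mac ip rest; do
        case "$mac" in ''|'#'*) continue ;; esac
        # A malformed entry must never become a rule: skip it and say so.
        if [ -n "$rest" ] || ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "skipping invalid entry: $mac $ip $rest" >&2
            continue
        fi
        # Rule form from the post: IPv4 frames from this MAC with any
        # other source IP are dropped on the bridge.
        echo "ebtables -A FORWARD -p IPv4 -s $mac --ip-src ! $ip -j DROP"
        # Assumption beyond the post: pin the ARP sender IP the same way.
        echo "ebtables -A FORWARD -p ARP -s $mac --arp-ip-src ! $ip -j DROP"
    done
}

# Constructed sample data (locally administered MACs, documentation IPs).
sample_pairs() {
    cat <<'EOF'
# mac               ip
02:00:00:00:00:01   192.0.2.10
02:00:00:00:00:02   192.0.2.11
02:00:00:00:00:03   192.0.2.999
EOF
}

sample_pairs | gen_rules
```

The negation is written after the option (`--ip-src ! addr`) to match the post; newer ebtables releases expect the `!` before the option.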