Hi Jure,

It's ok... but what if the user spoofs the IP on eth0:0... then the MAC address will be the same as eth0?? How can we control this??

Thanks,
Punit D

On Wed, Jul 9, 2014 at 3:38 PM, Jure Kranjc <jure.kra...@arnes.si> wrote:

> Hi,
>
> I don't know if this is much help but here is our setup which works in a
> way that users cannot spoof public IP from inside VM.
> We've set up a MAC pool range on engine and a DHCP server on one VM, this
> server assigns IPs according to VMs' MACs.
> We use CentOS6 nodes (and engine 3.3.5). The node always sees the VM's NIC
> by its ovirt MAC, even if user changes it from inside VM.
> Now the solution was ebtables (bridge tables). We've set rules on bridge
> to public network which drops packets if they don't come from legit MAC/IP
> combination. Example:
>
> -A FORWARD -p IPv4 -s 0:1a:4a:f9:xx:xx --ip-src ! IPADDRofVM -j DROP
>
> Any comments on the setup are appreciated.
>
> JureKr
>
> On 06/19/2014 10:23 AM, Punit Dambiwal wrote:
>
> Hi,
>
> I have setup Ovirt with glusterfs...I have some concern about the
> network part....
>
> 1. Is there any way to restrict the Guest VM...so that it can be assign
> with single ip address...and in anyhow the user can not manipulate the IP
> address from inside the VM (that means user can not change the ip address
> inside the VM).
>
> Thanks,
> Punit
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
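
Added example, not part of the thread or of oVirt: a shell sketch that builds one ebtables rule per VM in the form quoted above and models how those rules treat a frame, including one sent from an alias such as eth0:0, which carries the same MAC as eth0. The MAC/IP pairs are constructed placeholders, and the `emit_rules` and `verdict` helpers are hypothetical names.

```shell
#!/bin/sh
# Constructed binding table: one "MAC IP" pair per line.
# Placeholder values; 192.0.2.0/24 is a documentation range.
BINDINGS='00:1a:4a:f9:00:01 192.0.2.10
00:1a:4a:f9:00:02 192.0.2.11'

# Emit one rule per VM in the form quoted in the thread: drop IPv4
# frames from this MAC unless the source IP is the assigned one.
emit_rules() {
    printf '%s\n' "$BINDINGS" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        printf '%s\n' "-A FORWARD -p IPv4 -s $mac --ip-src ! $ip -j DROP"
    done
}

# Model the rule set for one frame: verdict <src-mac> <src-ip>.
# A rule drops the frame when the MAC matches and the IP differs.
# MACs are compared as lower-case strings here. A MAC with no rule is
# accepted, because the quoted rule adds no default-drop policy.
verdict() {
    result=ACCEPT
    while read -r mac ip; do
        [ -n "$mac" ] || continue
        if [ "$1" = "$mac" ] && [ "$2" != "$ip" ]; then
            result=DROP
        fi
    done <<EOF
$BINDINGS
EOF
    echo "$result"
}

emit_rules
# eth0 with its assigned address
echo "eth0   192.0.2.10: $(verdict 00:1a:4a:f9:00:01 192.0.2.10)"
# eth0:0 alias: same MAC as eth0, different source IP
echo "eth0:0 192.0.2.99: $(verdict 00:1a:4a:f9:00:01 192.0.2.99)"
# a second VM trying to use the first VM's address
echo "vm2    192.0.2.10: $(verdict 00:1a:4a:f9:00:02 192.0.2.10)"
```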