[one-users] ip spoofing

Maxim Terletskiy terletskiy at emu.ru
Thu May 1 03:17:15 PDT 2014

As you wrote this is exactly we were looking for. Thank you very much, 
Stefan! :)

01.05.2014 12:39, Stefan Kooman пишет:
> Quoting Maxim Terletskiy (terletskiy at emu.ru):
>> Hi!
>> No we're using vlans with simple bridging. I've used ovswitch in
>> past and do not remember anything about "ip hijacking" prevention in
>> it. How can ovswitch know what ip/mac must be on vm interface? Will
>> it be usefull if VMs living on different virtualization hosts?
> "openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
> "ip hijacking". That's done by ONE based on OpenFlow rules. From the
> docs [1]:
> Mac-spoofing
> These rules prevent any traffic to come out of the port the MAC address
> has changed.
> in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
> in_port=<PORT>,priority=39000,actions=normal
> IP hijacking
> These rules prevent any traffic to come out of the port for IPv4 IP’s
> not configured for a VM
> in_port=<PORT>,arp,dl_src=<MAC>priority=45000,actions=drop
> in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
> See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
> Using openvswitch gives you exactly what you asked for, without the need
> for hacking ebtables/iptables script. In a much cleaner way IMHO.
> Gr. Stefan

More information about the Users mailing list