<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 5/1/2014 1:17 PM, Maxim Terletskiy
wrote:<br>
</div>
<blockquote cite="mid:53621F2B.40101@emu.ru" type="cite">As you
wrote, this is exactly what we were looking for. Thank you very much,
Stefan! :)
<br>
<br>
01.05.2014 12:39, Stefan Kooman writes:
<br>
<blockquote type="cite">Quoting Maxim Terletskiy
(<a class="moz-txt-link-abbreviated" href="mailto:terletskiy@emu.ru">terletskiy@emu.ru</a>):
<br>
<blockquote type="cite">Hi!
<br>
<br>
No, we're using VLANs with simple bridging. I've used ovswitch in the
<br>
past and do not remember anything about "ip hijacking" prevention in
<br>
it. How can ovswitch know what IP/MAC must be on a VM interface? Will
<br>
it be useful if VMs are living on different virtualization hosts?
<br>
</blockquote>
"openvswitch" by itself doesn't do anything to prevent "mac
spoofing" or
<br>
"ip hijacking". That's done by ONE based on OpenFlow rules. From
the
<br>
docs [1]:
<br>
<br>
Mac-spoofing
<br>
<br>
These rules prevent any traffic to come out of the port the MAC
address
<br>
has changed.
<br>
<br>
in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
<br>
in_port=<PORT>,priority=39000,actions=drop
<br>
<br>
IP hijacking
<br>
<br>
These rules prevent any traffic to come out of the port for IPv4
IPs
<br>
not configured for a VM
<br>
<br>
in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
<br>
in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
<br>
<br>
See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
<br>
<br>
Using openvswitch gives you exactly what you asked for, without
the need
<br>
for hacking an ebtables/iptables script. In a much cleaner way,
IMHO.
<br>
<br>
Gr. Stefan
<br>
<br>
</blockquote>
<br>
_______________________________________________
<br>
Users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
<br>
</blockquote>
I gave in an earlier email how to check via iptables the source MAC
address for an IP ... <br>
<pre class="bash">/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
or you can expand
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -s YOUR-IP-ADDRESS-HERE -j ACCEPT
</pre>
<br>
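The OpenFlow rules Stefan quotes from the docs, as an added example (not code from this thread and not OpenNebula's own OpenvSwitch.rb): a POSIX shell helper that emits the MAC-spoofing and IP-hijacking rules for one VM port, one allow rule per assigned address, and hands them to ovs-ofctl. It assumes the caller supplies the bridge name, the tap's OpenFlow port number, the VM's MAC and its IPv4 addresses; the sample values are constructed.

```shell
#!/bin/sh
# Added example: build the anti-spoofing OpenFlow rules quoted from the
# OpenNebula docs for one VM port, in "ovs-ofctl add-flow" syntax.
# Not OpenNebula's own OpenvSwitch.rb; assumes the caller knows the
# OpenFlow port number of the VM's tap (from "ovs-ofctl show BRIDGE"),
# the VM's MAC, and the IPv4 address(es) assigned to it.

# anti_spoof_rules PORT MAC [IP...]  prints one rule per line
anti_spoof_rules() {
    port=$1
    mac=$2
    shift 2
    # MAC spoofing: only frames with the VM's MAC take the normal L2 path;
    # anything else entering from this port hits the lower-priority drop.
    printf 'in_port=%s,dl_src=%s,priority=40000,actions=normal\n' "$port" "$mac"
    printf 'in_port=%s,priority=39000,actions=drop\n' "$port"
    # IP hijacking: ARP from this port is dropped unless the sender IP is
    # one the VM was given, so it cannot claim another VM's address.
    [ $# -gt 0 ] || return 0
    printf 'in_port=%s,arp,dl_src=%s,priority=45000,actions=drop\n' "$port" "$mac"
    for ip in "$@"; do
        printf 'in_port=%s,arp,dl_src=%s,nw_src=%s,priority=46000,actions=normal\n' \
            "$port" "$mac" "$ip"
    done
}

# apply_anti_spoof BRIDGE PORT MAC [IP...]  installs the rules on BRIDGE;
# with DRY_RUN=1 it only prints the ovs-ofctl commands for review.
apply_anti_spoof() {
    bridge=$1
    shift
    anti_spoof_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ovs-ofctl add-flow $bridge $rule"
        else
            ovs-ofctl add-flow "$bridge" "$rule"
        fi
    done
}

# Constructed sample: a VM on OpenFlow port 5 of bridge br0 with MAC
# 02:00:0a:00:00:07 and the single address 10.0.0.7.
DRY_RUN=1 apply_anti_spoof br0 5 02:00:0a:00:00:07 10.0.0.7
```

Run it with DRY_RUN unset on the virtualization host to install the rules; "ovs-ofctl dump-flows BRIDGE" then shows them with the priorities above.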
</body>
</html>