On Tue, Apr 27, 2010 at 9:20 PM, Jesse Gross <je...@nicira.com> wrote:
> On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <n...@narod.ru> wrote:
>>
>> Good day.
>>
>> Is there any way to filter VM's traffic with ovs (like mac spoofing or ip
>> usurpation)?
>>
>> I tried to find any, but found none.
>
> There isn't currently a specific MAC/IP anti-spoofing feature. You can,
> however, add flow entries that allow traffic from a given port, MAC, and IP
> and drop everything else. The ovs-ofctl man page describes how to add
> flows.

An explicit feature isn't really necessary though, given those three, right? An attacker with root on a VM can fake a MAC and IP, but they can't plug the VM into a different vswitch port...

I guess a database feature could be added that makes it so the three must be bound in order for flows not to get dropped. But I guess that would be more important with migration of VMs, and then it gets into a more sophisticated controller like NOX, probably, right?

Todd
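
The port/MAC/IP binding discussed in this thread, as an added example that is not part of the original messages: a shell function that validates a binding and emits the allow-then-drop flow entries in ovs-ofctl flow syntax. The port number, MAC, IP, priorities and the bridge name `br0` are constructed assumptions, and the match field names are those of current ovs-ofctl.

```shell
#!/bin/sh
# Added example: bind one vswitch port to one MAC and one IPv4 address.
# All sample values (port 1, MAC, 192.0.2.10, br0) are constructed.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# antispoof_flows PORT MAC IP -> prints one flow entry per line
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    # Reject malformed input before it reaches the flow table.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }

    # IPv4 is forwarded only with the bound source MAC and source IP.
    echo "priority=100,in_port=$port,dl_src=$mac,ip,nw_src=$ip,actions=normal"
    # ARP is forwarded only if the Ethernet source and both ARP sender
    # fields match, so the VM cannot claim another host's IP via ARP.
    echo "priority=100,in_port=$port,dl_src=$mac,arp,arp_sha=$mac,arp_spa=$ip,actions=normal"
    # Anything else arriving on this port is dropped. That includes IPv6
    # and DHCP requests from 0.0.0.0, so a statically addressed VM is assumed.
    echo "priority=50,in_port=$port,actions=drop"
}

# Print the flows for a constructed binding. To install them:
#   antispoof_flows 1 52:54:00:12:34:56 192.0.2.10 | ovs-ofctl add-flows br0 -
antispoof_flows 1 52:54:00:12:34:56 192.0.2.10
```

Because every rule matches on `in_port`, the binding rests on the one value the guest cannot change, and the flows have to be reinstalled for the new port when a VM migrates.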