On Mon, Aug 11, 2014 at 5:38 PM, Anton Gorlov <stal...@altlinux.ru> wrote:
> Hi all.
> What is the right way to protect ip/mac spoofing for guests without dhcp and
> other 1 ip per guest?
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
>

Libvirt manages iptables, ebtables, etc via nwfilter. You can add a filterref to your guest xml. This libvirt documentation covers this topic. It sounds like you will want to implement the clean-traffic filter.

From a similar libvirt document <http://libvirt.org/firewall.html> there is this reference which sounds like what you want to implement.

"Most of these are just building blocks. The interesting one here is 'clean-traffic'. This pulls together all the building blocks into one filter that you can then associate with a guest NIC. This stops the most common bad things a guest might try, IP spoofing, arp spoofing and MAC spoofing."

Regards,
Jamie Ian Fargen
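The filterref suggested in the reply above, as an added example that is not part of the original thread or libvirt's own code: a Python helper that audits a guest's domain XML and gives each NIC a `clean-traffic` filterref with an explicit `IP` parameter, which suits the one-static-IP-per-guest, no-DHCP case from the question. The domain XML, MAC addresses and IP addresses are constructed samples, the function names are hypothetical, and every interface is assumed to carry an explicit `<mac>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML: first NIC unfiltered, second already pinned.
DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <source bridge='br0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.11'/>
      </filterref>
    </interface>
  </devices>
</domain>"""

def nic_filters(domain_xml):
    """Audit view: {mac: (filter name or None, [IP parameter values])}."""
    out = {}
    for nic in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac = nic.find("mac").get("address").lower()
        ref = nic.find("filterref")
        ips = [] if ref is None else [p.get("value") for p in ref.findall("parameter[@name='IP']")]
        out[mac] = (None if ref is None else ref.get("filter"), ips)
    return out

def pin_clean_traffic(domain_xml, ip_by_mac):
    """Give each NIC listed in ip_by_mac a clean-traffic filterref with its static IP."""
    root = ET.fromstring(domain_xml)
    changed = []
    for nic in root.findall("./devices/interface"):
        mac = nic.find("mac").get("address").lower()
        ref = nic.find("filterref")
        if mac not in ip_by_mac or (ref is not None and ref.get("filter") != "clean-traffic"):
            continue  # unknown NIC, or a different filter was chosen deliberately
        if ref is None:
            ref = ET.SubElement(nic, "filterref", {"filter": "clean-traffic"})
        ips = ref.findall("parameter[@name='IP']")
        if [p.get("value") for p in ips] == [ip_by_mac[mac]]:
            continue  # already pinned to the right address
        for p in ips:
            ref.remove(p)
        ET.SubElement(ref, "parameter", {"name": "IP", "value": ip_by_mac[mac]})
        changed.append(mac)
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    print(pin_clean_traffic(DOMAIN_XML, {"52:54:00:aa:bb:01": "192.0.2.10"})[0])
```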