Re: Reporting of IP detected by network filter

On Tue, Nov 20, 2018 at 04:05:43PM +0100, Marcin Mirecki wrote:
> Hello,
> 
> The network filters feature has an option of automatically detecting the IP
> of a VM [1].
> Is it possible to retrieve this IP by any means?

It is possibly visible in the live XML in the <filterref> XML as a
parameter.

> If not, would you consider adding such a feature?

We should make it visible via the API for fetching guest IP addrs.

The snooping code should be moved out of nwfilter and into the
QEMU driver. The QEMU driver should simply update the nwfilter
binding with the IP once it has snooped it.

> It would be very useful for use cases where there is no guest agent.

NB, there are potentially trust issues when using a snooped IP addr.

e.g. if snooping DHCP responses, a malicious guest could act as a DHCP
server and send bogus responses. If snooping ARPs a malicious
guest can send gratuitous ARPs. Thus for nwfilter we tend to recommend
setting explicit IP addrs, or using filters that block guests from
sending bogus DHCP responses.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
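
An added example, not part of the thread and not libvirt's own code: a check for the recommendation in the reply above, reporting which interfaces in a domain's XML set an explicit `IP` parameter on their `<filterref>` and which leave the address to detection. The sample XML, MAC addresses and the function name are constructed for illustration; for a real guest the input would be the output of `virsh dumpxml --inactive`, on the assumption that a parameter in the persistent configuration was set by the operator.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): three interfaces,
# one with an explicit IP, one filtered without an IP, one with no filter.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo-guest</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.10'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:03'/>
    </interface>
  </devices>
</domain>
"""

def audit_filterref_ips(domain_xml):
    """Return one dict per interface: mac, filter name, explicit IPs, status."""
    results = []
    for iface in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else None
        ref = iface.find("filterref")
        if ref is None:
            # No nwfilter binding at all on this interface.
            results.append({"mac": mac, "filter": None, "ips": [], "status": "unfiltered"})
            continue
        # An interface may carry several IP parameters; collect all of them.
        ips = [p.get("value") for p in ref.iterfind("parameter") if p.get("name") == "IP"]
        # Without an explicit IP the filter depends on an address learned
        # from guest traffic, which is the trust issue raised in the reply.
        status = "explicit" if ips else "relies-on-detection"
        results.append({"mac": mac, "filter": ref.get("filter"), "ips": ips, "status": status})
    return results

if __name__ == "__main__":
    for finding in audit_filterref_ips(SAMPLE_DOMAIN_XML):
        print(finding)
```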


