On 29.08.2010 20:23, Jonathan Tripathy wrote:
I can use anything, as long as it "pins" given MAC/IP addresses to a
VM guest - and that any "rogue" guest is not able to disrupt traffic
to other VM guests (or, worse, the gateway) - i.e. by changing its own
IP/MAC to something else, possibly addresses used by other guests /
gateway.
Yes, but the INPUT chain is only relevant for traffic destined for the
host itself. Does the host actually do anything in your case, or is it
just a bridging device?
Not sure I understand your question correctly, or if we refer to the
same thing if we use "host".
The "host system" is a bridge and gateway, and runs VM guests (KVM).
As guests are fully virtualized systems, they are technically free to
change their IP and MAC address (users have root access). This means
they can be a danger to other virtual guests, or generally network
infrastructure, if they change their IP or MAC addresses to something
different they should have.
Therefore, I would like to prevent it, but so far, my tries with
iptables or ebtables were not really successful.
--
Tomasz Chmielewski
http://wpkg.org
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
