[pve-devel] pve-firewall: dhcp snooping
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Wed Jun 4 12:19:23 CEST 2014
Am 04.06.2014 12:10, schrieb Dietmar Maurer:
>> i'm starting to deploy the pve-firewall code on a test cluster.
>>
>> Something i really would like to have is dhcp snooping on the linux bridge so that
>> VMs controlled by somebody else can't use fake / wrong ip adresses.
>>
>> Is something like this possible with the current firewall code?
>
> Not implemented, because we do not have/store a list of IPs.
>
> One option would be to store the list of allowed IP in the VM network config:
>
> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>
> It is then easy to implement such filter.
>
For snooping there is no ip list neeeded. You just monitor DHCP ACK
packets from specific MAC and IP and then generate the entries.
Stefan
More information about the pve-devel
mailing list