[pve-devel] pve-firewall: dhcp snooping
Alexandre DERUMIER
aderumier at odiso.com
Wed Jun 4 13:10:26 CEST 2014
>>>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>>> It is then easy to implement such a filter.
>
>also a good idea.
>
>Alexandre - any suggestions?
I like this one ;) Also, it could be used when we implement a DHCP server inside Proxmox.
----- Original message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
Sent: Wednesday 4 June 2014 12:43:51
Subject: Re: [pve-devel] pve-firewall: dhcp snooping
>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>> It is then easy to implement such a filter.
also a good idea.
Alexandre - any suggestions?
On 04.06.2014 12:19, Stefan Priebe - Profihost AG wrote:
> On 04.06.2014 12:10, Dietmar Maurer wrote:
>>> I'm starting to deploy the pve-firewall code on a test cluster.
>>>
>>> Something I really would like to have is DHCP snooping on the Linux bridge so that
>>> VMs controlled by somebody else can't use fake / wrong IP addresses.
>>>
>>> Is something like this possible with the current firewall code?
>>
>> Not implemented, because we do not have/store a list of IPs.
>>
>> One option would be to store the list of allowed IPs in the VM network config:
>>
>> net0: e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1,ip=192.168.2.3
>>
>> It is then easy to implement such a filter.
>>
>
> For snooping there is no IP list needed. You just monitor DHCP ACK
> packets from specific MAC and IP and then generate the entries.
>
> Stefan
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
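The snooping approach discussed in the thread, as an added example that is not part of the original messages and is not pve-firewall code: it parses a DHCP reply payload, accepts only DHCPACKs that arrive on a trusted bridge port, and records the MAC to IP binding a filter could then enforce. The function names, the port names `eth0` and `tap100i0`, and the sample packet are assumptions constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp_ack(payload):
    """Return (client_mac, assigned_ip, lease_secs) if payload is a DHCPACK, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    if payload[0] != 2 or payload[1] != 1 or payload[2] != 6:  # BOOTREPLY, Ethernet
        return None
    ip = socket.inet_ntoa(payload[16:20])                       # yiaddr
    mac = ":".join("%02X" % b for b in payload[28:34])          # chaddr
    msg_type = lease = None
    i = 240
    while i < len(payload) and payload[i] != 255:               # 255 = end option
        if payload[i] == 0:                                     # pad option
            i += 1
            continue
        if i + 1 >= len(payload):                               # no length byte
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:                                # truncated option
            return None
        if payload[i] == 53 and length == 1:                    # message type
            msg_type = value[0]
        elif payload[i] == 51 and length == 4:                  # lease time
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    if msg_type != 5 or ip == "0.0.0.0":                        # 5 = DHCPACK
        return None
    return mac, ip, lease

def learn(bindings, in_port, payload, trusted_ports):
    """Record MAC -> IP only for ACKs that entered on a trusted port (assumed: the uplink)."""
    ack = parse_dhcp_ack(payload) if in_port in trusted_ports else None
    if ack:
        bindings[ack[0]] = ack[1]
    return ack

def sample(msg_type, mac="0E:0B:38:B8:B3:21", ip="192.168.2.3"):
    """Constructed DHCP reply for the MAC/IP pair used in the thread; lease 3600 s."""
    hdr = struct.pack("!4BI2H4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", socket.inet_aton(ip), b"", b"",
                      bytes.fromhex(mac.replace(":", "")), b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 51, 4, 0, 0, 14, 16, 255])
```

Restricting learning to a trusted ingress port matters because a guest that could inject its own DHCPACK would otherwise be able to authorize any address for itself.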