[openstack-dev] [neutron][security-group] rules for filter mac-addresses

Darren J Moffat Darren.Moffat at Oracle.COM
Mon Jul 20 14:57:48 UTC 2015



On 07/17/15 03:17, Yan Xing'an wrote:
> For example, in the use case where the VM is an LVS (Linux Virtual Server),
> to let any client's IP go out, we need to configure allowed_address_pairs to 0.0.0.0/0,
>   or disable the security group on the port by setting "port-security-enable" false.
> After that, mac-level rules are needed to protect other VMs.
>
> Does anyone else have another use case?

It sounds like what you want is anti-spoofing capability for the VM so 
that it can't pretend to have a link with the MAC address of some other VM 
(that is hosted on the same system), is that correct?

If so then that sounds like something the VM should provide and it 
shouldn't need that much configuration.  In fact Solaris Zones already 
have such anti-spoof capabilities and they are automatically enabled 
when Solaris Zones are deployed in OpenStack.  Solaris Zones have both 
IP, DHCP (CID) and MAC layer nospoof protections that can be enabled.

mac-nospoof:

MAC address anti-spoof. An outbound packet's source MAC address
must match the link's configured MAC address. Non-matching
packets will be dropped. If the link belongs to a zone, turning
mac-nospoof on will prevent the zone's owner from modifying the
link's MAC address.


-- 
Darren J Moffat
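The mac-nospoof rule quoted above is simple to state: an outbound frame is forwarded only if its source MAC equals the MAC configured on the link. The following is an added example (not code from this thread, from Solaris, or from Neutron) that simulates that check in Python over a handful of constructed Ethernet II frames. It assumes a link has exactly one configured MAC address and that every outbound frame is handed over as raw bytes with a plain 14-byte Ethernet header; the link and neighbour MAC addresses used in the sample are made up.

```python
"""Simulation of a MAC-level anti-spoof (mac-nospoof) check on outbound frames.

Added example; not code from the mailing-list thread, Solaris or Neutron.
Assumptions: one configured MAC per link, frames are Ethernet II (14-byte
header: dst(6) src(6) ethertype(2)) supplied as bytes, no VLAN tag handling.
"""
import struct
from collections import Counter

ETH_HDR_LEN = 14  # dst(6) + src(6) + ethertype(2)


def mac_to_str(mac: bytes) -> str:
    """Render a 6-byte MAC as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype), or None if the frame is too short to carry a header."""
    if len(frame) < ETH_HDR_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return dst, src, ethertype


def mac_nospoof_filter(link_mac: bytes, frames):
    """Apply the mac-nospoof rule to a sequence of outbound frames.

    Frames whose source MAC equals link_mac are forwarded; frames with any
    other source MAC are dropped, as are frames too short to parse.
    Returns (forwarded_frames, drop_log, stats) so a caller can both
    forward traffic and report what was blocked.
    """
    forwarded = []
    drop_log = []
    stats = Counter()
    for frame in frames:
        hdr = parse_ethernet(frame)
        if hdr is None:
            stats["dropped_malformed"] += 1
            drop_log.append("malformed frame (%d bytes)" % len(frame))
            continue
        _dst, src, _ethertype = hdr
        if src != link_mac:
            stats["dropped_spoofed"] += 1
            drop_log.append("spoofed source MAC %s (link MAC %s)"
                            % (mac_to_str(src), mac_to_str(link_mac)))
            continue
        stats["forwarded"] += 1
        forwarded.append(frame)
    return forwarded, drop_log, stats


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (constructed test input, not captured traffic)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample: one link with its configured MAC, a neighbouring VM's
# MAC and a gateway MAC. All three values are made up for this example.
LINK_MAC = bytes.fromhex("fa163e000001")
OTHER_VM_MAC = bytes.fromhex("fa163e000002")
GATEWAY_MAC = bytes.fromhex("fa163e0000fe")
SAMPLE_FRAMES = [
    build_frame(GATEWAY_MAC, LINK_MAC),            # legitimate IPv4 frame from own MAC
    build_frame(GATEWAY_MAC, OTHER_VM_MAC),        # source MAC belongs to another VM: dropped
    build_frame(GATEWAY_MAC, LINK_MAC, 0x0806),    # ARP from own MAC: forwarded
    b"\x00" * 5,                                   # truncated frame: dropped as malformed
]


def run_sample():
    """Run the filter over the constructed frames."""
    return mac_nospoof_filter(LINK_MAC, SAMPLE_FRAMES)


if __name__ == "__main__":
    fwd, log, stats = run_sample()
    print(dict(stats))
    for line in log:
        print("DROP:", line)
```

The drop log is the part a defender actually wants: a VM whose outbound frames repeatedly fail the check is either misconfigured or trying to borrow a neighbour's MAC, and either way the per-link counters are what you would export to monitoring.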


