[openstack-dev] [neutron][security-group] rules for filter mac-addresses
Darren J Moffat
Darren.Moffat at Oracle.COM
Mon Jul 20 14:57:48 UTC 2015
On 07/17/15 03:17, Yan Xing'an wrote:
> For example, in usecase of VM is a LVS (Linux Virtual Server),
> to make any client's ip outgoing, we need configure allowed_address_pairs to 0.0.0.0/0,
> or disable security-group on port by setting "port-security-enable" false.
> After that, mac-level rules are needed to protect other VMs.
>
> Does anyone else has other usecase?
It sounds like what you want is anti-spoofing capability for the VM so
that it can't pretend to have a link with the MAC address of some other VM
(that is hosted on the same system), is that correct?
If so then that sounds like something the VM should provide and it
shouldn't need that much configuration. In fact Solaris Zones already
have such anti-spoof capabilities and they are automatically enabled
when Solaris Zones are deployed in OpenStack. Solaris Zones have both
IP, DHCP (CID) and MAC layer nospoof protections that can be enabled.
mac-nospoof:
MAC address anti-spoof. An outbound packet's source MAC address
must match the link's configured MAC address. Non-matching
packets will be dropped. If the link belongs to a zone, turning
mac-nospoof on will prevent the zone's owner from modifying the
link's MAC address.
--
Darren J Moffat
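The two checks discussed in this thread, modelled on a constructed Ethernet/IPv4 frame: the MAC-layer rule Darren quotes (source MAC must equal the link's configured MAC) and the IP-layer rule behind Yan's LVS case (source IP must sit inside an allowed prefix, here opened to 0.0.0.0/0). This is an added illustration, not Solaris or Neutron code; `PortPolicy`, `filter_outbound`, `build_frame` and the MAC/IP values are assumptions chosen for the example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


class PortPolicy:
    """Hypothetical per-port anti-spoof policy: the link's configured MAC
    (mac-nospoof) and the IP prefixes the port may source (ip-nospoof,
    the analogue of Neutron's allowed_address_pairs)."""

    def __init__(self, link_mac, allowed_address_pairs,
                 mac_nospoof=True, ip_nospoof=True):
        self.link_mac = mac_bytes(link_mac)
        self.allowed = [ipaddress.ip_network(p) for p in allowed_address_pairs]
        self.mac_nospoof = mac_nospoof
        self.ip_nospoof = ip_nospoof


def filter_outbound(policy, frame):
    """Return 'forward' or a 'drop: ...' reason for one outbound frame."""
    if len(frame) < 14:
        return "drop: truncated Ethernet header"
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    # mac-nospoof: the source MAC must equal the link's configured MAC.
    if policy.mac_nospoof and src != policy.link_mac:
        return f"drop: mac-nospoof ({mac_text(src)} != {mac_text(policy.link_mac)})"
    # ip-nospoof: an IPv4 source must fall inside an allowed prefix.
    if policy.ip_nospoof and ethertype == ETHERTYPE_IPV4:
        if len(frame) < 34:
            return "drop: truncated IPv4 header"
        src_ip = ipaddress.IPv4Address(frame[26:30])  # IPv4 source at Ethernet+12
        if not any(src_ip in net for net in policy.allowed):
            return f"drop: ip-nospoof ({src_ip} not in allowed address pairs)"
    return "forward"


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed sample: minimal Ethernet + IPv4 header, no payload."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip4
```

With allowed_address_pairs set to 0.0.0.0/0 the IP check passes any client address, so only the MAC check still separates the LVS port from frames carrying another VM's MAC.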