[libvirt] Reporting of IP detected by network filter

Daniel P. Berrangé berrange at redhat.com
Tue Nov 20 15:17:27 UTC 2018


On Tue, Nov 20, 2018 at 04:05:43PM +0100, Marcin Mirecki wrote:
> Hello,
> 
> The network filters feature has an option of automatically detecting the IP
> of a VM [1].
> Is it possible to retrieve this IP by any means?

It is possibly visible in the live XML in the <filterref> XML as a
parameter.

> If not, would you consider adding such a feature?

We should make it visible via the API for fetching guest IP addrs.

The snooping code should be moved out of nwfilter and into the
QEMU driver. The QEMU driver should simply update the nwfilter
binding with the IP once it has snooped it.

> It would be very useful for use cases where there is no guest agent.

NB, there are potentially trust issues when using a snooped IP addr.

e.g. if snooping DHCP responses, a malicious guest could act as a DHCP
server and send bogus responses. If snooping ARPs, a malicious
guest can send gratuitous ARPs. Thus for nwfilter we tend to recommend
setting explicit IP addrs, or using filters that block guests from
sending bogus DHCP responses.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
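
Added example, not part of the original message and not libvirt code: a small audit of the <filterref> parameters in a domain's XML, reporting whether each interface's IP is set explicitly or left to nwfilter's snooping. The sample XML is constructed; the IP and CTRL_IP_LEARNING parameter names are the ones in libvirt's nwfilter documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (shape of `virsh dumpxml` output); not from the thread.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.0.0.5'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:02'/>
      <filterref filter='clean-traffic'>
        <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:03'/>
    </interface>
  </devices>
</domain>
"""

def audit_filterrefs(domain_xml):
    """Return one dict per interface: MAC, filter name, explicit IPs, IP trust source."""
    report = []
    for iface in ET.fromstring(domain_xml).iterfind("./devices/interface"):
        mac = iface.find("mac")
        ref = iface.find("filterref")
        params = {}
        if ref is not None:
            for p in ref.iterfind("parameter"):
                # A parameter name may repeat (several IP values on one interface).
                params.setdefault(p.get("name"), []).append(p.get("value"))
        ips = params.get("IP", [])
        if ref is None:
            source = "unfiltered"
        elif ips:
            source = "explicit"
        else:
            # No IP given: nwfilter learns it; "any" is the documented default.
            source = "learned:" + params.get("CTRL_IP_LEARNING", ["any"])[0]
        report.append({"mac": mac.get("address") if mac is not None else None,
                       "filter": ref.get("filter") if ref is not None else None,
                       "ips": ips, "source": source})
    return report
```

Interfaces reported as "learned:..." are the ones where the trust caveat above applies.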



