General user-mode-linux networking question
I've mostly got it working, but I'm not happy with the security of the networking.
I've tried using tuntap thus:
brctl addif br0 eth0
ifconfig br0 10.10.10.100 up
int=`tunctl -b`
brctl addif br0 $int
linux .... eth0=tuntap,$int ....
This works and the UML can set an IP address and sees the network. BUT... the vhost decides on the IP address. If someone did manage to break into the vhost then they could disrupt other servers by changing IP address.
I looked at
Does anyone know a secure way of forcing the client to have a specific IP address on a bridged network?
Do we need to go to that level, or could we use iptables "physdev" module, as described in
iptables -A FORWARD -m physdev --physdev-in tap0 -s ! 10.1.1.10 -j DROP
Or does that still leave me open to spoofing?
Otherwise, could I bug you for a longer answer on how to use ebtables? Thanks!
ebtables -A FORWARD -i tap0 --among-src E6:EF:3B:43:11:11=10.0.0.250 -j ACCEPT
ebtables -A FORWARD -i tap0 -j DROP
Quick tests seem to mean that if the guest tries to change MAC or IP addresses then traffic out is blocked. So this looks good.
Am I missing anything else?
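One way to pin a guest's tap port to a single MAC/IP pair, written as an added example that is not from this thread: it wraps the ebtables among-src rule quoted above together with explicit ARP checks (so the guest cannot announce another address at layer 2) and the physdev rule as a layer-3 backstop. The function `pin_guest`, the `DRY_RUN` switch and the `run` helper are this example's own; `tap0`, `E6:EF:3B:43:11:11` and `10.0.0.250` are the values from the thread, reused as sample input. With `DRY_RUN=1` (the default) it only prints the rules so the ordering can be reviewed on a host without ebtables.

```shell
#!/bin/sh
# Added example (not from the original thread): build the ebtables and iptables
# rules that restrict one UML guest's tap interface to a fixed MAC and IPv4
# address. DRY_RUN=1 prints the commands instead of executing them.

: "${DRY_RUN:=1}"

# run CMD ARGS... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pin_guest TAP MAC IP
# Rule order matters: the specific drops and the single ACCEPT come first,
# and the catch-all DROP for the tap port is appended last.
pin_guest() {
    tap=$1; mac=$2; ip=$3
    # Layer 2 (bridge): ARP requests/replies may only carry the pinned sender
    # IP and sender MAC, so the guest cannot poison neighbours' ARP caches.
    run ebtables -A FORWARD -i "$tap" -p ARP --arp-ip-src ! "$ip" -j DROP
    run ebtables -A FORWARD -i "$tap" -p ARP --arp-mac-src ! "$mac" -j DROP
    # Only frames whose source MAC/IP pair matches the pinned pair pass.
    run ebtables -A FORWARD -i "$tap" --among-src "$mac=$ip" -j ACCEPT
    # Everything else leaving this tap port is dropped.
    run ebtables -A FORWARD -i "$tap" -j DROP
    # Layer 3 backstop: the bridge port is visible to iptables via physdev,
    # so routed IPv4 traffic from another source address is dropped too.
    run iptables -A FORWARD -m physdev --physdev-in "$tap" ! -s "$ip" -j DROP
}

# Sample invocation with the constructed values; prints five rules in dry-run mode.
pin_guest tap0 E6:EF:3B:43:11:11 10.0.0.250
```

Run it once with `DRY_RUN=1` to inspect the output, then with `DRY_RUN=0` as root on the UML host; repeat `pin_guest` per guest with that guest's own tap, MAC and IP.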