do not allow to change ip address from inside a kvm guest - static

At the moment, a customer having a virtual machine on kvm can simply change his own ip address or add another one and probably cause an ip address conflict.
How can I prevent that a user can change the ip address of his virtual machine?
I read about using ebtables over the bridged network on the host.
Isn't there something like an ACL feature or defining it directly in the guests XML file?

I have found the solution. Libvirt provides a feature called nwfilter which allows you to set up filters. There are also some example filters. They do exactly what I wanted. See this link.
I have downloaded them directly from GitHub and defined them with virsh nwfilter-define <file.xml>
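How a defined filter is attached to a guest, as an added example that is not part of the original answer. It assumes libvirt's stock clean-traffic filter; the bridge name, MAC address and IP address are constructed placeholders.

```xml
<!--
  Added example: interface element of the guest's domain XML
  (edit with: virsh edit <guest>). All values are placeholders.

  clean-traffic pulls in no-mac-spoofing, no-ip-spoofing and
  no-arp-spoofing, so frames leaving this interface are dropped
  on the host unless they carry the MAC below and the IP given
  in the IP parameter.
-->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <!--
      Pin the address explicitly. If the IP parameter is omitted,
      libvirt tries to detect the guest's address from its traffic,
      which leaves the first choice of address to the guest.
    -->
    <parameter name='IP' value='192.0.2.10'/>
  </filterref>
</interface>
<!--
  Checks on the host:
    virsh nwfilter-list                   (filters known to libvirt)
    virsh nwfilter-dumpxml clean-traffic  (what the filter references)
    virsh dumpxml <guest>                 (confirm the filterref is present)
-->
```

The filter is enforced on the host side of the tap device, so the guest can still reconfigure its own interface, but traffic from any other source address does not reach the bridge.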

Related

Change the 10.20.20.1 network to my VMware network

I installed MicroStack in Ubuntu for the virtual machine. My instance floating IP is 10.20.20.238. I want to access my instance from Windows cmd. I can only ping 172.21.10.13, but can't ping 10.20.20.238, so I want to change the 10.20.20.1 network to my own network. What should I do?
Stackoverflow is about code development, not IT management. serverfault.com would be a more appropriate forum, or perhaps superuser.com.
MicroStack "fakes" the external network. It's not really external, but only exists on br-ex, the external bridge. It doesn't look like you can create a MicroStack cloud with a different external network CIDR, but you can try adding a subnet to the external network, inserting ens33 in br-ex and adding IP address 172.21.10.13 to br-ex. I have not tried this.
However, if your only requirement is to access the instance from the PC, you can create a tunnel or add a route. What makes sense in your case depends on the virtual machine hypervisor you are using (yours seems to be VMware - I can't comment on that) and the operating system on which this hypervisor runs.

Binding getaddrinfo to particular interface (source IP)

I use getaddrinfo() to get IP Address corresponding to a server using a URL. It essentially sends DNS query to the DNS server. I want to be able to send that query from a particular outbound interface. Basically I have multiple interfaces through which DNS query could be sent out. Currently, getaddrinfo() doesn't have a way to dictate which interface it should use to send out the DNS query. Is the only option to change getaddrinfo() routine? Does anyone know of any other way to achieve this?
The fundamental issue with the question is that you seem to expect getaddrinfo to work with DNS only, and then to be able to fine-tune the specifics of that DNS lookup. However, that is not what it does - it will use all name-resolving facilities on the system, which typically means it will do a hosts file lookup, and whatever else is configured in nsswitch.conf, which is usually DNS. For some of these non-DNS lookups, a source address binding may not make any sense, so it's not part of the least-common-denominator interface.
If you know that for your specific purpose you will never need the response of a name lookup from anywhere other than DNS, then you can use a DNS-specific function instead, one that will enable you to do this kind of fine-tuning.
There are several examples of DNS C libraries listed at gethostbyname dual network interfaces, select which one to use
The interface chosen to access a given IP address is dictated by the routing tables.
Since you presumably have the IP of the DNS server, it will be accessed by whatever interface the routing table says to use for that IP address, regardless of which application sends the request.
You would need to modify the routing table to force traffic over a particular interface. If it's only the DNS server that should use a fixed interface, you would add a route for that specific IP to the routing table for the interface you want.
On Linux, you can modify the routing table via the ip route command line tool.
RFC 3484 details an algorithm for which source address (i.e. interface) to use when none is specified, but I think this works only for IPv6...
See /etc/gai.conf

Resolve remote host names into ip addresses in codename one

I'm interested in the ip address of remote hosts. Is there an easy way to resolve a host name into its ip address?
After searching the Codename One source code and reading through the documentation, the only way to achieve this seems to be by implementing Android/iOS native features (e.g. using the InetAddress class).
Yes, you would need to implement this using native code or through the Socket API by implementing the DNS protocol calls.
The InetAddress class can be used in the Android/Desktop ports but other platforms (e.g. iOS) would need the Objective-C/C equivalent of that.

Privileges required to change Mac network settings programmatically, as normal user

Is there a special group or a capability (similar to Linux' CAP_NET_xxx) that would enable a user to change network settings programmatically on Mac OS X? The settings I am interested in are the IP address and netmask of an interface, set programmatically from a C program (via an ioctl call, sending an ifreq struct). The user type I am using at the moment is a stock "Admin" account on my Mac laptop. Ultimately, I wish for my program to add the user once to such a convenient group so that in subsequent runs the user can manipulate the IP address of interfaces without prompting.
Thanks
Mac OS X will pretty much require root privileges to change any network settings. You would need to run the program as root in order to change the settings. As mentioned by #edufinn, the sudo command is ideal for this.
However, if you want to change the configuration in a supported manner you should try one of the following approaches:
Script the scutil command.
Use the Dynamic Store API, which is part of the SystemConfiguration Framework.
Use the networksetup command, which allows easy getting/setting of values.
Changing the configuration through these APIs will inform applications that the network configuration has changed so they can react appropriately - e.g. make/reset a connection.
Mac OS X is a BSD system. You can run your program with the sudo command. It's not very obvious from your post what exactly the problem is.

Find machine name and IP address in OOB SL5 app

How can I obtain the client machine name and IP address when running my Silverlight 5 application out-of-browser (i.e. installed on the local machine and NOT running via the web)?
It looks like there's no way to gather this information using just Silverlight. You'd have to do something like this. The short version is you use an AutomationFactory to create an unmanaged object which contains that information (in this case, a WMI Win32_NetworkAdapterConfiguration object). That means this probably won't work on a Mac. If you need something truly cross platform, it seems like the way is to create a really simple web service that simply returns the requestor's IP and hostname.
I don't know what your exact requirement is. We had a similar requirement some time back to get the local IP address to call a local service which is supposed to be present on the client machine.
In that case we just built the local service URL by hard-coding the loopback address, i.e. localhost.
