Question
Is it possible to disable spoofing for the existing virtual machine's network interface?
Answer
Spoofing protection (port security) can be disabled by two kinds of OpenStack users:
The admin user can manage port security using the UI in the interface settings or using the CLI.
The owner of the network can also manage port security using the self-service portal or the CLI.
Note: Only the system admin can disable it for public networks.
# grep security /etc/kolla/neutron-server/policy.json
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
For existing virtual machines, the following CLI commands can be used:
[ ~]# openstack --insecure port list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 1bc9ae16-a948-456b-9423-db6774190652 |      | fa:16:3e:2d:15:e0 | ip_address='192.168.0.2', subnet_id='360d0cdf-015b-415e-bfe5-41858f6b11ba'   | ACTIVE |
| 41f64b74-1648-4b1e-9b9a-612ba7e333f9 |      | fa:16:3e:13:8f:35 | ip_address='192.168.0.114', subnet_id='360d0cdf-015b-415e-bfe5-41858f6b11ba' | ACTIVE |
| 49d14a0b-7799-41d7-bf79-3cbd119a7416 |      | fa:16:3e:f1:cc:84 | ip_address='192.168.0.164', subnet_id='360d0cdf-015b-415e-bfe5-41858f6b11ba' | ACTIVE |
| 76d184b3-a61e-4d51-bc60-feb0cd7f1dfe |      | fa:16:3e:a9:91:7b | ip_address='192.168.0.1', subnet_id='360d0cdf-015b-415e-bfe5-41858f6b11ba'   | ACTIVE |
| b0c551d1-0ef3-4664-9a94-476cbb97f54d |      | fa:16:3e:78:a5:02 | ip_address='10.94.141.23', subnet_id='ea1b578d-a8a8-4baf-b21d-2a6a030410c8'  | N/A    |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
[ ~]# openstack --insecure port set --no-security-group 41f64b74-1648-4b1e-9b9a-612ba7e333f9
[ ~]# openstack --insecure port set --disable-port-security 41f64b74-1648-4b1e-9b9a-612ba7e333f9
For private networks, spoofing protection can be disabled directly by self-service users; only the system admin can disable it for public networks.
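
An added example, not part of the original article: a Python check that lists the ports where spoofing protection has been turned off, so the exceptions made with the commands above can be reviewed. The field names follow `openstack port show <ID> -f json`; the sample records and the approved list are constructed for the example.

```python
import json

# Constructed sample, shaped like `openstack port show <ID> -f json` output and
# trimmed to the fields used below. IDs and addresses reuse the listing above;
# the security settings shown for each port are made up for the example.
SAMPLE_PORTS = json.loads("""
[
 {"id": "41f64b74-1648-4b1e-9b9a-612ba7e333f9", "mac_address": "fa:16:3e:13:8f:35",
  "fixed_ips": [{"ip_address": "192.168.0.114"}],
  "port_security_enabled": false, "security_group_ids": []},
 {"id": "49d14a0b-7799-41d7-bf79-3cbd119a7416", "mac_address": "fa:16:3e:f1:cc:84",
  "fixed_ips": [{"ip_address": "192.168.0.164"}],
  "port_security_enabled": false, "security_group_ids": []},
 {"id": "1bc9ae16-a948-456b-9423-db6774190652", "mac_address": "fa:16:3e:2d:15:e0",
  "fixed_ips": [{"ip_address": "192.168.0.2"}],
  "port_security_enabled": true, "security_group_ids": []},
 {"id": "76d184b3-a61e-4d51-bc60-feb0cd7f1dfe", "mac_address": "fa:16:3e:a9:91:7b",
  "fixed_ips": [{"ip_address": "192.168.0.1"}],
  "port_security_enabled": true, "security_group_ids": ["sg-placeholder"]}
]
""")

# Hypothetical change-control list: ports where disabling was signed off.
APPROVED = {"41f64b74-1648-4b1e-9b9a-612ba7e333f9"}

def audit_ports(ports, approved_ids):
    """Return (port_id, state, detail) for each port that needs attention."""
    findings = []
    for port in ports:
        ips = ",".join(ip["ip_address"] for ip in port.get("fixed_ips", []))
        who = f"{port['mac_address']} {ips}"
        if not port.get("port_security_enabled", True):
            state = "approved" if port["id"] in approved_ids else "unapproved"
            findings.append((port["id"], state, f"spoofing protection off: {who}"))
        elif not port.get("security_group_ids"):
            # Matches the state after --no-security-group alone,
            # without --disable-port-security.
            findings.append((port["id"], "incomplete",
                             f"no security group, port security still on: {who}"))
    return findings

if __name__ == "__main__":
    for port_id, state, detail in audit_ports(SAMPLE_PORTS, APPROVED):
        print(f"{state:<10} {port_id}  {detail}")
```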