Information
Configure VMs protected by dvfilter network APIs correctly.
*Rationale*
A VM must be configured explicitly to accept access by the dvfilter network API. Only
configure VMs that will be specifically accessed by the API. An attacker might compromise
a VM by making use of the dvFilter API.
Solution
If a VM is supposed to be protected:
Configure the following in its VMX file:
ethernet0.filter1.name = dv-filter1
where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.
Ensure that the name of the data path kernel is set correctly.

If a VM is not supposed to be protected:
Remove the following from its VMX file:
ethernet0.filter1.name = dv-filter1
where ethernet0 is the network adapter interface of the virtual machine that is to be protected, filter1 is the number of the filter that is being used, and dv-filter1 is the name of the particular data path kernel module that is protecting the VM.
Impact
Incorrectly configuring this option can negatively impact the functionality of tools that use
the vmsafe API. It can also prevent VMs from connecting to the network.
Default Value
The prescribed state is the default state.
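
An added example (not part of the benchmark text or of any VMware tooling): a Python check that reads the contents of a VMX file and reports ethernetN.filterM.name entries that do not match the intended state from the Solution above. The function names, the sample VMX fragments and the module name dv-unknown are constructed for illustration.

```python
import re

# Matches ethernetN.filterM.name, the VMX key this benchmark item describes.
FILTER_KEY = re.compile(r"^ethernet(\d+)\.filter(\d+)\.name$", re.IGNORECASE)

def parse_vmx(text):
    """Return {key: value} for 'key = "value"' lines; skips blanks and # lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_dvfilter(vmx_text, expected_module=None):
    """expected_module=None means the VM is not supposed to be protected."""
    entries = {k: v for k, v in parse_vmx(vmx_text).items() if FILTER_KEY.match(k)}
    findings = []
    if expected_module is None:
        # Any filter entry on an unprotected VM should be removed.
        for key, value in sorted(entries.items()):
            findings.append(f"REMOVE {key} = {value}: VM is not meant to be protected")
        return findings
    if not entries:
        findings.append(f"MISSING ethernetN.filterM.name = {expected_module}")
    for key, value in sorted(entries.items()):
        if value != expected_module:
            findings.append(f"MISMATCH {key} = {value}: expected {expected_module}")
    return findings

# Constructed sample VMX fragments (not taken from a real host).
PROTECTED_VMX = '''
displayName = "app01"
ethernet0.present = "TRUE"
ethernet0.filter1.name = "dv-filter1"
'''
UNPROTECTED_VMX = '''
displayName = "test02"
ethernet0.present = "TRUE"
ethernet1.filter1.name = "dv-unknown"
'''

if __name__ == "__main__":
    print(audit_dvfilter(PROTECTED_VMX, "dv-filter1"))  # protected VM, correct module
    print(audit_dvfilter(UNPROTECTED_VMX))              # unprotected VM with a stray entry
```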