On 10.02.13 16:16, Matt . wrote:
Hi Shahar,
Thanks, I need to work this out further to have it 100% visible.
I wonder why I was able in the past (3.1) to dedicate a NIC to a VM.
Do you also have an explanation why I cannot save a network configuration
with a NIC in DHCP mode? It complains about a wrong IP and I have seen it
should be a bug. Is this right?
How did you do that...
I.e. can you tell me the steps that you made in the UI? (for both cases)
Cheers,
Matt
2013/2/10 Shahar Havivi <shaharh(a)redhat.com>
> On 10.02.13 14:13, Dan Kenigsberg wrote:
> > On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> > > Hi,
> > >
> > > For setting up a firewall in a VM I would like to add 2 of my 4 nics
> > > directly to a VM.
> > >
> > > In my previous setup I thought I have done that, but at the moment I cannot
> > > figure this out and cannot find the docs to accomplish this.
> > >
> > > I would like to dedicate those 2 nics to my firewall VM's to avoid sharing
> > > them using a network per accident to other VM's.
> > >
> > > How is this done at the moment?
> >
> > AFAIK it can be done only with a vdsm hook. You'd need to define your VM
> > with no interface at all, but instead, mark it with a special custom
> > property you define. Then, you should write a hook that adds the two
> > host interfaces to the VM, by means of either
> > http://libvirt.org/formatdomain.html#elementsNICSDirect or
> > http://libvirt.org/formatdomain.html#elementsNICSHostdev
> >
> > Most probably, you would need to pin your firewall VM to a specific
> > host.
> >
> > Writing a hook is not too complex, but it requires understanding of how
> > vdsm and libvirt work. You can take
> > http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
> > reference, or ask for specific guidance here.
> >
> > Dan.
> Dan is right,
> Currently you can do it via hook,
> We do have promisc mode but currently we have mirroring mode only (i.e. you
> can monitor each VM's traffic but cannot intercept it).
> The way to do it is via layer 2.
>
> It's best to implement an after_vm_start hook and use ebtables.
> You can pass the network name to the hook.
> When you have the network name you can probe for its MAC address, and in the
> libvirt XML you can view the interfaces that are part of that network and get
> their MAC addresses as well (look at other hooks, as Dan pointed out).
>
> When you have the network name, the network MAC and the target interface you
> can use ebtables:
> 1. set the bridge in promisc mode
> $ ifconfig <network name> promisc
> 2. traffic to the monitoring machine
> $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat
> --to-destination 00:1a:4a:16:01:11
> 3. traffic from the monitoring machine
> $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat
> --to-destination 00:1a:4a:16:01:11
>
> 1. set the network interface in promiscuous mode
> 2. traffic that is meant for the VM MAC will go to the destination MAC
> 3. traffic that is sent from the VM MAC will go to the destination MAC
>
> note that the -i <interface> is the interface name and I think it can be
> omitted...
>
> Shahar Havivi.
>
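As an added illustration of the hook approach Dan outlines (the libvirt direct-NIC option), here is a vdsm-hook-style script written for this thread; it is not code from the thread, from vdsm or from the vmfex hook. It assumes a custom property named `dedicated_nics` holding a comma-separated list of host interfaces, that vdsm exposes custom properties to hooks as environment variables, and that vdsm's `hooking` module provides `read_domxml()`/`write_domxml()`; those assumptions are confined to `main()`, so the XML logic runs stand-alone on a constructed sample domain.

```python
"""Hook-style script that hands host NICs straight to a firewall VM using
libvirt's <interface type='direct'>.  Added example for the thread above,
not vdsm code.

Assumed (not stated in the thread): custom property `dedicated_nics`,
exposed to the hook as an environment variable; vdsm `hooking` module with
read_domxml()/write_domxml().  Both only appear in main().
"""
import os
import re
import sys
import xml.dom.minidom

# Linux interface names: at most 15 characters, no whitespace or separators.
IFNAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,15}$')

# Constructed sample domain with no <interface> at all, as Dan suggests.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>firewall</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/example/firewall.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def parse_nic_list(value):
    """'eth2, eth3' -> ['eth2', 'eth3'].  Rejects anything that is not a plain
    interface name so a malformed property cannot inject odd XML or shell."""
    nics = []
    for raw in value.split(','):
        name = raw.strip()
        if not name:
            continue
        if not IFNAME_RE.match(name):
            raise ValueError('not an interface name: %r' % name)
        if name in nics:
            raise ValueError('duplicate interface: %r' % name)
        nics.append(name)
    return nics


def add_direct_interfaces(domxml, nics, mode='passthrough'):
    """Append one <interface type='direct'> per host NIC under <devices>.

    'passthrough' gives the guest the whole device, which is what a dedicated
    firewall NIC wants.  Refuses to touch a domain that already has any
    interface: the design in the thread is "no interface, only the hook".
    """
    dom = xml.dom.minidom.parseString(domxml)
    if dom.getElementsByTagName('interface'):
        raise ValueError('domain already defines interfaces; refusing')
    devices = dom.getElementsByTagName('devices')[0]
    for nic in nics:
        iface = dom.createElement('interface')
        iface.setAttribute('type', 'direct')
        source = dom.createElement('source')
        source.setAttribute('dev', nic)
        source.setAttribute('mode', mode)
        iface.appendChild(source)
        model = dom.createElement('model')
        model.setAttribute('type', 'virtio')
        iface.appendChild(model)
        devices.appendChild(iface)
    return dom.toxml()


def direct_interfaces(domxml):
    """[(host dev, mode), ...] for every direct interface; used for checks."""
    out = []
    dom = xml.dom.minidom.parseString(domxml)
    for iface in dom.getElementsByTagName('interface'):
        if iface.getAttribute('type') != 'direct':
            continue
        src = iface.getElementsByTagName('source')[0]
        out.append((src.getAttribute('dev'), src.getAttribute('mode')))
    return out


def main():
    prop = os.environ.get('dedicated_nics')  # assumed property name
    if prop is None:
        # Not running under vdsm: show the result on the constructed sample.
        print(add_direct_interfaces(SAMPLE_DOMXML, ['eth2', 'eth3']))
        return 0
    import hooking  # vdsm hook helper (assumed; only present under vdsm)
    new_xml = add_direct_interfaces(hooking.read_domxml().toxml(),
                                    parse_nic_list(prop))
    hooking.write_domxml(xml.dom.minidom.parseString(new_xml))
    return 0


if __name__ == '__main__':
    sys.exit(main())
```

Run without the environment variable it prints the rewritten sample domain; under vdsm it would sit in the before_vm_start hook directory, since the interfaces have to be in the domain XML before libvirt defines the guest. Pinning the VM to the host that actually owns eth2/eth3, as Dan notes, remains necessary because the hook takes the interface names at face value.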