On 10.02.13 14:13, Dan Kenigsberg wrote:
On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> Hi,
>
> For setting up a firewall in a VM I would like to add 2 of my 4 nics
> directly to a VM.
>
> In my previous setup I thought I have done that, but at the moment I cannot
> figure this out and cannot find the docs to accomplish this.
>
> I would like to dedicate those 2 nics to my firewall VM's to avoid sharing
> them using a network per accident to other VM's.
>
> How is this done at the moment?
AFAIK it can be done only with a vdsm hook. You'd need to define your VM
with no interface at all, but instead, mark it with a special custom
property you define. Then, you should write a hook that adds the two
host interfaces to the VM, by means of either
http://libvirt.org/formatdomain.html#elementsNICSDirect or
http://libvirt.org/formatdomain.html#elementsNICSHostdev
Most probably, you would need to pin your firewall VM to a specific
host.
Writing a hook is not too complex, but it requires understanding of how
vdsm and libvirt works. You can take
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
reference, or ask for specific guidance here.
Dan.
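An added example of the hook Dan describes (my code, not vdsm's own hooks and not from the vmfex tree linked above): a before_vm_start hook that reads a constructed custom property (assumed name `fw_nics`, value like `eth2,eth3`) and adds each named host NIC to the domain XML as `<interface type='direct'>` with `mode='passthrough'`, the elementsNICSDirect variant. The `hooking.read_domxml()`/`hooking.write_domxml()` calls and the property arriving as an environment variable follow the vdsm hook convention as I understand it; the sample XML is constructed, and the core functions run stand-alone on it.

```python
#!/usr/bin/python3
# Added example, not vdsm's own hook code: before_vm_start hook that attaches
# host NICs named in a custom property (assumed name "fw_nics") to the VM as
# <interface type='direct'> (macvtap passthrough).
import os
import re
import xml.dom.minidom

PROP_NAME = "fw_nics"                                # assumed custom property
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")   # Linux interface-name rules


def parse_nic_list(value):
    """Split 'eth2, eth3' into ['eth2', 'eth3']; reject anything that cannot be
    a Linux interface name so a bad property value never reaches the XML."""
    nics = []
    for name in value.split(","):
        name = name.strip()
        if not name:
            continue
        if not IFNAME_RE.match(name):
            raise ValueError("not a valid interface name: %r" % name)
        nics.append(name)
    return nics


def add_direct_interfaces(domxml, nics, mode="passthrough"):
    """Append one <interface type='direct'> per host NIC under <devices>."""
    devices = domxml.getElementsByTagName("devices")[0]
    for nic in nics:
        iface = domxml.createElement("interface")
        iface.setAttribute("type", "direct")
        source = domxml.createElement("source")
        source.setAttribute("dev", nic)      # host NIC handed to the guest
        source.setAttribute("mode", mode)    # passthrough: used by this VM only
        iface.appendChild(source)
        model = domxml.createElement("model")
        model.setAttribute("type", "virtio")
        iface.appendChild(model)
        devices.appendChild(iface)
    return domxml


def direct_interface_devs(domxml):
    """List the host devs of every direct-attached interface in the XML."""
    devs = []
    for iface in domxml.getElementsByTagName("interface"):
        if iface.getAttribute("type") == "direct":
            for src in iface.getElementsByTagName("source"):
                devs.append(src.getAttribute("dev"))
    return devs


# Constructed minimal domain XML standing in for what vdsm hands the hook.
SAMPLE_DOMXML = ("<domain type='kvm'><name>fw</name><devices>"
                 "<disk type='file' device='disk'/></devices></domain>")


def apply_to_sample(prop_value):
    """Run the transformation on the constructed XML; return attached devs."""
    domxml = xml.dom.minidom.parseString(SAMPLE_DOMXML)
    add_direct_interfaces(domxml, parse_nic_list(prop_value))
    return direct_interface_devs(domxml)


if __name__ == "__main__":
    # Under vdsm the custom property arrives as an environment variable and the
    # domain XML goes through the hooking module (assumed vdsm hook convention).
    value = os.environ.get(PROP_NAME)
    if value:
        import hooking
        domxml = hooking.read_domxml()
        add_direct_interfaces(domxml, parse_nic_list(value))
        hooking.write_domxml(domxml)
    else:
        print(apply_to_sample("eth2,eth3"))   # prints ['eth2', 'eth3']
```

Because the VM then depends on `eth2`/`eth3` existing on the host, it needs pinning to that host, as Dan says; the name check in `parse_nic_list` is there so a mistyped or hostile property value fails the hook rather than producing a domain definition that references a device you did not intend.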
Dan is right,
Currently you can do it via a hook.
We do have promisc mode but currently we have mirroring mode only (i.e. you can
monitor each VM's traffic but cannot intercept it).
The way to do it is via layer 2.
It's best to implement an after_vm_start hook and use ebtables.
you can pass to the hook the network name.
When you have the network name you can probe for its MAC address, and in the libvirt XML
you can view the interfaces that are part of that network and get the mac
addresses as well (look at other hooks, as Dan pointed out).
when you have the network name the network mac and the target interface you
can use ebtables:
1. set the bridge in promisc mode
$ ifconfig <network name> promisc
2. traffic to the monitoring machine
$ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
3. traffic from the monitoring machine
$ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11
1. set the network interface in promiscuous mode
2. traffic that is meant for the VM MAC will go to the destination MAC
3. traffic that is sent from the VM MAC will go to the destination MAC
note that the -i <interface> is the interface name and I think it can be omitted...
Shahar Havivi.
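An added example of the MAC-probing step in Shahar's after_vm_start approach (my code, not a vdsm hook from the tree): given the libvirt domain XML and a network (bridge) name, collect the MAC addresses of the VM interfaces attached to that bridge, then build the two ebtables PREROUTING dnat rules from his reply as argv lists, with `-i` omitted as he suggests so they match on any bridge port. The sample XML, the network name `fwnet`, and the target MAC are constructed; the MAC values reuse the ones from the reply.

```python
#!/usr/bin/python3
# Added example, not vdsm's own code: probe the domain XML for the MACs on a
# given network and build the two ebtables rules from the reply as argv lists.
import re
import subprocess
import xml.dom.minidom

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def macs_on_network(domxml, network):
    """MAC addresses of bridge-type interfaces whose <source bridge='...'>
    is the given oVirt network (oVirt networks are Linux bridges)."""
    macs = []
    for iface in domxml.getElementsByTagName("interface"):
        if iface.getAttribute("type") != "bridge":
            continue
        sources = iface.getElementsByTagName("source")
        if not sources or sources[0].getAttribute("bridge") != network:
            continue
        for mac in iface.getElementsByTagName("mac"):
            addr = mac.getAttribute("address").lower()
            if not MAC_RE.match(addr):
                raise ValueError("malformed MAC in domain XML: %r" % addr)
            macs.append(addr)
    return macs


def ebtables_rules(vm_mac, target_mac):
    """The two rules from the reply (to the VM MAC, from the VM MAC), without
    -i so they apply on every port of the bridge. Returned as argv lists so
    they can be executed without a shell."""
    for mac in (vm_mac, target_mac):
        if not MAC_RE.match(mac):
            raise ValueError("malformed MAC: %r" % mac)
    base = ["ebtables", "-t", "nat", "-A", "PREROUTING"]
    return [
        base + ["-d", vm_mac, "-j", "dnat", "--to-destination", target_mac],
        base + ["-s", vm_mac, "-j", "dnat", "--to-destination", target_mac],
    ]


def rules_for_network(domxml_text, network, target_mac):
    """Parse the XML, find every VM MAC on the network, build all rules."""
    domxml = xml.dom.minidom.parseString(domxml_text)
    rules = []
    for vm_mac in macs_on_network(domxml, network):
        rules.extend(ebtables_rules(vm_mac, target_mac))
    return rules


def apply_rules(rules, run=subprocess.check_call):
    """Execute each argv list; 'run' is injectable so this can be dry-run."""
    for rule in rules:
        run(rule)


# Constructed domain XML: one interface on the constructed network "fwnet",
# one on another bridge that must be ignored. MACs are the ones in the reply.
SAMPLE_DOMXML = (
    "<domain type='kvm'><name>guest</name><devices>"
    "<interface type='bridge'><mac address='00:1A:4A:16:01:51'/>"
    "<source bridge='fwnet'/></interface>"
    "<interface type='bridge'><mac address='00:1a:4a:16:01:99'/>"
    "<source bridge='ovirtmgmt'/></interface>"
    "</devices></domain>"
)

if __name__ == "__main__":
    # Dry run: print the rules instead of calling ebtables.
    rules = rules_for_network(SAMPLE_DOMXML, "fwnet", "00:1a:4a:16:01:11")
    apply_rules(rules, run=lambda argv: print(" ".join(argv)))
```

Both MAC arguments are validated before they are placed in a command, and the commands are argv lists handed to `subprocess` rather than a shell string, so a value read from the domain XML or from a hook parameter cannot change the command that is run.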