
Matt,
I attached a hook that will give you a kick start on the promisc mode. It implemented only the mirror mode, which is a part of vdsm now, but you can look at the comments and the README file that have the appropriate in-line mode commands and implementation.

Shahar Havivi.

On 10.02.13 17:07, Matt . wrote:
Here: http://www.mail-archive.com/users@ovirt.org/msg06261.html
2013/2/10 Shahar Havivi <shaharh@redhat.com>
On 10.02.13 16:36, Matt . wrote:
Hi,
I'm thinking about the way I did that with the dedicated NIC to the VM. I was discussing this a couple of months ago on IRC but I can't remember and I already tried to do this... no luck yet. I remember that the NICs were just available when adding a NIC to the VM, by MAC address. Can't figure out yet what I did then, except for not sleeping that much :)

I don't remember that, sorry...

About the error that I get I do the following:
Hosts > Network Interfaces > Setup Host Networks.
When I drag a network I created to a NIC and I don't set an IP or DHCP or None I get that error: "Error while executing action Setup Networks: Illegal or Incomplete IP Address"
When I set an IP on that network that is dragged to the NIC I don't get an error, but why only an IP and no GW, as this IP seems to be bridged in the host to the VM where you add a NIC with that same network you just gave an IP.
When saying the above, could have been possible that I have set the Mac-Address of the real Nic @ the VM Nic ? As this is possible that might have been the solution I used ?
For the rest this software is good and the support is superb!

I can't reproduce this error, it looks like UI validation... Alona, Moti, did you encounter this error?

Thanks so far again.
Matt
2013/2/10 Shahar Havivi <shaharh@redhat.com>
On 10.02.13 16:16, Matt . wrote:
Hi Shahar,
Thanks, I need to work this out further to have it 100% visible.
I wonder why I was able in the past (3.1) to dedicate an NIC to a VM.
Do you also have an explanation why I cannot save a network with a NIC in DHCP mode? It complains about a wrong IP and I have seen it should be a bug. Is this right?

How did you do that... I.e. can you tell me the steps that you made in the UI? (for both cases)

Cheers,
Matt
2013/2/10 Shahar Havivi <shaharh@redhat.com>
On 10.02.13 14:13, Dan Kenigsberg wrote:
> On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> > Hi,
> >
> > For setting up a firewall in a VM I would like to add 2 of my 4 nics
> > directly to a VM.
> >
> > In my previous setup I thought I have done that, but at the moment I cannot
> > figure this out and cannot find the docs to accomplish this.
> >
> > I would like to dedicate those 2 nics to my firewall VM's to avoid sharing
> > them using a network per accident to other VM's.
> >
> > How is this done at the moment?
>
> AFAIK it can be done only with a vdsm hook. You'd need to define your VM
> with no interface at all, but instead, mark it with a special custom
> property you define. Then, you should write a hook that adds the two
> host interfaces to the VM, by means of either
> http://libvirt.org/formatdomain.html#elementsNICSDirect or
> http://libvirt.org/formatdomain.html#elementsNICSHostdev
>
> Most probably, you would need to pin your firewall VM to a specific
> host.
>
> Writing a hook is not too complex, but it requires understanding of how
> vdsm and libvirt work. You can take
> http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
> reference, or ask for specific guidance here.
>
> Dan.

Dan is right. Currently you can do it via a hook. We do have promisc mode, but currently we have mirroring mode only (i.e. you can monitor each VM's traffic but cannot intercept it). The way to do it is via layer 2.
It's best to implement an after_vm_start hook and use ebtables. You can pass the network name to the hook. When you have the network name you can probe for its MAC address, and in the libvirt xml you can view the interfaces that are part of that network and get configuration the mac addresses as well. (Look at other hooks, as Dan pointed out.)
When you have the network name, the network MAC and the target interface, you can use ebtables:

1. set the bridge in promisc mode
   $ ifconfig <network name> promisc
2. traffic to the monitoring machine
   $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
3. traffic from the monitoring machine
   $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11

1. set the network interface in promiscuous mode
2. traffic that is meant for the VM MAC will go to the destination MAC
3. traffic that is sent from the VM MAC will go to the destination MAC

note that the -i <interface> is the interface name and I think it can be omitted...
Shahar Havivi.
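
Added example, not part of the original thread and not the hook attached to it: one way an after_vm_start hook could read the VM's libvirt domain XML, pick the interfaces bridged to the named network, and build the two ebtables rules from the message above as argument lists. The function names, the network name `fwnet` and the sample XML are constructed for illustration; the code only builds the commands and rejects malformed MACs and interface names before they reach a command line.

```python
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
DEV_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux interface names: max 15 chars

# Constructed sample of a running VM's libvirt domain XML (not from the thread).
SAMPLE_DOMXML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='00:1A:4A:16:01:51'/>
      <source bridge='fwnet'/>
      <target dev='vnet0'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='ovirtmgmt'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>"""


def check(value, pattern, what):
    """Reject anything that is not a plain MAC or interface name."""
    if not pattern.fullmatch(value or ""):
        raise ValueError("malformed %s: %r" % (what, value))
    return value


def redirect_rules(domxml, network, uplink, dest_mac):
    """Return ebtables argv lists for each VM NIC bridged to `network`."""
    check(network, DEV_RE, "network name")
    check(uplink, DEV_RE, "uplink name")
    dest = check(dest_mac.lower(), MAC_RE, "destination MAC")
    base = ["ebtables", "-t", "nat", "-A", "PREROUTING"]
    tail = ["-j", "dnat", "--to-destination", dest]
    rules = []
    for nic in ET.fromstring(domxml).iterfind("./devices/interface"):
        src, mac_el, tgt = nic.find("source"), nic.find("mac"), nic.find("target")
        if None in (src, mac_el, tgt) or src.get("bridge") != network:
            continue  # NIC on another network, or not fully defined
        mac = check(mac_el.get("address", "").lower(), MAC_RE, "VM MAC")
        tap = check(tgt.get("dev"), DEV_RE, "tap device")
        rules.append(base + ["-d", mac, "-i", uplink] + tail)  # traffic meant for the VM
        rules.append(base + ["-s", mac, "-i", tap] + tail)     # traffic sent by the VM
    return rules
```

Each returned list can be passed to `subprocess.check_call` as-is, without a shell, so the validated values are never re-parsed.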