[Users] Add NIC directly to VM (Dedicated)

Shahar Havivi shaharh at redhat.com
Sun Feb 10 09:39:16 EST 2013


On 10.02.13 14:13, Dan Kenigsberg wrote:
> On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> > Hi,
> > 
> > For setting up a firewall in a VM I would like to add 2 of my 4 nics
> > directly to a VM.
> > 
> > In my previous setup I thought I had done that, but at the moment I cannot
> > figure this out and cannot find the docs to accomplish this.
> > 
> > I would like to dedicate those 2 nics to my firewall VMs to avoid sharing
> > them with other VMs by accident via a network.
> > 
> > How is this done at the moment?
> 
> AFAIK it can be done only with a vdsm hook. You'd need to define your VM
> with no interface at all, but instead, mark it with a special custom
> property you define. Then, you should write a hook that adds the two
> host interfaces to the VM, by means of either
> http://libvirt.org/formatdomain.html#elementsNICSDirect or
> http://libvirt.org/formatdomain.html#elementsNICSHostdev
> 
> Most probably, you would need to pin your firewall VM to a specific
> host.
> 
> Writing a hook is not too complex, but it requires understanding of how
> vdsm and libvirt work. You can take
> http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
> reference, or ask for specific guidance here.
> 
> Dan.
Dan is right.
Currently you can do it via a hook.
We do have promisc mode, but currently we have mirroring mode only (i.e. you can
monitor each VM's traffic but cannot intercept it).
The way to do it is via layer 2.

It's best to implement an after_vm_start hook and use ebtables.
You can pass the network name to the hook.
When you have the network name you can probe for its MAC address, and in the libvirt XML
you can view the interfaces that are part of that network and get their MAC
addresses as well (look at other hooks, as Dan points out).

When you have the network name, the network MAC and the target interface you
can use ebtables:
1. set the bridge in promisc mode
   $ ifconfig <network name> promisc
2. traffic to the monitoring machine
   $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
3. traffic from the monitoring machine
   $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11

1. set the network interface in promiscuous mode
2. traffic that is meant for the VM MAC will go to the destination MAC
3. traffic that is sent from the VM MAC will go to the destination MAC

Note that -i <interface> is the interface name, and I think it can be omitted...

Shahar Havivi.
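As an added illustration (not code from this thread, from vdsm, or from oVirt), the lookup Shahar describes in Python: given a libvirt domain XML and a network name, collect the MAC addresses of the VM interfaces on that network and assemble the promisc/ebtables command lines from the message for review. The domain XML is constructed for the example, the command strings are returned rather than executed, and the vdsm hook wiring (reading the XML inside after_vm_start) is assumed to be done by the caller.

```python
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed libvirt domain XML (not from the thread): two interfaces,
# only the first one is attached to the network we want to mirror.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>fw-vm</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:51'/>
      <source bridge='ovirtmgmt'/>
      <target dev='vnet0'/>
    </interface>
    <interface type='bridge'>
      <mac address='00:1a:4a:16:01:52'/>
      <source bridge='dmz'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>"""

def vm_macs_on_network(domxml, network):
    """MAC addresses of the VM interfaces whose source is bridge/network `network`."""
    root = ET.fromstring(domxml)
    macs = []
    for iface in root.findall("./devices/interface"):
        src, mac = iface.find("source"), iface.find("mac")
        if src is None or mac is None or not mac.get("address"):
            continue  # malformed interface element, skip it
        if src.get("bridge") == network or src.get("network") == network:
            macs.append(mac.get("address").lower())
    return macs

def mirror_rules(network, vm_macs, target_mac):
    """Build the promisc + ebtables dnat commands from the thread for each VM MAC.
    Commands are returned as strings so a hook can log or review them first."""
    if not MAC_RE.match(target_mac.lower()):
        raise ValueError("bad target MAC: %r" % target_mac)
    cmds = ["ifconfig %s promisc" % network]
    for mac in vm_macs:
        if not MAC_RE.match(mac):
            raise ValueError("bad VM MAC: %r" % mac)
        cmds.append("ebtables -t nat -A PREROUTING -d %s -j dnat --to-destination %s" % (mac, target_mac))
        cmds.append("ebtables -t nat -A PREROUTING -s %s -j dnat --to-destination %s" % (mac, target_mac))
    return cmds
```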

