It would seem that perhaps I can add something via this segment in the
security policy.
    try:
        # -s ! 52:54:0:56:44:32 -j DROP
        execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
        execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
    except:
        logging.debug("Failed to program default rules")
        return 'false'

    try:
        execute("ebtables -t nat -A " + vmchain_in + " -s ! " + vm_mac + " -j DROP")
        execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
        execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
        if vm_ip is not None:
            execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
        execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
        execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
        execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
    except:
        logging.exception("Failed to program default ebtables IN rules")
        return 'false'
Am I wrong in my thinking?
On Aug 19, 2013, at 11:43 PM, Marcus Sorensen <[email protected]> wrote:
> Well, it depends on how you edit the security_group.py script, it
> certainly wouldn't have to open up everything. You could add a
> one-liner in there that would pass the instance name to a separate
> script that looked up the vm in a table or database and applied extra
> rules (in post_default_network_rules), maybe adding something like:
>
> "ebtables -t nat -I " + vmchain_in + " -p ARP --arp-ip-src " +
> secondary_vm_ip + " -j ACCEPT"
>
> etc.
>
> Although, that might not be fun to maintain. It would probably be
> easier to use the libvirt hooks: http://www.libvirt.org/hooks.html to
> call your script whenever a vm starts or stops. You would accept the
> guest name as an argument to your script, and then that script could
> look up secondary IPs in a table, from a database or file, adding them
> to the ebtables chain of the same guest name.
>
> On Mon, Aug 19, 2013 at 8:03 PM, Maurice Lawler <[email protected]> wrote:
>> Greetings,
>>
>> Does anyone have experience in adding a secondary IP address (by way of
>> altering the ebtables / security script) in basic networking mode (KVM)
>>
>> I have reviewed the script that is called to setup the ebtables, but if I
>> alter that, I would believe that would open all ports on all my instances. I
>> just simply want the easy ability to add a secondary IP address.
>>
>> I understand this is a feature coming in 4.2, but I also understand this
>> version is a ways out.
>>
>> Any assistance would be GREATLY appreciated!
>>
>> - Maurice
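Marcus's libvirt-hook approach worked out as an added example; this is not code from anyone in this thread and not CloudStack's security_group.py. It is a qemu hook that reads a guest's secondary IPs from a file and inserts one ARP ACCEPT rule per address into that guest's IN chain, ahead of the script's "--arp-ip-src ! <primary ip> -j DROP" and the final "-p ARP -j DROP". Assumed rather than taken from the thread: the chain name "<guest>-in" (matching vmchain_in in the security script), the file path /etc/cloudstack/secondary-ips.conf with "<guest> <ipv4>" lines, and libvirt's hook convention of passing the guest name and operation as arguments with the domain XML on stdin. Unlike the concatenated command strings in the script, it passes ebtables an argv list and validates every address first, so a bad entry in the file can never become shell syntax.

```python
#!/usr/bin/env python3
# Added example, not CloudStack's security_group.py: a libvirt qemu hook that
# allows ARP from a guest's secondary IPs in that guest's ebtables IN chain,
# leaving the rest of the chain (MAC anti-spoofing, catch-all ARP DROP) intact.
#
# Assumptions (not from the thread): the chain is named "<guest>-in" like
# vmchain_in in the security script; secondary IPs live in a file with lines
# "<guest name> <ipv4>"; libvirt invokes the hook as
#   /etc/libvirt/hooks/qemu <guest> <operation> <sub-op> <extra>
# with the domain XML on stdin, and "started" is the operation to act on.
import ipaddress
import subprocess
import sys
import xml.etree.ElementTree as ET

SECONDARY_IP_FILE = "/etc/cloudstack/secondary-ips.conf"  # assumed location


def parse_secondary_ips(text):
    """Return {guest: [ip, ...]} from "<guest> <ipv4>" lines.

    Blank lines and '#' comments are skipped; anything that is not a plain
    IPv4 literal is rejected, so a malformed entry never reaches ebtables.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("line %d: expected '<guest> <ipv4>'" % lineno)
        guest, ip = parts
        ipaddress.IPv4Address(ip)  # raises ValueError on anything else
        table.setdefault(guest, []).append(ip)
    return table


def guest_mac_from_xml(domain_xml):
    """First interface MAC from the domain XML libvirt hands the hook on stdin."""
    if not domain_xml.strip():
        return None
    mac = ET.fromstring(domain_xml).find("./devices/interface/mac")
    return mac.get("address") if mac is not None else None


def ebtables_rules(guest, ips, vm_mac=None):
    """Argument vectors, one per secondary IP.

    -I inserts at the head of the chain, ahead of the script's
    "--arp-ip-src ! <primary ip> -j DROP" and its final "-p ARP -j DROP".
    Binding the rule to the guest's MAC (-s) keeps the MAC anti-spoofing
    check effective for the secondary address too.
    """
    chain = guest + "-in"
    rules = []
    for ip in ips:
        rule = ["ebtables", "-t", "nat", "-I", chain, "-p", "ARP"]
        if vm_mac:
            rule += ["-s", vm_mac]
        rule += ["--arp-ip-src", ip, "-j", "ACCEPT"]
        rules.append(rule)
    return rules


def apply_rules(guest, table, vm_mac=None, run=subprocess.run):
    """Insert the rules for one guest; returns how many were inserted."""
    cmds = ebtables_rules(guest, table.get(guest, []), vm_mac)
    for cmd in cmds:
        # argv list, no shell: the IP and MAC are single arguments and are
        # never re-parsed the way a concatenated command string would be
        run(cmd, check=True)
    return len(cmds)


def main(argv, stdin=sys.stdin):
    if len(argv) < 3:
        return 2
    guest, operation = argv[1], argv[2]
    if operation != "started":
        return 0
    with open(SECONDARY_IP_FILE) as f:
        table = parse_secondary_ips(f.read())
    mac = guest_mac_from_xml(stdin.read())
    apply_rules(guest, table, mac)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Nothing needs to happen on "stopped": the ACCEPT lines live in the guest's own chain and disappear with it when that chain is flushed or deleted. Inserting with -I rather than appending with -A is what keeps the per-address ACCEPT in front of the chain's catch-all ARP DROP.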