Hi Shahar,

Thanks, I need to work this out further to have it 100% visible.

I wonder why I was able in the past (3.1) to dedicate a NIC to a VM. Do you also have an explanation why I cannot save a network configuration with a NIC in DHCP mode? It complains about a wrong IP and I have seen it should be a bug. Is this right?

Cheers,

Matt

2013/2/10 Shahar Havivi <shah...@redhat.com>

> On 10.02.13 14:13, Dan Kenigsberg wrote:
> > On Sun, Feb 10, 2013 at 12:19:57PM +0100, Matt . wrote:
> > > Hi,
> > >
> > > For setting up a firewall in a VM I would like to add 2 of my 4 NICs
> > > directly to a VM.
> > >
> > > In my previous setup I thought I had done that, but at the moment I
> > > cannot figure this out and cannot find the docs to accomplish this.
> > >
> > > I would like to dedicate those 2 NICs to my firewall VMs to avoid
> > > sharing them by accident, via a network, with other VMs.
> > >
> > > How is this done at the moment?
> >
> > AFAIK it can be done only with a vdsm hook. You'd need to define your VM
> > with no interface at all, but instead mark it with a special custom
> > property you define. Then you should write a hook that adds the two
> > host interfaces to the VM, by means of either
> > http://libvirt.org/formatdomain.html#elementsNICSDirect or
> > http://libvirt.org/formatdomain.html#elementsNICSHostdev
> >
> > Most probably, you would need to pin your firewall VM to a specific
> > host.
> >
> > Writing a hook is not too complex, but it requires understanding of how
> > vdsm and libvirt work. You can take
> > http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=tree;f=vdsm_hooks/vmfex as a
> > reference, or ask for specific guidance here.
> >
> > Dan.
>
> Dan is right.
> Currently you can do it via a hook.
> We do have promisc mode, but currently we have mirroring mode only (i.e. you
> can monitor each VM's traffic but cannot intercept it).
> The way to do it is via layer 2.
>
> It's best to implement an after_vm_start hook and use ebtables.
> You can pass the network name to the hook.
> When you have the network name you can probe for its MAC address, and in the
> libvirt XML you can view the interfaces that are part of that network and get
> their MAC addresses as well (look at other hooks, as Dan pointed out).
>
> When you have the network name, the network MAC and the target interface you
> can use ebtables:
>
> 1. set the bridge in promisc mode
>    $ ifconfig <network name> promisc
> 2. traffic to the monitoring machine
>    $ ebtables -t nat -A PREROUTING -d 00:1a:4a:16:01:51 -i eth0 -j dnat --to-destination 00:1a:4a:16:01:11
> 3. traffic from the monitoring machine
>    $ ebtables -t nat -A PREROUTING -s 00:1a:4a:16:01:51 -i vnet0 -j dnat --to-destination 00:1a:4a:16:01:11
>
> 1. set the network interface in promiscuous mode
> 2. traffic that was meant for the VM MAC will go to the destination MAC
> 3. traffic that was sent from the VM MAC will go to the destination MAC
>
> Note that the -i <interface> is the interface name, and I think it can be
> omitted...
>
> Shahar Havivi.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
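The hook route that Dan sketches above (VM defined with no interface, a custom property, a vdsm hook that injects the host NICs into the libvirt XML), as an added example that is not from this thread, from vdsm or from the vmfex hook. Everything specific here is assumed for the example: the custom property name `passthrough_nics`, the sample domain XML, and the `FAKE_PCI` table that stands in for the sysfs lookup when the script is run off a host. On a host it uses vdsm's `hooking` module (`read_domxml`/`write_domxml`) and emits an `elementsNICSHostdev` interface when the NIC resolves to a PCI address, or an `elementsNICSDirect` (macvtap passthrough) interface otherwise.

```python
#!/usr/bin/python
# Hypothetical vdsm before_vm_start hook (added example, not vdsm's own code).
# Assumed custom VM property 'passthrough_nics' = "eth2,eth3" (comma-separated
# host NIC names). vdsm exports custom properties to hooks as environment
# variables and lets hooks edit the domain XML via its 'hooking' module.
import os
import sys
import xml.dom.minidom

PROPERTY = 'passthrough_nics'   # assumed custom property name

# Constructed sample: a VM with no <interface> at all, as Dan suggests.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>firewall</name>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
  </devices>
</domain>"""

# Constructed stand-in for the sysfs lookup, for running off a host.
FAKE_PCI = {'eth2': '0000:04:00.1'}


def parse_property(value):
    """'eth2, eth3' -> ['eth2', 'eth3']. Only plain interface names pass, so a
    mistyped or hostile property value cannot smuggle markup or a path in."""
    nics = [n.strip() for n in value.split(',') if n.strip()]
    for n in nics:
        bare = n.replace('.', '').replace('_', '').replace('-', '')
        if len(n) > 15 or not bare.isalnum():
            raise ValueError('bad interface name: %r' % n)
    return nics


def resolve_pci_address(dev):
    """Host NIC name -> PCI address ('0000:04:00.1') from the sysfs 'device'
    symlink, or None if the NIC is not PCI-backed (or we are off-host)."""
    try:
        return os.path.basename(os.readlink('/sys/class/net/%s/device' % dev))
    except OSError:
        return None


def direct_interface(doc, dev):
    """<interface type='direct'>: macvtap in passthrough mode (NICSDirect)."""
    iface = doc.createElement('interface')
    iface.setAttribute('type', 'direct')
    source = doc.createElement('source')
    source.setAttribute('dev', dev)
    source.setAttribute('mode', 'passthrough')
    iface.appendChild(source)
    model = doc.createElement('model')
    model.setAttribute('type', 'virtio')
    iface.appendChild(model)
    return iface


def hostdev_interface(doc, pci):
    """<interface type='hostdev'>: PCI passthrough of the NIC (NICSHostdev)."""
    domain, bus, slot_fn = pci.split(':')
    slot, function = slot_fn.split('.')
    iface = doc.createElement('interface')
    iface.setAttribute('type', 'hostdev')
    iface.setAttribute('managed', 'yes')
    source = doc.createElement('source')
    addr = doc.createElement('address')
    addr.setAttribute('type', 'pci')
    for name, val in (('domain', domain), ('bus', bus),
                      ('slot', slot), ('function', function)):
        addr.setAttribute(name, '0x' + val)
    source.appendChild(addr)
    iface.appendChild(source)
    return iface


def add_passthrough_nics(domxml, nics, pci_lookup=resolve_pci_address):
    """Append one interface per host NIC to <devices>: hostdev when the NIC
    resolves to a PCI address, macvtap passthrough otherwise. Accepts a string
    or a minidom Document and returns the modified Document."""
    doc = domxml if hasattr(domxml, 'documentElement') \
        else xml.dom.minidom.parseString(domxml)
    devices = doc.getElementsByTagName('devices')[0]
    for dev in nics:
        pci = pci_lookup(dev)
        devices.appendChild(hostdev_interface(doc, pci) if pci
                            else direct_interface(doc, dev))
    return doc


def describe_interfaces(doc):
    """[(type, detail)] per <interface>, e.g. ('hostdev', '0000:04:00.1') or
    ('direct', 'eth3/passthrough'), for checking what the hook produced."""
    out = []
    for iface in doc.getElementsByTagName('interface'):
        kind = iface.getAttribute('type')
        if kind == 'hostdev':
            a = iface.getElementsByTagName('address')[0]
            parts = [a.getAttribute(n)[2:]
                     for n in ('domain', 'bus', 'slot', 'function')]
            out.append((kind, '%s:%s:%s.%s' % tuple(parts)))
        else:
            s = iface.getElementsByTagName('source')[0]
            out.append((kind, s.getAttribute('dev') + '/' + s.getAttribute('mode')))
    return out


if __name__ == '__main__':
    if PROPERTY not in os.environ:   # off-host: show the result on the sample
        doc = add_passthrough_nics(SAMPLE_DOMXML, ['eth2', 'eth3'], FAKE_PCI.get)
        print(doc.toprettyxml(indent='  '))
    else:
        import hooking               # vdsm's hook helper; only exists on a host
        try:
            nics = parse_property(os.environ[PROPERTY])
        except ValueError as e:
            sys.stderr.write('passthrough hook: %s\n' % e)
            sys.exit(2)              # vdsm hook convention: 2 = fail, abort
        hooking.write_domxml(add_passthrough_nics(hooking.read_domxml(), nics))
```

The script would be installed under the vdsm hook directory for `before_vm_start` (so the XML is edited before libvirt defines the domain) and the property declared on the engine with `engine-config -s UserDefinedVMProperties='passthrough_nics=^.*$'`; as Dan notes, the VM then has to be pinned to the host that owns those NICs. Either interface type gives the guest exclusive use of the NIC, which is the isolation Matt is after; the `hostdev` form additionally needs the host IOMMU enabled, and the whitelist in `parse_property` is there because the property value is typed on the engine side and otherwise goes straight into the domain XML.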