[one-users] ebtables not taking effect

Shi Jin jinzishuai at gmail.com
Wed Sep 23 12:16:29 PDT 2009


Hi,

After some debugging, I think in order to restrict a VM to a
particular MAC address, we need to work on the FORWARD chain.
Therefore I added the following to the ebtables-kvm script:
forward_rule1="FORWARD -s ! #{iface_mac}/FF:FF:FF:FF:FF:FF -i #{tap} -j DROP"
forward_rule2="FORWARD -d ! #{iface_mac}/FF:FF:FF:FF:FF:FF -o #{tap} -j DROP"
And call them in start (similar in stop)
activate(forward_rule1)
activate(forward_rule2)

This has been working for me. If I tried to change the MAC address
within the VM I will lose connection.

I guess similarly I can work out rules on FORWARD to prevent users
from changing the VM IP address as well.

Please let me know if this is making sense.
Thanks.
Shi

On Wed, Sep 23, 2009 at 10:32 AM, Javier Fontan <jfontan at gmail.com> wrote:
> Hello,
>
> I have to take a deeper look into it. In our tests we successfully
> isolated networks but maybe my testing procedure was not good enough.
> Right now we are in the middle of cluster relocation/installation so
> it will be difficult for me to test in next few days but I'll try to
> test it as soon as possible.
>
> If you come up with a solution for network isolation please make us
> know about it.
>
> Bye
>
> On Wed, Sep 23, 2009 at 6:53 AM, Shi Jin <jinzishuai at gmail.com> wrote:
>> Hi, there,
>>
>> I've got the ebtables-kvm script running now. But it does  not seem to
>> really taking effect.
>> I could actually change the MAC address inside the VM (for a windows
>> XP VM) and still get network working.
>> The provided script is supposed to prevent the users from changing the
>> MAC, right? So I do change it, the expected behavior would be no
>> networking for that VM, right?
>> I can see the ebtables by running ebtables -L.
>> Has anyone had similar problem?
>>
>> Thanks.
>>
>> --
>> Shi Jin, Ph.D.
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
>
> --
> Javier Fontan, Grid & Virtualization Technology Engineer/Researcher
> DSA Research Group: http://dsa-research.org
> Globus GridWay Metascheduler: http://www.GridWay.org
> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>



-- 
Shi Jin, Ph.D.


More information about the Users mailing list