cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maurice Lawler <>
Subject Re: Secondary IP (4.1.1)
Date Wed, 21 Aug 2013 15:18:03 GMT

You say "you can add the below rules on that host" the rules I provided is a direct extract
of what rules that are listed presently. Would I simply duplicate the same rules to allow
a secondary IP to pass through, or is it more involved then that?

Also, you mention a manipulation required in the IPTables, mind pointing me in the right direction
to make this happen.

- Maurice

On Aug 21, 2013, at 01:14 AM, Jayapal Reddy Uradi <> wrote:

you can add the below rules on the host.
Also you need to update the iptables filter rules.

You need to add rules on host in vm reboot, on VM reboot the old rules get added on host.


On 21-Aug-2013, at 6:49 AM, Maurice Lawler <> wrote:

It would seem to be perhaps I can add something via this segment in the security policy.
193 # -s ! 52:54:0:56:44:32 -j DROP
194 execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
195 execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
196 except:
197 logging.debug("Failed to program default rules")
198 return 'false'
200 try:
201 execute("ebtables -t nat -A " + vmchain_in + " -s ! " + vm_mac + " -j DROP")
202 execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
203 execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j
204 if vm_ip is not None:
205 execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j
206 execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
207 execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
208 execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
209 except:
210 logging.exception("Failed to program default ebtables IN rules")
211 return 'false'
Am I wrong in my thinking?
On Aug 19, 2013, at 11:43 PM, Marcus Sorensen <> wrote:
Well, it depends on how you edit the script, it
certainly wouldn't have to open up everything. You could add a
one-liner in there that would pass the instance name to a separate
script that looked up the vm in a table or database and applied extra
rules (in post_default_network_rules), maybe adding something like:
"ebtables -t nat -I " + vmchain_in + " -p ARP --arp-ip-src " +
secondary_vm_ip + " -j ACCEPT"
Although, that might not be fun to maintain. It would probably be
easier to use the libvirt hooks: To
call your script whenever a vm starts or stops. You would accept the
guest name as an argument to your script, and then that script could
look up secondary IPs in a table, from a database or file, adding them
to the ebtables chain of the same guest name.
On Mon, Aug 19, 2013 at 8:03 PM, Maurice Lawler <> wrote:
Does anyone have experience in adding a secondary IP address (by way of altering the ebtables
/ security script) in basic networking mode (KVM)
I have reviewed the script that is called to setup the ebtables, but if I alter that, I would
believe that would open all ports on all my instances. I just simply want the easy ability
to add a secondary IP address.
I understand this is a feature coming in 4.2, but I also understand this version is a ways
Any assistance would be GREATLY appreciated!
- Maurice

  • Unnamed multipart/alternative (inline, None, 0 bytes)
    • Unnamed multipart/related (inline, None, 0 bytes)
View raw message