cloudstack-dev mailing list archives

From Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com>
Subject Re: Secondary IP (4.1.1)
Date Wed, 21 Aug 2013 05:14:33 GMT
You can add the rules below on the host.
You also need to update the iptables filter rules.

You need to add the rules on the host on VM reboot; on VM reboot the old rules get added on the host.

Thanks,
Jayapal

On 21-Aug-2013, at 6:49 AM, Maurice Lawler <maurice.lawler@me.com> wrote:

> It would seem that perhaps I can add something via this segment of the security policy.
> 
>     try:
>         # -s ! 52:54:0:56:44:32 -j DROP
>         execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
>         execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
>     except:
>         logging.debug("Failed to program default rules")
>         return 'false'
> 
>     try:
>         execute("ebtables -t nat -A " + vmchain_in + " -s ! " + vm_mac + " -j DROP")
>         execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
>         execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
>         if vm_ip is not None:
>             execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
>         execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
>         execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
>         execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
>     except:
>         logging.exception("Failed to program default ebtables IN rules")
>         return 'false'
> 
> Am I wrong in my thinking?
> 
> 
> On Aug 19, 2013, at 11:43 PM, Marcus Sorensen <shadowsor@gmail.com> wrote:
> 
>> Well, it depends on how you edit the security_group.py script; it
>> certainly wouldn't have to open up everything. You could add a
>> one-liner in there that would pass the instance name to a separate
>> script that looked up the VM in a table or database and applied extra
>> rules (in post_default_network_rules), maybe adding something like:
>> 
>> "ebtables -t nat -I " + vmchain_in  +  "  -p ARP --arp-ip-src " +
>> secondary_vm_ip + " -j ACCEPT"
>> 
>> etc.
>> 
>> Although, that might not be fun to maintain. It would probably be
>> easier to use the libvirt hooks (http://www.libvirt.org/hooks.html) to
>> call your script whenever a VM starts or stops. You would accept the
>> guest name as an argument to your script, and then that script could
>> look up secondary IPs in a table, from a database or file, adding them
>> to the ebtables chain of the same guest name.
>> 
>> On Mon, Aug 19, 2013 at 8:03 PM, Maurice Lawler <maurice.lawler@me.com> wrote:
>>> Greetings,
>>> 
>>> Does anyone have experience in adding a secondary IP address (by way of altering the ebtables / security script) in basic networking mode (KVM)?
>>> 
>>> I have reviewed the script that is called to set up the ebtables, but if I alter that, I would believe that would open all ports on all my instances. I just simply want the easy ability to add a secondary IP address.
>>> 
>>> I understand this is a feature coming in 4.2, but I also understand this version is a ways out.
>>> 
>>> Any assistance would be GREATLY appreciated!
>>> 
>>> - Maurice
> 

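Marcus's libvirt-hook suggestion, worked through as an added example (this is not code from CloudStack's security_group.py or from anyone on the thread). The hook receives the guest name from libvirt, looks its secondary IPs up in a table, and inserts ARP ACCEPT rules at the head of the guest's inbound ebtables chain so they are evaluated before the `--arp-ip-src ! <primary ip> -j DROP` rule quoted above. Assumptions made here: the inbound chain is named `<guest>-in` (modelled on vmchain_in in the quoted script), the SECONDARY_IPS dictionary stands in for the file or database Marcus mentions, and the argument order is libvirt's qemu hook order (guest name, then operation). The `run` parameter lets the rules be generated without touching ebtables, which is also how the example is checked.

```python
"""Allow a guest's secondary IPs through CloudStack's per-VM ebtables chain.

Added example for this thread; not code from CloudStack's security_group.py.
Assumed here: the inbound chain is "<guest>-in", the lookup table below
stands in for a file or database, and libvirt's qemu hook argument order
(guest name, then operation).
"""
import ipaddress
import subprocess
import sys

# Constructed lookup table: guest name -> secondary IPv4 addresses.
SECONDARY_IPS = {
    "i-2-7-VM": ["10.1.1.50", "10.1.1.51"],
}


def secondary_ip_rules(vmchain_in, secondary_ips):
    """Return the ebtables commands (as argv lists) that allow ARP from each
    secondary IP in the guest's inbound chain.

    -I inserts at the head of the chain, so the ACCEPT is evaluated before
    the "--arp-ip-src ! <primary ip> -j DROP" rule CloudStack appends. The
    MAC check earlier in the chain is untouched: the secondary IP still has
    to come from the guest's own MAC. Argv lists (not a joined string) keep
    the address out of any shell, and IPv4Address() rejects anything that is
    not an address, so a bad table entry fails here rather than in ebtables.
    """
    cmds = []
    for ip in secondary_ips:
        addr = str(ipaddress.IPv4Address(ip))  # ValueError on malformed input
        cmds.append(["ebtables", "-t", "nat", "-I", vmchain_in,
                     "-p", "ARP", "--arp-ip-src", addr, "-j", "ACCEPT"])
    return cmds


def hook_main(argv, run):
    """libvirt hook entry: argv is [script, guest_name, operation, ...].

    Only the "started" operation is acted on. CloudStack re-adds the guest's
    default rules when the VM reboots (Jayapal's point in this thread), so
    the secondary-IP rules are re-applied on every start, not once.
    Returns the number of rules programmed.
    """
    if len(argv) < 3 or argv[2] != "started":
        return 0
    guest = argv[1]
    cmds = secondary_ip_rules(guest + "-in", SECONDARY_IPS.get(guest, []))
    for cmd in cmds:
        run(cmd)
    return len(cmds)


def execute(cmd):
    """Run one ebtables command, raising CalledProcessError if it fails."""
    subprocess.check_call(cmd)


if __name__ == "__main__":
    # Installed as /etc/libvirt/hooks/qemu (path per libvirt's hooks page),
    # libvirt invokes it as: qemu <guest_name> <operation> <sub-operation> -
    print("programmed %d rule(s)" % hook_main(sys.argv, execute))
```

Only the ebtables ARP side is shown; Jayapal's remark that the iptables filter rules also need updating for the secondary address applies on top of this, and the same hook is the natural place to do it.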